Rust: Another test case (unsafe function).

geoffw0 · geoffw0 · commit dbde8418bb70 · 2025-06-18T15:29:37.000+01:00
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -22,7 +22,8 @@
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:654:31:654:35 | &str1 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:653:8:653:11 | str1 | str1 |
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:651:7:651:10 | str2 | str2 |
 | lifetime.rs:734:12:734:13 | r1 | lifetime.rs:719:26:719:34 | &... | lifetime.rs:734:12:734:13 | r1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:719:19:719:20 | v2 | v2 |
-| lifetime.rs:791:10:791:12 | ptr | lifetime.rs:781:9:781:12 | &val | lifetime.rs:791:10:791:12 | ptr | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:779:6:779:8 | val | val |
+| lifetime.rs:789:12:789:13 | p1 | lifetime.rs:781:9:781:19 | &my_local10 | lifetime.rs:789:12:789:13 | p1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:779:6:779:15 | my_local10 | my_local10 |
+| lifetime.rs:808:10:808:12 | ptr | lifetime.rs:798:9:798:12 | &val | lifetime.rs:808:10:808:12 | ptr | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:796:6:796:8 | val | val |
 edges
 | deallocation.rs:148:6:148:7 | p1 | deallocation.rs:151:14:151:15 | p1 | provenance |  |
 | deallocation.rs:148:6:148:7 | p1 | deallocation.rs:158:14:158:15 | p1 | provenance |  |
@@ -195,10 +196,14 @@ edges
 | lifetime.rs:769:6:769:8 | ptr | lifetime.rs:771:12:771:14 | ptr | provenance |  |
 | lifetime.rs:769:12:769:23 | &val | lifetime.rs:769:12:769:23 | ptr | provenance |  |
 | lifetime.rs:769:12:769:23 | ptr | lifetime.rs:769:6:769:8 | ptr | provenance |  |
-| lifetime.rs:781:2:781:12 | return ... | lifetime.rs:785:12:785:24 | get_pointer(...) | provenance |  |
-| lifetime.rs:781:9:781:12 | &val | lifetime.rs:781:2:781:12 | return ... | provenance |  |
-| lifetime.rs:785:6:785:8 | ptr | lifetime.rs:791:10:791:12 | ptr | provenance |  |
-| lifetime.rs:785:12:785:24 | get_pointer(...) | lifetime.rs:785:6:785:8 | ptr | provenance |  |
+| lifetime.rs:781:2:781:19 | return ... | lifetime.rs:785:11:785:41 | get_local_for_unsafe_function(...) | provenance |  |
+| lifetime.rs:781:9:781:19 | &my_local10 | lifetime.rs:781:2:781:19 | return ... | provenance |  |
+| lifetime.rs:785:6:785:7 | p1 | lifetime.rs:789:12:789:13 | p1 | provenance |  |
+| lifetime.rs:785:11:785:41 | get_local_for_unsafe_function(...) | lifetime.rs:785:6:785:7 | p1 | provenance |  |
+| lifetime.rs:798:2:798:12 | return ... | lifetime.rs:802:12:802:24 | get_pointer(...) | provenance |  |
+| lifetime.rs:798:9:798:12 | &val | lifetime.rs:798:2:798:12 | return ... | provenance |  |
+| lifetime.rs:802:6:802:8 | ptr | lifetime.rs:808:10:808:12 | ptr | provenance |  |
+| lifetime.rs:802:12:802:24 | get_pointer(...) | lifetime.rs:802:6:802:8 | ptr | provenance |  |
 models
 | 1 | Summary: lang:core; crate::ptr::from_ref; Argument[0]; ReturnValue; value |
 nodes
@@ -405,9 +410,14 @@ nodes
 | lifetime.rs:769:12:769:23 | &val | semmle.label | &val |
 | lifetime.rs:769:12:769:23 | ptr | semmle.label | ptr |
 | lifetime.rs:771:12:771:14 | ptr | semmle.label | ptr |
-| lifetime.rs:781:2:781:12 | return ... | semmle.label | return ... |
-| lifetime.rs:781:9:781:12 | &val | semmle.label | &val |
-| lifetime.rs:785:6:785:8 | ptr | semmle.label | ptr |
-| lifetime.rs:785:12:785:24 | get_pointer(...) | semmle.label | get_pointer(...) |
-| lifetime.rs:791:10:791:12 | ptr | semmle.label | ptr |
+| lifetime.rs:781:2:781:19 | return ... | semmle.label | return ... |
+| lifetime.rs:781:9:781:19 | &my_local10 | semmle.label | &my_local10 |
+| lifetime.rs:785:6:785:7 | p1 | semmle.label | p1 |
+| lifetime.rs:785:11:785:41 | get_local_for_unsafe_function(...) | semmle.label | get_local_for_unsafe_function(...) |
+| lifetime.rs:789:12:789:13 | p1 | semmle.label | p1 |
+| lifetime.rs:798:2:798:12 | return ... | semmle.label | return ... |
+| lifetime.rs:798:9:798:12 | &val | semmle.label | &val |
+| lifetime.rs:802:6:802:8 | ptr | semmle.label | ptr |
+| lifetime.rs:802:12:802:24 | get_pointer(...) | semmle.label | get_pointer(...) |
+| lifetime.rs:808:10:808:12 | ptr | semmle.label | ptr |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
@@ -773,6 +773,23 @@ pub fn test_macros() {
 	}
 }
 
+// --- unsafe function ---
+
+fn get_local_for_unsafe_function() -> *const f64 {
+	let my_local10: f64 = 1.23;
+
+	return &my_local10; // $ Source[rust/access-after-lifetime-ended]=local10
+} // (return value immediately becomes dangling)
+
+pub unsafe fn test_unsafe_function() {
+	let p1 = get_local_for_unsafe_function();
+
+	use_the_stack();
+
+	let v1 = *p1; // $ Alert[rust/access-after-lifetime-ended]=local10
+	println!("	v1 = {v1} (!)"); // corrupt in practice
+}
+
 // --- examples from qhelp ---
 
 fn get_pointer() -> *const i64 {
diff --git a/rust/ql/test/query-tests/security/CWE-825/main.rs b/rust/ql/test/query-tests/security/CWE-825/main.rs
@@ -190,6 +190,11 @@ fn main() {
 	println!("test_macros:");
 	test_macros();
 
+	println!("test_unsafe_function:");
+	unsafe {
+		test_unsafe_function();
+	}
+
 	println!("test_lifetimes_example_bad:");
 	test_lifetimes_example_bad();
 
