Rust: Implement predicates for lambdas/closures in the data flow library

Author: paldepind

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -744,14 +744,28 @@ module RustDataFlow implements InputSig<Location> {
     SsaFlow::localMustFlowStep(_, node1, node2)
   }
 
-  class LambdaCallKind = Void;
+  class LambdaCallKind = Unit;
 
-  // class LambdaCallKind;
   /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
-  predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) { none() }
+  predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
+    exists(Expr cl | cl = creation.asExpr().getExpr() and cl = c.asCfgScope() |
+      cl instanceof ClosureExpr or cl instanceof AsyncBlockExpr
+    ) and
+    exists(kind)
+  }
 
-  /** Holds if `call` is a lambda call of kind `kind` where `receiver` is the lambda expression. */
-  predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { none() }
+  /**
+   * Holds if `call` is a lambda call of kind `kind` where `receiver` is the
+   * invoked expression.
+   */
+  predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) {
+    receiver.asExpr() = call.asCallExprCfgNode().getFunction() and
+    // All calls to complex expressions and local variable accesses are lambda call.
+    exists(Expr f | f = receiver.asExpr().getExpr() |
+      f instanceof PathExpr implies f = any(Variable v).getAnAccess()
+    ) and
+    exists(kind)
+  }
 
   /** Extra data flow steps needed for lambda flow analysis. */
   predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }

rust/ql/test/library-tests/dataflow/local/inline-flow.expected

@@ -23,6 +23,16 @@ edges
 | main.rs:179:36:179:36 | n | main.rs:179:48:179:48 | n | provenance |  |
 | main.rs:183:10:183:39 | ...::C {...} [C] | main.rs:183:37:183:37 | n | provenance |  |
 | main.rs:183:37:183:37 | n | main.rs:183:83:183:83 | n | provenance |  |
+| main.rs:240:20:240:52 | if cond {...} else {...} | main.rs:241:10:241:16 | f(...) | provenance |  |
+| main.rs:240:30:240:39 | source(...) | main.rs:240:20:240:52 | if cond {...} else {...} | provenance |  |
+| main.rs:245:20:245:23 | ... | main.rs:247:18:247:21 | data | provenance |  |
+| main.rs:251:13:251:22 | source(...) | main.rs:252:13:252:13 | a | provenance |  |
+| main.rs:252:13:252:13 | a | main.rs:245:20:245:23 | ... | provenance |  |
+| main.rs:256:20:256:23 | ... | main.rs:257:9:261:9 | if cond {...} else {...} | provenance |  |
+| main.rs:262:13:262:22 | source(...) | main.rs:263:21:263:21 | a | provenance |  |
+| main.rs:263:13:263:22 | f(...) | main.rs:264:10:264:10 | b | provenance |  |
+| main.rs:263:21:263:21 | a | main.rs:256:20:256:23 | ... | provenance |  |
+| main.rs:263:21:263:21 | a | main.rs:263:13:263:22 | f(...) | provenance |  |
 nodes
 | main.rs:15:10:15:18 | source(...) | semmle.label | source(...) |
 | main.rs:19:13:19:21 | source(...) | semmle.label | source(...) |
@@ -56,7 +66,21 @@ nodes
 | main.rs:183:10:183:39 | ...::C {...} [C] | semmle.label | ...::C {...} [C] |
 | main.rs:183:37:183:37 | n | semmle.label | n |
 | main.rs:183:83:183:83 | n | semmle.label | n |
+| main.rs:240:20:240:52 | if cond {...} else {...} | semmle.label | if cond {...} else {...} |
+| main.rs:240:30:240:39 | source(...) | semmle.label | source(...) |
+| main.rs:241:10:241:16 | f(...) | semmle.label | f(...) |
+| main.rs:245:20:245:23 | ... | semmle.label | ... |
+| main.rs:247:18:247:21 | data | semmle.label | data |
+| main.rs:251:13:251:22 | source(...) | semmle.label | source(...) |
+| main.rs:252:13:252:13 | a | semmle.label | a |
+| main.rs:256:20:256:23 | ... | semmle.label | ... |
+| main.rs:257:9:261:9 | if cond {...} else {...} | semmle.label | if cond {...} else {...} |
+| main.rs:262:13:262:22 | source(...) | semmle.label | source(...) |
+| main.rs:263:13:263:22 | f(...) | semmle.label | f(...) |
+| main.rs:263:21:263:21 | a | semmle.label | a |
+| main.rs:264:10:264:10 | b | semmle.label | b |
 subpaths
+| main.rs:263:21:263:21 | a | main.rs:256:20:256:23 | ... | main.rs:257:9:261:9 | if cond {...} else {...} | main.rs:263:13:263:22 | f(...) |
 testFailures
 #select
 | main.rs:15:10:15:18 | source(...) | main.rs:15:10:15:18 | source(...) | main.rs:15:10:15:18 | source(...) | $@ | main.rs:15:10:15:18 | source(...) | source(...) |
@@ -70,3 +94,6 @@ testFailures
 | main.rs:142:57:142:57 | n | main.rs:135:29:135:38 | source(...) | main.rs:142:57:142:57 | n | $@ | main.rs:135:29:135:38 | source(...) | source(...) |
 | main.rs:179:48:179:48 | n | main.rs:175:18:175:27 | source(...) | main.rs:179:48:179:48 | n | $@ | main.rs:175:18:175:27 | source(...) | source(...) |
 | main.rs:183:83:183:83 | n | main.rs:175:18:175:27 | source(...) | main.rs:183:83:183:83 | n | $@ | main.rs:175:18:175:27 | source(...) | source(...) |
+| main.rs:241:10:241:16 | f(...) | main.rs:240:30:240:39 | source(...) | main.rs:241:10:241:16 | f(...) | $@ | main.rs:240:30:240:39 | source(...) | source(...) |
+| main.rs:247:18:247:21 | data | main.rs:251:13:251:22 | source(...) | main.rs:247:18:247:21 | data | $@ | main.rs:251:13:251:22 | source(...) | source(...) |
+| main.rs:264:10:264:10 | b | main.rs:262:13:262:22 | source(...) | main.rs:264:10:264:10 | b | $@ | main.rs:262:13:262:22 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/local/main.rs

@@ -238,13 +238,13 @@ fn block_expression3(b: bool) -> i64 {
 
 fn closure_flow_out() {
     let f = |cond| if cond { source(92) } else { 0 };
-    sink(f(true)); // $ MISSING: hasValueFlow=92
+    sink(f(true)); // $ hasValueFlow=92
 }
 
 fn closure_flow_in() {
     let f = |cond, data|
         if cond {
-            sink(data); // $ MISSING: hasValueFlow=87
+            sink(data); // $ hasValueFlow=87
         } else {
             sink(0)
         };
@@ -261,7 +261,7 @@ fn closure_flow_through() {
         };
     let a = source(43);
     let b = f(true, a);
-    sink(b); // $ MISSING: hasValueFlow=43
+    sink(b); // $ hasValueFlow=43
 }
 
 fn main() {