Rust: Test for sinks inside sources.

geoffw0 · geoffw0 · commit ce7a0fd094e5 · 2025-03-28T11:12:10.000Z
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected b/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected
@@ -13,7 +13,8 @@
 | deallocation.rs:131:14:131:15 | p2 | deallocation.rs:124:21:124:42 | ...::dangling_mut | deallocation.rs:131:14:131:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:124:21:124:42 | ...::dangling_mut | invalid |
 | deallocation.rs:132:14:132:15 | p3 | deallocation.rs:125:23:125:36 | ...::null | deallocation.rs:132:14:132:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:125:23:125:36 | ...::null | invalid |
 | deallocation.rs:180:15:180:16 | p1 | deallocation.rs:176:3:176:25 | ...::drop_in_place | deallocation.rs:180:15:180:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:176:3:176:25 | ...::drop_in_place | invalid |
-| deallocation.rs:245:18:245:20 | ptr | deallocation.rs:239:3:239:25 | ...::drop_in_place | deallocation.rs:245:18:245:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:239:3:239:25 | ...::drop_in_place | invalid |
+| deallocation.rs:189:29:189:30 | p3 | deallocation.rs:189:29:189:30 | p3 | deallocation.rs:189:29:189:30 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:189:29:189:30 | p3 | invalid |
+| deallocation.rs:248:18:248:20 | ptr | deallocation.rs:242:3:242:25 | ...::drop_in_place | deallocation.rs:248:18:248:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:242:3:242:25 | ...::drop_in_place | invalid |
 edges
 | deallocation.rs:20:3:20:21 | ...::dealloc | deallocation.rs:20:23:20:24 | [post] m1 | provenance | Src:MaD:3 MaD:3 |
 | deallocation.rs:20:23:20:24 | [post] m1 | deallocation.rs:26:15:26:16 | m1 | provenance |  |
@@ -40,8 +41,8 @@ edges
 | deallocation.rs:125:23:125:38 | ...::null(...) | deallocation.rs:125:6:125:7 | p3 | provenance |  |
 | deallocation.rs:176:3:176:25 | ...::drop_in_place | deallocation.rs:176:27:176:28 | [post] p1 | provenance | Src:MaD:6 MaD:6 |
 | deallocation.rs:176:27:176:28 | [post] p1 | deallocation.rs:180:15:180:16 | p1 | provenance |  |
-| deallocation.rs:239:3:239:25 | ...::drop_in_place | deallocation.rs:239:27:239:29 | [post] ptr | provenance | Src:MaD:6 MaD:6 |
-| deallocation.rs:239:27:239:29 | [post] ptr | deallocation.rs:245:18:245:20 | ptr | provenance |  |
+| deallocation.rs:242:3:242:25 | ...::drop_in_place | deallocation.rs:242:27:242:29 | [post] ptr | provenance | Src:MaD:6 MaD:6 |
+| deallocation.rs:242:27:242:29 | [post] ptr | deallocation.rs:248:18:248:20 | ptr | provenance |  |
 models
 | 1 | Sink: lang:core; crate::ptr::read; pointer-access; Argument[0] |
 | 2 | Sink: lang:core; crate::ptr::write; pointer-access; Argument[0] |
@@ -83,7 +84,8 @@ nodes
 | deallocation.rs:176:3:176:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
 | deallocation.rs:176:27:176:28 | [post] p1 | semmle.label | [post] p1 |
 | deallocation.rs:180:15:180:16 | p1 | semmle.label | p1 |
-| deallocation.rs:239:3:239:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
-| deallocation.rs:239:27:239:29 | [post] ptr | semmle.label | [post] ptr |
-| deallocation.rs:245:18:245:20 | ptr | semmle.label | ptr |
+| deallocation.rs:189:29:189:30 | p3 | semmle.label | p3 |
+| deallocation.rs:242:3:242:25 | ...::drop_in_place | semmle.label | ...::drop_in_place |
+| deallocation.rs:242:27:242:29 | [post] ptr | semmle.label | [post] ptr |
+| deallocation.rs:248:18:248:20 | ptr | semmle.label | ptr |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-825/deallocation.rs b/rust/ql/test/query-tests/security/CWE-825/deallocation.rs
@@ -163,7 +163,7 @@ pub fn test_drop() {
 pub fn test_ptr_drop(mode: i32) {
 	let layout = std::alloc::Layout::new::<Vec<i64>>();
 	unsafe {
-		let p1 = std::alloc::alloc(layout) as *mut Vec<i64>; // *mut i64
+		let p1 = std::alloc::alloc(layout) as *mut Vec<i64>;
 		let p2 = p1;
 
 		*p1 = vec!(1, 2, 3);
@@ -184,6 +184,9 @@ pub fn test_ptr_drop(mode: i32) {
 			let v4 = (*p2)[0]; // $ MISSING: Alert
 			println!("	v4 = {v4} (!)"); // corrupt in practice
 		}
+
+		let p3 = std::alloc::alloc(layout) as *mut Vec<i64>;
+		std::ptr::drop_in_place((*p3).as_mut_ptr()); // $ SPURIOUS: Alert[rust/access-invalid-pointer]
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -163,7 +163,7 @@ pub fn test_drop() {`
`163`	`163`	`pub fn test_ptr_drop(mode: i32) {`
`164`	`164`	`let layout = std::alloc::Layout::new::<Vec<i64>>();`
`165`	`165`	`unsafe {`
`166`		`- let p1 = std::alloc::alloc(layout) as mut Vec<i64>; // mut i64`
	`166`	`+ let p1 = std::alloc::alloc(layout) as *mut Vec<i64>;`
`167`	`167`	`let p2 = p1;`
`168`	`168`
`169`	`169`	`*p1 = vec!(1, 2, 3);`
`@@ -184,6 +184,9 @@ pub fn test_ptr_drop(mode: i32) {`
`184`	`184`	`let v4 = (*p2)[0]; // $ MISSING: Alert`
`185`	`185`	`println!(" v4 = {v4} (!)"); // corrupt in practice`
`186`	`186`	`}`
	`187`	`+`
	`188`	`+ let p3 = std::alloc::alloc(layout) as *mut Vec<i64>;`
	`189`	`+ std::ptr::drop_in_place((*p3).as_mut_ptr()); // $ SPURIOUS: Alert[rust/access-invalid-pointer]`
`187`	`190`	`}`
`188`	`191`	`}`
`189`	`192`