Rust: Handle functions as lambdas

Author: paldepind

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -295,13 +295,10 @@ module LocalFlow {
 class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a lambda of kind `kind`. */
-predicate lambdaCreationExpr(Expr creation, LambdaCallKind kind) {
-  (
-    creation instanceof ClosureExpr
-    or
-    creation instanceof Scope::AsyncBlockScope
-  ) and
-  exists(kind)
+predicate lambdaCreationExpr(Expr creation) {
+  creation instanceof ClosureExpr
+  or
+  creation instanceof Scope::AsyncBlockScope
 }
 
 /**
@@ -810,8 +807,15 @@ module RustDataFlow implements InputSig<Location> {
 
   /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
   predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
-    exists(Expr e |
-      e = creation.asExpr().getExpr() and lambdaCreationExpr(e, kind) and e = c.asCfgScope()
+    exists(kind) and
+    exists(Expr e | e = creation.asExpr().getExpr() |
+      lambdaCreationExpr(e) and e = c.asCfgScope()
+      or
+      // A path expression, that resolves to a function, evaluates to a function
+      // pointer. Except if the path occurs directly in a call, then it's just a
+      // call to the function and not a function being passed as data.
+      resolvePath(e.(PathExpr).getPath()) = c.asCfgScope() and
+      not any(CallExpr call).getFunction() = e
     )
   }
 
@@ -931,7 +935,7 @@ module VariableCapture {
     }
 
     class ClosureExpr extends Expr instanceof ExprCfgNode {
-      ClosureExpr() { lambdaCreationExpr(super.getExpr(), _) }
+      ClosureExpr() { lambdaCreationExpr(super.getExpr()) }
 
       predicate hasBody(Callable body) { body = super.getExpr() }
 

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -454,7 +454,7 @@ newtype TNode =
     or
     lambdaCallExpr(_, _, e)
     or
-    lambdaCreationExpr(e.getExpr(), _)
+    lambdaCreationExpr(e.getExpr())
     or
     // Whenever `&mut e` has a post-update node we also create one for `e`.
     // E.g., for `e` in `f(..., &mut e, ...)` or `*(&mut e) = ...`.
@@ -478,5 +478,5 @@ newtype TNode =
   } or
   TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
   TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
-  TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c, _) } or
+  TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c) } or
   TCaptureNode(VariableCapture::Flow::SynthesizedCaptureNode cn)

rust/ql/test/library-tests/dataflow/lambdas/inline-flow.expected

@@ -17,6 +17,19 @@ edges
 | main.rs:39:5:39:5 | [post] f [captured capt] | main.rs:40:10:40:13 | capt | provenance |  |
 | main.rs:39:5:39:5 | [post] f [captured capt] | main.rs:44:5:44:5 | g [captured capt] | provenance |  |
 | main.rs:44:5:44:5 | g [captured capt] | main.rs:42:14:42:17 | capt | provenance |  |
+| main.rs:47:29:49:1 | { ... } | main.rs:57:10:57:12 | f(...) | provenance |  |
+| main.rs:48:5:48:14 | source(...) | main.rs:47:29:49:1 | { ... } | provenance |  |
+| main.rs:51:17:51:25 | ...: i64 | main.rs:52:10:52:13 | data | provenance |  |
+| main.rs:62:9:62:9 | a | main.rs:63:7:63:7 | a | provenance |  |
+| main.rs:62:13:62:22 | source(...) | main.rs:62:9:62:9 | a | provenance |  |
+| main.rs:63:7:63:7 | a | main.rs:51:17:51:25 | ...: i64 | provenance |  |
+| main.rs:66:24:66:32 | ...: i64 | main.rs:66:42:72:1 | { ... } | provenance |  |
+| main.rs:76:9:76:9 | a | main.rs:77:21:77:21 | a | provenance |  |
+| main.rs:76:13:76:22 | source(...) | main.rs:76:9:76:9 | a | provenance |  |
+| main.rs:77:9:77:9 | b | main.rs:78:10:78:10 | b | provenance |  |
+| main.rs:77:13:77:22 | f(...) | main.rs:77:9:77:9 | b | provenance |  |
+| main.rs:77:21:77:21 | a | main.rs:66:24:66:32 | ...: i64 | provenance |  |
+| main.rs:77:21:77:21 | a | main.rs:77:13:77:22 | f(...) | provenance |  |
 nodes
 | main.rs:10:20:10:52 | if cond {...} else {...} | semmle.label | if cond {...} else {...} |
 | main.rs:10:30:10:39 | source(...) | semmle.label | source(...) |
@@ -39,12 +52,32 @@ nodes
 | main.rs:40:10:40:13 | capt | semmle.label | capt |
 | main.rs:42:14:42:17 | capt | semmle.label | capt |
 | main.rs:44:5:44:5 | g [captured capt] | semmle.label | g [captured capt] |
+| main.rs:47:29:49:1 | { ... } | semmle.label | { ... } |
+| main.rs:48:5:48:14 | source(...) | semmle.label | source(...) |
+| main.rs:51:17:51:25 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:52:10:52:13 | data | semmle.label | data |
+| main.rs:57:10:57:12 | f(...) | semmle.label | f(...) |
+| main.rs:62:9:62:9 | a | semmle.label | a |
+| main.rs:62:13:62:22 | source(...) | semmle.label | source(...) |
+| main.rs:63:7:63:7 | a | semmle.label | a |
+| main.rs:66:24:66:32 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:66:42:72:1 | { ... } | semmle.label | { ... } |
+| main.rs:76:9:76:9 | a | semmle.label | a |
+| main.rs:76:13:76:22 | source(...) | semmle.label | source(...) |
+| main.rs:77:9:77:9 | b | semmle.label | b |
+| main.rs:77:13:77:22 | f(...) | semmle.label | f(...) |
+| main.rs:77:21:77:21 | a | semmle.label | a |
+| main.rs:78:10:78:10 | b | semmle.label | b |
 subpaths
 | main.rs:29:21:29:21 | a | main.rs:27:20:27:23 | ... | main.rs:27:26:27:52 | if cond {...} else {...} | main.rs:29:13:29:22 | f(...) |
+| main.rs:77:21:77:21 | a | main.rs:66:24:66:32 | ...: i64 | main.rs:66:42:72:1 | { ... } | main.rs:77:13:77:22 | f(...) |
 testFailures
 #select
 | main.rs:11:10:11:16 | f(...) | main.rs:10:30:10:39 | source(...) | main.rs:11:10:11:16 | f(...) | $@ | main.rs:10:30:10:39 | source(...) | source(...) |
 | main.rs:17:18:17:21 | data | main.rs:22:13:22:22 | source(...) | main.rs:17:18:17:21 | data | $@ | main.rs:22:13:22:22 | source(...) | source(...) |
 | main.rs:30:10:30:10 | b | main.rs:28:13:28:22 | source(...) | main.rs:30:10:30:10 | b | $@ | main.rs:28:13:28:22 | source(...) | source(...) |
 | main.rs:40:10:40:13 | capt | main.rs:37:16:37:25 | source(...) | main.rs:40:10:40:13 | capt | $@ | main.rs:37:16:37:25 | source(...) | source(...) |
 | main.rs:42:14:42:17 | capt | main.rs:37:16:37:25 | source(...) | main.rs:42:14:42:17 | capt | $@ | main.rs:37:16:37:25 | source(...) | source(...) |
+| main.rs:52:10:52:13 | data | main.rs:62:13:62:22 | source(...) | main.rs:52:10:52:13 | data | $@ | main.rs:62:13:62:22 | source(...) | source(...) |
+| main.rs:57:10:57:12 | f(...) | main.rs:48:5:48:14 | source(...) | main.rs:57:10:57:12 | f(...) | $@ | main.rs:48:5:48:14 | source(...) | source(...) |
+| main.rs:78:10:78:10 | b | main.rs:76:13:76:22 | source(...) | main.rs:78:10:78:10 | b | $@ | main.rs:76:13:76:22 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/lambdas/main.rs

@@ -49,12 +49,12 @@ fn get_from_source() -> i64 {
 }
 
 fn pass_to_sink(data: i64) {
-    sink(data); // $ MISSING: hasValueFlow=34
+    sink(data); // $ hasValueFlow=34
 }
 
 fn function_flow_out() {
     let f = get_from_source;
-    sink(f()); // $ MISSING: hasValueFlow=93
+    sink(f()); // $ hasValueFlow=93
 }
 
 fn function_flow_in() {
@@ -75,7 +75,7 @@ fn function_flows_through() {
     let f = get_arg;
     let a = source(56);
     let b = f(true, a);
-    sink(b); // $ MISSING: hasValueFlow=56
+    sink(b); // $ hasValueFlow=56
 }
 
 fn main() {