Rust: Adapt to changes in FlowSummaryImpl

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll

@@ -17,9 +17,13 @@ module SummarizedCallable {
     Range() { any() }
 
     override predicate propagatesFlow(
-      string input, string output, boolean preservesValue, string model
+      string input, string output, boolean preservesValue, Provenance p, boolean isExact,
+      string model
     ) {
-      this.propagatesFlow(input, output, preservesValue) and model = ""
+      this.propagatesFlow(input, output, preservesValue) and
+      p = "manual" and
+      isExact = true and
+      model = "QL"
     }
 
     /**
@@ -31,6 +35,6 @@ module SummarizedCallable {
   }
 }
 
-final class SummarizedCallable = SummarizedCallable::Range;
+final class SummarizedCallable = Impl::Public::RelevantSummarizedCallable;
 
 final class Provenance = Impl::Public::Provenance;

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -30,6 +30,8 @@ module Input implements InputSig<Location, RustDataFlow> {
 
   class SummarizedCallableBase = Function;
 
+  predicate callableFromSource(SummarizedCallableBase c) { c.fromSource() }
+
   abstract private class SourceSinkBase extends AstNode {
     /** Gets the associated call. */
     abstract Call getCall();

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -111,60 +111,35 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
   )
 }
 
-private predicate summaryModel(
-  Function f, string input, string output, string kind, Provenance provenance, boolean isInherited,
-  QlBuiltins::ExtensionId madId
-) {
-  exists(string path, Function f0 |
-    summaryModel(path, input, output, kind, provenance, madId) and
-    f0.getCanonicalPath() = path
-  |
-    f = f0 and
-    isInherited = false
-    or
-    f.implements(f0) and
-    isInherited = true
-  )
-}
-
-private predicate summaryModelRelevant(
-  Function f, string input, string output, string kind, Provenance provenance, boolean isInherited,
-  QlBuiltins::ExtensionId madId
-) {
-  summaryModel(f, input, output, kind, provenance, isInherited, madId) and
-  // Only apply generated or inherited models to functions in library code and
-  // when no strictly better model exists
-  if provenance.isGenerated() or isInherited = true
-  then
-    not f.fromSource() and
-    not exists(Provenance other | summaryModel(f, _, _, _, other, false, _) |
-      provenance.isGenerated() and other.isManual()
+private class SummarizedCallableFromModel extends SummarizedCallable::Range {
+  string input_;
+  string output_;
+  string kind;
+  Provenance p_;
+  boolean isExact_;
+  QlBuiltins::ExtensionId madId;
+
+  SummarizedCallableFromModel() {
+    exists(string path, Function f |
+      summaryModel(path, input_, output_, kind, p_, madId) and
+      f.getCanonicalPath() = path
+    |
+      this = f and isExact_ = true
       or
-      provenance = other and isInherited = true
+      this.implements(f) and
+      isExact_ = false
     )
-  else any()
-}
-
-private class SummarizedCallableFromModel extends SummarizedCallable::Range {
-  SummarizedCallableFromModel() { summaryModelRelevant(this, _, _, _, _, _, _) }
-
-  override predicate hasProvenance(Provenance provenance) {
-    summaryModelRelevant(this, _, _, _, provenance, _, _)
   }
 
   override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
   ) {
-    exists(string kind, QlBuiltins::ExtensionId madId |
-      summaryModelRelevant(this, input, output, kind, _, _, madId) and
-      model = "MaD:" + madId.toString()
-    |
-      kind = "value" and
-      preservesValue = true
-      or
-      kind = "taint" and
-      preservesValue = false
-    )
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = p_ and
+    isExact = isExact_ and
+    model = "MaD:" + madId.toString()
   }
 }
 
@@ -211,7 +186,7 @@ private module Debug {
   private predicate relevantManualModel(SummarizedCallableImpl sc, string can) {
     exists(Provenance manual |
       can = sc.getCanonicalPath() and
-      summaryModelRelevant(sc, _, _, _, manual, false, _) and
+      sc.(SummarizedCallableFromModel).propagatesFlow(_, _, _, manual, true, _) and
       manual.isManual()
     )
   }
@@ -221,7 +196,7 @@ private module Debug {
   ) {
     exists(RustDataFlow::ParameterPosition pos, TypeMention tm |
       relevantManualModel(sc, can) and
-      sc.propagatesFlow(input, _, _, _) and
+      sc.propagatesFlow(input, _, _, _, _, _) and
       input.head() = SummaryComponent::argument(pos) and
       p = pos.getParameterIn(sc.getParamList()) and
       tm.resolveType() instanceof RefType and
@@ -238,7 +213,7 @@ private module Debug {
   ) {
     exists(TypeMention tm |
       relevantManualModel(sc, can) and
-      sc.propagatesFlow(_, output, _, _) and
+      sc.propagatesFlow(_, output, _, _, _, _) and
       tm.resolveType() instanceof RefType and
       output.head() = SummaryComponent::return(_) and
       not output.tail().head() =

rust/ql/test/library-tests/dataflow/models/models.ql

@@ -22,13 +22,10 @@ query predicate invalidSpecComponent(SummarizedCallable sc, string s, string c)
 private class SummarizedCallableIdentity extends SummarizedCallable::Range {
   SummarizedCallableIdentity() { this.getName().getText() = "identity" }
 
-  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string provenance
-  ) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     input = "Argument[0]" and
     output = "ReturnValue" and
-    preservesValue = true and
-    provenance = "QL"
+    preservesValue = true
   }
 }