github
diff --git a/‎rust/ql/lib/codeql/rust/internal/typeinference/FunctionOverloading.qll‎
Lines changed: 115 additions & 22 deletions b/‎rust/ql/lib/codeql/rust/internal/typeinference/FunctionOverloading.qll‎
Lines changed: 115 additions & 22 deletions
diff --git a/‎rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll‎
Lines changed: 92 additions & 40 deletions b/‎rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll‎
Lines changed: 92 additions & 40 deletions
@@ -77,32 +77,23 @@ pragma[nomagic]
 private predicate implHasSibling(ImplItemNode impl, Trait trait) { implSiblings(trait, impl, _) }
 
 /**
- * Holds if type parameter `tp` of `trait` occurs in the function `f` with the name
- * `functionName` at position `pos` and path `path`.
- *
- * Note that `pos` can also be the special `return` position, which is sometimes
- * needed to disambiguate associated function calls like `Default::default()`
- * (in this case, `tp` is the special `Self` type parameter).
+ * Holds if `f` is a function declared inside `trait`, and the type of `f` at
+ * `pos` and `path` is `traitTp`, which is a type parameter of `trait`.
  */
-bindingset[trait]
-pragma[inline_late]
+pragma[nomagic]
 predicate traitTypeParameterOccurrence(
   TraitItemNode trait, Function f, string functionName, FunctionPosition pos, TypePath path,
-  TypeParameter tp
+  TypeParameter traitTp
 ) {
-  f = trait.getASuccessor(functionName) and
-  tp = getAssocFunctionTypeAt(f, trait, pos, path) and
-  tp = trait.(TraitTypeAbstraction).getATypeParameter()
+  f = trait.getAssocItem(functionName) and
+  traitTp = getAssocFunctionTypeInclNonMethodSelfAt(f, trait, pos, path) and
+  traitTp = trait.(TraitTypeAbstraction).getATypeParameter()
 }
 
-/**
- * Holds if resolving the function `f` in `impl` with the name `functionName`
- * requires inspecting the type of applied _arguments_ at position `pos` in
- * order to determine whether it is the correct resolution.
- */
 pragma[nomagic]
-predicate functionResolutionDependsOnArgument(
-  ImplItemNode impl, Function f, FunctionPosition pos, TypePath path, Type type
+private predicate functionResolutionDependsOnArgumentCand(
+  ImplItemNode impl, Function f, string functionName, TypeParameter traitTp, FunctionPosition pos,
+  TypePath path
 ) {
   /*
    * As seen in the example below, when an implementation has a sibling for a
@@ -129,11 +120,113 @@ predicate functionResolutionDependsOnArgument(
    * method. In that case we will still resolve several methods.
    */
 
-  exists(TraitItemNode trait, string functionName |
+  exists(TraitItemNode trait |
     implHasSibling(impl, trait) and
-    traitTypeParameterOccurrence(trait, _, functionName, pos, path, _) and
-    type = getAssocFunctionTypeAt(f, impl, pos, path) and
+    traitTypeParameterOccurrence(trait, _, functionName, pos, path, traitTp) and
     f = impl.getASuccessor(functionName) and
+    not pos.isSelf()
+  )
+}
+
+private predicate functionResolutionDependsOnPositionalArgumentCand(
+  ImplItemNode impl, Function f, string functionName, TypeParameter traitTp
+) {
+  exists(FunctionPosition pos |
+    functionResolutionDependsOnArgumentCand(impl, f, functionName, traitTp, pos, _) and
+    pos.isPosition()
+  )
+}
+
+pragma[nomagic]
+private Type getAssocFunctionNonTypeParameterTypeAt(
+  ImplItemNode impl, Function f, FunctionPosition pos, TypePath path
+) {
+  result = getAssocFunctionTypeInclNonMethodSelfAt(f, impl, pos, path) and
+  not result instanceof TypeParameter
+}
+
+/**
+ * Holds if `f` inside `impl` has a sibling implementation inside `sibling`, where
+ * those two implementations agree on the instantiation of `traitTp`, which occurs
+ * in a positional position inside `f`.
+ */
+pragma[nomagic]
+private predicate hasEquivalentPositionalSibling(
+  ImplItemNode impl, ImplItemNode sibling, Function f, TypeParameter traitTp
+) {
+  exists(string functionName, FunctionPosition pos, TypePath path |
+    functionResolutionDependsOnArgumentCand(impl, f, functionName, traitTp, pos, path) and
     pos.isPosition()
+  |
+    exists(Function f1 |
+      implSiblings(_, impl, sibling) and
+      f1 = sibling.getASuccessor(functionName)
+    |
+      forall(TypePath path0, Type t |
+        t = getAssocFunctionNonTypeParameterTypeAt(impl, f, pos, path0) and
+        path = path0.getAPrefixOrSelf()
+      |
+        t = getAssocFunctionNonTypeParameterTypeAt(sibling, f1, pos, path0)
+      ) and
+      forall(TypePath path0, Type t |
+        t = getAssocFunctionNonTypeParameterTypeAt(sibling, f1, pos, path0) and
+        path = path0.getAPrefixOrSelf()
+      |
+        t = getAssocFunctionNonTypeParameterTypeAt(impl, f, pos, path0)
+      )
+    )
+  )
+}
+
+/**
+ * Holds if resolving the function `f` in `impl` requires inspecting the type
+ * of applied _arguments_ or possibly knowing the return type.
+ *
+ * `traitTp` is a type parameter of the trait being implemented by `impl`, and
+ * we need to check that the type of `f` corresponding to `traitTp` is satisfied
+ * at any one of the positions `pos` in which that type occurs in `f`.
+ *
+ * Type parameters that only occur in return positions are only included when
+ * all other type parameters that occur in a positional position are insufficient
+ * to disambiguate.
+ *
+ * Example:
+ *
+ * ```rust
+ * trait Trait1<T1> {
+ *   fn f(self, x: T1) -> T1;
+ * }
+ *
+ * impl Trait1<i32> for i32 {
+ *   fn f(self, x: i32) -> i32 { 0 } // f1
+ * }
+ *
+ * impl Trait1<i64> for i32 {
+ *   fn f(self, x: i64) -> i64 { 0 } // f2
+ * }
+ * ```
+ *
+ * The type for `T1` above occurs in both a positional position and a return position
+ * in `f`, so both may be used to disambiguate between `f1` and `f2`. That is, `f(0i32)`
+ * is sufficient to resolve to `f1`, and so is `let y: i64 = f(Default::default())`.
+ */
+pragma[nomagic]
+predicate functionResolutionDependsOnArgument(
+  ImplItemNode impl, Function f, TypeParameter traitTp, FunctionPosition pos
+) {
+  exists(string functionName |
+    functionResolutionDependsOnArgumentCand(impl, f, functionName, traitTp, pos, _)
+  |
+    if functionResolutionDependsOnPositionalArgumentCand(impl, f, functionName, traitTp)
+    then any()
+    else
+      exists(ImplItemNode sibling |
+        implSiblings(_, impl, sibling) and
+        forall(TypeParameter otherTraitTp |
+          functionResolutionDependsOnPositionalArgumentCand(impl, f, functionName, otherTraitTp)
+        |
+          hasEquivalentPositionalSibling(impl, sibling, f, otherTraitTp)
+        )
+      )
   )
 }
@@ -82,7 +82,9 @@ private newtype TAssocFunctionType =
     // through `i`. This ensures that `parent` is either a supertrait of `i` or
     // `i` in an `impl` block implementing `parent`.
     (parent = i or BaseTypes::rootTypesSatisfaction(_, TTrait(parent), i, _, _)) and
-    exists(pos.getTypeMention(f))
+    // We always include the `self` position, even for non-methods, where it is used
+    // to match type qualifiers against the `impl` or trait type, such as in `Vec::new`.
+    (exists(pos.getTypeMention(f)) or pos.isSelf())
   }
 
 bindingset[abs, constraint, tp]
@@ -116,6 +118,22 @@ Type getAssocFunctionTypeAt(Function f, ImplOrTraitItemNode i, FunctionPosition
   )
 }
 
+/**
+ * Same as `getAssocFunctionTypeAt`, but also includes types at the `self` position
+ * for non-methods.
+ */
+pragma[nomagic]
+Type getAssocFunctionTypeInclNonMethodSelfAt(
+  Function f, ImplOrTraitItemNode i, FunctionPosition pos, TypePath path
+) {
+  result = getAssocFunctionTypeAt(f, i, pos, path)
+  or
+  f = i.getASuccessor(_) and
+  not f.hasSelfParam() and
+  pos.isSelf() and
+  result = resolveImplOrTraitType(i, path)
+}
+
 /**
  * The type of an associated function at a given position, when its implicit
  * `Self` type parameter is specialized to a given trait or `impl` block.
@@ -174,7 +192,7 @@ class AssocFunctionType extends MkAssocFunctionType {
   Type getTypeAt(TypePath path) {
     exists(Function f, FunctionPosition pos, ImplOrTraitItemNode i, Type t |
       this.appliesTo(f, i, pos) and
-      t = getAssocFunctionTypeAt(f, i, pos, path)
+      t = getAssocFunctionTypeInclNonMethodSelfAt(f, i, pos, path)
     |
       not t instanceof SelfTypeParameter and
       result = t
@@ -184,9 +202,12 @@ class AssocFunctionType extends MkAssocFunctionType {
   }
 
   private TypeMention getTypeMention() {
-    exists(Function f, FunctionPosition pos |
-      this.appliesTo(f, _, pos) and
+    exists(Function f, ImplOrTraitItemNode i, FunctionPosition pos | this.appliesTo(f, i, pos) |
       result = pos.getTypeMention(f)
+      or
+      pos.isSelf() and
+      not f.hasSelfParam() and
+      result = [i.(Impl).getSelfTy().(TypeMention), i.(TypeMention)]
     )
   }
 
@@ -294,10 +315,15 @@ module ArgIsInstantiationOf<
  */
 signature module ArgsAreInstantiationsOfInputSig {
   /**
-   * Holds if types need to be matched against the type `t` at position `pos` of
-   * `f` inside `i`.
+   * Holds if `f` inside `i` needs to have the type corresponding to type parameter
+   * `tp` checked.
+   *
+   * If `i` is an inherent implementation, `tp` is a type parameter of the type being
+   * implemented, otherwise `tp` is a type parameter of the trait (being implemented).
+   *
+   * `pos` is one of the positions in `f` in which the relevant type occours.
    */
-  predicate toCheck(ImplOrTraitItemNode i, Function f, FunctionPosition pos, AssocFunctionType t);
+  predicate toCheck(ImplOrTraitItemNode i, Function f, TypeParameter tp, FunctionPosition pos);
 
   /** A call whose argument types are to be checked. */
   class Call {
@@ -318,23 +344,27 @@ signature module ArgsAreInstantiationsOfInputSig {
  */
 module ArgsAreInstantiationsOf<ArgsAreInstantiationsOfInputSig Input> {
   pragma[nomagic]
-  private predicate toCheckRanked(ImplOrTraitItemNode i, Function f, FunctionPosition pos, int rnk) {
-    Input::toCheck(i, f, pos, _) and
-    pos =
-      rank[rnk + 1](FunctionPosition pos0, int j |
-        Input::toCheck(i, f, pos0, _) and
-        (
-          j = pos0.asPosition()
-          or
-          pos0.isSelf() and j = -1
-          or
-          pos0.isReturn() and j = -2
-        )
+  private predicate toCheckRanked(
+    ImplOrTraitItemNode i, Function f, TypeParameter tp, FunctionPosition pos, int rnk
+  ) {
+    Input::toCheck(i, f, tp, pos) and
+    tp =
+      rank[rnk + 1](TypeParameter tp0, int j |
+        Input::toCheck(i, f, tp0, _) and
+        j = getTypeParameterId(tp0)
       |
-        pos0 order by j
+        tp0 order by j
       )
   }
 
+  pragma[nomagic]
+  private predicate toCheck(
+    ImplOrTraitItemNode i, Function f, TypeParameter tp, FunctionPosition pos, AssocFunctionType t
+  ) {
+    Input::toCheck(i, f, tp, pos) and
+    t.appliesTo(f, i, pos)
+  }
+
   private newtype TCallAndPos =
     MkCallAndPos(Input::Call call, FunctionPosition pos) { exists(call.getArgType(pos, _)) }
 
@@ -356,36 +386,34 @@ module ArgsAreInstantiationsOf<ArgsAreInstantiationsOfInputSig Input> {
     string toString() { result = call.toString() + " [arg " + pos + "]" }
   }
 
+  pragma[nomagic]
+  private predicate potentialInstantiationOf0(
+    CallAndPos cp, Input::Call call, TypeParameter tp, FunctionPosition pos, Function f,
+    TypeAbstraction abs, AssocFunctionType constraint
+  ) {
+    cp = MkCallAndPos(call, pragma[only_bind_into](pos)) and
+    call.hasTargetCand(abs, f) and
+    toCheck(abs, f, tp, pragma[only_bind_into](pos), constraint)
+  }
+
   private module ArgIsInstantiationOfToIndexInput implements
     IsInstantiationOfInputSig<CallAndPos, AssocFunctionType>
   {
-    pragma[nomagic]
-    private predicate potentialInstantiationOf0(
-      CallAndPos cp, Input::Call call, FunctionPosition pos, int rnk, Function f,
-      TypeAbstraction abs, AssocFunctionType constraint
-    ) {
-      cp = MkCallAndPos(call, pragma[only_bind_into](pos)) and
-      call.hasTargetCand(abs, f) and
-      toCheckRanked(abs, f, pragma[only_bind_into](pos), rnk) and
-      Input::toCheck(abs, f, pragma[only_bind_into](pos), constraint)
-    }
-
     pragma[nomagic]
     predicate potentialInstantiationOf(
       CallAndPos cp, TypeAbstraction abs, AssocFunctionType constraint
     ) {
-      exists(Input::Call call, int rnk, Function f |
-        potentialInstantiationOf0(cp, call, _, rnk, f, abs, constraint)
+      exists(Input::Call call, TypeParameter tp, FunctionPosition pos, int rnk, Function f |
+        potentialInstantiationOf0(cp, call, tp, pos, f, abs, constraint) and
+        toCheckRanked(abs, f, tp, pos, rnk)
       |
         rnk = 0
         or
         argsAreInstantiationsOfToIndex(call, abs, f, rnk - 1)
       )
     }
 
-    predicate relevantConstraint(AssocFunctionType constraint) {
-      Input::toCheck(_, _, _, constraint)
-    }
+    predicate relevantConstraint(AssocFunctionType constraint) { toCheck(_, _, _, _, constraint) }
   }
 
   private module ArgIsInstantiationOfToIndex =
@@ -398,39 +426,63 @@ module ArgsAreInstantiationsOf<ArgsAreInstantiationsOfInputSig Input> {
     exists(FunctionPosition pos |
       ArgIsInstantiationOfToIndex::argIsInstantiationOf(MkCallAndPos(call, pos), i, _) and
       call.hasTargetCand(i, f) and
-      toCheckRanked(i, f, pos, rnk)
+      toCheckRanked(i, f, _, pos, rnk)
+    |
+      rnk = 0
+      or
+      argsAreInstantiationsOfToIndex(call, i, f, rnk - 1)
     )
   }
 
   /**
    * Holds if all arguments of `call` have types that are instantiations of the
    * types of the corresponding parameters of `f` inside `i`.
+   *
+   * TODO: Check type parameter constraints as well.
    */
   pragma[nomagic]
   predicate argsAreInstantiationsOf(Input::Call call, ImplOrTraitItemNode i, Function f) {
     exists(int rnk |
       argsAreInstantiationsOfToIndex(call, i, f, rnk) and
-      rnk = max(int r | toCheckRanked(i, f, _, r))
+      rnk = max(int r | toCheckRanked(i, f, _, _, r))
     )
   }
 
+  private module ArgsAreNotInstantiationOfInput implements
+    IsInstantiationOfInputSig<CallAndPos, AssocFunctionType>
+  {
+    pragma[nomagic]
+    predicate potentialInstantiationOf(
+      CallAndPos cp, TypeAbstraction abs, AssocFunctionType constraint
+    ) {
+      potentialInstantiationOf0(cp, _, _, _, _, abs, constraint)
+    }
+
+    predicate relevantConstraint(AssocFunctionType constraint) { toCheck(_, _, _, _, constraint) }
+  }
+
+  private module ArgsAreNotInstantiationOf =
+    ArgIsInstantiationOf<CallAndPos, ArgsAreNotInstantiationOfInput>;
+
   pragma[nomagic]
   private predicate argsAreNotInstantiationsOf0(
     Input::Call call, FunctionPosition pos, ImplOrTraitItemNode i
   ) {
-    ArgIsInstantiationOfToIndex::argIsNotInstantiationOf(MkCallAndPos(call, pos), i, _, _)
+    ArgsAreNotInstantiationOf::argIsNotInstantiationOf(MkCallAndPos(call, pos), i, _, _)
   }
 
   /**
    * Holds if _some_ argument of `call` has a type that is not an instantiation of the
    * type of the corresponding parameter of `f` inside `i`.
+   *
+   * TODO: Check type parameter constraints as well.
    */
   pragma[nomagic]
   predicate argsAreNotInstantiationsOf(Input::Call call, ImplOrTraitItemNode i, Function f) {
     exists(FunctionPosition pos |
       argsAreNotInstantiationsOf0(call, pos, i) and
       call.hasTargetCand(i, f) and
-      Input::toCheck(i, f, pos, _)
+      Input::toCheck(i, f, _, pos)
     )
   }
 }