Rust: Adapt to changes in FlowSummaryImpl

hvitved · hvitved · commit aaad5fa340c2 · 2026-01-14T09:27:07.000+01:00
diff --git a/rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll b/rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll
@@ -17,9 +17,13 @@ module SummarizedCallable {
     Range() { any() }
 
     override predicate propagatesFlow(
-      string input, string output, boolean preservesValue, string model
+      string input, string output, boolean preservesValue, Provenance p, boolean isExact,
+      string model
     ) {
-      this.propagatesFlow(input, output, preservesValue) and model = ""
+      this.propagatesFlow(input, output, preservesValue) and
+      p = "manual" and
+      isExact = true and
+      model = "QL"
     }
 
     /**
@@ -31,6 +35,6 @@ module SummarizedCallable {
   }
 }
 
-final class SummarizedCallable = SummarizedCallable::Range;
+final class SummarizedCallable = Impl::Public::RelevantSummarizedCallable;
 
 final class Provenance = Impl::Public::Provenance;
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
@@ -30,6 +30,8 @@ module Input implements InputSig<Location, RustDataFlow> {
 
   class SummarizedCallableBase = Function;
 
+  predicate callableFromSource(SummarizedCallableBase c) { c.fromSource() }
+
   abstract private class SourceSinkBase extends AstNode {
     /** Gets the associated call. */
     abstract Call getCall();
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
@@ -111,60 +111,36 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
   )
 }
 
-private predicate summaryModel(
-  Function f, string input, string output, string kind, Provenance provenance, boolean isInherited,
-  QlBuiltins::ExtensionId madId
-) {
-  exists(string path, Function f0 |
-    summaryModel(path, input, output, kind, provenance, madId) and
-    f0.getCanonicalPath() = path
-  |
-    f = f0 and
-    isInherited = false
-    or
-    f.implements(f0) and
-    isInherited = true
-  )
-}
-
-private predicate summaryModelRelevant(
-  Function f, string input, string output, string kind, Provenance provenance, boolean isInherited,
-  QlBuiltins::ExtensionId madId
-) {
-  summaryModel(f, input, output, kind, provenance, isInherited, madId) and
-  // Only apply generated or inherited models to functions in library code and
-  // when no strictly better model exists
-  if provenance.isGenerated() or isInherited = true
-  then
-    not f.fromSource() and
-    not exists(Provenance other | summaryModel(f, _, _, _, other, false, _) |
-      provenance.isGenerated() and other.isManual()
+private class SummarizedCallableFromModel extends SummarizedCallable::Range {
+  string input_;
+  string output_;
+  string kind;
+  Provenance p_;
+  boolean isExact_;
+  QlBuiltins::ExtensionId madId;
+
+  SummarizedCallableFromModel() {
+    exists(string path, Function f |
+      summaryModel(path, input_, output_, kind, p_, madId) and
+      f.getCanonicalPath() = path
+    |
+      this = f and isExact_ = true
       or
-      provenance = other and isInherited = true
+      this.implements(f) and
+      isExact_ = false and
+      not this.fromSource()
     )
-  else any()
-}
-
-private class SummarizedCallableFromModel extends SummarizedCallable::Range {
-  SummarizedCallableFromModel() { summaryModelRelevant(this, _, _, _, _, _, _) }
-
-  override predicate hasProvenance(Provenance provenance) {
-    summaryModelRelevant(this, _, _, _, provenance, _, _)
   }
 
   override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
   ) {
-    exists(string kind, QlBuiltins::ExtensionId madId |
-      summaryModelRelevant(this, input, output, kind, _, _, madId) and
-      model = "MaD:" + madId.toString()
-    |
-      kind = "value" and
-      preservesValue = true
-      or
-      kind = "taint" and
-      preservesValue = false
-    )
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = p_ and
+    isExact = isExact_ and
+    model = "MaD:" + madId.toString()
   }
 }
 
@@ -211,7 +187,7 @@ private module Debug {
   private predicate relevantManualModel(SummarizedCallableImpl sc, string can) {
     exists(Provenance manual |
       can = sc.getCanonicalPath() and
-      summaryModelRelevant(sc, _, _, _, manual, false, _) and
+      sc.(SummarizedCallableFromModel).propagatesFlow(_, _, _, manual, true, _) and
       manual.isManual()
     )
   }
@@ -221,7 +197,7 @@ private module Debug {
   ) {
     exists(RustDataFlow::ParameterPosition pos, TypeMention tm |
       relevantManualModel(sc, can) and
-      sc.propagatesFlow(input, _, _, _) and
+      sc.propagatesFlow(input, _, _, _, _, _) and
       input.head() = SummaryComponent::argument(pos) and
       p = pos.getParameterIn(sc.getParamList()) and
       tm.resolveType() instanceof RefType and
@@ -238,7 +214,7 @@ private module Debug {
   ) {
     exists(TypeMention tm |
       relevantManualModel(sc, can) and
-      sc.propagatesFlow(_, output, _, _) and
+      sc.propagatesFlow(_, output, _, _, _, _) and
       tm.resolveType() instanceof RefType and
       output.head() = SummaryComponent::return(_) and
       not output.tail().head() =
diff --git a/rust/ql/test/library-tests/dataflow/models/models.ql b/rust/ql/test/library-tests/dataflow/models/models.ql
@@ -13,22 +13,23 @@ import codeql.rust.dataflow.FlowSink
 import PathGraph
 
 query predicate invalidSpecComponent(SummarizedCallable sc, string s, string c) {
-  (sc.propagatesFlow(s, _, _) or sc.propagatesFlow(_, s, _)) and
-  Private::External::invalidSpecComponent(s, c)
+  exists(Provenance p |
+    Private::External::invalidSpecComponent(s, c) and
+    p.isManual()
+  |
+    sc.propagatesFlow(s, _, _, p, _, _) or sc.propagatesFlow(_, s, _, p, _, _)
+  )
 }
 
 // not defined in `models.ext.yml`, in order to test that we can also define
 // models directly in QL
 private class SummarizedCallableIdentity extends SummarizedCallable::Range {
   SummarizedCallableIdentity() { this.getName().getText() = "identity" }
 
-  override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string provenance
-  ) {
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
     input = "Argument[0]" and
     output = "ReturnValue" and
-    preservesValue = true and
-    provenance = "QL"
+    preservesValue = true
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -17,9 +17,13 @@ module SummarizedCallable {`
`17`	`17`	`Range() { any() }`
`18`	`18`
`19`	`19`	`override predicate propagatesFlow(`
`20`		`- string input, string output, boolean preservesValue, string model`
	`20`	`+ string input, string output, boolean preservesValue, Provenance p, boolean isExact,`
	`21`	`+ string model`
`21`	`22`	`) {`
`22`		`- this.propagatesFlow(input, output, preservesValue) and model = ""`
	`23`	`+ this.propagatesFlow(input, output, preservesValue) and`
	`24`	`+ p = "manual" and`
	`25`	`+ isExact = true and`
	`26`	`+ model = "QL"`
`23`	`27`	`}`
`24`	`28`
`25`	`29`	`/**`
`@@ -31,6 +35,6 @@ module SummarizedCallable {`
`31`	`35`	`}`
`32`	`36`	`}`
`33`	`37`
`34`		`-final class SummarizedCallable = SummarizedCallable::Range;`
	`38`	`+final class SummarizedCallable = Impl::Public::RelevantSummarizedCallable;`
`35`	`39`
`36`	`40`	`final class Provenance = Impl::Public::Provenance;`