Rust: Implement data flow through tuple structs

Author: hvitved

rust/ql/lib/codeql/rust/controlflow/CfgNodes.qll

@@ -265,12 +265,8 @@ final class RecordPatCfgNode extends Nodes::RecordPatCfgNode {
   PatCfgNode getFieldPat(string field) {
     exists(RecordPatField rpf |
       rpf = node.getRecordPatFieldList().getAField() and
-      any(ChildMapping mapping).hasCfgChild(node, rpf.getPat(), this, result)
-    |
-      field = rpf.getNameRef().getText()
-      or
-      not rpf.hasNameRef() and
-      field = result.(IdentPatCfgNode).getName().getText()
+      any(ChildMapping mapping).hasCfgChild(node, rpf.getPat(), this, result) and
+      field = rpf.getFieldName()
     )
   }
 }

rust/ql/lib/codeql/rust/dataflow/DataFlow.qll

@@ -25,8 +25,6 @@ module DataFlow {
 
   final class Content = DataFlowImpl::Content;
 
-  final class VariantContent = DataFlowImpl::VariantContent;
-
   final class ContentSet = DataFlowImpl::ContentSet;
 
   /**

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -14,7 +14,6 @@ private import codeql.rust.controlflow.CfgNodes
 private import codeql.rust.dataflow.Ssa
 private import codeql.rust.dataflow.FlowSummary
 private import FlowSummaryImpl as FlowSummaryImpl
-private import codeql.rust.elements.internal.PathResolution as PathResolution
 
 /**
  * A return kind. A return kind describes how a value can be returned from a
@@ -661,7 +660,7 @@ private module VariantInLib {
   }
 
   /** A tuple variant from library code. */
-  class VariantInLibTupleFieldContent extends VariantContent, TVariantInLibTupleFieldContent {
+  class VariantInLibTupleFieldContent extends Content, TVariantInLibTupleFieldContent {
     private VariantInLib::VariantInLib v;
     private int pos_;
 
@@ -740,82 +739,73 @@ abstract class Content extends TContent {
   abstract Location getLocation();
 }
 
-/**
- * A variant of an `enum`. In addition to the variant itself, this also includes the
- * position (for tuple variants) or the field name (for record variants).
- */
-abstract class VariantContent extends Content { }
-
-private TupleField getVariantTupleField(Variant v, int i) {
-  result = v.getFieldList().(TupleFieldList).getField(i)
+/** A field belonging to either a variant or a struct. */
+abstract class FieldContent extends Content {
+  /** Gets an access to this field. */
+  pragma[nomagic]
+  abstract FieldExprCfgNode getAnAccess();
 }
 
-/** A tuple variant. */
-private class VariantTupleFieldContent extends VariantContent, TVariantTupleFieldContent {
-  private Variant v;
-  private int pos_;
+/** A tuple field belonging to either a variant or a struct. */
+class TupleFieldContent extends FieldContent, TTupleFieldContent {
+  private TupleField field;
+
+  TupleFieldContent() { this = TTupleFieldContent(field) }
+
+  predicate isVariantField(Variant v, int pos) { field.isVariantField(v, pos) }
 
-  VariantTupleFieldContent() { this = TVariantTupleFieldContent(v, pos_) }
+  predicate isStructField(Struct s, int pos) { field.isStructField(s, pos) }
 
-  Variant getVariant(int pos) { result = v and pos = pos_ }
+  override FieldExprCfgNode getAnAccess() { none() } // TODO
 
   final override string toString() {
-    exists(string name |
-      name = v.getName().getText() and
+    exists(Variant v, int pos, string vname |
+      this.isVariantField(v, pos) and
+      vname = v.getName().getText() and
       // only print indices when the arity is > 1
-      if exists(getVariantTupleField(v, 1)) then result = name + "(" + pos_ + ")" else result = name
+      if exists(v.getTupleField(1)) then result = vname + "(" + pos + ")" else result = vname
+    )
+    or
+    exists(Struct s, int pos, string sname |
+      this.isStructField(s, pos) and
+      sname = s.getName().getText() and
+      // only print indices when the arity is > 1
+      if exists(s.getTupleField(1)) then result = sname + "(" + pos + ")" else result = sname
     )
   }
 
-  final override Location getLocation() { result = getVariantTupleField(v, pos_).getLocation() }
+  final override Location getLocation() { result = field.getLocation() }
 }
 
-private RecordField getVariantRecordField(Variant v, string field) {
-  result = v.getFieldList().(RecordFieldList).getAField() and
-  field = result.getName().getText()
-}
+/** A record field belonging to either a variant or a struct. */
+class RecordFieldContent extends FieldContent, TRecordFieldContent {
+  private RecordField field;
+
+  RecordFieldContent() { this = TRecordFieldContent(field) }
 
-/** A record variant. */
-private class VariantRecordFieldContent extends VariantContent, TVariantRecordFieldContent {
-  private Variant v;
-  private string field_;
+  predicate isVariantField(Variant v, string name) { field.isVariantField(v, name) }
 
-  VariantRecordFieldContent() { this = TVariantRecordFieldContent(v, field_) }
+  predicate isStructField(Struct s, string name) { field.isStructField(s, name) }
 
-  Variant getVariant(string field) { result = v and field = field_ }
+  override FieldExprCfgNode getAnAccess() { none() } // TODO
 
   final override string toString() {
-    exists(string name |
-      name = v.getName().getText() and
+    exists(Variant v, string name, string vname |
+      this.isVariantField(v, name) and
+      vname = v.getName().getText() and
       // only print field when the arity is > 1
-      if strictcount(string f | exists(getVariantRecordField(v, f))) > 1
-      then result = name + "{" + field_ + "}"
-      else result = name
+      if strictcount(v.getRecordField(_)) > 1 then result = vname + "." + name else result = vname
     )
-  }
-
-  final override Location getLocation() {
-    result = getVariantRecordField(v, field_).getName().getLocation()
-  }
-}
-
-/** Content stored in a field on a struct. */
-class StructFieldContent extends Content, TStructFieldContent {
-  private Struct s;
-  private string field_;
-
-  StructFieldContent() { this = TStructFieldContent(s, field_) }
-
-  Struct getStruct(string field) { result = s and field = field_ }
-
-  override string toString() { result = s.getName().getText() + "." + field_.toString() }
-
-  override Location getLocation() {
-    exists(Name f | f = s.getFieldList().(RecordFieldList).getAField().getName() |
-      f.getText() = field_ and
-      result = f.getLocation()
+    or
+    exists(Struct s, string name, string sname |
+      this.isStructField(s, name) and
+      sname = s.getName().getText() and
+      // only print field when the arity is > 1
+      if strictcount(s.getRecordField(_)) > 1 then result = sname + "." + name else result = sname
     )
   }
+
+  final override Location getLocation() { result = field.getLocation() }
 }
 
 /** A captured variable. */
@@ -859,13 +849,18 @@ final class ElementContent extends Content, TElementContent {
  * NOTE: Unlike `struct`s and `enum`s tuples are structural and not nominal,
  * hence we don't store a canonical path for them.
  */
-final class TuplePositionContent extends Content, TTuplePositionContent {
+final class TuplePositionContent extends FieldContent, TTuplePositionContent {
   private int pos;
 
   TuplePositionContent() { this = TTuplePositionContent(pos) }
 
   int getPosition() { result = pos }
 
+  override FieldExprCfgNode getAnAccess() {
+    // TODO: limit to tuple types
+    result.getNameRef().getText().toInt() = pos
+  }
+
   override string toString() { result = "tuple." + pos.toString() }
 
   override Location getLocation() { result instanceof EmptyLocation }
@@ -901,11 +896,6 @@ final class FunctionCallReturnContent extends Content, TFunctionCallReturnConten
   override Location getLocation() { result instanceof EmptyLocation }
 }
 
-/** Holds if `access` indexes a tuple at an index corresponding to `c`. */
-private predicate fieldTuplePositionContent(FieldExprCfgNode access, TuplePositionContent c) {
-  access.getNameRef().getText().toInt() = c.getPosition()
-}
-
 /** A value that represents a set of `Content`s. */
 abstract class ContentSet extends TContentSet {
   /** Gets a textual representation of this element. */
@@ -1128,23 +1118,6 @@ module RustDataFlow implements InputSig<Location> {
       node2.(Node::FlowSummaryNode).getSummaryNode())
   }
 
-  /** Gets the item that `p` resolves to, if any. */
-  private PathResolution::ItemNode resolvePath(PathAstNode p) {
-    result = PathResolution::resolvePath(p.getPath())
-  }
-
-  /** Holds if `p` destructs an enum variant `v`. */
-  pragma[nomagic]
-  private predicate tupleVariantDestruction(TupleStructPat p, Variant v) { v = resolvePath(p) }
-
-  /** Holds if `p` destructs an enum variant `v`. */
-  pragma[nomagic]
-  private predicate recordVariantDestruction(RecordPat p, Variant v) { v = resolvePath(p) }
-
-  /** Holds if `p` destructs a struct `s`. */
-  pragma[nomagic]
-  private predicate structDestruction(RecordPat p, Struct s) { s = resolvePath(p) }
-
   /**
    * Holds if data can flow from `node1` to `node2` via a read of `c`.  Thus,
    * `node1` references an object with a content `c.getAReadContent()` whose
@@ -1156,7 +1129,7 @@ module RustDataFlow implements InputSig<Location> {
         pat = node1.asPat() and
         node2.asPat() = pat.getField(pos)
       |
-        tupleVariantDestruction(pat.getPat(), c.(VariantTupleFieldContent).getVariant(pos))
+        c = TTupleFieldContent(pat.getTupleStructPat().getTupleField(pos))
         or
         VariantInLib::tupleVariantCanonicalDestruction(pat.getPat(), c, pos)
       )
@@ -1169,25 +1142,17 @@ module RustDataFlow implements InputSig<Location> {
       or
       exists(RecordPatCfgNode pat, string field |
         pat = node1.asPat() and
-        (
-          // Pattern destructs a struct-like variant.
-          recordVariantDestruction(pat.getPat(), c.(VariantRecordFieldContent).getVariant(field))
-          or
-          // Pattern destructs a struct.
-          structDestruction(pat.getPat(), c.(StructFieldContent).getStruct(field))
-        ) and
+        c = TRecordFieldContent(pat.getRecordPat().getRecordField(field)) and
         node2.asPat() = pat.getFieldPat(field)
       )
       or
       c instanceof ReferenceContent and
       node1.asPat().(RefPatCfgNode).getPat() = node2.asPat()
       or
       exists(FieldExprCfgNode access |
-        // Read of a tuple entry
-        fieldTuplePositionContent(access, c) and
-        // TODO: Handle read of a struct field.
         node1.asExpr() = access.getExpr() and
-        node2.asExpr() = access
+        node2.asExpr() = access and
+        access = c.(FieldContent).getAnAccess()
       )
       or
       exists(IndexExprCfgNode arr |
@@ -1236,49 +1201,29 @@ module RustDataFlow implements InputSig<Location> {
       cs, node2.(Node::FlowSummaryNode).getSummaryNode())
   }
 
-  /** Holds if `ce` constructs an enum value of type `v`. */
-  pragma[nomagic]
-  private predicate tupleVariantConstruction(CallExpr ce, Variant v) {
-    v = resolvePath(ce.getFunction().(PathExpr))
-  }
-
-  /** Holds if `re` constructs an enum value of type `v`. */
   pragma[nomagic]
-  private predicate recordVariantConstruction(RecordExpr re, Variant v) { v = resolvePath(re) }
-
-  /** Holds if `re` constructs a struct value of type `s`. */
-  pragma[nomagic]
-  private predicate structConstruction(RecordExpr re, Struct s) { s = resolvePath(re) }
-
-  private predicate tupleAssignment(Node node1, Node node2, TuplePositionContent c) {
+  private predicate fieldAssignment(Node node1, Node node2, FieldContent c) {
     exists(AssignmentExprCfgNode assignment, FieldExprCfgNode access |
       assignment.getLhs() = access and
-      fieldTuplePositionContent(access, c) and
       node1.asExpr() = assignment.getRhs() and
-      node2.asExpr() = access.getExpr()
+      node2.asExpr() = access.getExpr() and
+      access = c.getAnAccess()
     )
   }
 
   pragma[nomagic]
   private predicate storeContentStep(Node node1, Content c, Node node2) {
     exists(CallExprCfgNode call, int pos |
-      node1.asExpr() = call.getArgument(pos) and
+      node1.asExpr() = call.getArgument(pragma[only_bind_into](pos)) and
       node2.asExpr() = call
     |
-      tupleVariantConstruction(call.getCallExpr(), c.(VariantTupleFieldContent).getVariant(pos))
+      c = TTupleFieldContent(call.getCallExpr().getTupleField(pragma[only_bind_into](pos)))
       or
       VariantInLib::tupleVariantCanonicalConstruction(call.getCallExpr(), c, pos)
     )
     or
     exists(RecordExprCfgNode re, string field |
-      (
-        // Expression is for a struct-like enum variant.
-        recordVariantConstruction(re.getRecordExpr(),
-          c.(VariantRecordFieldContent).getVariant(field))
-        or
-        // Expression is for a struct.
-        structConstruction(re.getRecordExpr(), c.(StructFieldContent).getStruct(field))
-      ) and
+      c = TRecordFieldContent(re.getRecordExpr().getRecordField(field)) and
       node1.asExpr() = re.getFieldExpr(field) and
       node2.asExpr() = re
     )
@@ -1295,7 +1240,7 @@ module RustDataFlow implements InputSig<Location> {
         node2.asExpr().(ArrayListExprCfgNode).getAnExpr()
       ]
     or
-    tupleAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
+    fieldAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
     or
     exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index |
       c instanceof ElementContent and
@@ -1338,7 +1283,7 @@ module RustDataFlow implements InputSig<Location> {
    * in `x.f = newValue`.
    */
   predicate clearsContent(Node n, ContentSet cs) {
-    tupleAssignment(_, n, cs.(SingletonContentSet).getContent())
+    fieldAssignment(_, n, cs.(SingletonContentSet).getContent())
     or
     FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(Node::FlowSummaryNode).getSummaryNode(),
       cs)
@@ -1644,10 +1589,10 @@ private module Cached {
 
   cached
   newtype TContent =
-    TVariantTupleFieldContent(Variant v, int pos) { exists(getVariantTupleField(v, pos)) } or
+    TTupleFieldContent(TupleField field) or
+    TRecordFieldContent(RecordField field) or
     // TODO: Remove once library types are extracted
     TVariantInLibTupleFieldContent(VariantInLib::VariantInLib v, int pos) { pos = v.getAPosition() } or
-    TVariantRecordFieldContent(Variant v, string field) { exists(getVariantRecordField(v, field)) } or
     TElementContent() or
     TTuplePositionContent(int pos) {
       pos in [0 .. max([
@@ -1656,9 +1601,6 @@ private module Cached {
               ]
           )]
     } or
-    TStructFieldContent(Struct s, string field) {
-      field = s.getFieldList().(RecordFieldList).getAField().getName().getText()
-    } or
     TFunctionCallReturnContent() or
     TFunctionCallArgumentContent(int pos) {
       pos in [0 .. any(CallExpr c).getArgList().getNumberOfArgs() - 1]