Rust: turn off macro expansion in code to be expanded by attribute macros

[redsun82]

This commits were separated from #19314

The QL part was already reviewed in the context of that PR.

[Copilot]

Pull Request Overview

This PR updates the Rust extractor and QL query for CWE-696 to stop expanding inner macros when under attribute macros, and adjusts templates and tests to match the new behavior.

• Enhance edgesFwd to follow attribute macro expansions (with fallback) and refine alert messages.
• Track macro_context_depth in the extractor and wrap AST emissions with pre_emit/post_emit to suppress nested expansions.
• Update codegen templates and revise integration and query-test expectations to align spans and annotations.

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql	Handle attribute-macro expansions in edgesFwd and update the alert text
rust/extractor/src/translate/base.rs	Introduce macro_context_depth, setup_item_expansion, and skip nested macro-call emissions
rust/ast-generator/templates/extractor.mustache	Replace emit_detached with pre_emit/post_emit hooks around node emissions
rust/ql/test/query-tests/security/CWE-696/test.rs	Adjust test annotations (Source/Alert) for ctor initialization cases
rust/ql/test/query-tests/security/CWE-696/BadCTorInitialization.expected	Update expected error spans and messages for ctor initialization tests
rust/ql/integration-tests/macro-expansion/src/lib.rs	Add function body and nested #[repeat] call to test nested macro expansion
rust/ql/integration-tests/macro-expansion/test.expected	Revise integration-test spans for expanded macros
rust/ql/integration-tests/macro-expansion/summary.qlref	Add summary query for reduced macro-expansion statistics
rust/ql/integration-tests/macro-expansion/summary.expected	Introduce expected macro-expansion summary stats

Comments suppressed due to low confidence (2)

rust/ql/test/query-tests/security/CWE-696/test.rs:168

• The annotation on the #[ctor] for bad4_1 was changed to an Alert marker, and the corresponding Alert on the macro call was removed. To keep the test harness consistent, the attribute line should be // $ Source=source4_1 and the call line should have // $ Alert[rust/ctor-initialization]=source4_1.

#[ctor] // $ Alert[rust/ctor-initialization]

rust/ql/integration-tests/macro-expansion/test.expected:4

• [nitpick] This mapping for fn inner → fn inner_0 at 0 is repeated multiple times. Consolidate duplicate entries to one line per mapping for clarity.

| src/lib.rs:7:5:8:16 | fn inner | 0 | src/lib.rs:8:5:8:16 | fn inner_0 |

[redsun82]

This looks pretty good on the experiment prior to the merge from main (with the library extraction merge). @aibaars I think we can review this, I'll restart another DCA to see how this interacts with the library extraction work.

[aibaars]

Looks good to me. Let's not forget to remove

codeql/rust/extractor/src/translate/base.rs

Lines 737 to 740 in a749cf9

	// TODO: remove this after fixing exponential expansion on libraries like funty-2.0.0
	if self.source_kind == SourceKind::Library {
	return;
	}

in a followup pull request.

Done in #19588