Rust: Improve rust/access-invalid-pointer

[geoffw0]

Improve rust/access-invalid-pointer:

• add some test cases covering issues we found in the MRVA-1000 runs.
• add a model for core::ptr::null_mut (-> more results).
• add a null check barrier for the query (-> fewer false positives).

Note that the null check barrier only works for immutable pointers (at present), due to some limitations in the design of barrier guards and SSA (specifically, the call to DfInput::getARead(def) from Ssa.qlls guardChecksSsaDef isn't getting us what we want). I'll write up an issue for that and I would appreciate anybody's thoughts on how best to fix it.

[Copilot]

Pull Request Overview

This PR improves the rust/access-invalid-pointer query to detect more invalid pointer access vulnerabilities while reducing false positives. The changes add support for detecting null pointers created via core::ptr::null_mut, introduce a null check barrier to reduce false positives, and include comprehensive test cases covering various conditional scenarios.

• Adds a model for core::ptr::null_mut as a source of invalid pointers
• Implements a null check barrier that recognizes when pointers are validated before use (currently only effective for immutable pointers due to SSA limitations)
• Adds extensive test coverage for conditional null checks and short-circuit evaluation scenarios

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
rust/ql/src/change-notes/2025-17-11-access-invalid-pointer.md	Change note documenting the query improvements (contains date format issue in filename)
rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql	Refactored to import AccessInvalidPointer module directly and use simplified references
rust/ql/lib/codeql/rust/security/Barriers.qll	Adds NotNullCheckBarrier class to recognize null pointer checks via is_null() method
rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll	Integrates the new NotNullCheckBarrier into the AccessInvalidPointer analysis
rust/ql/lib/codeql/rust/frameworks/stdlib/core.model.yml	Adds model for core::ptr::null_mut as a source of invalid pointers
rust/ql/test/query-tests/security/CWE-825/main.rs	Adds call to new test function test_ptr_invalid_conditions
rust/ql/test/query-tests/security/CWE-825/deallocation.rs	Extensive test cases for null pointer checks in various conditional scenarios
rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected	Updated expected results reflecting new detections and barrier behavior
rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected	Updated line number references due to new code additions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[paldepind]

Looks good to me!

[geoffw0]

Ready for re-approval.