Rust: Restrict type propagation into arguments

Author: hvitved

rust/ql/lib/codeql/rust/internal/Type.qll

@@ -51,6 +51,7 @@ newtype TType =
   TSliceType() or
   TNeverType() or
   TPtrType() or
+  TContextType() or
   TTupleTypeParameter(int arity, int i) { exists(TTuple(arity)) and i in [0 .. arity - 1] } or
   TTypeParamTypeParameter(TypeParam t) or
   TAssociatedTypeTypeParameter(TypeAlias t) { any(TraitItemNode trait).getAnAssocItem() = t } or
@@ -371,6 +372,26 @@ class PtrType extends Type, TPtrType {
   override Location getLocation() { result instanceof EmptyLocation }
 }
 
+/**
+ * A special pseudo type used to indicate that the actual type is to be inferred
+ * from a context.
+ *
+ * For example, a call like `Default::default()` is assigned this type, which
+ * means that the actual type is to be inferred from the context in which the call
+ * occurs.
+ *
+ * Context types are not restricted to root types, for example in a call like
+ * `Vec::new()` we assign this type at the type path corresponding to the type
+ * parameter of `Vec`.
+ */
+class ContextType extends Type, TContextType {
+  override TypeParameter getPositionalTypeParameter(int i) { none() }
+
+  override string toString() { result = "(context typed)" }
+
+  override Location getLocation() { result instanceof EmptyLocation }
+}
+
 /** A type parameter. */
 abstract class TypeParameter extends Type {
   override TypeParameter getPositionalTypeParameter(int i) { none() }

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -865,6 +865,38 @@ private Type inferPathExprType(PathExpr pe, TypePath path) {
   )
 }
 
+/**
+ * A call where the type of the result may have to be inferred from the
+ * context in which the call appears.
+ */
+abstract private class ContextTypedCallCand extends AstNode {
+  abstract predicate hasTypeArgument(TypeArgumentPosition apos);
+
+  /**
+   * Holds if `this` call resolves to `target` and the type at `pos` and `path`
+   * may be inferred from the context.
+   */
+  bindingset[this, target]
+  predicate isContextTypedAt(Function target, TypePath path, FunctionPosition pos) {
+    exists(TypeParameter tp |
+      assocFunctionReturnContextTypedAt(target, pos, path, tp) and
+      // check that no explicit type arguments have been supplied for `tp`
+      not exists(TypeArgumentPosition tapos | this.hasTypeArgument(tapos) |
+        exists(int i |
+          i = tapos.asMethodTypeArgumentPosition() and
+          tp = TTypeParamTypeParameter(target.getGenericParamList().getTypeParam(i))
+        )
+        or
+        TTypeParamTypeParameter(tapos.asTypeParam()) = tp
+      ) and
+      not (
+        tp instanceof TSelfTypeParameter and
+        exists(getCallExprTypeQualifier(this, _))
+      )
+    )
+  }
+}
+
 pragma[nomagic]
 private Path getCallExprPathQualifier(CallExpr ce) {
   result = CallExprImpl::getFunctionPath(ce).getQualifier()
@@ -1890,7 +1922,7 @@ private module MethodCallMatchingInput implements MatchingWithEnvironmentInputSi
 
   final private class MethodCallFinal = MethodResolution::MethodCall;
 
-  class Access extends MethodCallFinal {
+  class Access extends MethodCallFinal, ContextTypedCallCand {
     Access() {
       // handled in the `OperationMatchingInput` module
       not this instanceof Operation
@@ -1906,6 +1938,10 @@ private module MethodCallMatchingInput implements MatchingWithEnvironmentInputSi
       )
     }
 
+    override predicate hasTypeArgument(TypeArgumentPosition apos) {
+      exists(this.getTypeArgument(apos, _))
+    }
+
     pragma[nomagic]
     private Type getInferredSelfType(string derefChain, boolean borrow, TypePath path) {
       result = this.getACandidateReceiverTypeAt(derefChain, borrow, path)
@@ -1961,7 +1997,12 @@ private Type inferMethodCallType0(
 ) {
   exists(TypePath path0 |
     n = a.getNodeAt(apos) and
-    result = MethodCallMatching::inferAccessType(a, derefChainBorrow, apos, path0)
+    (
+      result = MethodCallMatching::inferAccessType(a, derefChainBorrow, apos, path0)
+      or
+      a.isContextTypedAt(a.getTarget(derefChainBorrow), path0, apos) and
+      result = TContextType()
+    )
   |
     if
       // index expression `x[i]` desugars to `*x.index(i)`, so we must account for
@@ -1973,6 +2014,9 @@ private Type inferMethodCallType0(
   )
 }
 
+pragma[nomagic]
+private TypePath getContextTypePath(AstNode n) { inferType(n, result) = TContextType() }
+
 /**
  * Gets the type of `n` at `path`, where `n` is either a method call or an
  * argument/receiver of a method call.
@@ -1983,7 +2027,8 @@ private Type inferMethodCallType(AstNode n, TypePath path) {
     MethodCallMatchingInput::Access a, MethodCallMatchingInput::AccessPosition apos,
     string derefChainBorrow, TypePath path0
   |
-    result = inferMethodCallType0(a, apos, n, derefChainBorrow, path0)
+    result = inferMethodCallType0(a, apos, n, derefChainBorrow, path0) and
+    if not apos.isReturn() then path.startsWith(getContextTypePath(n)) else any()
   |
     (
       not apos.isSelf()
@@ -2171,6 +2216,12 @@ private module NonMethodResolution {
       or
       result = this.resolveCallTargetRec()
     }
+
+    pragma[nomagic]
+    Function resolveTraitFunction() {
+      this.(Call).hasTrait() and
+      result = this.getPathResolutionResolved()
+    }
   }
 
   private newtype TCallAndBlanketPos =
@@ -2405,12 +2456,16 @@ private module NonMethodCallMatchingInput implements MatchingInputSig {
     }
   }
 
-  class Access extends NonMethodResolution::NonMethodCall {
+  class Access extends NonMethodResolution::NonMethodCall, ContextTypedCallCand {
     pragma[nomagic]
     Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
       result = getCallExprTypeArgument(this, apos).resolveTypeAt(path)
     }
 
+    override predicate hasTypeArgument(TypeArgumentPosition apos) {
+      exists(this.getTypeArgument(apos, _))
+    }
+
     pragma[nomagic]
     Type getInferredType(AccessPosition apos, TypePath path) {
       apos.isSelf() and
@@ -2431,7 +2486,12 @@ pragma[nomagic]
 private Type inferNonMethodCallType(AstNode n, TypePath path) {
   exists(NonMethodCallMatchingInput::Access a, NonMethodCallMatchingInput::AccessPosition apos |
     n = a.getNodeAt(apos) and
+    if not apos.isReturn() then path.startsWith(getContextTypePath(n)) else any()
+  |
     result = NonMethodCallMatching::inferAccessType(a, apos, path)
+    or
+    a.isContextTypedAt([a.resolveCallTarget().(Function), a.resolveTraitFunction()], path, apos) and
+    result = TContextType()
   )
 }
 
@@ -2510,7 +2570,8 @@ pragma[nomagic]
 private Type inferOperationType(AstNode n, TypePath path) {
   exists(OperationMatchingInput::Access a, OperationMatchingInput::AccessPosition apos |
     n = a.getNodeAt(apos) and
-    result = OperationMatching::inferAccessType(a, apos, path)
+    result = OperationMatching::inferAccessType(a, apos, path) and
+    if not apos.isReturn() then path.startsWith(getContextTypePath(n)) else any()
   )
 }
 
@@ -3291,8 +3352,10 @@ private module Debug {
   Locatable getRelevantLocatable() {
     exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
       result.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) and
-      filepath.matches("%/sqlx.rs") and
-      startline = [56 .. 60]
+      filepath.matches("%/crate/data_derive/src/lib.rs") and
+      startline = [48, 74]
+      // filepath.matches("%/main.rs") and
+      // startline = [2525]
     )
   }
 
@@ -3355,7 +3418,7 @@ private module Debug {
   }
 
   predicate countTypesForNodeAtLimit(AstNode n, int c) {
-    n = getRelevantLocatable() and
+    // n = getRelevantLocatable() and
     c = strictcount(Type t, TypePath path | t = debugInferTypeForNodeAtLimit(n, path))
   }
 

rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll

@@ -418,3 +418,24 @@ module ArgsAreInstantiationsOf<ArgsAreInstantiationsOfInputSig Input> {
     )
   }
 }
+
+/**
+ * Holds if the return type of the function `f` at path `path` is `tp`,
+ * and `tp` does not appear in the type of any parameter of `f`.
+ *
+ * In this case, the context in which `f` is called may be needed to infer
+ * the instantiation of `tp`.
+ */
+pragma[nomagic]
+predicate assocFunctionReturnContextTypedAt(
+  Function f, FunctionPosition pos, TypePath path, TypeParameter tp
+) {
+  exists(ImplOrTraitItemNode i |
+    pos.isReturn() and
+    assocFunctionTypeAt(f, i, pos, path, tp) and
+    not exists(FunctionPosition nonResPos |
+      not nonResPos.isReturn() and
+      assocFunctionTypeAt(f, i, nonResPos, _, tp)
+    )
+  )
+}

rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/PathResolutionConsistency.expected

@@ -0,0 +1,16 @@
+multipleCallTargets
+| test.rs:113:62:113:77 | ...::from(...) |
+| test.rs:120:58:120:73 | ...::from(...) |
+| test.rs:229:22:229:72 | ... .read_to_string(...) |
+| test.rs:911:24:911:34 | row.take(...) |
+| test.rs:998:24:998:34 | row.take(...) |
+| test.rs:1096:50:1096:66 | ...::from(...) |
+| test.rs:1096:50:1096:66 | ...::from(...) |
+| test_futures_io.rs:35:26:35:63 | pinned.poll_read(...) |
+| test_futures_io.rs:62:22:62:50 | pinned.poll_fill_buf(...) |
+| test_futures_io.rs:69:23:69:67 | ... .poll_fill_buf(...) |
+| test_futures_io.rs:93:26:93:63 | pinned.poll_read(...) |
+| test_futures_io.rs:116:22:116:50 | pinned.poll_fill_buf(...) |
+multiplePathResolutions
+| test.rs:897:28:897:65 | Result::<...> |
+| test.rs:984:40:984:49 | Result::<...> |

rust/ql/test/library-tests/dataflow/sources/database/CONSISTENCY/PathResolutionConsistency.expected

@@ -1,3 +1,6 @@
+multipleCallTargets
+| test.rs:24:24:24:34 | row.take(...) |
+| test.rs:111:24:111:34 | row.take(...) |
 multiplePathResolutions
 | test.rs:10:28:10:65 | Result::<...> |
 | test.rs:97:40:97:49 | Result::<...> |

rust/ql/test/library-tests/sensitivedata/CONSISTENCY/PathResolutionConsistency.expected

@@ -0,0 +1,2 @@
+multipleCallTargets
+| test.rs:288:7:288:36 | ... .as_str() |