Rust: AST support for variables

Author: hvitved

rust/ql/lib/codeql/rust/elements/Variable.qll

@@ -0,0 +1,9 @@
+/**
+ * This module provides classes related to variables.
+ */
+
+private import internal.VariableImpl
+
+final class Variable = Impl::Variable;
+
+final class VariableAccess = Impl::VariableAccess;

rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll

@@ -0,0 +1,340 @@
+private import rust
+private import codeql.rust.elements.internal.generated.ParentChild
+private import codeql.rust.elements.internal.PathExprImpl::Impl as PathExprImpl
+
+module Impl {
+  /**
+   * A variable scope. Either a block `{ ... }`, the guard/rhs
+   * of a match arm, or the body of a closure.
+   */
+  abstract class VariableScope extends AstNode { }
+
+  class BlockExprScope extends VariableScope, BlockExpr { }
+
+  abstract class MatchArmScope extends VariableScope {
+    MatchArm arm;
+
+    bindingset[arm]
+    MatchArmScope() { exists(arm) }
+
+    Pat getPat() { result = arm.getPat() }
+  }
+
+  class MatchArmExprScope extends MatchArmScope {
+    MatchArmExprScope() { this = arm.getExpr() }
+  }
+
+  class MatchArmGuardScope extends MatchArmScope {
+    MatchArmGuardScope() { this = arm.getGuard() }
+  }
+
+  class ClosureBodyScope extends VariableScope {
+    ClosureBodyScope() { this = any(ClosureExpr ce).getBody() }
+  }
+
+  private Pat getImmediatePatParent(AstNode n) {
+    result = getImmediateParent(n)
+    or
+    result.(RecordPat).getRecordPatFieldList().getAField().getPat() = n
+  }
+
+  private Pat getAPatAncestor(Pat p) {
+    (p instanceof IdentPat or p instanceof OrPat) and
+    exists(Pat p0 | result = getImmediatePatParent(p0) |
+      p0 = p
+      or
+      p0 = getAPatAncestor(p) and
+      not p0 instanceof OrPat
+    )
+  }
+
+  /** Gets the immediately enclosing `|` pattern of `p`, if any */
+  private OrPat getEnclosingOrPat(Pat p) { result = getAPatAncestor(p) }
+
+  /** Gets the outermost enclosing `|` pattern parent of `p`, if any. */
+  private OrPat getOutermostEnclosingOrPat(IdentPat p) {
+    result = getEnclosingOrPat+(p) and
+    not exists(getEnclosingOrPat(result))
+  }
+
+  /**
+   * Holds if `p` declares a variable named `name` at `definingNode`. Normally,
+   * `definingNode = p`, except in cases like
+   *
+   * ```rust
+   * match either {
+   *     Either::Left(x) | Either::Right(x) => println!(x),
+   * }
+   * ```
+   *
+   * where `definingNode` is the entire `Either::Left(x) | Either::Right(x)`
+   * pattern.
+   */
+  private predicate variableDecl(AstNode definingNode, IdentPat p, string name) {
+    (
+      definingNode = getOutermostEnclosingOrPat(p)
+      or
+      not exists(getOutermostEnclosingOrPat(p)) and
+      definingNode = p.getName()
+    ) and
+    name = p.getName().getText()
+  }
+
+  /** A variable. */
+  class Variable extends MkVariable {
+    private AstNode definingNode;
+    private string name;
+
+    Variable() { this = MkVariable(definingNode, name) }
+
+    /** Gets the name of this variable. */
+    string getName() { result = name }
+
+    /** Gets the location of this variable. */
+    Location getLocation() { result = definingNode.getLocation() }
+
+    /** Gets a textual representation of this variable. */
+    string toString() { result = this.getName() }
+
+    /** Gets an access to this variable. */
+    VariableAccess getAnAccess() { result.getVariable() = this }
+  }
+
+  /** A path expression that may access a local variable. */
+  private class VariableAccessCand extends PathExpr {
+    string name_;
+
+    VariableAccessCand() {
+      exists(Path p, PathSegment ps |
+        p = this.getPath() and
+        not p.hasQualifier() and
+        ps = p.getPart() and
+        not ps.hasGenericArgList() and
+        not ps.hasParamList() and
+        not ps.hasPathType() and
+        not ps.hasReturnTypeSyntax() and
+        name_ = ps.getNameRef().getText()
+      )
+    }
+
+    string getName() { result = name_ }
+  }
+
+  private AstNode getAnAncestorInVariableScope(AstNode n) {
+    (
+      n instanceof Pat or
+      n instanceof VariableAccessCand or
+      n instanceof LetStmt or
+      n instanceof VariableScope
+    ) and
+    exists(AstNode n0 | result = getImmediateParent(n0) |
+      n0 = n
+      or
+      n0 = getAnAncestorInVariableScope(n) and
+      not n0 instanceof VariableScope
+    )
+  }
+
+  /** Gets the immediately enclosing variable scope of `n`. */
+  private VariableScope getEnclosingScope(AstNode n) { result = getAnAncestorInVariableScope(n) }
+
+  private Pat getAVariablePatAncestor(Variable v) {
+    exists(AstNode definingNode, string name |
+      v = MkVariable(definingNode, name) and
+      variableDecl(definingNode, result, name)
+    )
+    or
+    exists(Pat mid |
+      mid = getAVariablePatAncestor(v) and
+      result = getImmediatePatParent(mid)
+    )
+  }
+
+  /**
+   * Holds if `v` is named `name` and is declared inside variable scope
+   * `scope`, and `v` is bound starting from `(line, column)`.
+   */
+  private predicate variableDeclInScope(
+    Variable v, VariableScope scope, string name, int line, int column
+  ) {
+    name = v.getName() and
+    exists(Pat pat | pat = getAVariablePatAncestor(v) |
+      scope =
+        any(MatchArmScope arm |
+          arm.getPat() = pat and
+          arm.getLocation().hasLocationInfo(_, line, column, _, _)
+        )
+      or
+      exists(Function f |
+        f.getParamList().getAParam().getPat() = pat and
+        scope = f.getBody() and
+        scope.getLocation().hasLocationInfo(_, line, column, _, _)
+      )
+      or
+      exists(LetStmt let |
+        let.getPat() = pat and
+        scope = getEnclosingScope(let) and
+        // for `let` statements, variables are bound _after_ the statement, i.e.
+        // not in the RHS
+        let.getLocation().hasLocationInfo(_, _, _, line, column)
+      )
+      or
+      exists(IfExpr ie, LetExpr let |
+        let.getPat() = pat and
+        ie.getCondition() = let and
+        scope = ie.getThen() and
+        scope.getLocation().hasLocationInfo(_, line, column, _, _)
+      )
+      or
+      exists(ForExpr fe |
+        fe.getPat() = pat and
+        scope = fe.getLoopBody() and
+        scope.getLocation().hasLocationInfo(_, line, column, _, _)
+      )
+      or
+      exists(ClosureExpr ce |
+        ce.getParamList().getAParam().getPat() = pat and
+        scope = ce.getBody() and
+        scope.getLocation().hasLocationInfo(_, line, column, _, _)
+      )
+    )
+  }
+
+  /**
+   * Holds if `cand` may access a variable named `name` at
+   * `(startline, startcolumn, endline, endcolumn)` in the variable scope
+   * `scope`.
+   *
+   * `nestLevel` is the number of nested scopes that need to be traversed
+   * to reach `scope` from `cand`.
+   */
+  private predicate variableAccessCandInScope(
+    VariableAccessCand cand, VariableScope scope, string name, int nestLevel, int startline,
+    int startcolumn, int endline, int endcolumn
+  ) {
+    name = cand.getName() and
+    scope = [cand.(VariableScope), getEnclosingScope(cand)] and
+    cand.getLocation().hasLocationInfo(_, startline, startcolumn, endline, endcolumn) and
+    nestLevel = 0
+    or
+    exists(VariableScope inner |
+      variableAccessCandInScope(cand, inner, name, nestLevel - 1, _, _, _, _) and
+      scope = getEnclosingScope(inner) and
+      // Use the location of the inner scope as the location of the access, instead of the
+      // actual access location. This allows us to collapse multiple accesses in inner
+      // scopes to a single entity
+      scope.getLocation().hasLocationInfo(_, startline, startcolumn, endline, endcolumn)
+    )
+  }
+
+  private newtype TVariableOrAccessCand =
+    TVariableOrAccessCandVariable(Variable v) or
+    TVariableOrAccessCandVariableAccessCand(VariableAccessCand va)
+
+  private class VariableOrAccessCand extends TVariableOrAccessCand {
+    Variable asVariable() { this = TVariableOrAccessCandVariable(result) }
+
+    VariableAccessCand asVariableAccessCand() {
+      this = TVariableOrAccessCandVariableAccessCand(result)
+    }
+
+    string toString() {
+      result = this.asVariable().toString() or result = this.asVariableAccessCand().toString()
+    }
+
+    Location getLocation() {
+      result = this.asVariable().getLocation() or result = this.asVariableAccessCand().getLocation()
+    }
+
+    pragma[nomagic]
+    predicate rankBy(
+      string name, VariableScope scope, int startline, int startcolumn, int endline, int endcolumn
+    ) {
+      variableDeclInScope(this.asVariable(), scope, name, startline, startcolumn) and
+      endline = -1 and
+      endcolumn = -1
+      or
+      variableAccessCandInScope(this.asVariableAccessCand(), scope, name, _, startline, startcolumn,
+        endline, endcolumn)
+    }
+  }
+
+  /**
+   * Gets the rank of `v` amongst all other declarations or access candidates
+   * to a variable named `name` in the variable scope `scope`.
+   */
+  private int rankVariableOrAccess(VariableScope scope, string name, VariableOrAccessCand v) {
+    v =
+      rank[result + 1](VariableOrAccessCand v0, int startline, int startcolumn, int endline,
+        int endcolumn |
+        v0.rankBy(name, scope, startline, startcolumn, endline, endcolumn)
+      |
+        v0 order by startline, startcolumn, endline, endcolumn
+      )
+  }
+
+  /**
+   * Holds if `v` can reach rank `rnk` in the variable scope `scope`. This is needed to
+   * take shadowing into account, for example in
+   *
+   * ```rust
+   * let x = 0;  // rank 0
+   * use(x);     // rank 1
+   * let x = ""; // rank 2
+   * use(x);     // rank 3
+   * ```
+   *
+   * the declaration at rank 0 can only reach the access at rank 1, while the declaration
+   * at rank 2 can only reach the access at rank 3.
+   */
+  private predicate variableReachesRank(VariableScope scope, string name, Variable v, int rnk) {
+    rnk = rankVariableOrAccess(scope, name, TVariableOrAccessCandVariable(v))
+    or
+    variableReachesRank(scope, name, v, rnk - 1) and
+    rnk = rankVariableOrAccess(scope, name, TVariableOrAccessCandVariableAccessCand(_))
+  }
+
+  private predicate variableReachesCand(
+    VariableScope scope, string name, Variable v, VariableAccessCand cand, int nestLevel
+  ) {
+    exists(int rnk |
+      variableReachesRank(scope, name, v, rnk) and
+      rnk = rankVariableOrAccess(scope, name, TVariableOrAccessCandVariableAccessCand(cand)) and
+      variableAccessCandInScope(cand, scope, name, nestLevel, _, _, _, _)
+    )
+  }
+
+  /** A variable access. */
+  class VariableAccess extends PathExprImpl::PathExpr instanceof VariableAccessCand {
+    private string name;
+    private Variable v;
+
+    VariableAccess() { variableAccess(_, name, v, this) }
+
+    /** Gets the variable being accessed. */
+    Variable getVariable() { result = v }
+
+    override string toString() { result = name }
+
+    override string getAPrimaryQlClass() { result = "VariableAccess" }
+  }
+
+  cached
+  private module Cached {
+    cached
+    newtype TVariable =
+      MkVariable(AstNode definingNode, string name) { variableDecl(definingNode, _, name) }
+
+    cached
+    predicate variableAccess(VariableScope scope, string name, Variable v, VariableAccessCand cand) {
+      v =
+        min(Variable v0, int nestLevel |
+          variableReachesCand(scope, name, v0, cand, nestLevel)
+        |
+          v0 order by nestLevel
+        )
+    }
+  }
+
+  private import Cached
+}

rust/ql/lib/rust.qll

@@ -4,3 +4,4 @@ import codeql.rust.elements
 import codeql.Locations
 import codeql.files.FileSystem
 import codeql.rust.elements.LogicalOperation
+import codeql.rust.elements.Variable

rust/ql/test/extractor-tests/generated/LetExpr/LetExpr_getExpr.expected

@@ -1 +1 @@
-| gen_let_expr.rs:5:8:5:31 | LetExpr | gen_let_expr.rs:5:22:5:31 | PathExpr |
+| gen_let_expr.rs:5:8:5:31 | LetExpr | gen_let_expr.rs:5:22:5:31 | maybe_some |

rust/ql/test/extractor-tests/generated/MatchArm/MatchArm_getExpr.expected

@@ -1,4 +1,4 @@
-| gen_match_arm.rs:6:9:6:29 | MatchArm | gen_match_arm.rs:6:28:6:28 | PathExpr |
+| gen_match_arm.rs:6:9:6:29 | MatchArm | gen_match_arm.rs:6:28:6:28 | y |
 | gen_match_arm.rs:7:9:7:26 | MatchArm | gen_match_arm.rs:7:25:7:25 | 0 |
 | gen_match_arm.rs:10:9:10:35 | MatchArm | gen_match_arm.rs:10:30:10:34 | ... / ... |
 | gen_match_arm.rs:11:9:11:15 | MatchArm | gen_match_arm.rs:11:14:11:14 | 0 |

rust/ql/test/extractor-tests/generated/MatchExpr/MatchExpr_getExpr.expected

@@ -1,2 +1,2 @@
-| gen_match_expr.rs:5:5:8:5 | MatchExpr | gen_match_expr.rs:5:11:5:11 | PathExpr |
-| gen_match_expr.rs:9:5:12:5 | MatchExpr | gen_match_expr.rs:9:11:9:11 | PathExpr |
+| gen_match_expr.rs:5:5:8:5 | MatchExpr | gen_match_expr.rs:5:11:5:11 | x |
+| gen_match_expr.rs:9:5:12:5 | MatchExpr | gen_match_expr.rs:9:11:9:11 | x |