wip

Author: hvitved

rust/ql/lib/codeql/rust/internal/PathResolution.qll

@@ -2137,7 +2137,7 @@ private module Debug {
     exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
       result.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) and
       filepath.matches("%/main.rs") and
-      startline = 52
+      startline = 2909
     )
   }
 

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -748,6 +748,8 @@ private Type inferTypeEquality(AstNode n, TypePath path) {
 /**
  * A matching configuration for resolving types of struct expressions
  * like `Foo { bar = baz }`.
+ *
+ * This also includes nullary struct expressions like `None`.
  */
 private module StructExprMatchingInput implements MatchingInputSig {
   private newtype TPos =
@@ -830,26 +832,96 @@ private module StructExprMatchingInput implements MatchingInputSig {
 
   class AccessPosition = DeclarationPosition;
 
-  class Access extends StructExpr {
+  abstract class Access extends AstNode {
+    pragma[nomagic]
+    abstract AstNode getNodeAt(AccessPosition apos);
+
+    pragma[nomagic]
+    Type getInferredType(AccessPosition apos, TypePath path) {
+      result = inferType(this.getNodeAt(apos), path)
+    }
+
+    pragma[nomagic]
+    abstract Path getStructPath();
+
+    pragma[nomagic]
+    Declaration getTarget() { result = resolvePath(this.getStructPath()) }
+
+    pragma[nomagic]
     Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
+      exists(TypeMention tm, Path p, ItemNode target, int i |
+        p = this.getStructPath() and
+        target = this.getTarget() and
+        apos.asTypeParam() = target.getTypeParam(pragma[only_bind_into](i)) and
+        result = tm.resolveTypeAt(path)
+      |
+        // e.g. `Option::None::<i32>`
+        tm = p.getSegment().getGenericArgList().getTypeArg(pragma[only_bind_into](i))
+        or
+        // todo: share logic with TypeMention.qll
+        // e.g. `Option::<i32>::None`
+        target instanceof Variant and
+        not exists(p.getSegment().getGenericArgList().getTypeArg(_)) and
+        tm = p.getQualifier().getSegment().getGenericArgList().getTypeArg(pragma[only_bind_into](i))
+      )
+    }
+
+    /**
+     * Holds if the return type of this call at `path` may have to be inferred
+     * from the context.
+     */
+    pragma[nomagic]
+    predicate isContextTypedAt(DeclarationPosition pos, TypePath path) {
+      // Struct declarations, such as `Foo::Bar{field = ...}`, may also be context typed
+      exists(Declaration td, TypeParameter tp |
+        td = this.getTarget() and
+        pos.isStructPos() and
+        tp = td.getDeclaredType(pos, path) and
+        not exists(DeclarationPosition paramDpos |
+          not paramDpos.isStructPos() and
+          tp = td.getDeclaredType(paramDpos, _)
+        ) and
+        // check that no explicit type arguments have been supplied for `tp`
+        not exists(TypeArgumentPosition tapos |
+          exists(this.getTypeArgument(tapos, _)) and
+          TTypeParamTypeParameter(tapos.asTypeParam()) = tp
+        )
+      )
+    }
+  }
+
+  private class StructExprAccess extends Access, StructExpr {
+    override Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
+      result = super.getTypeArgument(apos, path)
+      or
       exists(TypePath suffix |
         suffix.isCons(TTypeParamTypeParameter(apos.asTypeParam()), path) and
         result = CertainTypeInference::inferCertainType(this, suffix)
       )
     }
 
-    AstNode getNodeAt(AccessPosition apos) {
+    override AstNode getNodeAt(AccessPosition apos) {
       result = this.getFieldExpr(apos.asFieldPos()).getExpr()
       or
       result = this and
       apos.isStructPos()
     }
 
-    Type getInferredType(AccessPosition apos, TypePath path) {
-      result = inferType(this.getNodeAt(apos), path)
+    override Path getStructPath() { result = this.getPath() }
+  }
+
+  /**
+   * A potential nullary struct/variant construction such as `None`.
+   */
+  private class PathExprAccess extends Access, PathExpr {
+    PathExprAccess() { not exists(CallExpr ce | this = ce.getFunction()) }
+
+    override AstNode getNodeAt(AccessPosition apos) {
+      result = this and
+      apos.isStructPos()
     }
 
-    Declaration getTarget() { result = resolvePath(this.getPath()) }
+    override Path getStructPath() { result = this.getPath() }
   }
 
   predicate accessDeclarationPositionMatch(AccessPosition apos, DeclarationPosition dpos) {
@@ -859,36 +931,32 @@ private module StructExprMatchingInput implements MatchingInputSig {
 
 private module StructExprMatching = Matching<StructExprMatchingInput>;
 
-/**
- * Gets the type of `n` at `path`, where `n` is either a struct expression or
- * a field expression of a struct expression.
- */
 pragma[nomagic]
-private Type inferStructExprType(AstNode n, TypePath path) {
+private Type inferStructExprType0(AstNode n, boolean isReturn, TypePath path) {
   exists(StructExprMatchingInput::Access a, StructExprMatchingInput::AccessPosition apos |
     n = a.getNodeAt(apos) and
+    if apos.isStructPos() then isReturn = true else isReturn = false
+  |
     result = StructExprMatching::inferAccessType(a, apos, path)
+    or
+    a.isContextTypedAt(apos, path) and
+    result = TContextType()
   )
 }
 
+/**
+ * Gets the type of `n` at `path`, where `n` is either a struct expression or
+ * a field expression of a struct expression.
+ */
+private predicate inferStructExprType =
+  ContextTyping::CheckContextTyping<inferStructExprType0/3>::check/2;
+
 pragma[nomagic]
 private Type inferTupleRootType(AstNode n) {
   // `typeEquality` handles the non-root cases
   result = TTuple([n.(TupleExpr).getNumberOfFields(), n.(TuplePat).getTupleArity()])
 }
 
-pragma[nomagic]
-private Type inferPathExprType(PathExpr pe, TypePath path) {
-  // nullary struct/variant constructors
-  not exists(CallExpr ce | pe = ce.getFunction()) and
-  path.isEmpty() and
-  exists(ItemNode i | i = resolvePath(pe.getPath()) |
-    result = TEnum(i.(Variant).getEnum())
-    or
-    result = TStruct(i)
-  )
-}
-
 pragma[nomagic]
 private Path getCallExprPathQualifier(CallExpr ce) {
   result = CallExprImpl::getFunctionPath(ce).getQualifier()
@@ -982,7 +1050,7 @@ private module ContextTyping {
   pragma[nomagic]
   private predicate isContextTyped(AstNode n) { isContextTyped(n, _) }
 
-  signature Type inferCallTypeSig(AstNode n, FunctionPosition pos, TypePath path);
+  signature Type inferCallTypeSig(AstNode n, boolean isReturn, TypePath path);
 
   /**
    * Given a predicate `inferCallType` for inferring the type of a call at a given
@@ -992,30 +1060,24 @@ private module ContextTyping {
    */
   module CheckContextTyping<inferCallTypeSig/3 inferCallType> {
     pragma[nomagic]
-    private Type inferCallTypeFromContextCand(
-      AstNode n, FunctionPosition pos, TypePath path, TypePath prefix
-    ) {
-      result = inferCallType(n, pos, path) and
-      not pos.isReturn() and
+    private Type inferCallTypeFromContextCand(AstNode n, TypePath path, TypePath prefix) {
+      result = inferCallType(n, false, path) and
       isContextTyped(n) and
       prefix = path
       or
       exists(TypePath mid |
-        result = inferCallTypeFromContextCand(n, pos, path, mid) and
+        result = inferCallTypeFromContextCand(n, path, mid) and
         mid.isSnoc(prefix, _)
       )
     }
 
     pragma[nomagic]
     Type check(AstNode n, TypePath path) {
-      exists(FunctionPosition pos |
-        result = inferCallType(n, pos, path) and
-        pos.isReturn()
-        or
-        exists(TypePath prefix |
-          result = inferCallTypeFromContextCand(n, pos, path, prefix) and
-          isContextTyped(n, prefix)
-        )
+      result = inferCallType(n, true, path)
+      or
+      exists(TypePath prefix |
+        result = inferCallTypeFromContextCand(n, path, prefix) and
+        isContextTyped(n, prefix)
       )
     }
   }
@@ -2131,11 +2193,13 @@ private Type inferMethodCallType0(
 }
 
 pragma[nomagic]
-private Type inferMethodCallType1(
-  AstNode n, MethodCallMatchingInput::AccessPosition apos, TypePath path
-) {
-  exists(MethodCallMatchingInput::Access a, string derefChainBorrow, TypePath path0 |
-    result = inferMethodCallType0(a, apos, n, derefChainBorrow, path0)
+private Type inferMethodCallType1(AstNode n, boolean isReturn, TypePath path) {
+  exists(
+    MethodCallMatchingInput::Access a, MethodCallMatchingInput::AccessPosition apos,
+    string derefChainBorrow, TypePath path0
+  |
+    result = inferMethodCallType0(a, apos, n, derefChainBorrow, path0) and
+    if apos.isReturn() then isReturn = true else isReturn = false
   |
     (
       not apos.isSelf()
@@ -2460,6 +2524,9 @@ private module NonMethodResolution {
 /**
  * A matching configuration for resolving types of calls like
  * `foo::bar(baz)` where the target is not a method.
+ *
+ * This also includes "calls" to tuple variants and tuple structs such
+ * as `Result::Ok(42)`.
  */
 private module NonMethodCallMatchingInput implements MatchingInputSig {
   import FunctionPositionMatchingInput
@@ -2577,42 +2644,31 @@ private module NonMethodCallMatchingInput implements MatchingInputSig {
     }
   }
 
-  class Access extends NonMethodResolution::NonMethodCall, ContextTyping::ContextTypedCallCand {
+  abstract class Access extends AstNode {
     pragma[nomagic]
-    override Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
-      result = getCallExprTypeArgument(this, apos).resolveTypeAt(path)
-    }
+    abstract Type getTypeArgument(TypeArgumentPosition apos, TypePath path);
 
     pragma[nomagic]
-    Type getInferredType(AccessPosition apos, TypePath path) {
-      apos.isSelf() and
-      result = getCallExprTypeQualifier(this, path)
-      or
-      result = inferType(this.getNodeAt(apos), path)
-    }
+    abstract AstNode getNodeAt(FunctionPosition pos);
 
-    Declaration getTarget() {
-      result = this.resolveCallTarget() // potential mutual recursion; resolving some associated function calls requires resolving types
-    }
+    pragma[nomagic]
+    abstract Type getInferredType(AccessPosition apos, TypePath path);
+
+    pragma[nomagic]
+    abstract Declaration getTarget();
+
+    pragma[nomagic]
+    abstract Declaration getTargetForContextTyping();
 
     /**
      * Holds if the return type of this call at `path` may have to be inferred
      * from the context.
      */
     pragma[nomagic]
     predicate isContextTypedAt(FunctionPosition pos, TypePath path) {
-      exists(ImplOrTraitItemNode i |
-        this.isContextTypedAt(i,
-          [
-            this.resolveCallTargetViaPathResolution().(NonMethodFunction),
-            this.resolveCallTargetViaTypeInference(i),
-            this.resolveTraitFunctionViaPathResolution(i)
-          ], pos, path)
-      )
-      or
-      // Tuple declarations, such as `None`, may also be context typed
+      // Tuple declarations, such as `Result::Ok(...)`, may also be context typed
       exists(TupleDeclaration td, TypeParameter tp |
-        td = this.resolveCallTargetViaPathResolution() and
+        td = this.getTargetForContextTyping() and
         pos.isReturn() and
         tp = td.getReturnType(path) and
         not tp = td.getParameterType(_, _) and
@@ -2624,15 +2680,55 @@ private module NonMethodCallMatchingInput implements MatchingInputSig {
       )
     }
   }
+
+  private class NonMethodCallAccess extends Access, ContextTyping::ContextTypedCallCand instanceof NonMethodResolution::NonMethodCall
+  {
+    override Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
+      result = getCallExprTypeArgument(this, apos).resolveTypeAt(path)
+    }
+
+    override AstNode getNodeAt(FunctionPosition pos) {
+      result = NonMethodResolution::NonMethodCall.super.getNodeAt(pos)
+    }
+
+    override Type getInferredType(AccessPosition apos, TypePath path) {
+      apos.isSelf() and
+      result = getCallExprTypeQualifier(this, path)
+      or
+      result = inferType(this.getNodeAt(apos), path)
+    }
+
+    override Declaration getTarget() {
+      result = super.resolveCallTarget() // potential mutual recursion; resolving some associated function calls requires resolving types
+    }
+
+    override Declaration getTargetForContextTyping() {
+      result = super.resolveCallTargetViaPathResolution()
+    }
+
+    override predicate isContextTypedAt(FunctionPosition pos, TypePath path) {
+      super.isContextTypedAt(pos, path)
+      or
+      exists(ImplOrTraitItemNode i |
+        this.isContextTypedAt(i,
+          [
+            super.resolveCallTargetViaPathResolution().(NonMethodFunction),
+            super.resolveCallTargetViaTypeInference(i),
+            super.resolveTraitFunctionViaPathResolution(i)
+          ], pos, path)
+      )
+    }
+  }
 }
 
 private module NonMethodCallMatching = Matching<NonMethodCallMatchingInput>;
 
 pragma[nomagic]
-private Type inferNonMethodCallType0(
-  AstNode n, NonMethodCallMatchingInput::AccessPosition apos, TypePath path
-) {
-  exists(NonMethodCallMatchingInput::Access a | n = a.getNodeAt(apos) |
+private Type inferNonMethodCallType0(AstNode n, boolean isReturn, TypePath path) {
+  exists(NonMethodCallMatchingInput::Access a, NonMethodCallMatchingInput::AccessPosition apos |
+    n = a.getNodeAt(apos) and
+    if apos.isReturn() then isReturn = true else isReturn = false
+  |
     result = NonMethodCallMatching::inferAccessType(a, apos, path)
     or
     a.isContextTypedAt(apos, path) and
@@ -2715,12 +2811,11 @@ private module OperationMatchingInput implements MatchingInputSig {
 private module OperationMatching = Matching<OperationMatchingInput>;
 
 pragma[nomagic]
-private Type inferOperationType0(
-  AstNode n, OperationMatchingInput::AccessPosition apos, TypePath path
-) {
-  exists(OperationMatchingInput::Access a |
+private Type inferOperationType0(AstNode n, boolean isReturn, TypePath path) {
+  exists(OperationMatchingInput::Access a, OperationMatchingInput::AccessPosition apos |
     n = a.getNodeAt(apos) and
-    result = OperationMatching::inferAccessType(a, apos, path)
+    result = OperationMatching::inferAccessType(a, apos, path) and
+    if apos.isReturn() then isReturn = true else isReturn = false
   )
 }
 
@@ -3488,8 +3583,6 @@ private module Cached {
       or
       result = inferStructExprType(n, path)
       or
-      result = inferPathExprType(n, path)
-      or
       result = inferMethodCallType(n, path)
       or
       result = inferNonMethodCallType(n, path)