Rust: Fix type inference for library parameters

The old logic relied on parameters having a pattern, which is not the
case for parameters extracted from library code.

Author: hvitved

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -569,7 +569,7 @@ private module CallExprBaseMatchingInput implements MatchingInputSig {
       exists(Param p, int i, boolean inMethod |
         paramPos(this.getParamList(), p, i, inMethod) and
         dpos = TPositionalDeclarationPosition(i, inMethod) and
-        result = inferAnnotatedType(p.getPat(), path)
+        result = p.getTypeRepr().(TypeMention).resolveTypeAt(path)
       )
       or
       exists(SelfParam self |
@@ -676,9 +676,9 @@ private module CallExprBaseMatchingInput implements MatchingInputSig {
     }
 
     override AstNode getNodeAt(AccessPosition apos) {
-      result = super.getOperand(0) and apos = TSelfAccessPosition()
+      result = super.getOperand(0) and apos = TPositionalAccessPosition(0, false)
       or
-      result = super.getOperand(1) and apos = TPositionalAccessPosition(0, true)
+      result = super.getOperand(1) and apos = TPositionalAccessPosition(1, false)
       or
       result = this and apos = TReturnAccessPosition()
     }
@@ -774,7 +774,15 @@ private Type inferCallExprBaseType(AstNode n, TypePath path) {
     TypePath path0
   |
     n = a.getNodeAt(apos) and
-    result = CallExprBaseMatching::inferAccessType(a, apos, path0)
+    result = CallExprBaseMatching::inferAccessType(a, apos, path0) and
+    // Many operators are heavily overloaded, for example `i32` implements
+    // both `Add` and `Add<Rhs = &i32>`, so we avoid propagating type
+    // information back into operands, as otherwise e.g. `2` in `1 + 2` would
+    // also have inferred type `&i32`.
+    //
+    // A more principled solution would be to only resolve the correct method,
+    // based on the type of the right operand as well.
+    if a instanceof Operation then apos.isReturn() else any()
   |
     if apos.isSelf()
     then
@@ -1363,7 +1371,7 @@ private module Debug {
     exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
       result.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) and
       filepath.matches("%/main.rs") and
-      startline = 948
+      startline = 1248
     )
   }
 
@@ -1372,8 +1380,8 @@ private module Debug {
     result = inferType(n, path)
   }
 
-  Function debugResolveMethodCallExpr(MethodCallExpr mce) {
-    mce = getRelevantLocatable() and
-    result = resolveMethodCallTarget(mce)
+  Function debugResolveMethodCallExpr(MethodCall mc) {
+    mc = getRelevantLocatable() and
+    result = resolveMethodCallTarget(mc)
   }
 }

rust/ql/test/library-tests/dataflow/modeled/inline-flow.expected

@@ -6,11 +6,13 @@ models
 | 5 | Summary: lang:core; <crate::option::Option>::unwrap; Argument[self].Field[crate::option::Option::Some(0)]; ReturnValue; value |
 | 6 | Summary: lang:core; <crate::option::Option>::zip; Argument[0].Field[crate::option::Option::Some(0)]; ReturnValue.Field[crate::option::Option::Some(0)].Field[1]; value |
 | 7 | Summary: lang:core; <crate::pin::Pin>::into_inner; Argument[0]; ReturnValue; value |
-| 8 | Summary: lang:core; <crate::pin::Pin>::new; Argument[0]; ReturnValue; value |
-| 9 | Summary: lang:core; <crate::result::Result>::unwrap; Argument[self].Field[crate::result::Result::Ok(0)]; ReturnValue; value |
-| 10 | Summary: lang:core; <i64 as crate::clone::Clone>::clone; Argument[self].Reference; ReturnValue; value |
-| 11 | Summary: lang:core; crate::ptr::read; Argument[0].Reference; ReturnValue; value |
-| 12 | Summary: lang:core; crate::ptr::write; Argument[1]; Argument[0].Reference; value |
+| 8 | Summary: lang:core; <crate::pin::Pin>::into_inner_unchecked; Argument[0]; ReturnValue; value |
+| 9 | Summary: lang:core; <crate::pin::Pin>::new; Argument[0]; ReturnValue; value |
+| 10 | Summary: lang:core; <crate::pin::Pin>::new_unchecked; Argument[0].Reference; ReturnValue; value |
+| 11 | Summary: lang:core; <crate::result::Result>::unwrap; Argument[self].Field[crate::result::Result::Ok(0)]; ReturnValue; value |
+| 12 | Summary: lang:core; <i64 as crate::clone::Clone>::clone; Argument[self].Reference; ReturnValue; value |
+| 13 | Summary: lang:core; crate::ptr::read; Argument[0].Reference; ReturnValue; value |
+| 14 | Summary: lang:core; crate::ptr::write; Argument[1]; Argument[0].Reference; value |
 edges
 | main.rs:12:9:12:9 | a [Some] | main.rs:13:10:13:19 | a.unwrap() | provenance | MaD:5 |
 | main.rs:12:9:12:9 | a [Some] | main.rs:14:13:14:13 | a [Some] | provenance |  |
@@ -20,18 +22,18 @@ edges
 | main.rs:14:9:14:9 | b [Some] | main.rs:15:10:15:19 | b.unwrap() | provenance | MaD:5 |
 | main.rs:14:13:14:13 | a [Some] | main.rs:14:13:14:21 | a.clone() [Some] | provenance | generated |
 | main.rs:14:13:14:21 | a.clone() [Some] | main.rs:14:9:14:9 | b [Some] | provenance |  |
-| main.rs:19:9:19:9 | a [Ok] | main.rs:20:10:20:19 | a.unwrap() | provenance | MaD:9 |
+| main.rs:19:9:19:9 | a [Ok] | main.rs:20:10:20:19 | a.unwrap() | provenance | MaD:11 |
 | main.rs:19:9:19:9 | a [Ok] | main.rs:21:13:21:13 | a [Ok] | provenance |  |
 | main.rs:19:31:19:44 | Ok(...) [Ok] | main.rs:19:9:19:9 | a [Ok] | provenance |  |
 | main.rs:19:34:19:43 | source(...) | main.rs:19:31:19:44 | Ok(...) [Ok] | provenance |  |
-| main.rs:21:9:21:9 | b [Ok] | main.rs:22:10:22:19 | b.unwrap() | provenance | MaD:9 |
+| main.rs:21:9:21:9 | b [Ok] | main.rs:22:10:22:19 | b.unwrap() | provenance | MaD:11 |
 | main.rs:21:13:21:13 | a [Ok] | main.rs:21:13:21:21 | a.clone() [Ok] | provenance | generated |
 | main.rs:21:13:21:21 | a.clone() [Ok] | main.rs:21:9:21:9 | b [Ok] | provenance |  |
 | main.rs:26:9:26:9 | a | main.rs:27:10:27:10 | a | provenance |  |
 | main.rs:26:9:26:9 | a | main.rs:28:13:28:13 | a | provenance |  |
 | main.rs:26:13:26:22 | source(...) | main.rs:26:9:26:9 | a | provenance |  |
 | main.rs:28:9:28:9 | b | main.rs:29:10:29:10 | b | provenance |  |
-| main.rs:28:13:28:13 | a | main.rs:28:13:28:21 | a.clone() | provenance | MaD:10 |
+| main.rs:28:13:28:13 | a | main.rs:28:13:28:21 | a.clone() | provenance | MaD:12 |
 | main.rs:28:13:28:13 | a | main.rs:28:13:28:21 | a.clone() | provenance | generated |
 | main.rs:28:13:28:21 | a.clone() | main.rs:28:9:28:9 | b | provenance |  |
 | main.rs:43:18:43:22 | SelfParam [Wrapper] | main.rs:44:26:44:29 | self [Wrapper] | provenance |  |
@@ -64,8 +66,8 @@ edges
 | main.rs:69:18:69:23 | TuplePat [tuple.1] | main.rs:69:22:69:22 | m | provenance |  |
 | main.rs:69:22:69:22 | m | main.rs:71:22:71:22 | m | provenance |  |
 | main.rs:92:29:92:29 | [post] y [&ref] | main.rs:93:33:93:33 | y [&ref] | provenance |  |
-| main.rs:92:32:92:41 | source(...) | main.rs:92:29:92:29 | [post] y [&ref] | provenance | MaD:12 |
-| main.rs:93:33:93:33 | y [&ref] | main.rs:93:18:93:34 | ...::read(...) | provenance | MaD:11 |
+| main.rs:92:32:92:41 | source(...) | main.rs:92:29:92:29 | [post] y [&ref] | provenance | MaD:14 |
+| main.rs:93:33:93:33 | y [&ref] | main.rs:93:18:93:34 | ...::read(...) | provenance | MaD:13 |
 | main.rs:108:13:108:17 | mut i | main.rs:109:34:109:34 | i | provenance |  |
 | main.rs:108:13:108:17 | mut i | main.rs:110:33:110:33 | i | provenance |  |
 | main.rs:108:13:108:17 | mut i | main.rs:111:47:111:47 | i | provenance |  |
@@ -74,7 +76,7 @@ edges
 | main.rs:109:13:109:20 | mut pin1 [&ref] | main.rs:114:15:114:18 | pin1 [&ref] | provenance |  |
 | main.rs:109:13:109:20 | mut pin1 [&ref] | main.rs:115:31:115:34 | pin1 [&ref] | provenance |  |
 | main.rs:109:24:109:35 | ...::new(...) [&ref] | main.rs:109:13:109:20 | mut pin1 [&ref] | provenance |  |
-| main.rs:109:33:109:34 | &i [&ref] | main.rs:109:24:109:35 | ...::new(...) [&ref] | provenance | MaD:8 |
+| main.rs:109:33:109:34 | &i [&ref] | main.rs:109:24:109:35 | ...::new(...) [&ref] | provenance | MaD:9 |
 | main.rs:109:34:109:34 | i | main.rs:109:33:109:34 | &i [&ref] | provenance |  |
 | main.rs:110:13:110:20 | mut pin2 [&ref] | main.rs:116:15:116:18 | pin2 [&ref] | provenance |  |
 | main.rs:110:24:110:34 | ...::pin(...) [&ref] | main.rs:110:13:110:20 | mut pin2 [&ref] | provenance |  |
@@ -92,6 +94,15 @@ edges
 | main.rs:122:22:122:49 | MyStruct {...} [MyStruct] | main.rs:122:13:122:18 | mut ms [MyStruct] | provenance |  |
 | main.rs:122:38:122:47 | source(...) | main.rs:122:22:122:49 | MyStruct {...} [MyStruct] | provenance |  |
 | main.rs:127:14:127:15 | ms [MyStruct] | main.rs:127:14:127:19 | ms.val | provenance |  |
+| main.rs:136:13:136:18 | mut ms [MyStruct] | main.rs:137:44:137:45 | ms [MyStruct] | provenance |  |
+| main.rs:136:22:136:49 | MyStruct {...} [MyStruct] | main.rs:136:13:136:18 | mut ms [MyStruct] | provenance |  |
+| main.rs:136:38:136:47 | source(...) | main.rs:136:22:136:49 | MyStruct {...} [MyStruct] | provenance |  |
+| main.rs:137:13:137:20 | mut pin5 [MyStruct] | main.rs:139:40:139:43 | pin5 [MyStruct] | provenance |  |
+| main.rs:137:24:137:46 | ...::new_unchecked(...) [MyStruct] | main.rs:137:13:137:20 | mut pin5 [MyStruct] | provenance |  |
+| main.rs:137:43:137:45 | &ms [&ref, MyStruct] | main.rs:137:24:137:46 | ...::new_unchecked(...) [MyStruct] | provenance | MaD:10 |
+| main.rs:137:44:137:45 | ms [MyStruct] | main.rs:137:43:137:45 | &ms [&ref, MyStruct] | provenance |  |
+| main.rs:139:14:139:44 | ...::into_inner_unchecked(...) [MyStruct] | main.rs:139:14:139:48 | ... .val | provenance |  |
+| main.rs:139:40:139:43 | pin5 [MyStruct] | main.rs:139:14:139:44 | ...::into_inner_unchecked(...) [MyStruct] | provenance | MaD:8 |
 nodes
 | main.rs:12:9:12:9 | a [Some] | semmle.label | a [Some] |
 | main.rs:12:13:12:28 | Some(...) [Some] | semmle.label | Some(...) [Some] |
@@ -178,6 +189,16 @@ nodes
 | main.rs:122:38:122:47 | source(...) | semmle.label | source(...) |
 | main.rs:127:14:127:15 | ms [MyStruct] | semmle.label | ms [MyStruct] |
 | main.rs:127:14:127:19 | ms.val | semmle.label | ms.val |
+| main.rs:136:13:136:18 | mut ms [MyStruct] | semmle.label | mut ms [MyStruct] |
+| main.rs:136:22:136:49 | MyStruct {...} [MyStruct] | semmle.label | MyStruct {...} [MyStruct] |
+| main.rs:136:38:136:47 | source(...) | semmle.label | source(...) |
+| main.rs:137:13:137:20 | mut pin5 [MyStruct] | semmle.label | mut pin5 [MyStruct] |
+| main.rs:137:24:137:46 | ...::new_unchecked(...) [MyStruct] | semmle.label | ...::new_unchecked(...) [MyStruct] |
+| main.rs:137:43:137:45 | &ms [&ref, MyStruct] | semmle.label | &ms [&ref, MyStruct] |
+| main.rs:137:44:137:45 | ms [MyStruct] | semmle.label | ms [MyStruct] |
+| main.rs:139:14:139:44 | ...::into_inner_unchecked(...) [MyStruct] | semmle.label | ...::into_inner_unchecked(...) [MyStruct] |
+| main.rs:139:14:139:48 | ... .val | semmle.label | ... .val |
+| main.rs:139:40:139:43 | pin5 [MyStruct] | semmle.label | pin5 [MyStruct] |
 subpaths
 | main.rs:50:15:50:15 | w [Wrapper] | main.rs:43:18:43:22 | SelfParam [Wrapper] | main.rs:43:33:45:9 | { ... } [Wrapper] | main.rs:53:17:53:25 | w.clone() [Wrapper] |
 testFailures
@@ -198,3 +219,4 @@ testFailures
 | main.rs:116:14:116:18 | * ... | main.rs:108:21:108:30 | source(...) | main.rs:116:14:116:18 | * ... | $@ | main.rs:108:21:108:30 | source(...) | source(...) |
 | main.rs:117:14:117:18 | * ... | main.rs:108:21:108:30 | source(...) | main.rs:117:14:117:18 | * ... | $@ | main.rs:108:21:108:30 | source(...) | source(...) |
 | main.rs:127:14:127:19 | ms.val | main.rs:122:38:122:47 | source(...) | main.rs:127:14:127:19 | ms.val | $@ | main.rs:122:38:122:47 | source(...) | source(...) |
+| main.rs:139:14:139:48 | ... .val | main.rs:136:38:136:47 | source(...) | main.rs:139:14:139:48 | ... .val | $@ | main.rs:136:38:136:47 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/modeled/main.rs

@@ -95,8 +95,8 @@ mod ptr {
     }
 }
 
-use std::pin::Pin;
 use std::pin::pin;
+use std::pin::Pin;
 
 #[derive(Clone)]
 struct MyStruct {
@@ -136,7 +136,7 @@ fn test_pin() {
         let mut ms = MyStruct { val: source(42) };
         let mut pin5 = Pin::new_unchecked(&ms);
         sink(pin5.val); // $ MISSING: hasValueFlow=42
-        sink(Pin::into_inner_unchecked(pin5).val); // $ MISSING: hasValueFlow=42
+        sink(Pin::into_inner_unchecked(pin5).val); // $ hasValueFlow=42
     }
 
     {