wip

Author: hvitved

rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll

@@ -5,7 +5,10 @@
 private import rust
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSummary
 private import codeql.rust.internal.PathResolution
+private import codeql.rust.internal.typeinference.Type
+private import codeql.rust.internal.typeinference.TypeMention
 
 /**
  * A call to the `starts_with` method on a `Path`.
@@ -297,3 +300,28 @@ class Vec extends Struct {
   /** Gets the type parameter representing the element type. */
   TypeParam getElementTypeParam() { result = this.getGenericParamList().getTypeParam(0) }
 }
+
+private class ReflexiveFrom extends SummarizedCallable::Range {
+  ReflexiveFrom() {
+    exists(ImplItemNode impl |
+      impl.resolveTraitTy().(Trait).getCanonicalPath() = "core::convert::From" and
+      this = impl.getAnAssocItem() and
+      impl.isBlanketImplementation() and
+      this.getParam(0)
+          .getTypeRepr()
+          .(TypeMention)
+          .resolveType()
+          .(TypeParamTypeParameter)
+          .getTypeParam() = impl.getTypeParam(0)
+    )
+  }
+
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
+    input = "Argument[0]" and
+    output = "ReturnValue" and
+    preservesValue = true and
+    model = "ReflexiveFrom"
+  }
+}

rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll

@@ -1287,6 +1287,11 @@ private class BorrowKind extends TBorrowKind {
   }
 }
 
+private predicate isNotConstrainedTypeParameter(Type t) {
+  not t instanceof TypeParameter or
+  t.(TypeParamTypeParameter).getTypeParam() = any(TypeParam tp | not exists(tp.getATypeBound()))
+}
+
 /**
  * Provides logic for resolving calls to methods.
  *
@@ -2383,9 +2388,8 @@ private module MethodResolution {
         FunctionOverloading::functionResolutionDependsOnArgument(i, f, pos, path, t0) and
         t.appliesTo(f, i, pos) and
         // for now, we do not handle ambiguous targets when one of the types it iself
-        // a type parameter; we should be checking the constraints on that type parameter
-        // in this case
-        not t0 instanceof TypeParameter
+        // a constrained type parameter; we should be checking the constraints in this case
+        isNotConstrainedTypeParameter(t0)
       )
     }
 
@@ -2796,15 +2800,19 @@ private module NonMethodResolution {
     }
 
     pragma[nomagic]
-    predicate hasNoCompatibleNonBlanketTarget() {
-      not exists(this.resolveCallTargetViaPathResolution()) and
+    predicate hasNoCompatibleNonBlanketTargetViaTypeInference() {
       forall(ImplOrTraitItemNode i, Function f |
         this.(NonMethodArgsAreInstantiationsOfNonBlanketInput::Call).hasTargetCand(i, f)
       |
         NonMethodArgsAreInstantiationsOfNonBlanket::argsAreNotInstantiationsOf(this, i, f)
       )
     }
 
+    predicate hasNoCompatibleNonBlanketTarget() {
+      not exists(this.resolveCallTargetViaPathResolution()) and
+      this.hasNoCompatibleNonBlanketTargetViaTypeInference()
+    }
+
     /**
      * Gets the target of this call, which can be resolved using only path resolution.
      */
@@ -2910,9 +2918,8 @@ private module NonMethodResolution {
       t.appliesTo(f, i, pos) and
       exists(Type t0 |
         // for now, we do not handle ambiguous targets when one of the types it iself
-        // a type parameter; we should be checking the constraints on that type parameter
-        // in this case
-        not t0 instanceof TypeParameter
+        // a constrained type parameter; we should be checking the constraints in this case
+        isNotConstrainedTypeParameter(t0)
       |
         FunctionOverloading::functionResolutionDependsOnArgument(i, f, pos, _, t0)
         or

rust/ql/test/library-tests/dataflow/local/inline-flow.expected

@@ -303,7 +303,7 @@ edges
 | main.rs:566:18:566:27 | source(...) | main.rs:566:9:566:9 | a | provenance |  |
 | main.rs:569:10:569:10 | a | main.rs:569:10:569:17 | a.into() | provenance | MaD:4 |
 | main.rs:569:10:569:10 | a | main.rs:569:10:569:17 | a.into() | provenance | MaD:5 |
-| main.rs:570:20:570:20 | a | main.rs:570:10:570:21 | ...::from(...) | provenance | MaD:3 |
+| main.rs:570:20:570:20 | a | main.rs:570:10:570:21 | ...::from(...) | provenance | ReflexiveFrom |
 | main.rs:572:9:572:9 | b | main.rs:574:10:574:17 | b as i64 | provenance |  |
 | main.rs:572:9:572:9 | b | main.rs:575:10:575:10 | b | provenance |  |
 | main.rs:572:9:572:9 | b | main.rs:576:20:576:20 | b | provenance |  |

rust/ql/test/library-tests/dataflow/local/main.rs

@@ -567,7 +567,7 @@ fn conversions() {
 
     sink(a as i64); // $ hasTaintFlow=50
     sink(a.into()); // $ SPURIOUS: hasTaintFlow=50 $ MISSING: hasValueFlow=50 -- it is not possible to define a value-preserving summary for `into` since it depends on which `from` function is called
-    sink(i64::from(a)); // $ hasTaintFlow=50
+    sink(i64::from(a)); // $ hasValueFlow=50
 
     let b: i32 = source(51) as i32;