Rust: Remove borrow logic from Call classes

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll

@@ -21,7 +21,7 @@ private module Input implements InputSig<Location, RustDataFlow> {
     or
     // We allow flow into post-update node for receiver expressions (from the
     // synthetic post receiever node).
-    n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = any(Node::ReceiverNode r).getReceiver()
+    n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = any(Node::ArgBorrowNode r).getArg()
     or
     n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = getPostUpdateReverseStep(_, _)
     or

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -157,7 +157,7 @@ final class ArgumentPosition extends TArgumentPosition {
       inMethodCall = true
       or
       result = call.(IndexExpr).getIndex() and
-      pos = 1 and
+      pos = 0 and
       inMethodCall = true
     )
   }
@@ -201,8 +201,7 @@ final class ArgumentPosition extends TArgumentPosition {
 predicate isArgumentForCall(Expr arg, Call call, ArgumentPosition pos) {
   // TODO: Handle index expressions as calls in data flow.
   not call instanceof IndexExpr and
-  arg = pos.getArgument(call) and
-  not (pos.isReceiver() and call.receiverImplicitlyBorrowed())
+  arg = pos.getArgument(call)
 }
 
 /** Provides logic related to SSA. */
@@ -333,14 +332,6 @@ module LocalFlow {
     or
     nodeFrom.asPat().(OrPat).getAPat() = nodeTo.asPat()
     or
-    // Simple value step from receiver expression to receiver node, in case
-    // there is no implicit deref or borrow operation.
-    nodeFrom.asExpr() = nodeTo.(ReceiverNode).getReceiver()
-    or
-    // The dual step of the above, for the post-update nodes.
-    nodeFrom.(PostUpdateNode).getPreUpdateNode().(ReceiverNode).getReceiver() =
-      nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr()
-    or
     nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() =
       getPostUpdateReverseStep(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr(), true)
   }
@@ -430,7 +421,7 @@ module RustDataFlow implements InputSig<Location> {
     node.(FlowSummaryNode).getSummaryNode().isHidden() or
     node instanceof CaptureNode or
     node instanceof ClosureParameterNode or
-    node instanceof ReceiverNode or
+    node instanceof ArgBorrowNode or
     node.asExpr() instanceof ParenExpr or
     nodeIsHidden(node.(PostUpdateNode).getPreUpdateNode())
   }
@@ -584,16 +575,16 @@ module RustDataFlow implements InputSig<Location> {
   }
 
   pragma[nomagic]
-  private predicate implicitDerefToReceiver(Node node1, ReceiverNode node2, ReferenceContent c) {
+  private predicate implicitDerefToReceiver(Node node1, ArgBorrowNode node2, ReferenceContent c) {
     TypeInference::receiverHasImplicitDeref(node1.asExpr()) and
-    node1.asExpr() = node2.getReceiver() and
+    node1.asExpr() = node2.getArg() and
     exists(c)
   }
 
   pragma[nomagic]
-  private predicate implicitBorrowToReceiver(Node node1, ReceiverNode node2, ReferenceContent c) {
-    TypeInference::receiverHasImplicitBorrow(node1.asExpr()) and
-    node1.asExpr() = node2.getReceiver() and
+  private predicate implicitBorrowToReceiver(Node node1, ArgBorrowNode node2, ReferenceContent c) {
+    TypeInference::argumentHasImplicitBorrow(node1.asExpr()) and
+    node1.asExpr() = node2.getArg() and
     exists(c)
   }
 

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -27,8 +27,9 @@ module Input implements InputSig<Location, RustDataFlow> {
     }
 
     Expr getArgument(ParameterPosition pos) {
-      exists(ParameterPosition pos0, ArgumentPosition apos |
-        result = apos.getArgument(this.getCall()) and
+      exists(ParameterPosition pos0, ArgumentPosition apos, CallExprBase call |
+        call = this.getCall() and
+        result = apos.getArgument(call) and
         RustDataFlow::parameterMatch(pos0, apos)
       |
         not pos.hasPosition(_) and

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -14,6 +14,7 @@ private import codeql.rust.controlflow.ControlFlowGraph
 private import codeql.rust.controlflow.CfgNodes
 private import codeql.rust.dataflow.Ssa
 private import codeql.rust.dataflow.FlowSummary
+private import codeql.rust.internal.TypeInference as TypeInference
 private import Node as Node
 private import DataFlowImpl
 private import FlowSummaryImpl as FlowSummaryImpl
@@ -238,35 +239,37 @@ final class ExprArgumentNode extends ArgumentNode, ExprNode {
   private Call call_;
   private RustDataFlow::ArgumentPosition pos_;
 
-  ExprArgumentNode() { isArgumentForCall(n, call_, pos_) }
+  ExprArgumentNode() {
+    isArgumentForCall(n, call_, pos_) and
+    not TypeInference::argumentHasImplicitBorrow(n) and
+    not TypeInference::receiverHasImplicitDeref(n)
+  }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
     call.asCall() = call_ and pos = pos_
   }
 }
 
 /**
- * The receiver of a method call _after_ any implicit borrow or dereferencing
+ * The argument of a call _after_ any implicit borrow or dereferencing
  * has taken place.
  */
-final class ReceiverNode extends ArgumentNode, TReceiverNode {
-  private Call n;
-
-  ReceiverNode() { this = TReceiverNode(n, false) }
+final class ArgBorrowNode extends ArgumentNode, TArgBorrowNode {
+  private Expr arg;
 
-  Expr getReceiver() { result = n.getReceiver() }
+  ArgBorrowNode() { this = TArgBorrowNode(arg, false) }
 
-  MethodCallExpr getMethodCall() { result = n }
+  Expr getArg() { result = arg }
 
   override predicate isArgumentOf(DataFlowCall call, RustDataFlow::ArgumentPosition pos) {
-    call.asCall() = n and pos = TReceiverArgumentPosition()
+    isArgumentForCall(arg, call.asCall(), pos)
   }
 
-  override CfgScope getCfgScope() { result = n.getEnclosingCfgScope() }
+  override CfgScope getCfgScope() { result = arg.getEnclosingCfgScope() }
 
-  override Location getLocation() { result = this.getReceiver().getLocation() }
+  override Location getLocation() { result = arg.getLocation() }
 
-  override string toString() { result = "receiver for " + this.getReceiver() }
+  override string toString() { result = "receiver for " + arg }
 }
 
 final class SummaryArgumentNode extends FlowSummaryNode, ArgumentNode {
@@ -414,16 +417,16 @@ final class ExprPostUpdateNode extends PostUpdateNode, TExprPostUpdateNode {
   override Location getLocation() { result = e.getLocation() }
 }
 
-final class ReceiverPostUpdateNode extends PostUpdateNode, TReceiverNode {
-  private Call call;
+final class ArgBorrowPostUpdateNode extends PostUpdateNode, TArgBorrowNode {
+  private Expr arg;
 
-  ReceiverPostUpdateNode() { this = TReceiverNode(call, true) }
+  ArgBorrowPostUpdateNode() { this = TArgBorrowNode(arg, true) }
 
-  override Node getPreUpdateNode() { result = TReceiverNode(call, false) }
+  override Node getPreUpdateNode() { result = TArgBorrowNode(arg, false) }
 
-  override CfgScope getCfgScope() { result = call.getEnclosingCfgScope() }
+  override CfgScope getCfgScope() { result = arg.getEnclosingCfgScope() }
 
-  override Location getLocation() { result = call.getReceiver().getLocation() }
+  override Location getLocation() { result = arg.getLocation() }
 }
 
 final class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNode {
@@ -486,11 +489,13 @@ newtype TNode =
         ]
     )
   } or
-  TReceiverNode(Call call, Boolean isPost) {
-    call.hasEnclosingCfgScope() and
-    call.receiverImplicitlyBorrowed() and
+  TArgBorrowNode(Expr arg, Boolean isPost) {
     // TODO: Handle index expressions as calls in data flow.
-    not call instanceof IndexExpr
+    not arg = any(IndexExpr ie).getBase() and
+    (
+      TypeInference::argumentHasImplicitBorrow(arg) or
+      TypeInference::receiverHasImplicitDeref(arg)
+    )
   } or
   TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
   TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or

rust/ql/lib/codeql/rust/elements/internal/CallImpl.qll

@@ -34,9 +34,6 @@ module Impl {
    * called in Rust.
    */
   abstract class Call extends ExprImpl::Expr {
-    /** Holds if the receiver of this call is implicitly borrowed. */
-    predicate receiverImplicitlyBorrowed() { this.implicitBorrowAt(TSelfArgumentPosition(), _) }
-
     /** Gets the trait targeted by this call, if any. */
     abstract Trait getTrait();
 
@@ -49,9 +46,6 @@ module Impl {
     /** Gets the argument at the given position, if any. */
     abstract Expr getArgument(ArgumentPosition pos);
 
-    /** Holds if the argument at `pos` might be implicitly borrowed. */
-    abstract predicate implicitBorrowAt(ArgumentPosition pos, boolean certain);
-
     /** Gets the number of arguments _excluding_ any `self` argument. */
     int getNumberOfArguments() { result = count(this.getArgument(TPositionalArgumentPosition(_))) }
 
@@ -115,8 +109,6 @@ module Impl {
 
     override Trait getTrait() { callHasTraitQualifier(this, result) }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) { none() }
-
     override Expr getArgument(ArgumentPosition pos) {
       result = super.getArgList().getArg(pos.asPosition())
     }
@@ -139,8 +131,6 @@ module Impl {
 
     override Trait getTrait() { callHasTraitQualifier(this, result) }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) { none() }
-
     override Expr getArgument(ArgumentPosition pos) {
       pos.isSelf() and result = super.getArgList().getArg(0)
       or
@@ -153,10 +143,6 @@ module Impl {
 
     override Trait getTrait() { none() }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) {
-      pos.isSelf() and certain = false
-    }
-
     override Expr getArgument(ArgumentPosition pos) {
       pos.isSelf() and result = this.(MethodCallExpr).getReceiver()
       or
@@ -175,15 +161,6 @@ module Impl {
 
     override Trait getTrait() { result = trait }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) {
-      (
-        pos.isSelf() and borrows >= 1
-        or
-        pos.asPosition() = 0 and borrows = 2
-      ) and
-      certain = true
-    }
-
     override Expr getArgument(ArgumentPosition pos) {
       pos.isSelf() and result = super.getOperand(0)
       or
@@ -196,10 +173,6 @@ module Impl {
 
     override Trait getTrait() { result.getCanonicalPath() = "core::ops::index::Index" }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) {
-      pos.isSelf() and certain = true
-    }
-
     override Expr getArgument(ArgumentPosition pos) {
       pos.isSelf() and result = super.getBase()
       or

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -1590,9 +1590,9 @@ private module MethodResolution {
       receiver = this.getArgument(CallImpl::TSelfArgumentPosition())
     }
 
-    predicate receiverHasImplicitBorrow(AstNode receiver) {
+    predicate argumentHasImplicitBorrow(AstNode arg) {
       exists(this.resolveCallTarget(_, "", true)) and
-      receiver = this.getArgument(CallImpl::TSelfArgumentPosition())
+      arg = this.getArgument(CallImpl::TSelfArgumentPosition())
     }
   }
 
@@ -1683,8 +1683,16 @@ private module MethodResolution {
 
     override Expr getArgument(ArgumentPosition pos) { result = this.(Call).getArgument(pos) }
 
+    private predicate implicitBorrowAt(ArgumentPosition pos) {
+      exists(int borrows | this.isOverloaded(_, _, borrows) |
+        pos.isSelf() and borrows >= 1
+        or
+        pos.asPosition() = 0 and borrows = 2
+      )
+    }
+
     override Type getArgumentTypeAt(ArgumentPosition pos, TypePath path) {
-      if this.(Call).implicitBorrowAt(pos, true)
+      if this.implicitBorrowAt(pos)
       then
         result instanceof RefType and
         path.isEmpty()
@@ -1696,10 +1704,10 @@ private module MethodResolution {
       else result = inferType(this.getArgument(pos), path)
     }
 
-    override predicate receiverHasImplicitBorrow(AstNode receiver) {
+    override predicate argumentHasImplicitBorrow(AstNode arg) {
       exists(ArgumentPosition pos |
-        this.(Call).implicitBorrowAt(pos, true) and
-        receiver = this.getArgument(pos)
+        this.implicitBorrowAt(pos) and
+        arg = this.getArgument(pos)
       )
     }
 
@@ -3415,10 +3423,10 @@ private module Cached {
     any(MethodResolution::MethodCall mc).receiverHasImplicitDeref(receiver)
   }
 
-  /** Holds if `receiver` is the receiver of a method call with an implicit borrow. */
+  /** Holds if `arg` is the argument of a call with an implicit borrow. */
   cached
-  predicate receiverHasImplicitBorrow(AstNode receiver) {
-    any(MethodResolution::MethodCall mc).receiverHasImplicitBorrow(receiver)
+  predicate argumentHasImplicitBorrow(AstNode arg) {
+    any(MethodResolution::MethodCall mc).argumentHasImplicitBorrow(arg)
   }
 
   /** Gets an item (function or tuple struct/variant) that `call` resolves to, if any. */

rust/ql/test/library-tests/dataflow/global/inline-flow.expected

@@ -130,11 +130,12 @@ edges
 | main.rs:244:13:244:13 | a [MyInt] | main.rs:244:13:244:17 | ... + ... [MyInt] | provenance |  |
 | main.rs:244:13:244:17 | ... + ... [MyInt] | main.rs:244:9:244:9 | c [MyInt] | provenance |  |
 | main.rs:245:10:245:10 | c [MyInt] | main.rs:245:10:245:16 | c.value | provenance |  |
-| main.rs:252:9:252:9 | a [MyInt] | main.rs:220:12:220:15 | SelfParam [MyInt] | provenance |  |
-| main.rs:252:9:252:9 | a [MyInt] | main.rs:254:13:254:20 | a.add(...) [MyInt] | provenance |  |
+| main.rs:252:9:252:9 | a [MyInt] | main.rs:254:13:254:13 | a [MyInt] | provenance |  |
 | main.rs:252:13:252:38 | MyInt {...} [MyInt] | main.rs:252:9:252:9 | a [MyInt] | provenance |  |
 | main.rs:252:28:252:36 | source(...) | main.rs:252:13:252:38 | MyInt {...} [MyInt] | provenance |  |
 | main.rs:254:9:254:9 | d [MyInt] | main.rs:255:10:255:10 | d [MyInt] | provenance |  |
+| main.rs:254:13:254:13 | a [MyInt] | main.rs:220:12:220:15 | SelfParam [MyInt] | provenance |  |
+| main.rs:254:13:254:13 | a [MyInt] | main.rs:254:13:254:20 | a.add(...) [MyInt] | provenance |  |
 | main.rs:254:13:254:20 | a.add(...) [MyInt] | main.rs:254:9:254:9 | d [MyInt] | provenance |  |
 | main.rs:255:10:255:10 | d [MyInt] | main.rs:255:10:255:16 | d.value | provenance |  |
 | main.rs:259:9:259:9 | b [MyInt] | main.rs:261:35:261:35 | b [MyInt] | provenance |  |
@@ -329,6 +330,7 @@ nodes
 | main.rs:252:13:252:38 | MyInt {...} [MyInt] | semmle.label | MyInt {...} [MyInt] |
 | main.rs:252:28:252:36 | source(...) | semmle.label | source(...) |
 | main.rs:254:9:254:9 | d [MyInt] | semmle.label | d [MyInt] |
+| main.rs:254:13:254:13 | a [MyInt] | semmle.label | a [MyInt] |
 | main.rs:254:13:254:20 | a.add(...) [MyInt] | semmle.label | a.add(...) [MyInt] |
 | main.rs:255:10:255:10 | d [MyInt] | semmle.label | d [MyInt] |
 | main.rs:255:10:255:16 | d.value | semmle.label | d.value |
@@ -394,7 +396,7 @@ subpaths
 | main.rs:194:38:194:38 | a | main.rs:112:27:112:32 | ...: i64 | main.rs:112:42:114:5 | { ... } | main.rs:194:13:194:39 | ...::data_through(...) |
 | main.rs:212:24:212:33 | source(...) | main.rs:206:12:206:17 | ...: i64 | main.rs:206:28:208:5 | { ... } [MyInt] | main.rs:212:13:212:34 | ...::new(...) [MyInt] |
 | main.rs:244:13:244:13 | a [MyInt] | main.rs:220:12:220:15 | SelfParam [MyInt] | main.rs:220:42:223:5 | { ... } [MyInt] | main.rs:244:13:244:17 | ... + ... [MyInt] |
-| main.rs:252:9:252:9 | a [MyInt] | main.rs:220:12:220:15 | SelfParam [MyInt] | main.rs:220:42:223:5 | { ... } [MyInt] | main.rs:254:13:254:20 | a.add(...) [MyInt] |
+| main.rs:254:13:254:13 | a [MyInt] | main.rs:220:12:220:15 | SelfParam [MyInt] | main.rs:220:42:223:5 | { ... } [MyInt] | main.rs:254:13:254:20 | a.add(...) [MyInt] |
 | main.rs:261:35:261:35 | b [MyInt] | main.rs:227:30:227:39 | ...: MyInt [MyInt] | main.rs:227:19:227:27 | SelfParam [Return] [&ref, MyInt] | main.rs:261:27:261:32 | [post] &mut a [&ref, MyInt] |
 | main.rs:272:27:272:28 | &a [&ref, MyInt] | main.rs:235:14:235:18 | SelfParam [&ref, MyInt] | main.rs:235:38:237:5 | { ... } [&ref] | main.rs:272:14:272:29 | ...::deref(...) [&ref] |
 | main.rs:301:50:301:50 | a [MyInt] | main.rs:289:18:289:21 | SelfParam [MyInt] | main.rs:289:48:291:5 | { ... } [MyInt] | main.rs:301:30:301:54 | ...::take_self(...) [MyInt] |