Rust: Data flow for consts and statics

Author: hvitved

rust/ql/lib/codeql/rust/controlflow/internal/Scope.qll

@@ -45,3 +45,14 @@ final class CallableScope extends CfgScopeImpl, Callable {
   /** Holds if `scope` is exited when `last` finishes with completion `c`. */
   override predicate scopeLast(AstNode last, Completion c) { last(this.getBody(), last, c) }
 }
+
+/**
+ * A special scope used to represent the context in which `const`s and
+ * `static`s are initialized. We do not actually compute a CFG for such
+ * scopes.
+ */
+final class SourceFileScope extends CfgScopeImpl, SourceFile {
+  override predicate scopeFirst(AstNode first) { none() }
+
+  override predicate scopeLast(AstNode last, Completion c) { none() }
+}

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -653,8 +653,19 @@ module RustDataFlowGen<RustDataFlowInputSig Input> implements InputSig<Location>
    */
   predicate jumpStep(Node node1, Node node2) {
     FlowSummaryImpl::Private::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
-      node2.(FlowSummaryNode).getSummaryNode()) or
+      node2.(FlowSummaryNode).getSummaryNode())
+    or
     FlowSummaryImpl::Private::Steps::sourceJumpStep(node1.(FlowSummaryNode).getSummaryNode(), node2)
+    or
+    exists(Const c |
+      node1.asExpr() = c.getBody() and
+      node2.asExpr() = c.getAnAccess()
+    )
+    or
+    exists(Static s |
+      node1.asExpr() = s.getBody() and
+      node2.asExpr() = s.getAnAccess()
+    )
   }
 
   pragma[nomagic]

rust/ql/lib/codeql/rust/elements/internal/AstNodeImpl.qll

@@ -48,17 +48,37 @@ module Impl {
       )
     }
 
-    /** Gets the CFG scope that encloses this node, if any. */
-    cached
-    CfgScope getEnclosingCfgScope() {
+    pragma[nomagic]
+    private predicate isInConstOrStaticBody(File f) {
+      exists(AstNode p |
+        this.getParentNode*() = p and
+        f = p.getFile()
+      |
+        p = any(Const c).getBody()
+        or
+        p = any(Static s).getBody()
+      )
+    }
+
+    pragma[nomagic]
+    private CfgScope getEnclosingCfgScopeImpl() {
+      not this.isInConstOrStaticBody(_) and
       exists(AstNode p | p = this.getParentNode() |
         result = p
         or
         not p instanceof CfgScope and
-        result = p.getEnclosingCfgScope()
+        result = p.getEnclosingCfgScopeImpl()
       )
     }
 
+    /** Gets the CFG scope that encloses this node, if any. */
+    cached
+    CfgScope getEnclosingCfgScope() {
+      result = this.getEnclosingCfgScopeImpl()
+      or
+      this.isInConstOrStaticBody(result.(SourceFile).getFile())
+    }
+
     /** Holds if this node is inside a CFG scope. */
     predicate hasEnclosingCfgScope() { exists(this.getEnclosingCfgScope()) }
 

rust/ql/lib/codeql/rust/elements/internal/ConstImpl.qll

@@ -25,6 +25,9 @@ module Impl {
    * ```
    */
   class Const extends Generated::Const {
+    /** Gets an access to this constant item. */
+    ConstAccess getAnAccess() { this = result.getConst() }
+
     override string toStringImpl() { result = "const " + this.getName().getText() }
   }
 

rust/ql/lib/codeql/rust/elements/internal/StaticImpl.qll

@@ -24,6 +24,9 @@ module Impl {
    * ```
    */
   class Static extends Generated::Static {
+    /** Gets an access to this static item. */
+    StaticAccess getAnAccess() { this = result.getStatic() }
+
     override string toStringImpl() { result = "static " + this.getName().getText() }
   }
 

rust/ql/test/library-tests/dataflow/global/inline-flow.expected

@@ -222,6 +222,11 @@ edges
 | main.rs:415:18:415:38 | i.get_double_number() | main.rs:415:13:415:14 | n4 | provenance |  |
 | main.rs:418:13:418:14 | n5 | main.rs:419:14:419:15 | n5 | provenance |  |
 | main.rs:418:18:418:41 | ...::get_default(...) | main.rs:418:13:418:14 | n5 | provenance |  |
+| main.rs:426:30:426:39 | source(...) | main.rs:430:35:430:45 | CONST_VALUE | provenance |  |
+| main.rs:427:32:427:41 | source(...) | main.rs:432:28:432:39 | STATIC_VALUE | provenance |  |
+| main.rs:430:35:430:45 | CONST_VALUE | main.rs:431:14:431:25 | CONST_VALUE2 | provenance |  |
+| main.rs:432:13:432:24 | static_value | main.rs:433:14:433:25 | static_value | provenance |  |
+| main.rs:432:28:432:39 | STATIC_VALUE | main.rs:432:13:432:24 | static_value | provenance |  |
 nodes
 | main.rs:12:28:14:1 | { ... } | semmle.label | { ... } |
 | main.rs:13:5:13:13 | source(...) | semmle.label | source(...) |
@@ -464,6 +469,13 @@ nodes
 | main.rs:418:13:418:14 | n5 | semmle.label | n5 |
 | main.rs:418:18:418:41 | ...::get_default(...) | semmle.label | ...::get_default(...) |
 | main.rs:419:14:419:15 | n5 | semmle.label | n5 |
+| main.rs:426:30:426:39 | source(...) | semmle.label | source(...) |
+| main.rs:427:32:427:41 | source(...) | semmle.label | source(...) |
+| main.rs:430:35:430:45 | CONST_VALUE | semmle.label | CONST_VALUE |
+| main.rs:431:14:431:25 | CONST_VALUE2 | semmle.label | CONST_VALUE2 |
+| main.rs:432:13:432:24 | static_value | semmle.label | static_value |
+| main.rs:432:28:432:39 | STATIC_VALUE | semmle.label | STATIC_VALUE |
+| main.rs:433:14:433:25 | static_value | semmle.label | static_value |
 subpaths
 | main.rs:38:16:38:24 | source(...) | main.rs:26:28:26:33 | ...: i64 | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | main.rs:38:5:38:5 | [post] a [MyStruct] |
 | main.rs:39:10:39:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:30:31:32:5 | { ... } | main.rs:39:10:39:21 | a.get_data() |
@@ -525,3 +537,5 @@ testFailures
 | main.rs:412:14:412:15 | n3 | main.rs:371:13:371:21 | source(...) | main.rs:412:14:412:15 | n3 | $@ | main.rs:371:13:371:21 | source(...) | source(...) |
 | main.rs:416:14:416:15 | n4 | main.rs:391:13:391:22 | source(...) | main.rs:416:14:416:15 | n4 | $@ | main.rs:391:13:391:22 | source(...) | source(...) |
 | main.rs:419:14:419:15 | n5 | main.rs:395:13:395:21 | source(...) | main.rs:419:14:419:15 | n5 | $@ | main.rs:395:13:395:21 | source(...) | source(...) |
+| main.rs:431:14:431:25 | CONST_VALUE2 | main.rs:426:30:426:39 | source(...) | main.rs:431:14:431:25 | CONST_VALUE2 | $@ | main.rs:426:30:426:39 | source(...) | source(...) |
+| main.rs:433:14:433:25 | static_value | main.rs:427:32:427:41 | source(...) | main.rs:433:14:433:25 | static_value | $@ | main.rs:427:32:427:41 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/global/main.rs

@@ -1,4 +1,4 @@
-fn source(i: i64) -> i64 {
+const fn source(i: i64) -> i64 {
     1000 + i
 }
 
@@ -420,6 +420,20 @@ mod not_trait_dispatch {
     }
 }
 
+mod const_static {
+    use super::{sink, source};
+
+    const CONST_VALUE: i64 = source(42);
+    static STATIC_VALUE: i64 = source(43);
+
+    fn test_const_static() {
+        const CONST_VALUE2: i64 = CONST_VALUE;
+        sink(CONST_VALUE2); // $ hasValueFlow=42
+        let static_value = STATIC_VALUE;
+        sink(static_value); // $ hasValueFlow=43
+    }
+}
+
 fn main() {
     data_out_of_call();
     data_out_of_call_side_effect1();

rust/ql/test/library-tests/dataflow/global/viableCallable.expected

@@ -128,14 +128,18 @@
 | main.rs:416:9:416:16 | sink(...) | main.rs:5:1:7:1 | fn sink |
 | main.rs:418:18:418:41 | ...::get_default(...) | main.rs:394:9:396:9 | fn get_default |
 | main.rs:419:9:419:16 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:424:5:424:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call |
-| main.rs:425:5:425:35 | data_out_of_call_side_effect1(...) | main.rs:35:1:40:1 | fn data_out_of_call_side_effect1 |
-| main.rs:426:5:426:35 | data_out_of_call_side_effect2(...) | main.rs:42:1:50:1 | fn data_out_of_call_side_effect2 |
-| main.rs:427:5:427:21 | data_in_to_call(...) | main.rs:56:1:59:1 | fn data_in_to_call |
-| main.rs:428:5:428:23 | data_through_call(...) | main.rs:65:1:69:1 | fn data_through_call |
-| main.rs:429:5:429:34 | data_through_nested_function(...) | main.rs:79:1:88:1 | fn data_through_nested_function |
-| main.rs:431:5:431:24 | data_out_of_method(...) | main.rs:152:1:162:1 | fn data_out_of_method |
-| main.rs:432:5:432:28 | data_in_to_method_call(...) | main.rs:169:1:179:1 | fn data_in_to_method_call |
-| main.rs:433:5:433:25 | data_through_method(...) | main.rs:187:1:199:1 | fn data_through_method |
-| main.rs:435:5:435:31 | test_operator_overloading(...) | main.rs:256:1:298:1 | fn test_operator_overloading |
-| main.rs:436:5:436:22 | test_async_await(...) | main.rs:353:1:358:1 | fn test_async_await |
+| main.rs:426:30:426:39 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:427:32:427:41 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:431:9:431:26 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:433:9:433:26 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:438:5:438:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call |
+| main.rs:439:5:439:35 | data_out_of_call_side_effect1(...) | main.rs:35:1:40:1 | fn data_out_of_call_side_effect1 |
+| main.rs:440:5:440:35 | data_out_of_call_side_effect2(...) | main.rs:42:1:50:1 | fn data_out_of_call_side_effect2 |
+| main.rs:441:5:441:21 | data_in_to_call(...) | main.rs:56:1:59:1 | fn data_in_to_call |
+| main.rs:442:5:442:23 | data_through_call(...) | main.rs:65:1:69:1 | fn data_through_call |
+| main.rs:443:5:443:34 | data_through_nested_function(...) | main.rs:79:1:88:1 | fn data_through_nested_function |
+| main.rs:445:5:445:24 | data_out_of_method(...) | main.rs:152:1:162:1 | fn data_out_of_method |
+| main.rs:446:5:446:28 | data_in_to_method_call(...) | main.rs:169:1:179:1 | fn data_in_to_method_call |
+| main.rs:447:5:447:25 | data_through_method(...) | main.rs:187:1:199:1 | fn data_through_method |
+| main.rs:449:5:449:31 | test_operator_overloading(...) | main.rs:256:1:298:1 | fn test_operator_overloading |
+| main.rs:450:5:450:22 | test_async_await(...) | main.rs:353:1:358:1 | fn test_async_await |

rust/ql/test/library-tests/dataflow/global/viableCallable.ql

@@ -1,5 +1,6 @@
 import codeql.rust.dataflow.internal.DataFlowImpl
 
 query predicate viableCallable(DataFlowCall call, DataFlowCallable callee) {
-  RustDataFlow::viableCallable(call) = callee
+  RustDataFlow::viableCallable(call) = callee and
+  (call.asCall().fromSource() or call.isImplicitDerefCall(_, _, _, _))
 }