Rust: Add reverse post-update flow steps

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll

@@ -18,6 +18,8 @@ private module Input implements InputSig<Location, RustDataFlow> {
     // We allow flow into post-update node for receiver expressions (from the
     // synthetic post receiever node).
     n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = any(Node::ReceiverNode r).getReceiver()
+    or
+    n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = getPostUpdateReverseStep(_, _)
   }
 
   predicate missingLocationExclude(RustDataFlow::Node n) { not exists(n.asExpr().getLocation()) }

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -197,6 +197,14 @@ private ExprCfgNode getALastEvalNode(ExprCfgNode e) {
   result.(BreakExprCfgNode).getTarget() = e
 }
 
+ExprCfgNode getPostUpdateReverseStep(ExprCfgNode e, boolean preservesValue) {
+  result = getALastEvalNode(e) and
+  preservesValue = true
+  or
+  result = e.(CastExprCfgNode).getExpr() and
+  preservesValue = false
+}
+
 module LocalFlow {
   predicate flowSummaryLocalStep(Node nodeFrom, Node nodeTo, string model) {
     exists(FlowSummaryImpl::Public::SummarizedCallable c |
@@ -258,6 +266,9 @@ module LocalFlow {
     // The dual step of the above, for the post-update nodes.
     nodeFrom.(PostUpdateNode).getPreUpdateNode().(ReceiverNode).getReceiver() =
       nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr()
+    or
+    nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() =
+      getPostUpdateReverseStep(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr(), true)
   }
 }
 

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -472,6 +472,11 @@ newtype TNode =
         any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr(),
         any(AwaitExprCfgNode a).getExpr(), any(MethodCallExprCfgNode mc).getReceiver()
       ]
+    or
+    exists(ExprCfgNode pred |
+      exists(TExprPostUpdateNode(pred)) and
+      e = getPostUpdateReverseStep(pred, _)
+    )
   } or
   TReceiverNode(MethodCallExprCfgNode mc, Boolean isPost) or
   TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or

rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll

@@ -332,6 +332,8 @@ import Cached
 private import codeql.rust.dataflow.Ssa
 
 private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig {
+  private import codeql.rust.dataflow.internal.DataFlowImpl as DataFlowImpl
+
   class Expr extends CfgNodes::AstCfgNode {
     predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { this = bb.getNode(i) }
   }
@@ -343,14 +345,22 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
     none() // handled in `DataFlowImpl.qll` instead
   }
 
+  private predicate isArg(CfgNodes::CallExprBaseCfgNode call, CfgNodes::ExprCfgNode e) {
+    call.getArgument(_) = e
+    or
+    call.(CfgNodes::MethodCallExprCfgNode).getReceiver() = e
+    or
+    exists(CfgNodes::ExprCfgNode mid |
+      isArg(call, mid) and
+      e = DataFlowImpl::getPostUpdateReverseStep(mid, _)
+    )
+  }
+
   predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) {
     exists(CfgNodes::CallExprBaseCfgNode call, Variable v, BasicBlock bb, int i |
       def.definesAt(v, bb, i) and
-      mutablyBorrows(bb.getNode(i).getAstNode(), v)
-    |
-      call.getArgument(_) = bb.getNode(i)
-      or
-      call.(CfgNodes::MethodCallExprCfgNode).getReceiver() = bb.getNode(i)
+      mutablyBorrows(bb.getNode(i).getAstNode(), v) and
+      isArg(call, bb.getNode(i))
     )
   }
 

rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll

@@ -53,6 +53,9 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
       exists(FormatArgsExprCfgNode format | succ.asExpr() = format |
         pred.asExpr() = [format.getArgumentExpr(_), format.getFormatTemplateVariableAccess(_)]
       )
+      or
+      succ.(Node::PostUpdateNode).getPreUpdateNode().asExpr() =
+        getPostUpdateReverseStep(pred.(Node::PostUpdateNode).getPreUpdateNode().asExpr(), false)
     )
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),

rust/ql/test/library-tests/dataflow/global/inline-flow.expected

@@ -18,6 +18,12 @@ edges
 | main.rs:38:23:38:31 | source(...) | main.rs:38:6:38:11 | [post] &mut a [&ref, MyStruct] | provenance |  |
 | main.rs:39:10:39:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | provenance |  |
 | main.rs:39:10:39:10 | a [MyStruct] | main.rs:39:10:39:21 | a.get_data(...) | provenance |  |
+| main.rs:44:12:44:17 | [post] &mut a [&ref, MyStruct] | main.rs:44:17:44:17 | [post] a [MyStruct] | provenance |  |
+| main.rs:44:17:44:17 | [post] a [MyStruct] | main.rs:45:10:45:10 | a [MyStruct] | provenance |  |
+| main.rs:44:30:44:38 | source(...) | main.rs:26:28:26:33 | ...: i64 | provenance |  |
+| main.rs:44:30:44:38 | source(...) | main.rs:44:12:44:17 | [post] &mut a [&ref, MyStruct] | provenance |  |
+| main.rs:45:10:45:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | provenance |  |
+| main.rs:45:10:45:10 | a [MyStruct] | main.rs:45:10:45:21 | a.get_data(...) | provenance |  |
 | main.rs:48:12:48:17 | ...: i64 | main.rs:49:10:49:10 | n | provenance |  |
 | main.rs:53:9:53:9 | a | main.rs:54:13:54:13 | a | provenance |  |
 | main.rs:53:13:53:21 | source(...) | main.rs:53:9:53:9 | a | provenance |  |
@@ -110,6 +116,11 @@ nodes
 | main.rs:38:23:38:31 | source(...) | semmle.label | source(...) |
 | main.rs:39:10:39:10 | a [MyStruct] | semmle.label | a [MyStruct] |
 | main.rs:39:10:39:21 | a.get_data(...) | semmle.label | a.get_data(...) |
+| main.rs:44:12:44:17 | [post] &mut a [&ref, MyStruct] | semmle.label | [post] &mut a [&ref, MyStruct] |
+| main.rs:44:17:44:17 | [post] a [MyStruct] | semmle.label | [post] a [MyStruct] |
+| main.rs:44:30:44:38 | source(...) | semmle.label | source(...) |
+| main.rs:45:10:45:10 | a [MyStruct] | semmle.label | a [MyStruct] |
+| main.rs:45:10:45:21 | a.get_data(...) | semmle.label | a.get_data(...) |
 | main.rs:48:12:48:17 | ...: i64 | semmle.label | ...: i64 |
 | main.rs:49:10:49:10 | n | semmle.label | n |
 | main.rs:53:9:53:9 | a | semmle.label | a |
@@ -194,6 +205,8 @@ nodes
 subpaths
 | main.rs:38:23:38:31 | source(...) | main.rs:26:28:26:33 | ...: i64 | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | main.rs:38:6:38:11 | [post] &mut a [&ref, MyStruct] |
 | main.rs:39:10:39:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:30:31:32:5 | { ... } | main.rs:39:10:39:21 | a.get_data(...) |
+| main.rs:44:30:44:38 | source(...) | main.rs:26:28:26:33 | ...: i64 | main.rs:26:17:26:25 | SelfParam [Return] [&ref, MyStruct] | main.rs:44:12:44:17 | [post] &mut a [&ref, MyStruct] |
+| main.rs:45:10:45:10 | a [MyStruct] | main.rs:30:17:30:21 | SelfParam [&ref, MyStruct] | main.rs:30:31:32:5 | { ... } | main.rs:45:10:45:21 | a.get_data(...) |
 | main.rs:63:26:63:26 | a | main.rs:57:17:57:22 | ...: i64 | main.rs:57:32:59:1 | { ... } | main.rs:63:13:63:27 | pass_through(...) |
 | main.rs:68:26:71:5 | { ... } | main.rs:57:17:57:22 | ...: i64 | main.rs:57:32:59:1 | { ... } | main.rs:68:13:71:6 | pass_through(...) |
 | main.rs:82:26:82:26 | a | main.rs:78:21:78:26 | ...: i64 | main.rs:78:36:80:5 | { ... } | main.rs:82:13:82:27 | pass_through(...) |
@@ -205,6 +218,7 @@ testFailures
 #select
 | main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) |
 | main.rs:39:10:39:21 | a.get_data(...) | main.rs:38:23:38:31 | source(...) | main.rs:39:10:39:21 | a.get_data(...) | $@ | main.rs:38:23:38:31 | source(...) | source(...) |
+| main.rs:45:10:45:21 | a.get_data(...) | main.rs:44:30:44:38 | source(...) | main.rs:45:10:45:21 | a.get_data(...) | $@ | main.rs:44:30:44:38 | source(...) | source(...) |
 | main.rs:49:10:49:10 | n | main.rs:53:13:53:21 | source(...) | main.rs:49:10:49:10 | n | $@ | main.rs:53:13:53:21 | source(...) | source(...) |
 | main.rs:64:10:64:10 | b | main.rs:62:13:62:21 | source(...) | main.rs:64:10:64:10 | b | $@ | main.rs:62:13:62:21 | source(...) | source(...) |
 | main.rs:72:10:72:10 | a | main.rs:70:9:70:18 | source(...) | main.rs:72:10:72:10 | a | $@ | main.rs:70:9:70:18 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/global/main.rs

@@ -42,7 +42,7 @@ fn data_out_of_call_side_effect1() {
 fn data_out_of_call_side_effect2() {
     let mut a = MyStruct { data: 0 };
     ({ 42; &mut a}).set_data(source(9));
-    sink(a.get_data()); // $ MISSING: hasValueFlow=9
+    sink(a.get_data()); // $ hasValueFlow=9
 }
 
 fn data_in(n: i64) {

rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -9,11 +9,13 @@ localStep
 | main.rs:6:9:6:9 | s | main.rs:6:9:6:9 | s |
 | main.rs:6:9:6:14 | ...: i64 | main.rs:6:9:6:9 | s |
 | main.rs:7:14:7:20 | FormatArgsExpr | main.rs:7:14:7:20 | MacroExpr |
+| main.rs:7:14:7:20 | [post] MacroExpr | main.rs:7:14:7:20 | [post] FormatArgsExpr |
 | main.rs:10:13:10:14 | [SSA] sr | main.rs:11:20:11:21 | sr |
 | main.rs:10:13:10:14 | sr | main.rs:10:13:10:14 | [SSA] sr |
 | main.rs:10:13:10:14 | sr | main.rs:10:13:10:14 | sr |
 | main.rs:10:13:10:20 | ...: ... | main.rs:10:13:10:14 | sr |
 | main.rs:11:14:11:21 | FormatArgsExpr | main.rs:11:14:11:21 | MacroExpr |
+| main.rs:11:14:11:21 | [post] MacroExpr | main.rs:11:14:11:21 | [post] FormatArgsExpr |
 | main.rs:22:9:22:9 | [SSA] s | main.rs:23:10:23:10 | s |
 | main.rs:22:9:22:9 | s | main.rs:22:9:22:9 | [SSA] s |
 | main.rs:22:9:22:9 | s | main.rs:22:9:22:9 | s |
@@ -690,6 +692,7 @@ localStep
 | main.rs:462:16:462:16 | s | main.rs:462:16:462:16 | s |
 | main.rs:462:16:462:24 | ...: String | main.rs:462:16:462:16 | s |
 | main.rs:463:14:463:20 | FormatArgsExpr | main.rs:463:14:463:20 | MacroExpr |
+| main.rs:463:14:463:20 | [post] MacroExpr | main.rs:463:14:463:20 | [post] FormatArgsExpr |
 | main.rs:467:9:467:9 | [SSA] a | main.rs:468:13:468:13 | a |
 | main.rs:467:9:467:9 | a | main.rs:467:9:467:9 | [SSA] a |
 | main.rs:467:9:467:9 | a | main.rs:467:9:467:9 | a |
@@ -848,6 +851,7 @@ localStep
 | main.rs:523:14:523:18 | c_ref | main.rs:524:11:524:15 | c_ref |
 | main.rs:551:13:551:33 | result_questionmark(...) | main.rs:551:9:551:9 | _ |
 | main.rs:563:36:563:41 | ...::new(...) | main.rs:563:36:563:41 | MacroExpr |
+| main.rs:563:36:563:41 | [post] MacroExpr | main.rs:563:36:563:41 | [post] ...::new(...) |
 models
 | 1 | Sink: lang:std; crate::io::stdio::_print; log-injection; Argument[0] |
 | 2 | Summary: lang:alloc; <&&str as crate::string::SpecToString>::spec_to_string; Argument[self].Reference.Reference; ReturnValue; value |

rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected

@@ -6,6 +6,7 @@
 | main.rs:18:11:18:11 | a | main.rs:18:10:18:11 | - ... |
 | main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 |
 | main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 |
+| main.rs:24:10:24:17 | [post] b as i64 | main.rs:24:10:24:10 | [post] b |
 | main.rs:29:23:29:23 | i | main.rs:29:17:29:23 | FormatArgsExpr |
 | main.rs:33:24:33:24 | s | main.rs:33:18:33:24 | FormatArgsExpr |
 | main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] |