Merge pull request #19881 from hvitved/rust/dataflow-traits

Rust: Data flow through trait methods

Author: hvitved

rust/ql/.generated.list

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Implemented support for data flow through trait functions. For the purpose of data flow, calls to trait functions dispatch to all possible implementations.

rust/ql/.gitattributes

@@ -404,10 +404,20 @@ module RustDataFlow implements InputSig<Location> {
 
   /** Gets a viable implementation of the target of the given `Call`. */
   DataFlowCallable viableCallable(DataFlowCall call) {
-    exists(Callable target | target = call.asCallCfgNode().getCall().getStaticTarget() |
-      target = result.asCfgScope()
+    exists(Call c | c = call.asCallCfgNode().getCall() |
+      result.asCfgScope() = c.getARuntimeTarget()
       or
-      target = result.asSummarizedCallable()
+      exists(SummarizedCallable sc, Function staticTarget |
+        staticTarget = c.getStaticTarget() and
+        sc = result.asSummarizedCallable()
+      |
+        sc = staticTarget
+        or
+        // only apply trait models to concrete implementations when they are not
+        // defined in source code
+        staticTarget.implements(sc) and
+        not staticTarget.fromSource()
+      )
     )
   }
 

rust/ql/lib/change-notes/2025-06-26-dataflow-traits.md

@@ -32,6 +32,8 @@
  *     - `Field[t(i)]`: position `i` inside the variant/struct with canonical path `v`, for example
  *                      `Field[core::option::Option::Some(0)]`.
  *     - `Field[i]`: the `i`th element of a tuple.
+ *     - `Reference`: the referenced value.
+ *     - `Future`: the value being computed asynchronously.
  * 3. The `kind` column is a tag that can be referenced from QL to determine to
  *    which classes the interpreted elements should be added. For example, for
  *    sources `"remote"` indicates a default remote flow source, and for summaries
@@ -211,6 +213,10 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
     this.getCanonicalPath() = path
   }
 
+  override predicate hasProvenance(Provenance provenance) {
+    summaryModel(path, _, _, _, provenance, _)
+  }
+
   override predicate propagatesFlow(
     string input, string output, boolean preservesValue, string model
   ) {

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -1,4 +1,3 @@
-// generated by codegen, remove this comment if you wish to edit this file
 /**
  * This module provides a hand-modifiable wrapper around the generated class `AssocItem`.
  *
@@ -12,6 +11,10 @@ private import codeql.rust.elements.internal.generated.AssocItem
  * be referenced directly.
  */
 module Impl {
+  private import rust
+  private import codeql.rust.internal.PathResolution
+
+  // the following QLdoc is generated: if you need to edit it, do it in the schema file
   /**
    * An associated item in a `Trait` or `Impl`.
    *
@@ -21,5 +24,15 @@ module Impl {
    * //       ^^^^^^^^^^^^^
    * ```
    */
-  class AssocItem extends Generated::AssocItem { }
+  class AssocItem extends Generated::AssocItem {
+    /** Holds if this item implements trait item `other`. */
+    pragma[nomagic]
+    predicate implements(AssocItem other) {
+      exists(TraitItemNode t, ImplItemNode i, string name |
+        other = t.getAssocItem(pragma[only_bind_into](name)) and
+        t = i.resolveTraitTy() and
+        this = i.getAssocItem(pragma[only_bind_into](name))
+      )
+    }
+  }
 }

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -65,6 +65,17 @@ module Impl {
       not exists(TypeInference::resolveMethodCallTarget(this)) and
       result = this.(CallExpr).getStaticTarget()
     }
+
+    /** Gets a runtime target of this call, if any. */
+    pragma[nomagic]
+    Function getARuntimeTarget() {
+      result.hasImplementation() and
+      (
+        result = this.getStaticTarget()
+        or
+        result.implements(this.getStaticTarget())
+      )
+    }
   }
 
   /** Holds if the call expression dispatches to a trait method. */

rust/ql/lib/codeql/rust/elements/internal/AssocItemImpl.qll

@@ -540,6 +540,13 @@ abstract class ImplOrTraitItemNode extends ItemNode {
   /** Gets an associated item belonging to this trait or `impl` block. */
   abstract AssocItemNode getAnAssocItem();
 
+  /** Gets the associated item named `name` belonging to this trait or `impl` block. */
+  pragma[nomagic]
+  AssocItemNode getAssocItem(string name) {
+    result = this.getAnAssocItem() and
+    result.getName() = name
+  }
+
   /** Holds if this trait or `impl` block declares an associated item named `name`. */
   pragma[nomagic]
   predicate hasAssocItem(string name) { name = this.getAnAssocItem().getName() }

rust/ql/lib/codeql/rust/elements/internal/CallImpl.qll

@@ -1,2 +1,2 @@
 multipleCallTargets
-| main.rs:225:14:225:29 | ...::deref(...) |
+| main.rs:272:14:272:29 | ...::deref(...) |