Rust: Add reverse post-update flow steps

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowConsistency.qll

@@ -18,6 +18,8 @@ private module Input implements InputSig<Location, RustDataFlow> {
     // We allow flow into post-update node for receiver expressions (from the
     // synthetic post receiever node).
     n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = any(Node::ReceiverNode r).getReceiver()
+    or
+    n.(Node::PostUpdateNode).getPreUpdateNode().asExpr() = getPostUpdateReverseStep(_, _)
   }
 
   predicate missingLocationExclude(RustDataFlow::Node n) { not exists(n.asExpr().getLocation()) }

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -213,6 +213,28 @@
   result.(BreakExprCfgNode).getTarget() = e
 }
 
+/**
+ * Holds if a reverse local flow step should be added from the post-update node
+ * for `e` to the post-update node for the result.
+ *
+ * This is needed to allow for side-effects on compound expressions to propagate
+ * to sub components. For example, in
+ *
+ * ```rust
+ * ({ foo(); &mut a}).set_data(taint);
+ * ```
+ *
+ * we add a reverse flow step from `[post] { foo(); &mut a}` to `[post] &mut a`,
+ * in order for the side-effect of `set_data` to reach `&mut a`.
+ */
+ExprCfgNode getPostUpdateReverseStep(ExprCfgNode e, boolean preservesValue) {
+  result = getALastEvalNode(e) and
+  preservesValue = true
+  or
+  result = e.(CastExprCfgNode).getExpr() and
+  preservesValue = false
+}
+
 module LocalFlow {
   predicate flowSummaryLocalStep(Node nodeFrom, Node nodeTo, string model) {
     exists(FlowSummaryImpl::Public::SummarizedCallable c |
@@ -274,6 +296,9 @@
     // The dual step of the above, for the post-update nodes.
     nodeFrom.(PostUpdateNode).getPreUpdateNode().(ReceiverNode).getReceiver() =
       nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr()
+    or
+    nodeTo.(PostUpdateNode).getPreUpdateNode().asExpr() =
+      getPostUpdateReverseStep(nodeFrom.(PostUpdateNode).getPreUpdateNode().asExpr(), true)
   }
 }
 

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -29,7 +29,7 @@ abstract class NodePublic extends TNode {
   /**
    * Gets the expression that corresponds to this node, if any.
    */
-  ExprCfgNode asExpr() { none() }
+  final ExprCfgNode asExpr() { this = TExprNode(result) }
 
   /**
    * Gets the parameter that corresponds to this node, if any.
@@ -39,7 +39,7 @@ abstract class NodePublic extends TNode {
   /**
    * Gets the pattern that corresponds to this node, if any.
    */
-  PatCfgNode asPat() { none() }
+  final PatCfgNode asPat() { this = TPatNode(result) }
 }
 
 abstract class Node extends NodePublic {
@@ -144,16 +144,12 @@ class ExprNode extends AstCfgFlowNode, TExprNode {
   override ExprCfgNode n;
 
   ExprNode() { this = TExprNode(n) }
-
-  override ExprCfgNode asExpr() { result = n }
 }
 
 final class PatNode extends AstCfgFlowNode, TPatNode {
   override PatCfgNode n;
 
   PatNode() { this = TPatNode(n) }
-
-  override PatCfgNode asPat() { result = n }
 }
 
 /** A data flow node that corresponds to a name node in the CFG. */
@@ -467,10 +463,12 @@ newtype TNode =
     or
     e =
       [
-        any(IndexExprCfgNode i).getBase(), any(FieldExprCfgNode access).getExpr(),
-        any(TryExprCfgNode try).getExpr(),
-        any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr(),
-        any(AwaitExprCfgNode a).getExpr(), any(MethodCallExprCfgNode mc).getReceiver()
+        any(IndexExprCfgNode i).getBase(), //
+        any(FieldExprCfgNode access).getExpr(), //
+        any(TryExprCfgNode try).getExpr(), //
+        any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr(), //
+        any(AwaitExprCfgNode a).getExpr(), any(MethodCallExprCfgNode mc).getReceiver(), //
+        getPostUpdateReverseStep(any(PostUpdateNode n).getPreUpdateNode().asExpr(), _)
       ]
   } or
   TReceiverNode(MethodCallExprCfgNode mc, Boolean isPost) or

rust/ql/lib/codeql/rust/dataflow/internal/SsaImpl.qll

@@ -332,6 +332,8 @@
 private import codeql.rust.dataflow.Ssa
 
 private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig {
+  private import codeql.rust.dataflow.internal.DataFlowImpl as DataFlowImpl
+
   class Expr extends CfgNodes::AstCfgNode {
     predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { this = bb.getNode(i) }
   }
@@ -343,14 +345,22 @@
     none() // handled in `DataFlowImpl.qll` instead
   }
 
+  private predicate isArg(CfgNodes::CallExprBaseCfgNode call, CfgNodes::ExprCfgNode e) {
+    call.getArgument(_) = e
+    or
+    call.(CfgNodes::MethodCallExprCfgNode).getReceiver() = e
+    or
+    exists(CfgNodes::ExprCfgNode mid |
+      isArg(call, mid) and
+      e = DataFlowImpl::getPostUpdateReverseStep(mid, _)
+    )
+  }
+
   predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) {
     exists(CfgNodes::CallExprBaseCfgNode call, Variable v, BasicBlock bb, int i |
       def.definesAt(v, bb, i) and
-      mutablyBorrows(bb.getNode(i).getAstNode(), v)
-    |
-      call.getArgument(_) = bb.getNode(i)
-      or
-      call.(CfgNodes::MethodCallExprCfgNode).getReceiver() = bb.getNode(i)
+      mutablyBorrows(bb.getNode(i).getAstNode(), v) and
+      isArg(call, bb.getNode(i))
     )
   }
 

rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll

@@ -53,6 +53,9 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
       exists(FormatArgsExprCfgNode format | succ.asExpr() = format |
         pred.asExpr() = [format.getArgumentExpr(_), format.getFormatTemplateVariableAccess(_)]
       )
+      or
+      succ.(Node::PostUpdateNode).getPreUpdateNode().asExpr() =
+        getPostUpdateReverseStep(pred.(Node::PostUpdateNode).getPreUpdateNode().asExpr(), false)
     )
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),