wip

Author: hvitved

rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll

@@ -303,5 +303,6 @@ class Vec extends Struct {
   pragma[nomagic]
   Vec() { this.getCanonicalPath() = "alloc::vec::Vec" }
 
+  /** Gets the type parameter representing the element type. */
   TypeParam getElementTypeParam() { result = this.getGenericParamList().getTypeParam(0) }
 }

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -118,6 +118,9 @@ module SatisfiesBlanketConstraint<
     predicate useUniversalConditions() { none() }
   }
 
+  private module SatisfiesBlanketConstraint =
+    SatisfiesConstraint<ArgumentTypeAndBlanketOffset, SatisfiesBlanketConstraintInput>;
+
   /**
    * Holds if the argument type `at` satisfies the first non-trivial blanket
    * constraint of `impl`.
@@ -127,8 +130,7 @@ module SatisfiesBlanketConstraint<
     exists(ArgumentTypeAndBlanketOffset ato, Trait traitBound |
       ato = MkArgumentTypeAndBlanketOffset(at, _) and
       SatisfiesBlanketConstraintInput::relevantConstraint(ato, impl, traitBound) and
-      SatisfiesConstraint<ArgumentTypeAndBlanketOffset, SatisfiesBlanketConstraintInput>::satisfiesConstraintType(ato,
-        TTrait(traitBound), _, _)
+      SatisfiesBlanketConstraint::satisfiesConstraintType(ato, TTrait(traitBound), _, _)
     )
   }
 }

rust/ql/lib/codeql/rust/internal/typeinference/BlanketImplementation.qll

@@ -117,27 +117,11 @@ predicate functionResolutionDependsOnArgument(
    * method. In that case we will still resolve several methods.
    */
 
-  exists(TraitItemNode trait, string functionName, TypePath path0, Type type0 |
+  exists(TraitItemNode trait, string functionName |
     implHasSibling(impl, trait) and
-    traitTypeParameterOccurrence(trait, _, functionName, pos, path0, _) and
-    functionTypeAtPath(f, pos, path0, type0) and
+    traitTypeParameterOccurrence(trait, _, functionName, pos, path, _) and
+    functionTypeAtPath(f, pos, path, type) and
     f = impl.getASuccessor(functionName) and
     not pos.isReturn()
-  |
-    exists(TypeParameter tp0, TypePath path1, Type type1 |
-      complexSelfRoot(type0, tp0) and
-      path1 = path0.append(TypePath::singleton(tp0)) and
-      functionTypeAtPath(f, pos, path1, type1)
-    |
-      if type1 instanceof TypeParameter
-      then path = path0 and type = type0
-      else (
-        path = path1 and type = type1
-      )
-    )
-    or
-    not complexSelfRoot(type0, _) and
-    path = path0 and
-    type = type0
   )
 }

rust/ql/lib/codeql/rust/internal/typeinference/FunctionOverloading.qll

@@ -241,3 +241,163 @@ Type substituteLookupTraits(Type t) {
   or
   result = TTrait(getALookupTrait(t))
 }
+
+/**
+ * A wrapper around `IsInstantiationOf` which ensures to substitute in lookup
+ * traits when checking whether argument types are instantiations of function
+ * types.
+ */
+module ArgIsInstantiationOf<HasTypeTreeSig Arg, IsInstantiationOfInputSig<Arg, FunctionType> Input> {
+  final private class ArgFinal = Arg;
+
+  private class ArgSubst extends ArgFinal {
+    Type getTypeAt(TypePath path) { result = substituteLookupTraits(super.getTypeAt(path)) }
+  }
+
+  private module IsInstantiationOfInput implements IsInstantiationOfInputSig<ArgSubst, FunctionType>
+  {
+    pragma[nomagic]
+    predicate potentialInstantiationOf(ArgSubst arg, TypeAbstraction abs, FunctionType constraint) {
+      Input::potentialInstantiationOf(arg, abs, constraint)
+    }
+
+    predicate relevantTypeMention(FunctionType constraint) {
+      Input::relevantTypeMention(constraint)
+    }
+  }
+
+  private module ArgSubstIsInstantiationOf =
+    IsInstantiationOf<ArgSubst, FunctionType, IsInstantiationOfInput>;
+
+  predicate argIsInstantiationOf(Arg arg, ImplOrTraitItemNode i, FunctionType constraint) {
+    ArgSubstIsInstantiationOf::isInstantiationOf(arg, i, constraint)
+  }
+
+  predicate argIsNotInstantiationOf(Arg arg, ImplOrTraitItemNode i, FunctionType constraint) {
+    ArgSubstIsInstantiationOf::isNotInstantiationOf(arg, i, constraint)
+  }
+}
+
+/**
+ * Provides the input for `ArgsAreInstantiationsOf`.
+ */
+signature module ArgsAreInstantiationsOfInputSig {
+  /**
+   * Holds if types need to matched against the type `t` at position `pos` of
+   * `f` inside `i`.
+   */
+  predicate toCheck(ImplOrTraitItemNode i, Function f, FunctionTypePosition pos, FunctionType t);
+
+  /** A call whose argument types are to be checked. */
+  class Call {
+    string toString();
+
+    Location getLocation();
+
+    Type getArgType(FunctionTypePosition pos, TypePath path);
+
+    predicate hasTargetCand(ImplOrTraitItemNode i, Function f);
+  }
+}
+
+/**
+ * Provides logic for checking that a set of arguments have types that are
+ * instantiations of the types at the corresponding positions in a function
+ * type.
+ */
+module ArgsAreInstantiationsOf<ArgsAreInstantiationsOfInputSig Input> {
+  pragma[nomagic]
+  private predicate toCheckRanked(
+    ImplOrTraitItemNode i, Function f, FunctionTypePosition pos, int rnk
+  ) {
+    Input::toCheck(i, f, pos, _) and
+    pos =
+      rank[rnk + 1](FunctionTypePosition pos0, int j |
+        Input::toCheck(i, f, pos0, _) and
+        (
+          j = pos0.asPositional()
+          or
+          pos0.isSelf() and j = -1
+          or
+          pos0.isReturn() and j = -2
+        )
+      |
+        pos0 order by j
+      )
+  }
+
+  private newtype TCallAndPos =
+    MkCallAndPos(Input::Call call, FunctionTypePosition pos) { exists(call.getArgType(pos, _)) }
+
+  /** A call tagged with a position. */
+  private class CallAndPos extends MkCallAndPos {
+    Input::Call call;
+    FunctionTypePosition pos;
+
+    CallAndPos() { this = MkCallAndPos(call, pos) }
+
+    Input::Call getCall() { result = call }
+
+    FunctionTypePosition getPos() { result = pos }
+
+    Location getLocation() { result = call.getLocation() }
+
+    Type getTypeAt(TypePath path) { result = call.getArgType(pos, path) }
+
+    string toString() { result = call.toString() + " [arg " + pos + "]" }
+  }
+
+  private module ArgIsInstantiationOfInput implements
+    IsInstantiationOfInputSig<CallAndPos, FunctionType>
+  {
+    pragma[nomagic]
+    private predicate potentialInstantiationOf0(
+      CallAndPos cp, Input::Call call, FunctionTypePosition pos, int rnk, Function f,
+      TypeAbstraction abs, FunctionType constraint
+    ) {
+      cp = MkCallAndPos(call, pos) and
+      call.hasTargetCand(abs, f) and
+      toCheckRanked(abs, f, pos, rnk) and
+      Input::toCheck(abs, f, pos, constraint)
+    }
+
+    pragma[nomagic]
+    predicate potentialInstantiationOf(CallAndPos cp, TypeAbstraction abs, FunctionType constraint) {
+      exists(Input::Call call, FunctionTypePosition pos, int rnk, Function f |
+        potentialInstantiationOf0(cp, call, pos, rnk, f, abs, constraint)
+      |
+        rnk = 0
+        or
+        argsAreInstantiationsOfFromIndex(call, abs, f, rnk - 1)
+      )
+    }
+
+    predicate relevantTypeMention(FunctionType constraint) { Input::toCheck(_, _, _, constraint) }
+  }
+
+  private module ArgIsInstantiationOfFromIndex =
+    ArgIsInstantiationOf<CallAndPos, ArgIsInstantiationOfInput>;
+
+  pragma[nomagic]
+  private predicate argsAreInstantiationsOfFromIndex(
+    Input::Call call, ImplOrTraitItemNode i, Function f, int rnk
+  ) {
+    exists(FunctionTypePosition pos |
+      ArgIsInstantiationOfFromIndex::argIsInstantiationOf(MkCallAndPos(call, pos), i, _) and
+      call.hasTargetCand(i, f) and
+      toCheckRanked(i, f, pos, rnk)
+    )
+  }
+
+  /**
+   * Holds if all arguments of `call` have types that are instantiations of the
+   * types of the corresponding parameters of `f` inside `i`.
+   */
+  pragma[nomagic]
+  predicate argsAreInstantiationsOf(Input::Call call, ImplOrTraitItemNode i, Function f) {
+    exists(int rnk |
+      argsAreInstantiationsOfFromIndex(call, i, f, rnk) and
+      rnk = max(int r | toCheckRanked(i, f, _, r))
+    )
+  }
+}

rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll

@@ -5,9 +5,6 @@ multipleCallTargets
 | dereference.rs:184:17:184:30 | ... .foo() |
 | dereference.rs:186:17:186:25 | S.bar(...) |
 | dereference.rs:187:17:187:29 | S.bar(...) |
-| main.rs:2383:9:2383:34 | ...::my_from2(...) |
-| main.rs:2384:9:2384:33 | ...::my_from2(...) |
-| main.rs:2385:9:2385:38 | ...::my_from2(...) |
 | main.rs:2437:13:2437:31 | ...::from(...) |
 | main.rs:2438:13:2438:31 | ...::from(...) |
 | main.rs:2439:13:2439:31 | ...::from(...) |

rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected

@@ -698,9 +698,9 @@ mod function_trait_bounds {
         T2::assoc(x) // $ target=assoc
     }
     fn call_trait_assoc_2<T1, T2: MyTrait<T1> + Copy>(x: T2) -> T1 {
-        let y = MyTrait::assoc(x); // $ MISSING: target=assoc
-        y; // $ MISSING: type=y:T1
-        MyTrait::assoc(x) // $ MISSING: target=assoc
+        let y = MyTrait::assoc(x); // $ target=assoc
+        y; // $ type=y:T1
+        MyTrait::assoc(x) // $ target=assoc
     }
 
     // Type parameter with bound occurs nested within another type.
@@ -2380,9 +2380,9 @@ mod method_determined_by_argument_type {
         let x = i64::my_from(73i64); // $ target=MyFrom<i64>::my_from
         let y = i64::my_from(true); // $ target=MyFrom<bool>::my_from
         let z: i64 = MyFrom::my_from(73i64); // $ target=MyFrom<i64>::my_from
-        i64::my_from2(73i64, 0i64); // $ target=MyFrom2<i64>::my_from2 $ SPURIOUS: target=MyFrom2<bool>::my_from2
-        i64::my_from2(true, 0i64); // $ target=MyFrom2<bool>::my_from2 $ SPURIOUS: target=MyFrom2<i64>::my_from2
-        MyFrom2::my_from2(73i64, 0i64); // $ target=MyFrom2<i64>::my_from2 $ SPURIOUS: target=MyFrom2<bool>::my_from2
+        i64::my_from2(73i64, 0i64); // $ target=MyFrom2<i64>::my_from2
+        i64::my_from2(true, 0i64); // $ target=MyFrom2<bool>::my_from2
+        MyFrom2::my_from2(73i64, 0i64); // $ target=MyFrom2<i64>::my_from2
 
         i64::f1(73i64); // $ target=MySelfTrait<i64>::f1
         i64::f2(73i64); // $ target=MySelfTrait<i64>::f2
@@ -2446,9 +2446,9 @@ mod loops {
             String::from("bar"), // $ target=from
             String::from("baz"), // $ target=from
         ];
-        for s in strings3 {} // $ MISSING: type=s:String
+        for s in strings3 {} // $ type=s:&T.String
 
-        let callables = [MyCallable::new(), MyCallable::new(), MyCallable::new()]; // $ target=new $ MISSING: type=callables:[T;...].MyCallable; 3
+        let callables = [MyCallable::new(), MyCallable::new(), MyCallable::new()]; // $ target=new $ type=callables:[T;...].MyCallable
         for c // $ type=c:MyCallable
         in callables
         {
@@ -2502,10 +2502,10 @@ mod loops {
         let mut map1 = std::collections::HashMap::new(); // $ target=new type=map1:K.i32 type=map1:V.Box $ MISSING: type=map1:Hashmap type1=map1:V.T.&T.str
         map1.insert(1, Box::new("one")); // $ target=insert target=new
         map1.insert(2, Box::new("two")); // $ target=insert target=new
-        for key in map1.keys() {} // $ target=keys MISSING: type=key:i32
-        for value in map1.values() {} // $ target=values MISSING: type=value:Box type=value:T.&T.str
-        for (key, value) in map1.iter() {} // $ target=iter MISSING: type=key:i32 type=value:Box type=value:T.&T.str
-        for (key, value) in &map1 {} // $ MISSING: type=key:i32 type=value:Box type=value:T.&T.str
+        for key in map1.keys() {} // $ target=keys type=key:&T.i32
+        for value in map1.values() {} // $ target=values type=value:&T.Box type=value:&T.T.&T.str
+        for (key, value) in map1.iter() {} // $ target=iter type=key:&T.i32 type=value:&T.Box type=value:&T.T.&T.str
+        for (key, value) in &map1 {} // $ type=key:&T.i32 type=value:&T.Box type=value:&T.T.&T.str
 
         // while loops
 

rust/ql/test/library-tests/type-inference/main.rs

@@ -1992,7 +1992,10 @@ inferType
 | main.rs:698:19:698:19 | x |  | main.rs:695:31:695:52 | T2 |
 | main.rs:700:55:700:55 | x |  | main.rs:700:31:700:52 | T2 |
 | main.rs:700:68:704:5 | { ... } |  | main.rs:700:27:700:28 | T1 |
+| main.rs:701:13:701:13 | y |  | main.rs:700:27:700:28 | T1 |
+| main.rs:701:17:701:33 | ...::assoc(...) |  | main.rs:700:27:700:28 | T1 |
 | main.rs:701:32:701:32 | x |  | main.rs:700:31:700:52 | T2 |
+| main.rs:702:9:702:9 | y |  | main.rs:700:27:700:28 | T1 |
 | main.rs:703:9:703:25 | ...::assoc(...) |  | main.rs:700:27:700:28 | T1 |
 | main.rs:703:24:703:24 | x |  | main.rs:700:31:700:52 | T2 |
 | main.rs:708:49:708:49 | x |  | main.rs:656:5:659:5 | MyThing |