wip

Author: hvitved

rust/ql/lib/codeql/rust/internal/PathResolution.qll

@@ -4,6 +4,7 @@
 
 private import rust
 private import codeql.rust.elements.internal.generated.ParentChild
+private import codeql.rust.elements.internal.CallExprImpl::Impl as CallExprImpl
 private import codeql.rust.internal.CachedStages
 private import codeql.rust.frameworks.stdlib.Builtins as Builtins
 private import codeql.util.Option
@@ -604,7 +605,13 @@ private class EnumItemNode extends TypeItemNode instanceof Enum {
   }
 }
 
-private class VariantItemNode extends ItemNode instanceof Variant {
+/** An item that can be called with arguments. */
+abstract class CallableItemNode extends ItemNode {
+  /** Gets the number of parameters of this item. */
+  abstract int getNumberOfParameters();
+}
+
+private class VariantItemNode extends CallableItemNode instanceof Variant {
   override string getName() { result = Variant.super.getName().getText() }
 
   override Namespace getNamespace() {
@@ -617,6 +624,10 @@ private class VariantItemNode extends ItemNode instanceof Variant {
 
   override Visibility getVisibility() { result = super.getEnum().getVisibility() }
 
+  override int getNumberOfParameters() {
+    result = super.getFieldList().(TupleFieldList).getNumberOfFields()
+  }
+
   override predicate hasCanonicalPath(Crate c) { this.hasCanonicalPathPrefix(c) }
 
   bindingset[c]
@@ -638,7 +649,7 @@ private class VariantItemNode extends ItemNode instanceof Variant {
   }
 }
 
-class FunctionItemNode extends AssocItemNode instanceof Function {
+class FunctionItemNode extends AssocItemNode, CallableItemNode instanceof Function {
   override string getName() { result = Function.super.getName().getText() }
 
   override predicate hasImplementation() { Function.super.hasImplementation() }
@@ -648,6 +659,13 @@ class FunctionItemNode extends AssocItemNode instanceof Function {
   override TypeParam getTypeParam(int i) { result = super.getGenericParamList().getTypeParam(i) }
 
   override Visibility getVisibility() { result = Function.super.getVisibility() }
+
+  override int getNumberOfParameters() {
+    exists(int arr |
+      arr = super.getNumberOfParams() and
+      if super.hasSelfParam() then result = arr + 1 else result = arr
+    )
+  }
 }
 
 abstract class ImplOrTraitItemNode extends ItemNode {
@@ -867,7 +885,7 @@ private class ImplItemNodeImpl extends ImplItemNode {
   TraitItemNode resolveTraitTyCand() { result = resolvePathCand(this.getTraitPath()) }
 }
 
-private class StructItemNode extends TypeItemNode instanceof Struct {
+private class StructItemNode extends TypeItemNode, CallableItemNode instanceof Struct {
   override string getName() { result = Struct.super.getName().getText() }
 
   override Namespace getNamespace() {
@@ -879,6 +897,10 @@ private class StructItemNode extends TypeItemNode instanceof Struct {
 
   override Visibility getVisibility() { result = Struct.super.getVisibility() }
 
+  override int getNumberOfParameters() {
+    result = super.getFieldList().(TupleFieldList).getNumberOfFields()
+  }
+
   override TypeParam getTypeParam(int i) { result = super.getGenericParamList().getTypeParam(i) }
 
   override predicate hasCanonicalPath(Crate c) { this.hasCanonicalPathPrefix(c) }
@@ -1719,6 +1741,14 @@ private ItemNode resolvePathCand(RelevantPath path) {
     or
     not pathUsesNamespace(path, _) and
     not path = any(MacroCall mc).getPath()
+  ) and
+  (
+    not path = CallExprImpl::getFunctionPath(_)
+    or
+    exists(CallExpr ce |
+      path = CallExprImpl::getFunctionPath(ce) and
+      result.(CallableItemNode).getNumberOfParameters() = ce.getNumberOfArgs()
+    )
   )
 }
 

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -871,11 +871,6 @@ private module FunctionOverloading {
     Impl impl, TraitItemNode trait, Type rootType, TypeMention selfTy
   ) {
     trait = impl.(ImplItemNode).resolveTraitTy() and
-    // If `impl` has an expansion from a macro attribute, then it's been
-    // superseded by the output of the expansion (and usually the expansion
-    // contains the same `impl` block so considering both would give spurious
-    // siblings).
-    not exists(impl.getAttributeMacroExpansion()) and
     selfTy = impl.getSelfTy() and
     rootType = selfTy.resolveType()
   }
@@ -1393,7 +1388,8 @@ private module MethodCallResolution {
     Function m, string name, int arity, ImplItemNode i, FunctionType selfType, TypePath blanketPath,
     TypeParam blanketTypeParam
   ) {
-    methodInfoTypeParam(m, name, arity, i, selfType, blanketPath, blanketTypeParam) and
+    methodInfo(m, name, arity, i, selfType, _, _) and
+    TTypeParamTypeParameter(blanketTypeParam) = selfType.getTypeAt(blanketPath) and
     blanketTypeParam = i.getBlanketImplementationTypeParam()
   }
 
@@ -1702,7 +1698,7 @@ private module MethodCallResolution {
     }
 
     pragma[nomagic]
-    predicate hasInfo(
+    predicate hasSignature(
       MethodCall mc, TypePath strippedTypePath, Type strippedType, string name, int arity
     ) {
       strippedType = this.getTypeAt(strippedTypePath) and
@@ -1728,7 +1724,7 @@ private module MethodCallResolution {
     pragma[nomagic]
     predicate hasNoInherentTarget() {
       exists(TypePath strippedTypePath, Type strippedType, string name, int arity |
-        this.hasInfo(_, strippedTypePath, strippedType, name, arity) and
+        this.hasSignature(_, strippedTypePath, strippedType, name, arity) and
         forall(Impl i |
           methodInfoNonBlanket(_, name, arity, i, _, strippedTypePath, strippedType) and
           not i.hasTrait()
@@ -1800,7 +1796,7 @@ private module MethodCallResolution {
       MethodCallCand mcc, Function m, TypePath blanketPath, TypeParam blanketTypeParam
     ) {
       exists(MethodCall mc, string name, int arity |
-        mcc.hasInfo(mc, _, _, name, arity) and
+        mcc.hasSignature(mc, _, _, name, arity) and
         methodCallBlanketCandidate(mc, m, _, _, blanketPath, blanketTypeParam)
       )
     }
@@ -1821,7 +1817,7 @@ private module MethodCallResolution {
         MethodCall mc, Function m, string name, int arity, TypePath strippedTypePath,
         Type strippedType
       |
-        mcc.hasInfo(mc, strippedTypePath, strippedType, name, arity)
+        mcc.hasSignature(mc, strippedTypePath, strippedType, name, arity)
       |
         methodCallNonBlanketCandidate(mc, m, abs, constraint, strippedTypePath, strippedType)
         or
@@ -2035,7 +2031,21 @@ private Type inferMethodCallExprType(AstNode n, TypePath path) {
   )
 }
 
-/** Provides logic for resolving function calls. */
+/**
+ * Provides logic for resolving function calls.
+ *
+ * We distinguish between three cases:
+ *
+ * 1. The qualifier of the function call is _not_ a trait, and the function call
+ *    can be resolved using path resolution. In this case we use the resolved
+ *    function directly, we do not even check the receiver type in case the resolved
+ *    function is a method.
+ *
+ * 2. The qualifier of the function call _is_ a trait, and the function call can be
+ *    resolved using path resolution. In this case we use the resolved function
+ *  directly, we do not even check the receiver type in case the resolved
+ *    function is a method.
+ */
 private module FunctionCallResolution {
   private import FunctionOverloading
 
@@ -2068,7 +2078,17 @@ private module FunctionCallResolution {
 
   /** A function call, `f(x)`. */
   final class FunctionCall extends CallExpr {
-    private ItemNode getPathResolutionResolvedFunction() {
+    pragma[nomagic]
+    predicate hasSignature(string name, int arity) {
+      name = CallExprImpl::getFunctionPath(this).getText() and
+      arity = this.getNumberOfArgs()
+    }
+
+    /**
+     * Gets the item that this function call resolves to using path resolution,
+     * if any.
+     */
+    ItemNode getPathResolutionResolvedFunction() {
       result = CallExprImpl::getResolvedFunction(this)
     }
 
@@ -2078,7 +2098,7 @@ private module FunctionCallResolution {
     }
 
     pragma[nomagic]
-    predicate hasInfo(
+    predicate hasSignature(
       TypePath strippedTypePath, Type strippedType, TraitItemNode trait, Function resolved
     ) {
       this.getTypeAt(strippedTypePath) = strippedType and
@@ -2089,9 +2109,8 @@ private module FunctionCallResolution {
 
     pragma[nomagic]
     private Function getATargetMethodCand() {
-      exists(TraitItemNode trait, ImplOrTraitItemNode i, FunctionType self |
-        FunctionMethodCallIsInstantiationOfInput::potentialInstantiationOf(this, trait, i, self,
-          result) and
+      exists(ImplOrTraitItemNode i, FunctionType self |
+        FunctionMethodCallIsInstantiationOfInput::potentialInstantiationOf(this, i, self, result) and
         IsInstantiationOf<FunctionCall, FunctionType, FunctionMethodCallIsInstantiationOfInput>::isInstantiationOf(this,
           i, self)
       )
@@ -2156,6 +2175,38 @@ private module FunctionCallResolution {
     }
   }
 
+  private module SatisfiesBlanketConstraintInput implements
+    MethodCallResolution::BlanketImplementation::SatisfiesBlanketConstraintInputSig<FunctionCall>
+  {
+    pragma[nomagic]
+    private predicate hasBlanketCandidate(
+      FunctionCall call, Trait trait, Function m, TypePath blanketPath, TypeParam blanketTypeParam
+    ) {
+      not exists(call.getPathResolutionResolvedFunction()) and
+      exists(string name, int arity, ImplItemNode impl |
+        call.hasSignature(name, arity + 1) and
+        MethodCallResolution::methodInfoBlanket(m, name, arity, impl, _, blanketPath,
+          blanketTypeParam) and
+        trait = impl.resolveTraitTy()
+      )
+    }
+
+    pragma[nomagic]
+    private predicate functionCallTraitCandidate(Element mc, Trait trait) {
+      hasBlanketCandidate(mc, trait, _, _, _)
+    }
+
+    pragma[nomagic]
+    predicate hasBlanketCandidate(
+      FunctionCall call, Function m, TypePath blanketPath, TypeParam blanketTypeParam
+    ) {
+      exists(Trait trait |
+        hasBlanketCandidate(call, trait, m, blanketPath, blanketTypeParam) and
+        TraitIsVisible<functionCallTraitCandidate/2>::traitIsVisible(call, trait)
+      )
+    }
+  }
+
   /**
    * A configuration for matching the type of the first argument in a function call
    * against the type of a `self` parameter.
@@ -2195,15 +2246,21 @@ private module FunctionCallResolution {
 
     pragma[nomagic]
     additional predicate potentialInstantiationOf(
-      FunctionCall call, TraitItemNode trait, ImplOrTraitItemNode i, FunctionType selfType,
-      Function f
+      FunctionCall call, ImplOrTraitItemNode i, FunctionType selfType, Function f
     ) {
-      exists(Function resolved, TypePath strippedTypePath, Type strippedType |
-        call.hasInfo(strippedTypePath, strippedType, trait, resolved)
-      |
-        methodInfo(strippedTypePath, strippedType, trait, f, resolved)
+      (
+        exists(
+          TraitItemNode trait, Function resolved, TypePath strippedTypePath, Type strippedType
+        |
+          call.hasSignature(strippedTypePath, strippedType, trait, resolved)
+        |
+          methodInfo(strippedTypePath, strippedType, trait, f, resolved)
+          or
+          methodInfoTypeParam(strippedTypePath, trait, f, resolved)
+        )
         or
-        methodInfoTypeParam(strippedTypePath, trait, f, resolved)
+        MethodCallResolution::BlanketImplementation::SatisfiesBlanketConstraint<FunctionCall, SatisfiesBlanketConstraintInput>::satisfiesBlanketConstraint(call,
+          f)
       ) and
       MethodCallResolution::methodInfo(f, _, _, i, selfType, _, _)
     }
@@ -2212,7 +2269,7 @@ private module FunctionCallResolution {
     predicate potentialInstantiationOf(
       FunctionCall call, TypeAbstraction abs, FunctionType constraint
     ) {
-      potentialInstantiationOf(call, _, abs, constraint, _)
+      potentialInstantiationOf(call, abs, constraint, _)
     }
 
     predicate relevantTypeMention(FunctionType constraint) {
@@ -2423,7 +2480,7 @@ private module OperationResolution {
     Type getTypeAt(TypePath path) { result = substituteLookupTraits(this.getTypeAt0(path)) }
 
     pragma[nomagic]
-    predicate hasInfo(
+    predicate hasSignature(
       TypePath strippedTypePath, Type strippedType, Trait trait, string name, int arity
     ) {
       name = this.(Call).getMethodName() and
@@ -2461,18 +2518,39 @@ private module OperationResolution {
     }
   }
 
+  private module SatisfiesBlanketConstraintInput implements
+    MethodCallResolution::BlanketImplementation::SatisfiesBlanketConstraintInputSig<Op>
+  {
+    pragma[nomagic]
+    private predicate methodInfoBlanket(
+      Function m, string name, int arity, ImplItemNode impl, Trait trait, TypePath blanketPath,
+      TypeParam blanketTypeParam
+    ) {
+      MethodCallResolution::methodInfoBlanket(m, name, arity, impl, _, blanketPath, blanketTypeParam) and
+      trait = impl.resolveTraitTy()
+    }
+
+    pragma[nomagic]
+    predicate hasBlanketCandidate(
+      Op op, Function m, TypePath blanketPath, TypeParam blanketTypeParam
+    ) {
+      exists(Trait trait, string name, int arity, ImplItemNode impl |
+        op.hasSignature(_, _, trait, name, arity) and
+        methodInfoBlanket(m, name, arity, impl, trait, blanketPath, blanketTypeParam)
+      )
+    }
+  }
+
   private module OperationIsInstantiationOfInput implements
     IsInstantiationOfInputSig<Op, FunctionType>
   {
-    // todo
     bindingset[strippedTypePath]
     private predicate methodInfoNonBlanket(
       TypeAbstraction abs, FunctionType constraint, Trait trait, string name, int arity,
       TypePath strippedTypePath, Type strippedType
     ) {
       MethodCallResolution::methodInfoNonBlanket(_, name, arity, abs, constraint, strippedTypePath,
         strippedType) and
-      not abs.(ImplItemNode).isBlanketImplementation() and
       (
         trait = abs.(ImplItemNode).resolveTraitTy()
         or
@@ -2483,9 +2561,15 @@ private module OperationResolution {
     pragma[nomagic]
     predicate potentialInstantiationOf(Op op, TypeAbstraction abs, FunctionType constraint) {
       exists(Trait trait, string name, int arity, TypePath strippedTypePath, Type strippedType |
-        op.hasInfo(strippedTypePath, strippedType, trait, name, arity) and
+        op.hasSignature(strippedTypePath, strippedType, trait, name, arity) and
         methodInfoNonBlanket(abs, constraint, trait, name, arity, strippedTypePath, strippedType)
       )
+      or
+      exists(Function m |
+        MethodCallResolution::methodInfoBlanket(m, _, _, abs, constraint, _, _) and
+        MethodCallResolution::BlanketImplementation::SatisfiesBlanketConstraint<Op, SatisfiesBlanketConstraintInput>::satisfiesBlanketConstraint(op,
+          m)
+      )
     }
 
     predicate relevantTypeMention(FunctionType constraint) {

rust/ql/test/library-tests/type-inference/blanket_impl.rs

@@ -51,7 +51,7 @@ mod basic_blanket_impl {
         println!("{x3:?}");
         let x4 = (&S1).duplicate(); // $ target=Clone1duplicate
         println!("{x4:?}");
-        let x5 = S1::duplicate(&S1); // $ MISSING: target=Clone1duplicate
+        let x5 = S1::duplicate(&S1); // $ target=Clone1duplicate
         println!("{x5:?}");
         let x6 = S2.duplicate(); // $ MISSING: target=Clone1duplicate
         println!("{x6:?}");
@@ -174,11 +174,11 @@ pub mod sql_exec {
         let c = MySqlConnection {}; // $ certainType=c:MySqlConnection
 
         c.execute1(); // $ target=execute1
-        MySqlConnection::execute1(&c); // $ MISSING: target=execute1
+        MySqlConnection::execute1(&c); // $ target=execute1
 
         c.execute2("SELECT * FROM users"); // $ target=execute2
         c.execute2::<&str>("SELECT * FROM users"); // $ target=execute2
-        MySqlConnection::execute2(&c, "SELECT * FROM users"); // $ MISSING: target=execute2
-        MySqlConnection::execute2::<&str>(&c, "SELECT * FROM users"); // $ MISSING: target=execute2
+        MySqlConnection::execute2(&c, "SELECT * FROM users"); // $ target=execute2
+        MySqlConnection::execute2::<&str>(&c, "SELECT * FROM users"); // $ target=execute2
     }
 }

rust/ql/test/library-tests/type-inference/main.rs

@@ -2630,10 +2630,10 @@ pub mod path_buf {
     }
 }
 
+mod blanket_impl;
 mod closure;
 mod dereference;
 mod dyn_type;
-mod blanket_impl;
 
 fn main() {
     field_access::f(); // $ target=f