Rust: Model slice/array types in path resolution

Author: hvitved

rust/ql/lib/codeql/rust/frameworks/stdlib/Builtins.qll

@@ -136,3 +136,13 @@ class F32 extends FloatingPointTypeImpl {
 class F64 extends FloatingPointTypeImpl {
   F64() { this.getName() = "f64" }
 }
+
+/** The builtin slice type `[T]`. */
+class SliceType extends BuiltinType {
+  SliceType() { this.getName() = "Slice" }
+}
+
+/** The builtin array type `[T; N]`. */
+class ArrayType extends BuiltinType {
+  ArrayType() { this.getName() = "Array" }
+}

rust/ql/lib/codeql/rust/internal/PathResolution.qll

@@ -718,7 +718,19 @@ final class ImplItemNode extends ImplOrTraitItemNode instanceof Impl {
 
   Path getTraitPath() { result = super.getTrait().(PathTypeRepr).getPath() }
 
-  TypeItemNode resolveSelfTy() { result = resolvePath(this.getSelfPath()) }
+  TypeItemNode resolveSelfTyBuiltin() {
+    this.(Impl).getSelfTy() instanceof SliceTypeRepr and
+    result instanceof Builtins::SliceType
+    or
+    this.(Impl).getSelfTy() instanceof ArrayTypeRepr and
+    result instanceof Builtins::ArrayType
+  }
+
+  TypeItemNode resolveSelfTy() {
+    result = resolvePath(this.getSelfPath())
+    or
+    result = this.resolveSelfTyBuiltin()
+  }
 
   TraitItemNode resolveTraitTy() { result = resolvePath(this.getTraitPath()) }
 
@@ -893,7 +905,11 @@ private class ModuleItemNode extends ModuleLikeNode instanceof Module {
 }
 
 private class ImplItemNodeImpl extends ImplItemNode {
-  TypeItemNode resolveSelfTyCand() { result = resolvePathCand(this.getSelfPath()) }
+  TypeItemNode resolveSelfTyCand() {
+    result = resolvePathCand(this.getSelfPath())
+    or
+    result = this.resolveSelfTyBuiltin()
+  }
 
   TraitItemNode resolveTraitTyCand() { result = resolvePathCand(this.getTraitPath()) }
 }
@@ -1743,6 +1759,14 @@ private ItemNode resolvePathCand0(RelevantPath path, Namespace ns) {
   or
   result = resolveUseTreeListItem(_, _, path, _) and
   ns = result.getNamespace()
+  or
+  path.getSegment().getTypeRepr() instanceof SliceTypeRepr and
+  result = any(BuiltinSourceFile b).getASuccessor("Slice") and
+  ns.isType()
+  or
+  path.getSegment().getTypeRepr() instanceof ArrayTypeRepr and
+  result = any(BuiltinSourceFile b).getASuccessor("Array") and
+  ns.isType()
 }
 
 pragma[nomagic]
@@ -2106,7 +2130,8 @@ pragma[nomagic]
 private predicate builtin(string name, ItemNode i) {
   exists(BuiltinSourceFile builtins |
     builtins.getFile().getBaseName() = "types.rs" and
-    i = builtins.getASuccessor(name)
+    i = builtins.getASuccessor(name) and
+    not name = ["Array", "Slice"]
   )
 }
 

rust/ql/lib/codeql/rust/internal/Type.qll

@@ -7,6 +7,7 @@ private import codeql.rust.internal.CachedStages
 private import codeql.rust.elements.internal.generated.Raw
 private import codeql.rust.elements.internal.generated.Synth
 private import codeql.rust.frameworks.stdlib.Stdlib
+private import codeql.rust.frameworks.stdlib.Builtins as Builtins
 
 /**
  * Holds if a dyn trait type should have a type parameter associated with `n`. A
@@ -44,24 +45,20 @@ newtype TType =
   TEnum(Enum e) or
   TTrait(Trait t) or
   TUnion(Union u) or
-  TArrayType() or // todo: add size?
   TRefType() or // todo: add mut?
   TImplTraitType(ImplTraitTypeRepr impl) or
   TDynTraitType(Trait t) { t = any(DynTraitTypeRepr dt).getTrait() } or
-  TSliceType() or
   TNeverType() or
   TPtrType() or
   TTupleTypeParameter(int arity, int i) { exists(TTuple(arity)) and i in [0 .. arity - 1] } or
   TTypeParamTypeParameter(TypeParam t) or
   TAssociatedTypeTypeParameter(TypeAlias t) { any(TraitItemNode trait).getAnAssocItem() = t } or
-  TArrayTypeParameter() or
   TDynTraitTypeParameter(AstNode n) { dynTraitTypeParameter(_, n) } or
   TImplTraitTypeParameter(ImplTraitTypeRepr implTrait, TypeParam tp) {
     implTraitTypeParam(implTrait, _, tp)
   } or
   TRefTypeParameter() or
   TSelfTypeParameter(Trait t) or
-  TSliceTypeParameter() or
   TPtrTypeParameter()
 
 private predicate implTraitTypeParam(ImplTraitTypeRepr implTrait, int i, TypeParam tp) {
@@ -228,17 +225,10 @@ class UnionType extends Type, TUnion {
  * Array types like `[i64; 5]` are modeled as normal generic types
  * with a single type argument.
  */
-class ArrayType extends Type, TArrayType {
-  ArrayType() { this = TArrayType() }
+class ArrayType extends StructType {
+  ArrayType() { this.getStruct() instanceof Builtins::ArrayType }
 
-  override TypeParameter getPositionalTypeParameter(int i) {
-    result = TArrayTypeParameter() and
-    i = 0
-  }
-
-  override string toString() { result = "[]" }
-
-  override Location getLocation() { result instanceof EmptyLocation }
+  override string toString() { result = "[;]" }
 }
 
 /**
@@ -339,17 +329,10 @@ class ImplTraitReturnType extends ImplTraitType {
  * Slice types like `[i64]` are modeled as normal generic types
  * with a single type argument.
  */
-class SliceType extends Type, TSliceType {
-  SliceType() { this = TSliceType() }
-
-  override TypeParameter getPositionalTypeParameter(int i) {
-    result = TSliceTypeParameter() and
-    i = 0
-  }
+class SliceType extends StructType {
+  SliceType() { this.getStruct() instanceof Builtins::SliceType }
 
   override string toString() { result = "[]" }
-
-  override Location getLocation() { result instanceof EmptyLocation }
 }
 
 class NeverType extends Type, TNeverType {
@@ -392,7 +375,14 @@ class TypeParamTypeParameter extends TypeParameter, TTypeParamTypeParameter {
 
   TypeParam getTypeParam() { result = typeParam }
 
-  override string toString() { result = typeParam.toString() }
+  override string toString() {
+    if this = any(ArrayType at).getATypeParameter()
+    then result = "[T;...]"
+    else
+      if this = any(SliceType st).getATypeParameter()
+      then result = "[T]"
+      else result = typeParam.toString()
+  }
 
   override Location getLocation() { result = typeParam.getLocation() }
 }
@@ -454,13 +444,6 @@ class TupleTypeParameter extends TypeParameter, TTupleTypeParameter {
   TupleType getTupleType() { result = TTuple(arity) }
 }
 
-/** An implicit array type parameter. */
-class ArrayTypeParameter extends TypeParameter, TArrayTypeParameter {
-  override string toString() { result = "[T;...]" }
-
-  override Location getLocation() { result instanceof EmptyLocation }
-}
-
 class DynTraitTypeParameter extends TypeParameter, TDynTraitTypeParameter {
   private AstNode n;
 
@@ -515,13 +498,6 @@ class RefTypeParameter extends TypeParameter, TRefTypeParameter {
   override Location getLocation() { result instanceof EmptyLocation }
 }
 
-/** An implicit slice type parameter. */
-class SliceTypeParameter extends TypeParameter, TSliceTypeParameter {
-  override string toString() { result = "[T]" }
-
-  override Location getLocation() { result instanceof EmptyLocation }
-}
-
 class PtrTypeParameter extends TypeParameter, TPtrTypeParameter {
   override string toString() { result = "*T" }
 

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -87,25 +87,15 @@ private module Input1 implements InputSig1<Location> {
   int getTypeParameterId(TypeParameter tp) {
     tp =
       rank[result](TypeParameter tp0, int kind, int id1, int id2 |
-        tp0 instanceof ArrayTypeParameter and
-        kind = 0 and
-        id1 = 0 and
-        id2 = 0
-        or
         tp0 instanceof RefTypeParameter and
         kind = 0 and
         id1 = 0 and
-        id2 = 1
-        or
-        tp0 instanceof SliceTypeParameter and
-        kind = 0 and
-        id1 = 0 and
-        id2 = 2
+        id2 = 0
         or
         tp0 instanceof PtrTypeParameter and
         kind = 0 and
         id1 = 0 and
-        id2 = 3
+        id2 = 1
         or
         kind = 1 and
         id1 = 0 and
@@ -555,6 +545,16 @@ private predicate bodyReturns(Expr body, Expr e) {
   )
 }
 
+pragma[nomagic]
+TypeParamTypeParameter getArrayTypeParameter() {
+  result = any(ArrayType t).getPositionalTypeParameter(0)
+}
+
+pragma[nomagic]
+TypeParamTypeParameter getSliceTypeParameter() {
+  result = any(SliceType t).getPositionalTypeParameter(0)
+}
+
 /**
  * Holds if the type tree of `n1` at `prefix1` should be equal to the type tree
  * of `n2` at `prefix2` and type information should propagate in both directions
@@ -649,12 +649,12 @@ private predicate typeEquality(AstNode n1, TypePath prefix1, AstNode n2, TypePat
       ale.getAnExpr() = n2 and
       ale.getNumberOfExprs() = 1
     ) and
-  prefix1 = TypePath::singleton(TArrayTypeParameter()) and
+  prefix1 = TypePath::singleton(getArrayTypeParameter()) and
   prefix2.isEmpty()
   or
   // an array repeat expression (`[1; 3]`) has the type of the repeat operand
   n1.(ArrayRepeatExpr).getRepeatOperand() = n2 and
-  prefix1 = TypePath::singleton(TArrayTypeParameter()) and
+  prefix1 = TypePath::singleton(getArrayTypeParameter()) and
   prefix2.isEmpty()
   or
   exists(Struct s |
@@ -703,7 +703,7 @@ private predicate lubCoercion(AstNode parent, AstNode child, TypePath prefix) {
       child = ale.getAnExpr() and
       ale.getNumberOfExprs() > 1
     ) and
-  prefix = TypePath::singleton(TArrayTypeParameter())
+  prefix = TypePath::singleton(getArrayTypeParameter())
   or
   bodyReturns(parent, child) and
   strictcount(Expr e | bodyReturns(parent, e)) > 1 and
@@ -2886,7 +2886,7 @@ private Type inferAwaitExprType(AstNode n, TypePath path) {
  * Gets the root type of the array expression `ae`.
  */
 pragma[nomagic]
-private Type inferArrayExprType(ArrayExpr ae) { exists(ae) and result = TArrayType() }
+private Type inferArrayExprType(ArrayExpr ae) { exists(ae) and result instanceof ArrayType }
 
 /**
  * Gets the root type of the range expression `re`.
@@ -2922,11 +2922,11 @@ private Type inferIndexExprType(IndexExpr ie, TypePath path) {
     // todo: remove?
     exprPath.isCons(TTypeParamTypeParameter(any(Vec v).getElementTypeParam()), path)
     or
-    exprPath.isCons(any(ArrayTypeParameter tp), path)
+    exprPath.isCons(getArrayTypeParameter(), path)
     or
     exists(TypePath path0 |
       exprPath.isCons(any(RefTypeParameter tp), path0) and
-      path0.isCons(any(SliceTypeParameter tp), path)
+      path0.isCons(getSliceTypeParameter(), path)
     )
   )
 }
@@ -3071,7 +3071,7 @@ private Type inferForLoopExprType(AstNode n, TypePath path) {
     or
     // TODO: Remove once we can handle the `impl<I: Iterator> IntoIterator for I` implementation
     tp = getIteratorItemTypeParameter() and
-    inferType(fe.getIterable()) != TArrayType()
+    inferType(fe.getIterable()) != getArrayTypeParameter()
   )
 }
 

rust/ql/lib/codeql/rust/internal/TypeMention.qll

@@ -44,11 +44,11 @@ class ParenthesizedArgListMention extends TypeMention instanceof ParenthesizedAr
 class ArrayTypeReprMention extends TypeMention instanceof ArrayTypeRepr {
   override Type resolveTypeAt(TypePath path) {
     path.isEmpty() and
-    result = TArrayType()
+    result instanceof ArrayType
     or
     exists(TypePath suffix |
       result = super.getElementTypeRepr().(TypeMention).resolveTypeAt(suffix) and
-      path = TypePath::cons(TArrayTypeParameter(), suffix)
+      path = TypePath::cons(getArrayTypeParameter(), suffix)
     )
   }
 }
@@ -68,11 +68,11 @@ class RefTypeReprMention extends TypeMention instanceof RefTypeRepr {
 class SliceTypeReprMention extends TypeMention instanceof SliceTypeRepr {
   override Type resolveTypeAt(TypePath path) {
     path.isEmpty() and
-    result = TSliceType()
+    result instanceof SliceType
     or
     exists(TypePath suffix |
       result = super.getTypeRepr().(TypeMention).resolveTypeAt(suffix) and
-      path = TypePath::cons(TSliceTypeParameter(), suffix)
+      path = TypePath::cons(getSliceTypeParameter(), suffix)
     )
   }
 }

rust/ql/lib/codeql/rust/security/Barriers.qll

@@ -7,7 +7,7 @@ import rust
 private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.internal.TypeInference as TypeInference
 private import codeql.rust.internal.Type
-private import codeql.rust.frameworks.stdlib.Builtins
+private import codeql.rust.frameworks.stdlib.Builtins as Builtins
 
 /**
  * A node whose type is a numeric or boolean type, which may be an appropriate
@@ -19,8 +19,8 @@ class NumericTypeBarrier extends DataFlow::Node {
       t = TypeInference::inferType(this.asExpr().getExpr()) and
       s = t.getStruct()
     |
-      s instanceof NumericType or
-      s instanceof Bool
+      s instanceof Builtins::NumericType or
+      s instanceof Builtins::Bool
     )
   }
 }
@@ -35,8 +35,8 @@ class IntegralOrBooleanTypeBarrier extends DataFlow::Node {
       t = TypeInference::inferType(this.asExpr().getExpr()) and
       s = t.getStruct()
     |
-      s instanceof IntegralType or
-      s instanceof Bool
+      s instanceof Builtins::IntegralType or
+      s instanceof Builtins::Bool
     )
   }
 }

rust/ql/test/library-tests/type-inference/main.rs

@@ -2560,7 +2560,7 @@ mod loops {
 
         // for loops with containers
 
-        let vals3 = vec![1, 2, 3]; // $ MISSING: type=vals3:Vec type=vals3:T.i32
+        let vals3 = vec![1, 2, 3]; // $ type=vals3:Vec $ MISSING: type=vals3:T.i32
         for i in vals3 {} // $ MISSING: type=i:i32
 
         let vals4a: Vec<u16> = [1u16, 2, 3].to_vec(); // $ certainType=vals4a:Vec certainType=vals4a:T.u16
@@ -2579,7 +2579,7 @@ mod loops {
         vals7.push(1u8); // $ target=push
         for u in vals7 {} // $ type=u:u8
 
-        let matrix1 = vec![vec![1, 2], vec![3, 4]]; // $ MISSING: type=matrix1:Vec type=matrix1:T.Vec type=matrix1:T.T.i32
+        let matrix1 = vec![vec![1, 2], vec![3, 4]]; // $ type=matrix1:Vec $ MISSING: type=matrix1:T.Vec type=matrix1:T.T.i32
         #[rustfmt::skip]
         let _ = for row in matrix1 { // $ MISSING: type=row:Vec type=row:T.i32
             for cell in row { // $ MISSING: type=cell:i32