Rust: Use nodes from CfgNodes.qll in DataFlowImpl.qll

Author: hvitved

rust/ql/lib/codeql/rust/controlflow/CfgNodes.qll

@@ -16,25 +16,161 @@ class AstCfgNode extends CfgNode {
   AstCfgNode() { node = this.getAstNode() }
 }
 
-/** A CFG node that corresponds to a parameter in the AST. */
-class ParamCfgNode extends AstCfgNode {
-  override Param node;
+/**
+ * An assignment expression, for example
+ *
+ * ```rust
+ * x = y;
+ * ```
+ */
+final class AssignmentExprCfgNode extends BinaryExprCfgNode {
+  AssignmentExpr a;
+
+  AssignmentExprCfgNode() { a = this.getBinaryExpr() }
+
+  /** Gets the underlying `AssignmentExpr`. */
+  AssignmentExpr getAssignmentExpr() { result = a }
+}
+
+/**
+ * A match expression. For example:
+ * ```rust
+ * match x {
+ *     Option::Some(y) => y,
+ *     Option::None => 0,
+ * }
+ * ```
+ * ```rust
+ * match x {
+ *     Some(y) if y != 0 => 1 / y,
+ *     _ => 0,
+ * }
+ * ```
+ */
+final class MatchExprCfgNode extends Nodes::MatchExprCfgNode {
+  private MatchExpr node;
+
+  MatchExprCfgNode() { node = this.getMatchExpr() }
+
+  /**
+   * Gets the pattern of the `i`th match arm, if it exists.
+   */
+  PatCfgNode getArmPat(int i) {
+    any(ChildMapping mapping).hasCfgChild(node, node.getArm(i).getPat(), this, result)
+  }
+
+  /**
+   * Gets the guard of the `i`th match arm, if it exists.
+   */
+  ExprCfgNode getArmGuard(int i) {
+    any(ChildMapping mapping)
+        .hasCfgChild(node, node.getArm(i).getGuard().getCondition(), this, result)
+  }
+
+  /**
+   * Gets the expression of the `i`th match arm, if it exists.
+   */
+  ExprCfgNode getArmExpr(int i) {
+    any(ChildMapping mapping).hasCfgChild(node, node.getArm(i).getExpr(), this, result)
+  }
+}
+
+/**
+ * A block expression. For example:
+ * ```rust
+ * {
+ *     let x = 42;
+ * }
+ * ```
+ * ```rust
+ * 'label: {
+ *     let x = 42;
+ *     x
+ * }
+ * ```
+ */
+final class BlockExprCfgNode extends Nodes::BlockExprCfgNode {
+  private BlockExprChildMapping node;
 
-  /** Gets the underlying parameter. */
-  Param getParam() { result = node }
+  BlockExprCfgNode() { node = this.getAstNode() }
+
+  /**
+   * Gets the tail expression of this block, if it exists.
+   */
+  ExprCfgNode getTailExpr() {
+    any(ChildMapping mapping).hasCfgChild(node, node.getStmtList().getTailExpr(), this, result)
+  }
+}
+
+/**
+ * A break expression. For example:
+ * ```rust
+ * loop {
+ *     if not_ready() {
+ *         break;
+ *      }
+ * }
+ * ```
+ * ```rust
+ * let x = 'label: loop {
+ *     if done() {
+ *         break 'label 42;
+ *     }
+ * };
+ * ```
+ * ```rust
+ * let x = 'label: {
+ *     if exit() {
+ *         break 'label 42;
+ *     }
+ *     0;
+ * };
+ * ```
+ */
+final class BreakExprCfgNode extends Nodes::BreakExprCfgNode {
+  /**
+   * Gets the target of this `break` expression.
+   *
+   * The target is either a `LoopExpr`, a `ForExpr`, a `WhileExpr`, or a
+   * `BlockExpr`.
+   */
+  ExprCfgNode getTarget() {
+    any(ChildMapping mapping)
+        .hasCfgChild(this.getBreakExpr().getTarget(), this.getBreakExpr(), result, this)
+  }
 }
 
-/** A CFG node that corresponds to an expression in the AST. */
-class ExprCfgNode extends AstCfgNode {
-  override Expr node;
+/**
+ * A function or method call expression. See `CallExpr` and `MethodCallExpr` for further details.
+ */
+final class CallExprBaseCfgNode extends Nodes::CallExprBaseCfgNode {
+  private CallExprBaseChildMapping node;
 
-  /** Gets the underlying expression. */
-  Expr getExpr() { result = node }
+  CallExprBaseCfgNode() { node = this.getAstNode() }
+
+  ExprCfgNode getArgument(int i) {
+    any(ChildMapping mapping).hasCfgChild(node, node.getArgList().getArg(i), this, result)
+  }
 }
 
-/** A CFG node that corresponds to a call in the AST. */
-class CallCfgNode extends ExprCfgNode {
-  override CallExpr node;
+/**
+ * A record expression. For example:
+ * ```rust
+ * let first = Foo { a: 1, b: 2 };
+ * let second = Foo { a: 2, ..first };
+ * Foo { a: 1, b: 2 }[2] = 10;
+ * Foo { .. } = second;
+ * ```
+ */
+final class RecordExprCfgNode extends Nodes::RecordExprCfgNode {
+  private RecordExprChildMapping node;
+
+  RecordExprCfgNode() { node = this.getRecordExpr() }
+
+  ExprCfgNode getExpr(int i) {
+    any(ChildMapping mapping)
+        .hasCfgChild(node, node.getRecordExprFieldList().getField(i).getExpr(), this, result)
+  }
 }
 
 final class ExitCfgNode = CfgImpl::ExitNode;

rust/ql/lib/codeql/rust/controlflow/internal/CfgNodes.qll

@@ -14,6 +14,8 @@ private predicate isPostOrder(AstNode n) {
   n instanceof IdentPat
   or
   n instanceof LiteralPat
+  or
+  n instanceof Param
 }
 
 private module CfgNodesInput implements InputSig<Location> {
@@ -37,6 +39,38 @@ private module CfgNodesInput implements InputSig<Location> {
 
 import MakeCfgNodes<Location, CfgNodesInput>
 
+class MatchExprChildMapping extends ParentAstNode, MatchExpr {
+  override predicate relevantChild(AstNode child) {
+    child = this.getAnArm().getPat()
+    or
+    child = this.getAnArm().getGuard().getCondition()
+    or
+    child = this.getAnArm().getExpr()
+  }
+}
+
+class BlockExprChildMapping extends ParentAstNode, BlockExpr {
+  override predicate relevantChild(AstNode child) { child = this.getStmtList().getTailExpr() }
+}
+
+class BreakExprTargetChildMapping extends ParentAstNode, Expr {
+  override predicate relevantChild(AstNode child) { child.(BreakExpr).getTarget() = this }
+}
+
+class CallExprBaseChildMapping extends ParentAstNode, CallExprBase {
+  override predicate relevantChild(AstNode child) { child = this.getArgList().getAnArg() }
+}
+
+class RecordExprChildMapping extends ParentAstNode, RecordExpr {
+  override predicate relevantChild(AstNode child) {
+    child = this.getRecordExprFieldList().getAField().getExpr()
+  }
+}
+
+class FormatArgsExprChildMapping extends ParentAstNode, CfgImpl::ExprTrees::FormatArgsExprTree {
+  override predicate relevantChild(AstNode child) { child = this.getChildNode(_) }
+}
+
 private class ChildMappingImpl extends ChildMapping {
   pragma[nomagic]
   predicate reachesBasicBlock(AstNode parent, AstNode child, CfgNode cfn, BasicBlock bb) {

rust/ql/lib/codeql/rust/dataflow/Ssa.qll

@@ -9,6 +9,7 @@ module Ssa {
   private import rust
   private import codeql.rust.controlflow.BasicBlocks
   private import codeql.rust.controlflow.ControlFlowGraph
+  private import codeql.rust.controlflow.CfgNodes
   private import codeql.rust.controlflow.internal.ControlFlowGraphImpl as CfgImpl
   private import internal.SsaImpl as SsaImpl
 
@@ -221,11 +222,11 @@ module Ssa {
      * end
      * ```
      */
-    predicate assigns(CfgNode value) {
-      exists(AssignmentExpr ae, BasicBlock bb, int i |
+    predicate assigns(ExprCfgNode value) {
+      exists(AssignmentExprCfgNode ae, BasicBlock bb, int i |
         this.definesAt(_, bb, i) and
-        ae.getLhs() = bb.getNode(i).getAstNode() and
-        value.getAstNode() = ae.getRhs()
+        ae.getLhs() = bb.getNode(i) and
+        value = ae.getRhs()
       )
     }
 

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -47,7 +47,7 @@ abstract class DataFlowCall extends TDataFlowCall {
   abstract DataFlowCallable getEnclosingCallable();
 
   /** Gets the underlying source code call, if any. */
-  abstract CallCfgNode asCall();
+  abstract CallExprCfgNode asCall();
 
   /** Gets a textual representation of this call. */
   abstract string toString();
@@ -57,16 +57,14 @@ abstract class DataFlowCall extends TDataFlowCall {
 }
 
 final class NormalCall extends DataFlowCall, TNormalCall {
-  private CallCfgNode c;
+  private CallExprCfgNode c;
 
   NormalCall() { this = TNormalCall(c) }
 
   /** Gets the underlying call in the CFG, if any. */
-  override CallCfgNode asCall() { result = c }
+  override CallExprCfgNode asCall() { result = c }
 
-  override DataFlowCallable getEnclosingCallable() {
-    result = TCfgScope(c.getExpr().getEnclosingCfgScope())
-  }
+  override DataFlowCallable getEnclosingCallable() { result = TCfgScope(c.getExpr().getScope()) }
 
   override string toString() { result = c.toString() }
 
@@ -88,7 +86,7 @@ module Node {
     /**
      * Gets the expression that corresponds to this node, if any.
      */
-    Expr asExpr() { none() }
+    ExprCfgNode asExpr() { none() }
 
     /** Gets the enclosing callable. */
     DataFlowCallable getEnclosingCallable() { result = TCfgScope(this.getCfgScope()) }
@@ -136,13 +134,13 @@ module Node {
 
     ExprNode() { this = TExprNode(n) }
 
-    override CfgScope getCfgScope() { result = this.asExpr().getEnclosingCfgScope() }
+    override CfgScope getCfgScope() { result = this.asExpr().getScope() }
 
-    override Location getLocation() { result = n.getExpr().getLocation() }
+    override Location getLocation() { result = n.getLocation() }
 
-    override string toString() { result = n.getExpr().toString() }
+    override string toString() { result = n.toString() }
 
-    override Expr asExpr() { result = n.getExpr() }
+    override ExprCfgNode asExpr() { result = n }
 
     override CfgNode getCfgNode() { result = n }
   }
@@ -201,7 +199,7 @@ module Node {
   }
 
   final private class ExprOutNode extends ExprNode, OutNode {
-    ExprOutNode() { this.asExpr() instanceof CallExpr }
+    ExprOutNode() { this.asExpr() instanceof CallExprCfgNode }
 
     /** Gets the underlying call CFG node that includes this out node. */
     override DataFlowCall getCall() { result.(NormalCall).asCall() = this.getCfgNode() }
@@ -238,7 +236,7 @@ module SsaFlow {
   Impl::Node asNode(Node n) {
     n = TSsaNode(result)
     or
-    result.(Impl::ExprNode).getExpr() = n.(Node::ExprNode).getCfgNode()
+    result.(Impl::ExprNode).getExpr() = n.asExpr()
     or
     n = toParameterNode(result.(Impl::ParameterNode).getParameter())
   }
@@ -252,29 +250,18 @@ module SsaFlow {
   }
 }
 
-/**
- * Holds for expressions `e` that evaluate to the value of any last (in
- * evaluation order) subexpressions within it. E.g., expressions that propagate
- * a values from a subexpression.
- *
- * For instance, the predicate holds for if expressions as `if b { e1 } else {
- * e2 }` evalates to the value of one of the subexpressions `e1` or `e2`.
- */
-private predicate propagatesValue(Expr e) {
-  e instanceof IfExpr or
-  e instanceof LoopExpr or
-  e instanceof ReturnExpr or
-  e instanceof BreakExpr or
-  e.(BlockExpr).getStmtList().hasTailExpr() or
-  e instanceof MatchExpr
-}
-
 /**
  * Gets a node that may execute last in `n`, and which, when it executes last,
  * will be the value of `n`.
  */
-private ExprCfgNode getALastEvalNode(ExprCfgNode n) {
-  propagatesValue(n.getExpr()) and result.getASuccessor() = n
+private ExprCfgNode getALastEvalNode(ExprCfgNode e) {
+  e = any(IfExprCfgNode n | result = [n.getThen(), n.getElse()]) or
+  result = e.(LoopExprCfgNode).getLoopBody() or
+  result = e.(ReturnExprCfgNode).getExpr() or
+  result = e.(BreakExprCfgNode).getExpr() or
+  result = e.(BlockExprCfgNode).getTailExpr() or
+  result = e.(MatchExprCfgNode).getArmExpr(_) or
+  result.(BreakExprCfgNode).getTarget() = e
 }
 
 module LocalFlow {
@@ -322,7 +309,7 @@ module RustDataFlow implements InputSig<Location> {
   class DataFlowExpr = ExprCfgNode;
 
   /** Gets the node corresponding to `e`. */
-  Node exprNode(DataFlowExpr e) { result.getCfgNode() = e }
+  Node exprNode(DataFlowExpr e) { result.asExpr() = e }
 
   final class DataFlowCall = DataFlowCallAlias;
 
@@ -488,7 +475,7 @@ private module Cached {
     TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node)
 
   cached
-  newtype TDataFlowCall = TNormalCall(CallCfgNode c)
+  newtype TDataFlowCall = TNormalCall(CallExprCfgNode c)
 
   cached
   newtype TOptionalContentSet =