Rust: Implement basic support for blanket implementations

Author: paldepind

rust/ql/lib/codeql/rust/internal/PathResolution.qll

@@ -1006,6 +1006,14 @@ final class TypeParamItemNode extends TypeItemNode instanceof TypeParam {
   Path getABoundPath() { result = this.getTypeBoundAt(_, _).getTypeRepr().(PathTypeRepr).getPath() }
 
   pragma[nomagic]
+  ItemNode resolveBound(int index) {
+    result =
+      rank[index + 1](int i, int j |
+        |
+        resolvePath(this.getTypeBoundAt(i, j).getTypeRepr().(PathTypeRepr).getPath()) order by i, j
+      )
+  }
+
   ItemNode resolveABound() { result = resolvePath(this.getABoundPath()) }
 
   /**

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -1903,6 +1903,10 @@ private predicate methodCandidateTrait(Type type, Trait trait, string name, int
   methodCandidate(type, name, arity, impl)
 }
 
+/**
+ * Holds if `mc` has `rootType` as the root type of the reciever and the target
+ * method is named `name` and has arity `arity`
+ */
 pragma[nomagic]
 private predicate isMethodCall(MethodCall mc, Type rootType, string name, int arity) {
   rootType = mc.getTypeAt(TypePath::nil()) and
@@ -2141,6 +2145,142 @@ private predicate methodCallHasImplCandidate(MethodCall mc, Impl impl) {
   else any()
 }
 
+private module BlanketImplementation {
+  /**
+   * Holds if `impl` is a blanket implementation, that is, an implementation of a
+   * trait for a type parameter.
+   */
+  private TypeParamItemNode getBlanketImplementationTypeParam(Impl impl) {
+    result = impl.(ImplItemNode).resolveSelfTy() and
+    result = impl.getGenericParamList().getAGenericParam() and
+    not exists(impl.getAttributeMacroExpansion())
+  }
+
+  predicate isBlanketImplementation(Impl impl) { exists(getBlanketImplementationTypeParam(impl)) }
+
+  private Impl getPotentialDuplicated(string fileName, string traitName, int arity, string tpName) {
+    tpName = getBlanketImplementationTypeParam(result).getName() and
+    fileName = result.getLocation().getFile().getBaseName() and
+    traitName = result.(ImplItemNode).resolveTraitTy().getName() and
+    arity = result.(ImplItemNode).resolveTraitTy().(Trait).getNumberOfGenericParams()
+  }
+
+  /**
+   * Holds if `impl1` and `impl2` are duplicates and `impl2` is more "canonical"
+   * than `impl1`.
+   */
+  predicate duplicatedImpl(Impl impl1, Impl impl2) {
+    exists(string fileName, string traitName, int arity, string tpName |
+      impl1 = getPotentialDuplicated(fileName, traitName, arity, tpName) and
+      impl2 = getPotentialDuplicated(fileName, traitName, arity, tpName) and
+      impl1.getLocation().getFile().getAbsolutePath() <
+        impl2.getLocation().getFile().getAbsolutePath()
+    )
+  }
+
+  predicate hasNoDuplicates(Impl impl) {
+    not duplicatedImpl(impl, _) and isBlanketImplementation(impl)
+  }
+
+  /**
+   * We currently consider blanket implementations to be in scope "globally",
+   * even though they actually need to be imported to be used. One downside of
+   * this is that the libraries included in the database can often occur several
+   * times for different library versions. This causes the same blanket
+   * implementations to exist multiple times, and these add no useful
+   * information.
+   *
+   * We detect these duplicates based on some files heuristic (same trait name,
+   * file name, etc.). For these duplicates we select the one with the greatest
+   * file name (which usually is also the one with the greatest library version
+   * in the path)
+   */
+  Impl getCanonicalImpl(Impl impl) {
+    result =
+      max(Impl impl0, Location l |
+        duplicatedImpl(impl, impl0) and l = impl0.getLocation()
+      |
+        impl0 order by l.getFile().getAbsolutePath(), l.getStartLine()
+      )
+    or
+    hasNoDuplicates(impl) and result = impl
+  }
+
+  predicate isCanonicalBlanketImplementation(Impl impl) { impl = getCanonicalImpl(impl) }
+
+  /**
+   * Holds if `impl` is a blanket implementation for a type parameter and the type
+   * parameter must implement `trait`.
+   */
+  private predicate blanketImplementationTraitBound(Impl impl, Trait t) {
+    t =
+      min(Trait trait, int i |
+        trait = getBlanketImplementationTypeParam(impl).resolveBound(i) and
+        // Exclude traits that are "trivial" in the sense that they are known to
+        // not narrow things down very much.
+        not trait.getName().getText() =
+          [
+            "Sized", "Clone", "Fn", "FnOnce", "FnMut",
+            // The auto traits
+            "Send", "Sync", "Unpin", "UnwindSafe", "RefUnwindSafe"
+          ]
+      |
+        trait order by i
+      )
+  }
+
+  private predicate blanketImplementationMethod(
+    Impl impl, Trait trait, string name, int arity, Function f
+  ) {
+    isCanonicalBlanketImplementation(impl) and
+    blanketImplementationTraitBound(impl, trait) and
+    f.getParamList().hasSelfParam() and
+    arity = f.getParamList().getNumberOfParams() and
+    (
+      f = impl.(ImplItemNode).getAssocItem(name)
+      or
+      // If the the trait has a method with a default implementation, then that
+      // target is interesting as well.
+      not exists(impl.(ImplItemNode).getAssocItem(name)) and
+      f = impl.(ImplItemNode).resolveTraitTy().getAssocItem(name)
+    ) and
+    // If the method is already available through one of the trait bounds on the
+    // type parameter (because they share a common trait ancestor) then ignore
+    // it.
+    not getBlanketImplementationTypeParam(impl).resolveABound().(TraitItemNode).getASuccessor(name) =
+      f
+  }
+
+  predicate methodCallMatchesBlanketImpl(MethodCall mc, Type t, Impl impl, Trait trait, Function f) {
+    // Only check method calls where we have ruled out inherent method targets.
+    // Ideally we would also check if non-blanket method targets have been ruled
+    // out.
+    methodCallHasNoInherentTarget(mc) and
+    exists(string name, int arity |
+      isMethodCall(mc, t, name, arity) and
+      blanketImplementationMethod(impl, trait, name, arity, f)
+    )
+  }
+
+  module SatisfiesConstraintInput implements SatisfiesConstraintInputSig<MethodCall> {
+    pragma[nomagic]
+    predicate relevantConstraint(MethodCall mc, Type constraint) {
+      methodCallMatchesBlanketImpl(mc, _, _, constraint.(TraitType).getTrait(), _)
+    }
+
+    predicate useUniversalConditions() { none() }
+  }
+
+  predicate hasBlanketImpl(MethodCall mc, Type t, Impl impl, Trait trait, Function f) {
+    SatisfiesConstraint<MethodCall, SatisfiesConstraintInput>::satisfiesConstraintType(mc,
+      TTrait(trait), _, _) and
+    methodCallMatchesBlanketImpl(mc, t, impl, trait, f)
+  }
+
+  pragma[nomagic]
+  Function getMethodFromBlanketImpl(MethodCall mc) { hasBlanketImpl(mc, _, _, _, result) }
+}
+
 /** Gets a method from an `impl` block that matches the method call `mc`. */
 pragma[nomagic]
 private Function getMethodFromImpl(MethodCall mc) {
@@ -2176,6 +2316,8 @@ private Function resolveMethodCallTarget(MethodCall mc) {
   // The method comes from an `impl` block targeting the type of the receiver.
   result = getMethodFromImpl(mc)
   or
+  result = BlanketImplementation::getMethodFromBlanketImpl(mc)
+  or
   // The type of the receiver is a type parameter and the method comes from a
   // trait bound on the type parameter.
   result = getTypeParameterMethod(mc.getTypeAt(TypePath::nil()), mc.getMethodName())

rust/ql/test/library-tests/type-inference/blanket_impl.rs

@@ -32,7 +32,7 @@ mod basic_blanket_impl {
     pub fn test_basic_blanket() {
         let x = S1.clone1(); // $ target=S1::clone1
         println!("{x:?}");
-        let y = S1.duplicate(); // $ MISSING: target=Clone1duplicate
+        let y = S1.duplicate(); // $ target=Clone1duplicate
         println!("{y:?}");
     }
 }
@@ -108,7 +108,7 @@ mod extension_trait_blanket_impl {
 
     fn test() {
         let my_try_flag = MyTryFlag { flag: true };
-        let result = my_try_flag.try_read_flag_twice(); // $ MISSING: target=TryFlagExt::try_read_flag_twice
+        let result = my_try_flag.try_read_flag_twice(); // $ target=TryFlagExt::try_read_flag_twice
 
         let my_flag = MyFlag { flag: true };
         // Here `TryFlagExt::try_read_flag_twice` is since there is a blanket

rust/ql/test/library-tests/type-inference/dyn_type.rs

@@ -101,7 +101,7 @@ fn test_assoc_type(obj: &dyn AssocTrait<i64, AP = bool>) {
 pub fn test() {
     test_basic_dyn_trait(&MyStruct { value: 42 }); // $ target=test_basic_dyn_trait
     test_generic_dyn_trait(&GenStruct {
-        value: "".to_string(),
+        value: "".to_string(), // $ target=to_string
     }); // $ target=test_generic_dyn_trait
     test_poly_dyn_trait(); // $ target=test_poly_dyn_trait
     test_assoc_type(&GenStruct { value: 100 }); // $ target=test_assoc_type

rust/ql/test/library-tests/type-inference/main.rs

@@ -365,7 +365,7 @@ mod method_non_parametric_trait_impl {
 
     fn type_bound_type_parameter_impl<TP: MyTrait<S1>>(thing: TP) -> S1 {
         // The trait bound on `TP` makes the implementation of `ConvertTo` valid
-        thing.convert_to() // $ MISSING: target=T::convert_to
+        thing.convert_to() // $ target=T::convert_to
     }
 
     pub fn f() {
@@ -437,7 +437,7 @@ mod method_non_parametric_trait_impl {
         let x = get_snd_fst(c); // $ type=x:S1 target=get_snd_fst
 
         let thing = MyThing { a: S1 };
-        let i = thing.convert_to(); // $ MISSING: type=i:S1 target=T::convert_to
+        let i = thing.convert_to(); // $ type=i:S1 target=T::convert_to
         let j = convert_to(thing); // $ type=j:S1 target=convert_to
     }
 }
@@ -1376,7 +1376,7 @@ mod method_call_type_conversion {
         let t = x7.m1(); // $ target=m1 type=t:& type=t:&T.S2
         println!("{:?}", x7);
 
-        let x9: String = "Hello".to_string(); // $ certainType=x9:String
+        let x9: String = "Hello".to_string(); // $ certainType=x9:String target=to_string
 
         // Implicit `String` -> `str` conversion happens via the `Deref` trait:
         // https://doc.rust-lang.org/std/string/struct.String.html#deref.