wip5

hvitved · hvitved · commit d10c1454a047 · 2025-09-15T11:38:33.000+02:00
diff --git a/rust/ql/lib/codeql/rust/internal/TypeInference.qll b/rust/ql/lib/codeql/rust/internal/TypeInference.qll
@@ -1161,18 +1161,32 @@ private module MethodCallResolution {
     )
   }
 
-  pragma[nomagic]
-  private predicate traitMethodInfo(string name, int arity, Trait trait) {
-    exists(ImplItemNode i |
-      methodInfo(_, name, arity, i, _, _, _) and
-      trait = i.resolveTraitTy()
-    )
+  /**
+   * todo
+   *
+   * Holds if method `f` with the name `name` and the arity `arity` exists in
+   * `i`, and the type of the `self` parameter is `selfType`.
+   *
+   * `rootTypePath` points to the type `rootType` inside `selfType`, which is
+   * the (possibly `&`-stripped) root type of `selfType`.
+   */
+  pragma[inline]
+  predicate methodInfoMatch(
+    Function f, string name, int arity, ImplOrTraitItemNode i, FunctionType selfType,
+    TypePath rootTypePath, Type rootType
+  ) {
+    methodInfo(f, name, arity, i, selfType, rootTypePath, rootType)
+    or
+    methodInfo(f, name, arity, i, selfType, rootTypePath, TTypeParamTypeParameter(_))
   }
 
   pragma[nomagic]
   private predicate methodCallTraitCandidate(Element mc, Trait trait) {
     exists(string name, int arity | mc.(MethodCall).isMethodCall(name, arity) |
-      traitMethodInfo(name, arity, trait)
+      exists(ImplItemNode i |
+        methodInfo(_, name, arity, i, _, _, _) and
+        trait = i.resolveTraitTy()
+      )
       or
       methodInfo(_, name, arity, trait, _, _, _)
     )
@@ -1209,7 +1223,7 @@ private module MethodCallResolution {
   ) {
     exists(string name, int arity |
       mc.isMethodCall(name, arity) and
-      methodInfo(_, name, arity, i, self, rootTypePath, rootType)
+      methodInfoMatch(_, name, arity, i, self, rootTypePath, rootType)
     |
       i =
         any(Impl impl |
@@ -1472,7 +1486,7 @@ private module MethodCallResolution {
         this.isMethodCall(_, rootTypePath, rootType, name, arity) and
         isRefStrippedRoot(rootTypePath, rootType) and
         forall(Impl i |
-          methodInfo(_, name, arity, i, _, rootTypePath, rootType) and
+          methodInfoMatch(_, name, arity, i, _, rootTypePath, rootType) and
           not i.hasTrait()
         |
           this.isNotInherentCandidate(i)
@@ -1883,7 +1897,7 @@ private module FunctionCallResolution {
       exists(TypePath rootTypePath, Type rootType |
         f = call.getPathResolutionResolvedFunctionOrImplementation(resolved) and
         trait = call.(Call).getTrait() and
-        MethodCallResolution::methodInfo(f, _, _, i, self, rootTypePath, rootType) and
+        MethodCallResolution::methodInfoMatch(f, _, _, i, self, rootTypePath, rootType) and
         call.getTypeAt(rootTypePath) = rootType
       )
     }
@@ -2178,12 +2192,12 @@ private module OperationResolution {
   private module OperationIsInstantiationOfInput implements
     IsInstantiationOfInputSig<Op, FunctionType>
   {
-    pragma[nomagic]
-    private predicate methodInfo(
+    pragma[inline]
+    private predicate methodInfoMatch(
       TypeAbstraction abs, FunctionType constraint, Trait trait, string name, int arity,
       TypePath rootTypePath, Type rootType
     ) {
-      MethodCallResolution::methodInfo(_, name, arity, abs, constraint, rootTypePath, rootType) and
+      MethodCallResolution::methodInfoMatch(_, name, arity, abs, constraint, rootTypePath, rootType) and
       (
         trait = abs.(ImplItemNode).resolveTraitTy()
         or
@@ -2195,7 +2209,7 @@ private module OperationResolution {
     predicate potentialInstantiationOf(Op op, TypeAbstraction abs, FunctionType constraint) {
       exists(Trait trait, string name, int arity, TypePath rootTypePath, Type rootType |
         op.isOperation(rootTypePath, rootType, trait, name, arity) and
-        methodInfo(abs, constraint, trait, name, arity, rootTypePath, rootType)
+        methodInfoMatch(abs, constraint, trait, name, arity, rootTypePath, rootType)
       )
     }
 
diff --git a/rust/ql/test/library-tests/dataflow/models/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/dataflow/models/CONSISTENCY/PathResolutionConsistency.expected
@@ -1,2 +1,4 @@
 multipleCallTargets
+| main.rs:322:14:322:33 | ... .cmp(...) |
+| main.rs:334:9:334:28 | ... .cmp(...) |
 | main.rs:362:14:362:30 | ... .lt(...) |
diff --git a/rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/dataflow/sources/CONSISTENCY/PathResolutionConsistency.expected
@@ -11,6 +11,8 @@ multipleCallTargets
 | test.rs:179:30:179:68 | ...::_print(...) |
 | test.rs:188:26:188:105 | ...::_print(...) |
 | test.rs:229:22:229:72 | ... .read_to_string(...) |
+| test.rs:639:26:639:43 | file1.chain(...) |
+| test.rs:647:26:647:40 | file1.take(...) |
 | test.rs:697:18:697:38 | ...::_print(...) |
 | test.rs:702:18:702:45 | ...::_print(...) |
 | test.rs:720:38:720:42 | ...::_print(...) |
diff --git a/rust/ql/test/library-tests/dataflow/sources/test.rs b/rust/ql/test/library-tests/dataflow/sources/test.rs
@@ -638,15 +638,15 @@ async fn test_tokio_file() -> std::io::Result<()> {
         let file2 = tokio::fs::File::open("another_file.txt").await?; // $ Alert[rust/summary/taint-sources]
         let mut reader = file1.chain(file2);
         reader.read_to_string(&mut buffer).await?;
-        sink(&buffer); // $ MISSING: hasTaintFlow="file.txt" hasTaintFlow="another_file.txt" -- we cannot resolve the `chain` and `read_to_string` calls above, which comes from `impl<R: AsyncRead + ?Sized> AsyncReadExt for R {}` in `async_read_ext.rs`
+        sink(&buffer); // $ hasTaintFlow="file.txt" hasTaintFlow="another_file.txt"
     }
 
     {
         let mut buffer = String::new();
         let file1 = tokio::fs::File::open("file.txt").await?; // $ Alert[rust/summary/taint-sources]
         let mut reader = file1.take(100);
         reader.read_to_string(&mut buffer).await?;
-        sink(&buffer); // $ MISSING: hasTaintFlow="file.txt" -- we cannot resolve the `take` and `read_to_string` calls above, which comes from `impl<R: AsyncRead + ?Sized> AsyncReadExt for R {}` in `async_read_ext.rs`
+        sink(&buffer); // $ hasTaintFlow="file.txt"
     }
 
     Ok(())
diff --git a/rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected b/rust/ql/test/library-tests/type-inference/CONSISTENCY/PathResolutionConsistency.expected
@@ -5,6 +5,7 @@ multipleCallTargets
 | dereference.rs:184:17:184:30 | ... .foo() |
 | dereference.rs:186:17:186:25 | S.bar(...) |
 | dereference.rs:187:17:187:29 | S.bar(...) |
+| main.rs:1803:13:1803:63 | ... .partial_cmp(...) |
 | main.rs:2318:9:2318:34 | ...::my_from2(...) |
 | main.rs:2319:9:2319:33 | ...::my_from2(...) |
 | main.rs:2320:9:2320:38 | ...::my_from2(...) |

Original file line number	Diff line number	Diff line change
`@@ -638,15 +638,15 @@ async fn test_tokio_file() -> std::io::Result<()> {`
`638`	`638`	`let file2 = tokio::fs::File::open("another_file.txt").await?; // $ Alert[rust/summary/taint-sources]`
`639`	`639`	`let mut reader = file1.chain(file2);`
`640`	`640`	`reader.read_to_string(&mut buffer).await?;`
`641`		- sink(&buffer); // $ MISSING: hasTaintFlow="file.txt" hasTaintFlow="another_file.txt" -- we cannot resolve the `chain` and `read_to_string` calls above, which comes from `impl<R: AsyncRead + ?Sized> AsyncReadExt for R {}` in `async_read_ext.rs`
	`641`	`+ sink(&buffer); // $ hasTaintFlow="file.txt" hasTaintFlow="another_file.txt"`
`642`	`642`	`}`
`643`	`643`
`644`	`644`	`{`
`645`	`645`	`let mut buffer = String::new();`
`646`	`646`	`let file1 = tokio::fs::File::open("file.txt").await?; // $ Alert[rust/summary/taint-sources]`
`647`	`647`	`let mut reader = file1.take(100);`
`648`	`648`	`reader.read_to_string(&mut buffer).await?;`
`649`		- sink(&buffer); // $ MISSING: hasTaintFlow="file.txt" -- we cannot resolve the `take` and `read_to_string` calls above, which comes from `impl<R: AsyncRead + ?Sized> AsyncReadExt for R {}` in `async_read_ext.rs`
	`649`	`+ sink(&buffer); // $ hasTaintFlow="file.txt"`
`650`	`650`	`}`
`651`	`651`
`652`	`652`	`Ok(())`