Rust: Type inference and path resolution for builtins

Author: hvitved

rust/ql/lib/codeql/rust/frameworks/stdlib/Bultins.qll

@@ -0,0 +1,109 @@
+/**
+ * Provides classes for builtins.
+ */
+
+private import rust
+
+/** The folder containing builtins. */
+class BuiltinsFolder extends Folder {
+  BuiltinsFolder() {
+    this.getBaseName() = "builtins" and
+    this.getParentContainer().getBaseName() = "tools"
+  }
+}
+
+private class BuiltinsTypesFile extends File {
+  BuiltinsTypesFile() {
+    this.getBaseName() = "types.rs" and
+    this.getParentContainer() instanceof BuiltinsFolder
+  }
+}
+
+private class BuiltinType extends Struct {
+  BuiltinType() { this.getFile() instanceof BuiltinsTypesFile }
+}
+
+/** The builtin `bool` type. */
+class Bool extends BuiltinType {
+  Bool() { this.getName().getText() = "bool" }
+}
+
+/** The builtin `char` type. */
+class Char extends BuiltinType {
+  Char() { this.getName().getText() = "char" }
+}
+
+/** The builtin `str` type. */
+class Str extends BuiltinType {
+  Str() { this.getName().getText() = "str" }
+}
+
+/** The builtin `i8` type. */
+class I8 extends BuiltinType {
+  I8() { this.getName().getText() = "i8" }
+}
+
+/** The builtin `i16` type. */
+class I16 extends BuiltinType {
+  I16() { this.getName().getText() = "i16" }
+}
+
+/** The builtin `i32` type. */
+class I32 extends BuiltinType {
+  I32() { this.getName().getText() = "i32" }
+}
+
+/** The builtin `i64` type. */
+class I64 extends BuiltinType {
+  I64() { this.getName().getText() = "i64" }
+}
+
+/** The builtin `i128` type. */
+class I128 extends BuiltinType {
+  I128() { this.getName().getText() = "i128" }
+}
+
+/** The builtin `u8` type. */
+class U8 extends BuiltinType {
+  U8() { this.getName().getText() = "u8" }
+}
+
+/** The builtin `u16` type. */
+class U16 extends BuiltinType {
+  U16() { this.getName().getText() = "u16" }
+}
+
+/** The builtin `u32` type. */
+class U32 extends BuiltinType {
+  U32() { this.getName().getText() = "u32" }
+}
+
+/** The builtin `u64` type. */
+class U64 extends BuiltinType {
+  U64() { this.getName().getText() = "u64" }
+}
+
+/** The builtin `u128` type. */
+class U128 extends BuiltinType {
+  U128() { this.getName().getText() = "u128" }
+}
+
+/** The builtin `usize` type. */
+class USize extends BuiltinType {
+  USize() { this.getName().getText() = "usize" }
+}
+
+/** The builtin `isize` type. */
+class ISize extends BuiltinType {
+  ISize() { this.getName().getText() = "isize" }
+}
+
+/** The builtin `f32` type. */
+class F32 extends BuiltinType {
+  F32() { this.getName().getText() = "f32" }
+}
+
+/** The builtin `f64` type. */
+class F64 extends BuiltinType {
+  F64() { this.getName().getText() = "f64" }
+}

rust/ql/lib/codeql/rust/internal/PathResolution.qll

@@ -180,6 +180,8 @@ abstract class ItemNode extends Locatable {
     or
     preludeEdge(this, name, result) and not declares(this, _, name)
     or
+    builtinEdge(this, name, result)
+    or
     name = "super" and
     if this instanceof Module or this instanceof SourceFile
     then result = this.getImmediateParentModule()
@@ -1184,6 +1186,21 @@ private predicate preludeEdge(SourceFile f, string name, ItemNode i) {
   )
 }
 
+private import codeql.rust.frameworks.stdlib.Bultins as Builtins
+
+pragma[nomagic]
+private predicate builtinEdge(ModuleLikeNode m, string name, ItemNode i) {
+  (
+    m instanceof SourceFile
+    or
+    m = any(CrateItemNode c).getModuleNode()
+  ) and
+  exists(SourceFileItemNode builtins |
+    builtins.getFile().getParentContainer() instanceof Builtins::BuiltinsFolder and
+    i = builtins.getASuccessorRec(name)
+  )
+}
+
 /** Provides predicates for debugging the path resolution implementation. */
 private module Debug {
   private Locatable getRelevantLocatable() {

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -885,6 +885,80 @@ private Type inferTryExprType(TryExpr te, TypePath path) {
   )
 }
 
+private import codeql.rust.frameworks.stdlib.Bultins as Builtins
+
+pragma[nomagic]
+private StructType inferLiteralType(LiteralExpr le) {
+  le instanceof CharLiteralExpr and
+  result = TStruct(any(Builtins::Char t))
+  or
+  le instanceof StringLiteralExpr and
+  result = TStruct(any(Builtins::Str t))
+  or
+  le =
+    any(IntegerLiteralExpr n |
+      not exists(n.getSuffix()) and
+      result = TStruct(any(Builtins::I32 t))
+      or
+      n.getSuffix() =
+        any(string suffix |
+          suffix = "u8" and
+          result = TStruct(any(Builtins::U8 t))
+          or
+          suffix = "i8" and
+          result = TStruct(any(Builtins::I8 t))
+          or
+          suffix = "u16" and
+          result = TStruct(any(Builtins::U16 t))
+          or
+          suffix = "i16" and
+          result = TStruct(any(Builtins::I16 t))
+          or
+          suffix = "u32" and
+          result = TStruct(any(Builtins::U32 t))
+          or
+          suffix = "i32" and
+          result = TStruct(any(Builtins::I32 t))
+          or
+          suffix = "u64" and
+          result = TStruct(any(Builtins::U64 t))
+          or
+          suffix = "i64" and
+          result = TStruct(any(Builtins::I64 t))
+          or
+          suffix = "u128" and
+          result = TStruct(any(Builtins::U128 t))
+          or
+          suffix = "i128" and
+          result = TStruct(any(Builtins::I128 t))
+          or
+          suffix = "usize" and
+          result = TStruct(any(Builtins::USize t))
+          or
+          suffix = "isize" and
+          result = TStruct(any(Builtins::ISize t))
+        )
+    )
+  or
+  le =
+    any(FloatLiteralExpr n |
+      not exists(n.getSuffix()) and
+      result = TStruct(any(Builtins::F32 t))
+      or
+      n.getSuffix() =
+        any(string suffix |
+          suffix = "f32" and
+          result = TStruct(any(Builtins::F32 t))
+          or
+          suffix = "f64" and
+          result = TStruct(any(Builtins::F64 t))
+        )
+    )
+  or
+  le instanceof BooleanLiteralExpr and
+  result = TStruct(any(Builtins::Bool t))
+}
+
 cached
 private module Cached {
   private import codeql.rust.internal.CachedStages
@@ -1026,6 +1100,9 @@ private module Cached {
     result = inferRefExprType(n, path)
     or
     result = inferTryExprType(n, path)
+    or
+    result = inferLiteralType(n) and
+    path.isEmpty()
   }
 }
 

rust/ql/test/library-tests/dataflow/local/CONSISTENCY/PathResolutionConsistency.expected

@@ -0,0 +1,15 @@
+multiplePathResolutions
+| main.rs:532:10:532:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:532:10:532:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:532:10:532:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:532:10:532:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:532:10:532:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:532:10:532:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:532:10:532:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:538:10:538:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:538:10:538:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:538:10:538:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:538:10:538:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:538:10:538:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:538:10:538:18 | ...::from | file://:0:0:0:0 | fn from |
+| main.rs:538:10:538:18 | ...::from | file://:0:0:0:0 | fn from |

rust/ql/test/library-tests/dataflow/modeled/inline-flow.expected

@@ -3,8 +3,9 @@ models
 | 2 | Summary: lang:core; <crate::option::Option>::unwrap; Argument[self].Field[crate::option::Option::Some(0)]; ReturnValue; value |
 | 3 | Summary: lang:core; <crate::option::Option>::zip; Argument[0].Field[crate::option::Option::Some(0)]; ReturnValue.Field[crate::option::Option::Some(0)].Field[1]; value |
 | 4 | Summary: lang:core; <crate::result::Result>::unwrap; Argument[self].Field[crate::result::Result::Ok(0)]; ReturnValue; value |
-| 5 | Summary: lang:core; crate::ptr::read; Argument[0].Reference; ReturnValue; value |
-| 6 | Summary: lang:core; crate::ptr::write; Argument[1]; Argument[0].Reference; value |
+| 5 | Summary: lang:core; <i64 as crate::clone::Clone>::clone; Argument[self].Reference; ReturnValue; value |
+| 6 | Summary: lang:core; crate::ptr::read; Argument[0].Reference; ReturnValue; value |
+| 7 | Summary: lang:core; crate::ptr::write; Argument[1]; Argument[0].Reference; value |
 edges
 | main.rs:12:9:12:9 | a [Some] | main.rs:13:10:13:19 | a.unwrap() | provenance | MaD:2 |
 | main.rs:12:9:12:9 | a [Some] | main.rs:14:13:14:13 | a [Some] | provenance |  |
@@ -22,7 +23,12 @@ edges
 | main.rs:21:13:21:13 | a [Ok] | main.rs:21:13:21:21 | a.clone() [Ok] | provenance | generated |
 | main.rs:21:13:21:21 | a.clone() [Ok] | main.rs:21:9:21:9 | b [Ok] | provenance |  |
 | main.rs:26:9:26:9 | a | main.rs:27:10:27:10 | a | provenance |  |
+| main.rs:26:9:26:9 | a | main.rs:28:13:28:13 | a | provenance |  |
 | main.rs:26:13:26:22 | source(...) | main.rs:26:9:26:9 | a | provenance |  |
+| main.rs:28:9:28:9 | b | main.rs:29:10:29:10 | b | provenance |  |
+| main.rs:28:13:28:13 | a | main.rs:28:13:28:21 | a.clone() | provenance | MaD:5 |
+| main.rs:28:13:28:13 | a | main.rs:28:13:28:21 | a.clone() | provenance | generated |
+| main.rs:28:13:28:21 | a.clone() | main.rs:28:9:28:9 | b | provenance |  |
 | main.rs:41:13:41:13 | w [Wrapper] | main.rs:42:15:42:15 | w [Wrapper] | provenance |  |
 | main.rs:41:17:41:41 | Wrapper {...} [Wrapper] | main.rs:41:13:41:13 | w [Wrapper] | provenance |  |
 | main.rs:41:30:41:39 | source(...) | main.rs:41:17:41:41 | Wrapper {...} [Wrapper] | provenance |  |
@@ -47,8 +53,8 @@ edges
 | main.rs:61:18:61:23 | TuplePat [tuple.1] | main.rs:61:22:61:22 | m | provenance |  |
 | main.rs:61:22:61:22 | m | main.rs:63:22:63:22 | m | provenance |  |
 | main.rs:84:29:84:29 | [post] y [&ref] | main.rs:85:33:85:33 | y [&ref] | provenance |  |
-| main.rs:84:32:84:41 | source(...) | main.rs:84:29:84:29 | [post] y [&ref] | provenance | MaD:6 |
-| main.rs:85:33:85:33 | y [&ref] | main.rs:85:18:85:34 | ...::read(...) | provenance | MaD:5 |
+| main.rs:84:32:84:41 | source(...) | main.rs:84:29:84:29 | [post] y [&ref] | provenance | MaD:7 |
+| main.rs:85:33:85:33 | y [&ref] | main.rs:85:18:85:34 | ...::read(...) | provenance | MaD:6 |
 nodes
 | main.rs:12:9:12:9 | a [Some] | semmle.label | a [Some] |
 | main.rs:12:13:12:28 | Some(...) [Some] | semmle.label | Some(...) [Some] |
@@ -69,6 +75,10 @@ nodes
 | main.rs:26:9:26:9 | a | semmle.label | a |
 | main.rs:26:13:26:22 | source(...) | semmle.label | source(...) |
 | main.rs:27:10:27:10 | a | semmle.label | a |
+| main.rs:28:9:28:9 | b | semmle.label | b |
+| main.rs:28:13:28:13 | a | semmle.label | a |
+| main.rs:28:13:28:21 | a.clone() | semmle.label | a.clone() |
+| main.rs:29:10:29:10 | b | semmle.label | b |
 | main.rs:41:13:41:13 | w [Wrapper] | semmle.label | w [Wrapper] |
 | main.rs:41:17:41:41 | Wrapper {...} [Wrapper] | semmle.label | Wrapper {...} [Wrapper] |
 | main.rs:41:30:41:39 | source(...) | semmle.label | source(...) |
@@ -106,6 +116,7 @@ testFailures
 | main.rs:20:10:20:19 | a.unwrap() | main.rs:19:34:19:43 | source(...) | main.rs:20:10:20:19 | a.unwrap() | $@ | main.rs:19:34:19:43 | source(...) | source(...) |
 | main.rs:22:10:22:19 | b.unwrap() | main.rs:19:34:19:43 | source(...) | main.rs:22:10:22:19 | b.unwrap() | $@ | main.rs:19:34:19:43 | source(...) | source(...) |
 | main.rs:27:10:27:10 | a | main.rs:26:13:26:22 | source(...) | main.rs:27:10:27:10 | a | $@ | main.rs:26:13:26:22 | source(...) | source(...) |
+| main.rs:29:10:29:10 | b | main.rs:26:13:26:22 | source(...) | main.rs:29:10:29:10 | b | $@ | main.rs:26:13:26:22 | source(...) | source(...) |
 | main.rs:43:38:43:38 | n | main.rs:41:30:41:39 | source(...) | main.rs:43:38:43:38 | n | $@ | main.rs:41:30:41:39 | source(...) | source(...) |
 | main.rs:47:38:47:38 | n | main.rs:41:30:41:39 | source(...) | main.rs:47:38:47:38 | n | $@ | main.rs:41:30:41:39 | source(...) | source(...) |
 | main.rs:63:22:63:22 | m | main.rs:58:22:58:31 | source(...) | main.rs:63:22:63:22 | m | $@ | main.rs:58:22:58:31 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/modeled/main.rs

@@ -26,7 +26,7 @@ fn i64_clone() {
     let a = source(12);
     sink(a); // $ hasValueFlow=12
     let b = a.clone();
-    sink(b); // $ MISSING: hasValueFlow=12 - lack of builtins means that we cannot resolve clone call above, and hence not insert implicit borrow
+    sink(b); // $ hasValueFlow=12
 }
 
 mod my_clone {

rust/ql/test/library-tests/path-resolution/main.rs

@@ -75,7 +75,7 @@ fn i() {
 
     {
         struct Foo {
-            x: i32,
+            x: i32, // $ item=i32
         } // I30
 
         let _ = Foo { x: 0 }; // $ item=I30
@@ -121,9 +121,13 @@ mod m6 {
 
 mod m7 {
     pub enum MyEnum {
-        A(i32),       // I42
-        B { x: i32 }, // I43
-        C,            // I44
+        A(
+            i32, // $ item=i32
+        ), // I42
+        B {
+            x: i32, // $ item=i32
+        }, // I43
+        C, // I44
     } // I41
 
     #[rustfmt::skip]

rust/ql/test/library-tests/path-resolution/my.rs

@@ -25,9 +25,9 @@ type Result<
 >; // my::Result
 
 fn int_div(
-    x: i32, //
-    y: i32,
-) -> Result<i32> // $ item=my::Result
+    x: i32, // $ item=i32
+    y: i32, // $ item=i32
+) -> Result<i32> // $ item=my::Result $ item=i32
 {
     if y == 0 {
         return Err("Div by zero".to_string());