From 11055760a442deaf583d7be8a1bf512be0c23821 Mon Sep 17 00:00:00 2001
From: Simon Friis Vindum <simonfv@gmail.com>
Date: Fri, 7 Feb 2025 13:53:17 +0100
Subject: [PATCH] Rust: Handle writes to references and add encoding of
 reference content

---
 .../rust/dataflow/internal/DataFlowImpl.qll   | 15 +++++++++
 .../dataflow/internal/FlowSummaryImpl.qll     |  4 +++
 .../modelgenerator/internal/CaptureModels.qll |  5 ++-
 .../dataflow/global/inline-flow.expected      | 17 ++++++++++
 .../library-tests/dataflow/global/main.rs     |  2 +-
 .../dataflow/pointers/inline-flow.expected    |  8 +++++
 .../library-tests/dataflow/pointers/main.rs   |  2 +-
 .../test/utils-tests/modelgenerator/option.rs | 32 +++++++++++--------
 .../utils-tests/modelgenerator/summaries.rs   |  3 +-
 9 files changed, 69 insertions(+), 19 deletions(-)

diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
index 6c539e9642df..70736818cad6 100644
--- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -1211,6 +1211,17 @@ module RustDataFlow implements InputSig<Location> {
     )
   }
 
+  pragma[nomagic]
+  private predicate referenceAssignment(Node node1, Node node2, ReferenceContent c) {
+    exists(AssignmentExprCfgNode assignment, PrefixExprCfgNode deref |
+      assignment.getLhs() = deref and
+      deref.getOperatorName() = "*" and
+      node1.asExpr() = assignment.getRhs() and
+      node2.asExpr() = deref.getExpr() and
+      exists(c)
+    )
+  }
+
   pragma[nomagic]
   private predicate storeContentStep(Node node1, Content c, Node node2) {
     exists(CallExprCfgNode call, int pos |
@@ -1242,6 +1253,8 @@ module RustDataFlow implements InputSig<Location> {
     or
     fieldAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
     or
+    referenceAssignment(node1, node2.(PostUpdateNode).getPreUpdateNode(), c)
+    or
     exists(AssignmentExprCfgNode assignment, IndexExprCfgNode index |
       c instanceof ElementContent and
       assignment.getLhs() = index and
@@ -1285,6 +1298,8 @@ module RustDataFlow implements InputSig<Location> {
   predicate clearsContent(Node n, ContentSet cs) {
     fieldAssignment(_, n, cs.(SingletonContentSet).getContent())
     or
+    referenceAssignment(_, n, cs.(SingletonContentSet).getContent())
+    or
     FlowSummaryImpl::Private::Steps::summaryClearsContent(n.(Node::FlowSummaryNode).getSummaryNode(),
       cs)
     or
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
index b716e81b129e..8ef1473b62e9 100644
--- a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll
@@ -89,6 +89,10 @@ module Input implements InputSig<Location, RustDataFlow> {
           arg = v.getExtendedCanonicalPath() + "(" + v.getPosition() + ")"
         )
       or
+      result = "Reference" and
+      c = TReferenceContent() and
+      arg = ""
+      or
       result = "Element" and
       c = TElementContent() and
       arg = ""
diff --git a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
index 21269cacec25..a04367055f66 100644
--- a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -81,9 +81,8 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, RustDataF
   }
 
   bindingset[c]
-  string paramReturnNodeAsOutput(R::Callable c, ParameterPosition pos) {
-    // TODO: Implement this to support returning through parameters.
-    result = "paramReturnNodeAsOutput(" + c + ", " + pos + ")"
+  string paramReturnNodeAsOutput(Callable c, ParameterPosition pos) {
+    result = paramReturnNodeAsContentOutput(c, pos)
   }
 
   bindingset[c]
diff --git a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
index c9eab0e3acf9..9f1d95955e1a 100644
--- a/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/global/inline-flow.expected
@@ -42,6 +42,13 @@ edges
 | main.rs:101:13:101:30 | mn.data_through(...) | main.rs:101:9:101:9 | b | provenance |  |
 | main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | provenance |  |
 | main.rs:101:29:101:29 | a | main.rs:101:13:101:30 | mn.data_through(...) | provenance |  |
+| main.rs:139:25:139:30 | ...: i64 | main.rs:140:10:140:10 | c | provenance |  |
+| main.rs:140:6:140:6 | [post] n [&ref] | main.rs:139:12:139:22 | ...: ... [Return] [&ref] | provenance |  |
+| main.rs:140:10:140:10 | c | main.rs:140:6:140:6 | [post] n [&ref] | provenance |  |
+| main.rs:148:13:148:13 | [post] m [&ref] | main.rs:149:11:149:11 | m [&ref] | provenance |  |
+| main.rs:148:16:148:25 | source(...) | main.rs:139:25:139:30 | ...: i64 | provenance |  |
+| main.rs:148:16:148:25 | source(...) | main.rs:148:13:148:13 | [post] m [&ref] | provenance |  |
+| main.rs:149:11:149:11 | m [&ref] | main.rs:149:10:149:11 | * ... | provenance |  |
 nodes
 | main.rs:12:28:14:1 | { ... } | semmle.label | { ... } |
 | main.rs:13:5:13:13 | source(...) | semmle.label | source(...) |
@@ -92,11 +99,20 @@ nodes
 | main.rs:101:13:101:30 | mn.data_through(...) | semmle.label | mn.data_through(...) |
 | main.rs:101:29:101:29 | a | semmle.label | a |
 | main.rs:102:10:102:10 | b | semmle.label | b |
+| main.rs:139:12:139:22 | ...: ... [Return] [&ref] | semmle.label | ...: ... [Return] [&ref] |
+| main.rs:139:25:139:30 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:140:6:140:6 | [post] n [&ref] | semmle.label | [post] n [&ref] |
+| main.rs:140:10:140:10 | c | semmle.label | c |
+| main.rs:148:13:148:13 | [post] m [&ref] | semmle.label | [post] m [&ref] |
+| main.rs:148:16:148:25 | source(...) | semmle.label | source(...) |
+| main.rs:149:10:149:11 | * ... | semmle.label | * ... |
+| main.rs:149:11:149:11 | m [&ref] | semmle.label | m [&ref] |
 subpaths
 | main.rs:36:26:36:26 | a | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:36:13:36:27 | pass_through(...) |
 | main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:41:13:44:6 | pass_through(...) |
 | main.rs:55:26:55:26 | a | main.rs:51:21:51:26 | ...: i64 | main.rs:51:36:53:5 | { ... } | main.rs:55:13:55:27 | pass_through(...) |
 | main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | main.rs:77:43:83:5 | { ... } | main.rs:101:13:101:30 | mn.data_through(...) |
+| main.rs:148:16:148:25 | source(...) | main.rs:139:25:139:30 | ...: i64 | main.rs:139:12:139:22 | ...: ... [Return] [&ref] | main.rs:148:13:148:13 | [post] m [&ref] |
 testFailures
 #select
 | main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) |
@@ -107,3 +123,4 @@ testFailures
 | main.rs:68:14:68:14 | n | main.rs:94:13:94:21 | source(...) | main.rs:68:14:68:14 | n | $@ | main.rs:94:13:94:21 | source(...) | source(...) |
 | main.rs:89:10:89:10 | a | main.rs:74:13:74:21 | source(...) | main.rs:89:10:89:10 | a | $@ | main.rs:74:13:74:21 | source(...) | source(...) |
 | main.rs:102:10:102:10 | b | main.rs:100:13:100:21 | source(...) | main.rs:102:10:102:10 | b | $@ | main.rs:100:13:100:21 | source(...) | source(...) |
+| main.rs:149:10:149:11 | * ... | main.rs:148:16:148:25 | source(...) | main.rs:149:10:149:11 | * ... | $@ | main.rs:148:16:148:25 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/global/main.rs b/rust/ql/test/library-tests/dataflow/global/main.rs
index 2b6f60e831a7..fee598793cfb 100644
--- a/rust/ql/test/library-tests/dataflow/global/main.rs
+++ b/rust/ql/test/library-tests/dataflow/global/main.rs
@@ -146,7 +146,7 @@ fn mutates_argument_1() {
     let m = &mut n;
     sink(*m);
     set_int(m, source(37));
-    sink(*m); // $ MISSING: hasValueFlow=37
+    sink(*m); // $ hasValueFlow=37
 }
 
 fn mutates_argument_2() {
diff --git a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected
index de53d1855af5..f61a1642f91c 100644
--- a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected
@@ -8,6 +8,9 @@ edges
 | main.rs:15:9:15:9 | c | main.rs:16:10:16:10 | c | provenance |  |
 | main.rs:15:13:15:14 | * ... | main.rs:15:9:15:9 | c | provenance |  |
 | main.rs:15:14:15:14 | b [&ref] | main.rs:15:13:15:14 | * ... | provenance |  |
+| main.rs:31:6:31:6 | [post] b [&ref] | main.rs:32:11:32:11 | b [&ref] | provenance |  |
+| main.rs:31:10:31:19 | source(...) | main.rs:31:6:31:6 | [post] b [&ref] | provenance |  |
+| main.rs:32:11:32:11 | b [&ref] | main.rs:32:10:32:11 | * ... | provenance |  |
 | main.rs:37:25:37:26 | &... [&ref] | main.rs:37:26:37:26 | n | provenance |  |
 | main.rs:37:25:37:32 | ...: ... [&ref] | main.rs:37:25:37:26 | &... [&ref] | provenance |  |
 | main.rs:37:26:37:26 | n | main.rs:38:10:38:10 | n | provenance |  |
@@ -54,6 +57,10 @@ nodes
 | main.rs:15:13:15:14 | * ... | semmle.label | * ... |
 | main.rs:15:14:15:14 | b [&ref] | semmle.label | b [&ref] |
 | main.rs:16:10:16:10 | c | semmle.label | c |
+| main.rs:31:6:31:6 | [post] b [&ref] | semmle.label | [post] b [&ref] |
+| main.rs:31:10:31:19 | source(...) | semmle.label | source(...) |
+| main.rs:32:10:32:11 | * ... | semmle.label | * ... |
+| main.rs:32:11:32:11 | b [&ref] | semmle.label | b [&ref] |
 | main.rs:37:25:37:26 | &... [&ref] | semmle.label | &... [&ref] |
 | main.rs:37:25:37:32 | ...: ... [&ref] | semmle.label | ...: ... [&ref] |
 | main.rs:37:26:37:26 | n | semmle.label | n |
@@ -100,6 +107,7 @@ subpaths
 testFailures
 #select
 | main.rs:16:10:16:10 | c | main.rs:13:13:13:22 | source(...) | main.rs:16:10:16:10 | c | $@ | main.rs:13:13:13:22 | source(...) | source(...) |
+| main.rs:32:10:32:11 | * ... | main.rs:31:10:31:19 | source(...) | main.rs:32:10:32:11 | * ... | $@ | main.rs:31:10:31:19 | source(...) | source(...) |
 | main.rs:38:10:38:10 | n | main.rs:42:15:42:24 | source(...) | main.rs:38:10:38:10 | n | $@ | main.rs:42:15:42:24 | source(...) | source(...) |
 | main.rs:70:10:70:30 | my_number.to_number(...) | main.rs:69:40:69:49 | source(...) | main.rs:70:10:70:30 | my_number.to_number(...) | $@ | main.rs:69:40:69:49 | source(...) | source(...) |
 | main.rs:80:10:80:31 | my_number.get_number(...) | main.rs:79:41:79:50 | source(...) | main.rs:80:10:80:31 | my_number.get_number(...) | $@ | main.rs:79:41:79:50 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/pointers/main.rs b/rust/ql/test/library-tests/dataflow/pointers/main.rs
index 7ff8fefc6c68..d48db5502720 100644
--- a/rust/ql/test/library-tests/dataflow/pointers/main.rs
+++ b/rust/ql/test/library-tests/dataflow/pointers/main.rs
@@ -29,7 +29,7 @@ fn write_and_read_through_borrow() {
     let b = &mut a;
     sink(*b);
     *b = source(37);
-    sink(*b); // $ MISSING: hasValueFlow=37
+    sink(*b); // $ hasValueFlow=37
     *b = 0;
     sink(*b); // now cleared
 }
diff --git a/rust/ql/test/utils-tests/modelgenerator/option.rs b/rust/ql/test/utils-tests/modelgenerator/option.rs
index f1211170fffa..296e7ba9567d 100644
--- a/rust/ql/test/utils-tests/modelgenerator/option.rs
+++ b/rust/ql/test/utils-tests/modelgenerator/option.rs
@@ -44,7 +44,9 @@ impl<T> MyOption<T> {
         }
     }
 
-    // summary=repo::test;<crate::option::MyOption>::as_ref;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // NOTE: The returned value inside the variant should be inside a `Reference`, requires handling
+    // `ref` in patterns.
+    // summary=repo::test;<crate::option::MyOption>::as_ref;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     pub fn as_ref(&self) -> MyOption<&T> {
         match *self {
             MySome(ref x) => MySome(x),
@@ -52,7 +54,7 @@ impl<T> MyOption<T> {
         }
     }
 
-    // summary=repo::test;<crate::option::MyOption>::as_mut;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::as_mut;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     pub fn as_mut(&mut self) -> MyOption<&mut T> {
         match *self {
             MySome(ref mut x) => MySome(x),
@@ -285,8 +287,11 @@ impl<T> MyOption<T> {
         }
     }
 
-    // MISSING: summary=repo::test;<crate::option::MyOption>::insert;Argument[0];ReturnValue;value;dfc-generated
-    // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::insert;Argument[0];Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // The below should be `ReturnValue.Reference` and not just `ReturnValue`.
+    // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[0];ReturnValue;value;dfc-generated
+    // The content of `self` is overwritten so it does not flow to the return value.
+    // SPURIOUS-summary=repo::test;<crate::option::MyOption>::insert;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
     pub fn insert(&mut self, value: T) -> &mut T {
         *self = MySome(value);
 
@@ -294,13 +299,14 @@ impl<T> MyOption<T> {
         unsafe { self.as_mut().unwrap_unchecked() }
     }
 
-    // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
-    // MISSING: repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[0];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
     pub fn get_or_insert(&mut self, value: T) -> &mut T {
         self.get_or_insert_with(|| value)
     }
 
-    // summary=repo::test;<crate::option::MyOption>::get_or_insert_default;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert_default;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
     pub fn get_or_insert_default(&mut self) -> &mut T
     where
         T: Default,
@@ -308,7 +314,7 @@ impl<T> MyOption<T> {
         self.get_or_insert_with(T::default)
     }
 
-    // summary=repo::test;<crate::option::MyOption>::get_or_insert_with;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::get_or_insert_with;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue;value;dfc-generated
     // MISSING: Mutating `self` parameter.
     pub fn get_or_insert_with<F>(&mut self, f: F) -> &mut T
     where
@@ -329,7 +335,7 @@ impl<T> MyOption<T> {
         mem::replace(self, MyNone)
     }
 
-    // summary=repo::test;<crate::option::MyOption>::take_if;Argument[self].Variant[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::take_if;Argument[self].Reference.Variant[crate::option::MyOption::MySome(0)];Argument[0].Parameter[0];value;dfc-generated
     // MISSING: Uses `take` which doesn't have flow
     pub fn take_if<P>(&mut self, predicate: P) -> MyOption<T>
     where
@@ -378,7 +384,7 @@ impl<T, U> MyOption<(T, U)> {
 }
 
 impl<T> MyOption<&T> {
-    // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     pub fn copied(self) -> MyOption<T>
     where
         T: Copy,
@@ -404,7 +410,7 @@ impl<T> MyOption<&T> {
 }
 
 impl<T> MyOption<&mut T> {
-    // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption>::copied;Argument[self].Variant[crate::option::MyOption::MySome(0)].Reference;ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     pub fn copied(self) -> MyOption<T>
     where
         T: Copy,
@@ -474,14 +480,14 @@ impl<T> From<T> for MyOption<T> {
 }
 
 impl<'a, T> From<&'a MyOption<T>> for MyOption<&'a T> {
-    // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     fn from(o: &'a MyOption<T>) -> MyOption<&'a T> {
         o.as_ref()
     }
 }
 
 impl<'a, T> From<&'a mut MyOption<T>> for MyOption<&'a mut T> {
-    // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
+    // summary=repo::test;<crate::option::MyOption as crate::convert::From>::from;Argument[0].Reference.Variant[crate::option::MyOption::MySome(0)];ReturnValue.Variant[crate::option::MyOption::MySome(0)];value;dfc-generated
     fn from(o: &'a mut MyOption<T>) -> MyOption<&'a mut T> {
         o.as_mut()
     }
diff --git a/rust/ql/test/utils-tests/modelgenerator/summaries.rs b/rust/ql/test/utils-tests/modelgenerator/summaries.rs
index db1158640c25..3e6b0995971f 100644
--- a/rust/ql/test/utils-tests/modelgenerator/summaries.rs
+++ b/rust/ql/test/utils-tests/modelgenerator/summaries.rs
@@ -79,11 +79,12 @@ pub fn apply<F>(n: i64, f: F) -> i64 where F : FnOnce(i64) -> i64 {
 
 // Flow out of mutated arguments
 
+// summary=repo::test;crate::summaries::set_int;Argument[1];Argument[0].Reference;value;dfc-generated
 pub fn set_int(n: &mut i64, c: i64) {
     *n = c;
 }
 
-// summary=repo::test;crate::summaries::read_int;Argument[0];ReturnValue;value;dfc-generated
+// summary=repo::test;crate::summaries::read_int;Argument[0].Reference;ReturnValue;value;dfc-generated
 pub fn read_int(n: &mut i64) -> i64 {
     *n
 }