Rust: Fix types for * to deref overload

paldepind · paldepind · commit 09bf05f0df80 · 2025-06-19T21:01:26.000+02:00
diff --git a/rust/ql/lib/codeql/rust/elements/internal/CallImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/CallImpl.qll
@@ -35,7 +35,7 @@ module Impl {
    */
   abstract class Call extends ExprImpl::Expr {
     /** Holds if the receiver of this call is implicitly borrowed. */
-    predicate receiverImplicitlyBorrowed() { this.implicitBorrowAt(TSelfArgumentPosition()) }
+    predicate receiverImplicitlyBorrowed() { this.implicitBorrowAt(TSelfArgumentPosition(), _) }
 
     /** Gets the trait targeted by this call, if any. */
     abstract Trait getTrait();
@@ -47,7 +47,7 @@ module Impl {
     abstract Expr getArgument(ArgumentPosition pos);
 
     /** Holds if the argument at `pos` might be implicitly borrowed. */
-    abstract predicate implicitBorrowAt(ArgumentPosition pos);
+    abstract predicate implicitBorrowAt(ArgumentPosition pos, boolean certain);
 
     /** Gets the number of arguments _excluding_ any `self` argument. */
     int getNumberOfArguments() { result = count(this.getArgument(TPositionalArgumentPosition(_))) }
@@ -85,7 +85,7 @@ module Impl {
 
     override Trait getTrait() { none() }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos) { none() }
+    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) { none() }
 
     override Expr getArgument(ArgumentPosition pos) {
       result = super.getArgList().getArg(pos.asPosition())
@@ -109,7 +109,7 @@ module Impl {
       qualifier.toString() != "Self"
     }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos) { none() }
+    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) { none() }
 
     override Expr getArgument(ArgumentPosition pos) {
       pos.isSelf() and result = super.getArgList().getArg(0)
@@ -123,7 +123,9 @@ module Impl {
 
     override Trait getTrait() { none() }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos) { pos.isSelf() }
+    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) {
+      pos.isSelf() and certain = false
+    }
 
     override Expr getArgument(ArgumentPosition pos) {
       pos.isSelf() and result = this.(MethodCallExpr).getReceiver()
@@ -143,10 +145,13 @@ module Impl {
 
     override Trait getTrait() { result = trait }
 
-    override predicate implicitBorrowAt(ArgumentPosition pos) {
-      pos.isSelf() and borrows >= 1
-      or
-      pos.asPosition() = 0 and borrows = 2
+    override predicate implicitBorrowAt(ArgumentPosition pos, boolean certain) {
+      (
+        pos.isSelf() and borrows >= 1
+        or
+        pos.asPosition() = 0 and borrows = 2
+      ) and
+      certain = true
     }
 
     override Expr getArgument(ArgumentPosition pos) {
diff --git a/rust/ql/lib/codeql/rust/elements/internal/OperationImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/OperationImpl.qll
@@ -22,7 +22,7 @@ private predicate isOverloaded(string op, int arity, string path, string method,
     op = "!" and path = "core::ops::bit::Not" and method = "not" and borrows = 0
     or
     // Dereference
-    op = "*" and path = "core::ops::deref::Deref" and method = "deref" and borrows = 0
+    op = "*" and path = "core::ops::deref::Deref" and method = "deref" and borrows = 1
   )
   or
   arity = 2 and
diff --git a/rust/ql/lib/codeql/rust/internal/TypeInference.qll b/rust/ql/lib/codeql/rust/internal/TypeInference.qll
@@ -273,10 +273,6 @@ private predicate typeEquality(AstNode n1, TypePath prefix1, AstNode n2, TypePat
   prefix1.isEmpty() and
   prefix2 = TypePath::singleton(TRefTypeParameter())
   or
-  n1 = n2.(DerefExpr).getExpr() and
-  prefix1 = TypePath::singleton(TRefTypeParameter()) and
-  prefix2.isEmpty()
-  or
   exists(BlockExpr be |
     n1 = be and
     n2 = be.getStmtList().getTailExpr() and
@@ -640,20 +636,20 @@ private module CallExprBaseMatchingInput implements MatchingInputSig {
   }
 
   private newtype TAccessPosition =
-    TArgumentAccessPosition(ArgumentPosition pos, Boolean borrowed) or
+    TArgumentAccessPosition(ArgumentPosition pos, Boolean borrowed, Boolean certain) or
     TReturnAccessPosition()
 
   class AccessPosition extends TAccessPosition {
-    ArgumentPosition getArgumentPosition() { this = TArgumentAccessPosition(result, _) }
+    ArgumentPosition getArgumentPosition() { this = TArgumentAccessPosition(result, _, _) }
 
-    predicate isBorrowed() { this = TArgumentAccessPosition(_, true) }
+    predicate isBorrowed(boolean certain) { this = TArgumentAccessPosition(_, true, certain) }
 
     predicate isReturn() { this = TReturnAccessPosition() }
 
     string toString() {
-      exists(ArgumentPosition pos, boolean borrowed |
-        this = TArgumentAccessPosition(pos, borrowed) and
-        result = pos + ":" + borrowed
+      exists(ArgumentPosition pos, boolean borrowed, boolean certain |
+        this = TArgumentAccessPosition(pos, borrowed, certain) and
+        result = pos + ":" + borrowed + ":" + certain
       )
       or
       this.isReturn() and
@@ -674,10 +670,15 @@ private module CallExprBaseMatchingInput implements MatchingInputSig {
     }
 
     AstNode getNodeAt(AccessPosition apos) {
-      exists(ArgumentPosition pos, boolean borrowed |
-        apos = TArgumentAccessPosition(pos, borrowed) and
-        result = this.getArgument(pos) and
-        if this.implicitBorrowAt(pos) then borrowed = true else borrowed = false
+      exists(ArgumentPosition pos, boolean borrowed, boolean certain |
+        apos = TArgumentAccessPosition(pos, borrowed, certain) and
+        result = this.getArgument(pos)
+      |
+        if this.implicitBorrowAt(pos, _)
+        then borrowed = true and this.implicitBorrowAt(pos, certain)
+        else (
+          borrowed = false and certain = true
+        )
       )
       or
       result = this and apos.isReturn()
@@ -705,51 +706,54 @@ private module CallExprBaseMatchingInput implements MatchingInputSig {
   predicate adjustAccessType(
     AccessPosition apos, Declaration target, TypePath path, Type t, TypePath pathAdj, Type tAdj
   ) {
-    if apos.isBorrowed()
-    then
-      exists(Type selfParamType |
-        selfParamType =
-          target
-              .getParameterType(TArgumentDeclarationPosition(apos.getArgumentPosition()),
-                TypePath::nil())
-      |
-        if selfParamType = TRefType()
+    apos.isBorrowed(true) and
+    pathAdj = TypePath::cons(TRefTypeParameter(), path) and
+    tAdj = t
+    or
+    apos.isBorrowed(false) and
+    exists(Type selfParamType |
+      selfParamType =
+        target
+            .getParameterType(TArgumentDeclarationPosition(apos.getArgumentPosition()),
+              TypePath::nil())
+    |
+      if selfParamType = TRefType()
+      then
+        if t != TRefType() and path.isEmpty()
         then
-          if t != TRefType() and path.isEmpty()
+          // adjust for implicit borrow
+          pathAdj.isEmpty() and
+          tAdj = TRefType()
+          or
+          // adjust for implicit borrow
+          pathAdj = TypePath::singleton(TRefTypeParameter()) and
+          tAdj = t
+        else
+          if path.isCons(TRefTypeParameter(), _)
           then
+            pathAdj = path and
+            tAdj = t
+          else (
             // adjust for implicit borrow
-            pathAdj.isEmpty() and
-            tAdj = TRefType()
-            or
-            // adjust for implicit borrow
-            pathAdj = TypePath::singleton(TRefTypeParameter()) and
+            not (t = TRefType() and path.isEmpty()) and
+            pathAdj = TypePath::cons(TRefTypeParameter(), path) and
             tAdj = t
-          else
-            if path.isCons(TRefTypeParameter(), _)
-            then
-              pathAdj = path and
-              tAdj = t
-            else (
-              // adjust for implicit borrow
-              not (t = TRefType() and path.isEmpty()) and
-              pathAdj = TypePath::cons(TRefTypeParameter(), path) and
-              tAdj = t
-            )
-        else (
-          // adjust for implicit deref
-          path.isCons(TRefTypeParameter(), pathAdj) and
-          tAdj = t
-          or
-          not path.isCons(TRefTypeParameter(), _) and
-          not (t = TRefType() and path.isEmpty()) and
-          pathAdj = path and
-          tAdj = t
-        )
+          )
+      else (
+        // adjust for implicit deref
+        path.isCons(TRefTypeParameter(), pathAdj) and
+        tAdj = t
+        or
+        not path.isCons(TRefTypeParameter(), _) and
+        not (t = TRefType() and path.isEmpty()) and
+        pathAdj = path and
+        tAdj = t
       )
-    else (
-      pathAdj = path and
-      tAdj = t
     )
+    or
+    not apos.isBorrowed(_) and
+    pathAdj = path and
+    tAdj = t
   }
 }
 
@@ -766,35 +770,47 @@ private Type inferCallExprBaseType(AstNode n, TypePath path) {
     TypePath path0
   |
     n = a.getNodeAt(apos) and
-    result = CallExprBaseMatching::inferAccessType(a, apos, path0) and
-    if apos.isBorrowed()
-    then
-      exists(Type argType | argType = inferType(n) |
-        if argType = TRefType()
-        then
-          path = path0 and
-          path0.isCons(TRefTypeParameter(), _)
-          or
-          // adjust for implicit deref
+    result = CallExprBaseMatching::inferAccessType(a, apos, path0)
+  |
+    (
+      apos.isBorrowed(true)
+      or
+      // The desugaring of the unary `*e` is `*Deref::deref(&e)`. To handle the
+      // deref expression after the call we must strip a `&` from the type at
+      // the return position.
+      apos.isReturn() and a instanceof DerefExpr
+    ) and
+    path0.isCons(TRefTypeParameter(), path)
+    or
+    apos.isBorrowed(false) and
+    exists(Type argType | argType = inferType(n) |
+      if argType = TRefType()
+      then
+        path = path0 and
+        path0.isCons(TRefTypeParameter(), _)
+        or
+        // adjust for implicit deref
+        not path0.isCons(TRefTypeParameter(), _) and
+        not (path0.isEmpty() and result = TRefType()) and
+        path = TypePath::cons(TRefTypeParameter(), path0)
+      else (
+        not (
+          argType.(StructType).asItemNode() instanceof StringStruct and
+          result.(StructType).asItemNode() instanceof Builtins::Str
+        ) and
+        (
           not path0.isCons(TRefTypeParameter(), _) and
           not (path0.isEmpty() and result = TRefType()) and
-          path = TypePath::cons(TRefTypeParameter(), path0)
-        else (
-          not (
-            argType.(StructType).asItemNode() instanceof StringStruct and
-            result.(StructType).asItemNode() instanceof Builtins::Str
-          ) and
-          (
-            not path0.isCons(TRefTypeParameter(), _) and
-            not (path0.isEmpty() and result = TRefType()) and
-            path = path0
-            or
-            // adjust for implicit borrow
-            path0.isCons(TRefTypeParameter(), path)
-          )
+          path = path0
+          or
+          // adjust for implicit borrow
+          path0.isCons(TRefTypeParameter(), path)
         )
       )
-    else path = path0
+    )
+    or
+    not apos.isBorrowed(_) and
+    path = path0
   )
 }
 
@@ -1387,7 +1403,7 @@ private module Cached {
   predicate receiverHasImplicitDeref(AstNode receiver) {
     exists(CallExprBaseMatchingInput::Access a, CallExprBaseMatchingInput::AccessPosition apos |
       apos.getArgumentPosition().isSelf() and
-      apos.isBorrowed() and
+      apos.isBorrowed(_) and
       receiver = a.getNodeAt(apos) and
       inferType(receiver) = TRefType() and
       CallExprBaseMatching::inferAccessType(a, apos, TypePath::nil()) != TRefType()
@@ -1399,7 +1415,7 @@ private module Cached {
   predicate receiverHasImplicitBorrow(AstNode receiver) {
     exists(CallExprBaseMatchingInput::Access a, CallExprBaseMatchingInput::AccessPosition apos |
       apos.getArgumentPosition().isSelf() and
-      apos.isBorrowed() and
+      apos.isBorrowed(_) and
       receiver = a.getNodeAt(apos) and
       CallExprBaseMatching::inferAccessType(a, apos, TypePath::nil()) = TRefType() and
       inferType(receiver) != TRefType()
diff --git a/rust/ql/test/library-tests/type-inference/dereference.rs b/rust/ql/test/library-tests/type-inference/dereference.rs
@@ -34,7 +34,7 @@ fn explicit_monomorphic_dereference() {
 
     // Dereference with overloaded dereference operator
     let a2 = MyIntPointer { value: 34i64 };
-    let _b2 = *a2; // $ method=MyIntPointer::deref MISSING: type=_b2:i64
+    let _b2 = *a2; // $ method=MyIntPointer::deref type=_b2:i64
 
     // Call method on explicitly dereferenced value
     let a3 = MyIntPointer { value: 34i64 };
@@ -48,11 +48,11 @@ fn explicit_polymorphic_dereference() {
 
     // Explicit dereference with type parameter
     let c2 = MySmartPointer { value: 'a' };
-    let _d2 = *c2; // $ method=MySmartPointer::deref MISSING: type=_d2:char
+    let _d2 = *c2; // $ method=MySmartPointer::deref type=_d2:char
 
     // Call method on explicitly dereferenced value with type parameter
     let c3 = MySmartPointer { value: 34i64 };
-    let _d3 = (*c3).is_positive(); // $ method=MySmartPointer::deref MISSING: method=is_positive type=_d3:bool
+    let _d3 = (*c3).is_positive(); // $ method=MySmartPointer::deref method=is_positive type=_d3:bool
 }
 
 fn explicit_ref_dereference() {
@@ -76,11 +76,11 @@ fn explicit_box_dereference() {
 
     // Explicit dereference with type parameter
     let g2: Box<char> = Box::new('a');
-    let _h2 = *g2; // $ method=deref MISSING: type=_h2:char
+    let _h2 = *g2; // $ method=deref type=_h2:char
 
     // Call method on explicitly dereferenced value with type parameter
     let g3: Box<i64> = Box::new(34i64);
-    let _h3 = (*g3).is_positive(); // $ method=deref MISSING: method=is_positive type=_h3:bool
+    let _h3 = (*g3).is_positive(); // $ method=deref method=is_positive type=_h3:bool
 }
 
 fn implicit_dereference() {
diff --git a/rust/ql/test/library-tests/type-inference/main.rs b/rust/ql/test/library-tests/type-inference/main.rs
@@ -1140,7 +1140,7 @@ mod method_call_type_conversion {
         println!("{:?}", x5.m1()); // $ method=m1
         println!("{:?}", x5.0); // $ fieldof=S
 
-        let x6 = &S(S2); // $ SPURIOUS: type=x6:&T.&T.S
+        let x6 = &S(S2);
 
         // explicit dereference
         println!("{:?}", (*x6).m1()); // $ method=m1 method=deref
@@ -1717,7 +1717,7 @@ mod overloadable_operators {
 
         // Here the type of `default_vec2` must be inferred from the `==` call
         // and the type of the borrowed second argument is unknown at the call.
-        let default_vec2 = Default::default(); // $ MISSING: type=default_vec2:Vec2
+        let default_vec2 = Default::default(); // $ type=default_vec2:Vec2
         let vec2_zero_plus = Vec2 { x: 0, y: 0 } == default_vec2; // $ method=Vec2::eq
     }
 }
diff --git a/rust/ql/test/library-tests/type-inference/type-inference.expected b/rust/ql/test/library-tests/type-inference/type-inference.expected

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ private predicate isOverloaded(string op, int arity, string path, string method,`
`22`	`22`	`op = "!" and path = "core::ops::bit::Not" and method = "not" and borrows = 0`
`23`	`23`	`or`
`24`	`24`	`// Dereference`
`25`		`- op = "*" and path = "core::ops::deref::Deref" and method = "deref" and borrows = 0`
	`25`	`+ op = "*" and path = "core::ops::deref::Deref" and method = "deref" and borrows = 1`
`26`	`26`	`)`
`27`	`27`	`or`
`28`	`28`	`arity = 2 and`
Original file line number	Diff line number	Diff line change
`@@ -1140,7 +1140,7 @@ mod method_call_type_conversion {`
`1140`	`1140`	`println!("{:?}", x5.m1()); // $ method=m1`
`1141`	`1141`	`println!("{:?}", x5.0); // $ fieldof=S`
`1142`	`1142`
`1143`		`- let x6 = &S(S2); // $ SPURIOUS: type=x6:&T.&T.S`
	`1143`	`+ let x6 = &S(S2);`
`1144`	`1144`
`1145`	`1145`	`// explicit dereference`
`1146`	`1146`	`println!("{:?}", (*x6).m1()); // $ method=m1 method=deref`
`@@ -1717,7 +1717,7 @@ mod overloadable_operators {`
`1717`	`1717`
`1718`	`1718`	// Here the type of `default_vec2` must be inferred from the `==` call
`1719`	`1719`	`// and the type of the borrowed second argument is unknown at the call.`
`1720`		`- let default_vec2 = Default::default(); // $ MISSING: type=default_vec2:Vec2`
	`1720`	`+ let default_vec2 = Default::default(); // $ type=default_vec2:Vec2`
`1721`	`1721`	`let vec2_zero_plus = Vec2 { x: 0, y: 0 } == default_vec2; // $ method=Vec2::eq`
`1722`	`1722`	`}`
`1723`	`1723`	`}`