Rust: Restrict type propagation into arguments

Author: hvitved

rust/ql/lib/codeql/rust/internal/Type.qll

@@ -51,6 +51,7 @@ newtype TType =
   TSliceType() or
   TNeverType() or
   TPtrType() or
+  TContextType() or
   TTupleTypeParameter(int arity, int i) { exists(TTuple(arity)) and i in [0 .. arity - 1] } or
   TTypeParamTypeParameter(TypeParam t) or
   TAssociatedTypeTypeParameter(TypeAlias t) { any(TraitItemNode trait).getAnAssocItem() = t } or
@@ -371,6 +372,30 @@ class PtrType extends Type, TPtrType {
   override Location getLocation() { result instanceof EmptyLocation }
 }
 
+/**
+ * A special pseudo type used to indicate that the actual type may have to be
+ * inferred from a context.
+ *
+ * For example, a call like `Default::default()` is assigned this type, which
+ * means that the actual type is to be inferred from the context in which the call
+ * occurs.
+ *
+ * Context types are not restricted to root types, for example in a call like
+ * `Vec::new()` we assign this type at the type path corresponding to the type
+ * parameter of `Vec`.
+ *
+ * Context types are used to restrict when type information is allowed to flow
+ * into call arguments (including method call receivers), in order to avoid
+ * combinatorial explosions.
+ */
+class ContextType extends Type, TContextType {
+  override TypeParameter getPositionalTypeParameter(int i) { none() }
+
+  override string toString() { result = "(context typed)" }
+
+  override Location getLocation() { result instanceof EmptyLocation }
+}
+
 /** A type parameter. */
 abstract class TypeParameter extends Type {
   override TypeParameter getPositionalTypeParameter(int i) { none() }

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -909,6 +909,113 @@ private Type getCallExprTypeQualifier(CallExpr ce, TypePath path) {
   )
 }
 
+/**
+ * Provides functionality related to context-based typing of calls.
+ */
+private module ContextTyping {
+  /**
+   * Holds if the return type of the function `f` at path `path` is `tp`,
+   * and `tp` does not appear in the type of any parameter of `f`.
+   *
+   * In this case, the context in which `f` is called may be needed to infer
+   * the instantiation of `tp`.
+   */
+  pragma[nomagic]
+  private predicate assocFunctionReturnContextTypedAt(
+    Function f, FunctionPosition pos, TypePath path, TypeParameter tp
+  ) {
+    exists(ImplOrTraitItemNode i |
+      pos.isReturn() and
+      tp = getAssocFunctionTypeAt(f, i, pos, path) and
+      not exists(FunctionPosition nonResPos |
+        not nonResPos.isReturn() and
+        tp = getAssocFunctionTypeAt(f, i, nonResPos, _)
+      )
+    )
+  }
+
+  /**
+   * A call where the type of the result may have to be inferred from the
+   * context in which the call appears, for example a call like
+   * `Default::default()`.
+   */
+  abstract class ContextTypedCallCand extends AstNode {
+    abstract Type getTypeArgument(TypeArgumentPosition apos, TypePath path);
+
+    private predicate hasTypeArgument(TypeArgumentPosition apos) {
+      exists(this.getTypeArgument(apos, _))
+    }
+
+    /**
+     * Holds if `this` call resolves to `target` and the type at `pos` and `path`
+     * may have to be inferred from the context.
+     */
+    bindingset[this, target]
+    predicate isContextTypedAt(Function target, TypePath path, FunctionPosition pos) {
+      exists(TypeParameter tp |
+        assocFunctionReturnContextTypedAt(target, pos, path, tp) and
+        // check that no explicit type arguments have been supplied for `tp`
+        not exists(TypeArgumentPosition tapos | this.hasTypeArgument(tapos) |
+          exists(int i |
+            i = tapos.asMethodTypeArgumentPosition() and
+            tp = TTypeParamTypeParameter(target.getGenericParamList().getTypeParam(i))
+          )
+          or
+          TTypeParamTypeParameter(tapos.asTypeParam()) = tp
+        ) and
+        not (
+          tp instanceof TSelfTypeParameter and
+          exists(getCallExprTypeQualifier(this, _))
+        )
+      )
+    }
+  }
+
+  pragma[nomagic]
+  private predicate isContextTyped(AstNode n, TypePath path) { inferType(n, path) = TContextType() }
+
+  pragma[nomagic]
+  private predicate isContextTyped(AstNode n) { isContextTyped(n, _) }
+
+  signature Type inferCallTypeSig(AstNode n, FunctionPosition pos, TypePath path);
+
+  /**
+   * Given a predicate `inferCallType` for inferring the type of a call at a given
+   * position, this module exposes the predicate `check`, which wraps the input
+   * predicate and checks that types are only propagated into arguments when they
+   * are context-typed.
+   */
+  module CheckContextTyping<inferCallTypeSig/3 inferCallType> {
+    pragma[nomagic]
+    private Type inferCallTypeFromContextCand(
+      AstNode n, FunctionPosition pos, TypePath path, TypePath prefix
+    ) {
+      result = inferCallType(n, pos, path) and
+      not pos.isReturn() and
+      isContextTyped(n) and
+      prefix = path
+      or
+      exists(TypePath mid |
+        result = inferCallTypeFromContextCand(n, pos, path, mid) and
+        mid.isSnoc(prefix, _)
+      )
+    }
+
+    pragma[nomagic]
+    Type check(AstNode n, TypePath path) {
+      exists(FunctionPosition pos |
+        result = inferCallType(n, pos, path) and
+        pos.isReturn()
+        or
+        exists(TypePath prefix |
+          result = inferCallTypeFromContextCand(n, pos, path, prefix) and
+          isContextTyped(n, prefix)
+        )
+      )
+    }
+  }
+}
+
 /**
  * Holds if function `f` with the name `name` and the arity `arity` exists in
  * `i`, and the type at position `pos` is `t`.
@@ -1569,7 +1676,8 @@ private module MethodResolution {
 
     Type getTypeAt(TypePath path) {
       result = mc_.getACandidateReceiverTypeAtSubstituteLookupTraits(derefChain, borrow, path) and
-      not result = TNeverType()
+      not result = TNeverType() and
+      not result = TContextType()
     }
 
     pragma[nomagic]
@@ -1918,14 +2026,14 @@ private module MethodCallMatchingInput implements MatchingWithEnvironmentInputSi
 
   final private class MethodCallFinal = MethodResolution::MethodCall;
 
-  class Access extends MethodCallFinal {
+  class Access extends MethodCallFinal, ContextTyping::ContextTypedCallCand {
     Access() {
       // handled in the `OperationMatchingInput` module
       not this instanceof Operation
     }
 
     pragma[nomagic]
-    Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
+    override Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
       exists(TypeMention arg | result = arg.resolveTypeAt(path) |
         arg =
           this.(MethodCallExpr).getGenericArgList().getTypeArg(apos.asMethodTypeArgumentPosition())
@@ -1989,7 +2097,12 @@ private Type inferMethodCallType0(
 ) {
   exists(TypePath path0 |
     n = a.getNodeAt(apos) and
-    result = MethodCallMatching::inferAccessType(a, derefChainBorrow, apos, path0)
+    (
+      result = MethodCallMatching::inferAccessType(a, derefChainBorrow, apos, path0)
+      or
+      a.isContextTypedAt(a.getTarget(derefChainBorrow), path0, apos) and
+      result = TContextType()
+    )
   |
     if
       // index expression `x[i]` desugars to `*x.index(i)`, so we must account for
@@ -2001,16 +2114,11 @@ private Type inferMethodCallType0(
   )
 }
 
-/**
- * Gets the type of `n` at `path`, where `n` is either a method call or an
- * argument/receiver of a method call.
- */
 pragma[nomagic]
-private Type inferMethodCallType(AstNode n, TypePath path) {
-  exists(
-    MethodCallMatchingInput::Access a, MethodCallMatchingInput::AccessPosition apos,
-    string derefChainBorrow, TypePath path0
-  |
+private Type inferMethodCallType1(
+  AstNode n, MethodCallMatchingInput::AccessPosition apos, TypePath path
+) {
+  exists(MethodCallMatchingInput::Access a, string derefChainBorrow, TypePath path0 |
     result = inferMethodCallType0(a, apos, n, derefChainBorrow, path0)
   |
     (
@@ -2032,6 +2140,13 @@ private Type inferMethodCallType(AstNode n, TypePath path) {
   )
 }
 
+/**
+ * Gets the type of `n` at `path`, where `n` is either a method call or an
+ * argument/receiver of a method call.
+ */
+private predicate inferMethodCallType =
+  ContextTyping::CheckContextTyping<inferMethodCallType1/3>::check/2;
+
 /**
  * Provides logic for resolving calls to non-method items. This includes
  * "calls" to tuple variants and tuple structs.
@@ -2199,6 +2314,12 @@ private module NonMethodResolution {
       or
       result = this.resolveCallTargetRec()
     }
+
+    pragma[nomagic]
+    Function resolveTraitFunction() {
+      this.(Call).hasTrait() and
+      result = this.getPathResolutionResolved()
+    }
   }
 
   private newtype TCallAndBlanketPos =
@@ -2433,9 +2554,9 @@ private module NonMethodCallMatchingInput implements MatchingInputSig {
     }
   }
 
-  class Access extends NonMethodResolution::NonMethodCall {
+  class Access extends NonMethodResolution::NonMethodCall, ContextTyping::ContextTypedCallCand {
     pragma[nomagic]
-    Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
+    override Type getTypeArgument(TypeArgumentPosition apos, TypePath path) {
       result = getCallExprTypeArgument(this, apos).resolveTypeAt(path)
     }
 
@@ -2456,13 +2577,20 @@ private module NonMethodCallMatchingInput implements MatchingInputSig {
 private module NonMethodCallMatching = Matching<NonMethodCallMatchingInput>;
 
 pragma[nomagic]
-private Type inferNonMethodCallType(AstNode n, TypePath path) {
-  exists(NonMethodCallMatchingInput::Access a, NonMethodCallMatchingInput::AccessPosition apos |
-    n = a.getNodeAt(apos) and
+private Type inferNonMethodCallType0(
+  AstNode n, NonMethodCallMatchingInput::AccessPosition apos, TypePath path
+) {
+  exists(NonMethodCallMatchingInput::Access a | n = a.getNodeAt(apos) |
     result = NonMethodCallMatching::inferAccessType(a, apos, path)
+    or
+    a.isContextTypedAt([a.resolveCallTarget().(Function), a.resolveTraitFunction()], path, apos) and
+    result = TContextType()
   )
 }
 
+private predicate inferNonMethodCallType =
+  ContextTyping::CheckContextTyping<inferNonMethodCallType0/3>::check/2;
+
 /**
  * A matching configuration for resolving types of operations like `a + b`.
  */
@@ -2535,13 +2663,18 @@ private module OperationMatchingInput implements MatchingInputSig {
 private module OperationMatching = Matching<OperationMatchingInput>;
 
 pragma[nomagic]
-private Type inferOperationType(AstNode n, TypePath path) {
-  exists(OperationMatchingInput::Access a, OperationMatchingInput::AccessPosition apos |
+private Type inferOperationType0(
+  AstNode n, OperationMatchingInput::AccessPosition apos, TypePath path
+) {
+  exists(OperationMatchingInput::Access a |
     n = a.getNodeAt(apos) and
     result = OperationMatching::inferAccessType(a, apos, path)
   )
 }
 
+private predicate inferOperationType =
+  ContextTyping::CheckContextTyping<inferOperationType0/3>::check/2;
+
 pragma[nomagic]
 private Type getFieldExprLookupType(FieldExpr fe, string name) {
   exists(TypePath path |

rust/ql/lib/codeql/rust/internal/typeinference/BlanketImplementation.qll

@@ -92,7 +92,8 @@ module SatisfiesBlanketConstraint<
 
     Type getTypeAt(TypePath path) {
       result = at.getTypeAt(blanketPath.appendInverse(path)) and
-      not result = TNeverType()
+      not result = TNeverType() and
+      not result = TContextType()
     }
 
     string toString() { result = at.toString() + " [blanket at " + blanketPath.toString() + "]" }

rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll

@@ -229,7 +229,8 @@ module ArgIsInstantiationOf<
   private class ArgSubst extends ArgFinal {
     Type getTypeAt(TypePath path) {
       result = substituteLookupTraits(super.getTypeAt(path)) and
-      not result = TNeverType()
+      not result = TNeverType() and
+      not result = TContextType()
     }
   }
 

rust/ql/test/library-tests/sensitivedata/CONSISTENCY/PathResolutionConsistency.expected

@@ -0,0 +1,2 @@
+multipleCallTargets
+| test.rs:288:7:288:36 | ... .as_str() |