Rust: Take prelude into account when resolving paths

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/internal/Content.qll

@@ -255,8 +255,6 @@ cached
 newtype TContent =
   TTupleFieldContent(TupleField field) { Stages::DataFlowStage::ref() } or
   TStructFieldContent(StructField field) or
-  // TODO: Remove once library types are extracted
-  TVariantInLibTupleFieldContent(VariantInLib::VariantInLib v, int pos) { pos = v.getAPosition() } or
   TElementContent() or
   TFutureContent() or
   TTuplePositionContent(int pos) {

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -302,125 +302,6 @@ module LocalFlow {
   }
 }
 
-/**
- * Provides temporary modeling of built-in variants, for which no source code
- * `Item`s are available.
- *
- * TODO: Remove once library code is extracted.
- */
-module VariantInLib {
-  private import codeql.util.Option
-
-  private class CrateOrigin extends string {
-    CrateOrigin() { this = any(Resolvable r).getResolvedCrateOrigin() }
-  }
-
-  private class CrateOriginOption = Option<CrateOrigin>::Option;
-
-  private CrateOriginOption langCoreCrate() { result.asSome() = "lang:core" }
-
-  private newtype TVariantInLib =
-    MkVariantInLib(CrateOriginOption crate, string path, string name) {
-      crate = langCoreCrate() and
-      (
-        path = "crate::option::Option" and
-        name = "Some"
-        or
-        path = "crate::result::Result" and
-        name = ["Ok", "Err"]
-      )
-    }
-
-  /** An enum variant from library code, represented by the enum's canonical path and the variant's name. */
-  class VariantInLib extends MkVariantInLib {
-    CrateOriginOption crate;
-    string path;
-    string name;
-
-    VariantInLib() { this = MkVariantInLib(crate, path, name) }
-
-    int getAPosition() {
-      this = MkVariantInLib(langCoreCrate(), "crate::option::Option", "Some") and
-      result = 0
-      or
-      this = MkVariantInLib(langCoreCrate(), "crate::result::Result", ["Ok", "Err"]) and
-      result = 0
-    }
-
-    string getExtendedCanonicalPath() { result = path + "::" + name }
-
-    string toString() { result = name }
-  }
-
-  /** A tuple variant from library code. */
-  class VariantInLibTupleFieldContent extends Content, TVariantInLibTupleFieldContent {
-    private VariantInLib::VariantInLib v;
-    private int pos_;
-
-    VariantInLibTupleFieldContent() { this = TVariantInLibTupleFieldContent(v, pos_) }
-
-    VariantInLib::VariantInLib getVariantInLib(int pos) { result = v and pos = pos_ }
-
-    string getExtendedCanonicalPath() { result = v.getExtendedCanonicalPath() }
-
-    int getPosition() { result = pos_ }
-
-    final override string toString() {
-      // only print indices when the arity is > 1
-      if exists(TVariantInLibTupleFieldContent(v, 1))
-      then result = v.toString() + "(" + pos_ + ")"
-      else result = v.toString()
-    }
-
-    final override Location getLocation() { result instanceof EmptyLocation }
-  }
-
-  pragma[nomagic]
-  private predicate resolveExtendedCanonicalPath(Resolvable r, CrateOriginOption crate, string path) {
-    path = r.getResolvedPath() and
-    (
-      crate.asSome() = r.getResolvedCrateOrigin()
-      or
-      crate.isNone() and
-      not r.hasResolvedCrateOrigin()
-    )
-  }
-
-  /** Holds if path `p` resolves to variant `v`. */
-  private predicate pathResolveToVariantInLib(PathAstNode p, VariantInLib v) {
-    exists(CrateOriginOption crate, string path, string name |
-      resolveExtendedCanonicalPath(p, pragma[only_bind_into](crate), path + "::" + name) and
-      v = MkVariantInLib(pragma[only_bind_into](crate), path, name)
-    )
-  }
-
-  /** Holds if `p` destructs an enum variant `v`. */
-  pragma[nomagic]
-  private predicate tupleVariantCanonicalDestruction(TupleStructPat p, VariantInLib v) {
-    pathResolveToVariantInLib(p, v)
-  }
-
-  bindingset[pos]
-  predicate tupleVariantCanonicalDestruction(
-    TupleStructPat pat, VariantInLibTupleFieldContent c, int pos
-  ) {
-    tupleVariantCanonicalDestruction(pat, c.getVariantInLib(pos))
-  }
-
-  /** Holds if `ce` constructs an enum value of type `v`. */
-  pragma[nomagic]
-  private predicate tupleVariantCanonicalConstruction(CallExpr ce, VariantInLib v) {
-    pathResolveToVariantInLib(ce.getFunction().(PathExpr), v)
-  }
-
-  bindingset[pos]
-  predicate tupleVariantCanonicalConstruction(CallExpr ce, VariantInLibTupleFieldContent c, int pos) {
-    tupleVariantCanonicalConstruction(ce, c.getVariantInLib(pos))
-  }
-}
-
-class VariantInLibTupleFieldContent = VariantInLib::VariantInLibTupleFieldContent;
-
 class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a lambda of kind `kind`. */
@@ -486,6 +367,7 @@ module RustDataFlow implements InputSig<Location> {
   private import Aliases
   private import codeql.rust.dataflow.DataFlow
   private import Node as Node
+  private import codeql.rust.frameworks.stdlib.Stdlib
 
   /**
    * An element, viewed as a node in a data flow graph. Either an expression
@@ -671,11 +553,8 @@ module RustDataFlow implements InputSig<Location> {
     exists(Content c | c = cs.(SingletonContentSet).getContent() |
       exists(TupleStructPatCfgNode pat, int pos |
         pat = node1.asPat() and
-        node2.asPat() = pat.getField(pos)
-      |
+        node2.asPat() = pat.getField(pos) and
         c = TTupleFieldContent(pat.getTupleStructPat().getTupleField(pos))
-        or
-        VariantInLib::tupleVariantCanonicalDestruction(pat.getPat(), c, pos)
       )
       or
       exists(TuplePatCfgNode pat, int pos |
@@ -720,8 +599,8 @@ module RustDataFlow implements InputSig<Location> {
       exists(TryExprCfgNode try |
         node1.asExpr() = try.getExpr() and
         node2.asExpr() = try and
-        c.(VariantInLibTupleFieldContent).getVariantInLib(0).getExtendedCanonicalPath() =
-          ["crate::option::Option::Some", "crate::result::Result::Ok"]
+        c.(TupleFieldContent)
+            .isVariantField([any(OptionEnum o).getSome(), any(ResultEnum r).getOk()], 0)
       )
       or
       exists(PrefixExprCfgNode deref |
@@ -797,11 +676,8 @@ module RustDataFlow implements InputSig<Location> {
   private predicate storeContentStep(Node node1, Content c, Node node2) {
     exists(CallExprCfgNode call, int pos |
       node1.asExpr() = call.getArgument(pragma[only_bind_into](pos)) and
-      node2.asExpr() = call
-    |
+      node2.asExpr() = call and
       c = TTupleFieldContent(call.getCallExpr().getTupleField(pragma[only_bind_into](pos)))
-      or
-      VariantInLib::tupleVariantCanonicalConstruction(call.getCallExpr(), c, pos)
     )
     or
     exists(StructExprCfgNode re, string field |

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -11,6 +11,7 @@ private import Content
 
 module Input implements InputSig<Location, RustDataFlow> {
   private import codeql.rust.elements.internal.CallExprBaseImpl::Impl as CallExprBaseImpl
+  private import codeql.rust.frameworks.stdlib.Stdlib
 
   class SummarizedCallableBase = string;
 
@@ -66,9 +67,20 @@ module Input implements InputSig<Location, RustDataFlow> {
     exists(Content c | cs = TSingletonContentSet(c) |
       result = "Field" and
       (
-        exists(Addressable a, int pos |
+        exists(Addressable a, int pos, string prefix |
           // TODO: calculate in QL
-          arg = a.getExtendedCanonicalPath() + "(" + pos + ")"
+          arg = prefix + "(" + pos + ")" and
+          (
+            prefix = a.getExtendedCanonicalPath()
+            or
+            a = any(OptionEnum o).getSome() and
+            prefix = "crate::option::Option::Some"
+            or
+            exists(string name |
+              a = any(ResultEnum r).getVariant(name) and
+              prefix = "crate::result::Result::" + name
+            )
+          )
         |
           c.(TupleFieldContent).isStructField(a, pos)
           or
@@ -84,11 +96,6 @@ module Input implements InputSig<Location, RustDataFlow> {
           c.(StructFieldContent).isVariantField(a, field)
         )
         or
-        c =
-          any(VariantInLibTupleFieldContent v |
-            arg = v.getExtendedCanonicalPath() + "(" + v.getPosition() + ")"
-          )
-        or
         exists(int pos |
           c = TTuplePositionContent(pos) and
           arg = pos.toString()

rust/ql/lib/codeql/rust/elements/internal/EnumImpl.qll

@@ -11,6 +11,8 @@ private import codeql.rust.elements.internal.generated.Enum
  * be referenced directly.
  */
 module Impl {
+  private import rust
+
   // the following QLdoc is generated: if you need to edit it, do it in the schema file
   /**
    * A Enum. For example:
@@ -20,5 +22,12 @@ module Impl {
    */
   class Enum extends Generated::Enum {
     override string toStringImpl() { result = "enum " + this.getName().getText() }
+
+    /** Gets the variant named `name`, if any. */
+    pragma[nomagic]
+    Variant getVariant(string name) {
+      result = this.getVariantList().getAVariant() and
+      result.getName().getText() = name
+    }
   }
 }

rust/ql/lib/codeql/rust/elements/internal/PathImpl.qll

@@ -40,6 +40,18 @@ module Impl {
      */
     pragma[nomagic]
     string getText() { result = this.getPart().getNameRef().getText() }
+
+    /**
+     * Gets the full text of this path, including the qualifier.
+     *
+     * Should only be used for debugging purposes.
+     */
+    string toStringDebug() {
+      not this.hasQualifier() and
+      result = this.getText()
+      or
+      result = this.getQualifier().toStringDebug() + "::" + this.getText()
+    }
   }
 
   /** A simple identifier path. */

rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll

@@ -21,3 +21,48 @@ private class StartswithCall extends Path::SafeAccessCheck::Range, CfgNodes::Met
     branch = true
   }
 }
+
+/**
+ * The [`Option` enum][1].
+ *
+ * [1]: https://doc.rust-lang.org/std/option/enum.Option.html
+ */
+class OptionEnum extends Enum {
+  OptionEnum() {
+    // todo: replace with canonical path, once calculated in QL
+    exists(Crate core, Module m |
+      core.getName() = "core" and
+      m = core.getModule().getItemList().getAnItem() and
+      m.getName().getText() = "option" and
+      this = m.getItemList().getAnItem() and
+      this.getName().getText() = "Option"
+    )
+  }
+
+  /** Gets the `Some` variant. */
+  Variant getSome() { result = this.getVariant("Some") }
+}
+
+/**
+ * The [`Result` enum][1].
+ *
+ * [1]: https://doc.rust-lang.org/stable/std/result/enum.Result.html
+ */
+class ResultEnum extends Enum {
+  ResultEnum() {
+    // todo: replace with canonical path, once calculated in QL
+    exists(Crate core, Module m |
+      core.getName() = "core" and
+      m = core.getModule().getItemList().getAnItem() and
+      m.getName().getText() = "result" and
+      this = m.getItemList().getAnItem() and
+      this.getName().getText() = "Result"
+    )
+  }
+
+  /** Gets the `Ok` variant. */
+  Variant getOk() { result = this.getVariant("Ok") }
+
+  /** Gets the `Err` variant. */
+  Variant getErr() { result = this.getVariant("Err") }
+}

rust/ql/lib/codeql/rust/internal/PathResolution.qll

@@ -175,6 +175,8 @@ abstract class ItemNode extends Locatable {
   ItemNode getASuccessor(string name) {
     result = this.getASuccessorRec(name)
     or
+    preludeEdge(this, name, result)
+    or
     name = "super" and
     if this instanceof Module or this instanceof SourceFile
     then result = this.getImmediateParentModule()
@@ -214,6 +216,16 @@ abstract private class ModuleLikeNode extends ItemNode {
       not mid instanceof ModuleLikeNode
     )
   }
+
+  /**
+   * Holds if this is a root module, meaning either a source file or
+   * the entry module of a crate.
+   */
+  predicate isRoot() {
+    this instanceof SourceFileItemNode
+    or
+    this = any(CrateItemNode c).getModuleNode()
+  }
 }
 
 private class SourceFileItemNode extends ModuleLikeNode, SourceFile {
@@ -807,9 +819,9 @@ private predicate unqualifiedPathLookup(RelevantPath p, string name, Namespace n
       )
     |
       // nested modules do not have unqualified access to items from outer modules,
-      // except for items declared at top-level in the source file
+      // except for items declared at top-level in the root module
       if mid instanceof Module
-      then encl0.(SourceFileItemNode) = mid.getImmediateParent+()
+      then encl0 = mid.getImmediateParent+() and encl0.(ModuleLikeNode).isRoot()
       else encl0 = mid.getImmediateParent()
     )
   |
@@ -1021,6 +1033,26 @@ private predicate useImportEdge(Use use, string name, ItemNode item) {
   )
 }
 
+/**
+ * Holds if `i` is available inside `f` because it is reexported in [the prelude][1].
+ *
+ * We don't yet have access to prelude information from the extractor, so for now
+ * we include all the preludes for Rust 2015, 2018, 2021, and 2024.
+ *
+ * [1]: https://doc.rust-lang.org/core/prelude/index.html
+ */
+private predicate preludeEdge(SourceFile f, string name, ItemNode i) {
+  exists(Crate core, ModuleItemNode mod, ModuleItemNode prelude, ModuleItemNode rust |
+    f = any(Crate c0 | core = c0.getDependency(_)).getASourceFile() and
+    core.getName() = "core" and
+    mod = core.getModule() and
+    prelude = mod.getASuccessorRec("prelude") and
+    rust = prelude.getASuccessorRec(["rust_2015", "rust_2018", "rust_2021", "rust_2024"]) and
+    i = rust.getASuccessorRec(name) and
+    not i instanceof Use
+  )
+}
+
 /** Provides predicates for debugging the path resolution implementation. */
 private module Debug {
   private Locatable getRelevantLocatable() {