Skip to content

Rust: Generalize some models #20652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Oct 20, 2025
Merged

Rust: Generalize some models #20652

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
ea6c7cf
Rust: Generalize stdlib 'a as b' models.
geoffw0 Oct 15, 2025
483ab59
Rust: Combine and expand some of the models.
geoffw0 Oct 15, 2025
612e95b
Rust: More deduplication.
geoffw0 Oct 15, 2025
5105976
Rust: Change note.
geoffw0 Oct 15, 2025
217508e
Merge branch 'main' into gen1
geoffw0 Oct 16, 2025
c30e9a9
Rust: Accept changes to other test expectations.
geoffw0 Oct 16, 2025
c56de30
Rust: Fix merge conflict in .expected file.
geoffw0 Oct 16, 2025
ee86655
Rust: Update another affected test.
geoffw0 Oct 16, 2025
b933f8d
Merge branch 'main' into gen1
geoffw0 Oct 16, 2025
d4a599c
Rust: Accept more minor test expectation changes.
geoffw0 Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions rust/ql/lib/change-notes/2025-10-15-models.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Generalized some existing models to improve data flow.
24 changes: 8 additions & 16 deletions rust/ql/lib/codeql/rust/frameworks/stdlib/alloc.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,19 +14,11 @@ extensions:
- ["alloc::alloc::alloc_zeroed", "Argument[0]", "alloc-layout", "manual"]
- ["alloc::alloc::realloc", "Argument[2]", "alloc-size", "manual"]
- ["<_ as core::alloc::global::GlobalAlloc>::alloc", "Argument[0]", "alloc-layout", "manual"]
- ["<std::alloc::System as core::alloc::global::GlobalAlloc>::alloc", "Argument[0]", "alloc-layout", "manual"]
- ["<_ as core::alloc::global::GlobalAlloc>::alloc_zeroed", "Argument[0]", "alloc-layout", "manual"]
- ["<std::alloc::System as core::alloc::global::GlobalAlloc>::alloc_zeroed", "Argument[0]", "alloc-layout", "manual"]
- ["<std::alloc::System as core::alloc::Allocator>::allocate", "Argument[0]", "alloc-layout", "manual"]
- ["<std::alloc::System as core::alloc::Allocator>::allocate_zeroed", "Argument[0]", "alloc-layout", "manual"]
- ["<std::alloc::System as core::alloc::Allocator>::grow", "Argument[2]", "alloc-layout", "manual"]
- ["<std::alloc::System as core::alloc::Allocator>::grow_zeroed", "Argument[2]", "alloc-layout", "manual"]
- ["<alloc::alloc::Global as core::alloc::global::GlobalAlloc>::alloc", "Argument[0]", "alloc-layout", "manual"]
- ["<alloc::alloc::Global as core::alloc::global::GlobalAlloc>::alloc_zeroed", "Argument[0]", "alloc-layout", "manual"]
- ["<alloc::alloc::Global as core::alloc::Allocator>::allocate", "Argument[0]", "alloc-layout", "manual"]
- ["<alloc::alloc::Global as core::alloc::Allocator>::allocate_zeroed", "Argument[0]", "alloc-layout", "manual"]
- ["<alloc::alloc::Global as core::alloc::Allocator>::grow", "Argument[2]", "alloc-layout", "manual"]
- ["<alloc::alloc::Global as core::alloc::Allocator>::grow_zeroed", "Argument[2]", "alloc-layout", "manual"]
- ["<_ as core::alloc::Allocator>::allocate", "Argument[0]", "alloc-layout", "manual"]
- ["<_ as core::alloc::Allocator>::allocate_zeroed", "Argument[0]", "alloc-layout", "manual"]
- ["<_ as core::alloc::Allocator>::grow", "Argument[2]", "alloc-layout", "manual"]
- ["<_ as core::alloc::Allocator>::grow_zeroed", "Argument[2]", "alloc-layout", "manual"]
- addsTo:
pack: codeql/rust-all
extensible: summaryModel
Expand All @@ -42,11 +34,11 @@ extensions:
- ["<core::str>::as_bytes", "Argument[self]", "ReturnValue", "value", "manual"]
- ["<alloc::string::String>::as_str", "Argument[self]", "ReturnValue", "value", "manual"]
- ["<alloc::string::String>::as_bytes", "Argument[self]", "ReturnValue", "value", "manual"]
- ["<alloc::str as alloc::string::ToString>::to_string", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["<alloc::string::String as alloc::string::ToString>::to_string", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["<_ as alloc::string::ToString>::to_string", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["<core::str>::parse", "Argument[self]", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
- ["<core::str>::trim", "Argument[self]", "ReturnValue.Reference", "taint", "manual"]
- ["<alloc::string::String as core::ops::arith::Add>::add", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["<alloc::string::String as core::ops::arith::Add>::add", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
- ["<_ as core::ops::arith::Add>::add", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["<_ as core::ops::arith::Add>::add", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["<_ as core::ops::arith::Add>::add", "Argument[0].Reference", "ReturnValue", "taint", "manual"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this model needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes - its needed for this line in the dataflow/strings test:

sink("Hello ".to_string() + &s1); // $ hasTaintFlow=37

i.e. its a workaround for dealing with the implicit dereference on the RHS when the + is appending strings.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should have made the model more explicit then, i.e. alloc::string::String as core::ops::arith::Add, since the implementation of + uses a &str as the RHS type instead of the default Self: https://doc.rust-lang.org/std/string/struct.String.html#impl-Add%3C%26str%3E-for-String.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd rather keep it general I think - I don't think there's anything stopping people implementing it that way for other types and if they do, we'll cover that.

# Vec
- ["alloc::vec::from_elem", "Argument[0]", "ReturnValue.Element", "value", "manual"]
11 changes: 3 additions & 8 deletions rust/ql/lib/codeql/rust/frameworks/stdlib/core.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,25 +9,20 @@ extensions:
- ["<core::alloc::layout::Layout>::align_to", "Argument[self].Element", "ReturnValue.Field[0,1,2].Reference.Element", "taint", "manual"]
- ["<_ as core::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"]
- ["<_ as core::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"]
- ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"]
- ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"]
# From
- ["<_ as core::convert::From>::from", "Argument[0]", "ReturnValue", "taint", "manual"]
# Iterator
- ["<core::result::Result>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
- ["<alloc::vec::Vec as value_trait::array::Array>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
- ["<_ as value_trait::array::Array>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
- ["<core::result::Result>::iter_mut", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
- ["<core::result::Result>::into_iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
- ["<_ as core::iter::traits::iterator::Iterator>::for_each", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
- ["<_ as core::iter::traits::iterator::Iterator>::nth", "Argument[self].Element", "ReturnValue.Field[core::option::Option::Some(0)]", "value", "manual"]
- ["<_ as core::iter::traits::iterator::Iterator>::next", "Argument[self].Element", "ReturnValue.Field[core::option::Option::Some(0)]", "value", "manual"]
- ["<_ as core::iter::traits::iterator::Iterator>::next", "Argument[self].Element", "ReturnValue.Field[core::option::Option::Some(0)].Field[core::result::Result::Ok(0)]", "value", "manual"]
- ["<_ as core::iter::traits::iterator::Iterator>::collect", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
- ["<_ as core::iter::traits::iterator::Iterator>::map", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
- ["<_ as core::iter::traits::iterator::Iterator>::for_each", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
- ["<core::slice::iter::Iter as core::iter::traits::iterator::Iterator>::nth", "Argument[self].Element", "ReturnValue.Field[core::option::Option::Some(0)]", "value", "manual"]
- ["<core::slice::iter::Iter as core::iter::traits::iterator::Iterator>::next", "Argument[self].Element", "ReturnValue.Field[core::option::Option::Some(0)]", "value", "manual"]
- ["<core::slice::iter::Iter as core::iter::traits::iterator::Iterator>::collect", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
- ["<core::slice::iter::Iter as core::iter::traits::iterator::Iterator>::map", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
- ["<_ as core::iter::traits::iterator::Iterator>::for_each", "Argument[self].Element", "Argument[0].Parameter[0]", "value", "manual"]
# Layout
- ["<core::alloc::layout::Layout>::from_size_align", "Argument[0]", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
- ["<core::alloc::layout::Layout>::from_size_align_unchecked", "Argument[0]", "ReturnValue", "taint", "manual"]
Expand Down
15 changes: 1 addition & 14 deletions rust/ql/lib/codeql/rust/frameworks/stdlib/io.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,23 +9,11 @@ extensions:
extensible: summaryModel
data:
- ["<std::io::buffered::bufreader::BufReader>::new", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["<std::io::buffered::bufreader::BufReader as std::io::BufRead>::fill_buf", "Argument[self]", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
- ["<_ as std::io::BufRead>::fill_buf", "Argument[self]", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
- ["<std::io::buffered::bufreader::BufReader>::buffer", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["<std::io::stdio::Stdin as std::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::io::stdio::StdinLock as std::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::fs::File as std::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<_ as std::io::Read>::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::io::stdio::Stdin as std::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::io::stdio::StdinLock as std::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::fs::File as std::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<_ as std::io::Read>::read_to_string", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::io::stdio::Stdin as std::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::io::stdio::StdinLock as std::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::fs::File as std::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<_ as std::io::Read>::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::io::stdio::Stdin as std::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::io::stdio::StdinLock as std::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<std::fs::File as std::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<_ as std::io::Read>::read_exact", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<_ as std::io::BufRead>::read_line", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["<_ as std::io::BufRead>::read_until", "Argument[self]", "Argument[1].Reference", "taint", "manual"]
Expand All @@ -36,4 +24,3 @@ extensions:
- ["<_ as std::io::Read>::chain", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["<_ as std::io::Read>::take", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["<std::io::stdio::Stdin>::lock", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["<std::io::Split as core::iter::traits::iterator::Iterator>::next", "Argument[self]", "ReturnValue.Field[core::option::Option::Some(0)].Field[core::result::Result::Ok(0)]", "taint", "manual"]
6 changes: 3 additions & 3 deletions rust/ql/test/library-tests/dataflow/local/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -508,9 +508,9 @@ fn parse() {
let d: i64 = b.parse().unwrap();

sink(a); // $ hasValueFlow=90
sink_string(b); // $ MISSING: we are not currently able to resolve the `to_string` call above, which comes from `impl<T: fmt::Display + ?Sized> ToString for T`
sink(c); // $ MISSING: hasTaintFlow=90 - we are not currently able to resolve the `parse` call above
sink(d); // $ MISSING: hasTaintFlow=90 - we are not currently able to resolve the `parse` call above
sink_string(b); // $ hasTaintFlow=90
sink(c); // $ hasTaintFlow=90
sink(d); // $ hasTaintFlow=90
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! 🎉

}

fn iterators() {
Expand Down
Loading