Rust: Model Deref trait in type inference

Author: hvitved

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -1441,24 +1441,13 @@ private module MethodResolution {
      * Same as `getACandidateReceiverTypeAt`, but without borrows.
      */
     pragma[nomagic]
-    private Type getACandidateReceiverTypeAtNoBorrow(string derefChain, TypePath path) {
+    Type getACandidateReceiverTypeAtNoBorrow(string derefChain, TypePath path) {
       result = this.getReceiverTypeAt(path) and
       derefChain = ""
       or
-      this.supportsAutoDerefAndBorrow() and
-      exists(TypePath path0, Type t0, string derefChain0 |
-        this.hasNoCompatibleTargetMutBorrow(derefChain0) and
-        t0 = this.getACandidateReceiverTypeAtNoBorrow(derefChain0, path0)
-      |
-        path0.isCons(getRefTypeParameter(), path) and
-        result = t0 and
-        derefChain = derefChain0 + ".ref"
-        or
-        path0.isEmpty() and
-        path = path0 and
-        t0 = getStringStruct() and
-        result = getStrStruct() and
-        derefChain = derefChain0 + ".str"
+      exists(ImplicitDeref::DerefImplItemNode impl, string derefChain0 |
+        result = ImplicitDeref::getDereferencedCandidateReceiverType(this, impl, derefChain0, path) and
+        derefChain = derefChain0 + "." + impl.getId()
       )
     }
 
@@ -1698,8 +1687,11 @@ private module MethodResolution {
     }
 
     predicate receiverHasImplicitDeref(AstNode receiver) {
-      exists(this.resolveCallTarget(_, ".ref", TNoBorrowKind())) and
-      receiver = this.getArg(any(ArgumentPosition pos | pos.isSelf()))
+      exists(ImplicitDeref::DerefImplItemNode impl |
+        impl.isRefImpl() and
+        exists(this.resolveCallTarget(_, "." + impl.getId(), TNoBorrowKind())) and
+        receiver = this.getArg(any(ArgumentPosition pos | pos.isSelf()))
+      )
     }
 
     predicate argumentHasImplicitBorrow(AstNode arg, BorrowKind borrow) {
@@ -1969,6 +1961,98 @@ private module MethodResolution {
     Location getLocation() { result = mc_.getLocation() }
   }
 
+  module ImplicitDeref {
+    private import codeql.rust.elements.internal.generated.Raw
+    private import codeql.rust.elements.internal.generated.Synth
+
+    /** An `impl` block that implements the `Deref` trait. */
+    class DerefImplItemNode extends ImplItemNode {
+      DerefImplItemNode() { this.resolveTraitTy() instanceof DerefTrait }
+
+      /**
+       * Holds if this `impl` block is the special `Deref` implementation for
+       * `&T` or `&mut T`:
+       *
+       * ```rust
+       * impl<T: ?Sized> const Deref for &T
+       * ```
+       *
+       * or
+       *
+       * ```rust
+       * impl<T: ?Sized> const Deref for &mut T
+       * ```
+       */
+      predicate isRefImpl() { this.resolveSelfTyBuiltin() instanceof Builtins::RefType }
+
+      /** Gets an internal unique ID used to identify this block amongst all `Deref` impl blocks. */
+      int getId() { idOfRaw(Synth::convertAstNodeToRaw(this), result) }
+    }
+
+    private class DerefImplItemRaw extends Raw::Impl {
+      DerefImplItemRaw() { this = Synth::convertAstNodeToRaw(any(DerefImplItemNode i)) }
+    }
+
+    private predicate id(DerefImplItemRaw x, DerefImplItemRaw y) { x = y }
+
+    private predicate idOfRaw(DerefImplItemRaw x, int y) = equivalenceRelation(id/2)(x, y)
+
+    private newtype TMethodCallDerefCand =
+      MkMethodCallDerefCand(MethodCall mc, string derefChain) {
+        mc.supportsAutoDerefAndBorrow() and
+        mc.hasNoCompatibleTargetMutBorrow(derefChain) and
+        exists(mc.getACandidateReceiverTypeAtNoBorrow(derefChain, _))
+      }
+
+    private class MethodCallDerefCand extends MkMethodCallDerefCand {
+      MethodCall mc_;
+      string derefChain;
+
+      MethodCallDerefCand() { this = MkMethodCallDerefCand(mc_, derefChain) }
+
+      MethodCall getMethodCall() { result = mc_ }
+
+      Type getTypeAt(TypePath path) {
+        result = substituteLookupTraits(mc_.getACandidateReceiverTypeAtNoBorrow(derefChain, path)) and
+        not result = TNeverType() and
+        not result = TUnknownType()
+      }
+
+      string toString() { result = mc_.toString() + " [" + derefChain + "]" }
+
+      Location getLocation() { result = mc_.getLocation() }
+    }
+
+    private module MethodCallSatisfiesConstraintInput implements
+      SatisfiesConstraintInputSig<MethodCallDerefCand>
+    {
+      pragma[nomagic]
+      predicate relevantConstraint(MethodCallDerefCand mc, Type constraint) {
+        exists(mc) and
+        constraint.(TraitType).getTrait() instanceof DerefTrait
+      }
+
+      predicate useUniversalConditions() { none() }
+    }
+
+    pragma[nomagic]
+    private AssociatedTypeTypeParameter getDerefTargetTypeParameter() {
+      result.getTypeAlias() = any(DerefTrait ft).getTargetType()
+    }
+
+    pragma[nomagic]
+    Type getDereferencedCandidateReceiverType(
+      MethodCall mc, DerefImplItemNode impl, string derefChain, TypePath path
+    ) {
+      exists(MethodCallDerefCand mcc, TypePath exprPath |
+        mcc = MkMethodCallDerefCand(mc, derefChain) and
+        SatisfiesConstraint<MethodCallDerefCand, MethodCallSatisfiesConstraintInput>::satisfiesConstraintType(mcc,
+          impl, _, exprPath, result) and
+        exprPath.isCons(getDerefTargetTypeParameter(), path)
+      )
+    }
+  }
+
   private module ReceiverSatisfiesBlanketLikeConstraintInput implements
     BlanketImplementation::SatisfiesBlanketConstraintInputSig<MethodCallCand>
   {
@@ -2347,9 +2431,12 @@ private Type inferMethodCallType1(AstNode n, boolean isReturn, TypePath path) {
     path = path0
     or
     // adjust for implicit deref
-    apos.isSelf() and
-    derefChainBorrow = ".ref;" and
-    path = TypePath::cons(getRefTypeParameter(), path0)
+    exists(MethodResolution::ImplicitDeref::DerefImplItemNode impl |
+      impl.isRefImpl() and
+      apos.isSelf() and
+      derefChainBorrow = "." + impl.getId() + ";" and
+      path = TypePath::cons(getRefTypeParameter(), path0)
+    )
     or
     // adjust for implicit borrow
     apos.isSelf() and
@@ -3156,9 +3243,6 @@ private Type inferTryExprType(TryExpr te, TypePath path) {
 pragma[nomagic]
 private StructType getStrStruct() { result = TStruct(any(Builtins::Str s)) }
 
-pragma[nomagic]
-private StructType getStringStruct() { result = TStruct(any(StringStruct s)) }
-
 pragma[nomagic]
 private Type inferLiteralType(LiteralExpr le, TypePath path, boolean certain) {
   path.isEmpty() and

rust/ql/test/library-tests/type-inference/blanket_impl.rs

@@ -53,9 +53,9 @@ mod basic_blanket_impl {
         println!("{x4:?}");
         let x5 = S1::duplicate(&S1); // $ target=Clone1duplicate
         println!("{x5:?}");
-        let x6 = S2.duplicate(); // $ MISSING: target=Clone1duplicate
+        let x6 = S2.duplicate(); // $ target=Clone1duplicate
         println!("{x6:?}");
-        let x7 = (&S2).duplicate(); // $ MISSING: target=Clone1duplicate
+        let x7 = (&S2).duplicate(); // $ target=Clone1duplicate
         println!("{x7:?}");
     }
 }

rust/ql/test/library-tests/type-inference/dereference.rs

@@ -102,18 +102,18 @@ fn explicit_box_dereference() {
 fn implicit_dereference() {
     // Call method on implicitly dereferenced value
     let x = MyIntPointer { value: 34i64 };
-    let _y = x.is_positive(); // $ MISSING: target=is_positive type=_y:bool
+    let _y = x.is_positive(); // $ target=is_positive type=_y:bool
 
     // Call method on implicitly dereferenced value
     let x = MySmartPointer { value: 34i64 };
-    let _y = x.is_positive(); // $ MISSING: target=is_positive type=_y:bool
+    let _y = x.is_positive(); // $ target=is_positive type=_y:bool
 
     let z = MySmartPointer { value: S(0i64) };
-    let z_ = z.foo(); // $ MISSING: target=foo type=z_:TRef.i64
+    let z_ = z.foo(); // $ target=foo type=z_:TRef.i64
 
     let v = Vec::new(); // $ target=new $ MISSING: type=x:T.i32
     let mut x = MySmartPointer { value: v };
-    x.push(0); // $ MISSING: target=push
+    x.push(0); // $ target=push
 }
 
 mod implicit_deref_coercion_cycle {

rust/ql/test/library-tests/type-inference/main.rs

@@ -2888,8 +2888,8 @@ pub mod path_buf {
         let path3 = path2.unwrap(); // $ target=unwrap type=path3:PathBuf
 
         let pathbuf1 = PathBuf::new(); // $ target=new certainType=pathbuf1:PathBuf
-        let pathbuf2 = pathbuf1.canonicalize(); // $ MISSING: target=canonicalize
-        let pathbuf3 = pathbuf2.unwrap(); // $ MISSING: target=unwrap type=pathbuf3:PathBuf
+        let pathbuf2 = pathbuf1.canonicalize(); // $ target=canonicalize
+        let pathbuf3 = pathbuf2.unwrap(); // $ target=unwrap type=pathbuf3:PathBuf
     }
 }
 

rust/ql/test/library-tests/type-inference/type-inference.expected

@@ -4573,20 +4573,26 @@ inferType
 | blanket_impl.rs:55:18:55:25 | ...::_print(...) |  | {EXTERNAL LOCATION} | () |
 | blanket_impl.rs:55:18:55:25 | { ... } |  | {EXTERNAL LOCATION} | () |
 | blanket_impl.rs:55:20:55:21 | x5 |  | blanket_impl.rs:6:5:7:14 | S1 |
+| blanket_impl.rs:56:13:56:14 | x6 |  | blanket_impl.rs:6:5:7:14 | S1 |
 | blanket_impl.rs:56:18:56:19 | S2 |  | blanket_impl.rs:9:5:10:14 | S2 |
+| blanket_impl.rs:56:18:56:31 | S2.duplicate() |  | blanket_impl.rs:6:5:7:14 | S1 |
 | blanket_impl.rs:57:18:57:25 | "{x6:?}\\n" |  | {EXTERNAL LOCATION} | & |
 | blanket_impl.rs:57:18:57:25 | "{x6:?}\\n" | TRef | {EXTERNAL LOCATION} | str |
 | blanket_impl.rs:57:18:57:25 | ...::_print(...) |  | {EXTERNAL LOCATION} | () |
 | blanket_impl.rs:57:18:57:25 | { ... } |  | {EXTERNAL LOCATION} | () |
+| blanket_impl.rs:57:20:57:21 | x6 |  | blanket_impl.rs:6:5:7:14 | S1 |
+| blanket_impl.rs:58:13:58:14 | x7 |  | blanket_impl.rs:6:5:7:14 | S1 |
 | blanket_impl.rs:58:18:58:22 | (...) |  | {EXTERNAL LOCATION} | & |
 | blanket_impl.rs:58:18:58:22 | (...) | TRef | blanket_impl.rs:9:5:10:14 | S2 |
+| blanket_impl.rs:58:18:58:34 | ... .duplicate() |  | blanket_impl.rs:6:5:7:14 | S1 |
 | blanket_impl.rs:58:19:58:21 | &S2 |  | {EXTERNAL LOCATION} | & |
 | blanket_impl.rs:58:19:58:21 | &S2 | TRef | blanket_impl.rs:9:5:10:14 | S2 |
 | blanket_impl.rs:58:20:58:21 | S2 |  | blanket_impl.rs:9:5:10:14 | S2 |
 | blanket_impl.rs:59:18:59:25 | "{x7:?}\\n" |  | {EXTERNAL LOCATION} | & |
 | blanket_impl.rs:59:18:59:25 | "{x7:?}\\n" | TRef | {EXTERNAL LOCATION} | str |
 | blanket_impl.rs:59:18:59:25 | ...::_print(...) |  | {EXTERNAL LOCATION} | () |
 | blanket_impl.rs:59:18:59:25 | { ... } |  | {EXTERNAL LOCATION} | () |
+| blanket_impl.rs:59:20:59:21 | x7 |  | blanket_impl.rs:6:5:7:14 | S1 |
 | blanket_impl.rs:68:24:68:24 | x |  | {EXTERNAL LOCATION} | i64 |
 | blanket_impl.rs:68:32:68:32 | y |  | blanket_impl.rs:67:5:69:5 | Self [trait Trait1] |
 | blanket_impl.rs:72:24:72:24 | x |  | {EXTERNAL LOCATION} | i64 |
@@ -5214,14 +5220,18 @@ inferType
 | dereference.rs:104:9:104:9 | x |  | dereference.rs:5:1:7:1 | MyIntPointer |
 | dereference.rs:104:13:104:41 | MyIntPointer {...} |  | dereference.rs:5:1:7:1 | MyIntPointer |
 | dereference.rs:104:35:104:39 | 34i64 |  | {EXTERNAL LOCATION} | i64 |
+| dereference.rs:105:9:105:10 | _y |  | {EXTERNAL LOCATION} | bool |
 | dereference.rs:105:14:105:14 | x |  | dereference.rs:5:1:7:1 | MyIntPointer |
+| dereference.rs:105:14:105:28 | x.is_positive() |  | {EXTERNAL LOCATION} | bool |
 | dereference.rs:108:9:108:9 | x |  | dereference.rs:18:1:20:1 | MySmartPointer |
 | dereference.rs:108:9:108:9 | x | T | {EXTERNAL LOCATION} | i64 |
 | dereference.rs:108:13:108:43 | MySmartPointer {...} |  | dereference.rs:18:1:20:1 | MySmartPointer |
 | dereference.rs:108:13:108:43 | MySmartPointer {...} | T | {EXTERNAL LOCATION} | i64 |
 | dereference.rs:108:37:108:41 | 34i64 |  | {EXTERNAL LOCATION} | i64 |
+| dereference.rs:109:9:109:10 | _y |  | {EXTERNAL LOCATION} | bool |
 | dereference.rs:109:14:109:14 | x |  | dereference.rs:18:1:20:1 | MySmartPointer |
 | dereference.rs:109:14:109:14 | x | T | {EXTERNAL LOCATION} | i64 |
+| dereference.rs:109:14:109:28 | x.is_positive() |  | {EXTERNAL LOCATION} | bool |
 | dereference.rs:111:9:111:9 | z |  | dereference.rs:18:1:20:1 | MySmartPointer |
 | dereference.rs:111:9:111:9 | z | T | dereference.rs:38:1:38:15 | S |
 | dereference.rs:111:9:111:9 | z | T.T | {EXTERNAL LOCATION} | i64 |
@@ -5231,9 +5241,13 @@ inferType
 | dereference.rs:111:37:111:43 | S(...) |  | dereference.rs:38:1:38:15 | S |
 | dereference.rs:111:37:111:43 | S(...) | T | {EXTERNAL LOCATION} | i64 |
 | dereference.rs:111:39:111:42 | 0i64 |  | {EXTERNAL LOCATION} | i64 |
+| dereference.rs:112:9:112:10 | z_ |  | {EXTERNAL LOCATION} | & |
+| dereference.rs:112:9:112:10 | z_ | TRef | {EXTERNAL LOCATION} | i64 |
 | dereference.rs:112:14:112:14 | z |  | dereference.rs:18:1:20:1 | MySmartPointer |
 | dereference.rs:112:14:112:14 | z | T | dereference.rs:38:1:38:15 | S |
 | dereference.rs:112:14:112:14 | z | T.T | {EXTERNAL LOCATION} | i64 |
+| dereference.rs:112:14:112:20 | z.foo() |  | {EXTERNAL LOCATION} | & |
+| dereference.rs:112:14:112:20 | z.foo() | TRef | {EXTERNAL LOCATION} | i64 |
 | dereference.rs:114:9:114:9 | v |  | {EXTERNAL LOCATION} | Vec |
 | dereference.rs:114:9:114:9 | v | A | {EXTERNAL LOCATION} | Global |
 | dereference.rs:114:13:114:22 | ...::new(...) |  | {EXTERNAL LOCATION} | Vec |
@@ -5249,6 +5263,7 @@ inferType
 | dereference.rs:116:5:116:5 | x |  | dereference.rs:18:1:20:1 | MySmartPointer |
 | dereference.rs:116:5:116:5 | x | T | {EXTERNAL LOCATION} | Vec |
 | dereference.rs:116:5:116:5 | x | T.A | {EXTERNAL LOCATION} | Global |
+| dereference.rs:116:5:116:13 | x.push(...) |  | {EXTERNAL LOCATION} | () |
 | dereference.rs:116:12:116:12 | 0 |  | {EXTERNAL LOCATION} | i32 |
 | dereference.rs:143:19:151:5 | { ... } |  | {EXTERNAL LOCATION} | () |
 | dereference.rs:144:17:144:26 | key_to_key |  | {EXTERNAL LOCATION} | HashMap |
@@ -10731,7 +10746,18 @@ inferType
 | main.rs:2888:21:2888:34 | path2.unwrap() |  | main.rs:2865:5:2865:25 | PathBuf |
 | main.rs:2890:13:2890:20 | pathbuf1 |  | main.rs:2865:5:2865:25 | PathBuf |
 | main.rs:2890:24:2890:37 | ...::new(...) |  | main.rs:2865:5:2865:25 | PathBuf |
+| main.rs:2891:13:2891:20 | pathbuf2 |  | {EXTERNAL LOCATION} | Result |
+| main.rs:2891:13:2891:20 | pathbuf2 | E | {EXTERNAL LOCATION} | () |
+| main.rs:2891:13:2891:20 | pathbuf2 | T | main.rs:2865:5:2865:25 | PathBuf |
 | main.rs:2891:24:2891:31 | pathbuf1 |  | main.rs:2865:5:2865:25 | PathBuf |
+| main.rs:2891:24:2891:46 | pathbuf1.canonicalize() |  | {EXTERNAL LOCATION} | Result |
+| main.rs:2891:24:2891:46 | pathbuf1.canonicalize() | E | {EXTERNAL LOCATION} | () |
+| main.rs:2891:24:2891:46 | pathbuf1.canonicalize() | T | main.rs:2865:5:2865:25 | PathBuf |
+| main.rs:2892:13:2892:20 | pathbuf3 |  | main.rs:2865:5:2865:25 | PathBuf |
+| main.rs:2892:24:2892:31 | pathbuf2 |  | {EXTERNAL LOCATION} | Result |
+| main.rs:2892:24:2892:31 | pathbuf2 | E | {EXTERNAL LOCATION} | () |
+| main.rs:2892:24:2892:31 | pathbuf2 | T | main.rs:2865:5:2865:25 | PathBuf |
+| main.rs:2892:24:2892:40 | pathbuf2.unwrap() |  | main.rs:2865:5:2865:25 | PathBuf |
 | main.rs:2898:14:2898:18 | SelfParam |  | {EXTERNAL LOCATION} | & |
 | main.rs:2898:14:2898:18 | SelfParam | TRef | main.rs:2897:5:2899:5 | Self [trait MyTrait] |
 | main.rs:2905:14:2905:18 | SelfParam |  | {EXTERNAL LOCATION} | & |

shared/typeinference/codeql/typeinference/internal/TypeInference.qll

@@ -1059,9 +1059,10 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
 
       pragma[nomagic]
       private predicate satisfiesConstraintTypeMention1(
-        HasTypeTree tt, Type constraint, TypePath path, TypePath pathToTypeParamInSub
+        HasTypeTree tt, TypeAbstraction abs, Type constraint, TypePath path,
+        TypePath pathToTypeParamInSub
       ) {
-        exists(TypeAbstraction abs, TypeMention sub, TypeParameter tp |
+        exists(TypeMention sub, TypeParameter tp |
           satisfiesConstraintTypeMention0(tt, constraint, abs, sub, path, tp) and
           tp = abs.getATypeParameter() and
           sub.resolveTypeAt(pathToTypeParamInSub) = tp
@@ -1073,17 +1074,26 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
        * with the type `t` at `path`.
        */
       pragma[nomagic]
-      predicate satisfiesConstraintType(HasTypeTree tt, Type constraint, TypePath path, Type t) {
-        exists(TypeAbstraction abs |
-          satisfiesConstraintTypeMention0(tt, constraint, abs, _, path, t) and
-          not t = abs.getATypeParameter()
-        )
+      predicate satisfiesConstraintType(
+        HasTypeTree tt, TypeAbstraction abs, Type constraint, TypePath path, Type t
+      ) {
+        satisfiesConstraintTypeMention0(tt, constraint, abs, _, path, t) and
+        not t = abs.getATypeParameter()
         or
         exists(TypePath prefix0, TypePath pathToTypeParamInSub, TypePath suffix |
-          satisfiesConstraintTypeMention1(tt, constraint, prefix0, pathToTypeParamInSub) and
+          satisfiesConstraintTypeMention1(tt, abs, constraint, prefix0, pathToTypeParamInSub) and
           tt.getTypeAt(pathToTypeParamInSub.appendInverse(suffix)) = t and
           path = prefix0.append(suffix)
         )
+      }
+
+      /**
+       * Holds if the type tree at `tt` satisfies the constraint `constraint`
+       * with the type `t` at `path`.
+       */
+      pragma[nomagic]
+      predicate satisfiesConstraintType(HasTypeTree tt, Type constraint, TypePath path, Type t) {
+        satisfiesConstraintType(tt, _, constraint, path, t)
         or
         hasTypeConstraint(tt, constraint, constraint) and
         t = tt.getTypeAt(path)