Merge pull request #20547 from paldepind/rust/function-as-lambda

Rust: Handle functions as data flow lambdas

Author: paldepind

rust/ql/lib/change-notes/2025-09-29-data-flow-function-pointer.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improve data flow through functions being passed as function pointers. 

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -295,13 +295,10 @@ module LocalFlow {
 class LambdaCallKind = Unit;
 
 /** Holds if `creation` is an expression that creates a lambda of kind `kind`. */
-predicate lambdaCreationExpr(Expr creation, LambdaCallKind kind) {
-  (
-    creation instanceof ClosureExpr
-    or
-    creation instanceof Scope::AsyncBlockScope
-  ) and
-  exists(kind)
+predicate lambdaCreationExpr(Expr creation) {
+  creation instanceof ClosureExpr
+  or
+  creation instanceof Scope::AsyncBlockScope
 }
 
 /**
@@ -810,8 +807,15 @@ module RustDataFlow implements InputSig<Location> {
 
   /** Holds if `creation` is an expression that creates a lambda of kind `kind` for `c`. */
   predicate lambdaCreation(Node creation, LambdaCallKind kind, DataFlowCallable c) {
-    exists(Expr e |
-      e = creation.asExpr().getExpr() and lambdaCreationExpr(e, kind) and e = c.asCfgScope()
+    exists(kind) and
+    exists(Expr e | e = creation.asExpr().getExpr() |
+      lambdaCreationExpr(e) and e = c.asCfgScope()
+      or
+      // A path expression, that resolves to a function, evaluates to a function
+      // pointer. Except if the path occurs directly in a call, then it's just a
+      // call to the function and not a function being passed as data.
+      resolvePath(e.(PathExpr).getPath()) = c.asCfgScope() and
+      not any(CallExpr call).getFunction() = e
     )
   }
 
@@ -931,7 +935,7 @@ module VariableCapture {
     }
 
     class ClosureExpr extends Expr instanceof ExprCfgNode {
-      ClosureExpr() { lambdaCreationExpr(super.getExpr(), _) }
+      ClosureExpr() { lambdaCreationExpr(super.getExpr()) }
 
       predicate hasBody(Callable body) { body = super.getExpr() }
 

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -454,7 +454,7 @@ newtype TNode =
     or
     lambdaCallExpr(_, _, e)
     or
-    lambdaCreationExpr(e.getExpr(), _)
+    lambdaCreationExpr(e.getExpr())
     or
     // Whenever `&mut e` has a post-update node we also create one for `e`.
     // E.g., for `e` in `f(..., &mut e, ...)` or `*(&mut e) = ...`.
@@ -478,5 +478,5 @@ newtype TNode =
   } or
   TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
   TFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
-  TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c, _) } or
+  TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c) } or
   TCaptureNode(VariableCapture::Flow::SynthesizedCaptureNode cn)

rust/ql/test/library-tests/dataflow/closures/inline-flow.expected

@@ -0,0 +1,83 @@
+models
+edges
+| main.rs:10:20:10:52 | if cond {...} else {...} | main.rs:11:10:11:16 | f(...) | provenance |  |
+| main.rs:10:30:10:39 | source(...) | main.rs:10:20:10:52 | if cond {...} else {...} | provenance |  |
+| main.rs:15:20:15:23 | ... | main.rs:17:18:17:21 | data | provenance |  |
+| main.rs:22:9:22:9 | a | main.rs:23:13:23:13 | a | provenance |  |
+| main.rs:22:13:22:22 | source(...) | main.rs:22:9:22:9 | a | provenance |  |
+| main.rs:23:13:23:13 | a | main.rs:15:20:15:23 | ... | provenance |  |
+| main.rs:27:20:27:23 | ... | main.rs:27:26:27:52 | if cond {...} else {...} | provenance |  |
+| main.rs:28:9:28:9 | a | main.rs:29:21:29:21 | a | provenance |  |
+| main.rs:28:13:28:22 | source(...) | main.rs:28:9:28:9 | a | provenance |  |
+| main.rs:29:9:29:9 | b | main.rs:30:10:30:10 | b | provenance |  |
+| main.rs:29:13:29:22 | f(...) | main.rs:29:9:29:9 | b | provenance |  |
+| main.rs:29:21:29:21 | a | main.rs:27:20:27:23 | ... | provenance |  |
+| main.rs:29:21:29:21 | a | main.rs:29:13:29:22 | f(...) | provenance |  |
+| main.rs:37:16:37:25 | source(...) | main.rs:39:5:39:5 | [post] f [captured capt] | provenance |  |
+| main.rs:39:5:39:5 | [post] f [captured capt] | main.rs:40:10:40:13 | capt | provenance |  |
+| main.rs:39:5:39:5 | [post] f [captured capt] | main.rs:44:5:44:5 | g [captured capt] | provenance |  |
+| main.rs:44:5:44:5 | g [captured capt] | main.rs:42:14:42:17 | capt | provenance |  |
+| main.rs:47:29:49:1 | { ... } | main.rs:57:10:57:12 | f(...) | provenance |  |
+| main.rs:48:5:48:14 | source(...) | main.rs:47:29:49:1 | { ... } | provenance |  |
+| main.rs:51:17:51:25 | ...: i64 | main.rs:52:10:52:13 | data | provenance |  |
+| main.rs:62:9:62:9 | a | main.rs:63:7:63:7 | a | provenance |  |
+| main.rs:62:13:62:22 | source(...) | main.rs:62:9:62:9 | a | provenance |  |
+| main.rs:63:7:63:7 | a | main.rs:51:17:51:25 | ...: i64 | provenance |  |
+| main.rs:66:24:66:32 | ...: i64 | main.rs:66:42:72:1 | { ... } | provenance |  |
+| main.rs:76:9:76:9 | a | main.rs:77:21:77:21 | a | provenance |  |
+| main.rs:76:13:76:22 | source(...) | main.rs:76:9:76:9 | a | provenance |  |
+| main.rs:77:9:77:9 | b | main.rs:78:10:78:10 | b | provenance |  |
+| main.rs:77:13:77:22 | f(...) | main.rs:77:9:77:9 | b | provenance |  |
+| main.rs:77:21:77:21 | a | main.rs:66:24:66:32 | ...: i64 | provenance |  |
+| main.rs:77:21:77:21 | a | main.rs:77:13:77:22 | f(...) | provenance |  |
+nodes
+| main.rs:10:20:10:52 | if cond {...} else {...} | semmle.label | if cond {...} else {...} |
+| main.rs:10:30:10:39 | source(...) | semmle.label | source(...) |
+| main.rs:11:10:11:16 | f(...) | semmle.label | f(...) |
+| main.rs:15:20:15:23 | ... | semmle.label | ... |
+| main.rs:17:18:17:21 | data | semmle.label | data |
+| main.rs:22:9:22:9 | a | semmle.label | a |
+| main.rs:22:13:22:22 | source(...) | semmle.label | source(...) |
+| main.rs:23:13:23:13 | a | semmle.label | a |
+| main.rs:27:20:27:23 | ... | semmle.label | ... |
+| main.rs:27:26:27:52 | if cond {...} else {...} | semmle.label | if cond {...} else {...} |
+| main.rs:28:9:28:9 | a | semmle.label | a |
+| main.rs:28:13:28:22 | source(...) | semmle.label | source(...) |
+| main.rs:29:9:29:9 | b | semmle.label | b |
+| main.rs:29:13:29:22 | f(...) | semmle.label | f(...) |
+| main.rs:29:21:29:21 | a | semmle.label | a |
+| main.rs:30:10:30:10 | b | semmle.label | b |
+| main.rs:37:16:37:25 | source(...) | semmle.label | source(...) |
+| main.rs:39:5:39:5 | [post] f [captured capt] | semmle.label | [post] f [captured capt] |
+| main.rs:40:10:40:13 | capt | semmle.label | capt |
+| main.rs:42:14:42:17 | capt | semmle.label | capt |
+| main.rs:44:5:44:5 | g [captured capt] | semmle.label | g [captured capt] |
+| main.rs:47:29:49:1 | { ... } | semmle.label | { ... } |
+| main.rs:48:5:48:14 | source(...) | semmle.label | source(...) |
+| main.rs:51:17:51:25 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:52:10:52:13 | data | semmle.label | data |
+| main.rs:57:10:57:12 | f(...) | semmle.label | f(...) |
+| main.rs:62:9:62:9 | a | semmle.label | a |
+| main.rs:62:13:62:22 | source(...) | semmle.label | source(...) |
+| main.rs:63:7:63:7 | a | semmle.label | a |
+| main.rs:66:24:66:32 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:66:42:72:1 | { ... } | semmle.label | { ... } |
+| main.rs:76:9:76:9 | a | semmle.label | a |
+| main.rs:76:13:76:22 | source(...) | semmle.label | source(...) |
+| main.rs:77:9:77:9 | b | semmle.label | b |
+| main.rs:77:13:77:22 | f(...) | semmle.label | f(...) |
+| main.rs:77:21:77:21 | a | semmle.label | a |
+| main.rs:78:10:78:10 | b | semmle.label | b |
+subpaths
+| main.rs:29:21:29:21 | a | main.rs:27:20:27:23 | ... | main.rs:27:26:27:52 | if cond {...} else {...} | main.rs:29:13:29:22 | f(...) |
+| main.rs:77:21:77:21 | a | main.rs:66:24:66:32 | ...: i64 | main.rs:66:42:72:1 | { ... } | main.rs:77:13:77:22 | f(...) |
+testFailures
+#select
+| main.rs:11:10:11:16 | f(...) | main.rs:10:30:10:39 | source(...) | main.rs:11:10:11:16 | f(...) | $@ | main.rs:10:30:10:39 | source(...) | source(...) |
+| main.rs:17:18:17:21 | data | main.rs:22:13:22:22 | source(...) | main.rs:17:18:17:21 | data | $@ | main.rs:22:13:22:22 | source(...) | source(...) |
+| main.rs:30:10:30:10 | b | main.rs:28:13:28:22 | source(...) | main.rs:30:10:30:10 | b | $@ | main.rs:28:13:28:22 | source(...) | source(...) |
+| main.rs:40:10:40:13 | capt | main.rs:37:16:37:25 | source(...) | main.rs:40:10:40:13 | capt | $@ | main.rs:37:16:37:25 | source(...) | source(...) |
+| main.rs:42:14:42:17 | capt | main.rs:37:16:37:25 | source(...) | main.rs:42:14:42:17 | capt | $@ | main.rs:37:16:37:25 | source(...) | source(...) |
+| main.rs:52:10:52:13 | data | main.rs:62:13:62:22 | source(...) | main.rs:52:10:52:13 | data | $@ | main.rs:62:13:62:22 | source(...) | source(...) |
+| main.rs:57:10:57:12 | f(...) | main.rs:48:5:48:14 | source(...) | main.rs:57:10:57:12 | f(...) | $@ | main.rs:48:5:48:14 | source(...) | source(...) |
+| main.rs:78:10:78:10 | b | main.rs:76:13:76:22 | source(...) | main.rs:78:10:78:10 | b | $@ | main.rs:76:13:76:22 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/closures/Cargo.lock renamed to rust/ql/test/library-tests/dataflow/lambdas/Cargo.lock

@@ -6,30 +6,25 @@ fn sink(s: i64) {
     println!("{}", s);
 }
 
-
 fn closure_flow_out() {
     let f = |cond| if cond { source(92) } else { 0 };
     sink(f(true)); // $ hasValueFlow=92
 }
 
 fn closure_flow_in() {
-    let f = |cond, data|
+    let f = |cond, data| {
         if cond {
             sink(data); // $ hasValueFlow=87
         } else {
             sink(0)
-        };
+        }
+    };
     let a = source(87);
     f(true, a);
 }
 
 fn closure_flow_through() {
-    let f = |cond, data|
-        if cond {
-            data
-        } else {
-            0
-        };
+    let f = |cond, data| if cond { data } else { 0 };
     let a = source(43);
     let b = f(true, a);
     sink(b); // $ hasValueFlow=43
@@ -49,9 +44,46 @@ fn closure_captured_variable() {
     g();
 }
 
+fn get_from_source() -> i64 {
+    source(93)
+}
+
+fn pass_to_sink(data: i64) {
+    sink(data); // $ hasValueFlow=34
+}
+
+fn function_flow_out() {
+    let f = get_from_source;
+    sink(f()); // $ hasValueFlow=93
+}
+
+fn function_flow_in() {
+    let f = pass_to_sink;
+    let a = source(34);
+    f(a);
+}
+
+fn get_arg(cond: bool, data: i64) -> i64 {
+    if cond {
+        data
+    } else {
+        0
+    }
+}
+
+fn function_flows_through() {
+    let f = get_arg;
+    let a = source(56);
+    let b = f(true, a);
+    sink(b); // $ hasValueFlow=56
+}
+
 fn main() {
     closure_flow_out();
     closure_flow_in();
     closure_flow_through();
     closure_captured_variable();
+    function_flow_in();
+    function_flow_out();
+    function_flows_through();
 }