From 23bfa8a9bcbb459d6d23743f61b53b5d01aff23c Mon Sep 17 00:00:00 2001
From: Simon Friis Vindum <simonfv@gmail.com>
Date: Tue, 19 Nov 2024 12:19:47 +0100
Subject: [PATCH] Rust: Add local data flow edge for SSA definitons

---
 .../rust/dataflow/internal/DataFlowImpl.qll   | 15 +++++++++--
 .../dataflow/local/DataFlowStep.expected      | 25 +++++++++++++++++++
 .../dataflow/local/inline-flow.expected       | 16 ++++++++++++
 .../test/library-tests/dataflow/local/main.rs |  8 +++---
 4 files changed, 58 insertions(+), 6 deletions(-)

diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
index def57805373..d4400213936 100644
--- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -145,7 +145,7 @@ module Node {
 
     PatNode() { this = TPatNode(n) }
 
-    /** Gets the Pat in the AST that this node corresponds to. */
+    /** Gets the `Pat` in the AST that this node corresponds to. */
     Pat getPat() { result = n.getPat() }
   }
 
@@ -282,6 +282,10 @@ module LocalFlow {
       nodeFrom.getCfgNode().getAstNode() = s.getInitializer() and
       nodeTo.getCfgNode().getAstNode() = s.getPat()
     )
+    or
+    // An edge from a pattern to its corresponding SSA definition.
+    nodeFrom.(Node::PatNode).getPat() =
+      nodeTo.(Node::SsaNode).getDefinitionExt().getSourceVariable().getPat()
   }
 }
 
@@ -395,7 +399,14 @@ module RustDataFlow implements InputSig<Location> {
    * Holds if there is a simple local flow step from `node1` to `node2`. These
    * are the value-preserving intra-callable flow steps.
    */
-  predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) { none() }
+  predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) {
+    (
+      LocalFlow::localFlowStepCommon(nodeFrom, nodeTo)
+      or
+      SsaFlow::localFlowStep(_, nodeFrom, nodeTo, _)
+    ) and
+    model = ""
+  }
 
   /**
    * Holds if data can flow from `node1` to `node2` through a non-local step
diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
index 7803c981855..b8a6f6b6201 100644
--- a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
+++ b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
@@ -1,61 +1,86 @@
 | main.rs:3:11:3:11 | [SSA] i | main.rs:4:12:4:12 | i |
+| main.rs:3:11:3:11 | i | main.rs:3:11:3:11 | [SSA] i |
 | main.rs:4:5:4:12 | ... + ... | main.rs:3:26:5:1 | BlockExpr |
 | main.rs:7:9:7:9 | [SSA] s | main.rs:8:20:8:20 | s |
+| main.rs:7:9:7:9 | s | main.rs:7:9:7:9 | [SSA] s |
 | main.rs:19:9:19:9 | [SSA] s | main.rs:20:10:20:10 | s |
+| main.rs:19:9:19:9 | s | main.rs:19:9:19:9 | [SSA] s |
 | main.rs:19:13:19:21 | CallExpr | main.rs:19:9:19:9 | s |
 | main.rs:23:18:23:21 | [SSA] cond | main.rs:26:16:26:19 | cond |
+| main.rs:23:18:23:21 | cond | main.rs:23:18:23:21 | [SSA] cond |
 | main.rs:24:9:24:9 | [SSA] a | main.rs:26:23:26:23 | a |
+| main.rs:24:9:24:9 | a | main.rs:24:9:24:9 | [SSA] a |
 | main.rs:24:13:24:21 | CallExpr | main.rs:24:9:24:9 | a |
 | main.rs:25:9:25:9 | [SSA] b | main.rs:26:34:26:34 | b |
+| main.rs:25:9:25:9 | b | main.rs:25:9:25:9 | [SSA] b |
 | main.rs:25:13:25:13 | 2 | main.rs:25:9:25:9 | b |
 | main.rs:26:9:26:9 | [SSA] c | main.rs:27:10:27:10 | c |
+| main.rs:26:9:26:9 | c | main.rs:26:9:26:9 | [SSA] c |
 | main.rs:26:13:26:36 | IfExpr | main.rs:26:9:26:9 | c |
 | main.rs:26:21:26:25 | BlockExpr | main.rs:26:13:26:36 | IfExpr |
 | main.rs:26:23:26:23 | a | main.rs:26:21:26:25 | BlockExpr |
 | main.rs:26:32:26:36 | BlockExpr | main.rs:26:13:26:36 | IfExpr |
 | main.rs:26:34:26:34 | b | main.rs:26:32:26:36 | BlockExpr |
 | main.rs:30:21:30:21 | [SSA] m | main.rs:32:19:32:19 | m |
+| main.rs:30:21:30:21 | m | main.rs:30:21:30:21 | [SSA] m |
 | main.rs:31:9:31:9 | [SSA] a | main.rs:33:20:33:20 | a |
+| main.rs:31:9:31:9 | a | main.rs:31:9:31:9 | [SSA] a |
 | main.rs:31:13:31:21 | CallExpr | main.rs:31:9:31:9 | a |
 | main.rs:32:9:32:9 | [SSA] b | main.rs:36:10:36:10 | b |
+| main.rs:32:9:32:9 | b | main.rs:32:9:32:9 | [SSA] b |
 | main.rs:32:13:35:5 | MatchExpr | main.rs:32:9:32:9 | b |
 | main.rs:33:20:33:20 | a | main.rs:32:13:35:5 | MatchExpr |
 | main.rs:34:17:34:17 | 0 | main.rs:32:13:35:5 | MatchExpr |
 | main.rs:40:9:40:9 | [SSA] a | main.rs:43:10:43:10 | a |
+| main.rs:40:9:40:9 | a | main.rs:40:9:40:9 | [SSA] a |
 | main.rs:40:13:42:5 | LoopExpr | main.rs:40:9:40:9 | a |
 | main.rs:41:9:41:15 | BreakExpr | main.rs:40:13:42:5 | LoopExpr |
 | main.rs:41:15:41:15 | 1 | main.rs:41:9:41:15 | BreakExpr |
 | main.rs:44:9:44:9 | [SSA] b | main.rs:47:10:47:10 | b |
+| main.rs:44:9:44:9 | b | main.rs:44:9:44:9 | [SSA] b |
 | main.rs:44:13:46:5 | LoopExpr | main.rs:44:9:44:9 | b |
 | main.rs:45:9:45:23 | BreakExpr | main.rs:44:13:46:5 | LoopExpr |
 | main.rs:45:15:45:23 | CallExpr | main.rs:45:9:45:23 | BreakExpr |
 | main.rs:51:9:51:13 | [SSA] i | main.rs:52:10:52:10 | i |
+| main.rs:51:9:51:13 | i | main.rs:51:9:51:13 | [SSA] i |
+| main.rs:51:9:51:13 | i | main.rs:53:5:53:5 | [SSA] i |
 | main.rs:51:17:51:17 | 1 | main.rs:51:9:51:13 | i |
 | main.rs:53:5:53:5 | [SSA] i | main.rs:54:10:54:10 | i |
 | main.rs:53:5:53:5 | i | main.rs:53:5:53:5 | [SSA] i |
 | main.rs:61:9:61:9 | [SSA] i | main.rs:62:11:62:11 | i |
+| main.rs:61:9:61:9 | i | main.rs:61:9:61:9 | [SSA] i |
 | main.rs:61:13:61:31 | CallExpr | main.rs:61:9:61:9 | i |
 | main.rs:66:9:66:9 | [SSA] a | main.rs:67:10:67:10 | a |
+| main.rs:66:9:66:9 | a | main.rs:66:9:66:9 | [SSA] a |
 | main.rs:66:13:66:26 | TupleExpr | main.rs:66:9:66:9 | a |
 | main.rs:67:10:67:10 | a | main.rs:68:10:68:10 | a |
 | main.rs:78:9:78:9 | [SSA] p | main.rs:83:10:83:10 | p |
+| main.rs:78:9:78:9 | p | main.rs:78:9:78:9 | [SSA] p |
 | main.rs:78:13:82:5 | RecordExpr | main.rs:78:9:78:9 | p |
 | main.rs:83:10:83:10 | p | main.rs:84:10:84:10 | p |
 | main.rs:84:10:84:10 | p | main.rs:85:10:85:10 | p |
 | main.rs:92:9:92:9 | [SSA] p | main.rs:97:38:97:38 | p |
+| main.rs:92:9:92:9 | p | main.rs:92:9:92:9 | [SSA] p |
 | main.rs:92:13:96:5 | RecordExpr | main.rs:92:9:92:9 | p |
 | main.rs:97:20:97:20 | [SSA] a | main.rs:98:10:98:10 | a |
+| main.rs:97:20:97:20 | a | main.rs:97:20:97:20 | [SSA] a |
 | main.rs:97:26:97:26 | [SSA] b | main.rs:99:10:99:10 | b |
+| main.rs:97:26:97:26 | b | main.rs:97:26:97:26 | [SSA] b |
 | main.rs:97:32:97:32 | [SSA] c | main.rs:100:10:100:10 | c |
+| main.rs:97:32:97:32 | c | main.rs:97:32:97:32 | [SSA] c |
 | main.rs:97:38:97:38 | p | main.rs:97:9:97:34 | RecordPat |
 | main.rs:104:9:104:10 | [SSA] s1 | main.rs:106:11:106:12 | s1 |
+| main.rs:104:9:104:10 | s1 | main.rs:104:9:104:10 | [SSA] s1 |
 | main.rs:104:14:104:28 | CallExpr | main.rs:104:9:104:10 | s1 |
 | main.rs:105:9:105:10 | [SSA] s2 | main.rs:110:11:110:12 | s2 |
+| main.rs:105:9:105:10 | s2 | main.rs:105:9:105:10 | [SSA] s2 |
 | main.rs:105:14:105:20 | CallExpr | main.rs:105:9:105:10 | s2 |
 | main.rs:107:14:107:14 | [SSA] n | main.rs:107:25:107:25 | n |
+| main.rs:107:14:107:14 | n | main.rs:107:14:107:14 | [SSA] n |
 | main.rs:107:20:107:26 | CallExpr | main.rs:106:5:109:5 | MatchExpr |
 | main.rs:108:17:108:23 | CallExpr | main.rs:106:5:109:5 | MatchExpr |
 | main.rs:110:5:113:5 | MatchExpr | main.rs:103:27:114:1 | BlockExpr |
 | main.rs:111:14:111:14 | [SSA] n | main.rs:111:25:111:25 | n |
+| main.rs:111:14:111:14 | n | main.rs:111:14:111:14 | [SSA] n |
 | main.rs:111:20:111:26 | CallExpr | main.rs:110:5:113:5 | MatchExpr |
 | main.rs:112:17:112:23 | CallExpr | main.rs:110:5:113:5 | MatchExpr |
diff --git a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected
index 816045223e2..72273334c6f 100644
--- a/rust/ql/test/library-tests/dataflow/local/inline-flow.expected
+++ b/rust/ql/test/library-tests/dataflow/local/inline-flow.expected
@@ -1,8 +1,24 @@
 models
 edges
+| main.rs:19:13:19:21 | CallExpr : unit | main.rs:20:10:20:10 | s | provenance |  |
+| main.rs:24:13:24:21 | CallExpr : unit | main.rs:27:10:27:10 | c | provenance |  |
+| main.rs:31:13:31:21 | CallExpr : unit | main.rs:36:10:36:10 | b | provenance |  |
+| main.rs:45:15:45:23 | CallExpr : unit | main.rs:47:10:47:10 | b | provenance |  |
 nodes
 | main.rs:15:10:15:18 | CallExpr | semmle.label | CallExpr |
+| main.rs:19:13:19:21 | CallExpr : unit | semmle.label | CallExpr : unit |
+| main.rs:20:10:20:10 | s | semmle.label | s |
+| main.rs:24:13:24:21 | CallExpr : unit | semmle.label | CallExpr : unit |
+| main.rs:27:10:27:10 | c | semmle.label | c |
+| main.rs:31:13:31:21 | CallExpr : unit | semmle.label | CallExpr : unit |
+| main.rs:36:10:36:10 | b | semmle.label | b |
+| main.rs:45:15:45:23 | CallExpr : unit | semmle.label | CallExpr : unit |
+| main.rs:47:10:47:10 | b | semmle.label | b |
 subpaths
 testFailures
 #select
 | main.rs:15:10:15:18 | CallExpr | main.rs:15:10:15:18 | CallExpr | main.rs:15:10:15:18 | CallExpr | $@ | main.rs:15:10:15:18 | CallExpr | CallExpr |
+| main.rs:20:10:20:10 | s | main.rs:19:13:19:21 | CallExpr : unit | main.rs:20:10:20:10 | s | $@ | main.rs:19:13:19:21 | CallExpr : unit | CallExpr : unit |
+| main.rs:27:10:27:10 | c | main.rs:24:13:24:21 | CallExpr : unit | main.rs:27:10:27:10 | c | $@ | main.rs:24:13:24:21 | CallExpr : unit | CallExpr : unit |
+| main.rs:36:10:36:10 | b | main.rs:31:13:31:21 | CallExpr : unit | main.rs:36:10:36:10 | b | $@ | main.rs:31:13:31:21 | CallExpr : unit | CallExpr : unit |
+| main.rs:47:10:47:10 | b | main.rs:45:15:45:23 | CallExpr : unit | main.rs:47:10:47:10 | b | $@ | main.rs:45:15:45:23 | CallExpr : unit | CallExpr : unit |
diff --git a/rust/ql/test/library-tests/dataflow/local/main.rs b/rust/ql/test/library-tests/dataflow/local/main.rs
index f4c2eeec2e1..fb79baa70bd 100644
--- a/rust/ql/test/library-tests/dataflow/local/main.rs
+++ b/rust/ql/test/library-tests/dataflow/local/main.rs
@@ -17,14 +17,14 @@ fn direct() {
 
 fn variable_usage() {
     let s = source(1);
-    sink(s); // $ MISSING: hasValueFlow=1
+    sink(s); // $ hasValueFlow=1
 }
 
 fn if_expression(cond: bool) {
     let a = source(1);
     let b = 2;
     let c = if cond { a } else { b };
-    sink(c); // $ MISSING: hasValueFlow=1
+    sink(c); // $ hasValueFlow=1
 }
 
 fn match_expression(m: Option<i64>) {
@@ -33,7 +33,7 @@ fn match_expression(m: Option<i64>) {
         Some(_) => a,
         None => 0,
     };
-    sink(b); // $ MISSING: hasValueFlow=1
+    sink(b); // $ hasValueFlow=1
 }
 
 fn loop_with_break() {
@@ -44,7 +44,7 @@ fn loop_with_break() {
     let b = loop {
         break source(1);
     };
-    sink(b); // $ MISSING: hasValueFlow=1
+    sink(b); // $ hasValueFlow=1
 }
 
 fn assignment() {