Rust: Handle chained let expressions

Author: hvitved

rust/ql/lib/codeql/rust/controlflow/internal/ControlFlowGraphImpl.qll

@@ -200,8 +200,7 @@ class TypeReprTree extends LeafTree instanceof TypeRepr { }
 /**
  * Provides `ControlFlowTree`s for expressions.
  *
- * Since expressions construct values, they are modeled in post-order, except for
- * `LetExpr`s.
+ * Since expressions construct values, they are modeled in post-order.
  */
 module ExprTrees {
   class ArrayExprTree extends StandardPostOrderTree, ArrayExpr {
@@ -341,21 +340,15 @@ module ExprTrees {
       child = [super.getCondition(), super.getABranch()]
     }
 
-    private ConditionalCompletion conditionCompletion(Completion c) {
-      if super.getCondition() instanceof LetExpr
-      then result = c.(MatchCompletion)
-      else result = c.(BooleanCompletion)
-    }
-
     override predicate succ(AstNode pred, AstNode succ, Completion c) {
       // Edges from the condition to the branches
       last(super.getCondition(), pred, c) and
       (
-        first(super.getThen(), succ) and this.conditionCompletion(c).succeeded()
+        first(super.getThen(), succ) and c.(ConditionalCompletion).succeeded()
         or
-        first(super.getElse(), succ) and this.conditionCompletion(c).failed()
+        first(super.getElse(), succ) and c.(ConditionalCompletion).failed()
         or
-        not super.hasElse() and succ = this and this.conditionCompletion(c).failed()
+        not super.hasElse() and succ = this and c.(ConditionalCompletion).failed()
       )
       or
       // An edge from the then branch to the last node
@@ -401,10 +394,7 @@ module ExprTrees {
     }
   }
 
-  // `LetExpr` is a pre-order tree such that the pattern itself ends up
-  // dominating successors in the graph in the same way that patterns do in
-  // `match` expressions.
-  class LetExprTree extends StandardPreOrderTree, LetExpr {
+  class LetExprTree extends StandardPostOrderTree, LetExpr {
     override AstNode getChildNode(int i) {
       i = 0 and
       result = this.getScrutinee()
@@ -456,21 +446,15 @@ module ExprTrees {
 
     override predicate first(AstNode node) { first(super.getCondition(), node) }
 
-    private ConditionalCompletion conditionCompletion(Completion c) {
-      if super.getCondition() instanceof LetExpr
-      then result = c.(MatchCompletion)
-      else result = c.(BooleanCompletion)
-    }
-
     override predicate succ(AstNode pred, AstNode succ, Completion c) {
       super.succ(pred, succ, c)
       or
       last(super.getCondition(), pred, c) and
-      this.conditionCompletion(c).succeeded() and
+      c.(ConditionalCompletion).succeeded() and
       first(this.getLoopBody(), succ)
       or
       last(super.getCondition(), pred, c) and
-      this.conditionCompletion(c).failed() and
+      c.(ConditionalCompletion).failed() and
       succ = this
     }
   }

rust/ql/lib/codeql/rust/controlflow/internal/Splitting.qll

@@ -71,13 +71,7 @@ module ConditionalCompletionSplitting {
       child = parent.(LogicalNotExpr).getExpr() and
       childCompletion.getDual() = parentCompletion
       or
-      (
-        childCompletion = parentCompletion
-        or
-        // needed for `let` expressions
-        childCompletion.(MatchCompletion).getValue() =
-          parentCompletion.(BooleanCompletion).getValue()
-      ) and
+      childCompletion = parentCompletion and
       (
         child = parent.(BinaryLogicalOperation).getAnOperand()
         or
@@ -92,6 +86,9 @@ module ConditionalCompletionSplitting {
         or
         child = parent.(PatternTrees::PostOrderPatTree).getPat(_)
       )
+      or
+      child = parent.(LetExpr).getPat() and
+      childCompletion.(MatchCompletion).getValue() = parentCompletion.(BooleanCompletion).getValue()
     }
   }
 

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -241,6 +241,12 @@ module LocalFlow {
       nodeTo.getCfgNode() = s.getPat()
     )
     or
+    // An edge from the right-hand side of a let expression to the left-hand side.
+    exists(LetExprCfgNode e |
+      nodeFrom.getCfgNode() = e.getScrutinee() and
+      nodeTo.getCfgNode() = e.getPat()
+    )
+    or
     exists(IdentPatCfgNode p |
       not p.isRef() and
       nodeFrom.getCfgNode() = p and
@@ -379,6 +385,8 @@ module RustDataFlow implements InputSig<Location> {
   predicate neverSkipInPathGraph(Node node) {
     node.(Node::Node).getCfgNode() = any(LetStmtCfgNode s).getPat()
     or
+    node.(Node::Node).getCfgNode() = any(LetExprCfgNode e).getPat()
+    or
     node.(Node::Node).getCfgNode() = any(AssignmentExprCfgNode a).getLhs()
     or
     exists(MatchExprCfgNode match |
@@ -899,6 +907,12 @@ module VariableCapture {
           v.getPat() = ls.getPat().getPat() and
           ls.getInitializer() = source
         )
+        or
+        exists(LetExprCfgNode le |
+          this = le and
+          v.getPat() = le.getPat().getPat() and
+          le.getScrutinee() = source
+        )
       }
 
       CapturedVariable getVariable() { result = v }

rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll

@@ -55,6 +55,12 @@ module Impl {
     not exists(getEnclosingOrPat(result))
   }
 
+  private predicate testvariableDecl(AstNode definingNode, Name name, string text) {
+    variableDecl(definingNode, name, text) and
+    definingNode.fromSource() and
+    definingNode.getLocation().getStartLine() = 276
+  }
+
   /**
    * Holds if `name` declares a variable named `text` at `definingNode`.
    * Normally, `definingNode = name`, except in cases like
@@ -152,8 +158,14 @@ module Impl {
     /** Gets the `let` statement that introduces this variable, if any. */
     LetStmt getLetStmt() { this.getPat() = result.getPat() }
 
+    /** Gets the `let` expression that introduces this variable, if any. */
+    LetExpr getLetExpr() { this.getPat() = result.getPat() }
+
     /** Gets the initial value of this variable, if any. */
-    Expr getInitializer() { result = this.getLetStmt().getInitializer() }
+    Expr getInitializer() {
+      result = this.getLetStmt().getInitializer() or
+      result = this.getLetExpr().getScrutinee()
+    }
 
     /** Holds if this variable is captured. */
     predicate isCaptured() { this.getAnAccess().isCapture() }
@@ -198,6 +210,7 @@ module Impl {
       n instanceof Pat or
       n instanceof VariableAccessCand or
       n instanceof LetStmt or
+      n instanceof LetExpr or
       n instanceof VariableScope
     ) and
     exists(AstNode n0 |
@@ -243,6 +256,7 @@ module Impl {
       this instanceof VariableScope or
       this instanceof VariableAccessCand or
       this instanceof LetStmt or
+      this instanceof LetExpr or
       getImmediateChild(this, _) instanceof RelevantElement
     }
 
@@ -354,6 +368,14 @@ module Impl {
           ord = getLastPreOrderNumbering(scope, let) + 1
         )
         or
+        exists(LetExpr let |
+          let.getPat() = pat and
+          scope = getEnclosingScope(let) and
+          // for `let` expressions, variables are bound _after_ the statement, i.e.
+          // not in the RHS
+          ord = getLastPreOrderNumbering(scope, let) + 1
+        )
+        or
         exists(IfExpr ie, LetExpr let |
           let.getPat() = pat and
           ie.getCondition() = let and

rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -30,9 +30,17 @@ localStep
 | main.rs:26:12:26:12 | [SSA] x | main.rs:27:14:27:14 | x |
 | main.rs:26:12:26:12 | x | main.rs:26:12:26:12 | [SSA] x |
 | main.rs:26:12:26:12 | x | main.rs:26:12:26:12 | x |
+| main.rs:26:16:26:16 | s | main.rs:26:12:26:12 | x |
 | main.rs:26:16:26:16 | s | main.rs:30:16:30:16 | s |
 | main.rs:26:18:28:5 | { ... } | main.rs:26:5:28:5 | if ... {...} |
+| main.rs:30:12:30:12 | [SSA] x | main.rs:32:18:32:18 | x |
+| main.rs:30:12:30:12 | x | main.rs:30:12:30:12 | [SSA] x |
 | main.rs:30:12:30:12 | x | main.rs:30:12:30:12 | x |
+| main.rs:30:16:30:16 | s | main.rs:30:12:30:12 | x |
+| main.rs:32:18:32:18 | [post] x | main.rs:36:14:36:14 | x |
+| main.rs:32:18:32:18 | x | main.rs:36:14:36:14 | x |
+| main.rs:33:13:33:16 | true | main.rs:31:12:34:9 | { ... } |
+| main.rs:35:5:37:5 | { ... } | main.rs:30:5:37:5 | if ... {...} |
 | main.rs:40:18:40:21 | [SSA] cond | main.rs:43:16:43:19 | cond |
 | main.rs:40:18:40:21 | cond | main.rs:40:18:40:21 | [SSA] cond |
 | main.rs:40:18:40:21 | cond | main.rs:40:18:40:21 | cond |
@@ -294,7 +302,14 @@ localStep
 | main.rs:254:9:254:10 | s1 | main.rs:254:9:254:10 | [SSA] s1 |
 | main.rs:254:9:254:10 | s1 | main.rs:254:9:254:10 | s1 |
 | main.rs:254:14:254:29 | Some(...) | main.rs:254:9:254:10 | s1 |
+| main.rs:255:5:262:5 | if ... {...} | main.rs:253:25:263:1 | { ... } |
+| main.rs:255:17:255:17 | [SSA] n | main.rs:257:18:257:18 | n |
+| main.rs:255:17:255:17 | n | main.rs:255:17:255:17 | [SSA] n |
 | main.rs:255:17:255:17 | n | main.rs:255:17:255:17 | n |
+| main.rs:257:18:257:18 | [post] n | main.rs:261:14:261:14 | n |
+| main.rs:257:18:257:18 | n | main.rs:261:14:261:14 | n |
+| main.rs:258:13:258:16 | true | main.rs:256:12:259:9 | { ... } |
+| main.rs:260:5:262:5 | { ... } | main.rs:255:5:262:5 | if ... {...} |
 | main.rs:266:9:266:10 | [SSA] s1 | main.rs:267:10:267:11 | s1 |
 | main.rs:266:9:266:10 | s1 | main.rs:266:9:266:10 | [SSA] s1 |
 | main.rs:266:9:266:10 | s1 | main.rs:266:9:266:10 | s1 |

rust/ql/test/library-tests/dataflow/local/inline-flow.expected

@@ -11,7 +11,12 @@ models
 | 10 | Summary: <core::result::Result>::ok; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue.Field[core::option::Option::Some(0)]; value |
 edges
 | main.rs:23:9:23:9 | s | main.rs:24:10:24:10 | s | provenance |  |
+| main.rs:23:9:23:9 | s | main.rs:26:12:26:12 | x | provenance |  |
+| main.rs:23:9:23:9 | s | main.rs:30:12:30:12 | x | provenance |  |
 | main.rs:23:13:23:21 | source(...) | main.rs:23:9:23:9 | s | provenance |  |
+| main.rs:26:12:26:12 | x | main.rs:27:14:27:14 | x | provenance |  |
+| main.rs:30:12:30:12 | x | main.rs:32:18:32:18 | x | provenance |  |
+| main.rs:30:12:30:12 | x | main.rs:36:14:36:14 | x | provenance |  |
 | main.rs:41:9:41:9 | a | main.rs:43:9:43:9 | c | provenance |  |
 | main.rs:41:13:41:21 | source(...) | main.rs:41:9:41:9 | a | provenance |  |
 | main.rs:43:9:43:9 | c | main.rs:44:10:44:10 | c | provenance |  |
@@ -240,6 +245,11 @@ nodes
 | main.rs:23:9:23:9 | s | semmle.label | s |
 | main.rs:23:13:23:21 | source(...) | semmle.label | source(...) |
 | main.rs:24:10:24:10 | s | semmle.label | s |
+| main.rs:26:12:26:12 | x | semmle.label | x |
+| main.rs:27:14:27:14 | x | semmle.label | x |
+| main.rs:30:12:30:12 | x | semmle.label | x |
+| main.rs:32:18:32:18 | x | semmle.label | x |
+| main.rs:36:14:36:14 | x | semmle.label | x |
 | main.rs:41:9:41:9 | a | semmle.label | a |
 | main.rs:41:13:41:21 | source(...) | semmle.label | source(...) |
 | main.rs:43:9:43:9 | c | semmle.label | c |
@@ -512,6 +522,9 @@ testFailures
 #select
 | main.rs:19:10:19:18 | source(...) | main.rs:19:10:19:18 | source(...) | main.rs:19:10:19:18 | source(...) | $@ | main.rs:19:10:19:18 | source(...) | source(...) |
 | main.rs:24:10:24:10 | s | main.rs:23:13:23:21 | source(...) | main.rs:24:10:24:10 | s | $@ | main.rs:23:13:23:21 | source(...) | source(...) |
+| main.rs:27:14:27:14 | x | main.rs:23:13:23:21 | source(...) | main.rs:27:14:27:14 | x | $@ | main.rs:23:13:23:21 | source(...) | source(...) |
+| main.rs:32:18:32:18 | x | main.rs:23:13:23:21 | source(...) | main.rs:32:18:32:18 | x | $@ | main.rs:23:13:23:21 | source(...) | source(...) |
+| main.rs:36:14:36:14 | x | main.rs:23:13:23:21 | source(...) | main.rs:36:14:36:14 | x | $@ | main.rs:23:13:23:21 | source(...) | source(...) |
 | main.rs:44:10:44:10 | c | main.rs:41:13:41:21 | source(...) | main.rs:44:10:44:10 | c | $@ | main.rs:41:13:41:21 | source(...) | source(...) |
 | main.rs:53:10:53:10 | b | main.rs:48:13:48:21 | source(...) | main.rs:53:10:53:10 | b | $@ | main.rs:48:13:48:21 | source(...) | source(...) |
 | main.rs:64:10:64:10 | b | main.rs:62:15:62:23 | source(...) | main.rs:64:10:64:10 | b | $@ | main.rs:62:15:62:23 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/local/main.rs

@@ -24,16 +24,16 @@ fn variable_usage() {
     sink(s); // $ hasValueFlow=2
 
     if let x = s {
-        sink(x); // $ MISSING: hasValueFlow=2
+        sink(x); // $ hasValueFlow=2
     };
 
     if let x = s
         && {
-            sink(x); // $ MISSING: hasValueFlow=2
+            sink(x); // $ hasValueFlow=2
             true
         }
     {
-        sink(x); // $ MISSING: hasValueFlow=2
+        sink(x); // $ hasValueFlow=2
     };
 }