Skip to content

Rust: Update legacy MaD models 4 #19948

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Rust: Update legacy MaD models 4 #19948

wants to merge 6 commits into from

Conversation

geoffw0
Copy link
Contributor

@geoffw0 geoffw0 commented Jul 1, 2025

Final update of legacy MaD models to the new model format (continues from #19946 and should be independent of that).

There's a lot of guesswork involved in this last set of changes - i.e. cases where I couldn't find a real getCanonicalPath. There should be tests for most of them though so we will find out if we're way off.

@geoffw0 geoffw0 added no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code labels Jul 1, 2025
@geoffw0
Copy link
Contributor Author

geoffw0 commented Jul 2, 2025

I think it will be prudent to get the first two/three PRs merged before attempting to address the test failures here.

@aibaars
Copy link
Contributor

aibaars commented Jul 4, 2025
edited
Loading

The test failures look libc related. It looks like the fn free() in libc doesn't have a result for ItemNode::getCanonicalPath() .

The relevant bits of code are

I would expect the canonical path to be either libc::unix::free or libc::free.

This should address the underlying issue #19988

@geoffw0
Copy link
Contributor Author

geoffw0 commented Jul 8, 2025

I've brought in the fix for extern blocks from main, fixed the libc models, and fixed a couple of typos in other models. There are still a few regressions, but I feel they're at a level where we can merge this and come back to them later.

@geoffw0 geoffw0 marked this pull request as ready for review July 8, 2025 10:49
@Copilot Copilot AI review requested due to automatic review settings July 8, 2025 10:49
@geoffw0 geoffw0 requested a review from a team as a code owner July 8, 2025 10:49
Copilot
Copilot AI reviewed Jul 8, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

aibaars
aibaars reviewed Jul 8, 2025
View reviewed changes
rust/ql/lib/codeql/rust/frameworks/futures.model.yml
Comment on lines +8 to +17
- ["futures-util::io::AsyncReadExt::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncReadExt::read", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncReadExt::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncReadExt::read_to_end", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::read_line", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::read_line", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::read_until", "Argument[self]", "Argument[1].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::read_until", "Argument[self].Reference", "Argument[1].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::fill_buf", "Argument[self]", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::lines", "Argument[self]", "ReturnValue", "taint", "manual"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be futures_util.

Suggested change
- ["futures-util::io::AsyncReadExt::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncReadExt::read", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncReadExt::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncReadExt::read_to_end", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::read_line", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::read_line", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::read_until", "Argument[self]", "Argument[1].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::read_until", "Argument[self].Reference", "Argument[1].Reference", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::fill_buf", "Argument[self]", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "taint", "manual"]
- ["futures-util::io::AsyncBufReadExt::lines", "Argument[self]", "ReturnValue", "taint", "manual"]
- ["futures_util::io::AsyncReadExt::read", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures_util::io::AsyncReadExt::read", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures_util::io::AsyncReadExt::read_to_end", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures_util::io::AsyncReadExt::read_to_end", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures_util::io::AsyncBufReadExt::read_line", "Argument[self]", "Argument[0].Reference", "taint", "manual"]
- ["futures_util::io::AsyncBufReadExt::read_line", "Argument[self].Reference", "Argument[0].Reference", "taint", "manual"]
- ["futures_util::io::AsyncBufReadExt::read_until", "Argument[self]", "Argument[1].Reference", "taint", "manual"]
- ["futures_util::io::AsyncBufReadExt::read_until", "Argument[self].Reference", "Argument[1].Reference", "taint", "manual"]
- ["futures_util::io::AsyncBufReadExt::fill_buf", "Argument[self]", "ReturnValue.Future.Field[core::result::Result::Ok(0)]", "taint", "manual"]
- ["futures_util::io::AsyncBufReadExt::lines", "Argument[self]", "ReturnValue", "taint", "manual"]

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually might need to be <_ as futures_util::io::AsyncReadExt>::read etc.

aibaars
aibaars reviewed Jul 8, 2025
View reviewed changes
rust/ql/test/library-tests/dataflow/sources/test_futures_io.rs
@@ -61,16 +61,16 @@ async fn test_futures_rustls_futures_io() -> io::Result<()> {
let mut cx = Context::from_waker(futures::task::noop_waker_ref());
let buffer = pinned.poll_fill_buf(&mut cx);
if let Poll::Ready(Ok(buf)) = buffer {
sink(&buffer); // $ hasTaintFlow=url
sink(&buffer); // $ MISSING: hasTaintFlow=url
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently the computed canonical path for this function is <core::pin::Pin as tokio::io::async_buf_read::AsyncBufRead>::poll_fill_buf which makes very little sense. I guess we should implement some auto-unpinning or something @hvitved , what do you think?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm the impl<P> AsyncBufRead for Pin<P> actually exists in futures-io so that canonical path is perhaps fine. Although rust-analyzer resolves the call to impl<R: AsyncRead> AsyncBufRead for BufReader<R> from futures-util. Not sure which one is best. I guess if the Pin version is in scope then it would make sense, if not, then rust-analyzer is probably right and we should have auto-unpinned somehow.

aibaars
aibaars reviewed Jul 8, 2025
View reviewed changes
Copy link
Contributor

@aibaars aibaars left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think all the MISSING annotations can be fixed by updating the models to match the actual canonical paths. The following queries can come in handy to investigate what the computed canonical paths are:

query predicate resolvedPaths2(CallExprBase e, string path, Addressable target) {
  toBeTested(e) and
  target = e.getStaticTarget() and
  path = concat(target.getCanonicalPath())
}

query predicate resolvedPaths3( Addressable target, string path) { path = target.getCanonicalPath() }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aibaars aibaars aibaars left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@geoffw0 @aibaars