Rust: Taint flow tests for operations

hvitved · hvitved · commit 594e8acc01b0 · 2025-12-02T15:33:12.000+01:00
diff --git a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
@@ -1,22 +1,24 @@
 | main.rs:4:5:4:8 | 1000 | main.rs:4:5:4:12 | ... + ... |
 | main.rs:4:12:4:12 | i | main.rs:4:5:4:12 | ... + ... |
 | main.rs:8:20:8:20 | s | main.rs:8:14:8:20 | FormatArgsExpr |
-| main.rs:13:10:13:10 | a | main.rs:13:10:13:14 | ... + ... |
-| main.rs:13:14:13:14 | 1 | main.rs:13:10:13:14 | ... + ... |
-| main.rs:18:11:18:11 | a | main.rs:18:10:18:11 | - ... |
-| main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 |
-| main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 |
-| main.rs:24:10:24:17 | [post] b as i64 | main.rs:24:10:24:10 | [post] b |
-| main.rs:29:23:29:23 | i | main.rs:29:17:29:23 | FormatArgsExpr |
-| main.rs:33:24:33:24 | s | main.rs:33:18:33:24 | FormatArgsExpr |
-| main.rs:38:23:38:23 | [post] s [borrowed] | main.rs:38:23:38:23 | [post] s |
-| main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] |
-| main.rs:38:23:38:29 | s[...] [pre-dereferenced] | main.rs:38:23:38:29 | s[...] |
-| main.rs:49:24:49:24 | i | main.rs:49:18:49:24 | FormatArgsExpr |
-| main.rs:54:14:54:16 | [post] arr [borrowed] | main.rs:54:14:54:16 | [post] arr |
-| main.rs:54:14:54:19 | arr[1] [pre-dereferenced] | main.rs:54:14:54:19 | arr[1] |
-| main.rs:64:24:64:24 | [post] s [borrowed] | main.rs:64:24:64:24 | [post] s |
-| main.rs:64:24:64:27 | s[1] | main.rs:64:18:64:27 | FormatArgsExpr |
-| main.rs:64:24:64:27 | s[1] [pre-dereferenced] | main.rs:64:24:64:27 | s[1] |
-| main.rs:69:9:69:12 | [post] arr2 [borrowed] | main.rs:69:9:69:12 | [post] arr2 |
-| main.rs:69:9:69:15 | arr2[1] [pre-dereferenced] | main.rs:69:9:69:15 | arr2[1] |
+| main.rs:13:10:13:10 | a | main.rs:13:10:13:17 | ... + ... |
+| main.rs:13:14:13:17 | 1i64 | main.rs:13:10:13:17 | ... + ... |
+| main.rs:16:5:16:5 | [post] b [borrowed] | main.rs:16:5:16:5 | [post] b |
+| main.rs:20:5:20:5 | [post] c [borrowed] | main.rs:20:5:20:5 | [post] c |
+| main.rs:26:11:26:11 | a | main.rs:26:10:26:11 | - ... |
+| main.rs:31:13:31:13 | a | main.rs:31:13:31:19 | a as u8 |
+| main.rs:32:10:32:10 | b | main.rs:32:10:32:17 | b as i64 |
+| main.rs:32:10:32:17 | [post] b as i64 | main.rs:32:10:32:10 | [post] b |
+| main.rs:37:23:37:23 | i | main.rs:37:17:37:23 | FormatArgsExpr |
+| main.rs:41:24:41:24 | s | main.rs:41:18:41:24 | FormatArgsExpr |
+| main.rs:46:23:46:23 | [post] s [borrowed] | main.rs:46:23:46:23 | [post] s |
+| main.rs:46:23:46:23 | s | main.rs:46:23:46:29 | s[...] |
+| main.rs:46:23:46:29 | s[...] [pre-dereferenced] | main.rs:46:23:46:29 | s[...] |
+| main.rs:57:24:57:24 | i | main.rs:57:18:57:24 | FormatArgsExpr |
+| main.rs:62:14:62:16 | [post] arr [borrowed] | main.rs:62:14:62:16 | [post] arr |
+| main.rs:62:14:62:19 | arr[1] [pre-dereferenced] | main.rs:62:14:62:19 | arr[1] |
+| main.rs:72:24:72:24 | [post] s [borrowed] | main.rs:72:24:72:24 | [post] s |
+| main.rs:72:24:72:27 | s[1] | main.rs:72:18:72:27 | FormatArgsExpr |
+| main.rs:72:24:72:27 | s[1] [pre-dereferenced] | main.rs:72:24:72:27 | s[1] |
+| main.rs:77:9:77:12 | [post] arr2 [borrowed] | main.rs:77:9:77:12 | [post] arr2 |
+| main.rs:77:9:77:15 | arr2[1] [pre-dereferenced] | main.rs:77:9:77:15 | arr2[1] |
diff --git a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected
@@ -1,60 +1,72 @@
 models
-| 1 | Summary: <_ as core::ops::index::Index>::index; Argument[self].Reference.Element; ReturnValue.Reference; value |
-| 2 | Summary: <core::i64 as core::ops::arith::Neg>::neg; Argument[self]; ReturnValue; taint |
+| 1 | Summary: <_ as core::ops::arith::Add>::add; Argument[self]; ReturnValue; taint |
+| 2 | Summary: <_ as core::ops::index::Index>::index; Argument[self].Reference.Element; ReturnValue.Reference; value |
+| 3 | Summary: <core::i64 as core::ops::arith::Add>::add; Argument[self]; ReturnValue; taint |
+| 4 | Summary: <core::i64 as core::ops::arith::Neg>::neg; Argument[self]; ReturnValue; taint |
 edges
-| main.rs:12:9:12:9 | a | main.rs:13:10:13:14 | ... + ... | provenance |  |
+| main.rs:12:9:12:9 | a | main.rs:13:10:13:10 | a | provenance |  |
+| main.rs:12:9:12:9 | a | main.rs:13:10:13:17 | ... + ... | provenance |  |
 | main.rs:12:13:12:22 | source(...) | main.rs:12:9:12:9 | a | provenance |  |
-| main.rs:17:9:17:9 | a | main.rs:18:10:18:11 | - ... | provenance |  |
-| main.rs:17:9:17:9 | a | main.rs:18:11:18:11 | a | provenance |  |
-| main.rs:17:13:17:22 | source(...) | main.rs:17:9:17:9 | a | provenance |  |
-| main.rs:18:11:18:11 | a | main.rs:18:10:18:11 | - ... | provenance | MaD:2 |
-| main.rs:22:9:22:9 | a | main.rs:23:9:23:9 | b | provenance |  |
-| main.rs:22:13:22:22 | source(...) | main.rs:22:9:22:9 | a | provenance |  |
-| main.rs:23:9:23:9 | b | main.rs:24:10:24:17 | b as i64 | provenance |  |
-| main.rs:37:13:37:13 | s | main.rs:38:23:38:23 | s | provenance |  |
-| main.rs:37:13:37:13 | s | main.rs:38:23:38:29 | s[...] | provenance |  |
-| main.rs:37:17:37:26 | source(...) | main.rs:37:13:37:13 | s | provenance |  |
-| main.rs:38:13:38:18 | sliced [&ref] | main.rs:39:14:39:19 | sliced | provenance |  |
-| main.rs:38:22:38:29 | &... [&ref] | main.rs:38:13:38:18 | sliced [&ref] | provenance |  |
-| main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] | provenance | MaD:1 |
-| main.rs:38:23:38:29 | s[...] | main.rs:38:22:38:29 | &... [&ref] | provenance |  |
-| main.rs:53:13:53:15 | arr | main.rs:54:14:54:16 | arr | provenance |  |
-| main.rs:53:19:53:28 | source(...) | main.rs:53:13:53:15 | arr | provenance |  |
-| main.rs:54:14:54:16 | arr | main.rs:54:14:54:19 | arr[1] | provenance | MaD:1 |
-| main.rs:69:9:69:12 | [post] arr2 [element] | main.rs:70:14:70:17 | arr2 | provenance |  |
-| main.rs:69:19:69:28 | source(...) | main.rs:69:9:69:12 | [post] arr2 [element] | provenance |  |
+| main.rs:13:10:13:10 | a | main.rs:13:10:13:17 | ... + ... | provenance | MaD:1 |
+| main.rs:13:10:13:10 | a | main.rs:13:10:13:17 | ... + ... | provenance | MaD:3 |
+| main.rs:15:9:15:13 | mut b | main.rs:17:10:17:10 | b | provenance |  |
+| main.rs:15:17:15:26 | source(...) | main.rs:15:9:15:13 | mut b | provenance |  |
+| main.rs:25:9:25:9 | a | main.rs:26:10:26:11 | - ... | provenance |  |
+| main.rs:25:9:25:9 | a | main.rs:26:11:26:11 | a | provenance |  |
+| main.rs:25:13:25:22 | source(...) | main.rs:25:9:25:9 | a | provenance |  |
+| main.rs:26:11:26:11 | a | main.rs:26:10:26:11 | - ... | provenance | MaD:4 |
+| main.rs:30:9:30:9 | a | main.rs:31:9:31:9 | b | provenance |  |
+| main.rs:30:13:30:22 | source(...) | main.rs:30:9:30:9 | a | provenance |  |
+| main.rs:31:9:31:9 | b | main.rs:32:10:32:17 | b as i64 | provenance |  |
+| main.rs:45:13:45:13 | s | main.rs:46:23:46:23 | s | provenance |  |
+| main.rs:45:13:45:13 | s | main.rs:46:23:46:29 | s[...] | provenance |  |
+| main.rs:45:17:45:26 | source(...) | main.rs:45:13:45:13 | s | provenance |  |
+| main.rs:46:13:46:18 | sliced [&ref] | main.rs:47:14:47:19 | sliced | provenance |  |
+| main.rs:46:22:46:29 | &... [&ref] | main.rs:46:13:46:18 | sliced [&ref] | provenance |  |
+| main.rs:46:23:46:23 | s | main.rs:46:23:46:29 | s[...] | provenance | MaD:2 |
+| main.rs:46:23:46:29 | s[...] | main.rs:46:22:46:29 | &... [&ref] | provenance |  |
+| main.rs:61:13:61:15 | arr | main.rs:62:14:62:16 | arr | provenance |  |
+| main.rs:61:19:61:28 | source(...) | main.rs:61:13:61:15 | arr | provenance |  |
+| main.rs:62:14:62:16 | arr | main.rs:62:14:62:19 | arr[1] | provenance | MaD:2 |
+| main.rs:77:9:77:12 | [post] arr2 [element] | main.rs:78:14:78:17 | arr2 | provenance |  |
+| main.rs:77:19:77:28 | source(...) | main.rs:77:9:77:12 | [post] arr2 [element] | provenance |  |
 nodes
 | main.rs:12:9:12:9 | a | semmle.label | a |
 | main.rs:12:13:12:22 | source(...) | semmle.label | source(...) |
-| main.rs:13:10:13:14 | ... + ... | semmle.label | ... + ... |
-| main.rs:17:9:17:9 | a | semmle.label | a |
-| main.rs:17:13:17:22 | source(...) | semmle.label | source(...) |
-| main.rs:18:10:18:11 | - ... | semmle.label | - ... |
-| main.rs:18:11:18:11 | a | semmle.label | a |
-| main.rs:22:9:22:9 | a | semmle.label | a |
-| main.rs:22:13:22:22 | source(...) | semmle.label | source(...) |
-| main.rs:23:9:23:9 | b | semmle.label | b |
-| main.rs:24:10:24:17 | b as i64 | semmle.label | b as i64 |
-| main.rs:37:13:37:13 | s | semmle.label | s |
-| main.rs:37:17:37:26 | source(...) | semmle.label | source(...) |
-| main.rs:38:13:38:18 | sliced [&ref] | semmle.label | sliced [&ref] |
-| main.rs:38:22:38:29 | &... [&ref] | semmle.label | &... [&ref] |
-| main.rs:38:23:38:23 | s | semmle.label | s |
-| main.rs:38:23:38:29 | s[...] | semmle.label | s[...] |
-| main.rs:39:14:39:19 | sliced | semmle.label | sliced |
-| main.rs:53:13:53:15 | arr | semmle.label | arr |
-| main.rs:53:19:53:28 | source(...) | semmle.label | source(...) |
-| main.rs:54:14:54:16 | arr | semmle.label | arr |
-| main.rs:54:14:54:19 | arr[1] | semmle.label | arr[1] |
-| main.rs:69:9:69:12 | [post] arr2 [element] | semmle.label | [post] arr2 [element] |
-| main.rs:69:19:69:28 | source(...) | semmle.label | source(...) |
-| main.rs:70:14:70:17 | arr2 | semmle.label | arr2 |
+| main.rs:13:10:13:10 | a | semmle.label | a |
+| main.rs:13:10:13:17 | ... + ... | semmle.label | ... + ... |
+| main.rs:15:9:15:13 | mut b | semmle.label | mut b |
+| main.rs:15:17:15:26 | source(...) | semmle.label | source(...) |
+| main.rs:17:10:17:10 | b | semmle.label | b |
+| main.rs:25:9:25:9 | a | semmle.label | a |
+| main.rs:25:13:25:22 | source(...) | semmle.label | source(...) |
+| main.rs:26:10:26:11 | - ... | semmle.label | - ... |
+| main.rs:26:11:26:11 | a | semmle.label | a |
+| main.rs:30:9:30:9 | a | semmle.label | a |
+| main.rs:30:13:30:22 | source(...) | semmle.label | source(...) |
+| main.rs:31:9:31:9 | b | semmle.label | b |
+| main.rs:32:10:32:17 | b as i64 | semmle.label | b as i64 |
+| main.rs:45:13:45:13 | s | semmle.label | s |
+| main.rs:45:17:45:26 | source(...) | semmle.label | source(...) |
+| main.rs:46:13:46:18 | sliced [&ref] | semmle.label | sliced [&ref] |
+| main.rs:46:22:46:29 | &... [&ref] | semmle.label | &... [&ref] |
+| main.rs:46:23:46:23 | s | semmle.label | s |
+| main.rs:46:23:46:29 | s[...] | semmle.label | s[...] |
+| main.rs:47:14:47:19 | sliced | semmle.label | sliced |
+| main.rs:61:13:61:15 | arr | semmle.label | arr |
+| main.rs:61:19:61:28 | source(...) | semmle.label | source(...) |
+| main.rs:62:14:62:16 | arr | semmle.label | arr |
+| main.rs:62:14:62:19 | arr[1] | semmle.label | arr[1] |
+| main.rs:77:9:77:12 | [post] arr2 [element] | semmle.label | [post] arr2 [element] |
+| main.rs:77:19:77:28 | source(...) | semmle.label | source(...) |
+| main.rs:78:14:78:17 | arr2 | semmle.label | arr2 |
 subpaths
 testFailures
 #select
-| main.rs:13:10:13:14 | ... + ... | main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:14 | ... + ... | $@ | main.rs:12:13:12:22 | source(...) | source(...) |
-| main.rs:18:10:18:11 | - ... | main.rs:17:13:17:22 | source(...) | main.rs:18:10:18:11 | - ... | $@ | main.rs:17:13:17:22 | source(...) | source(...) |
-| main.rs:24:10:24:17 | b as i64 | main.rs:22:13:22:22 | source(...) | main.rs:24:10:24:17 | b as i64 | $@ | main.rs:22:13:22:22 | source(...) | source(...) |
-| main.rs:39:14:39:19 | sliced | main.rs:37:17:37:26 | source(...) | main.rs:39:14:39:19 | sliced | $@ | main.rs:37:17:37:26 | source(...) | source(...) |
-| main.rs:54:14:54:19 | arr[1] | main.rs:53:19:53:28 | source(...) | main.rs:54:14:54:19 | arr[1] | $@ | main.rs:53:19:53:28 | source(...) | source(...) |
-| main.rs:70:14:70:17 | arr2 | main.rs:69:19:69:28 | source(...) | main.rs:70:14:70:17 | arr2 | $@ | main.rs:69:19:69:28 | source(...) | source(...) |
+| main.rs:13:10:13:17 | ... + ... | main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:17 | ... + ... | $@ | main.rs:12:13:12:22 | source(...) | source(...) |
+| main.rs:17:10:17:10 | b | main.rs:15:17:15:26 | source(...) | main.rs:17:10:17:10 | b | $@ | main.rs:15:17:15:26 | source(...) | source(...) |
+| main.rs:26:10:26:11 | - ... | main.rs:25:13:25:22 | source(...) | main.rs:26:10:26:11 | - ... | $@ | main.rs:25:13:25:22 | source(...) | source(...) |
+| main.rs:32:10:32:17 | b as i64 | main.rs:30:13:30:22 | source(...) | main.rs:32:10:32:17 | b as i64 | $@ | main.rs:30:13:30:22 | source(...) | source(...) |
+| main.rs:47:14:47:19 | sliced | main.rs:45:17:45:26 | source(...) | main.rs:47:14:47:19 | sliced | $@ | main.rs:45:17:45:26 | source(...) | source(...) |
+| main.rs:62:14:62:19 | arr[1] | main.rs:61:19:61:28 | source(...) | main.rs:62:14:62:19 | arr[1] | $@ | main.rs:61:19:61:28 | source(...) | source(...) |
+| main.rs:78:14:78:17 | arr2 | main.rs:77:19:77:28 | source(...) | main.rs:78:14:78:17 | arr2 | $@ | main.rs:77:19:77:28 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/taint/main.rs b/rust/ql/test/library-tests/dataflow/taint/main.rs
@@ -10,7 +10,15 @@ fn sink(s: i64) {
 
 fn addition() {
     let a = source(42);
-    sink(a + 1); // $ hasTaintFlow=42
+    sink(a + 1i64); // $ hasTaintFlow=42 -- for now, we cannot resolve `+` when `1i64` is replaced with `1`
+
+    let mut b = source(58);
+    b += 2i64;
+    sink(b); // $ MISSING: hasTaintFlow=58 $ SPURIOUS: hasValueFlow=58
+
+    let mut c = 0i64; // for now, we cannot resolve `+=` when `0i64` is replaced with `0`
+    c += source(99);
+    sink(c); // $ MISSING: hasTaintFlow=99
 }
 
 fn negation() {
