Rust: Model address-of and dereference as stores and loads

paldepind · paldepind · commit aab3428bc771 · 2024-12-16T11:31:15.000+01:00
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
@@ -712,6 +712,11 @@ private class CapturedVariableContent extends Content, TCapturedVariableContent
   override string toString() { result = "captured " + v }
 }
 
+/** A value refered to by a reference. */
+final class ReferenceContent extends Content, TReferenceContent {
+  override string toString() { result = "&ref" }
+}
+
 /**
  * An element in an array.
  */
@@ -1040,6 +1045,13 @@ module RustDataFlow implements InputSig<Location> {
           ["crate::option::Option::Some", "crate::result::Result::Ok"]
       )
       or
+      exists(PrefixExprCfgNode deref |
+        c instanceof ReferenceContent and
+        deref.getOperatorName() = "*" and
+        node1.asExpr() = deref.getExpr() and
+        node2.asExpr() = deref
+      )
+      or
       VariableCapture::readStep(node1, c, node2)
     )
     or
@@ -1123,6 +1135,12 @@ module RustDataFlow implements InputSig<Location> {
         node2.(PostUpdateNode).getPreUpdateNode().asExpr() = index.getBase()
       )
       or
+      exists(RefExprCfgNode ref |
+        c instanceof ReferenceContent and
+        node1.asExpr() = ref.getExpr() and
+        node2.asExpr() = ref
+      )
+      or
       VariableCapture::storeStep(node1, c, node2)
     )
     or
@@ -1382,7 +1400,8 @@ private module Cached {
       e =
         [
           any(IndexExprCfgNode i).getBase(), any(FieldExprCfgNode access).getExpr(),
-          any(TryExprCfgNode try).getExpr()
+          any(TryExprCfgNode try).getExpr(),
+          any(PrefixExprCfgNode pe | pe.getOperatorName() = "*").getExpr()
         ]
     } or
     TSsaNode(SsaImpl::DataFlowIntegration::SsaNode node) or
@@ -1482,7 +1501,8 @@ private module Cached {
     TStructFieldContent(StructCanonicalPath s, string field) {
       field = s.getStruct().getFieldList().(RecordFieldList).getAField().getName().getText()
     } or
-    TCapturedVariableContent(VariableCapture::CapturedVariable v)
+    TCapturedVariableContent(VariableCapture::CapturedVariable v) or
+    TReferenceContent()
 
   cached
   newtype TContentSet = TSingletonContentSet(Content c)
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -46,6 +46,8 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
         RustDataFlow::readStep(pred, cs, succ) and
         cs.getContent() instanceof ArrayElementContent
       )
+      or
+      pred.asExpr() = succ.asExpr().(RefExprCfgNode).getExpr()
     )
     or
     FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),
@@ -59,7 +61,10 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {
   bindingset[node]
   predicate defaultImplicitTaintRead(Node::Node node, ContentSet cs) {
     exists(node) and
-    cs.(SingletonContentSet).getContent() instanceof ArrayElementContent
+    exists(Content c | c = cs.(SingletonContentSet).getContent() |
+      c instanceof ArrayElementContent or
+      c instanceof ReferenceContent
+    )
   }
 
   /**
diff --git a/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll
@@ -484,7 +484,6 @@ module Impl {
   class VariableReadAccess extends VariableAccess {
     VariableReadAccess() {
       not this instanceof VariableWriteAccess and
-      not this = any(RefExpr re).getExpr() and
       not this = any(CompoundAssignmentExpr cae).getLhs()
     }
   }
diff --git a/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected b/rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected
@@ -530,6 +530,7 @@ storeStep
 readStep
 | file://:0:0:0:0 | [summary param] self in lang:core::_::<crate::option::Option>::unwrap | Some | file://:0:0:0:0 | [summary] read: Argument[self].Variant[crate::option::Option::Some(0)] in lang:core::_::<crate::option::Option>::unwrap |
 | main.rs:33:9:33:15 | Some(...) | Some | main.rs:33:14:33:14 | _ |
+| main.rs:87:11:87:11 | i | &ref | main.rs:87:10:87:11 | * ... |
 | main.rs:95:10:95:10 | a | tuple.0 | main.rs:95:10:95:12 | a.0 |
 | main.rs:96:10:96:10 | a | tuple.1 | main.rs:96:10:96:12 | a.1 |
 | main.rs:109:10:109:10 | a | tuple.0 | main.rs:109:10:109:12 | a.0 |
diff --git a/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected b/rust/ql/test/library-tests/dataflow/pointers/inline-flow.expected
@@ -1,5 +1,10 @@
 models
 edges
+| main.rs:13:13:13:22 | source(...) | main.rs:14:14:14:14 | a | provenance |  |
+| main.rs:14:13:14:14 | &a [&ref] | main.rs:15:14:15:14 | b [&ref] | provenance |  |
+| main.rs:14:14:14:14 | a | main.rs:14:13:14:14 | &a [&ref] | provenance |  |
+| main.rs:15:13:15:14 | * ... | main.rs:16:10:16:10 | c | provenance |  |
+| main.rs:15:14:15:14 | b [&ref] | main.rs:15:13:15:14 | * ... | provenance |  |
 | main.rs:40:18:40:21 | SelfParam [MyNumber] | main.rs:42:13:42:38 | ...::MyNumber(...) [MyNumber] | provenance |  |
 | main.rs:42:13:42:38 | ...::MyNumber(...) [MyNumber] | main.rs:42:32:42:37 | number | provenance |  |
 | main.rs:42:32:42:37 | number | main.rs:40:31:46:5 | { ... } | provenance |  |
@@ -8,6 +13,12 @@ edges
 | main.rs:59:10:59:18 | my_number [MyNumber] | main.rs:40:18:40:21 | SelfParam [MyNumber] | provenance |  |
 | main.rs:59:10:59:18 | my_number [MyNumber] | main.rs:59:10:59:30 | my_number.to_number(...) | provenance |  |
 nodes
+| main.rs:13:13:13:22 | source(...) | semmle.label | source(...) |
+| main.rs:14:13:14:14 | &a [&ref] | semmle.label | &a [&ref] |
+| main.rs:14:14:14:14 | a | semmle.label | a |
+| main.rs:15:13:15:14 | * ... | semmle.label | * ... |
+| main.rs:15:14:15:14 | b [&ref] | semmle.label | b [&ref] |
+| main.rs:16:10:16:10 | c | semmle.label | c |
 | main.rs:40:18:40:21 | SelfParam [MyNumber] | semmle.label | SelfParam [MyNumber] |
 | main.rs:40:31:46:5 | { ... } | semmle.label | { ... } |
 | main.rs:42:13:42:38 | ...::MyNumber(...) [MyNumber] | semmle.label | ...::MyNumber(...) [MyNumber] |
@@ -20,4 +31,5 @@ subpaths
 | main.rs:59:10:59:18 | my_number [MyNumber] | main.rs:40:18:40:21 | SelfParam [MyNumber] | main.rs:40:31:46:5 | { ... } | main.rs:59:10:59:30 | my_number.to_number(...) |
 testFailures
 #select
+| main.rs:16:10:16:10 | c | main.rs:13:13:13:22 | source(...) | main.rs:16:10:16:10 | c | $@ | main.rs:13:13:13:22 | source(...) | source(...) |
 | main.rs:59:10:59:30 | my_number.to_number(...) | main.rs:58:40:58:49 | source(...) | main.rs:59:10:59:30 | my_number.to_number(...) | $@ | main.rs:58:40:58:49 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/pointers/main.rs b/rust/ql/test/library-tests/dataflow/pointers/main.rs
@@ -13,7 +13,7 @@ fn read_through_borrow() {
     let a = source(21);
     let b = &a;
     let c = *b;
-    sink(c); // $ MISSING: hasValueFlow=21
+    sink(c); // $ hasValueFlow=21
 }
 
 fn write_through_borrow() {
diff --git a/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/strings/inline-taint-flow.expected
@@ -1,10 +1,23 @@
 models
 edges
+| main.rs:20:13:20:22 | source(...) | main.rs:21:19:21:25 | s[...] | provenance |  |
+| main.rs:20:13:20:22 | source(...) | main.rs:22:16:22:21 | sliced | provenance |  |
+| main.rs:21:18:21:25 | &... [&ref] | main.rs:22:16:22:21 | sliced | provenance |  |
+| main.rs:21:19:21:25 | s[...] | main.rs:21:18:21:25 | &... [&ref] | provenance |  |
 | main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | provenance |  |
+| main.rs:37:14:37:23 | source(...) | main.rs:40:10:40:35 | ... + ... | provenance |  |
 nodes
+| main.rs:20:13:20:22 | source(...) | semmle.label | source(...) |
+| main.rs:21:18:21:25 | &... [&ref] | semmle.label | &... [&ref] |
+| main.rs:21:19:21:25 | s[...] | semmle.label | s[...] |
+| main.rs:22:16:22:21 | sliced | semmle.label | sliced |
 | main.rs:26:14:26:23 | source(...) | semmle.label | source(...) |
 | main.rs:32:10:32:11 | s4 | semmle.label | s4 |
+| main.rs:37:14:37:23 | source(...) | semmle.label | source(...) |
+| main.rs:40:10:40:35 | ... + ... | semmle.label | ... + ... |
 subpaths
 testFailures
 #select
+| main.rs:22:16:22:21 | sliced | main.rs:20:13:20:22 | source(...) | main.rs:22:16:22:21 | sliced | $@ | main.rs:20:13:20:22 | source(...) | source(...) |
 | main.rs:32:10:32:11 | s4 | main.rs:26:14:26:23 | source(...) | main.rs:32:10:32:11 | s4 | $@ | main.rs:26:14:26:23 | source(...) | source(...) |
+| main.rs:40:10:40:35 | ... + ... | main.rs:37:14:37:23 | source(...) | main.rs:40:10:40:35 | ... + ... | $@ | main.rs:37:14:37:23 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/strings/main.rs b/rust/ql/test/library-tests/dataflow/strings/main.rs
@@ -19,7 +19,7 @@ fn sink(s: String) {
 fn string_slice() {
     let s = source(35);
     let sliced = &s[1..3];
-    sink_slice(sliced); // $ MISSING: hasTaintFlow=35
+    sink_slice(sliced); // $ hasTaintFlow=35
 }
 
 fn string_add() {
@@ -37,7 +37,7 @@ fn string_add_reference() {
     let s1 = source(37);
     let s2 = "1".to_string();
 
-    sink("Hello ".to_string() + &s1); // $ MISSING: hasTaintFlow=37
+    sink("Hello ".to_string() + &s1); // $ hasTaintFlow=37
     sink("Hello ".to_string() + &s2);
 }
 
diff --git a/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected b/rust/ql/test/library-tests/dataflow/taint/TaintFlowStep.expected
@@ -6,6 +6,7 @@
 | main.rs:23:13:23:13 | a | main.rs:23:13:23:19 | a as u8 |  |
 | main.rs:24:10:24:10 | b | main.rs:24:10:24:17 | b as i64 |  |
 | main.rs:38:23:38:23 | s | main.rs:38:23:38:29 | s[...] |  |
+| main.rs:38:23:38:29 | s[...] | main.rs:38:22:38:29 | &... |  |
 | main.rs:54:14:54:16 | arr | main.rs:54:14:54:19 | arr[1] |  |
 | main.rs:64:24:64:24 | s | main.rs:64:24:64:27 | s[1] |  |
 | main.rs:69:9:69:12 | arr2 | main.rs:69:9:69:15 | arr2[1] |  |
diff --git a/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected b/rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected
@@ -3,6 +3,10 @@ edges
 | main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:14 | ... + ... | provenance |  |
 | main.rs:17:13:17:22 | source(...) | main.rs:18:10:18:11 | - ... | provenance |  |
 | main.rs:22:13:22:22 | source(...) | main.rs:24:10:24:17 | b as i64 | provenance |  |
+| main.rs:37:17:37:26 | source(...) | main.rs:38:23:38:29 | s[...] | provenance |  |
+| main.rs:37:17:37:26 | source(...) | main.rs:39:14:39:19 | sliced | provenance |  |
+| main.rs:38:22:38:29 | &... [&ref] | main.rs:39:14:39:19 | sliced | provenance |  |
+| main.rs:38:23:38:29 | s[...] | main.rs:38:22:38:29 | &... [&ref] | provenance |  |
 | main.rs:53:19:53:28 | source(...) | main.rs:54:14:54:19 | arr[1] | provenance |  |
 | main.rs:69:9:69:12 | [post] arr2 [array[]] | main.rs:70:14:70:17 | arr2 | provenance |  |
 | main.rs:69:19:69:28 | source(...) | main.rs:69:9:69:12 | [post] arr2 [array[]] | provenance |  |
@@ -13,6 +17,10 @@ nodes
 | main.rs:18:10:18:11 | - ... | semmle.label | - ... |
 | main.rs:22:13:22:22 | source(...) | semmle.label | source(...) |
 | main.rs:24:10:24:17 | b as i64 | semmle.label | b as i64 |
+| main.rs:37:17:37:26 | source(...) | semmle.label | source(...) |
+| main.rs:38:22:38:29 | &... [&ref] | semmle.label | &... [&ref] |
+| main.rs:38:23:38:29 | s[...] | semmle.label | s[...] |
+| main.rs:39:14:39:19 | sliced | semmle.label | sliced |
 | main.rs:53:19:53:28 | source(...) | semmle.label | source(...) |
 | main.rs:54:14:54:19 | arr[1] | semmle.label | arr[1] |
 | main.rs:69:9:69:12 | [post] arr2 [array[]] | semmle.label | [post] arr2 [array[]] |
@@ -24,5 +32,6 @@ testFailures
 | main.rs:13:10:13:14 | ... + ... | main.rs:12:13:12:22 | source(...) | main.rs:13:10:13:14 | ... + ... | $@ | main.rs:12:13:12:22 | source(...) | source(...) |
 | main.rs:18:10:18:11 | - ... | main.rs:17:13:17:22 | source(...) | main.rs:18:10:18:11 | - ... | $@ | main.rs:17:13:17:22 | source(...) | source(...) |
 | main.rs:24:10:24:17 | b as i64 | main.rs:22:13:22:22 | source(...) | main.rs:24:10:24:17 | b as i64 | $@ | main.rs:22:13:22:22 | source(...) | source(...) |
+| main.rs:39:14:39:19 | sliced | main.rs:37:17:37:26 | source(...) | main.rs:39:14:39:19 | sliced | $@ | main.rs:37:17:37:26 | source(...) | source(...) |
 | main.rs:54:14:54:19 | arr[1] | main.rs:53:19:53:28 | source(...) | main.rs:54:14:54:19 | arr[1] | $@ | main.rs:53:19:53:28 | source(...) | source(...) |
 | main.rs:70:14:70:17 | arr2 | main.rs:69:19:69:28 | source(...) | main.rs:70:14:70:17 | arr2 | $@ | main.rs:69:19:69:28 | source(...) | source(...) |
diff --git a/rust/ql/test/library-tests/dataflow/taint/main.rs b/rust/ql/test/library-tests/dataflow/taint/main.rs
@@ -36,7 +36,7 @@ mod string {
     pub fn string_slice() {
         let s = source(35);
         let sliced = &s[1..3];
-        sink(sliced); // $ MISSING: hasTaintFlow=35
+        sink(sliced); // $ hasTaintFlow=35
     }
 }
 
diff --git a/rust/ql/test/library-tests/variables/Ssa.expected b/rust/ql/test/library-tests/variables/Ssa.expected
@@ -152,6 +152,8 @@ read
 | variables.rs:16:9:16:10 | x1 | variables.rs:16:9:16:10 | x1 | variables.rs:17:15:17:16 | x1 |
 | variables.rs:21:9:21:14 | x2 | variables.rs:21:13:21:14 | x2 | variables.rs:22:15:22:16 | x2 |
 | variables.rs:23:5:23:6 | x2 | variables.rs:21:13:21:14 | x2 | variables.rs:24:15:24:16 | x2 |
+| variables.rs:28:9:28:13 | x | variables.rs:28:13:28:13 | x | variables.rs:29:20:29:20 | x |
+| variables.rs:30:5:30:5 | x | variables.rs:28:13:28:13 | x | variables.rs:31:20:31:20 | x |
 | variables.rs:35:9:35:10 | x3 | variables.rs:35:9:35:10 | x3 | variables.rs:36:15:36:16 | x3 |
 | variables.rs:35:9:35:10 | x3 | variables.rs:35:9:35:10 | x3 | variables.rs:38:9:38:10 | x3 |
 | variables.rs:37:9:37:10 | x3 | variables.rs:37:9:37:10 | x3 | variables.rs:39:15:39:16 | x3 |
@@ -276,7 +278,9 @@ read
 | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:512:5:512:5 | a |
 | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:513:15:513:15 | a |
 | variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | variables.rs:515:15:515:15 | a |
+| variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | variables.rs:520:20:520:20 | x |
 | variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | variables.rs:521:15:521:15 | x |
+| variables.rs:523:9:523:9 | z | variables.rs:523:9:523:9 | z | variables.rs:524:20:524:20 | z |
 | variables.rs:532:10:532:18 | SelfParam | variables.rs:532:15:532:18 | self | variables.rs:533:6:533:9 | self |
 firstRead
 | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | variables.rs:4:20:4:20 | s |
@@ -285,6 +289,8 @@ firstRead
 | variables.rs:16:9:16:10 | x1 | variables.rs:16:9:16:10 | x1 | variables.rs:17:15:17:16 | x1 |
 | variables.rs:21:9:21:14 | x2 | variables.rs:21:13:21:14 | x2 | variables.rs:22:15:22:16 | x2 |
 | variables.rs:23:5:23:6 | x2 | variables.rs:21:13:21:14 | x2 | variables.rs:24:15:24:16 | x2 |
+| variables.rs:28:9:28:13 | x | variables.rs:28:13:28:13 | x | variables.rs:29:20:29:20 | x |
+| variables.rs:30:5:30:5 | x | variables.rs:28:13:28:13 | x | variables.rs:31:20:31:20 | x |
 | variables.rs:35:9:35:10 | x3 | variables.rs:35:9:35:10 | x3 | variables.rs:36:15:36:16 | x3 |
 | variables.rs:37:9:37:10 | x3 | variables.rs:37:9:37:10 | x3 | variables.rs:39:15:39:16 | x3 |
 | variables.rs:43:9:43:10 | x4 | variables.rs:43:9:43:10 | x4 | variables.rs:44:15:44:16 | x4 |
@@ -383,7 +389,9 @@ firstRead
 | variables.rs:491:22:491:22 | n | variables.rs:491:22:491:22 | n | variables.rs:493:25:493:25 | n |
 | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:511:15:511:15 | a |
 | variables.rs:514:5:514:5 | a | variables.rs:510:13:510:13 | a | variables.rs:515:15:515:15 | a |
+| variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | variables.rs:520:20:520:20 | x |
 | variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | variables.rs:521:15:521:15 | x |
+| variables.rs:523:9:523:9 | z | variables.rs:523:9:523:9 | z | variables.rs:524:20:524:20 | z |
 | variables.rs:532:10:532:18 | SelfParam | variables.rs:532:15:532:18 | self | variables.rs:533:6:533:9 | self |
 lastRead
 | variables.rs:3:14:3:14 | s | variables.rs:3:14:3:14 | s | variables.rs:4:20:4:20 | s |
@@ -523,6 +531,7 @@ adjacentReads
 | variables.rs:491:13:491:17 | f | variables.rs:491:17:491:17 | f | variables.rs:495:9:495:9 | f | variables.rs:496:9:496:9 | f |
 | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:511:15:511:15 | a | variables.rs:512:5:512:5 | a |
 | variables.rs:510:9:510:13 | a | variables.rs:510:13:510:13 | a | variables.rs:512:5:512:5 | a | variables.rs:513:15:513:15 | a |
+| variables.rs:519:9:519:9 | x | variables.rs:519:9:519:9 | x | variables.rs:520:20:520:20 | x | variables.rs:521:15:521:15 | x |
 phi
 | variables.rs:191:9:191:44 | [match(true)] phi | variables.rs:191:9:191:44 | a3 | variables.rs:191:22:191:23 | a3 |
 | variables.rs:191:9:191:44 | [match(true)] phi | variables.rs:191:9:191:44 | a3 | variables.rs:191:42:191:43 | a3 |
diff --git a/rust/ql/test/library-tests/variables/variables.expected b/rust/ql/test/library-tests/variables/variables.expected
@@ -293,6 +293,8 @@ variableReadAccess
 | variables.rs:17:15:17:16 | x1 | variables.rs:16:9:16:10 | x1 |
 | variables.rs:22:15:22:16 | x2 | variables.rs:21:13:21:14 | x2 |
 | variables.rs:24:15:24:16 | x2 | variables.rs:21:13:21:14 | x2 |
+| variables.rs:29:20:29:20 | x | variables.rs:28:13:28:13 | x |
+| variables.rs:31:20:31:20 | x | variables.rs:28:13:28:13 | x |
 | variables.rs:36:15:36:16 | x3 | variables.rs:35:9:35:10 | x3 |
 | variables.rs:38:9:38:10 | x3 | variables.rs:35:9:35:10 | x3 |
 | variables.rs:39:15:39:16 | x3 | variables.rs:37:9:37:10 | x3 |
@@ -369,7 +371,9 @@ variableReadAccess
 | variables.rs:335:12:335:12 | v | variables.rs:332:9:332:9 | v |
 | variables.rs:336:19:336:22 | text | variables.rs:334:9:334:12 | text |
 | variables.rs:343:15:343:15 | a | variables.rs:341:13:341:13 | a |
+| variables.rs:344:11:344:11 | a | variables.rs:341:13:341:13 | a |
 | variables.rs:345:15:345:15 | a | variables.rs:341:13:341:13 | a |
+| variables.rs:351:14:351:14 | i | variables.rs:349:13:349:13 | i |
 | variables.rs:352:6:352:10 | ref_i | variables.rs:350:9:350:13 | ref_i |
 | variables.rs:353:15:353:15 | i | variables.rs:349:13:349:13 | i |
 | variables.rs:357:6:357:6 | x | variables.rs:356:17:356:17 | x |
@@ -381,11 +385,15 @@ variableReadAccess
 | variables.rs:366:10:366:10 | x | variables.rs:363:22:363:22 | x |
 | variables.rs:367:6:367:6 | y | variables.rs:363:39:363:39 | y |
 | variables.rs:368:9:368:9 | x | variables.rs:363:22:363:22 | x |
+| variables.rs:374:27:374:27 | x | variables.rs:372:13:372:13 | x |
 | variables.rs:375:6:375:6 | y | variables.rs:373:9:373:9 | y |
 | variables.rs:377:15:377:15 | x | variables.rs:372:13:372:13 | x |
+| variables.rs:381:19:381:19 | x | variables.rs:372:13:372:13 | x |
+| variables.rs:383:14:383:14 | z | variables.rs:379:13:379:13 | z |
 | variables.rs:384:9:384:9 | w | variables.rs:380:9:380:9 | w |
 | variables.rs:386:7:386:7 | w | variables.rs:380:9:380:9 | w |
 | variables.rs:388:15:388:15 | z | variables.rs:379:13:379:13 | z |
+| variables.rs:394:14:394:14 | x | variables.rs:392:13:392:13 | x |
 | variables.rs:395:6:395:6 | y | variables.rs:393:9:393:9 | y |
 | variables.rs:396:15:396:15 | x | variables.rs:392:13:392:13 | x |
 | variables.rs:403:19:403:19 | x | variables.rs:400:9:400:9 | x |
@@ -429,7 +437,9 @@ variableReadAccess
 | variables.rs:512:5:512:5 | a | variables.rs:510:13:510:13 | a |
 | variables.rs:513:15:513:15 | a | variables.rs:510:13:510:13 | a |
 | variables.rs:515:15:515:15 | a | variables.rs:510:13:510:13 | a |
+| variables.rs:520:20:520:20 | x | variables.rs:519:9:519:9 | x |
 | variables.rs:521:15:521:15 | x | variables.rs:519:9:519:9 | x |
+| variables.rs:524:20:524:20 | z | variables.rs:523:9:523:9 | z |
 | variables.rs:533:6:533:9 | self | variables.rs:532:15:532:18 | self |
 | variables.rs:539:3:539:3 | a | variables.rs:538:11:538:11 | a |
 | variables.rs:541:13:541:13 | a | variables.rs:538:11:538:11 | a |
diff --git a/rust/ql/test/library-tests/variables/variables.rs b/rust/ql/test/library-tests/variables/variables.rs

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {`
`46`	`46`	`RustDataFlow::readStep(pred, cs, succ) and`
`47`	`47`	`cs.getContent() instanceof ArrayElementContent`
`48`	`48`	`)`
	`49`	`+ or`
	`50`	`+ pred.asExpr() = succ.asExpr().(RefExprCfgNode).getExpr()`
`49`	`51`	`)`
`50`	`52`	`or`
`51`	`53`	`FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),`
`@@ -59,7 +61,10 @@ module RustTaintTracking implements InputSig<Location, RustDataFlow> {`
`59`	`61`	`bindingset[node]`
`60`	`62`	`predicate defaultImplicitTaintRead(Node::Node node, ContentSet cs) {`
`61`	`63`	`exists(node) and`
`62`		`- cs.(SingletonContentSet).getContent() instanceof ArrayElementContent`
	`64`	`+ exists(Content c \| c = cs.(SingletonContentSet).getContent() \|`
	`65`	`+ c instanceof ArrayElementContent or`
	`66`	`+ c instanceof ReferenceContent`
	`67`	`+ )`
`63`	`68`	`}`
`64`	`69`
`65`	`70`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -484,7 +484,6 @@ module Impl {`
`484`	`484`	`class VariableReadAccess extends VariableAccess {`
`485`	`485`	`VariableReadAccess() {`
`486`	`486`	`not this instanceof VariableWriteAccess and`
`487`		`- not this = any(RefExpr re).getExpr() and`
`488`	`487`	`not this = any(CompoundAssignmentExpr cae).getLhs()`
`489`	`488`	`}`
`490`	`489`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ fn read_through_borrow() {`
`13`	`13`	`let a = source(21);`
`14`	`14`	`let b = &a;`
`15`	`15`	`let c = *b;`
`16`		`- sink(c); // $ MISSING: hasValueFlow=21`
	`16`	`+ sink(c); // $ hasValueFlow=21`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`fn write_through_borrow() {`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ fn sink(s: String) {`
`19`	`19`	`fn string_slice() {`
`20`	`20`	`let s = source(35);`
`21`	`21`	`let sliced = &s[1..3];`
`22`		`- sink_slice(sliced); // $ MISSING: hasTaintFlow=35`
	`22`	`+ sink_slice(sliced); // $ hasTaintFlow=35`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`fn string_add() {`
`@@ -37,7 +37,7 @@ fn string_add_reference() {`
`37`	`37`	`let s1 = source(37);`
`38`	`38`	`let s2 = "1".to_string();`
`39`	`39`
`40`		`- sink("Hello ".to_string() + &s1); // $ MISSING: hasTaintFlow=37`
	`40`	`+ sink("Hello ".to_string() + &s1); // $ hasTaintFlow=37`
`41`	`41`	`sink("Hello ".to_string() + &s2);`
`42`	`42`	`}`
`43`	`43`