Rust: Add a test of repeat sinks.

geoffw0 · geoffw0 · commit b7044bdcde3f · 2025-03-24T12:04:43.000Z
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected b/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected
@@ -1,44 +1,48 @@
 #select
 | deallocation.rs:26:15:26:16 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:26:15:26:16 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
-| deallocation.rs:33:14:33:33 | ...::read::<...> | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:33:14:33:33 | ...::read::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
-| deallocation.rs:40:6:40:7 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:40:6:40:7 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
-| deallocation.rs:45:5:45:25 | ...::write::<...> | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:45:5:45:25 | ...::write::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
-| deallocation.rs:72:16:72:17 | m2 | deallocation.rs:66:23:66:24 | m2 | deallocation.rs:72:16:72:17 | m2 | This operation dereferences a pointer that may be $@. | deallocation.rs:66:23:66:24 | m2 | invalid |
-| deallocation.rs:77:16:77:17 | m2 | deallocation.rs:66:23:66:24 | m2 | deallocation.rs:77:16:77:17 | m2 | This operation dereferences a pointer that may be $@. | deallocation.rs:66:23:66:24 | m2 | invalid |
-| deallocation.rs:82:7:82:8 | m2 | deallocation.rs:66:23:66:24 | m2 | deallocation.rs:82:7:82:8 | m2 | This operation dereferences a pointer that may be $@. | deallocation.rs:66:23:66:24 | m2 | invalid |
-| deallocation.rs:86:7:86:8 | m2 | deallocation.rs:66:23:66:24 | m2 | deallocation.rs:86:7:86:8 | m2 | This operation dereferences a pointer that may be $@. | deallocation.rs:66:23:66:24 | m2 | invalid |
-| deallocation.rs:91:5:91:31 | ...::write::<...> | deallocation.rs:66:23:66:24 | m2 | deallocation.rs:91:5:91:31 | ...::write::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:66:23:66:24 | m2 | invalid |
-| deallocation.rs:111:13:111:18 | my_ptr | deallocation.rs:108:14:108:19 | my_ptr | deallocation.rs:111:13:111:18 | my_ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:108:14:108:19 | my_ptr | invalid |
-| deallocation.rs:126:14:126:15 | p1 | deallocation.rs:119:23:119:40 | ...::dangling | deallocation.rs:126:14:126:15 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:119:23:119:40 | ...::dangling | invalid |
-| deallocation.rs:127:14:127:15 | p2 | deallocation.rs:120:21:120:42 | ...::dangling_mut | deallocation.rs:127:14:127:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:120:21:120:42 | ...::dangling_mut | invalid |
-| deallocation.rs:128:14:128:15 | p3 | deallocation.rs:121:23:121:36 | ...::null | deallocation.rs:128:14:128:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:121:23:121:36 | ...::null | invalid |
-| deallocation.rs:176:15:176:16 | p1 | deallocation.rs:172:27:172:28 | p1 | deallocation.rs:176:15:176:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:172:27:172:28 | p1 | invalid |
-| deallocation.rs:210:18:210:20 | ptr | deallocation.rs:204:27:204:29 | ptr | deallocation.rs:210:18:210:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:204:27:204:29 | ptr | invalid |
+| deallocation.rs:32:16:32:17 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:32:16:32:17 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:33:16:33:17 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:33:16:33:17 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:37:14:37:33 | ...::read::<...> | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:37:14:37:33 | ...::read::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:44:6:44:7 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:44:6:44:7 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:49:5:49:25 | ...::write::<...> | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:49:5:49:25 | ...::write::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
+| deallocation.rs:76:16:76:17 | m2 | deallocation.rs:70:23:70:24 | m2 | deallocation.rs:76:16:76:17 | m2 | This operation dereferences a pointer that may be $@. | deallocation.rs:70:23:70:24 | m2 | invalid |
+| deallocation.rs:81:16:81:17 | m2 | deallocation.rs:70:23:70:24 | m2 | deallocation.rs:81:16:81:17 | m2 | This operation dereferences a pointer that may be $@. | deallocation.rs:70:23:70:24 | m2 | invalid |
+| deallocation.rs:86:7:86:8 | m2 | deallocation.rs:70:23:70:24 | m2 | deallocation.rs:86:7:86:8 | m2 | This operation dereferences a pointer that may be $@. | deallocation.rs:70:23:70:24 | m2 | invalid |
+| deallocation.rs:90:7:90:8 | m2 | deallocation.rs:70:23:70:24 | m2 | deallocation.rs:90:7:90:8 | m2 | This operation dereferences a pointer that may be $@. | deallocation.rs:70:23:70:24 | m2 | invalid |
+| deallocation.rs:95:5:95:31 | ...::write::<...> | deallocation.rs:70:23:70:24 | m2 | deallocation.rs:95:5:95:31 | ...::write::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:70:23:70:24 | m2 | invalid |
+| deallocation.rs:115:13:115:18 | my_ptr | deallocation.rs:112:14:112:19 | my_ptr | deallocation.rs:115:13:115:18 | my_ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:112:14:112:19 | my_ptr | invalid |
+| deallocation.rs:130:14:130:15 | p1 | deallocation.rs:123:23:123:40 | ...::dangling | deallocation.rs:130:14:130:15 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:123:23:123:40 | ...::dangling | invalid |
+| deallocation.rs:131:14:131:15 | p2 | deallocation.rs:124:21:124:42 | ...::dangling_mut | deallocation.rs:131:14:131:15 | p2 | This operation dereferences a pointer that may be $@. | deallocation.rs:124:21:124:42 | ...::dangling_mut | invalid |
+| deallocation.rs:132:14:132:15 | p3 | deallocation.rs:125:23:125:36 | ...::null | deallocation.rs:132:14:132:15 | p3 | This operation dereferences a pointer that may be $@. | deallocation.rs:125:23:125:36 | ...::null | invalid |
+| deallocation.rs:180:15:180:16 | p1 | deallocation.rs:176:27:176:28 | p1 | deallocation.rs:180:15:180:16 | p1 | This operation dereferences a pointer that may be $@. | deallocation.rs:176:27:176:28 | p1 | invalid |
+| deallocation.rs:214:18:214:20 | ptr | deallocation.rs:208:27:208:29 | ptr | deallocation.rs:214:18:214:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:208:27:208:29 | ptr | invalid |
 edges
 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:26:15:26:16 | m1 | provenance |  |
-| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:33:35:33:36 | m1 | provenance |  |
-| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:40:6:40:7 | m1 | provenance |  |
-| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:45:27:45:28 | m1 | provenance |  |
-| deallocation.rs:33:35:33:36 | m1 | deallocation.rs:33:14:33:33 | ...::read::<...> | provenance | MaD:1 Sink:MaD:1 |
-| deallocation.rs:45:27:45:28 | m1 | deallocation.rs:45:5:45:25 | ...::write::<...> | provenance | MaD:2 Sink:MaD:2 |
-| deallocation.rs:66:23:66:24 | m2 | deallocation.rs:72:16:72:17 | m2 | provenance |  |
-| deallocation.rs:66:23:66:24 | m2 | deallocation.rs:77:16:77:17 | m2 | provenance |  |
-| deallocation.rs:66:23:66:24 | m2 | deallocation.rs:82:7:82:8 | m2 | provenance |  |
-| deallocation.rs:66:23:66:24 | m2 | deallocation.rs:86:7:86:8 | m2 | provenance |  |
-| deallocation.rs:66:23:66:24 | m2 | deallocation.rs:91:33:91:34 | m2 | provenance |  |
-| deallocation.rs:91:33:91:34 | m2 | deallocation.rs:91:5:91:31 | ...::write::<...> | provenance | MaD:2 Sink:MaD:2 |
-| deallocation.rs:108:14:108:19 | my_ptr | deallocation.rs:111:13:111:18 | my_ptr | provenance |  |
-| deallocation.rs:119:6:119:7 | p1 | deallocation.rs:126:14:126:15 | p1 | provenance |  |
-| deallocation.rs:119:23:119:40 | ...::dangling | deallocation.rs:119:23:119:42 | ...::dangling(...) | provenance | Src:MaD:3 MaD:3 |
-| deallocation.rs:119:23:119:42 | ...::dangling(...) | deallocation.rs:119:6:119:7 | p1 | provenance |  |
-| deallocation.rs:120:6:120:7 | p2 | deallocation.rs:127:14:127:15 | p2 | provenance |  |
-| deallocation.rs:120:21:120:42 | ...::dangling_mut | deallocation.rs:120:21:120:44 | ...::dangling_mut(...) | provenance | Src:MaD:4 MaD:4 |
-| deallocation.rs:120:21:120:44 | ...::dangling_mut(...) | deallocation.rs:120:6:120:7 | p2 | provenance |  |
-| deallocation.rs:121:6:121:7 | p3 | deallocation.rs:128:14:128:15 | p3 | provenance |  |
-| deallocation.rs:121:23:121:36 | ...::null | deallocation.rs:121:23:121:38 | ...::null(...) | provenance | Src:MaD:5 MaD:5 |
-| deallocation.rs:121:23:121:38 | ...::null(...) | deallocation.rs:121:6:121:7 | p3 | provenance |  |
-| deallocation.rs:172:27:172:28 | p1 | deallocation.rs:176:15:176:16 | p1 | provenance |  |
-| deallocation.rs:204:27:204:29 | ptr | deallocation.rs:210:18:210:20 | ptr | provenance |  |
+| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:32:16:32:17 | m1 | provenance |  |
+| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:33:16:33:17 | m1 | provenance |  |
+| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:37:35:37:36 | m1 | provenance |  |
+| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:44:6:44:7 | m1 | provenance |  |
+| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:49:27:49:28 | m1 | provenance |  |
+| deallocation.rs:37:35:37:36 | m1 | deallocation.rs:37:14:37:33 | ...::read::<...> | provenance | MaD:1 Sink:MaD:1 |
+| deallocation.rs:49:27:49:28 | m1 | deallocation.rs:49:5:49:25 | ...::write::<...> | provenance | MaD:2 Sink:MaD:2 |
+| deallocation.rs:70:23:70:24 | m2 | deallocation.rs:76:16:76:17 | m2 | provenance |  |
+| deallocation.rs:70:23:70:24 | m2 | deallocation.rs:81:16:81:17 | m2 | provenance |  |
+| deallocation.rs:70:23:70:24 | m2 | deallocation.rs:86:7:86:8 | m2 | provenance |  |
+| deallocation.rs:70:23:70:24 | m2 | deallocation.rs:90:7:90:8 | m2 | provenance |  |
+| deallocation.rs:70:23:70:24 | m2 | deallocation.rs:95:33:95:34 | m2 | provenance |  |
+| deallocation.rs:95:33:95:34 | m2 | deallocation.rs:95:5:95:31 | ...::write::<...> | provenance | MaD:2 Sink:MaD:2 |
+| deallocation.rs:112:14:112:19 | my_ptr | deallocation.rs:115:13:115:18 | my_ptr | provenance |  |
+| deallocation.rs:123:6:123:7 | p1 | deallocation.rs:130:14:130:15 | p1 | provenance |  |
+| deallocation.rs:123:23:123:40 | ...::dangling | deallocation.rs:123:23:123:42 | ...::dangling(...) | provenance | Src:MaD:3 MaD:3 |
+| deallocation.rs:123:23:123:42 | ...::dangling(...) | deallocation.rs:123:6:123:7 | p1 | provenance |  |
+| deallocation.rs:124:6:124:7 | p2 | deallocation.rs:131:14:131:15 | p2 | provenance |  |
+| deallocation.rs:124:21:124:42 | ...::dangling_mut | deallocation.rs:124:21:124:44 | ...::dangling_mut(...) | provenance | Src:MaD:4 MaD:4 |
+| deallocation.rs:124:21:124:44 | ...::dangling_mut(...) | deallocation.rs:124:6:124:7 | p2 | provenance |  |
+| deallocation.rs:125:6:125:7 | p3 | deallocation.rs:132:14:132:15 | p3 | provenance |  |
+| deallocation.rs:125:23:125:36 | ...::null | deallocation.rs:125:23:125:38 | ...::null(...) | provenance | Src:MaD:5 MaD:5 |
+| deallocation.rs:125:23:125:38 | ...::null(...) | deallocation.rs:125:6:125:7 | p3 | provenance |  |
+| deallocation.rs:176:27:176:28 | p1 | deallocation.rs:180:15:180:16 | p1 | provenance |  |
+| deallocation.rs:208:27:208:29 | ptr | deallocation.rs:214:18:214:20 | ptr | provenance |  |
 models
 | 1 | Sink: lang:core; crate::ptr::read; pointer-access; Argument[0] |
 | 2 | Sink: lang:core; crate::ptr::write; pointer-access; Argument[0] |
@@ -48,34 +52,36 @@ models
 nodes
 | deallocation.rs:20:23:20:24 | m1 | semmle.label | m1 |
 | deallocation.rs:26:15:26:16 | m1 | semmle.label | m1 |
-| deallocation.rs:33:14:33:33 | ...::read::<...> | semmle.label | ...::read::<...> |
-| deallocation.rs:33:35:33:36 | m1 | semmle.label | m1 |
-| deallocation.rs:40:6:40:7 | m1 | semmle.label | m1 |
-| deallocation.rs:45:5:45:25 | ...::write::<...> | semmle.label | ...::write::<...> |
-| deallocation.rs:45:27:45:28 | m1 | semmle.label | m1 |
-| deallocation.rs:66:23:66:24 | m2 | semmle.label | m2 |
-| deallocation.rs:72:16:72:17 | m2 | semmle.label | m2 |
-| deallocation.rs:77:16:77:17 | m2 | semmle.label | m2 |
-| deallocation.rs:82:7:82:8 | m2 | semmle.label | m2 |
+| deallocation.rs:32:16:32:17 | m1 | semmle.label | m1 |
+| deallocation.rs:33:16:33:17 | m1 | semmle.label | m1 |
+| deallocation.rs:37:14:37:33 | ...::read::<...> | semmle.label | ...::read::<...> |
+| deallocation.rs:37:35:37:36 | m1 | semmle.label | m1 |
+| deallocation.rs:44:6:44:7 | m1 | semmle.label | m1 |
+| deallocation.rs:49:5:49:25 | ...::write::<...> | semmle.label | ...::write::<...> |
+| deallocation.rs:49:27:49:28 | m1 | semmle.label | m1 |
+| deallocation.rs:70:23:70:24 | m2 | semmle.label | m2 |
+| deallocation.rs:76:16:76:17 | m2 | semmle.label | m2 |
+| deallocation.rs:81:16:81:17 | m2 | semmle.label | m2 |
 | deallocation.rs:86:7:86:8 | m2 | semmle.label | m2 |
-| deallocation.rs:91:5:91:31 | ...::write::<...> | semmle.label | ...::write::<...> |
-| deallocation.rs:91:33:91:34 | m2 | semmle.label | m2 |
-| deallocation.rs:108:14:108:19 | my_ptr | semmle.label | my_ptr |
-| deallocation.rs:111:13:111:18 | my_ptr | semmle.label | my_ptr |
-| deallocation.rs:119:6:119:7 | p1 | semmle.label | p1 |
-| deallocation.rs:119:23:119:40 | ...::dangling | semmle.label | ...::dangling |
-| deallocation.rs:119:23:119:42 | ...::dangling(...) | semmle.label | ...::dangling(...) |
-| deallocation.rs:120:6:120:7 | p2 | semmle.label | p2 |
-| deallocation.rs:120:21:120:42 | ...::dangling_mut | semmle.label | ...::dangling_mut |
-| deallocation.rs:120:21:120:44 | ...::dangling_mut(...) | semmle.label | ...::dangling_mut(...) |
-| deallocation.rs:121:6:121:7 | p3 | semmle.label | p3 |
-| deallocation.rs:121:23:121:36 | ...::null | semmle.label | ...::null |
-| deallocation.rs:121:23:121:38 | ...::null(...) | semmle.label | ...::null(...) |
-| deallocation.rs:126:14:126:15 | p1 | semmle.label | p1 |
-| deallocation.rs:127:14:127:15 | p2 | semmle.label | p2 |
-| deallocation.rs:128:14:128:15 | p3 | semmle.label | p3 |
-| deallocation.rs:172:27:172:28 | p1 | semmle.label | p1 |
-| deallocation.rs:176:15:176:16 | p1 | semmle.label | p1 |
-| deallocation.rs:204:27:204:29 | ptr | semmle.label | ptr |
-| deallocation.rs:210:18:210:20 | ptr | semmle.label | ptr |
+| deallocation.rs:90:7:90:8 | m2 | semmle.label | m2 |
+| deallocation.rs:95:5:95:31 | ...::write::<...> | semmle.label | ...::write::<...> |
+| deallocation.rs:95:33:95:34 | m2 | semmle.label | m2 |
+| deallocation.rs:112:14:112:19 | my_ptr | semmle.label | my_ptr |
+| deallocation.rs:115:13:115:18 | my_ptr | semmle.label | my_ptr |
+| deallocation.rs:123:6:123:7 | p1 | semmle.label | p1 |
+| deallocation.rs:123:23:123:40 | ...::dangling | semmle.label | ...::dangling |
+| deallocation.rs:123:23:123:42 | ...::dangling(...) | semmle.label | ...::dangling(...) |
+| deallocation.rs:124:6:124:7 | p2 | semmle.label | p2 |
+| deallocation.rs:124:21:124:42 | ...::dangling_mut | semmle.label | ...::dangling_mut |
+| deallocation.rs:124:21:124:44 | ...::dangling_mut(...) | semmle.label | ...::dangling_mut(...) |
+| deallocation.rs:125:6:125:7 | p3 | semmle.label | p3 |
+| deallocation.rs:125:23:125:36 | ...::null | semmle.label | ...::null |
+| deallocation.rs:125:23:125:38 | ...::null(...) | semmle.label | ...::null(...) |
+| deallocation.rs:130:14:130:15 | p1 | semmle.label | p1 |
+| deallocation.rs:131:14:131:15 | p2 | semmle.label | p2 |
+| deallocation.rs:132:14:132:15 | p3 | semmle.label | p3 |
+| deallocation.rs:176:27:176:28 | p1 | semmle.label | p1 |
+| deallocation.rs:180:15:180:16 | p1 | semmle.label | p1 |
+| deallocation.rs:208:27:208:29 | ptr | semmle.label | ptr |
+| deallocation.rs:214:18:214:20 | ptr | semmle.label | ptr |
 subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-825/deallocation.rs b/rust/ql/test/query-tests/security/CWE-825/deallocation.rs
@@ -27,6 +27,10 @@ pub fn test_alloc(mode: i32) {
 				let v6 = *m2; // $ MISSING: Alert
 				println!("	v5 = {v5} (!)"); // corrupt in practice
 				println!("	v6 = {v6} (!)"); // corrupt in practice
+
+				// test repeat reads (we don't want lots of very similar results for the same dealloc)
+				let v5b = *m1; // $ Alert[rust/access-invalid-pointer]=dealloc
+				let v5c = *m1; // $ Alert[rust/access-invalid-pointer]=dealloc
 			},
 			100 => {
 				// more reads
