Rust: Don't report excessive results for the same source.

geoffw0 · geoffw0 · commit e4cadf09ce49 · 2025-03-24T12:12:42.000Z
diff --git a/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql b/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
@@ -26,6 +26,11 @@ module AccessInvalidPointerConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node node) { node instanceof AccessInvalidPointer::Sink }
 
   predicate isBarrier(DataFlow::Node barrier) { barrier instanceof AccessInvalidPointer::Barrier }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    // make sinks barriers so that we only report the closest instance
+    isSink(node)
+  }
 }
 
 module AccessInvalidPointerFlow = DataFlow::Global<AccessInvalidPointerConfig>;
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected b/rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected
@@ -1,7 +1,5 @@
 #select
 | deallocation.rs:26:15:26:16 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:26:15:26:16 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
-| deallocation.rs:32:16:32:17 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:32:16:32:17 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
-| deallocation.rs:33:16:33:17 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:33:16:33:17 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
 | deallocation.rs:37:14:37:33 | ...::read::<...> | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:37:14:37:33 | ...::read::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
 | deallocation.rs:44:6:44:7 | m1 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:44:6:44:7 | m1 | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
 | deallocation.rs:49:5:49:25 | ...::write::<...> | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:49:5:49:25 | ...::write::<...> | This operation dereferences a pointer that may be $@. | deallocation.rs:20:23:20:24 | m1 | invalid |
@@ -18,8 +16,6 @@
 | deallocation.rs:214:18:214:20 | ptr | deallocation.rs:208:27:208:29 | ptr | deallocation.rs:214:18:214:20 | ptr | This operation dereferences a pointer that may be $@. | deallocation.rs:208:27:208:29 | ptr | invalid |
 edges
 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:26:15:26:16 | m1 | provenance |  |
-| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:32:16:32:17 | m1 | provenance |  |
-| deallocation.rs:20:23:20:24 | m1 | deallocation.rs:33:16:33:17 | m1 | provenance |  |
 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:37:35:37:36 | m1 | provenance |  |
 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:44:6:44:7 | m1 | provenance |  |
 | deallocation.rs:20:23:20:24 | m1 | deallocation.rs:49:27:49:28 | m1 | provenance |  |
@@ -52,8 +48,6 @@ models
 nodes
 | deallocation.rs:20:23:20:24 | m1 | semmle.label | m1 |
 | deallocation.rs:26:15:26:16 | m1 | semmle.label | m1 |
-| deallocation.rs:32:16:32:17 | m1 | semmle.label | m1 |
-| deallocation.rs:33:16:33:17 | m1 | semmle.label | m1 |
 | deallocation.rs:37:14:37:33 | ...::read::<...> | semmle.label | ...::read::<...> |
 | deallocation.rs:37:35:37:36 | m1 | semmle.label | m1 |
 | deallocation.rs:44:6:44:7 | m1 | semmle.label | m1 |
diff --git a/rust/ql/test/query-tests/security/CWE-825/deallocation.rs b/rust/ql/test/query-tests/security/CWE-825/deallocation.rs
@@ -29,8 +29,8 @@ pub fn test_alloc(mode: i32) {
 				println!("	v6 = {v6} (!)"); // corrupt in practice
 
 				// test repeat reads (we don't want lots of very similar results for the same dealloc)
-				let v5b = *m1; // $ Alert[rust/access-invalid-pointer]=dealloc
-				let v5c = *m1; // $ Alert[rust/access-invalid-pointer]=dealloc
+				let v5b = *m1;
+				let v5c = *m1;
 			},
 			100 => {
 				// more reads
