wip3

Author: hvitved

rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll

@@ -352,15 +352,6 @@ private module Input3 implements InputSig3 {
     AstNode getExpr() { result = super.getExpr() }
   }
 
-  /** A ternary conditional expression. */
-  class ConditionalExpr extends AstNode, IfExpr {
-    AstNode getCondition() { result = super.getCondition() }
-
-    AstNode getThen() { result = super.getThen() }
-
-    AstNode getElse() { result = super.getElse() }
-  }
-
   predicate certainTypeEqualityInput(AstNode n1, TypePath prefix1, AstNode n2, TypePath prefix2) {
     n1 =
       any(IdentPat ip |
@@ -392,65 +383,10 @@ private module Input3 implements InputSig3 {
 
   predicate inferCertainTypeInput = CertainTypeInferenceInput::inferCertainTypeInput/2;
 
-  /**
-   * Holds if `child` is a child of `parent`, and the Rust compiler applies [least
-   * upper bound (LUB) coercion][1] to infer the type of `parent` from the type of
-   * `child`.
-   *
-   * In this case, we want type information to only flow from `child` to `parent`,
-   * to avoid (a) either having to model LUB coercions, or (b) risk combinatorial
-   * explosion in inferred types.
-   *
-   * [1]: https://doc.rust-lang.org/reference/type-coercions.html#r-coerce.least-upper-bound
-   */
-  predicate lubCoercionInput(AstNode parent, AstNode child, TypePath prefix) {
-    parent =
-      any(MatchExpr me |
-        child = me.getAnArm().getExpr() and
-        me.getNumberOfArms() > 1
-      ) and
-    prefix.isEmpty()
-    or
-    parent =
-      any(ArrayListExpr ale |
-        child = ale.getAnExpr() and
-        ale.getNumberOfExprs() > 1
-      ) and
-    prefix = TypePath::singleton(getArrayTypeParameter())
-    or
-    bodyReturns(parent, child) and
-    strictcount(Expr e | bodyReturns(parent, e)) > 1 and
-    prefix.isEmpty()
-    or
-    parent = any(ClosureExpr ce | not ce.hasRetType() and ce.getClosureBody() = child) and
-    prefix = closureReturnPath()
-    or
-    exists(Struct s |
-      child = [parent.(RangeExpr).getStart(), parent.(RangeExpr).getEnd()] and
-      prefix = TypePath::singleton(TTypeParamTypeParameter(s.getGenericParamList().getATypeParam())) and
-      s = getRangeType(parent)
-    )
-  }
-
-  predicate typeEqualityAsymmetricInput(AstNode n1, TypePath prefix1, AstNode n2, TypePath prefix2) {
-    // When `n2` is `*n1` propagate type information from a raw pointer type
-    // parameter at `n1`. The other direction is handled in
-    // `inferDereferencedExprPtrType`.
-    n1 = n2.(DerefExpr).getExpr() and
-    prefix1 = TypePath::singleton(getPtrTypeParameter()) and
-    prefix2.isEmpty()
-  }
-
   predicate typeEqualityInput(AstNode n1, TypePath prefix1, AstNode n2, TypePath prefix2) {
     prefix1.isEmpty() and
     prefix2.isEmpty() and
     (
-      n2 =
-        any(MatchExpr me |
-          n1 = me.getAnArm().getExpr() and
-          me.getNumberOfArms() = 1
-        )
-      or
       exists(MatchExpr me |
         n1 = me.getScrutinee() and
         n2 = me.getAnArm().getPat()
@@ -471,9 +407,6 @@ private module Input3 implements InputSig3 {
       not isPanicMacroCall(n2)
       or
       n1 = n2.(MacroPat).getMacroCall().getMacroCallExpansion()
-      or
-      bodyReturns(n1, n2) and
-      strictcount(Expr e | bodyReturns(n1, e)) = 1
     )
     or
     n2 =
@@ -516,21 +449,56 @@ private module Input3 implements InputSig3 {
       )
     )
     or
-    // an array list expression with only one element (such as `[1]`) has type from that element
-    n1 =
-      any(ArrayListExpr ale |
-        ale.getAnExpr() = n2 and
-        ale.getNumberOfExprs() = 1
-      ) and
-    prefix1 = TypePath::singleton(getArrayTypeParameter()) and
-    prefix2.isEmpty()
-    or
     // an array repeat expression (`[1; 3]`) has the type of the repeat operand
     n1.(ArrayRepeatExpr).getRepeatOperand() = n2 and
     prefix1 = TypePath::singleton(getArrayTypeParameter()) and
     prefix2.isEmpty()
   }
 
+  predicate typeEqualityAsymmetricInput(AstNode n1, TypePath prefix1, AstNode n2, TypePath prefix2) {
+    // When `n2` is `*n1` propagate type information from a raw pointer type
+    // parameter at `n1`. The other direction is handled in
+    // `inferDereferencedExprPtrType`.
+    n1 = n2.(DerefExpr).getExpr() and
+    prefix1 = TypePath::singleton(getPtrTypeParameter()) and
+    prefix2.isEmpty()
+    or
+    n2 = any(ClosureExpr ce | not ce.hasRetType() and ce.getClosureBody() = n1) and
+    prefix2 = closureReturnPath() and
+    prefix1.isEmpty()
+  }
+
+  /**
+   * Holds if `child` is a child of `parent`, and the Rust compiler applies [least
+   * upper bound (LUB) coercion][1] to infer the type of `parent` from the type of
+   * `child`.
+   *
+   * In this case, we want type information to only flow from `child` to `parent`,
+   * to avoid (a) either having to model LUB coercions, or (b) risk combinatorial
+   * explosion in inferred types.
+   *
+   * [1]: https://doc.rust-lang.org/reference/type-coercions.html#r-coerce.least-upper-bound
+   */
+  predicate parentChildType(AstNode parent, AstNode child, TypePath prefix) {
+    child = parent.(IfExpr).getABranch() and
+    prefix.isEmpty()
+    or
+    parent = any(MatchExpr me | child = me.getAnArm().getExpr()) and
+    prefix.isEmpty()
+    or
+    parent = any(ArrayListExpr ale | child = ale.getAnExpr()) and
+    prefix = TypePath::singleton(getArrayTypeParameter())
+    or
+    bodyReturns(parent, child) and
+    prefix.isEmpty()
+    or
+    exists(Struct s |
+      child = [parent.(RangeExpr).getStart(), parent.(RangeExpr).getEnd()] and
+      prefix = TypePath::singleton(TTypeParamTypeParameter(s.getGenericParamList().getATypeParam())) and
+      s = getRangeType(parent)
+    )
+  }
+
   Type inferTypeInput(AstNode n, TypePath path) {
     result = inferAssignmentOperationType(n, path)
     or

shared/typeinference/codeql/typeinference/internal/TypeInference.qll

@@ -2199,18 +2199,6 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
         AstNode getExpr();
       }
 
-      /** A ternary conditional expression. */
-      class ConditionalExpr extends AstNode {
-        /** Gets the condition of this expression. */
-        AstNode getCondition();
-
-        /** Gets the true branch of this expression. */
-        AstNode getThen();
-
-        /** Gets the false branch of this expression. */
-        AstNode getElse();
-      }
-
       /**
        * Holds if the types of `n1` at `path1` and `n2` at `path2` are certainly equal.
        */
@@ -2220,14 +2208,10 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
       Type inferCertainTypeInput(AstNode n, TypePath path);
 
       /**
-       * Holds if `child` is a child of `parent`, and a least upper bound (LUB) coercion
-       * may be applied to infer the type of `parent` from the type of `child`.
-       *
-       * In this case, we want type information to only flow from `child` to `parent`,
-       * to avoid (a) either having to model LUB coercions, or (b) risk combinatorial
-       * explosion in inferred types.
+       * Holds if the types of `n1` at `path1` and `n2` at `path2` are possibly equal,
+       * and type information should be allowed to flow in both directions between them.
        */
-      predicate lubCoercionInput(AstNode parent, AstNode child, TypePath prefix);
+      predicate typeEqualityInput(AstNode n1, TypePath path1, AstNode n2, TypePath path2);
 
       /**
        * Holds if the type tree of `n1` at `path1` should be equal to the type tree
@@ -2237,9 +2221,12 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
       predicate typeEqualityAsymmetricInput(AstNode n1, TypePath path1, AstNode n2, TypePath path2);
 
       /**
-       * Holds if the types of `n1` at `path1` and `n2` at `path2` are possibly equal.
+       * Holds if `child` is a child of `parent` and the type of `parent` at `prefix` can be
+       * inferred from the type of `child`.
+       *
+       * When `child` is unique, we also allow type information to flow from `parent` to `child`.
        */
-      predicate typeEqualityInput(AstNode n1, TypePath path1, AstNode n2, TypePath path2);
+      predicate parentChildType(AstNode parent, AstNode child, TypePath prefix);
 
       /** Gets the inferred type of `n` at `path`. */
       Type inferTypeInput(AstNode n, TypePath path);
@@ -2355,13 +2342,16 @@ module Make1<LocationSig Location, InputSig1<Location> Input1> {
         )
         or
         typeEqualityInput(n1, path1, n2, path2)
+        or
+        n2 = unique(AstNode child | parentChildType(n1, child, path1) | child) and
+        path2.isEmpty()
       }
 
       private predicate lubCoercion(AstNode parent, AstNode child, TypePath prefix) {
-        parent = any(ConditionalExpr ce | child = [ce.getThen(), ce.getElse()]) and
-        prefix.isEmpty()
+        parentChildType(parent, child, prefix) and
+        strictcount(AstNode child0 | parentChildType(parent, child0, prefix) | child0) > 1
         or
-        lubCoercionInput(parent, child, prefix)
+        typeEqualityAsymmetricInput(child, TypePath::nil(), parent, prefix)
       }
 
       private predicate typeEqualityAsymmetric(