Open
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
hvitved
force-pushed
the
rust/type-inference-unify
branch
from
46c92f3 to
ed0c757
Compare
hvitved
force-pushed
the
rust/type-inference-unify
branch
from
786d5bd to
9a87116
Compare
hvitved
force-pushed
the
rust/type-inference-unify
branch
4 times, most recently
from
0eaade9 to
237b806
Compare
hvitved
force-pushed
the
rust/type-inference-unify
branch
from
237b806 to
b647e6f
Compare
hvitved
force-pushed
the
rust/type-inference-unify
branch
7 times, most recently
from
7bd16e0 to
331d5d5
Compare
hvitved
force-pushed
the
rust/type-inference-unify
branch
7 times, most recently
from
d7ac787 to
eeb8264
Compare
hvitved
force-pushed
the
rust/type-inference-unify
branch
3 times, most recently
from
9db7fbd to
aca2ce0
Compare
hvitved
force-pushed
the
rust/type-inference-unify
branch
8 times, most recently
from
27d4522 to
6a6ccd9
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors Rust call resolution/type inference to use a unified implementation for resolving all associated function calls (methods and non-method associated functions), addressing missed/incorrect call targets in cases involving multiple trait bounds and reducing duplication in the type inference library.
Changes:
- Unifies method and non-method associated-function resolution into a single associated-function-based resolver and matching pipeline, using function-call-syntax–adjusted positions throughout.
- Adjusts blanket-implementation handling and supporting utilities used by call resolution/type inference.
- Updates/extends Rust type-inference, dataflow, and security query tests to reflect improved call-target resolution and taint/value flows.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| shared/util/codeql/util/Option.qll | Adds a none_() constructor to complement some(...), used by new resolution logic. |
| rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll | Major refactor: unifies associated-function resolution/matching and splits tuple-like construction matching. |
| rust/ql/lib/codeql/rust/internal/typeinference/FunctionType.qll | Updates function-position “function-call adjusted” logic used by the unified resolution/matching. |
| rust/ql/lib/codeql/rust/internal/typeinference/BlanketImplementation.qll | Tightens blanket-like implementation identification used during resolution. |
| rust/ql/lib/codeql/rust/elements/internal/InvocationExprImpl.qll | Adjusts argument-position domain for invocation expressions. |
| rust/ql/lib/codeql/rust/elements/internal/ImplImpl.qll | Adds isInherent() helper for impl blocks. |
| rust/ql/test/library-tests/type-inference/regressions.rs | Adds a regression covering associated-function resolution with multiple trait bounds. |
| rust/ql/test/library-tests/type-inference/overloading.rs | Adds overloading scenarios for inherent-vs-trait associated-function targeting. |
| rust/ql/test/library-tests/type-inference/type-inference.expected | Updates expected type inference results for new resolution behavior. |
| rust/ql/test/library-tests/dataflow/taint/main.rs | Updates inline flow expectations where call targets now resolve. |
| rust/ql/test/library-tests/dataflow/taint/inline-taint-flow.expected | Updates expected taint-flow graph to reflect newly resolved call edges. |
| rust/ql/test/library-tests/dataflow/sources/net/CONSISTENCY/PathResolutionConsistency.expected | Removes previously-expected multiple-resolved-target consistency entries. |
| rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs | Updates expectations for newly detected weak-crypto alerts. |
| rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/BrokenCryptoAlgorithm.expected | Updates expected alert set/locations after improved call resolution. |
| rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/CONSISTENCY/PathResolutionConsistency.expected | Removes now-resolved path-resolution inconsistency expectation. |
hvitved
force-pushed
the
rust/type-inference-unify
branch
from
6a6ccd9 to
b03dcdd
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
I was investigating a type inference performance issue on
tayu0110/exml, and came up with a small reproduction case (first commit,regressions.rs), which revealed that we are not correctly handling resolution of calls to non-method associated functions when the argument used to resolve the call has multiple trait bounds.For method calls we are handling multiple trait bounds correctly since #21043, so the obvious solution would be to replicate this logic for non-method calls as well.
However, with #21217 we have:
which allows us to instead unify the resolution logic for calls to methods (module
MethodResolution) and calls to non-methods (moduleNonMethodResolution) in a single implementation encompassing calls to all associated functions (moduleAssocFunctionResolution). Calls to non-associated functions does not rely on type inference (but instead on path resolution only), which is handled in the classNonAssocCallExpr.Just like we can unify call resolution logic, we can also unify propagation of type information through resolved calls for calls to methods (module
MethodCallMatching) and calls to non-methods (moduleNonMethodCallMatching) in a single implementation (moduleFunctionCallMatching), and type inference for tuple-like variant and struct constructions such asOption::Some(42)is then done in a separate moduleTupleLikeConstructionMatching.A common theme in the changes on this PR is that we use function-call syntax adjusted positions for both calls and functions, which means that for example
xinx.m()andselfinfn method(self,...)have position0instead of positionself. This change is needed since now that we are no longer distinguishing between methods and non-methods in resolution, we cannot know up front whetherxinFoo::m(x)should map to aselfparameter (whenmis a method) or the first positional parameter (whenmis not a method).Impact
tayu0110/exmlis resolved, which was the original motivation for this work.TypeInference.qll, a net reduction in 100 lines, reducing maintenance burden going forward.Percentage of calls with call targetfrom83.02 %to84.28while at the same time reducingPath resolution inconsistencies, which means that the added call targets are genuinely new resolved calls.rust; this happens because we are now resolving more calls, making the data flow computation forAccessAfterLifetime.qlmuch more expensive. Turning off trait dispatch makes the query run fast again, which suggests that we should at some point consider doing type-based pruning like for other static languages. This, however, is not the responsibility of the type inference library.