Merge pull request #18482 from hvitved/rust/nested-functions

Rust: Take nested functions into account when resolving variables

rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll

@@ -397,20 +397,23 @@ module Impl {
     )
   }
 
-  private newtype TVariableOrAccessCand =
-    TVariableOrAccessCandVariable(Variable v) or
-    TVariableOrAccessCandVariableAccessCand(VariableAccessCand va)
+  private newtype TDefOrAccessCand =
+    TDefOrAccessCandNestedFunction(Function f, BlockExprScope scope) {
+      f = scope.getStmtList().getAStatement()
+    } or
+    TDefOrAccessCandVariable(Variable v) or
+    TDefOrAccessCandVariableAccessCand(VariableAccessCand va)
 
   /**
-   * A variable declaration or variable access candidate.
+   * A nested function declaration, variable declaration, or variable (or function)
+   * access candidate.
    *
-   * In order to determine whether a candidate is an actual variable access,
-   * we rank declarations and candidates by their position in source code.
+   * In order to determine whether a candidate is an actual variable/function access,
+   * we rank declarations and candidates by their position in the AST.
    *
-   * The ranking must take variable names into account, but also variable scopes;
-   * below a comment `rank(scope, name, i)` means that the declaration/access on
-   * the given line has rank `i` amongst all declarations/accesses inside variable
-   * scope `scope`, for variable name `name`:
+   * The ranking must take names into account, but also variable scopes; below a comment
+   * `rank(scope, name, i)` means that the declaration/access on the given line has rank
+   * `i` amongst all declarations/accesses inside variable scope `scope`, for name `name`:
    *
    * ```rust
    * fn f() {           // scope0
@@ -430,8 +433,8 @@ module Impl {
    * }
    * ```
    *
-   * Variable declarations are only ranked in the scope that they bind into, while
-   * accesses candidates propagate outwards through scopes, as they may access
+   * Function/variable declarations are only ranked in the scope that they bind into,
+   * while accesses candidates propagate outwards through scopes, as they may access
    * declarations from outer scopes.
    *
    * For an access candidate with ranks `{ rank(scope_i, name, rnk_i) | i in I }` and
@@ -448,41 +451,80 @@ module Impl {
    * i.e., its the nearest declaration before the access in the same (or outer) scope
    * as the access.
    */
-  private class VariableOrAccessCand extends TVariableOrAccessCand {
-    Variable asVariable() { this = TVariableOrAccessCandVariable(result) }
+  abstract private class DefOrAccessCand extends TDefOrAccessCand {
+    abstract string toString();
 
-    VariableAccessCand asVariableAccessCand() {
-      this = TVariableOrAccessCandVariableAccessCand(result)
-    }
+    abstract Location getLocation();
 
-    string toString() {
-      result = this.asVariable().toString() or result = this.asVariableAccessCand().toString()
-    }
+    pragma[nomagic]
+    abstract predicate rankBy(string name, VariableScope scope, int ord, int kind);
+  }
 
-    Location getLocation() {
-      result = this.asVariable().getLocation() or result = this.asVariableAccessCand().getLocation()
-    }
+  abstract private class NestedFunctionOrVariable extends DefOrAccessCand { }
 
-    pragma[nomagic]
-    predicate rankBy(string name, VariableScope scope, int ord, int kind) {
-      variableDeclInScope(this.asVariable(), scope, name, ord) and
+  private class DefOrAccessCandNestedFunction extends NestedFunctionOrVariable,
+    TDefOrAccessCandNestedFunction
+  {
+    private Function f;
+    private BlockExprScope scope_;
+
+    DefOrAccessCandNestedFunction() { this = TDefOrAccessCandNestedFunction(f, scope_) }
+
+    override string toString() { result = f.toString() }
+
+    override Location getLocation() { result = f.getLocation() }
+
+    override predicate rankBy(string name, VariableScope scope, int ord, int kind) {
+      // nested functions behave as if they are defined at the beginning of the scope
+      name = f.getName().getText() and
+      scope = scope_ and
+      ord = 0 and
       kind = 0
-      or
-      variableAccessCandInScope(this.asVariableAccessCand(), scope, name, _, ord) and
+    }
+  }
+
+  private class DefOrAccessCandVariable extends NestedFunctionOrVariable, TDefOrAccessCandVariable {
+    private Variable v;
+
+    DefOrAccessCandVariable() { this = TDefOrAccessCandVariable(v) }
+
+    override string toString() { result = v.toString() }
+
+    override Location getLocation() { result = v.getLocation() }
+
+    override predicate rankBy(string name, VariableScope scope, int ord, int kind) {
+      variableDeclInScope(v, scope, name, ord) and
       kind = 1
     }
   }
 
+  private class DefOrAccessCandVariableAccessCand extends DefOrAccessCand,
+    TDefOrAccessCandVariableAccessCand
+  {
+    private VariableAccessCand va;
+
+    DefOrAccessCandVariableAccessCand() { this = TDefOrAccessCandVariableAccessCand(va) }
+
+    override string toString() { result = va.toString() }
+
+    override Location getLocation() { result = va.getLocation() }
+
+    override predicate rankBy(string name, VariableScope scope, int ord, int kind) {
+      variableAccessCandInScope(va, scope, name, _, ord) and
+      kind = 2
+    }
+  }
+
   private module DenseRankInput implements DenseRankInputSig2 {
     class C1 = VariableScope;
 
     class C2 = string;
 
-    class Ranked = VariableOrAccessCand;
+    class Ranked = DefOrAccessCand;
 
-    int getRank(VariableScope scope, string name, VariableOrAccessCand v) {
+    int getRank(VariableScope scope, string name, DefOrAccessCand v) {
       v =
-        rank[result](VariableOrAccessCand v0, int ord, int kind |
+        rank[result](DefOrAccessCand v0, int ord, int kind |
           v0.rankBy(name, scope, ord, kind)
         |
           v0 order by ord, kind
@@ -494,7 +536,7 @@ module Impl {
    * Gets the rank of `v` amongst all other declarations or access candidates
    * to a variable named `name` in the variable scope `scope`.
    */
-  private int rankVariableOrAccess(VariableScope scope, string name, VariableOrAccessCand v) {
+  private int rankVariableOrAccess(VariableScope scope, string name, DefOrAccessCand v) {
     v = DenseRank2<DenseRankInput>::denseRank(scope, name, result + 1)
   }
 
@@ -512,25 +554,38 @@ module Impl {
    * the declaration at rank 0 can only reach the access at rank 1, while the declaration
    * at rank 2 can only reach the access at rank 3.
    */
-  private predicate variableReachesRank(VariableScope scope, string name, Variable v, int rnk) {
-    rnk = rankVariableOrAccess(scope, name, TVariableOrAccessCandVariable(v))
+  private predicate variableReachesRank(
+    VariableScope scope, string name, NestedFunctionOrVariable v, int rnk
+  ) {
+    rnk = rankVariableOrAccess(scope, name, v)
     or
     variableReachesRank(scope, name, v, rnk - 1) and
-    rnk = rankVariableOrAccess(scope, name, TVariableOrAccessCandVariableAccessCand(_))
+    rnk = rankVariableOrAccess(scope, name, TDefOrAccessCandVariableAccessCand(_))
   }
 
   private predicate variableReachesCand(
-    VariableScope scope, string name, Variable v, VariableAccessCand cand, int nestLevel
+    VariableScope scope, string name, NestedFunctionOrVariable v, VariableAccessCand cand,
+    int nestLevel
   ) {
     exists(int rnk |
       variableReachesRank(scope, name, v, rnk) and
-      rnk = rankVariableOrAccess(scope, name, TVariableOrAccessCandVariableAccessCand(cand)) and
+      rnk = rankVariableOrAccess(scope, name, TDefOrAccessCandVariableAccessCand(cand)) and
       variableAccessCandInScope(cand, scope, name, nestLevel, _)
     )
   }
 
+  pragma[nomagic]
+  predicate access(string name, NestedFunctionOrVariable v, VariableAccessCand cand) {
+    v =
+      min(NestedFunctionOrVariable v0, int nestLevel |
+        variableReachesCand(_, name, v0, cand, nestLevel)
+      |
+        v0 order by nestLevel
+      )
+  }
+
   /** A variable access. */
-  class VariableAccess extends PathExprBaseImpl::PathExprBase instanceof VariableAccessCand {
+  class VariableAccess extends PathExprBaseImpl::PathExprBase {
     private string name;
     private Variable v;
 
@@ -574,6 +629,16 @@ module Impl {
     }
   }
 
+  /** A nested function access. */
+  class NestedFunctionAccess extends PathExprBaseImpl::PathExprBase {
+    private Function f;
+
+    NestedFunctionAccess() { nestedFunctionAccess(_, f, this) }
+
+    /** Gets the function being accessed. */
+    Function getFunction() { result = f }
+  }
+
   cached
   private module Cached {
     cached
@@ -582,12 +647,12 @@ module Impl {
 
     cached
     predicate variableAccess(string name, Variable v, VariableAccessCand cand) {
-      v =
-        min(Variable v0, int nestLevel |
-          variableReachesCand(_, name, v0, cand, nestLevel)
-        |
-          v0 order by nestLevel
-        )
+      access(name, TDefOrAccessCandVariable(v), cand)
+    }
+
+    cached
+    predicate nestedFunctionAccess(string name, Function f, VariableAccessCand cand) {
+      access(name, TDefOrAccessCandNestedFunction(f, _), cand)
     }
   }
 

rust/ql/test/library-tests/dataflow/global/inline-flow.expected

@@ -20,21 +20,28 @@ edges
 | main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | provenance |  |
 | main.rs:41:26:44:5 | { ... } | main.rs:41:13:44:6 | pass_through(...) | provenance |  |
 | main.rs:43:9:43:18 | source(...) | main.rs:41:26:44:5 | { ... } | provenance |  |
-| main.rs:56:23:56:28 | ...: i64 | main.rs:57:14:57:14 | n | provenance |  |
-| main.rs:59:31:65:5 | { ... } | main.rs:77:13:77:25 | mn.get_data(...) | provenance |  |
-| main.rs:63:13:63:21 | source(...) | main.rs:59:31:65:5 | { ... } | provenance |  |
-| main.rs:66:28:66:33 | ...: i64 | main.rs:66:43:72:5 | { ... } | provenance |  |
-| main.rs:77:9:77:9 | a | main.rs:78:10:78:10 | a | provenance |  |
-| main.rs:77:13:77:25 | mn.get_data(...) | main.rs:77:9:77:9 | a | provenance |  |
-| main.rs:83:9:83:9 | a | main.rs:84:16:84:16 | a | provenance |  |
-| main.rs:83:13:83:21 | source(...) | main.rs:83:9:83:9 | a | provenance |  |
-| main.rs:84:16:84:16 | a | main.rs:56:23:56:28 | ...: i64 | provenance |  |
-| main.rs:89:9:89:9 | a | main.rs:90:29:90:29 | a | provenance |  |
-| main.rs:89:13:89:21 | source(...) | main.rs:89:9:89:9 | a | provenance |  |
-| main.rs:90:9:90:9 | b | main.rs:91:10:91:10 | b | provenance |  |
-| main.rs:90:13:90:30 | mn.data_through(...) | main.rs:90:9:90:9 | b | provenance |  |
-| main.rs:90:29:90:29 | a | main.rs:66:28:66:33 | ...: i64 | provenance |  |
-| main.rs:90:29:90:29 | a | main.rs:90:13:90:30 | mn.data_through(...) | provenance |  |
+| main.rs:49:9:49:9 | a | main.rs:55:26:55:26 | a | provenance |  |
+| main.rs:49:13:49:22 | source(...) | main.rs:49:9:49:9 | a | provenance |  |
+| main.rs:51:21:51:26 | ...: i64 | main.rs:51:36:53:5 | { ... } | provenance |  |
+| main.rs:55:9:55:9 | b | main.rs:56:10:56:10 | b | provenance |  |
+| main.rs:55:13:55:27 | pass_through(...) | main.rs:55:9:55:9 | b | provenance |  |
+| main.rs:55:26:55:26 | a | main.rs:51:21:51:26 | ...: i64 | provenance |  |
+| main.rs:55:26:55:26 | a | main.rs:55:13:55:27 | pass_through(...) | provenance |  |
+| main.rs:67:23:67:28 | ...: i64 | main.rs:68:14:68:14 | n | provenance |  |
+| main.rs:70:31:76:5 | { ... } | main.rs:88:13:88:25 | mn.get_data(...) | provenance |  |
+| main.rs:74:13:74:21 | source(...) | main.rs:70:31:76:5 | { ... } | provenance |  |
+| main.rs:77:28:77:33 | ...: i64 | main.rs:77:43:83:5 | { ... } | provenance |  |
+| main.rs:88:9:88:9 | a | main.rs:89:10:89:10 | a | provenance |  |
+| main.rs:88:13:88:25 | mn.get_data(...) | main.rs:88:9:88:9 | a | provenance |  |
+| main.rs:94:9:94:9 | a | main.rs:95:16:95:16 | a | provenance |  |
+| main.rs:94:13:94:21 | source(...) | main.rs:94:9:94:9 | a | provenance |  |
+| main.rs:95:16:95:16 | a | main.rs:67:23:67:28 | ...: i64 | provenance |  |
+| main.rs:100:9:100:9 | a | main.rs:101:29:101:29 | a | provenance |  |
+| main.rs:100:13:100:21 | source(...) | main.rs:100:9:100:9 | a | provenance |  |
+| main.rs:101:9:101:9 | b | main.rs:102:10:102:10 | b | provenance |  |
+| main.rs:101:13:101:30 | mn.data_through(...) | main.rs:101:9:101:9 | b | provenance |  |
+| main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | provenance |  |
+| main.rs:101:29:101:29 | a | main.rs:101:13:101:30 | mn.data_through(...) | provenance |  |
 nodes
 | main.rs:12:28:14:1 | { ... } | semmle.label | { ... } |
 | main.rs:13:5:13:13 | source(...) | semmle.label | source(...) |
@@ -59,34 +66,44 @@ nodes
 | main.rs:41:26:44:5 | { ... } | semmle.label | { ... } |
 | main.rs:43:9:43:18 | source(...) | semmle.label | source(...) |
 | main.rs:45:10:45:10 | a | semmle.label | a |
-| main.rs:56:23:56:28 | ...: i64 | semmle.label | ...: i64 |
-| main.rs:57:14:57:14 | n | semmle.label | n |
-| main.rs:59:31:65:5 | { ... } | semmle.label | { ... } |
-| main.rs:63:13:63:21 | source(...) | semmle.label | source(...) |
-| main.rs:66:28:66:33 | ...: i64 | semmle.label | ...: i64 |
-| main.rs:66:43:72:5 | { ... } | semmle.label | { ... } |
-| main.rs:77:9:77:9 | a | semmle.label | a |
-| main.rs:77:13:77:25 | mn.get_data(...) | semmle.label | mn.get_data(...) |
-| main.rs:78:10:78:10 | a | semmle.label | a |
-| main.rs:83:9:83:9 | a | semmle.label | a |
-| main.rs:83:13:83:21 | source(...) | semmle.label | source(...) |
-| main.rs:84:16:84:16 | a | semmle.label | a |
-| main.rs:89:9:89:9 | a | semmle.label | a |
-| main.rs:89:13:89:21 | source(...) | semmle.label | source(...) |
-| main.rs:90:9:90:9 | b | semmle.label | b |
-| main.rs:90:13:90:30 | mn.data_through(...) | semmle.label | mn.data_through(...) |
-| main.rs:90:29:90:29 | a | semmle.label | a |
-| main.rs:91:10:91:10 | b | semmle.label | b |
+| main.rs:49:9:49:9 | a | semmle.label | a |
+| main.rs:49:13:49:22 | source(...) | semmle.label | source(...) |
+| main.rs:51:21:51:26 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:51:36:53:5 | { ... } | semmle.label | { ... } |
+| main.rs:55:9:55:9 | b | semmle.label | b |
+| main.rs:55:13:55:27 | pass_through(...) | semmle.label | pass_through(...) |
+| main.rs:55:26:55:26 | a | semmle.label | a |
+| main.rs:56:10:56:10 | b | semmle.label | b |
+| main.rs:67:23:67:28 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:68:14:68:14 | n | semmle.label | n |
+| main.rs:70:31:76:5 | { ... } | semmle.label | { ... } |
+| main.rs:74:13:74:21 | source(...) | semmle.label | source(...) |
+| main.rs:77:28:77:33 | ...: i64 | semmle.label | ...: i64 |
+| main.rs:77:43:83:5 | { ... } | semmle.label | { ... } |
+| main.rs:88:9:88:9 | a | semmle.label | a |
+| main.rs:88:13:88:25 | mn.get_data(...) | semmle.label | mn.get_data(...) |
+| main.rs:89:10:89:10 | a | semmle.label | a |
+| main.rs:94:9:94:9 | a | semmle.label | a |
+| main.rs:94:13:94:21 | source(...) | semmle.label | source(...) |
+| main.rs:95:16:95:16 | a | semmle.label | a |
+| main.rs:100:9:100:9 | a | semmle.label | a |
+| main.rs:100:13:100:21 | source(...) | semmle.label | source(...) |
+| main.rs:101:9:101:9 | b | semmle.label | b |
+| main.rs:101:13:101:30 | mn.data_through(...) | semmle.label | mn.data_through(...) |
+| main.rs:101:29:101:29 | a | semmle.label | a |
+| main.rs:102:10:102:10 | b | semmle.label | b |
 subpaths
 | main.rs:36:26:36:26 | a | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:36:13:36:27 | pass_through(...) |
 | main.rs:41:26:44:5 | { ... } | main.rs:30:17:30:22 | ...: i64 | main.rs:30:32:32:1 | { ... } | main.rs:41:13:44:6 | pass_through(...) |
-| main.rs:90:29:90:29 | a | main.rs:66:28:66:33 | ...: i64 | main.rs:66:43:72:5 | { ... } | main.rs:90:13:90:30 | mn.data_through(...) |
+| main.rs:55:26:55:26 | a | main.rs:51:21:51:26 | ...: i64 | main.rs:51:36:53:5 | { ... } | main.rs:55:13:55:27 | pass_through(...) |
+| main.rs:101:29:101:29 | a | main.rs:77:28:77:33 | ...: i64 | main.rs:77:43:83:5 | { ... } | main.rs:101:13:101:30 | mn.data_through(...) |
 testFailures
 #select
 | main.rs:18:10:18:10 | a | main.rs:13:5:13:13 | source(...) | main.rs:18:10:18:10 | a | $@ | main.rs:13:5:13:13 | source(...) | source(...) |
 | main.rs:22:10:22:10 | n | main.rs:26:13:26:21 | source(...) | main.rs:22:10:22:10 | n | $@ | main.rs:26:13:26:21 | source(...) | source(...) |
 | main.rs:37:10:37:10 | b | main.rs:35:13:35:21 | source(...) | main.rs:37:10:37:10 | b | $@ | main.rs:35:13:35:21 | source(...) | source(...) |
 | main.rs:45:10:45:10 | a | main.rs:43:9:43:18 | source(...) | main.rs:45:10:45:10 | a | $@ | main.rs:43:9:43:18 | source(...) | source(...) |
-| main.rs:57:14:57:14 | n | main.rs:83:13:83:21 | source(...) | main.rs:57:14:57:14 | n | $@ | main.rs:83:13:83:21 | source(...) | source(...) |
-| main.rs:78:10:78:10 | a | main.rs:63:13:63:21 | source(...) | main.rs:78:10:78:10 | a | $@ | main.rs:63:13:63:21 | source(...) | source(...) |
-| main.rs:91:10:91:10 | b | main.rs:89:13:89:21 | source(...) | main.rs:91:10:91:10 | b | $@ | main.rs:89:13:89:21 | source(...) | source(...) |
+| main.rs:56:10:56:10 | b | main.rs:49:13:49:22 | source(...) | main.rs:56:10:56:10 | b | $@ | main.rs:49:13:49:22 | source(...) | source(...) |
+| main.rs:68:14:68:14 | n | main.rs:94:13:94:21 | source(...) | main.rs:68:14:68:14 | n | $@ | main.rs:94:13:94:21 | source(...) | source(...) |
+| main.rs:89:10:89:10 | a | main.rs:74:13:74:21 | source(...) | main.rs:89:10:89:10 | a | $@ | main.rs:74:13:74:21 | source(...) | source(...) |
+| main.rs:102:10:102:10 | b | main.rs:100:13:100:21 | source(...) | main.rs:102:10:102:10 | b | $@ | main.rs:100:13:100:21 | source(...) | source(...) |

rust/ql/test/library-tests/dataflow/global/main.rs

@@ -45,6 +45,17 @@ fn block_expression_as_argument() {
     sink(a); // $ hasValueFlow=14
 }
 
+fn data_through_nested_function() {
+    let a = source(15);
+
+    fn pass_through(i: i64) -> i64 {
+        i
+    }
+
+    let b = pass_through(a);
+    sink(b); // $ hasValueFlow=15
+}
+
 // -----------------------------------------------------------------------------
 // Data flow in, out, and through method.
 
@@ -127,6 +138,7 @@ fn main() {
     data_out_of_call();
     data_in_to_call();
     data_through_call();
+    data_through_nested_function();
 
     data_out_of_method();
     data_in_to_method_call();

rust/ql/test/library-tests/dataflow/global/viableCallable.expected

@@ -10,26 +10,30 @@
 | main.rs:41:13:44:6 | pass_through(...) | main.rs:30:1:32:1 | fn pass_through |
 | main.rs:43:9:43:18 | source(...) | main.rs:1:1:3:1 | fn source |
 | main.rs:45:5:45:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:57:9:57:15 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:63:13:63:21 | source(...) | main.rs:1:1:3:1 | fn source |
-| main.rs:77:13:77:25 | mn.get_data(...) | main.rs:59:5:65:5 | fn get_data |
-| main.rs:78:5:78:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:83:13:83:21 | source(...) | main.rs:1:1:3:1 | fn source |
-| main.rs:84:5:84:17 | mn.data_in(...) | main.rs:56:5:58:5 | fn data_in |
-| main.rs:89:13:89:21 | source(...) | main.rs:1:1:3:1 | fn source |
-| main.rs:90:13:90:30 | mn.data_through(...) | main.rs:66:5:72:5 | fn data_through |
-| main.rs:91:5:91:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:110:28:110:36 | source(...) | main.rs:1:1:3:1 | fn source |
-| main.rs:113:5:113:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:116:28:116:36 | source(...) | main.rs:1:1:3:1 | fn source |
-| main.rs:118:5:118:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:120:28:120:36 | source(...) | main.rs:1:1:3:1 | fn source |
-| main.rs:122:13:122:20 | a.add(...) | main.rs:103:5:106:5 | fn add |
-| main.rs:123:5:123:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
-| main.rs:127:5:127:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call |
-| main.rs:128:5:128:21 | data_in_to_call(...) | main.rs:25:1:28:1 | fn data_in_to_call |
-| main.rs:129:5:129:23 | data_through_call(...) | main.rs:34:1:38:1 | fn data_through_call |
-| main.rs:131:5:131:24 | data_out_of_method(...) | main.rs:75:1:79:1 | fn data_out_of_method |
-| main.rs:132:5:132:28 | data_in_to_method_call(...) | main.rs:81:1:85:1 | fn data_in_to_method_call |
-| main.rs:133:5:133:25 | data_through_method(...) | main.rs:87:1:92:1 | fn data_through_method |
-| main.rs:135:5:135:31 | test_operator_overloading(...) | main.rs:109:1:124:1 | fn test_operator_overloading |
+| main.rs:49:13:49:22 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:55:13:55:27 | pass_through(...) | main.rs:51:5:53:5 | fn pass_through |
+| main.rs:56:5:56:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:68:9:68:15 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:74:13:74:21 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:88:13:88:25 | mn.get_data(...) | main.rs:70:5:76:5 | fn get_data |
+| main.rs:89:5:89:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:94:13:94:21 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:95:5:95:17 | mn.data_in(...) | main.rs:67:5:69:5 | fn data_in |
+| main.rs:100:13:100:21 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:101:13:101:30 | mn.data_through(...) | main.rs:77:5:83:5 | fn data_through |
+| main.rs:102:5:102:11 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:121:28:121:36 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:124:5:124:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:127:28:127:36 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:129:5:129:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:131:28:131:36 | source(...) | main.rs:1:1:3:1 | fn source |
+| main.rs:133:13:133:20 | a.add(...) | main.rs:114:5:117:5 | fn add |
+| main.rs:134:5:134:17 | sink(...) | main.rs:5:1:7:1 | fn sink |
+| main.rs:138:5:138:22 | data_out_of_call(...) | main.rs:16:1:19:1 | fn data_out_of_call |
+| main.rs:139:5:139:21 | data_in_to_call(...) | main.rs:25:1:28:1 | fn data_in_to_call |
+| main.rs:140:5:140:23 | data_through_call(...) | main.rs:34:1:38:1 | fn data_through_call |
+| main.rs:141:5:141:34 | data_through_nested_function(...) | main.rs:48:1:57:1 | fn data_through_nested_function |
+| main.rs:143:5:143:24 | data_out_of_method(...) | main.rs:86:1:90:1 | fn data_out_of_method |
+| main.rs:144:5:144:28 | data_in_to_method_call(...) | main.rs:92:1:96:1 | fn data_in_to_method_call |
+| main.rs:145:5:145:25 | data_through_method(...) | main.rs:98:1:103:1 | fn data_through_method |
+| main.rs:147:5:147:31 | test_operator_overloading(...) | main.rs:120:1:135:1 | fn test_operator_overloading |

rust/ql/test/library-tests/variables/main.rs

@@ -328,6 +328,36 @@ fn closure_variable() {
     print_i64(n2); // $ read_access=n2
 }
 
+fn nested_function() {
+    // local variables shadow local functions
+    let f = // f1
+        |x: i64| // x_1
+        x; // $ read_access=x_1
+    print_i64(f(1)); // $ read_access=f1
+
+    fn f(x: i64) -> i64 { // x_2
+        x + 1 // $ read_access=x_2
+    }
+
+    print_i64(f(2)); // $ read_access=f1
+
+    {
+        print_i64(f(3));
+        fn f(x: i64) -> i64 { // x_3
+            2 * x // $ read_access=x_3
+        }
+
+        {
+            print_i64(f(4));
+        }
+
+        let f = // f2
+            |x: i64| // x_4
+            x; // $ read_access=x_4
+        print_i64(f(5)); // $ read_access=f2
+    }
+}
+
 fn for_variable() {
     let v = &["apples", "cake", "coffee"]; // v
 
@@ -594,6 +624,7 @@ fn main() {
     param_pattern2(Either::Left(45));
     destruct_assignment();
     closure_variable();
+    nested_function();
     for_variable();
     add_assign();
     mutate();

rust/ql/test/library-tests/variables/variables.ql

@@ -1,5 +1,6 @@
 import rust
 import utils.test.InlineExpectationsTest
+import codeql.rust.elements.internal.VariableImpl::Impl as VariableImpl
 
 query predicate variable(Variable v) { any() }
 
@@ -15,6 +16,10 @@ query predicate capturedVariable(Variable v) { v.isCaptured() }
 
 query predicate capturedAccess(VariableAccess va) { va.isCapture() }
 
+query predicate nestedFunctionAccess(VariableImpl::NestedFunctionAccess nfa, Function f) {
+  f = nfa.getFunction()
+}
+
 module VariableAccessTest implements TestSig {
   string getARelevantTag() { result = ["", "write_", "read_"] + "access" }