Rust: Fix the false positives.

geoffw0 · geoffw0 · commit 32e9fdfe19f3 · 2025-12-04T17:19:41.000Z
diff --git a/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessAfterLifetimeExtensions.qll
@@ -99,11 +99,17 @@ module AccessAfterLifetime {
     // `b` is a child of `a`
     a = b.getEnclosingBlock*()
     or
-    // propagate through function calls
+    // propagate through function calls (static target)
     exists(CallExprBase ce |
       mayEncloseOnStack(a, ce.getEnclosingBlock()) and
       ce.getStaticTarget() = b.getEnclosingCallable()
     )
+    or
+    // propagate through function calls (runtime target)
+    exists(Call c |
+      mayEncloseOnStack(a, c.getEnclosingBlock()) and
+      c.getARuntimeTarget() = b.getEnclosingCallable()
+    )
   }
 
   /**
diff --git a/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected b/rust/ql/test/query-tests/security/CWE-825/AccessAfterLifetime.expected
@@ -22,7 +22,6 @@
 | lifetime.rs:667:14:667:17 | ref1 | lifetime.rs:655:11:655:25 | &raw const str2 | lifetime.rs:667:14:667:17 | ref1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:651:7:651:10 | str2 | str2 |
 | lifetime.rs:789:12:789:13 | p1 | lifetime.rs:781:9:781:19 | &my_local10 | lifetime.rs:789:12:789:13 | p1 | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:779:6:779:15 | my_local10 | my_local10 |
 | lifetime.rs:808:23:808:25 | ptr | lifetime.rs:798:9:798:12 | &val | lifetime.rs:808:23:808:25 | ptr | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:796:6:796:8 | val | val |
-| lifetime.rs:843:12:843:14 | ptr | lifetime.rs:851:12:851:23 | &local_value | lifetime.rs:843:12:843:14 | ptr | Access of a pointer to $@ after its lifetime has ended. | lifetime.rs:850:6:850:16 | local_value | local_value |
 | main.rs:64:23:64:24 | p2 | main.rs:44:26:44:28 | &b2 | main.rs:64:23:64:24 | p2 | Access of a pointer to $@ after its lifetime has ended. | main.rs:43:13:43:14 | b2 | b2 |
 edges
 | deallocation.rs:242:6:242:7 | p1 | deallocation.rs:245:14:245:15 | p1 | provenance |  |
diff --git a/rust/ql/test/query-tests/security/CWE-825/lifetime.rs b/rust/ql/test/query-tests/security/CWE-825/lifetime.rs
@@ -840,15 +840,15 @@ struct MyProcessor {
 impl Processor for MyProcessor {
 	fn process(ptr: *const i64) -> i64 {
 		unsafe {
-			return *ptr; // $ SPURIOUS: Alert[rust/access-after-lifetime-ended]=local_value
+			return *ptr; // good
 		}
 	}
 }
 
 fn generic_caller<T: Processor>() -> i64
 {
 	let local_value: i64 = 10;
-	let ptr = &local_value as *const i64; // $ Source[rust/access-after-lifetime-ended]=local_value
+	let ptr = &local_value as *const i64;
 
 	return T::process(ptr);
 }

Original file line number	Diff line number	Diff line change
`@@ -840,15 +840,15 @@ struct MyProcessor {`
`840`	`840`	`impl Processor for MyProcessor {`
`841`	`841`	`fn process(ptr: *const i64) -> i64 {`
`842`	`842`	`unsafe {`
`843`		`- return *ptr; // $ SPURIOUS: Alert[rust/access-after-lifetime-ended]=local_value`
	`843`	`+ return *ptr; // good`
`844`	`844`	`}`
`845`	`845`	`}`
`846`	`846`	`}`
`847`	`847`
`848`	`848`	`fn generic_caller<T: Processor>() -> i64`
`849`	`849`	`{`
`850`	`850`	`let local_value: i64 = 10;`
`851`		`- let ptr = &local_value as *const i64; // $ Source[rust/access-after-lifetime-ended]=local_value`
	`851`	`+ let ptr = &local_value as *const i64;`
`852`	`852`
`853`	`853`	`return T::process(ptr);`
`854`	`854`	`}`