Rust: Rework call disambiguation logic

[hvitved]

The following simple program would make our type inference implementation explode:

#[derive(Default)]
struct S;

fn f() -> S {
    let x = Default::default();
    From::from(x)
}

Firstly, because of a getSuccessor vs getAssocItem bug, From::from would allow for any sub trait of From, for example the Int trait, which meant that x could be inferred to have type bool. Secondly, since many from implementations are polymorphic in their argument, we should really be checking that the return type matches the type of the calling context.

This PR resolves the above, and other issues (see tests) by rewriting when and how we do type-based call disambiguation, aligning the cases for methods and non-methods. Key changes:

• As for calls to methods, we now also always check the Self type for calls to associated non-methods f. The type at the call site may be obtained by looking at the qualifier, e.g. Vec::<i32>::new() (which also means we need extra care for default type arguments, such as the default Global for A in Vec). Additionally, when f is (an implementation of) a trait function (that is, not in an inherent implementation), we may additionally obtain the type at any of the positions at which Self is mentioned in the trait function, for example in Default::default() the type may be obtained from the context of the call.
• Since the Self type is now always checked, both cases can now use the functionResolutionDependsOnArgument predicate from Overloading.qll, because the sibling logic assumes we only want to disambiguate targets with the same Self type.
• The logic in ArgsAreInstantiationsOf has been changed to do a ranked forall over type parameters instead of over type positions, because what we really want is to check that there is some position at which a given type parameter occurs, where the types match. This allows us to handle cases like this one.
• The typeCanBeUsedForDisambiguation logic has been removed, which gives us more call targets, but also some false targets like this one. I tried to take type parameter constraints into account as well, but that turned out quite difficult, since in cases like let mut i = 0i64; let mut pin = Pin::new(&i); we need type information from both the Pin qualifier and the &i argument to first match against the Self type, and subsequently to validate the Ptr : Deref constraint of the new function.

DCA DCA looks great; while we fix the performance issue, we increase Percentage of calls with call target by 1.67 1.73 % point. There is an increase in Nodes With Type At Length Limit, in particular on radiance, which is a consequence of removing typeCanBeUsedForDisambiguation. This PR also fixes 8 projects that currently timeout during analysis.

[hvitved]

This conjunction has non-linear recursion, hence the magic'ed version of hasTypeConstraint.

[Copilot]

Pull request overview

This PR fixes a type inference explosion issue in Rust queries by correcting two bugs in the type inference implementation:

1. Path resolution bug: Changed getASuccessor(_) to getAnAssocItem() to correctly resolve trait functions only from the trait itself, not from sub-traits
2. Context-based return type checking: Enhanced the logic to only use return type for disambiguation when all argument positions are trivially satisfied

Changes:

• Fixed trait function resolution to prevent matching sub-trait implementations
• Added logic to check return type matches calling context for polymorphic functions
• Refactored Input modules into a unified structure
• Added regression test for the Default::default() and From::from() pattern

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
shared/typeinference/codeql/typeinference/internal/TypeInference.qll	Added helper predicate with pragma[nomagic] to optimize type constraint checking
rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll	Fixed getASuccessor → getAnAssocItem bug, merged Input modules, fixed parameter ordering in context typing
rust/ql/lib/codeql/rust/internal/typeinference/FunctionOverloading.qll	Split predicate and added return type disambiguation logic
rust/ql/test/library-tests/type-inference/main.rs	Added regression test for from_default module
rust/ql/test/library-tests/type-inference/type-inference.expected	Updated expected test output
rust/ql/test/query-tests/security/CWE-312/CONSISTENCY/PathResolutionConsistency.expected	Removed spurious multiple resolution error

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[geoffw0]

Looks helpful.

Is there a reason this is still draft?

[hvitved]

Is there a reason this is still draft?

I would like to rework this a bit more; while it does fix the example posted in the description, there are still cases resulting in timeouts that I would like to cover as well.

[geoffw0]

LGTM. This is a complex CodeQL change that's difficult to review closely - if there are any particular areas you'd like to be scrutinised in more detail, please point to them. The excellent new tests, the existing tests, and the DCA run add a lot of confidence for me.

[geoffw0]

Are the two TODO comments intended as follow-up work?

[hvitved]

Yes.

[paldepind]

Great improvements!

[paldepind]

This method and the other method2 below have the same comment, so we can't distinguish them in the expectations.

Suggested change

	// S::method2
	// S_as_FirstTrait::method2

[hvitved]

Whoops.

[paldepind]

What about this renaming:

• getPrefix -> getProperPrefix
• getAPrefix -> getAProperPrefix
• getAPrefixOrSelf -> getAPrefix

These names a more precise and the most used predicate, getAPrefixOrSelf, gets a shorter name.

[paldepind]

There's a bit of duplication here and in getTypeForTypeParameterAt below.

Perhaps we could get rid of it with these predicates:

    private Type getPositionalTypeArgument(int i, TypePath path, boolean isDefault) {
      result = getPathTypeArgument(this, i).getTypeAt(path) and
      isDefault = false
      or
      result = this.getDefaultPositionalTypeArgument(i, path) and
      isDefault = true
    }

    pragma[nomagic]
    Type getTypeArgument(TypeParameter tp, TypePath path, boolean isDefault) {
      exists(int i |
        result = this.getPositionalTypeArgument(pragma[only_bind_into](i), path, isDefault) and
        tp = this.resolveRootType().getPositionalTypeParameter(pragma[only_bind_into](i))
      )
    }

Where getTypeArgument can be used in getTypeForTypeParameterAt and in place of getDefaultTypeForTypeParameterInNonAnnotationAt as in this diff:

diff --git a/rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll b/rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll
index 3e9c823c570..27052410294 100644
--- a/rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll
+++ b/rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll
@@ -1071,8 +1071,7 @@ private Type getCallExprTypeQualifier(CallExpr ce, TypePath path, boolean isDefa
     isDefaultTypeArg = false
     or
     exists(TypeParameter tp, TypePath suffix |
-      result =
-        tm.(NonAliasPathTypeMention).getDefaultTypeForTypeParameterInNonAnnotationAt(tp, suffix) and
+      result = tm.(NonAliasPathTypeMention).getTypeArgument(tp, suffix, true) and
       path = TypePath::cons(tp, suffix) and
       isDefaultTypeArg = true
     )
diff --git a/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll b/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll
index a1177e55cc9..b41e86ed9a9 100644
--- a/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll
+++ b/rust/ql/lib/codeql/rust/internal/typeinference/TypeMention.qll
@@ -247,12 +247,20 @@ private module MkTypeMention<getAdditionalPathTypeAtSig/2 getAdditionalPathTypeA
       )
     }
 
-    private Type getPositionalTypeArgument(int i, TypePath path) {
-      result = getPathTypeArgument(this, i).getTypeAt(path)
+    private Type getPositionalTypeArgument(int i, TypePath path, boolean isDefault) {
+      result = getPathTypeArgument(this, i).getTypeAt(path) and
+      isDefault = false
       or
-      // Defaults only apply to type mentions in type annotations
-      this.isInTypeAnnotation() and
-      result = this.getDefaultPositionalTypeArgument(i, path)
+      result = this.getDefaultPositionalTypeArgument(i, path) and
+      isDefault = true
+    }
+
+    pragma[nomagic]
+    Type getTypeArgument(TypeParameter tp, TypePath path, boolean isDefault) {
+      exists(int i |
+        result = this.getPositionalTypeArgument(pragma[only_bind_into](i), path, isDefault) and
+        tp = this.resolveRootType().getPositionalTypeParameter(pragma[only_bind_into](i))
+      )
     }
 
     /**
@@ -260,9 +268,8 @@ private module MkTypeMention<getAdditionalPathTypeAtSig/2 getAdditionalPathTypeA
      * type parameter does not correspond directly to a type mention.
      */
     private Type getTypeForTypeParameterAt(TypeParameter tp, TypePath path) {
-      exists(int i |
-        result = this.getPositionalTypeArgument(pragma[only_bind_into](i), path) and
-        tp = this.resolveRootType().getPositionalTypeParameter(pragma[only_bind_into](i))
+      exists(boolean isDefault | result = this.getTypeArgument(tp, path, isDefault) |
+        isDefault = false or this.isInTypeAnnotation()
       )
       or
       // Handle the special syntactic sugar for function traits. The syntactic

[hvitved]

I went for a slightly different refactor.

[paldepind]

Suggested change

	result = this.getPathResolutionResolved() and
	result = i.getASuccessor(_) and
	result = this.getPathResolutionResolved(i) and

This is equivalent to changing i.getASuccessor(_) to i.getAnAssocItem() which I think this is what we want.

On rust db this roughly halves the size of this predicate with no changes to inferType.

More generally, I rarely think that we actually want to use getASuccessor on ImplItem in type inference. With recent changes that I made to path resolution getASuccessor can give anything that is available on Self inside the impl block, which is not necessarily functions that are actually within the impl block (see relevantSelfFunctionName).

[hvitved]

Good catch.

[paldepind]

Suggested change

not f.hasSelfParam() and

f has type NonMethodFunction so this is superflous.

[paldepind]

Suggested change

	f = impl.getASuccessor(_) and
	f = impl.getAnAssocItem() and

Similar to this comment.