Skip to content

Rust: Fix context-based type inference explosion #21217

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
hvitved wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

Rust: Fix context-based type inference explosion #21217

hvitved wants to merge 6 commits into from
+7,902 −7,547

Conversation

@hvitved
Copy link
Contributor

@hvitved hvitved commented Jan 26, 2026
edited
Loading

The following simple program would make our type inference implementation explode:

#[derive(Default)]
struct S;

fn f() -> S {
    let x = Default::default();
    From::from(x)
}

Firstly, because of a getSuccessor vs getAssocItem bug, From::from would allow for any sub trait of From, for example the Int trait, which meant that x could be inferred to have type bool. Secondly, since many from implementations are polymorphic in their argument, we should really be checking that the return type matches the type of the calling context.

This PR makes those two adjustments, and adds the regression test.

DCA looks good; we loose some call edges, but nothing too serious.

@github-actions github-actions bot added the Rust Pull requests that update Rust code label Jan 26, 2026
@hvitved hvitved force-pushed the rust/type-inference-perf branch 3 times, most recently from 38929dd to 50ce393 Compare January 26, 2026 19:16
@hvitved hvitved changed the title Rust: Type inference performance improvements Rust: Fix context-based type inference explosion Jan 26, 2026
@hvitved hvitved added the no-change-note-required This PR does not need a change note label Jan 27, 2026
hvitved
hvitved commented Jan 27, 2026
View reviewed changes
shared/typeinference/codeql/typeinference/internal/TypeInference.qll
Comment on lines +1002 to 1003
hasTypeConstraint(tt, constraint) and
t = getTypeAt(tt, path)
Copy link
Contributor Author

@hvitved hvitved Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This conjunction has non-linear recursion, hence the magic'ed version of hasTypeConstraint.

@hvitved hvitved marked this pull request as ready for review January 27, 2026 07:31
@hvitved hvitved requested review from a team as code owners January 27, 2026 07:31
@hvitved hvitved requested review from Copilot and paldepind January 27, 2026 07:31
Copilot AI reviewed Jan 27, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a type inference explosion issue in Rust queries by correcting two bugs in the type inference implementation:

  1. Path resolution bug: Changed getASuccessor(_) to getAnAssocItem() to correctly resolve trait functions only from the trait itself, not from sub-traits
  2. Context-based return type checking: Enhanced the logic to only use return type for disambiguation when all argument positions are trivially satisfied

Changes:

  • Fixed trait function resolution to prevent matching sub-trait implementations
  • Added logic to check return type matches calling context for polymorphic functions
  • Refactored Input modules into a unified structure
  • Added regression test for the Default::default() and From::from() pattern

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
shared/typeinference/codeql/typeinference/internal/TypeInference.qll Added helper predicate with pragma[nomagic] to optimize type constraint checking
rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll Fixed getASuccessorgetAnAssocItem bug, merged Input modules, fixed parameter ordering in context typing
rust/ql/lib/codeql/rust/internal/typeinference/FunctionOverloading.qll Split predicate and added return type disambiguation logic
rust/ql/test/library-tests/type-inference/main.rs Added regression test for from_default module
rust/ql/test/library-tests/type-inference/type-inference.expected Updated expected test output
rust/ql/test/query-tests/security/CWE-312/CONSISTENCY/PathResolutionConsistency.expected Removed spurious multiple resolution error

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@hvitved hvitved marked this pull request as draft January 27, 2026 13:14
geoffw0
geoffw0 reviewed Jan 29, 2026
View reviewed changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks helpful.

Is there a reason this is still draft?

@hvitved
Copy link
Contributor Author

hvitved commented Jan 29, 2026

Is there a reason this is still draft?

I would like to rework this a bit more; while it does fix the example posted in the description, there are still cases resulting in timeouts that I would like to cover as well.

@hvitved hvitved force-pushed the rust/type-inference-perf branch from 50ce393 to 3244471 Compare January 29, 2026 15:58
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 29, 2026
View reviewed changes
@hvitved hvitved force-pushed the rust/type-inference-perf branch 2 times, most recently from c1b3551 to 9079fde Compare January 30, 2026 10:13
github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 30, 2026
View reviewed changes
@hvitved hvitved force-pushed the rust/type-inference-perf branch 4 times, most recently from 26cb1d9 to ef9ba0c Compare February 2, 2026 13:13
@hvitved hvitved force-pushed the rust/type-inference-perf branch from ef9ba0c to 4b6311f Compare February 2, 2026 13:40
@hvitved hvitved force-pushed the rust/type-inference-perf branch from 4b6311f to b05fe36 Compare February 2, 2026 14:07
@hvitved
Rust: Fix bad join
e2ebf44 
Before
```
Evaluated relational algebra for predicate _PathResolution::ImplItemNode.getTraitPath/0#dispred#3b7d1cb6_PathResolution::ImplOrTraitItemNode.ge__#shared@0d3de6d9 with tuple counts:
         395360270  ~2%    {5} r1 = JOIN Type::TAssociatedTypeTypeParameter#6da9e52a WITH `PathResolution::ImplItemNode.getTraitPath/0#dispred#3b7d1cb6` CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0, Lhs.1, Lhs.2, Rhs.1
        1274237644  ~0%    {6}    | JOIN WITH `PathResolution::ItemNode.getASuccessor/1#8f430f71` ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3, Lhs.4, Rhs.1, Rhs.2
        1274237644  ~0%    {6}    | JOIN WITH PathResolution::TraitItemNode#8d4ce62d ON FIRST 1 OUTPUT Lhs.0, Lhs.4, Lhs.1, Lhs.2, Lhs.3, Lhs.5
           6984871  ~0%    {5}    | JOIN WITH `PathResolution::ImplOrTraitItemNode.getAssocItem/1#f77bb9ed` ON FIRST 3 OUTPUT Lhs.2, Lhs.0, Lhs.3, Lhs.4, Lhs.5
           6984871  ~0%    {4}    | JOIN WITH TypeAlias::Generated::TypeAlias#1ca97780 ON FIRST 1 OUTPUT Lhs.4, Lhs.1, Lhs.2, Lhs.3
           6076675  ~0%    {4}    | JOIN WITH `TypeAlias::Generated::TypeAlias.getTypeRepr/0#dispred#5fd7e521` ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3
                           return r1
```

After
```
Evaluated relational algebra for predicate _PathResolution::ImplItemNode.getTraitPath/0#dispred#3b7d1cb6_PathResolution::ImplOrTraitItemNode.ge__#shared@760e0499 with tuple counts:
          443292  ~2%    {3} r1 = SCAN `PathResolution::ImplOrTraitItemNode.getAssocItem/1#f77bb9ed` OUTPUT In.0, In.2, In.1
            1258  ~1%    {3}    | JOIN WITH Type::TAssociatedTypeTypeParameter#6da9e52a ON FIRST 2 OUTPUT Lhs.2, Lhs.0, Rhs.2
        13656944  ~3%    {4}    | JOIN WITH `PathResolution::ItemNode.getASuccessor/1#8f430f71_102#join_rhs` ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Rhs.2
         6984871  ~0%    {4}    | JOIN WITH `PathResolution::ImplItemNode.getTraitPath/0#dispred#3b7d1cb6` ON FIRST 1 OUTPUT Lhs.3, Lhs.1, Lhs.2, Rhs.1
         6076675  ~0%    {4}    | JOIN WITH `TypeAlias::Generated::TypeAlias.getTypeRepr/0#dispred#5fd7e521` ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3
                         return r1
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geoffw0 geoffw0 geoffw0 left review comments

Copilot code review Copilot Copilot left review comments

@paldepind paldepind Awaiting requested review from paldepind

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

no-change-note-required This PR does not need a change note Rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hvitved @geoffw0