Rust: Non-symmetrict type propagation for if and match

Author: hvitved

rust/ql/lib/codeql/rust/internal/TypeInference.qll

@@ -540,10 +540,6 @@ private predicate typeEquality(AstNode n1, TypePath prefix1, AstNode n2, TypePat
       let.getInitializer() = n2
     )
     or
-    n1 = n2.(IfExpr).getABranch()
-    or
-    n1 = n2.(MatchExpr).getAnArm().getExpr()
-    or
     exists(LetExpr let |
       n1 = let.getScrutinee() and
       n2 = let.getPat()
@@ -635,6 +631,40 @@ private predicate typeEquality(AstNode n1, TypePath prefix1, AstNode n2, TypePat
   prefix2.isEmpty()
 }
 
+/**
+ * Holds if the type tree of `n1` at `prefix1` should be equal to the type tree
+ * of `n2` at `prefix2`, but type information should only propagate from `n1` to
+ * `n2`.
+ */
+private predicate typeEqualityNonSymmetric(
+  AstNode n1, TypePath prefix1, AstNode n2, TypePath prefix2
+) {
+  prefix1.isEmpty() and
+  prefix2.isEmpty() and
+  (
+    n1 = n2.(IfExpr).getABranch()
+    or
+    n1 = n2.(MatchExpr).getAnArm().getExpr()
+  )
+  or
+  exists(AstNode mid |
+    typeEquality(n1, prefix1, mid, prefix2) or
+    typeEquality(mid, prefix2, n1, prefix1)
+  |
+    mid =
+      any(IfExpr ie |
+        n2 = ie.getABranch() and
+        not n1 = ie.getABranch()
+      )
+    or
+    mid =
+      any(MatchExpr me |
+        n2 = me.getAnArm().getExpr() and
+        not n1 = me.getAnArm().getExpr()
+      )
+  )
+}
+
 pragma[nomagic]
 private Type inferTypeEquality(AstNode n, TypePath path) {
   exists(TypePath prefix1, AstNode n2, TypePath prefix2, TypePath suffix |
@@ -644,6 +674,8 @@ private Type inferTypeEquality(AstNode n, TypePath path) {
     typeEquality(n, prefix1, n2, prefix2)
     or
     typeEquality(n2, prefix2, n, prefix1)
+    or
+    typeEqualityNonSymmetric(n2, prefix2, n, prefix1)
   )
 }