fix: issue in the hoisting algorithm causing false positives in some edge cases.

plusvic · plusvic · commit f0f5b0ae3d61 · 2025-08-28T10:56:25.000+02:00
When a `with` statement declares some variable `foo`, and `foo` is used in the right side of the declaration of some other variable `bar` within the same statement, the hoisting algorithm was not realizing that `bar` depends on `foo`.
diff --git a/lib/src/compiler/ir/dfs.rs b/lib/src/compiler/ir/dfs.rs
@@ -22,6 +22,12 @@ pub(crate) enum EventContext {
     Body,
     /// The current expression is a children of a field access expression.
     FieldAccess,
+    /// The current expression is one of the expressions that initializes a
+    /// variable in a `with` statement. For instance, the `<expr>` in:
+    /// ```text
+    /// with some_var = <expr> : ( .. )
+    /// ```
+    WithDeclaration,
 }
 
 /// An iterator that conducts a Depth First Search (DFS) traversal of the IR
@@ -154,12 +160,12 @@ impl<'a> DFSWithScopeIter<'a> {
     /// corresponding to the `for` statement.
     ///
     /// Let's see a more complex example, consider the following YARA
-    /// expression, where we are positioned at `<inner expr>`:
+    /// expression, where we are positioned at `<for body expr>`:
     ///
     /// ```text
-    /// with a = <expr> : (
+    /// with a = <init expr> : (
     ///    for any i in (0..10) : (
-    ///         <inner expr>
+    ///         <for body expr>
     ///    )
     /// )
     /// ```
@@ -168,6 +174,9 @@ impl<'a> DFSWithScopeIter<'a> {
     /// statement first and then the [`ExprId`] corresponding to the `for`
     /// statement. The iterator processes the scopes starting from the outermost
     /// scope and progresses inward.
+    ///
+    /// If we are positioned at `<init expr>`, the iterator returns the
+    /// [`ExprId`] that corresponds to the `with` statement.
     pub fn scopes(&self) -> impl DoubleEndedIterator<Item = ExprId> + '_ {
         self.scopes.iter().cloned()
     }
@@ -192,15 +201,21 @@ impl Iterator for DFSWithScopeIter<'_> {
         }
         let next = match self.dfs.next()? {
             Event::Enter((expr_id, _, ctx)) => {
-                if matches!(ctx, EventContext::Body) {
+                if matches!(
+                    ctx,
+                    EventContext::Body | EventContext::WithDeclaration
+                ) {
                     // If the current expression is the body of some other
                     // expression, the current expression must have a parent.
                     self.scopes.push(self.ir.get_parent(expr_id).unwrap());
                 }
                 Event::Enter((expr_id, ctx))
             }
             Event::Leave((expr_id, _, ctx)) => {
-                if matches!(ctx, EventContext::Body) {
+                if matches!(
+                    ctx,
+                    EventContext::Body | EventContext::WithDeclaration
+                ) {
                     // Don't remove the scope at top of the stack right away.
                     // If the user calls `scopes()` while processing the Leave
                     // event, we want the current context to be there. We just
@@ -383,7 +398,8 @@ pub(super) fn dfs_common(
         Expr::With(with) => {
             stack.push(Event::Enter((with.body, EventContext::Body)));
             for (_id, expr) in with.declarations.iter().rev() {
-                stack.push(Event::Enter((*expr, EventContext::None)))
+                stack
+                    .push(Event::Enter((*expr, EventContext::WithDeclaration)))
             }
         }
     }
@@ -612,17 +628,17 @@ mod tests {
 
         assert!(matches!(
             dfs.next(),
-             Some(Event::Enter((expr_id, EventContext::None))) if expr_id == const_1
+             Some(Event::Enter((expr_id, EventContext::WithDeclaration))) if expr_id == const_1
         ));
 
-        assert_eq!(dfs.scopes().collect::<Vec<_>>(), vec![]);
+        assert_eq!(dfs.scopes().collect::<Vec<_>>(), vec![with]);
 
         assert!(matches!(
             dfs.next(),
-             Some(Event::Leave((expr_id, EventContext::None))) if expr_id == const_1
+             Some(Event::Leave((expr_id, EventContext::WithDeclaration))) if expr_id == const_1
         ));
 
-        assert_eq!(dfs.scopes().collect::<Vec<_>>(), vec![]);
+        assert_eq!(dfs.scopes().collect::<Vec<_>>(), vec![with]);
 
         assert!(matches!(
             dfs.next(),
@@ -642,5 +658,7 @@ mod tests {
             dfs.next(),
             Some(Event::Leave((expr_id, EventContext::None))) if expr_id == with
         ));
+
+        assert_eq!(dfs.scopes().collect::<Vec<_>>(), vec![]);
     }
 }
diff --git a/lib/src/compiler/ir/tests/testdata/10.cse.ir b/lib/src/compiler/ir/tests/testdata/10.cse.ir
@@ -0,0 +1,16 @@
+RULE test
+  13: FOR_IN -- hash: 0xfc4f8d81a95824cd -- parent: None 
+    0: CONST integer(1) -- parent: 13 
+    1: CONST integer(2) -- parent: 13 
+    12: WITH -- hash: 0x2fa6e67ac30fd47a -- parent: 13 
+      6: FN_CALL uint32@i@i:R0:4294967295u -- hash: 0xb24700199f93dab8 -- parent: 12 
+        5: ADD -- hash: 0x685e7a2ba5a36f1d -- parent: 6 
+          3: PATTERN_OFFSET PatternIdx(0) INDEX -- hash: 0x7cb6e22690df7f1b -- parent: 5 
+            2: SYMBOL Var { var: Var { frame_id: 1, ty: integer, index: 5 }, type_value: integer(unknown) } -- parent: 3 
+          4: CONST integer(16) -- parent: 5 
+      8: FN_CALL uint32be@i@i:R0:4294967295u -- hash: 0x36dbf5f6d8719ced -- parent: 12 
+        7: SYMBOL Var { var: Var { frame_id: 2, ty: integer, index: 7 }, type_value: integer(unknown) } -- parent: 8 
+      11: NE -- hash: 0xe0b33818592dcf55 -- parent: 12 
+        9: SYMBOL Var { var: Var { frame_id: 2, ty: integer, index: 8 }, type_value: integer(unknown) } -- parent: 11 
+        10: CONST integer(1347092738) -- parent: 11 
+
diff --git a/lib/src/compiler/ir/tests/testdata/10.hoisting.ir b/lib/src/compiler/ir/tests/testdata/10.hoisting.ir
@@ -0,0 +1,16 @@
+RULE test
+  13: FOR_IN -- hash: 0xfc4f8d81a95824cd -- parent: None 
+    0: CONST integer(1) -- parent: 13 
+    1: CONST integer(2) -- parent: 13 
+    12: WITH -- hash: 0x2fa6e67ac30fd47a -- parent: 13 
+      6: FN_CALL uint32@i@i:R0:4294967295u -- hash: 0xb24700199f93dab8 -- parent: 12 
+        5: ADD -- hash: 0x685e7a2ba5a36f1d -- parent: 6 
+          3: PATTERN_OFFSET PatternIdx(0) INDEX -- hash: 0x7cb6e22690df7f1b -- parent: 5 
+            2: SYMBOL Var { var: Var { frame_id: 1, ty: integer, index: 5 }, type_value: integer(unknown) } -- parent: 3 
+          4: CONST integer(16) -- parent: 5 
+      8: FN_CALL uint32be@i@i:R0:4294967295u -- hash: 0x36dbf5f6d8719ced -- parent: 12 
+        7: SYMBOL Var { var: Var { frame_id: 2, ty: integer, index: 7 }, type_value: integer(unknown) } -- parent: 8 
+      11: NE -- hash: 0xe0b33818592dcf55 -- parent: 12 
+        9: SYMBOL Var { var: Var { frame_id: 2, ty: integer, index: 8 }, type_value: integer(unknown) } -- parent: 11 
+        10: CONST integer(1347092738) -- parent: 11 
+
diff --git a/lib/src/compiler/ir/tests/testdata/10.in b/lib/src/compiler/ir/tests/testdata/10.in
@@ -0,0 +1,12 @@
+rule test {
+  strings:
+    $a = { 50 4B 05 06 }
+  condition:
+    for any i in (1..10): (
+      with
+        offset = uint32(@a[i] + 16),
+        value = uint32be(offset): (
+          value != 0x504b0102
+        )
+    )
+}
diff --git a/lib/src/compiler/ir/tests/testdata/10.ir b/lib/src/compiler/ir/tests/testdata/10.ir
@@ -0,0 +1,16 @@
+RULE test
+  13: FOR_IN -- hash: 0xfc4f8d81a95824cd -- parent: None 
+    0: CONST integer(1) -- parent: 13 
+    1: CONST integer(2) -- parent: 13 
+    12: WITH -- hash: 0x2fa6e67ac30fd47a -- parent: 13 
+      6: FN_CALL uint32@i@i:R0:4294967295u -- hash: 0xb24700199f93dab8 -- parent: 12 
+        5: ADD -- hash: 0x685e7a2ba5a36f1d -- parent: 6 
+          3: PATTERN_OFFSET PatternIdx(0) INDEX -- hash: 0x7cb6e22690df7f1b -- parent: 5 
+            2: SYMBOL Var { var: Var { frame_id: 1, ty: integer, index: 5 }, type_value: integer(unknown) } -- parent: 3 
+          4: CONST integer(16) -- parent: 5 
+      8: FN_CALL uint32be@i@i:R0:4294967295u -- hash: 0x36dbf5f6d8719ced -- parent: 12 
+        7: SYMBOL Var { var: Var { frame_id: 2, ty: integer, index: 7 }, type_value: integer(unknown) } -- parent: 8 
+      11: NE -- hash: 0xe0b33818592dcf55 -- parent: 12 
+        9: SYMBOL Var { var: Var { frame_id: 2, ty: integer, index: 8 }, type_value: integer(unknown) } -- parent: 11 
+        10: CONST integer(1347092738) -- parent: 11 
+
diff --git a/lib/src/tests/mod.rs b/lib/src/tests/mod.rs
@@ -727,6 +727,42 @@ fn with() {
            )
         "#
     );
+
+    #[cfg(feature = "test_proto2-module")]
+    condition_true!(
+        r#"with one = test_proto2.int32_one,
+                two = test_proto2.add(one, 1),
+                three = two + 1,
+                four = 4: (
+
+                with seven = three + four: (
+                    seven == 7
+                )
+           )
+        "#
+    );
+
+    #[cfg(feature = "test_proto2-module")]
+    condition_false!(
+        r#"with undef_1 = uint32(100000),
+                undef_2 = uint32(undef_1),
+                one = 1: (
+                undef_2 != one
+           )
+        "#
+    );
+
+    #[cfg(feature = "test_proto2-module")]
+    condition_false!(
+        r#"for any i in (1..2): (
+            with undef_1 = uint32(100000),
+                undef_2 = uint32(undef_1) + i,
+                one = i: (
+                undef_2 != one
+           )
+        )
+        "#
+    );
 }
 
 #[test]
