Add dataflow graph, limited to first few lines of function

ast.dot/cpp/print-dfg.dot

@@ -0,0 +1,342 @@
+digraph {
+  compound=true;
+  0[label="buf"; ];
+  1[label="buf"; ];
+  2[label="size"; ];
+  3[label="input"; ];
+  4[label="input"; ];
+  5[label="buf"; ];
+  6[label="input"; ];
+  7[label="input"; ];
+  8[label="input_types"; ];
+  9[label="buf"; ];
+  10[label="buf"; ];
+  11[label="size"; ];
+  12[label="input"; ];
+  13[label="input"; ];
+  14[label="buf"; ];
+  15[label="input"; ];
+  16[label="input"; ];
+  17[label="input"; ];
+  18[label="input"; ];
+  19[label="call to memcpy"; ];
+  20[label="call to memcpy"; ];
+  21[label="1"; ];
+  22[label="0"; ];
+  23[label="input"; ];
+  24[label="input"; ];
+  25[label="input"; ];
+  26[label="input_types"; ];
+  27[label="buf indirection"; ];
+  28[label="buf indirection"; ];
+  29[label="buf indirection"; ];
+  30[label="buf indirection"; ];
+  31[label="call to memcpy indirection"; ];
+  32[label="input indirection"; ];
+  33[label="access to array indirection"; ];
+  34[label="ptr indirection"; ];
+  35[label="input indirection"; ];
+  36[label="access to array indirection"; ];
+  37[label="ptr indirection"; ];
+  38[label="buf indirection"; ];
+  39[label="buf indirection"; ];
+  40[label="input indirection"; ];
+  41[label="access to array indirection"; ];
+  42[label="ptr indirection"; ];
+  43[label="input indirection"; ];
+  44[label="call to copy_mem_nested indirection"; ];
+  45[label="call to DYN_INPUT_TYPE indirection"; ];
+  46[label="buf indirection"; ];
+  47[label="buf indirection"; ];
+  48[label="buf indirection"; ];
+  49[label="buf indirection"; ];
+  50[label="call to memcpy indirection"; ];
+  51[label="input indirection"; ];
+  52[label="access to array indirection"; ];
+  53[label="ptr indirection"; ];
+  54[label="input indirection"; ];
+  55[label="access to array indirection"; ];
+  56[label="ptr indirection"; ];
+  57[label="buf indirection"; ];
+  58[label="buf indirection"; ];
+  59[label="input indirection"; ];
+  60[label="access to array indirection"; ];
+  61[label="ptr indirection"; ];
+  62[label="input indirection"; ];
+  63[label="call to copy_mem_nested indirection"; ];
+  64[label="input indirection"; ];
+  65[label="buf indirection"; ];
+  66[label="buf indirection"; ];
+  67[label="buf indirection"; ];
+  68[label="input indirection"; ];
+  69[label="buf indirection"; ];
+  70[label="buf indirection"; ];
+  71[label="buf indirection"; ];
+  72[label="input indirection"; ];
+  73[label="size indirection"; ];
+  74[label="input indirection"; ];
+  75[label="input indirection"; ];
+  76[label="buf indirection"; ];
+  77[label="buf indirection"; ];
+  78[label="buf indirection"; ];
+  79[label="input indirection"; ];
+  80[label="buf indirection"; ];
+  81[label="buf indirection"; ];
+  82[label="buf indirection"; ];
+  83[label="input indirection"; ];
+  84[label="size indirection"; ];
+  85[label="input indirection"; ];
+  86[label="unused indirection"; ];
+  87[label="input indirection"; ];
+  88[label="input indirection"; ];
+  89[label="input indirection"; ];
+  90[label="input_types indirection"; ];
+  91[label="copy_mem indirection"; ];
+  92[label="call to memcpy indirection"; ];
+  93[label="call to memcpy indirection"; ];
+  94[label="call to memcpy indirection"; ];
+  95[label="input indirection"; ];
+  96[label="access to array indirection"; ];
+  97[label="ptr indirection"; ];
+  98[label="buf indirection"; ];
+  99[label="buf indirection"; ];
+  100[label="buf indirection"; ];
+  101[label="input indirection"; ];
+  102[label="access to array indirection"; ];
+  103[label="ptr indirection"; ];
+  104[label="buf indirection"; ];
+  105[label="buf indirection"; ];
+  106[label="buf indirection"; ];
+  107[label="(const void *)... indirection"; ];
+  108[label="(const void *)... indirection"; ];
+  109[label="input indirection"; ];
+  110[label="access to array indirection"; ];
+  111[label="ptr indirection"; ];
+  112[label="size indirection"; ];
+  113[label="call to copy_mem_nested indirection"; ];
+  114[label="input indirection"; ];
+  115[label="call to DYN_INPUT_TYPE indirection"; ];
+  116[label="call to memcpy indirection"; ];
+  117[label="call to memcpy indirection"; ];
+  118[label="call to memcpy indirection"; ];
+  119[label="input indirection"; ];
+  120[label="access to array indirection"; ];
+  121[label="ptr indirection"; ];
+  122[label="buf indirection"; ];
+  123[label="buf indirection"; ];
+  124[label="buf indirection"; ];
+  125[label="input indirection"; ];
+  126[label="access to array indirection"; ];
+  127[label="ptr indirection"; ];
+  128[label="buf indirection"; ];
+  129[label="buf indirection"; ];
+  130[label="buf indirection"; ];
+  131[label="(const void *)... indirection"; ];
+  132[label="(const void *)... indirection"; ];
+  133[label="input indirection"; ];
+  134[label="access to array indirection"; ];
+  135[label="ptr indirection"; ];
+  136[label="size indirection"; ];
+  137[label="call to copy_mem_nested indirection"; ];
+  138[label="input indirection"; ];
+  139[label="input indirection"; ];
+  140[label="buf indirection"; ];
+  141[label="buf indirection"; ];
+  142[label="input indirection"; ];
+  143[label="buf indirection"; ];
+  144[label="buf indirection"; ];
+  145[label="input indirection"; ];
+  146[label="input indirection"; ];
+  147[label="input indirection"; ];
+  148[label="buf indirection"; ];
+  149[label="buf indirection"; ];
+  150[label="input indirection"; ];
+  151[label="buf indirection"; ];
+  152[label="buf indirection"; ];
+  153[label="input indirection"; ];
+  154[label="input indirection"; ];
+  155[label="unused indirection"; ];
+  156[label="input indirection"; ];
+  157[label="input indirection"; ];
+  158[label="input indirection"; ];
+  159[label="input_types indirection"; ];
+  160[label="copy_mem indirection"; ];
+  161[label="memcpy output argument"; ];
+  162[label="memcpy output argument"; ];
+  163[label="copy_mem_nested output argument"; ];
+  164[label="memcpy output argument"; ];
+  165[label="memcpy output argument"; ];
+  166[label="Phi"; ];
+  167[label="access to array indirection [post update]"; ];
+  168[label="access to array indirection [post update]"; ];
+  169[label="access to array indirection [post update]"; ];
+  170[label="access to array indirection [post update]"; ];
+  171[label="access to array indirection [post update]"; ];
+  172[label="access to array indirection [post update]"; ];
+  0 -> 19[];
+  3 -> 3[];
+  3 -> 4[];
+  4 -> 4[];
+  4 -> 6[];
+  5 -> 1[];
+  6 -> 6[];
+  6 -> 7[];
+  7 -> 7[];
+  7 -> 12[];
+  8 -> 8[];
+  9 -> 20[];
+  12 -> 12[];
+  12 -> 13[];
+  13 -> 13[];
+  13 -> 15[];
+  14 -> 10[];
+  15 -> 15[];
+  15 -> 16[];
+  16 -> 16[];
+  21 -> 166[];
+  22 -> 166[];
+  23 -> 17[];
+  23 -> 18[];
+  25 -> 87[];
+  26 -> 8[];
+  27 -> 93[];
+  28 -> 94[];
+  29 -> 93[];
+  29 -> 161[];
+  30 -> 162[];
+  32 -> 68[];
+  32 -> 96[];
+  33 -> 68[];
+  35 -> 72[];
+  35 -> 102[];
+  36 -> 72[];
+  38 -> 107[];
+  39 -> 108[];
+  40 -> 74[];
+  40 -> 110[];
+  41 -> 74[];
+  43 -> 75[];
+  46 -> 117[];
+  47 -> 118[];
+  48 -> 117[];
+  48 -> 164[];
+  49 -> 165[];
+  51 -> 79[];
+  51 -> 120[];
+  52 -> 79[];
+  54 -> 83[];
+  54 -> 126[];
+  55 -> 83[];
+  57 -> 131[];
+  58 -> 132[];
+  59 -> 85[];
+  59 -> 134[];
+  60 -> 85[];
+  64 -> 32[];
+  64 -> 139[];
+  65 -> 0[];
+  66 -> 140[];
+  67 -> 141[];
+  68 -> 35[];
+  68 -> 142[];
+  69 -> 5[];
+  70 -> 143[];
+  71 -> 144[];
+  72 -> 40[];
+  72 -> 145[];
+  73 -> 2[];
+  74 -> 43[];
+  74 -> 146[];
+  75 -> 51[];
+  75 -> 147[];
+  76 -> 9[];
+  77 -> 148[];
+  78 -> 149[];
+  79 -> 54[];
+  79 -> 150[];
+  80 -> 14[];
+  81 -> 151[];
+  82 -> 152[];
+  83 -> 59[];
+  83 -> 153[];
+  84 -> 11[];
+  85 -> 62[];
+  85 -> 154[];
+  87 -> 3[];
+  87 -> 24[];
+  88 -> 64[];
+  88 -> 157[];
+  92 -> 31[];
+  95 -> 64[];
+  96 -> 33[];
+  97 -> 34[];
+  98 -> 65[];
+  99 -> 66[];
+  100 -> 67[];
+  101 -> 68[];
+  102 -> 36[];
+  103 -> 37[];
+  104 -> 69[];
+  105 -> 70[];
+  106 -> 71[];
+  107 -> 29[];
+  108 -> 30[];
+  109 -> 72[];
+  110 -> 41[];
+  111 -> 42[];
+  112 -> 73[];
+  113 -> 44[];
+  114 -> 74[];
+  115 -> 45[];
+  116 -> 50[];
+  119 -> 75[];
+  120 -> 52[];
+  121 -> 53[];
+  122 -> 76[];
+  123 -> 77[];
+  124 -> 78[];
+  125 -> 79[];
+  126 -> 55[];
+  127 -> 56[];
+  128 -> 80[];
+  129 -> 81[];
+  130 -> 82[];
+  131 -> 48[];
+  132 -> 49[];
+  133 -> 83[];
+  134 -> 60[];
+  135 -> 61[];
+  136 -> 84[];
+  137 -> 63[];
+  138 -> 85[];
+  139 -> 32[];
+  140 -> 27[];
+  141 -> 28[];
+  142 -> 35[];
+  143 -> 38[];
+  144 -> 39[];
+  145 -> 40[];
+  146 -> 43[];
+  147 -> 51[];
+  148 -> 46[];
+  149 -> 47[];
+  150 -> 54[];
+  151 -> 57[];
+  152 -> 58[];
+  153 -> 59[];
+  154 -> 62[];
+  155 -> 86[];
+  156 -> 88[];
+  156 -> 89[];
+  158 -> 88[];
+  159 -> 90[];
+  160 -> 91[];
+  163 -> 75[];
+  166 -> 91[];
+  167 -> 68[];
+  168 -> 72[];
+  169 -> 74[];
+  170 -> 79[];
+  171 -> 83[];
+  172 -> 85[];
+}

graphs/dfg.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Print part of the DFG
+ * @description Outputs a subset of the data flow graph
+ * @id cpp/print-dfg
+ * @kind graph
+ */
+
+//  Just show the part for
+//  int copy_mem(unsigned int unused, dyn_input_t *input,
+//      unsigned int input_types)
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
+query predicate nodes(DataFlow::Node n1, string key, string value) {
+  (edges(n1, _) or edges(_, n1)) and
+  (
+    key = "color" and value = "black"
+    or
+    key = "line" and value = n1.getLocation().getStartLine().toString()
+  )
+}
+
+query predicate edges(DataFlow::Node n1, DataFlow::Node n2) {
+  exists(Function f1 |
+    f1.hasName("copy_mem") and
+    n1.getFunction() = f1 and
+    DataFlow::localFlowStep(n1, n2) and
+    n2.getLocation().getStartLine() < 46
+  )
+}

readme-low-level.org

@@ -112,7 +112,6 @@
 
   #+END_SRC
 
-
 * Source Annotated with CFG Nodes
   The CFG entries
   #+BEGIN_SRC text
@@ -150,3 +149,35 @@
     }
   #+END_SRC
 
+* DFG
+  The control flow graph and AST are narrowed to the function of interest,
+  #+BEGIN_SRC c++
+    int copy_mem(unsigned int unused, dyn_input_t *input,
+                 unsigned int input_types) {...}
+
+  #+END_SRC
+  from [[./tests-common/test_part1.c]], so we do the same for the DFG.
+
+  #+BEGIN_SRC sh 
+    # Produce ast in dot format
+    codeql database analyze                             \
+           --format=dot --output=ast.dot                \
+           -j8 -v --ram=16000                           \
+           --rerun                                      \
+           --                                           \
+           cpp-dataflow-part1-database                  \
+           graphs/dfg.ql                            
+
+    # Convert dot to pdf
+    dot -Tpdf < ast.dot/cpp/print-dfg.dot > ast.dot/cpp/print-dfg.pdf
+    dot -Tsvg < ast.dot/cpp/print-dfg.dot > ast.dot/cpp/print-dfg.svg
+
+    # View the graph
+    xdg-open ast.dot/cpp/print-dfg.pdf
+
+    # This comes from
+    tests-common/test_part1.c
+  #+END_SRC
+
+  
+