diff --git a/ast.dot/cpp/print-ast.dot b/ast.dot/cpp/print-ast.dot
new file mode 100644
index 0000000..f0ad64b
--- /dev/null
+++ b/ast.dot/cpp/print-ast.dot
@@ -0,0 +1,114 @@ +digraph { + compound=true; + 0[label="[IfStmt] if (...) ... "; ]; + 1[label="[VariableAccess] input_types"; ]; + 2[label="[FunctionCall] call to DYN_INPUT_TYPE"; ]; + 3[label="[Literal] 2"; ]; + 4[label="[CStyleCast] (unsigned int)..."; ]; + 5[label="[Literal] 1"; ]; + 6[label="[CStyleCast] (unsigned int)..."; ]; + 7[label="[EQExpr] ... == ..."; ]; + 8[label="[ExprStmt] ExprStmt"; ]; + 9[label="[FunctionCall] call to memcpy"; ]; + 10[label="[VariableAccess] input"; ]; + 11[label="[Literal] 1"; ]; + 12[label="[ArrayExpr] access to array"; ]; + 13[label="[ValueFieldAccess] ptr"; ]; + 14[label="[ValueFieldAccess] buf"; ]; + 15[label="[VariableAccess] input"; ]; + 16[label="[Literal] 0"; ]; + 17[label="[ArrayExpr] access to array"; ]; + 18[label="[ValueFieldAccess] val"; ]; + 19[label="[AddressOfExpr] & ..."; ]; + 20[label="[CStyleCast] (const void *)..."; ]; + 21[label="[SizeofExprOperator] sizeof()"; ]; + 22[label="[VariableAccess] input"; ]; + 23[label="[Literal] 0"; ]; + 24[label="[ArrayExpr] access to array"; ]; + 25[label="[ValueFieldAccess] val"; ]; + 26[label="[ParenthesisExpr] (...)"; ]; + 27[label="[ReturnStmt] return ..."; ]; + 28[label="[Literal] 0"; ]; + 29[label="[BlockStmt] { ... 
}"; ]; + 30[label="[ExprStmt] ExprStmt"; ]; + 31[label="[FunctionCall] call to memcpy"; ]; + 32[label="[VariableAccess] input"; ]; + 33[label="[Literal] 1"; ]; + 34[label="[ArrayExpr] access to array"; ]; + 35[label="[ValueFieldAccess] ptr"; ]; + 36[label="[ValueFieldAccess] buf"; ]; + 37[label="[VariableAccess] input"; ]; + 38[label="[Literal] 0"; ]; + 39[label="[ArrayExpr] access to array"; ]; + 40[label="[ValueFieldAccess] val"; ]; + 41[label="[AddressOfExpr] & ..."; ]; + 42[label="[CStyleCast] (const void *)..."; ]; + 43[label="[SizeofExprOperator] sizeof()"; ]; + 44[label="[VariableAccess] input"; ]; + 45[label="[Literal] 0"; ]; + 46[label="[ArrayExpr] access to array"; ]; + 47[label="[ValueFieldAccess] val"; ]; + 48[label="[ParenthesisExpr] (...)"; ]; + 49[label="[ReturnStmt] return ..."; ]; + 50[label="[Literal] 1"; ]; + 51[label="[BlockStmt] { ... }"; ]; + 52[label="[Parameter] input"; ]; + 53[label="[Parameter] input_types"; ]; + 54[]; + 55[label="[TopLevelFunction] int write_val_to_mem(dyn_input_t*, unsigned int)"; ]; + 0 -> 7[label="getCondition()"; ]; + 2 -> 3[label="getArgument(0)"; ]; + 7 -> 1[label="getLeftOperand()"; ]; + 8 -> 9[label="getExpr()"; ]; + 9 -> 14[label="getArgument(0)"; ]; + 12 -> 10[label="getArrayBase()"; ]; + 13 -> 12[label="getQualifier()"; ]; + 14 -> 13[label="getQualifier()"; ]; + 17 -> 15[label="getArrayBase()"; ]; + 18 -> 17[label="getQualifier()"; ]; + 19 -> 18[label="getOperand()"; ]; + 21 -> 25[label="getExprOperand()"; ]; + 24 -> 22[label="getArrayBase()"; ]; + 25 -> 24[label="getQualifier()"; ]; + 27 -> 28[label="getExpr()"; ]; + 29 -> 8[label="getStmt(0)"; ]; + 30 -> 31[label="getExpr()"; ]; + 31 -> 36[label="getArgument(0)"; ]; + 34 -> 32[label="getArrayBase()"; ]; + 35 -> 34[label="getQualifier()"; ]; + 36 -> 35[label="getQualifier()"; ]; + 39 -> 37[label="getArrayBase()"; ]; + 40 -> 39[label="getQualifier()"; ]; + 41 -> 40[label="getOperand()"; ]; + 43 -> 47[label="getExprOperand()"; ]; + 46 -> 
44[label="getArrayBase()"; ]; + 47 -> 46[label="getQualifier()"; ]; + 49 -> 50[label="getExpr()"; ]; + 51 -> 0[label="getStmt(0)"; ]; + 55 -> 54[label=""; ]; + 54 -> 52[label="getParameter(0)"; ]; + 0 -> 29[label="getThen()"; ]; + 2 -> 5[label="getArgument(1)"; ]; + 7 -> 2[label="getRightOperand()"; ]; + 9 -> 19[label="getArgument(1)"; ]; + 12 -> 11[label="getArrayOffset()"; ]; + 17 -> 16[label="getArrayOffset()"; ]; + 21 -> 26[label="getExprOperand().getFullyConverted()"; ]; + 24 -> 23[label="getArrayOffset()"; ]; + 29 -> 27[label="getStmt(1)"; ]; + 31 -> 41[label="getArgument(1)"; ]; + 34 -> 33[label="getArrayOffset()"; ]; + 39 -> 38[label="getArrayOffset()"; ]; + 43 -> 48[label="getExprOperand().getFullyConverted()"; ]; + 46 -> 45[label="getArrayOffset()"; ]; + 51 -> 30[label="getStmt(1)"; ]; + 55 -> 51[label="getEntryPoint()"; ]; + 54 -> 53[label="getParameter(1)"; ]; + 2 -> 4[label="getArgument(0).getFullyConverted()"; ]; + 9 -> 21[label="getArgument(2)"; ]; + 31 -> 43[label="getArgument(2)"; ]; + 51 -> 49[label="getStmt(2)"; ]; + 2 -> 6[label="getArgument(1).getFullyConverted()"; ]; + 9 -> 20[label="getArgument(1).getFullyConverted()"; ]; + 31 -> 42[label="getArgument(1).getFullyConverted()"; ]; +} diff --git a/ast.dot/cpp/print-ast.pdf b/ast.dot/cpp/print-ast.pdf new file mode 100644 index 0000000..b507e49 Binary files /dev/null and b/ast.dot/cpp/print-ast.pdf differ diff --git a/readme-low-level.org b/readme-low-level.org new file mode 100644 index 0000000..01980cf --- /dev/null +++ b/readme-low-level.org 
@@ -0,0 +1,24 @@
+* Some low-level codeql
+ #+BEGIN_SRC sh
+ # Produce ast in dot format
+ codeql database analyze \
+ --format=dot --output=ast.dot \
+ -- cpp-dataflow-part1-database solutions/ast.ql
+
+ # Convert dot to pdf
+ dot -Tpdf < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.pdf
+
+ # View the graph
+ open ast.dot/cpp/print-ast.pdf
+
+
+ # This comes from
+ unzip -v cpp-dataflow-part1-database/src.zip
+ # Archive: cpp-dataflow-part1-database/src.zip
+ # Length Method Size Cmpr Date Time CRC-32 Name
+ # -------- ------ ------- ---- ---------- ----- -------- ----
+ # 3280 Defl:N 880 73% 03-17-2025 08:59 8057b2ea Users/hohn/local/codeql-workshop-dataflow-c/tests-common/test_part1.c
+ # -------- ------- --- -------
+ # 3280 880 73% 1 file
+ #+END_SRC
+
diff --git a/solutions/ast.ql b/solutions/ast.ql
new file mode 100644
index 0000000..d895d75
--- /dev/null
+++ b/solutions/ast.ql
@@ -0,0 +1,12 @@
+/**
+ * @id cpp/print-ast
+ * @kind graph
+ */
+
+import cpp
+import semmle.code.cpp.PrintAST
+
+// extend `PrintASTConfiguration` and override `shouldPrintFunction` to hold for only the functions
+class PrintConfig extends PrintAstConfiguration {
+ override predicate shouldPrintFunction(Function func) { func.hasName("write_val_to_mem") }
+}
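Review bot: The comment above `class PrintConfig` in solutions/ast.ql names `PrintASTConfiguration`, but the class actually extended is `PrintAstConfiguration`, and the sentence trails off at "to hold for only the functions" without saying which ones. Suggest replacing it with `// Extend PrintAstConfiguration and override shouldPrintFunction so that only write_val_to_mem is printed.` Note also that `func.hasName("write_val_to_mem")` matches every function with that name in the database, so if the source ever contains more than one definition (for example a static copy in another translation unit) all of them will be printed; if a single function is intended, the predicate could additionally constrain the defining file via `func.getFile()`.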