hohn/codeql-workshop-dataflow-c
1
0
Fork 0
mirror of https://github.com/hohn/codeql-workshop-dataflow-c.git synced 2025-12-16 18:43:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Choose copy_mem() for ast rendering

Browse Source
This commit is contained in:
Michael Hohn
2025-03-17 19:21:15 -07:00
committed by =Michael Hohn
parent 92d605aa7a
commit a24441458a
4 changed files with 223 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

304
ast.dot/cpp/print-ast.dot
View File

@@ -1,77 +1,140 @@
digraph { digraph {
compound=true; compound=true;
0[label="[IfStmt] if (...) ... "; ]; 0[label="[ExprStmt] ExprStmt"; ];
1[label="[VariableAccess] input_types"; ]; 1[label="[FunctionCall] call to memcpy"; ];
2[label="[FunctionCall] call to DYN_INPUT_TYPE"; ]; 2[label="[VariableAccess] input"; ];
3[label="[Literal] 2"; ]; 3[label="[Literal] 0"; ];
4[label="[CStyleCast] (unsigned int)..."; ]; 4[label="[ArrayExpr] access to array"; ];
5[label="[Literal] 1"; ]; 5[label="[ValueFieldAccess] ptr"; ];
6[label="[CStyleCast] (unsigned int)..."; ]; 6[label="[ValueFieldAccess] buf"; ];
7[label="[EQExpr] ... == ..."; ]; 7[label="[VariableAccess] input"; ];
8[label="[ExprStmt] ExprStmt"; ]; 8[label="[Literal] 1"; ];
9[label="[FunctionCall] call to memcpy"; ]; 9[label="[ArrayExpr] access to array"; ];
10[label="[VariableAccess] input"; ]; 10[label="[ValueFieldAccess] ptr"; ];
11[label="[Literal] 1"; ]; 11[label="[ValueFieldAccess] buf"; ];
12[label="[ArrayExpr] access to array"; ]; 12[label="[CStyleCast] (const void *)..."; ];
13[label="[ValueFieldAccess] ptr"; ]; 13[label="[VariableAccess] input"; ];
14[label="[ValueFieldAccess] buf"; ]; 14[label="[Literal] 1"; ];
15[label="[VariableAccess] input"; ]; 15[label="[ArrayExpr] access to array"; ];
16[label="[Literal] 0"; ]; 16[label="[ValueFieldAccess] ptr"; ];
17[label="[ArrayExpr] access to array"; ]; 17[label="[ValueFieldAccess] size"; ];
18[label="[ValueFieldAccess] val"; ]; 18[label="[ExprStmt] ExprStmt"; ];
19[label="[AddressOfExpr] & ..."; ]; 19[label="[FunctionCall] call to copy_mem_nested"; ];
20[label="[CStyleCast] (const void *)..."; ]; 20[label="[VariableAccess] input"; ];
21[label="[SizeofExprOperator] sizeof(<expr>)"; ]; 21[label="[IfStmt] if (...) ... "; ];
22[label="[VariableAccess] input"; ]; 22[label="[VariableAccess] input_types"; ];
23[label="[Literal] 0"; ]; 23[label="[FunctionCall] call to DYN_INPUT_TYPE"; ];
24[label="[ArrayExpr] access to array"; ]; 24[label="[Literal] 1"; ];
25[label="[ValueFieldAccess] val"; ]; 25[label="[CStyleCast] (unsigned int)..."; ];
26[label="[ParenthesisExpr] (...)"; ]; 26[label="[Literal] 1"; ];
27[label="[ReturnStmt] return ..."; ]; 27[label="[CStyleCast] (unsigned int)..."; ];
28[label="[Literal] 0"; ]; 28[label="[NEExpr] ... != ..."; ];
29[label="[BlockStmt] { ... }"; ]; 29[label="[BlockStmt] { ... }"; ];
30[label="[ExprStmt] ExprStmt"; ]; 30[label="[ExprStmt] ExprStmt"; ];
31[label="[FunctionCall] call to memcpy"; ]; 31[label="[FunctionCall] call to memcpy"; ];
32[label="[VariableAccess] input"; ]; 32[label="[VariableAccess] input"; ];
33[label="[Literal] 1"; ]; 33[label="[Literal] 0"; ];
34[label="[ArrayExpr] access to array"; ]; 34[label="[ArrayExpr] access to array"; ];
35[label="[ValueFieldAccess] ptr"; ]; 35[label="[ValueFieldAccess] ptr"; ];
36[label="[ValueFieldAccess] buf"; ]; 36[label="[ValueFieldAccess] buf"; ];
37[label="[VariableAccess] input"; ]; 37[label="[VariableAccess] input"; ];
38[label="[Literal] 0"; ]; 38[label="[Literal] 1"; ];
39[label="[ArrayExpr] access to array"; ]; 39[label="[ArrayExpr] access to array"; ];
40[label="[ValueFieldAccess] val"; ]; 40[label="[ValueFieldAccess] ptr"; ];
41[label="[AddressOfExpr] & ..."; ]; 41[label="[ValueFieldAccess] buf"; ];
42[label="[CStyleCast] (const void *)..."; ]; 42[label="[CStyleCast] (const void *)..."; ];
43[label="[SizeofExprOperator] sizeof(<expr>)"; ]; 43[label="[VariableAccess] input"; ];
44[label="[VariableAccess] input"; ]; 44[label="[Literal] 1"; ];
45[label="[Literal] 0"; ]; 45[label="[ArrayExpr] access to array"; ];
46[label="[ArrayExpr] access to array"; ]; 46[label="[ValueFieldAccess] ptr"; ];
47[label="[ValueFieldAccess] val"; ]; 47[label="[ValueFieldAccess] size"; ];
48[label="[ParenthesisExpr] (...)"; ]; 48[label="[ExprStmt] ExprStmt"; ];
49[label="[ReturnStmt] return ..."; ]; 49[label="[FunctionCall] call to copy_mem_nested"; ];
50[label="[Literal] 1"; ]; 50[label="[VariableAccess] input"; ];
51[label="[BlockStmt] { ... }"; ]; 51[label="[IfStmt] if (...) ... "; ];
52[label="[Parameter] input"; ]; 52[label="[FunctionCall] call to DYN_INPUT_TYPE"; ];
53[label="[Parameter] input_types"; ]; 53[label="[Literal] 1"; ];
54[]; 54[label="[CStyleCast] (unsigned int)..."; ];
55[label="[TopLevelFunction] int write_val_to_mem(dyn_input_t*, unsigned int)"; ]; 55[label="[Literal] 1"; ];
0 -> 7[label="getCondition()"; ]; 56[label="[CStyleCast] (unsigned int)..."; ];
2 -> 3[label="getArgument(0)"; ]; 57[label="[Literal] 100"; ];
7 -> 1[label="getLeftOperand()"; ]; 58[label="[CStyleCast] (unsigned int)..."; ];
8 -> 9[label="getExpr()"; ]; 59[label="[EQExpr] ... == ..."; ];
9 -> 14[label="getArgument(0)"; ]; 60[label="[ExprStmt] ExprStmt"; ];
12 -> 10[label="getArrayBase()"; ]; 61[label="[FunctionCall] call to memcpy"; ];
13 -> 12[label="getQualifier()"; ]; 62[label="[VariableAccess] input"; ];
14 -> 13[label="getQualifier()"; ]; 63[label="[Literal] 0"; ];
17 -> 15[label="getArrayBase()"; ]; 64[label="[ArrayExpr] access to array"; ];
18 -> 17[label="getQualifier()"; ]; 65[label="[ValueFieldAccess] ptr"; ];
19 -> 18[label="getOperand()"; ]; 66[label="[ValueFieldAccess] buf"; ];
21 -> 25[label="getExprOperand()"; ]; 67[label="[VariableAccess] input"; ];
24 -> 22[label="getArrayBase()"; ]; 68[label="[Literal] 1"; ];
25 -> 24[label="getQualifier()"; ]; 69[label="[ArrayExpr] access to array"; ];
27 -> 28[label="getExpr()"; ]; 70[label="[ValueFieldAccess] ptr"; ];
29 -> 8[label="getStmt(0)"; ]; 71[label="[ValueFieldAccess] buf"; ];
72[label="[CStyleCast] (const void *)..."; ];
73[label="[VariableAccess] input"; ];
74[label="[Literal] 1"; ];
75[label="[ArrayExpr] access to array"; ];
76[label="[ValueFieldAccess] ptr"; ];
77[label="[ValueFieldAccess] size"; ];
78[label="[BlockStmt] { ... }"; ];
79[label="[IfStmt] if (...) ... "; ];
80[label="[VariableAccess] input_types"; ];
81[label="[FunctionCall] call to DYN_INPUT_TYPE"; ];
82[label="[Literal] 1"; ];
83[label="[CStyleCast] (unsigned int)..."; ];
84[label="[Literal] 1"; ];
85[label="[CStyleCast] (unsigned int)..."; ];
86[label="[NEExpr] ... != ..."; ];
87[label="[ReturnStmt] return ..."; ];
88[label="[Literal] 1"; ];
89[label="[BlockStmt] { ... }"; ];
90[label="[ExprStmt] ExprStmt"; ];
91[label="[FunctionCall] call to memcpy"; ];
92[label="[VariableAccess] input"; ];
93[label="[Literal] 0"; ];
94[label="[ArrayExpr] access to array"; ];
95[label="[ValueFieldAccess] ptr"; ];
96[label="[ValueFieldAccess] buf"; ];
97[label="[VariableAccess] input"; ];
98[label="[Literal] 1"; ];
99[label="[ArrayExpr] access to array"; ];
100[label="[ValueFieldAccess] ptr"; ];
101[label="[ValueFieldAccess] buf"; ];
102[label="[CStyleCast] (const void *)..."; ];
103[label="[VariableAccess] input"; ];
104[label="[Literal] 1"; ];
105[label="[ArrayExpr] access to array"; ];
106[label="[ValueFieldAccess] ptr"; ];
107[label="[ValueFieldAccess] size"; ];
108[label="[ExprStmt] ExprStmt"; ];
109[label="[FunctionCall] call to copy_mem_nested"; ];
110[label="[VariableAccess] input"; ];
111[label="[ReturnStmt] return ..."; ];
112[label="[Literal] 0"; ];
113[label="[BlockStmt] { ... }"; ];
114[label="[Parameter] unused"; ];
115[label="[Parameter] input"; ];
116[label="[Parameter] input_types"; ];
117[];
118[label="[TopLevelFunction] int copy_mem(unsigned int, dyn_input_t*, unsigned int)"; ];
0 -> 1[label="getExpr()"; ];
1 -> 6[label="getArgument(0)"; ];
4 -> 2[label="getArrayBase()"; ];
5 -> 4[label="getQualifier()"; ];
6 -> 5[label="getQualifier()"; ];
9 -> 7[label="getArrayBase()"; ];
10 -> 9[label="getQualifier()"; ];
11 -> 10[label="getQualifier()"; ];
15 -> 13[label="getArrayBase()"; ];
16 -> 15[label="getQualifier()"; ];
17 -> 16[label="getQualifier()"; ];
18 -> 19[label="getExpr()"; ];
19 -> 20[label="getArgument(0)"; ];
21 -> 28[label="getCondition()"; ];
23 -> 24[label="getArgument(0)"; ];
28 -> 22[label="getLeftOperand()"; ];
30 -> 31[label="getExpr()"; ]; 30 -> 31[label="getExpr()"; ];
31 -> 36[label="getArgument(0)"; ]; 31 -> 36[label="getArgument(0)"; ];
34 -> 32[label="getArrayBase()"; ]; 34 -> 32[label="getArrayBase()"; ];
@@ -79,36 +142,99 @@ digraph {
36 -> 35[label="getQualifier()"; ]; 36 -> 35[label="getQualifier()"; ];
39 -> 37[label="getArrayBase()"; ]; 39 -> 37[label="getArrayBase()"; ];
40 -> 39[label="getQualifier()"; ]; 40 -> 39[label="getQualifier()"; ];
41 -> 40[label="getOperand()"; ]; 41 -> 40[label="getQualifier()"; ];
43 -> 47[label="getExprOperand()"; ]; 45 -> 43[label="getArrayBase()"; ];
46 -> 44[label="getArrayBase()"; ]; 46 -> 45[label="getQualifier()"; ];
47 -> 46[label="getQualifier()"; ]; 47 -> 46[label="getQualifier()"; ];
49 -> 50[label="getExpr()"; ]; 48 -> 49[label="getExpr()"; ];
51 -> 0[label="getStmt(0)"; ]; 49 -> 50[label="getArgument(0)"; ];
55 -> 54[label="<params>"; ]; 51 -> 59[label="getCondition()"; ];
54 -> 52[label="getParameter(0)"; ]; 52 -> 53[label="getArgument(0)"; ];
0 -> 29[label="getThen()"; ]; 59 -> 52[label="getLeftOperand()"; ];
2 -> 5[label="getArgument(1)"; ]; 60 -> 61[label="getExpr()"; ];
7 -> 2[label="getRightOperand()"; ]; 61 -> 66[label="getArgument(0)"; ];
9 -> 19[label="getArgument(1)"; ]; 64 -> 62[label="getArrayBase()"; ];
12 -> 11[label="getArrayOffset()"; ]; 65 -> 64[label="getQualifier()"; ];
17 -> 16[label="getArrayOffset()"; ]; 66 -> 65[label="getQualifier()"; ];
21 -> 26[label="getExprOperand().getFullyConverted()"; ]; 69 -> 67[label="getArrayBase()"; ];
24 -> 23[label="getArrayOffset()"; ]; 70 -> 69[label="getQualifier()"; ];
29 -> 27[label="getStmt(1)"; ]; 71 -> 70[label="getQualifier()"; ];
75 -> 73[label="getArrayBase()"; ];
76 -> 75[label="getQualifier()"; ];
77 -> 76[label="getQualifier()"; ];
78 -> 60[label="getStmt(0)"; ];
79 -> 86[label="getCondition()"; ];
81 -> 82[label="getArgument(0)"; ];
86 -> 80[label="getLeftOperand()"; ];
87 -> 88[label="getExpr()"; ];
89 -> 87[label="getStmt(0)"; ];
90 -> 91[label="getExpr()"; ];
91 -> 96[label="getArgument(0)"; ];
94 -> 92[label="getArrayBase()"; ];
95 -> 94[label="getQualifier()"; ];
96 -> 95[label="getQualifier()"; ];
99 -> 97[label="getArrayBase()"; ];
100 -> 99[label="getQualifier()"; ];
101 -> 100[label="getQualifier()"; ];
105 -> 103[label="getArrayBase()"; ];
106 -> 105[label="getQualifier()"; ];
107 -> 106[label="getQualifier()"; ];
108 -> 109[label="getExpr()"; ];
109 -> 110[label="getArgument(0)"; ];
111 -> 112[label="getExpr()"; ];
113 -> 0[label="getStmt(0)"; ];
118 -> 117[label="<params>"; ];
117 -> 114[label="getParameter(0)"; ];
1 -> 11[label="getArgument(1)"; ];
4 -> 3[label="getArrayOffset()"; ];
9 -> 8[label="getArrayOffset()"; ];
15 -> 14[label="getArrayOffset()"; ];
21 -> 29[label="getThen()"; ];
23 -> 26[label="getArgument(1)"; ];
28 -> 23[label="getRightOperand()"; ];
31 -> 41[label="getArgument(1)"; ]; 31 -> 41[label="getArgument(1)"; ];
34 -> 33[label="getArrayOffset()"; ]; 34 -> 33[label="getArrayOffset()"; ];
39 -> 38[label="getArrayOffset()"; ]; 39 -> 38[label="getArrayOffset()"; ];
43 -> 48[label="getExprOperand().getFullyConverted()"; ]; 45 -> 44[label="getArrayOffset()"; ];
46 -> 45[label="getArrayOffset()"; ]; 51 -> 78[label="getThen()"; ];
51 -> 30[label="getStmt(1)"; ]; 52 -> 55[label="getArgument(1)"; ];
55 -> 51[label="getEntryPoint()"; ]; 59 -> 57[label="getRightOperand()"; ];
54 -> 53[label="getParameter(1)"; ]; 61 -> 71[label="getArgument(1)"; ];
2 -> 4[label="getArgument(0).getFullyConverted()"; ]; 64 -> 63[label="getArrayOffset()"; ];
9 -> 21[label="getArgument(2)"; ]; 69 -> 68[label="getArrayOffset()"; ];
31 -> 43[label="getArgument(2)"; ]; 75 -> 74[label="getArrayOffset()"; ];
51 -> 49[label="getStmt(2)"; ]; 79 -> 89[label="getThen()"; ];
2 -> 6[label="getArgument(1).getFullyConverted()"; ]; 81 -> 84[label="getArgument(1)"; ];
9 -> 20[label="getArgument(1).getFullyConverted()"; ]; 86 -> 81[label="getRightOperand()"; ];
91 -> 101[label="getArgument(1)"; ];
94 -> 93[label="getArrayOffset()"; ];
99 -> 98[label="getArrayOffset()"; ];
105 -> 104[label="getArrayOffset()"; ];
113 -> 18[label="getStmt(1)"; ];
118 -> 113[label="getEntryPoint()"; ];
117 -> 115[label="getParameter(1)"; ];
1 -> 17[label="getArgument(2)"; ];
23 -> 25[label="getArgument(0).getFullyConverted()"; ];
31 -> 47[label="getArgument(2)"; ];
52 -> 54[label="getArgument(0).getFullyConverted()"; ];
59 -> 58[label="getRightOperand().getFullyConverted()"; ];
61 -> 77[label="getArgument(2)"; ];
81 -> 83[label="getArgument(0).getFullyConverted()"; ];
91 -> 107[label="getArgument(2)"; ];
113 -> 21[label="getStmt(2)"; ];
117 -> 116[label="getParameter(2)"; ];
1 -> 12[label="getArgument(1).getFullyConverted()"; ];
23 -> 27[label="getArgument(1).getFullyConverted()"; ];
31 -> 42[label="getArgument(1).getFullyConverted()"; ]; 31 -> 42[label="getArgument(1).getFullyConverted()"; ];
52 -> 56[label="getArgument(1).getFullyConverted()"; ];
61 -> 72[label="getArgument(1).getFullyConverted()"; ];
81 -> 85[label="getArgument(1).getFullyConverted()"; ];
91 -> 102[label="getArgument(1).getFullyConverted()"; ];
113 -> 30[label="getStmt(3)"; ];
113 -> 48[label="getStmt(4)"; ];
113 -> 51[label="getStmt(5)"; ];
113 -> 79[label="getStmt(6)"; ];
113 -> 90[label="getStmt(7)"; ];
113 -> 108[label="getStmt(8)"; ];
113 -> 111[label="getStmt(9)"; ];
} }

BIN
ast.dot/cpp/print-ast.pdf
View File

Binary file not shown.

2
graphs/ast.ql
View File

@@ -8,5 +8,5 @@ import semmle.code.cpp.PrintAST
// extend `PrintASTConfiguration` and override `shouldPrintFunction` to hold for only the functions // extend `PrintASTConfiguration` and override `shouldPrintFunction` to hold for only the functions
class PrintConfig extends PrintAstConfiguration { class PrintConfig extends PrintAstConfiguration {
override predicate shouldPrintFunction(Function func) { func.hasName("write_val_to_mem") } override predicate shouldPrintFunction(Function func) { func.hasName("copy_mem") }
} }

10
readme-low-level.org
View File

@@ -1,9 +1,13 @@
* CodeQL AST in dot and pdf * CodeQL AST in dot and pdf
#+BEGIN_SRC sh #+BEGIN_SRC sh
# Produce ast in dot format # Produce ast in dot format
codeql database analyze \ codeql database analyze \
--format=dot --output=ast.dot \ --format=dot --output=ast.dot \
-- cpp-dataflow-part1-database solutions/ast.ql -j8 -v --ram=16000 \
--rerun \
-- \
cpp-dataflow-part1-database \
graphs/ast.ql
# Convert dot to pdf # Convert dot to pdf
dot -Tpdf < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.pdf dot -Tpdf < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.pdf