diff --git a/ast.dot/cpp/print-ast.svg b/ast.dot/cpp/print-ast.svg
new file mode 100644
index 0000000..59af795
--- /dev/null
+++ b/ast.dot/cpp/print-ast.svg
@@ -0,0 +1,1552 @@
+
+
+
+
+
+
+
+0
+[ExprStmt] ExprStmt
+
+
+
+1
+[FunctionCall] call to memcpy
+
+
+
+0->1
+getExpr()
+
+
+
+6
+[ValueFieldAccess] buf
+
+
+
+1->6
+getArgument(0)
+
+
+
+11
+[ValueFieldAccess] buf
+
+
+
+1->11
+getArgument(1)
+
+
+
+12
+[CStyleCast] (const void *)...
+
+
+
+1->12
+getArgument(1).getFullyConverted()
+
+
+
+17
+[ValueFieldAccess] size
+
+
+
+1->17
+getArgument(2)
+
+
+
+2
+[VariableAccess] input
+
+
+
+3
+[Literal] 0
+
+
+
+4
+[ArrayExpr] access to array
+
+
+
+4->2
+getArrayBase()
+
+
+
+4->3
+getArrayOffset()
+
+
+
+5
+[ValueFieldAccess] ptr
+
+
+
+5->4
+getQualifier()
+
+
+
+6->5
+getQualifier()
+
+
+
+7
+[VariableAccess] input
+
+
+
+8
+[Literal] 1
+
+
+
+9
+[ArrayExpr] access to array
+
+
+
+9->7
+getArrayBase()
+
+
+
+9->8
+getArrayOffset()
+
+
+
+10
+[ValueFieldAccess] ptr
+
+
+
+10->9
+getQualifier()
+
+
+
+11->10
+getQualifier()
+
+
+
+13
+[VariableAccess] input
+
+
+
+14
+[Literal] 1
+
+
+
+15
+[ArrayExpr] access to array
+
+
+
+15->13
+getArrayBase()
+
+
+
+15->14
+getArrayOffset()
+
+
+
+16
+[ValueFieldAccess] ptr
+
+
+
+16->15
+getQualifier()
+
+
+
+17->16
+getQualifier()
+
+
+
+18
+[ExprStmt] ExprStmt
+
+
+
+19
+[FunctionCall] call to copy_mem_nested
+
+
+
+18->19
+getExpr()
+
+
+
+20
+[VariableAccess] input
+
+
+
+19->20
+getArgument(0)
+
+
+
+21
+[IfStmt] if (...) ...
+
+
+
+28
+[NEExpr] ... != ...
+
+
+
+21->28
+getCondition()
+
+
+
+29
+[BlockStmt] { ... }
+
+
+
+21->29
+getThen()
+
+
+
+22
+[VariableAccess] input_types
+
+
+
+23
+[FunctionCall] call to DYN_INPUT_TYPE
+
+
+
+24
+[Literal] 1
+
+
+
+23->24
+getArgument(0)
+
+
+
+25
+[CStyleCast] (unsigned int)...
+
+
+
+23->25
+getArgument(0).getFullyConverted()
+
+
+
+26
+[Literal] 1
+
+
+
+23->26
+getArgument(1)
+
+
+
+27
+[CStyleCast] (unsigned int)...
+
+
+
+23->27
+getArgument(1).getFullyConverted()
+
+
+
+28->22
+getLeftOperand()
+
+
+
+28->23
+getRightOperand()
+
+
+
+30
+[ExprStmt] ExprStmt
+
+
+
+31
+[FunctionCall] call to memcpy
+
+
+
+30->31
+getExpr()
+
+
+
+36
+[ValueFieldAccess] buf
+
+
+
+31->36
+getArgument(0)
+
+
+
+41
+[ValueFieldAccess] buf
+
+
+
+31->41
+getArgument(1)
+
+
+
+42
+[CStyleCast] (const void *)...
+
+
+
+31->42
+getArgument(1).getFullyConverted()
+
+
+
+47
+[ValueFieldAccess] size
+
+
+
+31->47
+getArgument(2)
+
+
+
+32
+[VariableAccess] input
+
+
+
+33
+[Literal] 0
+
+
+
+34
+[ArrayExpr] access to array
+
+
+
+34->32
+getArrayBase()
+
+
+
+34->33
+getArrayOffset()
+
+
+
+35
+[ValueFieldAccess] ptr
+
+
+
+35->34
+getQualifier()
+
+
+
+36->35
+getQualifier()
+
+
+
+37
+[VariableAccess] input
+
+
+
+38
+[Literal] 1
+
+
+
+39
+[ArrayExpr] access to array
+
+
+
+39->37
+getArrayBase()
+
+
+
+39->38
+getArrayOffset()
+
+
+
+40
+[ValueFieldAccess] ptr
+
+
+
+40->39
+getQualifier()
+
+
+
+41->40
+getQualifier()
+
+
+
+43
+[VariableAccess] input
+
+
+
+44
+[Literal] 1
+
+
+
+45
+[ArrayExpr] access to array
+
+
+
+45->43
+getArrayBase()
+
+
+
+45->44
+getArrayOffset()
+
+
+
+46
+[ValueFieldAccess] ptr
+
+
+
+46->45
+getQualifier()
+
+
+
+47->46
+getQualifier()
+
+
+
+48
+[ExprStmt] ExprStmt
+
+
+
+49
+[FunctionCall] call to copy_mem_nested
+
+
+
+48->49
+getExpr()
+
+
+
+50
+[VariableAccess] input
+
+
+
+49->50
+getArgument(0)
+
+
+
+51
+[IfStmt] if (...) ...
+
+
+
+59
+[EQExpr] ... == ...
+
+
+
+51->59
+getCondition()
+
+
+
+78
+[BlockStmt] { ... }
+
+
+
+51->78
+getThen()
+
+
+
+52
+[FunctionCall] call to DYN_INPUT_TYPE
+
+
+
+53
+[Literal] 1
+
+
+
+52->53
+getArgument(0)
+
+
+
+54
+[CStyleCast] (unsigned int)...
+
+
+
+52->54
+getArgument(0).getFullyConverted()
+
+
+
+55
+[Literal] 1
+
+
+
+52->55
+getArgument(1)
+
+
+
+56
+[CStyleCast] (unsigned int)...
+
+
+
+52->56
+getArgument(1).getFullyConverted()
+
+
+
+57
+[Literal] 100
+
+
+
+58
+[CStyleCast] (unsigned int)...
+
+
+
+59->52
+getLeftOperand()
+
+
+
+59->57
+getRightOperand()
+
+
+
+59->58
+getRightOperand().getFullyConverted()
+
+
+
+60
+[ExprStmt] ExprStmt
+
+
+
+61
+[FunctionCall] call to memcpy
+
+
+
+60->61
+getExpr()
+
+
+
+66
+[ValueFieldAccess] buf
+
+
+
+61->66
+getArgument(0)
+
+
+
+71
+[ValueFieldAccess] buf
+
+
+
+61->71
+getArgument(1)
+
+
+
+72
+[CStyleCast] (const void *)...
+
+
+
+61->72
+getArgument(1).getFullyConverted()
+
+
+
+77
+[ValueFieldAccess] size
+
+
+
+61->77
+getArgument(2)
+
+
+
+62
+[VariableAccess] input
+
+
+
+63
+[Literal] 0
+
+
+
+64
+[ArrayExpr] access to array
+
+
+
+64->62
+getArrayBase()
+
+
+
+64->63
+getArrayOffset()
+
+
+
+65
+[ValueFieldAccess] ptr
+
+
+
+65->64
+getQualifier()
+
+
+
+66->65
+getQualifier()
+
+
+
+67
+[VariableAccess] input
+
+
+
+68
+[Literal] 1
+
+
+
+69
+[ArrayExpr] access to array
+
+
+
+69->67
+getArrayBase()
+
+
+
+69->68
+getArrayOffset()
+
+
+
+70
+[ValueFieldAccess] ptr
+
+
+
+70->69
+getQualifier()
+
+
+
+71->70
+getQualifier()
+
+
+
+73
+[VariableAccess] input
+
+
+
+74
+[Literal] 1
+
+
+
+75
+[ArrayExpr] access to array
+
+
+
+75->73
+getArrayBase()
+
+
+
+75->74
+getArrayOffset()
+
+
+
+76
+[ValueFieldAccess] ptr
+
+
+
+76->75
+getQualifier()
+
+
+
+77->76
+getQualifier()
+
+
+
+78->60
+getStmt(0)
+
+
+
+79
+[IfStmt] if (...) ...
+
+
+
+86
+[NEExpr] ... != ...
+
+
+
+79->86
+getCondition()
+
+
+
+89
+[BlockStmt] { ... }
+
+
+
+79->89
+getThen()
+
+
+
+80
+[VariableAccess] input_types
+
+
+
+81
+[FunctionCall] call to DYN_INPUT_TYPE
+
+
+
+82
+[Literal] 1
+
+
+
+81->82
+getArgument(0)
+
+
+
+83
+[CStyleCast] (unsigned int)...
+
+
+
+81->83
+getArgument(0).getFullyConverted()
+
+
+
+84
+[Literal] 1
+
+
+
+81->84
+getArgument(1)
+
+
+
+85
+[CStyleCast] (unsigned int)...
+
+
+
+81->85
+getArgument(1).getFullyConverted()
+
+
+
+86->80
+getLeftOperand()
+
+
+
+86->81
+getRightOperand()
+
+
+
+87
+[ReturnStmt] return ...
+
+
+
+88
+[Literal] 1
+
+
+
+87->88
+getExpr()
+
+
+
+89->87
+getStmt(0)
+
+
+
+90
+[ExprStmt] ExprStmt
+
+
+
+91
+[FunctionCall] call to memcpy
+
+
+
+90->91
+getExpr()
+
+
+
+96
+[ValueFieldAccess] buf
+
+
+
+91->96
+getArgument(0)
+
+
+
+101
+[ValueFieldAccess] buf
+
+
+
+91->101
+getArgument(1)
+
+
+
+102
+[CStyleCast] (const void *)...
+
+
+
+91->102
+getArgument(1).getFullyConverted()
+
+
+
+107
+[ValueFieldAccess] size
+
+
+
+91->107
+getArgument(2)
+
+
+
+92
+[VariableAccess] input
+
+
+
+93
+[Literal] 0
+
+
+
+94
+[ArrayExpr] access to array
+
+
+
+94->92
+getArrayBase()
+
+
+
+94->93
+getArrayOffset()
+
+
+
+95
+[ValueFieldAccess] ptr
+
+
+
+95->94
+getQualifier()
+
+
+
+96->95
+getQualifier()
+
+
+
+97
+[VariableAccess] input
+
+
+
+98
+[Literal] 1
+
+
+
+99
+[ArrayExpr] access to array
+
+
+
+99->97
+getArrayBase()
+
+
+
+99->98
+getArrayOffset()
+
+
+
+100
+[ValueFieldAccess] ptr
+
+
+
+100->99
+getQualifier()
+
+
+
+101->100
+getQualifier()
+
+
+
+103
+[VariableAccess] input
+
+
+
+104
+[Literal] 1
+
+
+
+105
+[ArrayExpr] access to array
+
+
+
+105->103
+getArrayBase()
+
+
+
+105->104
+getArrayOffset()
+
+
+
+106
+[ValueFieldAccess] ptr
+
+
+
+106->105
+getQualifier()
+
+
+
+107->106
+getQualifier()
+
+
+
+108
+[ExprStmt] ExprStmt
+
+
+
+109
+[FunctionCall] call to copy_mem_nested
+
+
+
+108->109
+getExpr()
+
+
+
+110
+[VariableAccess] input
+
+
+
+109->110
+getArgument(0)
+
+
+
+111
+[ReturnStmt] return ...
+
+
+
+112
+[Literal] 0
+
+
+
+111->112
+getExpr()
+
+
+
+113
+[BlockStmt] { ... }
+
+
+
+113->0
+getStmt(0)
+
+
+
+113->18
+getStmt(1)
+
+
+
+113->21
+getStmt(2)
+
+
+
+113->30
+getStmt(3)
+
+
+
+113->48
+getStmt(4)
+
+
+
+113->51
+getStmt(5)
+
+
+
+113->79
+getStmt(6)
+
+
+
+113->90
+getStmt(7)
+
+
+
+113->108
+getStmt(8)
+
+
+
+113->111
+getStmt(9)
+
+
+
+114
+[Parameter] unused
+
+
+
+115
+[Parameter] input
+
+
+
+116
+[Parameter] input_types
+
+
+
+117
+117
+
+
+
+117->114
+getParameter(0)
+
+
+
+117->115
+getParameter(1)
+
+
+
+117->116
+getParameter(2)
+
+
+
+118
+[TopLevelFunction] int copy_mem(unsigned int, dyn_input_t*, unsigned int)
+
+
+
+118->113
+getEntryPoint()
+
+
+
+118->117
+<params>
+
+
+
diff --git a/cfg.dot/cpp/print-cfg.svg b/cfg.dot/cpp/print-cfg.svg
new file mode 100644
index 0000000..9ae36e1
--- /dev/null
+++ b/cfg.dot/cpp/print-cfg.svg
@@ -0,0 +1,1272 @@
+
+
+
+
+
+
+
+0
+ExprStmt
+
+
+
+2
+input
+
+
+
+0->2
+
+
+
+1
+call to memcpy
+
+
+
+17
+ExprStmt
+
+
+
+1->17
+
+
+
+3
+0
+
+
+
+2->3
+
+
+
+4
+access to array
+
+
+
+3->4
+
+
+
+5
+ptr
+
+
+
+4->5
+
+
+
+6
+buf
+
+
+
+5->6
+
+
+
+7
+input
+
+
+
+6->7
+
+
+
+8
+1
+
+
+
+7->8
+
+
+
+9
+access to array
+
+
+
+8->9
+
+
+
+10
+ptr
+
+
+
+9->10
+
+
+
+11
+buf
+
+
+
+10->11
+
+
+
+12
+input
+
+
+
+11->12
+
+
+
+13
+1
+
+
+
+12->13
+
+
+
+14
+access to array
+
+
+
+13->14
+
+
+
+15
+ptr
+
+
+
+14->15
+
+
+
+16
+size
+
+
+
+15->16
+
+
+
+16->1
+
+
+
+19
+input
+
+
+
+17->19
+
+
+
+18
+call to copy_mem_nested
+
+
+
+20
+if (...) ...
+
+
+
+18->20
+
+
+
+19->18
+
+
+
+21
+input_types
+
+
+
+20->21
+
+
+
+23
+1
+
+
+
+21->23
+
+
+
+22
+call to DYN_INPUT_TYPE
+
+
+
+25
+... != ...
+
+
+
+22->25
+
+
+
+24
+1
+
+
+
+23->24
+
+
+
+24->22
+
+
+
+26
+{ ... }
+
+
+
+25->26
+
+
+
+27
+ExprStmt
+
+
+
+25->27
+
+
+
+26->27
+
+
+
+29
+input
+
+
+
+27->29
+
+
+
+28
+call to memcpy
+
+
+
+44
+ExprStmt
+
+
+
+28->44
+
+
+
+30
+0
+
+
+
+29->30
+
+
+
+31
+access to array
+
+
+
+30->31
+
+
+
+32
+ptr
+
+
+
+31->32
+
+
+
+33
+buf
+
+
+
+32->33
+
+
+
+34
+input
+
+
+
+33->34
+
+
+
+35
+1
+
+
+
+34->35
+
+
+
+36
+access to array
+
+
+
+35->36
+
+
+
+37
+ptr
+
+
+
+36->37
+
+
+
+38
+buf
+
+
+
+37->38
+
+
+
+39
+input
+
+
+
+38->39
+
+
+
+40
+1
+
+
+
+39->40
+
+
+
+41
+access to array
+
+
+
+40->41
+
+
+
+42
+ptr
+
+
+
+41->42
+
+
+
+43
+size
+
+
+
+42->43
+
+
+
+43->28
+
+
+
+46
+input
+
+
+
+44->46
+
+
+
+45
+call to copy_mem_nested
+
+
+
+47
+if (...) ...
+
+
+
+45->47
+
+
+
+46->45
+
+
+
+49
+1
+
+
+
+47->49
+
+
+
+48
+call to DYN_INPUT_TYPE
+
+
+
+51
+100
+
+
+
+48->51
+
+
+
+50
+1
+
+
+
+49->50
+
+
+
+50->48
+
+
+
+52
+... == ...
+
+
+
+51->52
+
+
+
+70
+{ ... }
+
+
+
+52->70
+
+
+
+71
+if (...) ...
+
+
+
+52->71
+
+
+
+53
+ExprStmt
+
+
+
+55
+input
+
+
+
+53->55
+
+
+
+54
+call to memcpy
+
+
+
+54->71
+
+
+
+56
+0
+
+
+
+55->56
+
+
+
+57
+access to array
+
+
+
+56->57
+
+
+
+58
+ptr
+
+
+
+57->58
+
+
+
+59
+buf
+
+
+
+58->59
+
+
+
+60
+input
+
+
+
+59->60
+
+
+
+61
+1
+
+
+
+60->61
+
+
+
+62
+access to array
+
+
+
+61->62
+
+
+
+63
+ptr
+
+
+
+62->63
+
+
+
+64
+buf
+
+
+
+63->64
+
+
+
+65
+input
+
+
+
+64->65
+
+
+
+66
+1
+
+
+
+65->66
+
+
+
+67
+access to array
+
+
+
+66->67
+
+
+
+68
+ptr
+
+
+
+67->68
+
+
+
+69
+size
+
+
+
+68->69
+
+
+
+69->54
+
+
+
+70->53
+
+
+
+72
+input_types
+
+
+
+71->72
+
+
+
+74
+1
+
+
+
+72->74
+
+
+
+73
+call to DYN_INPUT_TYPE
+
+
+
+76
+... != ...
+
+
+
+73->76
+
+
+
+75
+1
+
+
+
+74->75
+
+
+
+75->73
+
+
+
+79
+{ ... }
+
+
+
+76->79
+
+
+
+80
+ExprStmt
+
+
+
+76->80
+
+
+
+77
+return ...
+
+
+
+78
+1
+
+
+
+77->78
+
+
+
+103
+copy_mem
+
+
+
+78->103
+
+
+
+79->77
+
+
+
+82
+input
+
+
+
+80->82
+
+
+
+81
+call to memcpy
+
+
+
+97
+ExprStmt
+
+
+
+81->97
+
+
+
+83
+0
+
+
+
+82->83
+
+
+
+84
+access to array
+
+
+
+83->84
+
+
+
+85
+ptr
+
+
+
+84->85
+
+
+
+86
+buf
+
+
+
+85->86
+
+
+
+87
+input
+
+
+
+86->87
+
+
+
+88
+1
+
+
+
+87->88
+
+
+
+89
+access to array
+
+
+
+88->89
+
+
+
+90
+ptr
+
+
+
+89->90
+
+
+
+91
+buf
+
+
+
+90->91
+
+
+
+92
+input
+
+
+
+91->92
+
+
+
+93
+1
+
+
+
+92->93
+
+
+
+94
+access to array
+
+
+
+93->94
+
+
+
+95
+ptr
+
+
+
+94->95
+
+
+
+96
+size
+
+
+
+95->96
+
+
+
+96->81
+
+
+
+99
+input
+
+
+
+97->99
+
+
+
+98
+call to copy_mem_nested
+
+
+
+100
+return ...
+
+
+
+98->100
+
+
+
+99->98
+
+
+
+101
+0
+
+
+
+100->101
+
+
+
+101->103
+
+
+
+102
+{ ... }
+
+
+
+102->0
+
+
+
diff --git a/readme-low-level.org b/readme-low-level.org
index e6c8d16..760aa06 100644
--- a/readme-low-level.org
+++ b/readme-low-level.org
@@ -1,4 +1,14 @@
+#+HTML_HEAD_EXTRA:
+
* CodeQL AST in dot and pdf
+ The control flow graph is narrowed to the function of interest,
+ #+BEGIN_SRC c++
+ int copy_mem(unsigned int unused, dyn_input_t *input,
+ unsigned int input_types) {...}
+
+ #+END_SRC
+ from [[./tests-common/test_part1.c]], so we do the same for the AST.
+
#+BEGIN_SRC sh
# Produce ast in dot format
codeql database analyze \
@@ -11,17 +21,17 @@
# Convert dot to pdf
dot -Tpdf < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.pdf
+ dot -Tsvg < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.svg
# View the graph
open ast.dot/cpp/print-ast.pdf
-
# This comes from
tests-common/test_part1.c
#+END_SRC
* CodeQL CFG in dot and pdf
- XX: The whole control flow graph is very large, so the query narrows it to the
+ The whole control flow graph is very large, so the query narrows it to the
function of interest,
#+BEGIN_SRC c++
int copy_mem(unsigned int unused, dyn_input_t *input,
@@ -43,8 +53,53 @@
# Convert dot to pdf
dot -Tpdf < cfg.dot/cpp/print-cfg.dot > cfg.dot/cpp/print-cfg.pdf
+ dot -Tsvg < cfg.dot/cpp/print-cfg.dot > cfg.dot/cpp/print-cfg.svg
# View the graph
open cfg.dot/cpp/print-cfg.pdf
#+END_SRC
+* Original source code
+ #+BEGIN_SRC c++
+ int copy_mem(unsigned int unused, dyn_input_t *input,
+ unsigned int input_types) {
+ memcpy(input[0].ptr.buf, input[1].ptr.buf,
+ input[1].ptr.size); // NON_COMPLIANT - type not checked
+ copy_mem_nested(input); // NON_COMPLIANT - type not checked
+
+ if (input_types != DYN_INPUT_TYPE(DYN_INPUT_TYPE_MEM, DYN_INPUT_TYPE_MEM)) {
+ }
+
+ memcpy(input[0].ptr.buf, input[1].ptr.buf,
+ input[1].ptr.size); // NON_COMPLIANT - guard doesn't control all paths
+ copy_mem_nested(input); // NON_COMPLIANT - guard doesn't control all paths
+
+ if (DYN_INPUT_TYPE(DYN_INPUT_TYPE_MEM, DYN_INPUT_TYPE_MEM) == 100) {
+ memcpy(input[0].ptr.buf, input[1].ptr.buf,
+ input[1].ptr.size); // NON_COMPLIANT - useless type check
+ }
+
+ if (input_types != DYN_INPUT_TYPE(DYN_INPUT_TYPE_MEM, DYN_INPUT_TYPE_MEM)) {
+ return 1;
+ }
+
+ memcpy(input[0].ptr.buf, input[1].ptr.buf,
+ input[1].ptr.size); // COMPLIANT - type checked
+ copy_mem_nested(input); // COMPLIANT - type checked
+
+ return 0;
+ }
+ #+END_SRC
+* AST
+ The ast is inlined here. For better viewing, open the
+ pdf ([[./ast.dot/cpp/print-ast.pdf]]) separately.
+ #+ATTR_HTML: :width 100%
+ [[./ast.dot/cpp/print-ast.svg]]
+
+* CFG
+ The cfg is inlined here. For better viewing, open the
+ pdf ([[./cfg.dot/cpp/print-cfg.pdf]]) separately.
+
+ #+ATTR_HTML: :class scrollable-svg
+ [[./cfg.dot/cpp/print-cfg.svg]]
+