codeql-workshop-dataflow-c/readme-low-level.org
2025-03-19 19:36:29 -07:00

CodeQL AST in dot and pdf

The control flow graph is narrowed to the function of interest,

  int copy_mem(unsigned int unused, dyn_input_t *input,
               unsigned int input_types) {...}

from ./tests-common/test_part1.c, so we do the same for the AST.

  # Produce AST in dot format
  codeql database analyze                             \
         --format=dot --output=ast.dot                \
         -j8 -v --ram=16000                           \
         --rerun                                      \
         --                                           \
         cpp-dataflow-part1-database                  \
         graphs/ast.ql                            

  # Convert dot to pdf and svg
  dot -Tpdf < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.pdf
  dot -Tsvg < ast.dot/cpp/print-ast.dot > ast.dot/cpp/print-ast.svg

  # View the graph
  open ast.dot/cpp/print-ast.pdf

  # This comes from tests-common/test_part1.c

CodeQL CFG in dot and pdf

The whole control flow graph is very large, so the query narrows it to the function of interest,

  int copy_mem(unsigned int unused, dyn_input_t *input,
               unsigned int input_types) {...}

from ./tests-common/test_part1.c

  # Produce CFG in dot format
  codeql database analyze                             \
         --format=dot --output=cfg.dot                \
         -j8 -v --ram=16000                           \
         --rerun                                      \
         --                                           \
         cpp-dataflow-part1-database                  \
         graphs/cfg.ql                            


  # Convert dot to pdf and svg
  dot -Tpdf < cfg.dot/cpp/print-cfg.dot > cfg.dot/cpp/print-cfg.pdf
  dot -Tsvg < cfg.dot/cpp/print-cfg.dot > cfg.dot/cpp/print-cfg.svg

  # View the graph
  open cfg.dot/cpp/print-cfg.pdf

AST

The AST is inlined here. For better viewing, open the pdf (./ast.dot/cpp/print-ast.pdf) separately.

./ast.dot/cpp/print-ast.svg

CFG

The CFG is inlined here. For better viewing, open the pdf (./cfg.dot/cpp/print-cfg.pdf) separately.

./cfg.dot/cpp/print-cfg.svg

GPTs

A GPT was used to add 17 of the CFG edges to the AST; adding more resulted in a very confusing graph. The hybrid is in cfg.dot/cpp/ast-cfg-hybrid.dot
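One deterministic way to build such an overlay, as an added example that is not part of the workshop repository: CFG edges are translated to AST node ids by label and appended with constraint=false, so dot still ranks the tree from the AST edges alone. The sample graphs are constructed, the function names are hypothetical, and matching nodes by label after dropping a "[Kind] " prefix is an assumption about the two dot files.

```python
import re

# Constructed sample graphs (not CodeQL output): AST labels carry a "[Kind] "
# prefix, CFG labels do not. Node ids differ between the two graphs.
AST_DOT = '''digraph ast {
  a0 [label="[TopLevelFunction] int copy_mem(unsigned int, dyn_input_t *, unsigned int)"];
  a1 [label="[BlockStmt] { ... }"];
  a2 [label="[FunctionCall] call to memcpy"];
  a3 [label="[FunctionCall] call to copy_mem_nested"];
  a0 -> a1;
  a1 -> a2;
  a1 -> a3;
}
'''
CFG_DOT = '''digraph cfg {
  c0 [label="call to memcpy"];
  c1 [label="call to copy_mem_nested"];
  c2 [label="return ..."];
  c0 -> c1;
  c1 -> c2;
}
'''

NODE = re.compile(r'^\s*(\w+)\s*\[label="(.*)"\];\s*$', re.M)
EDGE = re.compile(r'^\s*(\w+)\s*->\s*(\w+)', re.M)

def labels(dot):
    """Map node id -> label with any leading "[Kind] " prefix removed."""
    return {n: re.sub(r'^\[\w+\]\s*', '', l) for n, l in NODE.findall(dot)}

def cfg_edges_on_ast(ast_dot, cfg_dot, limit):
    """Translate CFG edges to AST node ids; skip edges with no AST counterpart."""
    ast_by_label = {l: n for n, l in labels(ast_dot).items()}
    cfg = labels(cfg_dot)
    out = []
    for src, dst in EDGE.findall(cfg_dot):
        a, b = ast_by_label.get(cfg.get(src)), ast_by_label.get(cfg.get(dst))
        if a and b and len(out) < limit:
            out.append((a, b))
    return out

def hybrid(ast_dot, cfg_dot, limit=17):
    """Append CFG edges as dashed red, constraint=false so the AST tree keeps its ranks."""
    extra = "".join(
        f'  {a} -> {b} [color=red, style=dashed, constraint=false];\n'
        for a, b in cfg_edges_on_ast(ast_dot, cfg_dot, limit))
    head, brace, tail = ast_dot.rpartition("}")
    return head + extra + brace + tail
```

The `limit` parameter caps how many CFG edges are overlaid, mirroring the 17-edge cap described above.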

Render via dot

The hybrid is rendered via dot. The other renderers produced very spread-out layouts.

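  # Convert dot to pdf and svg. twopi and circo were tried first; all three
  # write the same pdf, so the final dot rendering is the one that is kept.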
  twopi -Tpdf < cfg.dot/cpp/ast-cfg-hybrid.dot > cfg.dot/cpp/ast-cfg-hybrid.pdf
  circo -Tpdf < cfg.dot/cpp/ast-cfg-hybrid.dot > cfg.dot/cpp/ast-cfg-hybrid.pdf
  dot -Tpdf < cfg.dot/cpp/ast-cfg-hybrid.dot > cfg.dot/cpp/ast-cfg-hybrid.pdf
  dot -Tsvg < cfg.dot/cpp/ast-cfg-hybrid.dot > cfg.dot/cpp/ast-cfg-hybrid.svg

  # View the graph
  open -a skim cfg.dot/cpp/ast-cfg-hybrid.pdf

AST-CFG HYBRID

The AST-CFG hybrid is inlined here. For better viewing, open the pdf (./cfg.dot/cpp/ast-cfg-hybrid.pdf) separately.

./cfg.dot/cpp/ast-cfg-hybrid.svg

Hybrid portion of source code

The part of the source code corresponding to the hybrid portion, with space for adding edges:

  int    copy_mem(unsigned    int    unused,    dyn_input_t    *input,


               unsigned    int    input_types)    {


      memcpy(input[0].ptr.buf,    input[1].ptr.buf,


             input[1].ptr.size);  


      copy_mem_nested(input);   

      ...;
  }