mirror of
https://github.com/github/codeql.git
synced 2026-04-27 17:55:19 +02:00
Docs: Update C/C++
This commit is contained in:
Shati Patel
@@ -4,12 +4,12 @@ Tutorial: Conversions and classes
|
||||
Overview
|
||||
--------
|
||||
|
||||
This topic contains worked examples of how to write queries using the standard QL library classes for C/C++ conversions and classes.
|
||||
This topic contains worked examples of how to write queries using the CodeQL library classes for C/C++ conversions and classes.
|
||||
|
||||
Conversions
|
||||
-----------
|
||||
|
||||
Let us take a look at the QL ``Conversion`` class in the standard library:
|
||||
Let us take a look at the ``Conversion`` class in the standard library:
|
||||
|
||||
- ``Expr``
|
||||
|
||||
@@ -128,26 +128,26 @@ Unlike the earlier versions of the query, this query would return each side of t
|
||||
|
||||
Note
|
||||
|
||||
In general, QL predicates named ``getAXxx`` exploit the ability to return multiple results (multiple instances of ``Xxx``) whereas plain ``getXxx`` predicates usually return at most one specific instance of ``Xxx``.
|
||||
In general, predicates named ``getAXxx`` exploit the ability to return multiple results (multiple instances of ``Xxx``) whereas plain ``getXxx`` predicates usually return at most one specific instance of ``Xxx``.
|
||||
|
||||
Classes
|
||||
-------
|
||||
|
||||
Next we're going to look at C++ classes, using the following QL classes:
|
||||
Next we're going to look at C++ classes, using the following CodeQL classes:
|
||||
|
||||
- ``Type``
|
||||
|
||||
- ``UserType``—includes classes, typedefs and enums
|
||||
- ``UserType``—includes classes, typedefs, and enums
|
||||
|
||||
- ``Class``—a class or struct
|
||||
|
||||
- ``Struct``—a struct, which is treated as a subtype of Class in QL.
|
||||
- ``Struct``—a struct, which is treated as a subtype of ``Class``
|
||||
- ``TemplateClass``—a C++ class template
|
||||
|
||||
Finding derived classes
|
||||
~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
We want to create a query that checks for destructors that should be ``virtual``. Specifically, when a class and a class derived from it both have destructors, the base class destructor should generally be virtual. This ensures that the derived class destructor is always invoked. A ``Destructor`` in QL is a subtype of ``MemberFunction``:
|
||||
We want to create a query that checks for destructors that should be ``virtual``. Specifically, when a class and a class derived from it both have destructors, the base class destructor should generally be virtual. This ensures that the derived class destructor is always invoked. In the CodeQL library, ``Destructor`` is a subtype of ``MemberFunction``:
|
||||
|
||||
- ``Function``
|
||||
|
||||
@@ -221,13 +221,13 @@ Our last change is to use ``Function.isVirtual()`` to find cases where the base
|
||||
|
||||
That completes the query.
|
||||
|
||||
There is a similar built-in LGTM `query <https://lgtm.com/rules/2158670642/>`__ that finds classes in a C/C++ project with virtual functions but no virtual destructor. You can take a look at the QL code for this query by clicking **Open in query console** at the top of that page.
|
||||
There is a similar built-in LGTM `query <https://lgtm.com/rules/2158670642/>`__ that finds classes in a C/C++ project with virtual functions but no virtual destructor. You can take a look at the code for this query by clicking **Open in query console** at the top of that page.
|
||||
|
||||
What next?
|
||||
----------
|
||||
|
||||
- Explore other ways of querying classes using examples from the `C/C++ cookbook <https://help.semmle.com/wiki/label/CBCPP/class>`__.
|
||||
- Take a look at the :doc:`Analyzing data flow in C/C++ <dataflow>` tutorial.
|
||||
- Try the worked examples in the following topics: :doc:`Example: Checking that constructors initialize all private fields <private-field-initialization>` and :doc:`Example: Checking for allocations equal to 'strlen(string)' without space for a null terminator <zero-space-terminator>`.
|
||||
- Try the worked examples in the following topics: :doc:`Example: Checking that constructors initialize all private fields <private-field-initialization>`, and :doc:`Example: Checking for allocations equal to 'strlen(string)' without space for a null terminator <zero-space-terminator>`.
|
||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
||||
|
||||
@@ -4,10 +4,10 @@ Analyzing data flow in C/C++
|
||||
Overview
|
||||
--------
|
||||
|
||||
This topic describes how data flow analysis is implemented in the QL for C/C++ library and includes examples to help you write your own data flow queries.
|
||||
The following sections describe how to utilize the QL libraries for local data flow, global data flow and taint tracking.
|
||||
This topic describes how data flow analysis is implemented in the CodeQL libraries for C/C++ and includes examples to help you write your own data flow queries.
|
||||
The following sections describe how to utilize the libraries for local data flow, global data flow, and taint tracking.
|
||||
|
||||
For a more general introduction to modeling data flow in QL, see :doc:`Introduction to data flow analysis in QL <../intro-to-data-flow>`.
|
||||
For a more general introduction to modeling data flow, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`.
|
||||
|
||||
Local data flow
|
||||
---------------
|
||||
|
||||
@@ -4,12 +4,12 @@ Tutorial: Expressions, types and statements
|
||||
Overview
|
||||
--------
|
||||
|
||||
This topic contains worked examples of how to write queries using the standard QL library classes for C/C++ expressions, types, and statements.
|
||||
This topic contains worked examples of how to write queries using the standard CodeQL library classes for C/C++ expressions, types, and statements.
|
||||
|
||||
Expressions and types
|
||||
---------------------
|
||||
|
||||
Each part of an expression in C becomes an instance of the QL ``Expr`` class. For example, the C code ``x = x + 1`` becomes an ``AssignExpr``, an ``AddExpr``, two instances of ``VariableAccess`` and a ``Literal``. All of these QL classes extend ``Expr``.
|
||||
Each part of an expression in C becomes an instance of the ``Expr`` class. For example, the C code ``x = x + 1`` becomes an ``AssignExpr``, an ``AddExpr``, two instances of ``VariableAccess`` and a ``Literal``. All of these CodeQL classes extend ``Expr``.
|
||||
|
||||
Finding assignments to zero
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
@@ -26,7 +26,7 @@ In the following example we find instances of ``AssignExpr`` which assign the co
|
||||
|
||||
➤ `See this in the query console <https://lgtm.com/query/1505908086530/>`__
|
||||
|
||||
The ``where`` clause in this example gets the expression on the right side of the assignment, ``getRValue()``, and compares it with zero. Notice that there are no checks to make sure that the right side of the assignment is an integer or that it has a value (that is, it is compile-time constant, rather than a variable). For expressions where either of these assumptions is wrong, the associated QL predicate simply does not return anything and the ``where`` clause will not produce a result. You could think of it as if there is an implicit ``exists(e.getRValue().getValue().toInt())`` at the beginning of this line.
|
||||
The ``where`` clause in this example gets the expression on the right side of the assignment, ``getRValue()``, and compares it with zero. Notice that there are no checks to make sure that the right side of the assignment is an integer or that it has a value (that is, it is compile-time constant, rather than a variable). For expressions where either of these assumptions is wrong, the associated predicate simply does not return anything and the ``where`` clause will not produce a result. You could think of it as if there is an implicit ``exists(e.getRValue().getValue().toInt())`` at the beginning of this line.
|
||||
|
||||
It is also worth noting that the query above would find this C code:
|
||||
|
||||
@@ -34,7 +34,7 @@ It is also worth noting that the query above would find this C code:
|
||||
|
||||
yPtr = NULL;
|
||||
|
||||
This is because the snapshot contains a representation of the code base after the preprocessor transforms have run (for more information, see `Database generation <https://lgtm.com/help/lgtm/generate-database>`__). This means that any macro invocations, such as the ``NULL`` define used here, are expanded during the creation of the snapshot. If you want to write queries about macros then there are some special library classes that have been designed specifically for this purpose (for example, the ``Macro``, ``MacroInvocation`` classes and predicates like ``Element.isInMacroExpansion()``). In this case, it is good that macros are expanded, but we do not want to find assignments to pointers.
|
||||
This is because the database contains a representation of the code base after the preprocessor transforms have run (for more information, see `Database generation <https://lgtm.com/help/lgtm/generate-database>`__). This means that any macro invocations, such as the ``NULL`` define used here, are expanded during the creation of the database. If you want to write queries about macros then there are some special library classes that have been designed specifically for this purpose (for example, the ``Macro``, ``MacroInvocation`` classes and predicates like ``Element.isInMacroExpansion()``). In this case, it is good that macros are expanded, but we do not want to find assignments to pointers.
|
||||
|
||||
Finding assignments of 0 to an integer
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
@@ -4,14 +4,14 @@ Tutorial: Function classes
|
||||
Overview
|
||||
--------
|
||||
|
||||
The standard QL library for C and C++ represents functions using the ``Function`` class (see :doc:`Introducing the C/C++ libraries <introduce-libraries-cpp>`).
|
||||
The standard CodeQL library for C and C++ represents functions using the ``Function`` class (see :doc:`Introducing the C/C++ libraries <introduce-libraries-cpp>`).
|
||||
|
||||
The example queries in this topic explore some of the most useful library predicates for querying functions.
|
||||
|
||||
Finding all static functions
|
||||
----------------------------
|
||||
|
||||
Using the member predicate ``Function.isStatic()`` we can list all of the static functions in a snapshot:
|
||||
Using the member predicate ``Function.isStatic()`` we can list all the static functions in a database:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
@@ -26,7 +26,7 @@ This query is very general, so there are probably too many results to be interes
|
||||
Finding functions that are not called
|
||||
-------------------------------------
|
||||
|
||||
It might be more interesting to find functions that are not called, using the standard QL ``FunctionCall`` class from the **abstract syntax tree** category (see :doc:`Introducing the C/C++ libraries <introduce-libraries-cpp>`). The ``FunctionCall`` class can be used to identify places where a function is actually used, and it is related to ``Function`` through the ``FunctionCall.getTarget()`` predicate.
|
||||
It might be more interesting to find functions that are not called, using the standard CodeQL ``FunctionCall`` class from the **abstract syntax tree** category (see :doc:`Introducing the C/C++ libraries <introduce-libraries-cpp>`). The ``FunctionCall`` class can be used to identify places where a function is actually used, and it is related to ``Function`` through the ``FunctionCall.getTarget()`` predicate.
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
@@ -58,9 +58,9 @@ You can modify the query to remove functions where a function pointer is used to
|
||||
|
||||
This query returns fewer results. However, if you examine the results then you can probably still find potential refinements.
|
||||
|
||||
For example, there is a more complicated LGTM `query <https://lgtm.com/rules/2152580467/>`__ that finds unused static functions. To see the QL code for this query, click **Open in query console** at the top of the page.
|
||||
For example, there is a more complicated LGTM `query <https://lgtm.com/rules/2152580467/>`__ that finds unused static functions. To see the code for this query, click **Open in query console** at the top of the page.
|
||||
|
||||
You can explore the definition of an element in the standard QL libraries and see what predicates are available. Use the keyboard **F3** button to open the definition of any element. Alternatively, hover over the element and click **Jump to definition** in the tooltip displayed. The library file is opened in a new tab with the definition highlighted.
|
||||
You can explore the definition of an element in the standard libraries and see what predicates are available. Use the keyboard **F3** button to open the definition of any element. Alternatively, hover over the element and click **Jump to definition** in the tooltip displayed. The library file is opened in a new tab with the definition highlighted.
|
||||
|
||||
Finding a specific function
|
||||
---------------------------
|
||||
|
||||
@@ -1,23 +1,23 @@
|
||||
Introducing the C/C++ libraries
|
||||
===============================
|
||||
Introducing the CodeQL libraries for C/C++
|
||||
==========================================
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
There is an extensive QL library for analyzing snapshots extracted from C/C++ projects. The QL classes in this library present the data from a snapshot database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``cpp.qll`` imports all of the core C/C++ library modules, so you can include the complete library by beginning your query with:
|
||||
There is an extensive library for analyzing CodeQL databases extracted from C/C++ projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``cpp.qll`` imports all the core C/C++ library modules, so you can include the complete library by beginning your query with:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
import cpp
|
||||
|
||||
The rest of this topic summarizes available QL classes and corresponding C/C++ constructs.
|
||||
The rest of this topic summarizes the available CodeQL classes and corresponding C/C++ constructs.
|
||||
|
||||
NOTE: You can find related classes and features using the query console's auto-complete feature. You can also press *F3* to jump to the definition of any element; QL library files are opened in new tabs in the console.
|
||||
NOTE: You can find related classes and features using the query console's auto-complete feature. You can also press *F3* to jump to the definition of any element; library files are opened in new tabs in the console.
|
||||
|
||||
Summary of the library classes
|
||||
------------------------------
|
||||
|
||||
The most commonly used standard QL library classes are listed below. The listing is broken down by functionality. Each QL library class is annotated with a C/C++ construct it corresponds to.
|
||||
The most commonly used standard library classes are listed below. The listing is broken down by functionality. Each library class is annotated with a C/C++ construct it corresponds to.
|
||||
|
||||
Declaration classes
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
@@ -25,7 +25,7 @@ Declaration classes
|
||||
This table lists `Declaration <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Declaration.qll/type.Declaration$Declaration.html>`__ classes representing C/C++ declarations.
|
||||
|
||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Example syntax | QL class | Remarks |
|
||||
| Example syntax | CodeQL class | Remarks |
|
||||
+=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================================================================================================================================================================+====================================================================================================================================================================================================+
|
||||
| ``int`` *var* ``;`` | `GlobalVariable <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Variable.qll/type.Variable$GlobalVariable.html>`__ | |
|
||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
@@ -154,7 +154,7 @@ Statement classes
|
||||
This table lists subclasses of `Stmt <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/stmts/Stmt.qll/type.Stmt$Stmt.html>`__ representing C/C++ statements.
|
||||
|
||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Example syntax | QL class | Remarks |
|
||||
| Example syntax | CodeQL class | Remarks |
|
||||
+===============================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+===================================================================================================================================================================================================================================================================================================+
|
||||
| ``__asm__ ("`` *movb %bh, (%eax)* ``");`` | `AsmStmt <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/stmts/Stmt.qll/type.Stmt$AsmStmt.html>`__ | Specific to a given CPU instruction set |
|
||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
@@ -215,7 +215,7 @@ Expression classes
|
||||
This table lists subclasses of `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__ representing C/C++ expressions.
|
||||
|
||||
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Example syntax | QL class(es) | Remarks |
|
||||
| Example syntax | CodeQL class(es) | Remarks |
|
||||
+========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==========================================================================================================================================================================================================+=============================================================================================================================================================================================================================================================================================================+
|
||||
| ``{`` `Expr <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Expr.qll/type.Expr$Expr.html>`__... ``}`` | | `ArrayAggregateLiteral <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Literal.qll/type.Literal$ArrayAggregateLiteral.html>`__ | |
|
||||
| | | `ClassAggregateLiteral <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Literal.qll/type.Literal$ClassAggregateLiteral.html>`__ | |
|
||||
@@ -417,7 +417,7 @@ Type classes
|
||||
This table lists subclasses of `Type <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Type.qll/type.Type$Type.html>`__ representing C/C++ types.
|
||||
|
||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Example syntax | QL class | Remarks |
|
||||
| Example syntax | CodeQL class | Remarks |
|
||||
+=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+==================================================================================================================================================================================================================================================================================+
|
||||
| ``void`` | `VoidType <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Type.qll/type.Type$VoidType.html>`__ | |
|
||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
@@ -485,7 +485,7 @@ Preprocessor classes
|
||||
This table lists `Preprocessor <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Preprocessor.qll/module.Preprocessor.html>`__ classes representing C/C++ preprocessing directives.
|
||||
|
||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Example syntax | QL class | Remarks |
|
||||
| Example syntax | CodeQL class | Remarks |
|
||||
+=============================================================================================================================================================================================================================================================================================================================================================================================================================================+==================================================================================================================================================================+===================================================================================================================================================================================================================================================================================+
|
||||
| ``#elif`` *condition* | `PreprocessorElif <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/Preprocessor.qll/type.Preprocessor$PreprocessorElif.html>`__ | |
|
||||
+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
@@ -522,6 +522,6 @@ This table lists `Preprocessor <https://help.semmle.com/qldoc/cpp/semmle/code/cp
|
||||
What next?
|
||||
----------
|
||||
|
||||
- Experiment with the worked examples in the QL for C/C++ topics: :doc:`Function classes <function-classes>`, :doc:`Expressions, types and statements <expressions-types>`, :doc:`Conversions and classes <conversions-classes>`, and :doc:`Analyzing data flow in C/C++ <dataflow>`.
|
||||
- Experiment with the worked examples in the CodeQL for C/C++ topics: :doc:`Function classes <function-classes>`, :doc:`Expressions, types and statements <expressions-types>`, :doc:`Conversions and classes <conversions-classes>`, and :doc:`Analyzing data flow in C/C++ <dataflow>`.
|
||||
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
|
||||
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
|
||||
|
||||
@@ -4,7 +4,7 @@ Example: Checking that constructors initialize all private fields
|
||||
Overview
|
||||
--------
|
||||
|
||||
This topic describes how a C++ query was developed. The example introduces recursive predicates and demonstrates the typical workflow used to refine a query. For a full overview of the topics available for learning to write QL queries for C/C++ code, see :doc:`QL for C/C++ <ql-for-cpp>`.
|
||||
This topic describes how a C++ query was developed. The example introduces recursive predicates and demonstrates the typical workflow used to refine a query. For a full overview of the topics available for learning to write queries for C/C++ code, see :doc:`CodeQL for C/C++ <ql-for-cpp>`.
|
||||
|
||||
Problem—finding every private field and checking for initialization
|
||||
-------------------------------------------------------------------
|
||||
@@ -29,7 +29,7 @@ We can start by looking at every private field in a class and checking that ever
|
||||
#. ``f.isPrivate()`` checks if the field is private.
|
||||
#. ``not exists(Assignment a | a = f.getAnAssignment() and a.getEnclosingFunction() = c)`` checks that there is no assignment to the field in the constructor.
|
||||
|
||||
This QL code looks fairly complete, but when you test it on a project, there are several results that contain examples that we have overlooked.
|
||||
This code looks fairly complete, but when you test it on a project, there are several results that contain examples that we have overlooked.
|
||||
|
||||
Refinement 1—excluding fields initialized by lists
|
||||
--------------------------------------------------
|
||||
@@ -62,7 +62,7 @@ These can be excluded by adding an extra condition to check for this special con
|
||||
Refinement 2—excluding fields initialized by external libraries
|
||||
---------------------------------------------------------------
|
||||
|
||||
When you test the revised query, you may discover that fields from classes in external libraries are over-reported. This is often because a header file declares a constructor that is defined in a source file that is not analyzed (external libraries are often excluded from analysis). When the source code is analyzed, the snapshot is populated with a ``Constructor`` entry with no body. This ``constructor`` therefore contains no assignments and consequently the query reports that any fields initialized by the constructor are "uninitialized." There is no particular reason to be suspicious of these cases, and we can exclude them from the results by defining a condition to exclude constructors that have no body:
|
||||
When you test the revised query, you may discover that fields from classes in external libraries are over-reported. This is often because a header file declares a constructor that is defined in a source file that is not analyzed (external libraries are often excluded from analysis). When the source code is analyzed, the CodeQL database is populated with a ``Constructor`` entry with no body. This ``constructor`` therefore contains no assignments and consequently the query reports that any fields initialized by the constructor are "uninitialized." There is no particular reason to be suspicious of these cases, and we can exclude them from the results by defining a condition to exclude constructors that have no body:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
QL for C/C++
|
||||
============
|
||||
CodeQL for C/C++
|
||||
================
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
@@ -13,19 +13,19 @@ QL for C/C++
|
||||
private-field-initialization
|
||||
zero-space-terminator
|
||||
|
||||
These topics provide an overview of the QL C/C++ standard libraries and show examples of how to write queries that use them.
|
||||
These topics provide an overview of the CodeQL libraries for C/C++ and show examples of how to write queries that use them.
|
||||
|
||||
- `Basic C/C++ QL query <https://lgtm.com/help/lgtm/console/ql-cpp-basic-example>`__ describes how to write and run queries using LGTM.
|
||||
- `Basic C/C++ query <https://lgtm.com/help/lgtm/console/ql-cpp-basic-example>`__ describes how to write and run queries using LGTM.
|
||||
|
||||
- :doc:`Introducing the QL libraries for C/C++ <introduce-libraries-cpp>` introduces the standard libraries used to write queries for C and C++ code.
|
||||
- :doc:`Introducing the CodeQL libraries for C/C++ <introduce-libraries-cpp>` introduces the standard libraries used to write queries for C and C++ code.
|
||||
|
||||
- :doc:`Tutorial: Function classes <function-classes>` demonstrates how to write queries using the standard QL library classes for C/C++ functions.
|
||||
- :doc:`Tutorial: Function classes <function-classes>` demonstrates how to write queries using the standard CodeQL library classes for C/C++ functions.
|
||||
|
||||
- :doc:`Tutorial: Expressions, types and statements <expressions-types>` demonstrates how to write queries using the standard QL library classes for C/C++ expressions, types and statements.
|
||||
- :doc:`Tutorial: Expressions, types and statements <expressions-types>` demonstrates how to write queries using the standard CodeQL library classes for C/C++ expressions, types and statements.
|
||||
|
||||
- :doc:`Tutorial: Conversions and classes <conversions-classes>` demonstrates how to write queries using the standard QL library classes for C/C++ conversions and classes.
|
||||
- :doc:`Tutorial: Conversions and classes <conversions-classes>` demonstrates how to write queries using the standard CodeQL library classes for C/C++ conversions and classes.
|
||||
|
||||
- :doc:`Tutorial: Analyzing data flow in C/C++ <dataflow>` demonstrates how to write queries using the standard QL for C/C++ data flow and taint tracking libraries.
|
||||
- :doc:`Tutorial: Analyzing data flow in C/C++ <dataflow>` demonstrates how to write queries using the standard data flow and taint tracking libraries for C/C++.
|
||||
|
||||
- :doc:`Example: Checking that constructors initialize all private fields <private-field-initialization>` works through the development of a query. It introduces recursive predicates and shows the typical workflow used to refine a query.
|
||||
|
||||
@@ -51,6 +51,8 @@ Advanced libraries
|
||||
Other resources
|
||||
---------------
|
||||
|
||||
- For examples of how to query common C/C++ elements, see the `C/C++ QL cookbook <https://help.semmle.com/wiki/display/CBCPP>`__.
|
||||
- For the queries used in LGTM, display a `C/C++ query <https://lgtm.com/search?q=language%3Acpp&t=rules>`__ and click **Open in query console** to see the QL code used to find alerts.
|
||||
- For more information about the C/C++ QL library see the `QL library for C/C++ <https://help.semmle.com/qldoc/cpp>`__.
|
||||
.. TODO: Rename the cookbooks: C/C++ cookbook, or C/C++ CodeQL cookbook, or CodeQL cookbook for C/C++, or...?
|
||||
|
||||
- For examples of how to query common C/C++ elements, see the `C/C++ cookbook <https://help.semmle.com/wiki/display/CBCPP>`__.
|
||||
- For the queries used in LGTM, display a `C/C++ query <https://lgtm.com/search?q=language%3Acpp&t=rules>`__ and click **Open in query console** to see the code used to find alerts.
|
||||
- For more information about the library for C/C++ see the `CodeQL library for C/C++ <https://help.semmle.com/qldoc/cpp>`__.
|
||||
|
||||
@@ -4,7 +4,7 @@ Hash consing and value numbering
|
||||
Overview
|
||||
--------
|
||||
|
||||
In C and C++ QL databases, each node in the abstract syntax tree is represented by a separate object. This allows both analysis and results display to refer to specific appearances of a piece of syntax. However, it is frequently useful to determine whether two expressions are equivalent, either syntactically or semantically.
|
||||
In C and C++ databases, each node in the abstract syntax tree is represented by a separate object. This allows both analysis and results display to refer to specific appearances of a piece of syntax. However, it is frequently useful to determine whether two expressions are equivalent, either syntactically or semantically.
|
||||
|
||||
The `hash consing <https://en.wikipedia.org/wiki/Hash_consing>`__ library (defined in ``semmle.code.cpp.valuenumbering.HashCons``) provides a mechanism for identifying expressions that have the same syntactic structure. The `global value numbering <https://en.wikipedia.org/wiki/Value_numbering>`__ library (defined in ``semmle.code.cpp.valuenumbering.GlobalValueNumbering``) provides a mechanism for identifying expressions that compute the same value at runtime.
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ Example: Checking for allocations equal to ``strlen(string)`` without space for
|
||||
Overview
|
||||
--------
|
||||
|
||||
This topic describes how a C/C++ query for detecting a potential buffer overflow was developed. For a full overview of the topics available for learning to write QL queries for C/C++ code, see :doc:`QL for C/C++ <ql-for-cpp>`.
|
||||
This topic describes how a C/C++ query for detecting a potential buffer overflow was developed. For a full overview of the topics available for learning to write queries for C/C++ code, see :doc:`CodeQL for C/C++ <ql-for-cpp>`.
|
||||
|
||||
Problem—detecting memory allocation that omits space for a null termination character
|
||||
-------------------------------------------------------------------------------------
|
||||
@@ -32,7 +32,7 @@ Defining the entities of interest
|
||||
|
||||
You could approach this problem either by searching for code similar to the call to ``malloc`` in line 3 or the call to ``strcpy`` in line 5 (see example above). For our basic query, we start with a simple assumption: any call to ``malloc`` with only a ``strlen`` to define the memory size is likely to cause an error when the memory is populated.
|
||||
|
||||
Calls to ``strlen`` can be identified using the library `StrlenCall <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/commons/StringAnalysis.qll/type.StringAnalysis$StrlenCall.html>`__ class, but we need to define a new class to identify calls to ``malloc``. Both the library class and the new class need to extend the standard QL class ``FunctionCall``, with the added restriction of the function name that they apply to:
|
||||
Calls to ``strlen`` can be identified using the library `StrlenCall <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/commons/StringAnalysis.qll/type.StringAnalysis$StrlenCall.html>`__ class, but we need to define a new class to identify calls to ``malloc``. Both the library class and the new class need to extend the standard class ``FunctionCall``, with the added restriction of the function name that they apply to:
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
@@ -52,7 +52,7 @@ Calls to ``strlen`` can be identified using the library `StrlenCall <https://hel
|
||||
Finding the ``strlen(string)`` pattern
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Before we start to write our query, there's one remaining task. We need to modify our new ``MallocCall`` class, so it returns an expression for the size of the allocation. Currently this will be the first argument to the ``malloc`` call, ``FunctionCall.getArgument(0)``, but converting this into a QL predicate makes it more flexible for future refinements.
|
||||
Before we start to write our query, there's one remaining task. We need to modify our new ``MallocCall`` class, so it returns an expression for the size of the allocation. Currently this will be the first argument to the ``malloc`` call, ``FunctionCall.getArgument(0)``, but converting this into a predicate makes it more flexible for future refinements.
|
||||
|
||||
.. code-block:: ql
|
||||
|
||||
@@ -106,7 +106,7 @@ The query above works for simple cases, but does not identify a common coding pa
|
||||
int len = strlen(input);
|
||||
buffer = malloc(len);
|
||||
|
||||
To identify this case we can use the standard QL library ``SSA.qll`` (imported as ``semmle.code.cpp.controlflow.SSA``).
|
||||
To identify this case we can use the standard library ``SSA.qll`` (imported as ``semmle.code.cpp.controlflow.SSA``).
|
||||
|
||||
This library helps us identify where values assigned to local variables may subsequently be used.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user