docs/codeql/codeql-language-guides/advanced-dataflow-scenarios-cpp.rst
Lines changed: 7 additions & 2 deletions
@@ -61,6 +61,7 @@ A regular dataflow query such as the following query:
61
61
will catch most things such as:
62
62
63
63
.. code-block:: cpp
64
+
:caption: Example 1
64
65
65
66
struct A {
66
67
const int *p;
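Review bot: the new ``:caption: Example 1`` option is not referred to by number anywhere in the visible hunks (only "example 2" is mentioned later), so consider pairing it with a ``:name:`` option (e.g. ``:name: example-1``) so that the prose can link to the listing with ``:ref:`` instead of relying on a plain-text number that drifts if examples are later inserted or renumbered.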
@@ -116,6 +117,7 @@ For example, consider an alternative setup where our source of data starts as th
116
117
This would match the call to ``write_user_input_to`` in the following example:
117
118
118
119
.. code-block:: cpp
120
+
:caption: Example 2
119
121
120
122
void write_user_input_to(void*);
121
123
void use_value(int);
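Review bot: this listing is the one the later "Using asIndirectExpr" and "Using asExpr" prose calls "example 2", so the caption should carry a ``:name:`` as well as a ``:caption:`` to make that reference a ``:ref:`` link; note also that the listing declares ``use_value(int)``, not ``use_pointer``, which matters for how the asExpr section refers back to it.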
@@ -194,13 +196,14 @@ We have an important choice here: Should ``n2`` be the node corresponding to the
194
196
Using asIndirectExpr
195
197
~~~~~~~~~~~~~~~~~~~~
196
198
197
-
If we use ``n2.asIndirectExpr() = fa`` we specify that flow moves to what ``fa`` points to. This allows data to flow through a later dereference, which is exactly what we need to track data flow from ``p`` to ``*p`` in ``process_user_data``.
199
+
If we use ``n2.asIndirectExpr() = fa`` we specify that flow in example 2 moves to what ``fa`` points to. This allows data to flow through a later dereference, which is exactly what we need to track data flow from ``p`` to ``*p`` in ``process_user_data``.
198
200
199
201
Thus we get the required flow path.
200
202
201
203
Consider a slightly different sink:
202
204
203
205
.. code-block:: cpp
206
+
:caption: Example 3
204
207
205
208
void write_user_input_to(void*);
206
209
void use_pointer(int*);
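Review bot: the rewritten sentence "we specify that flow in example 2 moves to what ``fa`` points to" reads awkwardly and uses lowercase "example 2" while the caption is "Example 2"; suggest "we specify that, in Example 2, flow moves to what ``fa`` points to" and keeping the capitalised caption form wherever a listing is referenced by number.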
@@ -239,7 +242,7 @@ The only difference between the previous example and this one is that our data e
239
242
Using asExpr
240
243
~~~~~~~~~~~~
241
244
242
-
Alternatively, this flow could also be tracked by:
245
+
Alternatively, the flow in example 2 could also be tracked by:
243
246
1. Changing ``isAdditionalFlowStep`` so that it targets the dataflow node that represents the value of the ``FieldAccess`` instead of the value it points to, and
244
247
2. Changing ``isSink`` to specify that we're interested in tracking the value the argument passed to ``use_pointer`` (instead of the value of what the argument points to).
245
248
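Review bot: "the flow in example 2" looks like the wrong listing: step 2 of this list talks about the argument passed to ``use_pointer``, which is declared in Example 3 (``void use_pointer(int*);``), whereas Example 2 declares ``use_value(int)``, and the context line says this section is about the difference between "the previous example and this one". Suggest "the flow in Example 3", and drop the redundant "Alternatively ... could also" ("Alternatively, the flow in Example 3 can be tracked by:").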
@@ -291,6 +294,7 @@ Passing the address of a variable to ``use_pointer``
291
294
Consider an alternative scenario where ``U`` contains a single ``int`` data, and we pass the address of data to ``use_pointer`` as seen below.
292
295
293
296
.. code-block:: cpp
297
+
:caption: Example 4
294
298
295
299
void write_user_input_to(void*);
296
300
void use_pointer(int*);
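Review bot: the caption follows the same ``:caption: Example N`` pattern as the others, but the introducing sentence refers to "the address of data" without literal markup while the preceding "a single ``int`` data" does use it; since ``data`` is the field name, write it as ``data`` in both places so readers can tell the identifier from the English word.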
@@ -368,6 +372,7 @@ The previous section demonstrated how to add flow from qualifiers to field acces
368
372
To set the stage, consider the following scenario:
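Review bot: the hunk header (``-368,6 +372,7``) says one line is added after "To set the stage, consider the following scenario:", but the added line is cut off in this rendering and cannot be reviewed here; please confirm it follows the same ``:caption:`` (and, if adopted, ``:name:``) convention as the other listings in this change.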