docs/language/learn-ql/cpp/conversions-classes.rst (9 additions & 12 deletions)
@@ -1,15 +1,14 @@
1
-
Tutorial: Conversions and classes
2
-
=================================
1
+
Conversions and classes in C and C++
2
+
====================================
3
3
4
-
Overview
5
-
--------
6
-
7
-
This topic contains worked examples of how to write queries using the CodeQL library classes for C/C++ conversions and classes.
4
+
You can use the standard CodeQL libraries for C and C++ to detect when the type of an expression is changed.
8
5
9
6
Conversions
10
7
-----------
11
8
12
-
Let us take a look at the ``Conversion`` class in the standard library:
9
+
In C and C++, conversions change the type of an expression. They may be implicit conversions generated by the compiler, or explicit conversions requested by the user.
10
+
11
+
Let's take a look at the `Conversion <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/exprs/Cast.qll/type.Cast$Conversion.html>`__ class in the standard library:
13
12
14
13
- ``Expr``
15
14
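Review bot: the new one-line introduction (new line 4, "You can use the standard CodeQL libraries for C and C++ to detect when the type of an expression is changed.") describes only the conversions half of a topic whose title, and whose later query about virtual functions and destructors, cover classes as well; consider extending it so the classes material is announced too, for example "...to detect when the type of an expression is changed, and to explore classes and their member functions." The rest of the hunk, moving the implicit-versus-explicit sentence up into the introduction and linking ``Conversion`` to its qldoc page, reads well.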
@@ -25,8 +24,6 @@ Let us take a look at the ``Conversion`` class in the standard library:
25
24
- ``ArrayToPointerConversion``
26
25
- ``VirtualMemberToFunctionPointerConversion``
27
26
28
-
All conversions change the type of an expression. They may be implicit conversions (generated by the compiler) or explicit conversions (requested by the user).
29
-
30
27
Exploring the subexpressions of an assignment
31
28
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
32
29
@@ -221,13 +218,13 @@ Our last change is to use ``Function.isVirtual()`` to find cases where the base
221
218
222
219
That completes the query.
223
220
224
-
There is a similar built-in LGTM `query <https://lgtm.com/rules/2158670642/>`__ that finds classes in a C/C++ project with virtual functions but no virtual destructor. You can take a look at the code for this query by clicking **Open in query console** at the top of that page.
221
+
There is a similar built-in `query <https://lgtm.com/rules/2158670642/>`__ on LGTM.com that finds classes in a C/C++ project with virtual functions but no virtual destructor. You can take a look at the code for this query by clicking **Open in query console** at the top of that page.
225
222
226
223
What next?
227
224
----------
228
225
229
226
- Explore other ways of querying classes using examples from the `C/C++ cookbook <https://help.semmle.com/wiki/label/CBCPP/class>`__.
230
-
- Take a look at the :doc:`Analyzing data flow in C/C++ <dataflow>` tutorial.
231
-
- Try the worked examples in the following topics: :doc:`Example: Checking that constructors initialize all private fields<private-field-initialization>`, and :doc:`Example: Checking for allocations equal to 'strlen(string)' without space for a null terminator<zero-space-terminator>`.
227
+
- Take a look at the :doc:`Analyzing data flow in C and C++ <dataflow>` tutorial.
228
+
- Try the worked examples in the following topics: :doc:`Refining a query to account for edge cases<private-field-initialization>`, and :doc:`Detecting a potential buffer overflow<zero-space-terminator>`.
232
229
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
233
230
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
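Review bot: the "C/C++ cookbook" bullet is deleted from "What next?" without a replacement, and the same deletion is made in expressions-types.rst and function-classes.rst in this commit, so the cookbook wiki links disappear from every tutorial's reading list; if the wiki pages are being retired that is fine, but say so in the commit message, and if not, keep the bullet. The rewording to "built-in query on LGTM.com" matches the phrasing used in expressions-types.rst in this commit.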
docs/language/learn-ql/cpp/dataflow.rst (7 additions & 8 deletions)
@@ -1,13 +1,12 @@
1
-
Analyzing data flow in C/C++
2
-
============================
1
+
Analyzing data flow in C and C++
2
+
================================
3
3
4
-
Overview
5
-
--------
4
+
You can use data-flow analysis to track the flow of potentially malicious or insecure data that can cause vulnerabilities in your codebase.
6
5
7
-
This topic describes how data flow analysis is implemented in the CodeQL libraries for C/C++ and includes examples to help you write your own data flow queries.
8
-
The following sections describe how to utilize the libraries for local data flow, global data flow, and taint tracking.
6
+
About data flow
7
+
---------------
9
8
10
-
For a more general introduction to modeling data flow, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`.
9
+
Data flow analysis computes the possible values that a variable can hold at various points in a program, determining how those values propagate through the program, and where they are used. In CodeQL, you can model both local data flow and global data flow. For more background information, see :doc:`Introduction to data flow analysis with CodeQL <../intro-to-data-flow>`.
11
10
12
11
Local data flow
13
12
---------------
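Review bot: within this hunk the new introduction writes "data-flow analysis" (hyphenated, new line 4) while the new "About data flow" paragraph writes "Data flow analysis" and "local data flow" (unhyphenated, new line 9); pick one spelling, and the unhyphenated form matches the title and the "Local data flow" heading. The deleted sentence "The following sections describe how to utilize the libraries for local data flow, global data flow, and taint tracking." was the introduction's only mention of taint tracking, and the new paragraph names only local and global data flow; unless the taint tracking section has also been removed, add it back to the new paragraph so the introduction still matches the sections that follow.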
@@ -299,7 +298,7 @@ Exercise 4: Using the answers from 2 and 3, write a query which finds all global
299
298
What next?
300
299
----------
301
300
302
-
- Try the worked examples in the following topics: :doc:`Example: Checking that constructors initialize all private fields<private-field-initialization>` and :doc:`Example: Checking for allocations equal to 'strlen(string)' without space for a null terminator<zero-space-terminator>`.
301
+
- Try the worked examples in the following topics: :doc:`Refining a query to account for edge cases<private-field-initialization>` and :doc:`Detecting a potential buffer overflow<zero-space-terminator>`.
303
302
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
304
303
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
docs/language/learn-ql/cpp/expressions-types.rst (9 additions & 12 deletions)
@@ -1,13 +1,10 @@
1
-
Tutorial: Expressions, types and statements
2
-
===========================================
1
+
Expressions, types, and statements in C and C++
2
+
===============================================
3
3
4
-
Overview
5
-
--------
4
+
You can use CodeQL to explore expressions, types, and statements in C and C++ code to find, for example, incorrect assignments.
6
5
7
-
This topic contains worked examples of how to write queries using the standard CodeQL library classes for C/C++ expressions, types, and statements.
8
-
9
-
Expressions and types
10
-
---------------------
6
+
Expressions and types in CodeQL
7
+
-------------------------------
11
8
12
9
Each part of an expression in C becomes an instance of the ``Expr`` class. For example, the C code ``x = x + 1`` becomes an ``AssignExpr``, an ``AddExpr``, two instances of ``VariableAccess`` and a ``Literal``. All of these CodeQL classes extend ``Expr``.
13
10
@@ -34,7 +31,7 @@ It is also worth noting that the query above would find this C code:
34
31
35
32
yPtr = NULL;
36
33
37
-
This is because the database contains a representation of the code base after the preprocessor transforms have run (for more information, see `Database generation <https://lgtm.com/help/lgtm/generate-database>`__). This means that any macro invocations, such as the ``NULL`` define used here, are expanded during the creation of the database. If you want to write queries about macros then there are some special library classes that have been designed specifically for this purpose (for example, the ``Macro``, ``MacroInvocation`` classes and predicates like ``Element.isInMacroExpansion()``). In this case, it is good that macros are expanded, but we do not want to find assignments to pointers.
34
+
This is because the database contains a representation of the code base after the preprocessor transforms have run. This means that any macro invocations, such as the ``NULL`` define used here, are expanded during the creation of the database. If you want to write queries about macros then there are some special library classes that have been designed specifically for this purpose (for example, the ``Macro``, ``MacroInvocation`` classes and predicates like ``Element.isInMacroExpansion()``). In this case, it is good that macros are expanded, but we do not want to find assignments to pointers. For more information, see `Database generation <https://lgtm.com/help/lgtm/generate-database>`__ on LGTM.com.
38
35
39
36
Finding assignments of 0 to an integer
40
37
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -61,8 +58,8 @@ This checks that the left side of the assignment has a type that is some kind of
61
58
62
59
i = 0;
63
60
64
-
Statements
65
-
----------
61
+
Statements in CodeQL
62
+
--------------------
66
63
67
64
We can refine the query further using statements. In this case we use the class ``ForStmt``:
68
65
@@ -136,6 +133,6 @@ What next?
136
133
----------
137
134
138
135
- Explore other ways of finding types and statements using examples from the C/C++ cookbook for `types <https://help.semmle.com/wiki/label/CBCPP/type>`__ and `statements <https://help.semmle.com/wiki/label/CBCPP/statement>`__.
139
-
- Take a look at the :doc:`Conversions and classes <conversions-classes>` and :doc:`Analyzing data flow in C/C++ <dataflow>` tutorials.
136
+
- Take a look at the :doc:`Conversions and classes in C and C++ <conversions-classes>` and :doc:`Analyzing data flow in C and C++ <dataflow>` tutorials.
140
137
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
141
138
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
docs/language/learn-ql/cpp/function-classes.rst (7 additions & 5 deletions)
@@ -1,10 +1,12 @@
1
-
Tutorial: Function classes
2
-
==========================
1
+
Functions in C and C++
2
+
=======================
3
+
4
+
You can use CodeQL to explore functions in C and C++ code.
3
5
4
6
Overview
5
7
--------
6
8
7
-
The standard CodeQL library for C and C++ represents functions using the ``Function`` class (see :doc:`Introducing the C/C++ libraries<introduce-libraries-cpp>`).
9
+
The standard CodeQL library for C and C++ represents functions using the ``Function`` class (see :doc:`CodeQL libraries for C and C++ <introduce-libraries-cpp>`).
8
10
9
11
The example queries in this topic explore some of the most useful library predicates for querying functions.
10
12
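Review bot: the new summary sentence is inserted above the retained "Overview" heading here, whereas every other file in this commit deletes "Overview" and puts the summary directly under the title; for consistency, delete the "Overview" heading (new lines 6-7) as well. Also the new title underline has 23 "=" characters for the 22-character title "Functions in C and C++"; reStructuredText accepts a longer underline, but the other retitled files in this commit were trimmed to an exact match, so trim this one too.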
@@ -26,7 +28,7 @@ This query is very general, so there are probably too many results to be interes
26
28
Finding functions that are not called
27
29
-------------------------------------
28
30
29
-
It might be more interesting to find functions that are not called, using the standard CodeQL ``FunctionCall`` class from the **abstract syntax tree** category (see :doc:`Introducing the C/C++ libraries<introduce-libraries-cpp>`). The ``FunctionCall`` class can be used to identify places where a function is actually used, and it is related to ``Function`` through the ``FunctionCall.getTarget()`` predicate.
31
+
It might be more interesting to find functions that are not called, using the standard CodeQL ``FunctionCall`` class from the **abstract syntax tree** category (see :doc:`CodeQL libraries for C and C++ <introduce-libraries-cpp>`). The ``FunctionCall`` class can be used to identify places where a function is actually used, and it is related to ``Function`` through the ``FunctionCall.getTarget()`` predicate.
30
32
31
33
.. code-block:: ql
32
34
@@ -91,6 +93,6 @@ What next?
91
93
----------
92
94
93
95
- Explore other ways of finding functions using examples from the `C/C++ cookbook <https://help.semmle.com/wiki/label/CBCPP/function>`__.
94
-
- Take a look at some of the other tutorials: :doc:`Expressions, types and statements <expressions-types>`, :doc:`Conversions and classes <conversions-classes>`, and :doc:`Analyzing data flow in C/C++ <dataflow>`.
96
+
- Take a look at some other tutorials: :doc:`Expressions, types and statements in C and C++ <introduce-libraries-cpp>`, :doc:`Conversions and classes in C and C++ <conversions-classes>`, and :doc:`Analyzing data flow in C and C++ <dataflow>`.
95
97
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
96
98
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.
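Review bot: the first :doc: link in the new "Take a look at some other tutorials" bullet points at the wrong target: ``Expressions, types and statements in C and C++ <introduce-libraries-cpp>`` sends the reader to the library introduction instead of expressions-types.rst; it should be ``:doc:`Expressions, types, and statements in C and C++ <expressions-types>```, which also restores the comma after "types" that the topic's title and the introduce-libraries-cpp.rst link in this commit use.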
docs/language/learn-ql/cpp/guards.rst (5 additions & 3 deletions)
@@ -1,8 +1,10 @@
1
1
Using the guards library in C and C++
2
2
=====================================
3
3
4
-
Overview
5
-
--------
4
+
You can use the CodeQL guards library to identify conditional expressions that control the execution of other parts of a program in C and C++ codebases.
5
+
6
+
About the guards library
7
+
------------------------
6
8
7
9
The guards library (defined in ``semmle.code.cpp.controlflow.Guards``) provides a class `GuardCondition <https://help.semmle.com/qldoc/cpp/semmle/code/cpp/controlflow/Guards.qll/type.Guards$GuardCondition.html>`__ representing Boolean values that are used to make control flow decisions.
8
10
A ``GuardCondition`` is considered to guard a basic block if the block can only be reached if the ``GuardCondition`` is evaluated a certain way. For instance, in the following code, ``x < 10`` is a ``GuardCondition``, and it guards all the code before the return statement.
@@ -20,7 +22,7 @@ A ``GuardCondition`` is considered to guard a basic block if the block can only
20
22
21
23
22
24
The ``controls`` predicate
23
-
------------------------------------------------
25
+
--------------------------
24
26
25
27
The ``controls`` predicate helps determine which blocks are only run when the ``GuardCondition`` evaluates a certain way. ``guard.controls(block, testIsTrue)`` holds if ``block`` is only entered if the value of this condition is ``testIsTrue``.
docs/language/learn-ql/cpp/introduce-libraries-cpp.rst (10 additions & 9 deletions)
@@ -1,20 +1,21 @@
1
-
Introducing the CodeQL libraries for C/C++
2
-
==========================================
1
+
CodeQL library for C and C++
2
+
============================
3
3
4
-
Overview
5
-
--------
4
+
When analyzing C or C++ code, you can use the large collection of classes in the CodeQL library for C and C++.
6
5
7
-
There is an extensive library for analyzing CodeQL databases extracted from C/C++ projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``cpp.qll`` imports all the core C/C++ library modules, so you can include the complete library by beginning your query with:
6
+
About the CodeQL library for C and C++
7
+
--------------------------------------
8
+
9
+
There is an extensive library for analyzing CodeQL databases extracted from C/C++ projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks.
10
+
The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``cpp.qll`` imports all the core C/C++ library modules, so you can include the complete library by beginning your query with:
8
11
9
12
.. code-block:: ql
10
13
11
14
import cpp
12
15
13
16
The rest of this topic summarizes the available CodeQL classes and corresponding C/C++ constructs.
14
17
15
-
NOTE: You can find related classes and features using the query console's auto-complete feature. You can also press *F3* to jump to the definition of any element; library files are opened in new tabs in the console.
16
-
17
-
Summary of the library classes
18
+
Commonly-used library classes
18
19
------------------------------
19
20
20
21
The most commonly used standard library classes are listed below. The listing is broken down by functionality. Each library class is annotated with a C/C++ construct it corresponds to.
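Review bot: the "NOTE: You can find related classes and features using the query console's auto-complete feature. You can also press *F3* to jump to the definition of any element ..." paragraph is deleted (old lines 15-16) without being moved anywhere in this commit, which drops a usability tip rather than merely restructuring; if the removal is intended, say why in the commit message, otherwise keep it under the new "About the CodeQL library for C and C++" section. Two smaller points: "Commonly-used library classes" should read "Commonly used library classes" (no hyphen after an -ly adverb), and its underline keeps the 30 "-" characters of the old "Summary of the library classes" heading, one longer than the 29-character new heading; valid reStructuredText, but trim it to match, as was done for the other renamed headings in this commit.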
@@ -522,6 +523,6 @@ This table lists `Preprocessor <https://help.semmle.com/qldoc/cpp/semmle/code/cp
522
523
What next?
523
524
----------
524
525
525
-
- Experiment with the worked examples in the CodeQL for C/C++ topics: :doc:`Function classes <function-classes>`, :doc:`Expressions, types and statements <expressions-types>`, :doc:`Conversions and classes <conversions-classes>`, and :doc:`Analyzing data flow in C/C++ <dataflow>`.
526
+
- Experiment with the worked examples in the CodeQL for C/C++ topics: :doc:`Functions in C and C++ <function-classes>`, :doc:`Expressions, types, and statements in C and C++ <expressions-types>`, :doc:`Conversions and classes in C and C++ <conversions-classes>`, and :doc:`Analyzing data flow in C and C++ <dataflow>`.
526
527
- Find out more about QL in the `QL language handbook <https://help.semmle.com/QL/ql-handbook/index.html>`__ and `QL language specification <https://help.semmle.com/QL/ql-spec/language.html>`__.
527
528
- Learn more about the query console in `Using the query console <https://lgtm.com/help/lgtm/using-query-console>`__.