Add 'View DFG' queries #21356

Draft: asgerf wants to merge 85 commits into github:main from asgerf:view-dfg
Conversation

asgerf (Contributor) commented Feb 23, 2026

Adds the queries called by github/vscode-codeql#4305

This interface works better when defining the DFG edges in the next commit.
Adding this directly in the DataFlow module would expose it publicly via the `DataFlow::` prefix, which does not seem desirable. We just want to be able to access it ourselves, so I've put it in its own file.
private import codeql.dataflow.PrintDfg
import MakePrintDfg<Location, JSDataFlow, JSTaintFlow>

external string selectedSourceFile();
Check warning (Code scanning / CodeQL): Dead code. This code is never used, and it's not publicly exported.

private predicate selectedSourceFileAlias = selectedSourceFile/0;
Check warning (Code scanning / CodeQL): Dead code. This code is never used, and it's not publicly exported.

external int selectedSourceLine();
Check warning (Code scanning / CodeQL): Dead code. This code is never used, and it's not publicly exported.

private predicate selectedSourceLineAlias = selectedSourceLine/0;
Check warning (Code scanning / CodeQL): Dead code. This code is never used, and it's not publicly exported.

external int selectedSourceColumn();
Check warning (Code scanning / CodeQL): Dead code. This code is never used, and it's not publicly exported.

private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
Check warning (Code scanning / CodeQL): Dead code. This code is never used, and it's not publicly exported.

module ViewCfgQueryInput implements ViewGraphQueryInputSig<File> {
Check warning (Code scanning / CodeQL): Dead code. This code is never used, and it's not publicly exported.
  predicate selectedSourceColumn = selectedSourceColumnAlias/0;

  predicate cfgScopeSpan(
  predicate callableSpan(
Check warning (Code scanning / CodeQL): Dead code. This code is never used, and it's not publicly exported.

private import codeql.util.Location
private import codeql.dataflow.DataFlow as DF
private import codeql.dataflow.TaintTracking as TT
Check warning (Code scanning / CodeQL): Names only differing by case. TT is only different by casing from Tt that is used elsewhere for modules.
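Review bot: `private import codeql.dataflow.TaintTracking as TT` trips the names-only-differing-by-case check because `Tt` is already the alias used elsewhere for modules; renaming it to `Tt` keeps the module aliases consistent and clears that alert. The dead-code alerts on `selectedSourceFile`, `selectedSourceLine`, `selectedSourceColumn` and their `...Alias` predicates fire even though `ViewCfgQueryInput` forwards them (`predicate selectedSourceColumn = selectedSourceColumnAlias/0;`); since `external` predicates are bound at query time by the caller (here the VS Code extension, per the PR description), a short comment above the declarations saying so would stop a later cleanup from removing them as unused.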
paldepind and others added 15 commits February 24, 2026 13:20
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
…cks (UncheckedLeapYearAfterYearModification). Switch to using 'postprocess' for unit tests.
…ion. Includes new logic for detecting leap year checks, new forms of leap year checks detected, and various heuristics to remove false positives. Move TimeConversionFunction into LeapYear.qll and refactor to separate conversion functions that are expected to be checked for failure from those that auto correct leap year dates if feb 29 is provided on a non-leap year. Increase the set of known TimeConversionFunctions.
…auto correct for leap year should be considered.
tausbn and others added 27 commits February 24, 2026 13:21
These were causing the repo `gufolabs/noc` to spend ~30 seconds
evaluating `ControlFlowNode.strictlyDominates`. Just in case, I added
`overlay[caller]` to the other instances of `pragma[inline]` as well.
On `keras-team/keras`, this was producing ~200 million intermediate
tuples in order to produce a total of ... 2 tuples.

After the refactor, max intermediate tuple count is ~80k for the
charpred (and 4 for the new helper predicate).
This caused a ~30x blowup in intermediate tuples, now back to baseline.
Note that some sanitizers had no effect because flow through those functions wasn't modeled.
Note that this will only block flow for queries that use the kind `command-injection`.
Need to do this because the model numbering was changing. At the same
time we may as well use inline expectations.

8 participants