CodeQL library for C/C++
codeql/cpp-all 2.1.1-dev

Member predicate TypeTracking::TypeBackTracker::smallstep

Gets the summary that corresponds to having taken a backwards local, heap and/or inter-procedural step from nodeTo to nodeFrom.

Unlike TypeBackTracker::step, this predicate exposes all edges in the flow graph, not just the edges between TypeTrackingNodes. It may therefore be less performant.

Type tracking predicates using small steps typically take the following form:

Node myType(TypeBackTracker t) {
  t.start() and
  result = < some API call >.getArgument(< n >)
  or
  exists (TypeBackTracker t2 |
    t = t2.smallstep(result, myType(t2))
  )
}

Node myType() {
  result = myType(DataFlow::TypeBackTracker::end())
}

TypeBackTracker smallstep(Node nodeFrom, Node nodeTo)