CodeQL Python Extractor 源码分析

最近定位python codeql 的一个cve 复现，发现涉及到extractor 的逻辑，正好之前也有跟踪过java 的经验，应该大差不差，记录下。

1. 架构

https://github.com/github/codeql/blob/main/python/extractor/README.md#2-The-actual-Python-extractor

从流程图上看

2. Trap 生成

2.1 codeql database create

新建一个Java 项目任务，配置Debug

中断ProcessBuilder 发现有两处

• autobuild.sh
• pre-finalize.sh

2.2 autobuild.sh

Debug 断点中发现，部分重要env 如下：

"CODEQL_EXTRACTOR_PYTHON_SOURCE_ARCHIVE_DIR" -> "/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/src"
"CODEQL_JAVA_HOME" -> "/Users/m0d9/study/codeql-home/v2.17.2/codeql/tools/osx64/java-aarch64"
"CODEQL_EXTRACTOR_PYTHON_SCRATCH_DIR" -> "/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/working"
"CODEQL_EXTRACTOR_PYTHON_TRAP_DIR" -> "/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/trap/python"
"CODEQL_EXTRACTOR_PYTHON_DIAGNOSTIC_DIR" -> "/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/diagnostic/extractors/python"
"CODEQL_EXTRACTOR_PYTHON_WIP_DATABASE" -> "/Users/m0d9/study/java/codeqlDebug/langflow2.cdb"
"CODEQL_EXTRACTOR_PYTHON_LOG_DIR" -> "/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/log"
"CODEQL_SCRATCH_DIR" -> "/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/working"
"CODEQL_DIST" -> "/Users/m0d9/study/codeql-home/v2.17.2/codeql"
"CODEQL_EXTRACTOR_PYTHON_ROOT" -> "/Users/m0d9/study/codeql-home/v2.17.2/codeql/python"

其中autobuild 具体代码如下：

#!/bin/sh

set -eu

# Legacy environment variables for the autobuild infrastructure.
LGTM_SRC="$(pwd)"
LGTM_WORKSPACE="$CODEQL_EXTRACTOR_PYTHON_SCRATCH_DIR"
export LGTM_SRC
export LGTM_WORKSPACE

if which python3 >/dev/null; then
    exec python3 "$CODEQL_EXTRACTOR_PYTHON_ROOT/tools/index.py"
elif which python >/dev/null; then
    exec python "$CODEQL_EXTRACTOR_PYTHON_ROOT/tools/index.py"
else
    echo "ERROR: Could not find a valid Python distribution. It should be available when running 'which python' or 'which python3' in your shell. Python 2 is no longer supported."
    exit 1
fi

实际作用就是调用index.py

2.3 index.py

为了调试index.py，需要新建Python 项目，把codeql python extractor 目录拷贝至此，配置Debug

CODEQL_EXTRACTOR_PYTHON_SOURCE_ARCHIVE_DIR=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/src
CODEQL_JAVA_HOME=/Users/m0d9/study/codeql-home/v2.17.2/codeql/tools/osx64/java-aarch64
CODEQL_EXTRACTOR_PYTHON_SCRATCH_DIR=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/working
CODEQL_EXTRACTOR_PYTHON_TRAP_DIR=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/trap/python
CODEQL_EXTRACTOR_PYTHON_DIAGNOSTIC_DIR=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/diagnostic/extractors/python
CODEQL_EXTRACTOR_PYTHON_WIP_DATABASE=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb
CODEQL_EXTRACTOR_PYTHON_LOG_DIR=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/log
CODEQL_SCRATCH_DIR=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/working
CODEQL_DIST=/Users/m0d9/study/codeql-home/v2.17.2/codeql
CODEQL_EXTRACTOR_PYTHON_ROOT=/Users/m0d9/study/codeql-home/v2.17.2/codeql/python
CODEQL_EXTRACTOR_PYTHON_SCRATCH_DIR=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/working
LGTM_SRC=/Users/m0d9/study/codeql-home/v2.17.2/codeql/python/tools
LGTM_WORKSPACE=/Users/m0d9/study/java/codeqlDebug/langflow2.cdb/working

index.py 代码如下

import os
import sys

if sys.version_info < (3, 7):
    sys.exit("ERROR: Python 3.7 or later is required (currently running {}.{})".format(sys.version_info[0], sys.version_info[1]))

from python_tracer import getzipfilename

if 'SEMMLE_DIST' in os.environ:
    if 'CODEQL_EXTRACTOR_PYTHON_ROOT' not in os.environ:
        os.environ['CODEQL_EXTRACTOR_PYTHON_ROOT'] = os.environ['SEMMLE_DIST']
else:
    os.environ["SEMMLE_DIST"] = os.environ["CODEQL_EXTRACTOR_PYTHON_ROOT"]

tools = os.path.join(os.environ['SEMMLE_DIST'], "tools")
zippath = os.path.join(tools, getzipfilename())
sys.path = [ zippath ] + sys.path

import buildtools.index
buildtools.index.main()

index.py 中的逻辑逻辑比较简单，就是配置一些env 变量，然后调用buildtools

2.4 buildtools

buildtools.index.main 实现如下，逻辑如下

def main():
    version = discover.get_version()
    tracer = os.path.join(os.environ["SEMMLE_DIST"], "tools", "python_tracer.py")
    args = extractor_executable() + site_flag(3) + [tracer] + extractor_options(version)
    print("Calling " + " ".join(args))
    sys.stdout.flush()
    sys.stderr.flush()
    env = os.environ.copy()
    env["CODEQL_EXTRACTOR_PYTHON_ANALYSIS_VERSION"] = get_analysis_version(version)
    subprocess.check_call(args, env=env)

2.5 python_tracer.py

Debug 发现

2.6 extractor

python_tracer.py

def main(sys_path = sys.path[:]):
	...
    run(options, args, the_traverser, logger)
    ...

def run(options, args, the_traverser, logger: logging.Logger):
	...
    try:
        pool = worker.ExtractorPool.from_options(options, trap_dir, archive, logger)
	...

worker.py

class ExtractorPool(object):
	...
    def __init__(self, outdir, archive, proc_count, options, logger: Logger):
    	...
        self.procs = [
            ctx.Process(target=_extract_loop, args=(n+1,) + args + (n == 0,)) for n in range(proc_count)
        ]
        
    def from_options(options, trap_dir, archive, logger: Logger):
    	...
        return ExtractorPool(trap_dir, archive, procs, options, logger)

def _extract_loop(proc_id, queue, trap_dir, archive, options, reply_queue, logger: Logger, write_global_data):
	...
            extractor = SuperExtractor(options, trap_dir, archive, renamer, logger, diagnostics_writer)
                    imports = extractor.process(unit)

super_extractor.py

class SuperExtractor(object):
    def process(self, unit):
        for extractor in self.extractors:
            self.logger.debug("Trying %s on %s",extractor.name, unit)
            res = extractor.process(unit)
            if res is not NotImplemented:
                self.logger.debug("%s extracted by the %s.", unit, extractor.name)
                break

2.7 extractors

Each extractor process runs a loop which extracts files or modules from the queue, one at a time. Each file or module description is passed, in turn, to one of the extractor objects which will either extract it or reject it for the next extractor object to try. Currently the default extractors are:

• Builtin module extractor: Extracts built-in modules like sys.
• Thrift extractor: Extracts Thrift IDL files.
• Python extractor: Extracts Python source code files.
• Package extractor: Extracts minimal information for package folders.
• General file extractor: Any files rejected by the above passes are added to the database as a text blob.

Python extraction

The Python extractor is the most interesting of the processes mentioned above. The Python extractor takes a path to a Python file. It emits TRAP to the specified folder and a UTF-8 encoded version of the source to the source archive. It consists of the following passes:

1. Ingestion and decoding: Read the contents of the file as bytes, determine its encoding, and decode it to text.
2. Tokenizing: Tokenize the source text, including whitespace and comment tokens.
3. Parsing: Create a concrete parse tree from the list of tokens.
4. Rewriting: Rewrite the concrete parse tree to an AST, annotated with scope, variable information, and locations.
5. Write out lexical and AST information as TRAP.
6. Generate and emit TRAP for control-flow graphs. This is done one scope at a time to minimize memory consumption.
7. Emit ancillary information, like TRAP for comments.

Template file extraction

Most Python template languages work by either translating the template into Python or by fairly closely mimicking the behavior of Python. This means that we can extract template files by converting them to the same AST used internally by the Python extractor and then passing that AST to the backend of the Python extractor to determine imports, and generate TRAP files including control-flow information.

主要是 py_extractor

2.8 tokenizer

module.py

class PythonSourceModule(object):
	def tokens(self):
        if self._tokens is None:
            with timers["tokenize"]:
                tokenizer = semmle.python.parser.tokenizer.Tokenizer(self._source)
                self._tokens = list(tokenizer.tokens())
        return self._tokens

2.9 CST

虽然实现改功能的几个文件名为ast，但是实际上是CST

• ast (标准库)
  生成抽象语法树 (Abstract Syntax Tree, AST)，关注代码的逻辑结构，忽略非逻辑元素（如空格、注释、括号位置）。
  用途：代码分析、优化、转换（如 Linter、静态检查）、生成字节码。
• blib2to3 (Black 的分支)
  生成具体语法树 (Concrete Syntax Tree, CST) 或解析树，保留所有原始细节（空格、注释、格式）。
  用途：代码格式化（如 Black）、保留格式的源码转换（如 2to3 迁移工具）。

__init__.py

def parse(tokens, logger):
    """Given a string with source, return the lib2to3 Node."""
    for name, grammar in GRAMMARS:
        try:
            with timers["parse"]:
                cpt = parse_tokens(grammar, tokens)
            with timers["rewrite"]:
                return ast.convert(logger, cpt)

def parse_tokens(gr, tokens):
    """Parse a series of tokens and return the syntax tree."""
    p = Parser(gr, convert)
    p.setup()
    for tkn in tokens:
        type, value, start, end = tkn
        if type in (tokenize.COMMENT, tokenize.NL):
            continue
        if type == token.OP:
            type = grammar.opmap[value]
        if type == token.INDENT:
            value = ""
        if p.addtoken(type, value, (start, end)):
            break
    else:
        # We never broke out -- EOF is too soon (how can this happen???)
        raise parse.ParseError("incomplete input",
                               type, value, ("", start))
    return p.rootnode

整体上都用的blib2to3 这个库，为什么没用默认的AST 呢？

dump_ast

为了更好理解此处的ast 结构，codeql 也提供了dump_ast.py 脚本

python -m semmle.python.parser.dump_ast /Users/m0d9/study/python/codeql-python-extractor/data/python/stubs/six/moves/urllib_robotparser.py --old

Module
  body: [
    Import
      names: [
        alias
          value:
            ImportMember
              module:
                ImportExpr
                  level: 0
                  name: 'six'
                  top: False
              name: 'PY2'
          asname:
            Name
              variable: Variable('PY2', None)
              ctx: Store
        alias
          value:
            ImportMember
              module:
                ImportExpr
                  level: 0
                  name: 'six'
                  top: False
              name: 'PY3'
          asname:
            Name
              variable: Variable('PY3', None)
              ctx: Store
      ]
    If
      test:
        Name
          variable: Variable('PY2', None)
          ctx: Load
      body: [
        Import
          names: [
            alias
              value:
                ImportExpr
                  level: 0
                  name: 'robotparser'
                  top: False
              asname:
                Name
                  variable: Variable('_1', None)
                  ctx: Store
          ]
        Assign
          targets: [
            Name
              variable: Variable('RobotFileParser', None)
              ctx: Store
          ]
          value:
            Attribute
              value:
                Name
                  variable: Variable('_1', None)
                  ctx: Load
              attr: 'RobotFileParser'
              ctx: Load
        Delete
          targets: [
            Name
              variable: Variable('_1', None)
              ctx: Del
          ]
      ]
      orelse: None
    If
      test:
        Name
          variable: Variable('PY3', None)
          ctx: Load
      body: [
        Import
          names: [
            alias
              value:
                ImportExpr
                  level: 0
                  name: 'urllib.robotparser'
                  top: False
              asname:
                Name
                  variable: Variable('_1', None)
                  ctx: Store
          ]
        Assign
          targets: [
            Name
              variable: Variable('RobotFileParser', None)
              ctx: Store
          ]
          value:
            Attribute
              value:
                Name
                  variable: Variable('_1', None)
                  ctx: Load
              attr: 'RobotFileParser'
              ctx: Load
        Delete
          targets: [
            Name
              variable: Variable('_1', None)
              ctx: Del
          ]
      ]
      orelse: None
  ]

2.10 Converter

ast.py

def convert(logger, cpt):
    '''Covert concrete parse tree as specified by blib2to3/Grammar.txt
    to the AST specified by semmle/python/master.py
    '''
    return Convertor(logger).visit(cpt)

逻辑是将blib2to3 的AST 转成CodeQL 定义的AST 结构

class ParseTreeVisitor(object):
    '''Standard tree-walking visitor,
    using `node.name` rather than `type(node).__name__`
    '''

    def visit(self, node, extra_arg=None):
        method = 'visit_' + node.name
        if extra_arg is None:
            return getattr(self, method)(node)
        else:
            return getattr(self, method)(node, extra_arg)

具体实现是在visit_xxx 中

2.11 生成Trap

def _extract_trap_file(self, ast, comments, path):
    writer = TrapWriter()
    file_tag = get_source_file_tag(self.src_archive.get_virtual_path(path))
    writer.write_tuple(u'py_Modules', 'g', ast.trap_name)
    writer.write_tuple(u'py_module_path', 'gg', ast.trap_name, file_tag)
    try:
        for ex in self.passes:
            with timers[ex.name]:
                if isinstance(ex, FlowPass):
                    ex.set_filename(path)
                ex.extract(ast, writer)
        with timers['lexical']:
            self.lexical.extract(ast, comments, writer)
        with timers['object']:
            self.object_pass.extract(ast, path, writer)
    except Exception as ex:
        self.logger.error("Exception extracting module %s: %s", path, ex)
        self.logger.traceback(WARN)
        return None
    return writer.get_compressed()

• 先写文件信息
• 之后交由Passes.extract 处理

2.12 Passes

Passes 可以简单理解为遍历器

• ASTPass: 遍历所有的AST 结构，保存为Trap
• ExportsPass: __al__ 中的exprorts
• FlowPass: 遍历CFG，保存为Trap，对应API::DataFlow 等之类的

2.12.1 ASTPass

class ASTPass(Pass):

	def extract(self, root, writer):
        try:
            self.writer = writer
            if root is None:
                return
            self._emit_variable(ast.Variable("__name__", root))
            self._emit_variable(ast.Variable("__package__", root))
            # Introduce special variable "$" for use by the points-to library.
            self._emit_variable(ast.Variable("$", root))
            writer.write_tuple(u'py_extracted_version', 'gs', root.trap_name, get_analysis_major_version())
            self._walk(root, None, 0, root, None)
        finally:
            self.writer = None

    def _walk(self, node, parent, index, scope, description):
        self._get_walker(node)(node, parent, index, scope, description)
        
    def _get_walker(self, node):
        if isinstance(node, list):
            return self._walk_list
        elif isinstance(node, ast.AstBase):
            return self._walk_node
        else:
            return self._emit_primitive

• list
• 基础节点，例如class、Function、Module、alias、arguments等
• 原始类型，例如Variable

2.12.2 ExportsPass

def exports_from_ast(node):
    'Get a list of symbols exported by the module from its ast.'
    #Look for assignments to __all__
    #If not available at top-level, then check if-statements,
    #but ignore try-except and loops
    assert type(node) is ast.Module
    exports = __all___from_stmt_list(node.body)
    if exports is not None:
        return exports
    # No explicit __all__ assignment so gather global assignments
    exports = set()
    globals_from_tree(node.body, exports)
    return [ ex for ex in exports if not is_private_symbol(ex) ]

class ExportsPass(Pass):
	...
    def extract(self, ast, writer):
        exported = exports_from_ast(ast)
        write_exports(ast, exported, writer)

2.12.3 FlowPass

• FlowNode: CFG 中的节点
• FlowGraph: CFG 图
• FlowScope: 整个CFG 图

FlowNode

class FlowNode(object):
    __slots__ = [ 'node' ]

    def __init__(self, node):
        self.node = node

    def __repr__(self):
        if hasattr(self.node, "lineno"):
            return 'FlowNode(%s at %d)' % (type(self.node), self.node.lineno)
        else:
            return 'FlowNode(%r)' % self.node

    def copy(self):
        return FlowNode(self.node)

FlowGraph

FlowGraph 有几个重点的field

• pred: dict类型，当存在边x-y,那么则pred[y].add(x)
• succ: 与pred 方向相反

为了弄清其含义，看看图最重要的两个接口，如下

   def add_node(self, n):
       'Add a node to the graph'
       if n not in self.succ:
           self.pred[n] = SmallSet()
           self.succ[n] = SmallSet()
           self.all_nodes.append(n)

def add_edge(self, x, y):
       '''Add an edge (x -> y) to the graph. Return true if x, y was
       previously in graph'''
       if x in self.succ:
           if y in self.succ[x]:
               return True
       else:
           self.add_node(x)
       self.add_node(y)
       self.pred[y].add(x)
       self.succ[x].add(y)
       return False

use 猜测是SSA 的产物

def add_use(self, node, var):
    assert node in self.succ, node
    self.uses[node] = var

def _walk_name(self, node, predecessors, ctx_type = None):
    # Too many exception edges make analysis slower and adds almost no accuracy
    # Assume that Name may only raise an exception if global in scope and
    # not a store
    res = self.add_successor(predecessors, node)
    if ctx_type is None:
        ctx_type = type(node.ctx)
        assert ctx_type not in (ast.AugAssign, ast.AugLoad)
    #Only generate SSA variables for variables local to scope
    if node.variable.scope == self.scope.ast_scope:
        if ctx_type in (ast.Store, ast.Param, ast.AugStore):
            for flow_node, kind in res:
                self.scope.graph.add_definition(flow_node, node.variable)
        elif ctx_type is ast.Del:
            for flow_node, kind in res:
                self.scope.graph.add_deletion(flow_node, node.variable)
        elif ctx_type in (ast.Load, ast.AugLoad):
            for flow_node, kind in res:
                self.scope.graph.add_use(flow_node, node.variable)

可以看到，FlowGraph 的接口add_use，参数顾名思义是node 是ASTNode，Var 是Variable

class Variable(object):
    'A variable'

    def __init__(self, var_id, scope = None):
        assert isinstance(var_id, str), type(var_id)
        self.id = var_id
        self.scope = scope

    def __repr__(self):
        return 'Variable(%r, %r)' % (self.id, self.scope)

    def __eq__(self, other):
        if type(other) is not Variable:
            return False
        if self.scope is None or other.scope is None:
            raise TypeError("Scope not set")
        return self.scope == other.scope and self.id == other.id

FlowScope

class FlowScope(object):

    def __init__(self, depth, ast_scope):
        self.entry = FlowNode(ast_scope)
        self.graph = graph.FlowGraph(self.entry)
        self.exceptional_exit = FlowNode(ast_scope)
        self.graph.add_node(self.exceptional_exit)
        self.graph.annotate_node(self.exceptional_exit, EXCEPTION_EXIT)
        self.depth = depth
        self.exception_stack = BlockStack()
        self.exception_stack.push_block()
        self.breaking_stack = BlockStack()
        self.continuing_stack = BlockStack()
        self.return_stack = BlockStack()
        self.return_stack.push_block()
        self.ast_scope = ast_scope

def _walk_scope(self, scope_node):
    '''Returns: whether this scope raises an exception (or not)'''
    prev_flow_scope = self.scope
    if prev_flow_scope is None:
        self.scope = FlowScope(0, scope_node)
    else:
        self.scope = prev_flow_scope.inner(scope_node)
    predecessors = SingletonNodeSet(self.scope.entry, NORMAL)
    for _, _, child_node in iter_fields(scope_node):
        predecessors = self._walk(child_node, predecessors)

predecessors 这中间有个递归调用

• iter_fields 可以理解为遍历ast Node
• _walk 可以理解为根据当前节点类型，遍历

self._walkers = {
            list : self._walk_list,
            bool : self.skip,
            int : self.skip,
            float : self.skip,
            bytes : self.skip,
            str : self.skip,
            complex : self.skip,
            type(None) : self.skip,

walkers 针对不同的ast 类型，有不同的处理方式，想上面列的，str 之类的，无需放到CFG 中，CFG 主要关注的是方法调用、行参实参的传播，我们重点看这一块的处理。

LexicalPass

class LexicalPass(Pass):

    def extract(self, ast, comments, writer):
        'The entry point'
        LexicalModule(ast, comments, writer).extract()


class LexicalModule(object):
    'Object for extracting lexical information for the given module.'

用于从给定模块中提取词汇信息的对象

ObjectPass

class ObjectPass(Pass):
    '''Generates relations for objects. This includes information about
    builtin objects, including their types and members.
    It also generates objects for all literal values present in the Python source.'''

    def extract(self, ast, path, writer):
        self.writer = writer
        try:
            self._extract_py(ast)
            self._extract_possible_module_names(path)
        finally:
            self.writer = None

生成类信息

2.13 疑问

• 跨文件分析是如何实现的？CST 都是单文件的分析

3. Trap2DB

3.1 pre-finalize

1. trap 文件读取

FileSubtask

public InputStream makeNewStream() throws IOException {
    return CompressedFileInputStream.fromFile(this.trapFile);
}

2. ImportTasksProcessor

TrapInputStream trapInputStream = new TrapInputStream(subtask.getOriginalInputStream(), subtask);

try {
    TRAPReader trapReader = new TRAPReader(trapInputStream, subtaskName, this.getThreadWriter(), this.ids, this.trapReaderConfig, this.cancelToken);
    trapReader.importTuples((LinkTarget[])subtask.getAdditionalInformation());
    bytesRead += trapReader.getBytesRead();

3. TRAPReader

   protected void scanTuplesAndLabels(TrapScanner scanner, ScanMode scanMode) throws IOException {
       int tryResolveTuplesThreshold = 1000;
       ArrayList<Object> fields = new ArrayList();
       String previousLabel = null;
   
       while(true) {
           this.cancelToken.checkCancelled();
           TokenKind token = scanner.nextToken();
           String labelToModify = previousLabel;
           previousLabel = null;
           switch (token) {
               case LABEL:
                   if (!scanMode.computeLabels) {
                       skipLabel(scanner);
                   } else {
                       String label = scanner.getLabelValue();
                       expectToken(scanner.nextToken(), TRAPReader.TokenKind.EQ, "=");
                       this.scanLabelValue(scanner, label);
                       previousLabel = label;
                   }

每个Trap 内容都是单独的，需要整合所有的trap 文件

3.2 Trap 格式

3.2.1 基础结构

Tuple 结构

public class Tuple {
    private String tableName;
    private Object[] fields;

顾名思义，python tuple的意思，不过不经相同，以trap 文件内的containerparent(#10007, #10006) 为例

tuple 表名会最终对应codeql db 中的一个.rel 表

PreThreadWriter

RelationEntry

private class RelationEntry {
    private final String name;
    private final RelationType type;
    private final List<Path> fragmentPaths = new ArrayList();
    private ConcreteRelationWriter relation;
    private ClosableSink sink;
    private int writtenTuples = 0;

addTuple 接口

private void addTuple(long[] tuple) {
    this.sink.addTuple(tuple);
    this.increaseTupleCount();
}

BTreeRelationWriter

BTree Relation 指的是数据库中的关系型数据存储，它使用了B 树结构作为索引，从而实现对数据的快速查询和访问。

3.2.2 流程

Trap 文件解析

• LABEL
• IDENTIFIER

TRAPReader

protected void scanTuplesAndLabels(TrapScanner scanner, ScanMode scanMode) throws IOException {
    while(true) {
        this.cancelToken.checkCancelled();
        TokenKind token = scanner.nextToken();
        String labelToModify = previousLabel;
        previousLabel = null;
        switch (token) {
            case LABEL:
            case IDENTIFIER:
            case PUSH:
            case POP:
            case IF_FRESH:
            case END_IF_FRESH:
            case IMPLEMENTATION:
            case EOF:

LABEL

#10000 = @"('/Users/m0d9/Downloads/langflow-main/scripts/ci/update_starter_projects.py', 'utf-8;sourcefile')"

LABEL = #10000
Value = @”(‘/Users/m0d9/Downloads/langflow-main/scripts/ci/update_starter_projects.py’, ‘utf-8;sourcefile’)”
LABELValue 会根据Value 生成ID

例如：

IDENTIFIER

files(#10000, "/Users/m0d9/Downloads/langflow-main/scripts/ci/update_starter_projects.py")

Identifier 需要指定Label
tableName = file

最终结果会被保存在TaggedTuple 结构中

Merge

先写cache/working/xxx.relcheck

再通过Merge().merge 合并

那么cache/working/xxx.relcheck 是何时生成的呢？

答案是在RelationEntry 每一次addTuple 中就会触发，实际上会直接往这个relcheck 文件里面写

Saver

Saver addTag/addTuple/flush 都会进行文件写入

addTag

private int addTag(byte tag) {
    ByteBuffer newBuffer = ByteBuffer.allocate(1);
    newBuffer.put(tag);
    newBuffer.flip();
    this.checksum.update(tag);

    try {
        return this.channel.write(newBuffer);
    } catch (IOException var4) {
        IOException e = var4;
        throw this.makeResourceError(e);
    }
}

public void addTuple(long... longTuple) {
    this.updateIntTuple(longTuple);
    if (this.ibuf.remaining() < this.intTuple.length) {
        this.flush();
    }

    this.ibuf.put(this.intTuple);
    this.noTuples = false;
}

至于文件格式，为codeql 独有的

3. blib2to3 VS AST

5. 其他

可能有安全风险

6. 参考

1. https://github.com/github/codeql/blob/main/python/extractor/README.md