语句

Statement syntax CodeQL class Superclasses
; EmptyStmt
Expr; ExprStmt
{Stmt…} BlockStmt
if(Expr)StmtelseStmt IfStmt ConditionalStmt
if(Expr)Stmt
while(Expr)Stmt WhileStmt ConditionalStmt, LoopStmt
do Stmt while(Expr) DoStmt ConditionalStmt, LoopStmt
for(Expr;Expr;Expr)Stmt ForStmt ConditionalStmt, LoopStmt
for(VarAccess:Expr)Stmt EnhancedForStmt LoopStmt
switch(Expr){SwitchCase…} SwitchStmt
try{Stmt…}finally{Stmt…} TryStmt
return Expr; ReturnStmt
return;
throw Expr; ThrowStmt
break; BreakStmt JumpStmt
breaklabel;
continue; ContinueStmt JumpStmt
continuelabel;
label:Stmt LabeledStmt
synchronized(Expr)Stmt SynchronizedStmt
assert Expr:Expr; AssertStmt
assert Expr
;
TypeAccess name; LocalVariableDeclStmt
classname{Member…}; LocalClassDeclStmt
this(Expr,…); ThisConstructorInvocationStmt
super(Expr,…); SuperConstructorInvocationStmt
catch(TypeAccess name){Stmt…} CatchClause
caseLiteral :Stmt ConstCase
default:Stmt DefaultCase

return语句

获取return x; 中的x

  1. from ReturnStmt returnStmt, Expr x
  2. where
  3.     x = returnStmt.getResult()
  4. select x

表达式

一元表达式

所有的一元表达式均可以使用getExpr() 谓词来获取操作的表达式,如下为所有的一元表达式,全部继承了UnaryExpr类的getExpr谓词。

Expression syntax CodeQL class Superclasses Remarks
Expr++ PostIncExpr UnaryAssignExpr
Expr PostDecExpr UnaryAssignExpr
++Expr PreIncExpr UnaryAssignExpr
Expr PreDecExpr UnaryAssignExpr
~Expr BitNotExpr BitwiseExpr see below for other subclasses of BitwiseExpr
-Expr MinusExpr
+Expr PlusExpr
Expr LogNotExpr LogicExpr see below for other subclasses of LogicExpr

获取x++中的x

  1. from PostIncExpr postIncExpr,Expr x
  2. where
  3.     x = postIncExpr.getExpr()
  4.  select x

获取++x中的x

  1. from PreIncExpr preIncExpr,Expr x
  2. where
  3.     x = preIncExpr.getExpr()
  4.  select x

二元表达式

二元表达式全部继承自BinaryExpr类,可以使用getLeftOperand()来获取操作符左侧的表达式,使用getRightOperand()来获取操作符右侧的表达式,

Expression syntax CodeQL class Superclasses
Expr*Expr MulExpr
Expr/Expr DivExpr
Expr%Expr RemExpr
Expr+Expr AddExpr
Expr-Expr SubExpr
Expr<<Expr LShiftExpr
Expr>>Expr RShiftExpr
Expr>>>Expr URShiftExpr
Expr&&Expr AndLogicalExpr LogicExpr
Expr||Expr OrLogicalExpr LogicExpr
Expr<Expr LTExpr ComparisonExpr
Expr>Expr GTExpr ComparisonExpr
Expr<=Expr LEExpr ComparisonExpr
Expr>=Expr GEExpr ComparisonExpr
Expr==Expr EQExpr EqualityTest
Expr!=Expr NEExpr EqualityTest
Expr&Expr AndBitwiseExpr BitwiseExpr
Expr|Expr OrBitwiseExpr BitwiseExpr
Expr^Expr XorBitwiseExpr BitwiseExpr

获取x+y中的x和y

  1. from AddExpr addExpr,Expr x, Expr y
  2. where
  3.     x = addExpr.getLeftOperand() and
  4.   y = addExpr.getRightOperand()
  5.  select x,y

赋值表达式

赋值表达式全部继承自Assignment类,可以使用getDest()来获取操作符左边的表达式,使用getRhs()来获取右边的表达式。

Expression syntax CodeQL class Superclasses
Expr=Expr AssignExpr
Expr+=Expr AssignAddExpr AssignOp
Expr-=Expr AssignSubExpr AssignOp
Expr*=Expr AssignMulExpr AssignOp
Expr/=Expr AssignDivExpr AssignOp
Expr%=Expr AssignRemExpr AssignOp
Expr&=Expr AssignAndExpr AssignOp
Expr|=Expr AssignOrExpr AssignOp
Expr^=Expr AssignXorExpr AssignOp
Expr<<=Expr AssignLShiftExpr AssignOp
Expr>>=Expr AssignRShiftExpr AssignOp
Expr>>>=Expr AssignURShiftExpr AssignOp

获取 x = y 中的x和y

  1. from AssignExpr assignExpr, Expr x, Expr y
  2. where
  3.     x = assignExpr.getDest() and
  4.   y = assignExpr.getRhs()
  5. select x,y

变量访问

Expression syntax examples CodeQL class
x VarAccess
e.f

访问 x.y 中的x和y

  1. from VarAccess varAccess, Expr x, Expr y
  2. where
  3.     x = varAccess.getQualifier() and
  4.   y = varAccess.Variable()
  5. select x,y

方法调用

Expression syntax examples CodeQL class
f(…) MethodAccess
e.m(…)

获取e.m(p0..pn)中的e、m和p

  1. from MethodAccess methodAccess, Expr e, Method m, Argument p
  2. where
  3.     e = methodAccess.getQualifier() and
  4.   m = methodAccess.getMethod() and
  5.   p = methodAccess.getAnArgument()
  6. select e,m,p

综合

Map类型

Map类型的数据
点击查看【processon】
示例
方法的返回值的Map类型,获取返回值所有的键

  1. import java
  2. import semmle.code.java.Maps
  4. from Variable mapVar, ReturnStmt returnStmt, MapPutCall mapPutCall, Expr mapVarKey
  5. where
  6.   mapVar.getAnAccess() = returnStmt.getResult() and
  7.   mapVar.getType() instanceof MapType and
  8.   mapVar.getAnAccess() = mapPutCall.getQualifier() and
  9.   mapVarKey = mapPutCall.getKey()
  10. select returnStmt, mapVarKey