Terry1234's blog

We will all eventually reach our own endpoints


CodeQL for V8

A while ago I came across a fairly interesting bug pattern and wanted to look for variants of it, which is how I got into CodeQL.
Here is a short note on how to build a CodeQL database for V8.

First, fetch the V8 source code:
https://v8.dev/docs/source-code
Then install CodeQL.

Next, use V8's gn to generate the build-argument file. CodeQL will later build d8 with ninja from this configuration and extract the information it needs from that build.

gn gen out/CodeQL --export-compile-commands --args='is_component_build = true is_debug = true symbol_level = 2 target_cpu = "x64" v8_enable_sandbox = true v8_enable_backtrace = true v8_enable_fast_mksnapshot = true v8_enable_slow_dchecks = true v8_optimized_debug = false'

After that, the V8 CodeQL database can be created (the ninja build directory must be the same one gn generated above):

codeql database create ~/codeql-dbs/v8-cpp --language=cpp --source-root . --command='ninja -C out/CodeQL d8'

I'll hold off on posting the bug pattern and the CodeQL query I wrote for now: it turns up quite a lot of cases, and I'm still thinking about how best to filter them.
I did consider taking the approach of this article and not constraining the query too much:
Our new perspective views CodeQL not as a definitive bug-finding tool, but as a guide to point us in the right direction.
Their query simply finds every place that does a copy,
but I haven't come up with a better way to do that for this V8 bug pattern.
https://bughunters.google.com/blog/5800341475819520/a-fuzzy-escape-a-tale-of-vulnerability-research-on-hypervisors

The CodeQL query from that article:

// Objective: find all functions that do some copy operation

import cpp

from Function copyFunction, FunctionCall functionCall
where
  // First get all the functions that have copy in the name
  copyFunction.getName().matches("%\\_copy%") and
  not copyFunction.getName().matches("%trace%") and
  // Then get where they are used
  functionCall.getTarget() = copyFunction and
  functionCall.getLocation().toString().matches("%/hw/%")
select copyFunction.getName(), functionCall.getLocation()
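As an added example (not from this blog post or from the Google article), here is the same "point me in the right direction" idea adapted to the V8 database built above: it lists every call to a copy-like function under V8's own src/ tree, with file, line and argument count, so the hits can be triaged by hand. It assumes the database was created with --source-root set to the V8 checkout root, so that relative paths start with src/; the name patterns (%Copy%, %memcpy%, %memmove%) and the src/ and test/ path filters are my assumptions, not anything the post specifies.

```ql
/**
 * @name Copy-like call sites in V8 (triage aid, not a bug finder)
 * @description Lists calls to functions whose names suggest a byte or
 *              element copy, restricted to V8's own sources, so a reviewer
 *              can inspect each site by hand.
 * @kind table
 * @id v8/copy-call-sites
 */

import cpp

/** Holds if the function's name suggests it copies or moves data. */
predicate looksLikeCopy(Function f) {
  exists(string n | n = f.getName() |
    // Assumed name patterns; adjust to the pattern being hunted.
    n.matches("%Copy%") or n.matches("%memcpy%") or n.matches("%memmove%")
  ) and
  // Mirror the "%trace%" exclusion from the quoted query, case-insensitively.
  not f.getName().toLowerCase().matches("%trace%")
}

from Function copyFunction, FunctionCall call, File file
where
  looksLikeCopy(copyFunction) and
  call.getTarget() = copyFunction and
  file = call.getLocation().getFile() and
  // Paths are relative to --source-root (assumed to be the V8 checkout root):
  // keep V8's own sources, drop third_party/, out/ and the test suite.
  file.getRelativePath().matches("src/%") and
  not file.getRelativePath().matches("%/test/%")
select copyFunction.getName() as function,
       file.getRelativePath() as path,
       call.getLocation().getStartLine() as line,
       call.getNumberOfArguments() as args
```

Save it as copy_sites.ql inside a QL pack that depends on codeql/cpp-all and run it with codeql query run --database=~/codeql-dbs/v8-cpp copy_sites.ql; the result is a table to read through, not a list of bugs.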