A great overview from the original thesis is below:

  1. Source code to AST
  2. AST to CFG
  3. CFG entered into a Framework Adaptor
  4. Running a fixpoint algorithm on the result of 3
  5. Spit out all the vulnerabilities.

I’ll go through each of these steps in depth and walk through where in the code they happen.

Source code to AST

This is by far the easiest step, as it is done for us by the ast module, the only place where we perform parsing is the generate_ast function in the file, where we just write ast.parse( on a file. The result is a tree of objects whose classes all inherit from ast.AST.


This is mostly performed by a class that inherits from ast.NodeVisitor, named Visitor in