brazdil / dexter


Compiler constraint issue #17

Closed brazdil closed 11 years ago

brazdil commented 11 years ago

Rubin, could you tell me what's wrong with this code?

0: new-instance a15, Ljava/lang/Throwable;
1: invoke-direct Ljava/lang/Throwable;-><init>()V {a15}()
2: invoke-virtual Ljava/lang/Throwable;->getStackTrace()[Ljava/lang/StackTraceElement; {a15}()
3: move-result-obj a16
4: const a17, #1
5: array-length a18, {a16}
6: if-le a18, a17, L4
7: aget-object a19, {a16}[a17]
8: invoke-virtual Ljava/lang/StackTraceElement;->getClassName()Ljava/lang/String; {a19}()
9: move-result-obj a14
10: goto L5
11: L4
12: const a14, #0
13: L5
14: if-eqz a14, L2
15: invoke-static Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class; (a14)
16: move-result-obj a20
17: const-class a21, Luk/ac/cam/db538/dexter/aux/anno/InternalClass$$1;
18: invoke-virtual Ljava/lang/Class;->getAnnotation(Ljava/lang/Class;)Ljava/lang/annotation/Annotation; {a20}(a21)
19: move-result-obj a13
20: if-eqz a13, L2
21: sget-object a22, Luk/ac/cam/db538/dexter/aux/InvokeTaintStore$$1;->ARGS_PRIM:Luk/ac/cam/db538/dexter/aux/InvokeTaintStore$ThreadLocalPrimitiveArguments$$1;
22: invoke-virtual Ljava/lang/ThreadLocal;->get()Ljava/lang/Object; {a22}()
23: move-result-obj a22
24: check-cast a22, [I
25: sget-object a23, Luk/ac/cam/db538/dexter/aux/InvokeTaintStore$$1;->ARGS_REF:Luk/ac/cam/db538/dexter/aux/InvokeTaintStore$ThreadLocalReferenceArguments$$1;
26: invoke-virtual Ljava/lang/ThreadLocal;->get()Ljava/lang/Object; {a23}()
27: move-result-obj a23
28: check-cast a23, [Luk/ac/cam/db538/dexter/aux/struct/Taint$$1;
29: const a24, #0
30: const a25, #0
31: aget-object t2, {a23}[a25]
32: check-cast t2, Luk/ac/cam/db538/dexter/aux/struct/TaintInternal$$1;
33: const a25, #1
34: aget-int-float t3, {a22}[a25]
35: goto L3
36: L2
37: const a28, #0
38: const a29, #0
39: invoke-static Luk/ac/cam/db538/dexter/aux/struct/Assigner$$1;->lookupInternal(Ljava/lang/Object;I)Luk/ac/cam/db538/dexter/aux/struct/TaintInternal$$1; (v2, a28)
40: move-result-obj t2
41: const a29, #1
42: move t3, a28
43: L3
44: 
45: const t0, #0
46: const v0, #3
47: 
48: move a0, v0
49: new-array v0, [v0], [I
50: invoke-static Luk/ac/cam/db538/dexter/aux/struct/Assigner$$1;->newArrayPrimitive(Ljava/lang/Object;II)Luk/ac/cam/db538/dexter/aux/struct/TaintArrayPrimitive$$1; (v0, a0, t0)
51: move-result-obj t0
52: 
53: const t1, #0
54: const v1, #0
55: 
56: TRYSTART0
57: iget-object a1, {t0}Luk/ac/cam/db538/dexter/aux/struct/TaintArrayPrimitive$$1;->t_array:[I
58: aput-int-float t3, {a1}[v1]
59: aput-int-float v3, {v0}[v1]
60: TRYEND0
61: goto L0
62: CATCHALL0
63: move-exception a4
64: const a2, #0
65: invoke-interface Luk/ac/cam/db538/dexter/aux/struct/Taint$$1;->get()I {t0}()
66: move-result a3
67: or-int a2, a2, a3
68: or-int a2, a2, t3
69: or-int a2, a2, t1
70: invoke-static Luk/ac/cam/db538/dexter/aux/struct/Assigner$$1;->lookupExternal(Ljava/lang/Object;I)Luk/ac/cam/db538/dexter/aux/struct/TaintExternal$$1; (a4, a2)
71: move-result-obj a5
72: throw a4
73: L0
74: 
75: fill-array-data v0, <data>
76: 
77: TRYSTART1
78: aget-int-float v0, {v0}[v1]
79: iget-object t0, {t0}Luk/ac/cam/db538/dexter/aux/struct/TaintArrayPrimitive$$1;->t_array:[I
80: aget-int-float t0, {t0}[v1]
81: TRYEND1
82: goto L1
83: CATCHALL1
84: move-exception a9
85: const a7, #0
86: invoke-interface Luk/ac/cam/db538/dexter/aux/struct/Taint$$1;->get()I {t0}()
87: move-result a8
88: or-int a7, a7, a8
89: or-int a7, a7, t1
90: invoke-static Luk/ac/cam/db538/dexter/aux/struct/Assigner$$1;->lookupExternal(Ljava/lang/Object;I)Luk/ac/cam/db538/dexter/aux/struct/TaintExternal$$1; (a9, a7)
91: move-result-obj a10
92: throw a9
93: L1
94: 
95: invoke-static Ljava/lang/Integer;->valueOf(I)Ljava/lang/Integer; (t0)
96: move-result-obj a11
97: sget-object a12, Luk/ac/cam/db538/dexter/aux/InvokeTaintStore$$1;->RES_PRIM:Luk/ac/cam/db538/dexter/aux/InvokeTaintStore$ThreadLocalPrimitiveResult$$1;
98: invoke-virtual Ljava/lang/ThreadLocal;->set(Ljava/lang/Object;)V {a12}(a11)
99: return v0

It fails with:

Caused by: java.lang.AssertionError
    at com.rx201.dx.translator.TypeSolver.addConstraint(TypeSolver.java:91)
    at com.rx201.dx.translator.TypeSolver.propagate(TypeSolver.java:110)
    at com.rx201.dx.translator.TypeSolver.addConstraint(TypeSolver.java:97)
    at com.rx201.dx.translator.AnalyzedDexInstruction.initDefinitionConstraints(AnalyzedDexInstruction.java:184)
    at com.rx201.dx.translator.DexCodeAnalyzer.typeConstraintAnalysis(DexCodeAnalyzer.java:191)
    at com.rx201.dx.translator.DexCodeAnalyzer.analyze(DexCodeAnalyzer.java:92)
    ... 5 more

which is the "is not polymorphic" assertion:

        if (freeze) {
            assert !constraint.isPolymorphic();
            info.freezed = true;
            newType = constraint;
        }
brazdil commented 11 years ago

(The actual method body starts on line 53; everything before it is the initialization of taints.)
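
As an added illustration, not code from dexter or from this thread: a toy candidate-set type solver in Python that models the v0/v1 slice of the method above (the const, new-array and aget-int-float instructions from line 46 on) and reproduces the shape of the "is not polymorphic" failure. Every name here (TypeSolver, analyze, the `v0#newarr`-style definition labels, PolymorphicTypeError) belongs to this example, not to dexter's com.rx201.dx.translator.TypeSolver. The "broken" case, in which the aget's array operand is not connected to the new-array definition, is an assumption about one way a polymorphic constraint can survive to freeze time; it is not a claim about what the actual bug was.

```python
"""Toy register-type solver with polymorphic (int-or-float) constraints.

Hypothetical model, not dexter's TypeSolver.  Each SSA-style register
definition carries a set of candidate Dalvik types.  Instructions such as
`const` and `aget-int-float` are polymorphic between int and float and are
narrowed by the operands that flow into them.  Freezing requires exactly one
candidate per definition, which is the assertion quoted in the issue.
"""

INT, FLOAT = "I", "F"                  # Dalvik primitive descriptors
ARRAY_ELEMENT = {"[I": INT, "[F": FLOAT}


class PolymorphicTypeError(AssertionError):
    """Raised when a definition still has several candidates at freeze time."""


class TypeSolver:
    def __init__(self):
        self.cands = {}          # definition name -> set of candidate types
        self.constraints = []    # ("element", dst, array_def) | ("use", reg, type)

    def define(self, name, types):
        self.cands[name] = set(types)

    def element_of(self, dst, array_def):
        # aget-int-float: dst gets the element type of whatever array_def holds
        self.constraints.append(("element", dst, array_def))

    def use_as(self, name, typ):
        # operand position with a fixed type (array size, array index)
        self.constraints.append(("use", name, typ))

    def propagate(self):
        """Narrow candidate sets to a fixpoint."""
        changed = True
        while changed:
            changed = False
            for kind, a, b in self.constraints:
                if kind == "use":
                    new = self.cands[a] & {b}
                else:
                    if b not in self.cands:
                        continue   # no reaching definition: nothing to narrow with
                    elems = {ARRAY_ELEMENT[t] for t in self.cands[b] if t in ARRAY_ELEMENT}
                    new = self.cands[a] & elems
                if new != self.cands[a]:
                    self.cands[a] = new
                    changed = True

    def unresolved(self):
        """Definitions that do not have exactly one candidate after propagation."""
        self.propagate()
        return sorted(n for n, t in self.cands.items() if len(t) != 1)

    def freeze(self):
        bad = self.unresolved()
        if bad:   # the "!constraint.isPolymorphic()" check from the issue
            raise PolymorphicTypeError(f"still polymorphic at freeze: {bad}")
        return {n: next(iter(t)) for n, t in self.cands.items()}


def analyze(array_def_reaches_aget=True):
    """Constraints for the v0/v1 slice of the posted method (lines 46 to 80).

    array_def_reaches_aget=False models the assumed failure: the analyzer does
    not connect the aget's array operand to the new-array definition, so the
    int/float choice for the aget result is never decided.
    """
    s = TypeSolver()
    s.define("v0#const3", {INT, FLOAT})   # const v0, #3          (int or float)
    s.use_as("v0#const3", INT)            # new-array size operand must be int
    s.define("v0#newarr", {"[I"})         # new-array v0, [v0], [I
    s.define("v1#const0", {INT, FLOAT})   # const v1, #0
    s.use_as("v1#const0", INT)            # aget index operand must be int
    s.define("v0#aget", {INT, FLOAT})     # aget-int-float v0, {v0}[v1]
    s.element_of("v0#aget", "v0#newarr" if array_def_reaches_aget else "v0#missing")
    return s


def try_freeze(solver):
    """Return the frozen types, or the assertion message when freezing fails."""
    try:
        return solver.freeze()
    except PolymorphicTypeError as e:
        return str(e)


if __name__ == "__main__":
    print("intact def chain:", try_freeze(analyze(True)))
    print("broken def chain:", try_freeze(analyze(False)))
```

With the new-array definition reaching the aget, `v0#aget` narrows to int and every definition freezes; with the chain cut, the only constraint that could decide int versus float for the aget result has nothing to work with, and the freeze step reports exactly that definition, which is the situation a FILL_ARRAY_DATA definition bug sitting between new-array and aget-int-float could produce.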

xurubin commented 11 years ago

Do you have a test apk for this case?

brazdil commented 11 years ago

Must have been fixed by the FILL_ARRAY_DATA exception definition fix