soot-oss / SootUp

A new version of Soot with a completely overhauled architecture
https://soot-oss.github.io/SootUp/
GNU Lesser General Public License v2.1

An inconsistency between call graphs #903

Open karlls12321 opened 3 months ago

karlls12321 commented 3 months ago

I used SootUp to construct call graphs for my project, and found a bug in the CHA algorithm.

A.java

package org.sslab;
import java.io.Closeable;
public interface A extends Closeable {
    @Override
    default void close(){
        close();
    }
}

B.java

package org.sslab;
public class B implements A {
    public static void main(String[] args) {
        try (B b = new B()) {
        }
    }
}

In the above code examples, the RTA call graph includes an edge from B.main to A.close, which is reasonable, but the CHA call graph does not have it. I think CHA should provide more sound analysis results.

This edge seems related to the callback process of SootUp, as there are no type hierarchy and new expressions here to guide the above two algorithms.

SootUp version: 1.1.2

Configuration

AnalysisInputLocation<JavaSootClass> javaBaseInputLocation = new JavaClassPathAnalysisInputLocation("Path/to/javaBase", SourceType.Library);
AnalysisInputLocation<JavaSootClass> classInput = new JavaClassPathAnalysisInputLocation("Path/to/classDir", SourceType.Application);
JavaProject project = JavaProject.builder(new JavaLanguage(8))
          .addInputLocation(classInput)
          .addInputLocation(javaBaseInputLocation)
          .build();
JavaView view = project.createView();

String EntrySignature = "<org.sslab.B: void main(java.lang.String[])>";
List<MethodSignature> entryMethods = new ArrayList<>();
// Collect the entry point: the main method whose signature matches EntrySignature.
for (JavaSootClass klass : view.getClasses()) {
    for (JavaSootMethod method : klass.getMethods()) {
        if (method.isMain() && method.getSignature().toString().equals(EntrySignature)) {
            entryMethods.add(method.getSignature());
        }
    }
}

// Build both call graphs from the same view and the same entry methods.
CallGraphAlgorithm cha = new ClassHierarchyAnalysisAlgorithm(view);
CallGraph cg1 = cha.initialize(entryMethods);

CallGraphAlgorithm rta = new RapidTypeAnalysisAlgorithm(view);
CallGraph cg2 = rta.initialize(entryMethods);

JonasKlauke commented 3 months ago

It is really weird that RTA has an edge and CHA does not have an edge, since RTA works like CHA but filters the results, so everything RTA finds should be in CHA. I will investigate why there is no edge in CHA.
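
The subset relation stated in the comment above, as an added example that is not part of the original thread and is not SootUp code: a toy CHA and RTA resolver over a constructed model of the issue's hierarchy (AutoCloseable, Closeable, A, B), followed by a check that every RTA target also appears in the CHA result. The class name `ChaRtaSubsetCheck`, the helper names, and the assumption that the implicit `close()` call of try-with-resources has static receiver type `B` are all hypothetical.

```java
import java.util.*;

// Added illustration: a constructed model of the issue's classes, not SootUp code.
public class ChaRtaSubsetCheck {
    // type -> direct supertypes
    static final Map<String, List<String>> SUPERS = Map.of(
        "java.lang.AutoCloseable", List.of(),
        "java.io.Closeable", List.of("java.lang.AutoCloseable"),
        "org.sslab.A", List.of("java.io.Closeable"),
        "org.sslab.B", List.of("org.sslab.A"));
    static final Set<String> HAS_CLOSE_BODY = Set.of("org.sslab.A"); // default method in A
    static final Set<String> CONCRETE = Set.of("org.sslab.B");

    static boolean isSubtype(String t, String sup) {
        return t.equals(sup) || SUPERS.get(t).stream().anyMatch(s -> isSubtype(s, sup));
    }

    // Walk up from a receiver type to the first type that has a body for close().
    static Optional<String> dispatch(String t) {
        if (HAS_CLOSE_BODY.contains(t)) return Optional.of(t);
        return SUPERS.get(t).stream().map(s -> dispatch(s)).flatMap(Optional::stream).findFirst();
    }

    // Targets of close() on `staticType` when `receivers` are the candidate runtime types.
    static Set<String> resolve(String staticType, Set<String> receivers) {
        Set<String> targets = new TreeSet<>();
        for (String t : receivers)
            if (CONCRETE.contains(t) && isSubtype(t, staticType))
                dispatch(t).ifPresent(d -> targets.add(d + ".close()"));
        return targets;
    }

    // CHA: every concrete subtype of the static type may be the receiver.
    static Set<String> cha(String staticType) { return resolve(staticType, CONCRETE); }

    // RTA: the same resolution, restricted to types instantiated in reachable code.
    static Set<String> rta(String staticType, Set<String> inst) { return resolve(staticType, inst); }

    public static void main(String[] args) {
        // Assumption: the implicit close() of try-with-resources has static receiver type B.
        Set<String> chaT = cha("org.sslab.B");
        Set<String> rtaT = rta("org.sslab.B", Set.of("org.sslab.B")); // `new B()` in main
        Set<String> rtaOnly = new TreeSet<>(rtaT);
        rtaOnly.removeAll(chaT);
        System.out.println("CHA=" + chaT + " RTA=" + rtaT + " RTA-only=" + rtaOnly);
        if (!rtaOnly.isEmpty()) throw new AssertionError("RTA edge missing from CHA: " + rtaOnly);
    }
}
```

The example needs Java 9 or later for `Map.of`, `Set.of` and `Optional::stream`. A non-empty RTA-only set on real call graphs is the inconsistency this issue reports.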

JonasKlauke commented 1 month ago

Added bugfix in PR #936. Could not be reproduced or is already fixed.