Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Impact of Analysis Scope on the Construction of a Call Graph #139

Closed
YunFy26 opened this issue Jan 19, 2025 · 2 comments
Closed

Impact of Analysis Scope on the Construction of a Call Graph #139

YunFy26 opened this issue Jan 19, 2025 · 2 comments

Comments

@YunFy26
Copy link

YunFy26 commented Jan 19, 2025

📝 Overall Description

For the following code

public static void main(String[] args) throws IOException {

        Runtime runtime = Runtime.getRuntime();
        runtime.exec("ls");
}

call-graph as follows

digraph G {
  node [color=".3 .2 1.0",shape=box,style=filled];
  edge [];
  "0" [label="<org.example.Main: void main(java.lang.String[])>",];
  "1" [label="<java.lang.String: void <clinit>()>",];
  "2" [label="<java.lang.Runtime: java.lang.Runtime getRuntime()>",];
  "0" -> "2" [label="[0@L10] $r0 = invokestatic <java.lang.Runtime: java.lang.Runtime getRuntime()>();",];
}

It is missing a call to exec().

For the ir:

[0@L10] $r0 = invokestatic <java.lang.Runtime: java.lang.Runtime getRuntime()>();

The corresponding analysis process in Tai-e is

private void processCallEdge(Edge<CSCallSite, CSMethod> edge) {
        if (callGraph.addEdge(edge)) {
            // process new call edge
            CSMethod csCallee = edge.getCallee();
            addCSMethod(csCallee);
            if (edge.getKind() != CallKind.OTHER
                    && !isIgnored(csCallee.getMethod())) {
                ...
            }
            plugin.onNewCallEdge(edge);
        }
    }

isIgnored(csCallee.getMethod()) is true, so it cannot enter the if (edge.getKind() != CallKind.OTHER && !isIgnored(csCallee.getMethod())) { ... }, resulting in the variable $r0 not being processed, thus missing the exec call.

I found that isIgnored() is affected by only-app, so I changed only-app to false. However, the resulting call graph contains a lot of content that I am not interested in. Additionally, changing the scope in options.yml leads to the same result. Is there a way to output a complete call graph without including a lot of irrelevant method calls?

🎯 Expected Behavior

The call graph should include the exec() call edge, without including a lot of irrelevant method calls.

🐛 Current Behavior

It is missing a call to exec(), and get a lot of irrelevant method calls when I change the only-app.

🔄 Reproducible Example

public class Main {

    public static void main(String[] args) throws IOException {

        Runtime runtime = Runtime.getRuntime();
        runtime.exec("ls");
    }
}

⚙️ Tai-e Arguments

🔍 Click here to see Tai-e Options
optionsFile: null
printHelp: false
classPath: []
appClassPath:
- ../Tai-e_Test/build/classes/java/main
mainClass: org.example.Main
inputClasses: []
javaVersion: 17
prependJVM: true
allowPhantom: true
worldBuilderClass: pascal.taie.frontend.soot.SootWorldBuilder
outputDir: output
preBuildIR: false
worldCacheMode: false
scope: REACHABLE
nativeModel: true
planFile: null
analyses:
cg: ""
cfg: ""
ir-dumper: ;
onlyGenPlan: false
keepResult:
- $KEEP-ALL
🔍 Click here to see Tai-e Analysis Plan
- id: pta
options:
  cs: ci
  only-app: true
  implicit-entries: false
  distinguish-string-constants: reflection
  merge-string-objects: true
  merge-string-builders: true
  merge-exception-objects: true
  handle-invokedynamic: false
  propagate-types:
  - reference
  advanced: null
  dump: false
  dump-ci: false
  dump-yaml: false
  expected-file: null
  reflection-inference: string-constant
  reflection-log: null
  taint-config: null
  taint-config-providers: []
  taint-interactive-mode: false
  plugins: []
  time-limit: -1
- id: cg
options:
  algorithm: pta
  dump: true
  dump-methods: true
  dump-call-edges: false
- id: throw
options:
  exception: explicit
  algorithm: intra
- id: cfg
options:
  exception: explicit
  dump: false
- id: ir-dumper
options: {}

📜 Tai-e Log

🔍 Click here to see Tai-e Log
Writing log to /Users/yuntsy/My/Projects/Java/Tai-e/output/tai-e.log
java.version: 17.0.11
java.version.date: 2024-04-16
java.runtime.version: 17.0.11+7-LTS-207
java.vendor: Oracle Corporation
java.vendor.version: null
os.name: Mac OS X
os.version: 15.2
os.arch: aarch64
Tai-e Version: 0.5.2-SNAPSHOT
Tai-e Commit: 3f3b802611bf6b8187abc1785e6c5d08a4cf5a4a
Writing analysis plan to /Users/yuntsy/My/Projects/Java/Tai-e/output/tai-e-plan.yml
WorldBuilder starts ...
10083 classes with 99475 methods in the world
WorldBuilder finishes, elapsed time: 1.75s
pta starts ...
[Pointer analysis] elapsed time: 0.01s
-------------- Pointer analysis statistics: --------------
#var pointers:                2 (insens) / 2 (sens)
#objects:                     3 (insens) / 3 (sens)
#var points-to:               2 (insens) / 2 (sens)
#static field points-to:      0 (sens)
#instance field points-to:    0 (sens)
#array points-to:             1 (sens)
#reachable methods:           3 (insens) / 3 (sens)
#call graph edges:            1 (insens) / 1 (sens)
----------------------------------------
pta finishes, elapsed time: 0.13s
cg starts ...
Call graph has 3 reachable methods and 1 edges
Dumping call graph to /Users/yuntsy/My/Projects/Java/Tai-e/output/call-graph.dot
Dumping reachable methods to /Users/yuntsy/My/Projects/Java/Tai-e/output/reachable-methods.txt
cg finishes, elapsed time: 0.00s
throw starts ...
3 methods in scope (REACHABLE) of method analyses
throw finishes, elapsed time: 0.00s
cfg starts ...
cfg finishes, elapsed time: 0.00s
ir-dumper starts ...
Dumping IR in /Users/yuntsy/My/Projects/Java/Tai-e/output/tir
3 classes in scope (REACHABLE) of class analyses
ir-dumper finishes, elapsed time: 0.31s
Tai-e finishes, elapsed time: 2.32s

ℹ️ Additional Information

No response

@zhangt2333
Copy link
Member

🎯 Expected Behavior

The call graph should include the exec() call edge, without including a lot of irrelevant method calls.

The analysis produces sound results when using only-app:false.

What you're seeing as "irrelevant method calls" are actually important implicit calls (such as Thread.start) and class initialization methods. These calls are crucial for maintaining the soundness of the analysis.

If you specifically want to view a call graph starting from Main.main, you have two ways:

  1. Perform a BFS traversal on the complete call graph after the analysis finishes
  2. Modify the source code to ignore implicit calls, though this will compromise soundness

private boolean isIgnored(JMethod method) {
return ignoredMethods.contains(method) ||
onlyApp && !method.isApplication();
}

@YunFy26
Copy link
Author

YunFy26 commented Jan 21, 2025

Got it, Thanks!

@YunFy26 YunFy26 closed this as completed Jan 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants