Tai-e 指针分析之反射算法Solar分析

0x01 背景

如谭老师参考【4】中的《Java指针分析综述》一文中对于Java反射的静态分析研究简述：

1. Livshits 借助指针分析解析反射关键API的字符串参数进而分析出反射调用的副作用，简称字符串分析方法。
2. 谭、李老师提出的Elf 方案，思路大致是不依赖调用参数必须是字符串常量，而是根据其他信息，比如反射调用的参数类型、返回值的向下类型转换等。
3. 还是谭、李老师推出的Solar 方案，不是很懂，原文复述下
   • 集体推导技术(collective inference)
   • 懒惰堆建模(lazy heap modeling)， 懒惰堆建模用于分析由反射调用Class.newInstance()或 Constructor.newInstance()创建但具体类型在创建点未知的堆对象。对于这类对象，Solar 将其传播到程序中使用它们的位置，如向下类型转换，或Method.invoke()、Field.get()、Field.set()的反射调用点等，并更充分地利用程序中这些位置的类型信息以分析反射创建对象的具体类型。

0x02 Tai-e Solar

2.1 Invoke Demo Code

先准备待测试程序InvokeDemo

import java.lang.reflect.Method;

public class InvokeDemo {
    private String name;

    InvokeDemo(String name){
        this.name = name;
    }

    public void echoName(){
        System.out.println("echo by echoName: " + this.name);
    }

    public void echo(String content){
        System.out.println("echo by echo: " + content);
    }

    public static void main(String[] args) throws Exception {
        String content = args[0];
        String methodNmae = args[1];
        InvokeDemo tt = new InvokeDemo(content);
        // 1. 测试污点为参数
        Method method = tt.getClass().getMethod("echo", String.class);
        method.invoke(tt, content);

        // 2. 测试污点为method
        Method method2 = tt.getClass().getMethod(methodNmae);
        method2.invoke(tt);

        // 3. 测试类型
        Object tt3 = new InvokeDemo(content);
        Method method3 = tt3.getClass().getMethod("echo", String.class);
        method3.invoke(tt3, content);
    }
}

需要指定pta模式

-cp /Users/m0d9/study/codeql-home/custom/test/query-tests/invoke/ 
-pp 
--main-class InvokeDemo 
-ap 
-a pta=taint-config:src/test/resources/pta/taint/taint-config.yml

2.2 测试

可以看到，识别的两个Invoke调用结果都正确：

1. 第一个invoke识别为echo
2. 第二个是不确定的，可以是InvokeDemo任意不带参数的方法

0x03 PTA前置知识

在前文指针分析中，简单提到过反射分析、污点分析都是由Tai-e PTA的plugin机制实现的。下面来看看具体的实现

3.1 Plugin机制

PointerAnalysis#analyze
	runAnalysis
    	setPlugin
            CompositePlugin#addPlugin
            CompositePlugin#setSolver
            DefaultSolver#setPlugin

在这一过程中会加载插件

3.1.1 插件接口

并且根据plugin实现接口，归类

• onNewPointsToSet
• onNewCallEdge
• onNewMethod
  • ClassInitializer
• onNewStmt
• onNewCSMethod
• onUnresolvedCall

Invoke Plugin API

何时调用的Plugin 接口？答案是在DefaultSolver中

1. initialize 接口中调用plugin.onStart
2. anaylze接口中调用onNewPointsToSet 和onFinish
3. addCSMethod 接口中调用plugin.onNewCSMethod
4. processNewMethod 接口中调用plugin.onNewMethod 和onNewStmt
5. processCall 接口中调用plugin.onUnresolvedCall
6. processCallEdge 接口中调用plugin.onNewCallEdge

3.1.2 Load Plugins

private static void setPlugin(Solver solver, AnalysisOptions options) {
    CompositePlugin plugin = new CompositePlugin();
    // add builtin plugins
    // To record elapsed time precisely, AnalysisTimer should be added at first.
    plugin.addPlugin(
            new AnalysisTimer(),
            new EntryPointHandler(),
            new ClassInitializer(),
            new ThreadHandler(),
            new NativeModeller(),
            new ExceptionAnalysis()
    );
    int javaVersion = World.get().getOptions().getJavaVersion();
    // ReferenceHandler 不支持java9 以上
    if (javaVersion < 9) {
        // current reference handler doesn't support Java 9+
        plugin.addPlugin(new ReferenceHandler());
    }
    // 处理lambda
    if (javaVersion >= 8) {
        plugin.addPlugin(new LambdaAnalysis());
    }
    // 处理java8 string
    if (javaVersion >= 9) {
        plugin.addPlugin(new Java9StringConcatHandler());
    }
    // 处理反射
    if (options.getString("reflection-inference") != null ||
            options.getString("reflection-log") != null) {
        plugin.addPlugin(new ReflectionAnalysis());
    }
    // 处理动态invoke
    if (options.getBoolean("handle-invokedynamic") &&
            InvokeDynamicAnalysis.useMethodHandle()) {
        plugin.addPlugin(new InvokeDynamicAnalysis());
    }
    // 如果有配置taint-config，那么也加载污点插件
    if (options.getString("taint-config") != null) {
        plugin.addPlugin(new TaintAnalysis());
    }
    plugin.addPlugin(new ResultProcessor());
    // add plugins specified in options
    // noinspection unchecked
    // 增加自定义的插件
    addPlugins(plugin, (List<String>) options.get("plugins"));
    // connects plugins and solver
    plugin.setSolver(solver);
    solver.setPlugin(plugin);

3.2 Plugins

在PTA分析中，默认会加载这些插件：

• AnalysisTimer: 用于计算分析时间
• EntryPointHandler：入口函数处理，目前为Main函数和隐式函数，比如Thread#run
• ClassInitializer：类关系及静态变量/代码块的处理
• ThreadHandler：
• NativeModeller
• ExceptionAnalysis
• LambdaAnalysis
• Java9StringConcatHandler
• ReflectionAnalysis
• TaintAnalysis
• ResultProcessor

有些可能跟反射分析关系不大，跟踪下一些不是一眼就能看出干什么的plugin

3.2.1 CompositePlugin

CompositePlugin 可以看成是plugin的集合

// 所有的插件
private final List<Plugin> allPlugins = new ArrayList<>();
   // Use separate lists to store plugins that overwrite
   // frequently-invoked methods.
// 存在NewPointsToSet的插件，新增一个var指向obj
   private final List<Plugin> onNewPointsToSetPlugins = new ArrayList<>();
// 存在NewCallEdge的插件，新增一个calledge pfg边
private final List<Plugin> onNewCallEdgePlugins = new ArrayList<>();
// 存在NewMethod的插件，新增一个处理new method
   private final List<Plugin> onNewMethodPlugins = new ArrayList<>();
// 存在NewStmt的插件，新增一个处理new stmt
   private final List<Plugin> onNewStmtPlugins = new ArrayList<>();
// 存在NewCSMethod的插件，新增一个处理new CSMethod
   private final List<Plugin> onNewCSMethodPlugins = new ArrayList<>();
// 存在UnresolvedCall的插件，新增一个UnresolvedCall
   private final List<Plugin> onUnresolvedCallPlugins = new ArrayList<>();

3.2.2 ClassInitializer

ClassInitializer 顾名思义是用于处理class 相关

onNewMethod

public void onNewMethod(JMethod method) {
	// 当遇到静态方法或者构造方法，通过solver初始化该method对应的class
    if (method.isStatic() || method.isConstructor()) {
        solver.initializeClass(method.getDeclaringClass());
    }
}

onNewStmt

public void onNewStmt(Stmt stmt, JMethod container) {
	// 处理新的stmt语句，如果stmt是常量赋值
    if (stmt instanceof AssignLiteral) {
     // 获取常量类型
        Type type = ((AssignLiteral) stmt).getRValue().getType();
        // 如果是ClassType
        if (type instanceof ClassType) {
        	// 通过solver初始化该class
            solver.initializeClass(((ClassType) type).getJClass());
        }
    } else if (stmt instanceof FieldStmt<?, ?> fieldStmt) {
    	// 如果是静态属性语句，同样的，通过solver初始化该field的class
        if (fieldStmt.isStatic()) {
            JField field = fieldStmt.getFieldRef().resolve();
            solver.initializeClass(field.getDeclaringClass());
        }
    }
}

DefaultSolver#initializeClass

看看initializeClass 具体做了什么

public void initializeClass(JClass cls) {
    if (cls == null || initializedClasses.contains(cls)) {
        return;
    }
    // initialize super class
    // 递归处理其父类
    JClass superclass = cls.getSuperClass();
    if (superclass != null) {
        initializeClass(superclass);
    }
    // TODO: initialize the superinterfaces which
    //  declare default methods
    // 注意这里clinit和 init的区别，这里是处理静态变量
    JMethod clinit = cls.getClinit();
    if (clinit != null) {
        // addCSMethod() may trigger initialization of more
        // classes. So cls must be added before addCSMethod(),
        // otherwise, infinite recursion may occur.
        initializedClasses.add(cls);
        // 处理clinit方法
        // 还有注意这里的csManager.getCSMethod，不存在则新增
        CSMethod csMethod = csManager.getCSMethod(
                contextSelector.getEmptyContext(), clinit);
        addCSMethod(csMethod);
    }
}

Java 类加载的初始化过程中，编译器按语句在源文件中出现的顺序，依次自动收集类中的所有类变量的赋值动作和静态代码块中的语句合并产生<clinit\>() 方法。 如果类中没有静态语句和静态代码块，那可以不生成<clinit>() 方法。

总结下：

1. DefaultSolver#initializedClasses 属性作用：记录所有的class
2. initializeClass 方法的作用：
   • 处理当前类及父类，保存在DefaultSolver#initializedClasses 中，已经在该变量中的不再进行处理
   • 如果该类/父类有clinit方法（有静态变量/代码块），那么处理该clinit，加入分析逻辑（addCSMethod）
   • 同时也讲clinit存入结果集中：csManager.mtdManager

JClass IR

3.2.3 EntryPointHandler

EntryPointHandler 也是个plugin，而且顺序放在第二

其作用是从入口函数开始分析

DefaultSolver#addEntryPoint

private void processNewMethod(JMethod method) {
    if (reachableMethods.add(method)) {
        plugin.onNewMethod(method);
        method.getIR().forEach(stmt -> plugin.onNewStmt(stmt, method));
    }
}

1. reachableMethods 可达method 增加该method
2. 每个plugin执行onNewMethod
3. 针对该method 的每个子stmt，调用所有plugin 的onNewStmt

ClassInitializer#onNewStmt

从此之后进进入类似JavaComipler Visitor的逻辑
DefaultSolver$StmtProcessor$Visitor

EntryPointHandler#onStart

public void onStart() {
    // process program main method
    JMethod mainMethod = World.get().getMainMethod();
    if (mainMethod != null) {
        solver.addEntryPoint(new EntryPoint(mainMethod,
                new MainEntryPointParamProvider(mainMethod, solver)));
    }
    // process implicit entries
    if (solver.getOptions().getBoolean("implicit-entries")) {
        for (JMethod entry : World.get().getImplicitEntries()) {
            solver.addEntryPoint(new EntryPoint(entry, EmptyParamProvider.get()));
        }
    }
}

• 手动置顶的MainClass
• 如果设置implicit-entries项为true，那么隐式入口也会被当作入口

solver#addEntryPoint 以这几个main函数为入口，进行CFG构建

通过method.getIR() 获取所包含的IR，然后进行遍历

addCallEdge:808, DefaultSolver (pascal.taie.analysis.pta.core.solver)
processInvokeStatic:649, DefaultSolver$StmtProcessor$Visitor (pascal.taie.analysis.pta.core.solver)
visit:723, DefaultSolver$StmtProcessor$Visitor (pascal.taie.analysis.pta.core.solver)
visit:570, DefaultSolver$StmtProcessor$Visitor (pascal.taie.analysis.pta.core.solver)
accept:152, Invoke (pascal.taie.ir.stmt)
lambda$process$0:564, DefaultSolver$StmtProcessor (pascal.taie.analysis.pta.core.solver)
accept:-1, DefaultSolver$StmtProcessor$$Lambda$324/0x0000000800f02a20 (pascal.taie.analysis.pta.core.solver)
forEach:75, Iterable (java.lang)
process:564, DefaultSolver$StmtProcessor (pascal.taie.analysis.pta.core.solver)
addStmts:827, DefaultSolver (pascal.taie.analysis.pta.core.solver)
addCSMethod:820, DefaultSolver (pascal.taie.analysis.pta.core.solver)
initializeClass:855, DefaultSolver (pascal.taie.analysis.pta.core.solver)
onNewStmt:62, ClassInitializer (pascal.taie.analysis.pta.plugin)
lambda$onNewStmt$4:124, CompositePlugin (pascal.taie.analysis.pta.plugin)
accept:-1, CompositePlugin$$Lambda$323/0x0000000800f01510 (pascal.taie.analysis.pta.plugin)
forEach:1511, ArrayList (java.util)
onNewStmt:124, CompositePlugin (pascal.taie.analysis.pta.plugin)
lambda$processNewMethod$10:538, DefaultSolver (pascal.taie.analysis.pta.core.solver)
accept:-1, DefaultSolver$$Lambda$322/0x0000000800f012d8 (pascal.taie.analysis.pta.core.solver)
forEach:75, Iterable (java.lang)
processNewMethod:538, DefaultSolver (pascal.taie.analysis.pta.core.solver)
addCSMethod:819, DefaultSolver (pascal.taie.analysis.pta.core.solver)
addEntryPoint:787, DefaultSolver (pascal.taie.analysis.pta.core.solver)
onStart:59, EntryPointHandler (pascal.taie.analysis.pta.plugin)
accept:-1, CompositePlugin$$Lambda$311/0x0000000800efb4a8 (pascal.taie.analysis.pta.plugin)
forEach:1511, ArrayList (java.util)
onStart:99, CompositePlugin (pascal.taie.analysis.pta.plugin)
initialize:265, DefaultSolver (pascal.taie.analysis.pta.core.solver)

3.2.4 LambdaAnalysis

3.2.5 ThreadHandler

待分析

0x4 反射分析

反射分析有两个目录

• reflection
• invokedymanic

4.1 ReflectionAnalysis

ReflectionAnalysis 是用于处理Java反射的插件Plugin，分析具体的逻辑。

4.1.1 field

有几个特殊的field单独讲解下。

• csManager: 上下文管理

Model:

• logBasedModel：用于统计反射分析结果记录日志
• inferenceModel：推断反射调用，可能有以下取值
  • StringBasedModel：通过String判断
  • SolarModel：Solar算法
  • DummyModel：do nothing
• reflectiveActionModel：和inferenceModel类似，老版本？
• annotationModel：处理注解
• othersModel：

4.1.2 setSolver

public void setSolver(Solver solver) {
        this.solver = solver;
        csManager = solver.getCSManager();

        MetaObjHelper helper = new MetaObjHelper(solver);
        TypeMatcher typeMatcher = new TypeMatcher(solver.getTypeSystem());
        String logPath = solver.getOptions().getString("reflection-log");
        if (logPath != null) {
            logBasedModel = new LogBasedModel(solver, helper, logPath);
        }
        Set<Invoke> invokesWithLog = logBasedModel != null
                ? logBasedModel.getInvokesWithLog() : Set.of();
        String reflection = solver.getOptions().getString("reflection-inference");
        // 常量string模型
        if ("string-constant".equals(reflection)) {
            inferenceModel = new StringBasedModel(solver, helper, invokesWithLog);
        // solar模型
        } else if ("solar".equals(reflection)) {
            inferenceModel = new SolarModel(solver, helper, typeMatcher, invokesWithLog);
        } else if (reflection == null) {
            inferenceModel = new DummyModel(solver);
        } else {
            throw new IllegalArgumentException("Illegal reflection option: " + reflection);
        }
        reflectiveActionModel = new ReflectiveActionModel(solver, helper,
                typeMatcher, invokesWithLog);
        annotationModel = new AnnotationModel(solver, helper);
        othersModel = new OthersModel(solver, helper);
    }

4.1.3 on API

大致就是调用对应的Model API，顺序一般是

• inferenceModel: SolarModel
• reflectiveActionModel
• othersModel

onNewStmt

当遇到新的Stmt，调用以上的

public void onNewStmt(Stmt stmt, JMethod container) {
	// 如果是invoke，那么调用以上的各个model进行处理
    if (stmt instanceof Invoke invoke) {
        if (!invoke.isDynamic()) {
            inferenceModel.handleNewInvoke(invoke);
            reflectiveActionModel.handleNewInvoke(invoke);
            othersModel.handleNewInvoke(invoke);
        }
    // 如果不是invoke，继续尝试inferenceModel调用非invoke接口
    } else {
        inferenceModel.handleNewNonInvokeStmt(stmt);
    }
}

onNewPointsToSet

当新Var指向新PTS，调用Model的handleNewPointsToSet接口

public void onNewPointsToSet(CSVar csVar, PointsToSet pts) {
    if (inferenceModel.isRelevantVar(csVar.getVar())) {
        inferenceModel.handleNewPointsToSet(csVar, pts);
    }
    if (reflectiveActionModel.isRelevantVar(csVar.getVar())) {
        reflectiveActionModel.handleNewPointsToSet(csVar, pts);
    }
    if (othersModel.isRelevantVar(csVar.getVar())) {
        othersModel.handleNewPointsToSet(csVar, pts);
    }
    reflectiveArgs.get(csVar.getVar())
            .forEach(edge -> passReflectiveArgs(edge, pts));
}

onNewCSMethod

public void onNewCSMethod(CSMethod csMethod) {
    if (logBasedModel != null) {
        logBasedModel.handleNewCSMethod(csMethod);
    }
}

onUnresolvedCall

public void onUnresolvedCall(CSObj recv, Context context, Invoke invoke) {
    annotationModel.onUnresolvedCall(recv, context, invoke);
}

onNewCallEdge

public void onNewCallEdge(Edge<CSCallSite, CSMethod> edge) {
    if (edge instanceof ReflectiveCallEdge refEdge) {
        Context callerCtx = refEdge.getCallSite().getContext();
        // pass argument
        Var args = refEdge.getArgs();
        if (args != null) {
            CSVar csArgs = csManager.getCSVar(callerCtx, args);
            passReflectiveArgs(refEdge, solver.getPointsToSetOf(csArgs));
            // record args for later-arrive array objects
            reflectiveArgs.put(args, refEdge);
        }
        // pass return value
        Invoke invoke = refEdge.getCallSite().getCallSite();
        Context calleeCtx = refEdge.getCallee().getContext();
        JMethod callee = refEdge.getCallee().getMethod();
        Var result = invoke.getResult();
        if (result != null && isConcerned(callee.getReturnType())) {
            CSVar csResult = csManager.getCSVar(callerCtx, result);
            callee.getIR().getReturnVars().forEach(ret -> {
                CSVar csRet = csManager.getCSVar(calleeCtx, ret);
                solver.addPFGEdge(csRet, csResult, RETURN);
            });
        }
    }
}

4.2 Model & AbstractModel

Provides common functionalities for implementing API models.

个人理解是用于处理特殊API的接口。

4.2.1 Field

• isRelevantVar: 存的是<Var, Invoke>，用于判断是否处理过
• relevantVarIndexes: 存的是Method和参数地址
• handlers: 存的是待处理的InvokeHandler

isRelevantVar

判断是否是相关变量，逻辑是Model 接口存在

// 存的是变量Var和Invoke调用
protected final MultiMap<Var, Invoke> relevantVars = Maps.newMultiMap(Maps.newHybridMap());

public boolean isRelevantVar(Var var) {
    return relevantVars.containsKey(var);
}

relevantVarIndexes

// 存的是method 和相关参数index
   protected final Map<JMethod, int[]> relevantVarIndexes = Maps.newHybridMap();

// 存method和index
   protected void registerRelevantVarIndexes(JMethod api, int... indexes) {
       relevantVarIndexes.put(api, indexes);
   }

以ReflectiveActionModel为例，relevantVarIndexes存的是InvokeHandler

4.2.2 InvokeHandler注解

public abstract class AbstractModel extends SolverHolder implements Model {
    protected final Map<JMethod, TriConsumer<CSVar, PointsToSet, Invoke>> handlers
            = Maps.newMap();
    protected AbstractModel(Solver solver) {
        super(solver);
        registerVarAndHandlersByAnnotation();
        registerVarAndHandlers();
    }

    private void registerVarAndHandlersByAnnotation() {
        Class<?> clazz = getClass();
        for (Method method : clazz.getMethods()) {
            InvokeHandler[] invokeHandlers = method.getAnnotationsByType(InvokeHandler.class);
            if (invokeHandlers != null) {
                for (InvokeHandler invokeHandler : invokeHandlers) {
                    String signature = invokeHandler.signature();
                    JMethod api = hierarchy.getMethod(signature);
                    if (api != null) {
                        registerRelevantVarIndexes(api, invokeHandler.argIndexes());
                        registerAPIHandler(api, createHandler(method));
                    }
                }
            }
        }
    }
    protected void registerAPIHandler(
            JMethod api, TriConsumer<CSVar, PointsToSet, Invoke> handler) {
        if (handlers.containsKey(api)) {
            throw new RuntimeException(this + " registers multiple handlers for " +
                    api + " (in a Model, at most one handler can be registered for a method)");
        }
        handlers.put(api, handler);
    }

在初始化时，就会把带有InvokeHandler注解的方法，放在处理handlers中。

以SolarModel为例，当处理forName 方法时，就会调用Solar#classForName 方法进行处理。

4.2.3 其他API

handleNewInvoke

默认处理NewInvoke，再往上一层是ReflectionAnalysis#onNewStmt，结果是在relevantVars 里新增对应记录。

ReflectionAnalysis#onNewStmt
	AbstractModel#handleNewInvoke
	    relevantVars#put

public void handleNewInvoke(Invoke invoke) {
    JMethod target = invoke.getMethodRef().resolveNullable();
    if (target != null) {
        int[] indexes = relevantVarIndexes.get(target);
        if (indexes != null) {
            for (int i : indexes) {
                relevantVars.put(InvokeUtils.getVar(invoke, i), invoke);
            }
        }
    }
}

handleNewPointsToSet

默认当处理CSVar指向新pts，调用对应handler处理

ReflectionAnalysis#onNewPointsToSet
	AbstractModel#handleNewPointsToSet
    	handler#accept

public void handleNewPointsToSet(CSVar csVar, PointsToSet pts) {
    relevantVars.get(csVar.getVar()).forEach(invoke -> {
        JMethod target = invoke.getMethodRef().resolve();
        var handler = handlers.get(target);
        if (handler != null) {
        	// 调用handler 对应method处理
            handler.accept(csVar, pts, invoke);
        }
    });
}

4.3 SolarModel

最主要的两个Model

• SolarModel
• ReflectiveActionModel
  先看SolarModel

4.3.1 fields

• typeMatcher：类型判断所用, todo
  • typeSystem
  • typeInfos
• handlers：上文AbstractModel解释的通过InvokeHandler注解注册的各种API处理方法
• solver: 原Solver
• csManager
• unsoundInvokes: 存的是暂时无法确定的invoke调用，会在每次invoke中尝试去解析

4.3.2 handlers

以Class.forName 为例

Class.forName(java.lang.String)

总结：根据参数string是否是常量，如果是常量，那么转换成常量对应的类obj，如果不是常量，那么生成一个unknow的obj。

// 上文提到的InvokeHandler，遇到Class.forName 会调用当前method进行处理
   @InvokeHandler(signature = "<java.lang.Class: java.lang.Class forName(java.lang.String)>", argIndexes = {0})
   @InvokeHandler(signature = "<java.lang.Class: java.lang.Class forName(java.lang.String,boolean,java.lang.ClassLoader)>", argIndexes = {0})
   public void classForName(CSVar csVar, PointsToSet pts, Invoke invoke) {
       if (isIgnored(invoke)) {
           return;
       }
       // 获取上下文敏感变脸csVar 的上下文
       Context context = csVar.getContext();
       pts.forEach(obj -> {
       	// 如果obj 不是字符串常量
           if (!heapModel.isStringConstant(obj.getObject())) { // generate c^u
           	// 那么医用solver添加一个指向，var为result，obj为新生成的unknow
               Var result = invoke.getResult();
               if (result != null) {
                   Obj unknownClass = helper.getUnknownClass(invoke);
                   solver.addVarPointsTo(context, result, unknownClass);
               }
           } else { // generate c^t
               // 如果是常量，那么根据string常量生成对应的obj
               classForNameKnown(context, invoke, CSObjs.toString(obj));
           }
       });
   }

疑问：对于Class.forName(java.lang.String)这类invoke，普通指针分析如何的逻辑？
可以看看DefaultSolver#processCall 的逻辑。

getMethods() & getDeclaredMethods()

思考：与上面的Class.forName类似，针对r=o.getMethods()，getMethods()要做的就是加上r var到o.getMethods 的所有可能method 对应的obj。

总结：因为返回是个Array，所以还需要考虑Array内部元素

1. r 指向一个array，具体由helper.getMetaObjArray(invoke) 生成
2. array[i]指向o 里的每个method 对应生成的obj

@InvokeHandler(signature = "<java.lang.Class: java.lang.reflect.Method[] getMethods()>", argIndexes = {BASE})
@InvokeHandler(signature = "<java.lang.Class: java.lang.reflect.Method[] getDeclaredMethods()>", argIndexes = {BASE})
public void classGetMethods(CSVar csVar, PointsToSet pts, Invoke invoke) {
    if (isIgnored(invoke)) {
        return;
    }
    // 获取invoke的result，也即r
    Var result = invoke.getResult();
    if (result != null) {
        Context context = csVar.getContext();
        // 
        CSObj methodArray = csManager.getCSObj(context, helper.getMetaObjArray(invoke));
        ArrayIndex methodArrayIndex = csManager.getArrayIndex(methodArray);
        pts.forEach(classObj -> {
            Obj method;
            if (helper.isUnknownMetaObj(classObj)) { // generate m^u_u
                method = helper.getUnknownMethod(invoke, null, null);
            } else { // generate m^t_u
                JClass clazz = CSObjs.toClass(classObj);
                method = helper.getUnknownMethod(invoke, clazz, null);
            }
            // 并不是Array里的每个index都是个Var，而是整个当作一个Var
            solver.addPointsTo(methodArrayIndex, method);
            // 一开始以为：这里为什么要在for 里呢？为什么不放外面，虽然结果一样
            solver.addVarPointsTo(context, result, methodArray);
        });
    }
}

Method.getMethod & Method.getDeclaredMethod

针对r=o.getMethod(a1,a2)

总结：增加以下的指向

1. var r 指向由o.method生成的obj

@InvokeHandler(signature = "<java.lang.Class: java.lang.reflect.Method getMethod(java.lang.String,java.lang.Class[])>", argIndexes = {BASE, 0})
@InvokeHandler(signature = "<java.lang.Class: java.lang.reflect.Method getDeclaredMethod(java.lang.String,java.lang.Class[])>", argIndexes = {BASE, 0})
public void classGetMethod(CSVar csVar, PointsToSet pts, Invoke invoke) {
    if (isIgnored(invoke)) {
        return;
    }
    Var result = invoke.getResult();
    if (result != null) {
        List<PointsToSet> args = getArgs(csVar, pts, invoke, BASE, 0);
        // o
        PointsToSet classObjs = args.get(0);
        // a1
        PointsToSet nameObjs = args.get(1);
        Context context = csVar.getContext();
        classObjs.forEach(classObj -> {
            boolean isClassUnknown = helper.isUnknownMetaObj(classObj);
            JClass clazz = CSObjs.toClass(classObj);
            nameObjs.forEach(nameObj -> {
                boolean isNameUnknown = !heapModel.isStringConstant(
                        nameObj.getObject());
                String name = CSObjs.toString(nameObj);
                // 如果有一个class 或者name 是未分析的
                if (isClassUnknown || isNameUnknown) { // generate m^t_u, m^u_s, and m^u_u
                	// 那么当作一个unkonw method来处理
                    Obj unknownMethod = helper.getUnknownMethod(invoke, clazz, name);
                    solver.addVarPointsTo(context, result, unknownMethod);
                } else { // generate m^t_s
                	// 重点逻辑：解析具体的method
                    classGetMethodKnown(context, invoke, clazz, name);
                }
            });
        });
    }
}

问题是如何根据a1和a2确定o对应的method？

protected void classGetMethodKnown(Context context, Invoke invoke,
                                   @Nullable JClass clazz, @Nullable String name) {
    if (clazz != null && name != null) {
        Var result = invoke.getResult();
        if (result != null) {
        	// 获取invoke 对应的所有的 methods
            Stream<JMethod> methods = switch (invoke.getMethodRef().getName()) {
            	// 如果class 都分析了，那么获取class 对应name的 method
                case "getMethod" -> Reflections.getMethods(clazz, name);
                case "getDeclaredMethod" -> Reflections.getDeclaredMethods(clazz, name);
                default -> throw new AnalysisException(
                        "Expected [getMethod, getDeclaredMethod], given " +
                                invoke.getMethodRef());
            };
            methods.map(helper::getMetaObj)
                    .forEach(mtdObj -> solver.addVarPointsTo(context, result, mtdObj));
        }
    }
}

疑问，没分析a2吗？

Obj getMetaObj(Object classOrTypeOrMember) {
    return getMetaObj(classOrTypeOrMember, REFLECTION_DESC);
}

private Obj getMetaObj(Object classOrTypeOrMember, Descriptor desc) {
    if (classOrTypeOrMember instanceof JClass jclass) {
        ClassLiteral classLiteral = ClassLiteral.get(jclass.getType());
        return desc.equals(REFLECTION_LOG_DESC)
                ? heapModel.getMockObj(desc, classLiteral, clazz)
                : heapModel.getConstantObj(classLiteral);
    } else if (classOrTypeOrMember instanceof Type type) {
        ClassLiteral classLiteral = ClassLiteral.get(type);
        return desc.equals(REFLECTION_LOG_DESC)
                ? heapModel.getMockObj(desc, classLiteral, clazz)
                : heapModel.getConstantObj(classLiteral);
    } else if (classOrTypeOrMember instanceof JMethod m) {
        if (m.isConstructor()) {
            return heapModel.getMockObj(desc, classOrTypeOrMember, constructor);
        } else {
            return heapModel.getMockObj(desc, classOrTypeOrMember, method);
        }
    } else if (classOrTypeOrMember instanceof JField) {
        return heapModel.getMockObj(desc, classOrTypeOrMember, field);
    } else {
        throw new IllegalArgumentException(
                "Expected JClass or ClassMember," + " given " + classOrTypeOrMember);
    }
}

Method.invoke(java.lang.Object,java.lang.Object[])

针对r=m.invoke(o,a)

总结：

@InvokeHandler(signature = "<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>", argIndexes = {BASE, 0})
public void methodInvoke(CSVar csVar, PointsToSet pts, Invoke invoke) {
    if (isIgnored(invoke)) {
        return;
    }
    List<PointsToSet> args = getArgs(csVar, pts, invoke, BASE, 0);
    PointsToSet mtdObjs = args.get(0);
    // infer m^t_s from m^t_u (obj) with type information at invoke
    if (typeMatcher.hasTypeInfo(invoke)) {
        Context context = csVar.getContext();
        Var m = InvokeUtils.getVar(invoke, BASE); // m.invoke(o, args);
        mtdObjs.forEach(obj -> {
            if (helper.isUnknownMetaObj(obj)) {
                MethodInfo methodInfo = helper.getMethodInfo(obj);
                JClass clazz = methodInfo.clazz();
                if (clazz != null && (!ONLY_APP || clazz.isApplication())) {
                    // class is known in methodInfo
                    Stream<JMethod> targets = methodInfo.isFromGetMethod()
                            ? Reflections.getMethods(clazz)
                            : Reflections.getDeclaredMethods(clazz);
                    targets.filter(target -> !typeMatcher.isUnmatched(invoke, target))
                            .map(helper::getMetaObj)
                            .forEach(mtdObj -> solver.addVarPointsTo(context, m, mtdObj));
                }
            }
        });
    }
    // collect unsound Method.invoke() call
    if (!unsoundInvokes.contains(invoke)) {
        PointsToSet recvObjs = args.get(1);
        Var o = InvokeUtils.getVar(invoke, 0);
        boolean oIsNull = o.isConst() && o.getConstValue() instanceof NullLiteral;
        for (CSObj mtdObj : mtdObjs) {
            if (helper.isUnknownMetaObj(mtdObj)) {
                MethodInfo methodInfo = helper.getMethodInfo(mtdObj);
                if (methodInfo.isClassUnknown()) {
                    if (oIsNull) {
                        unsoundInvokes.add(invoke);
                        return;
                    }
                    for (CSObj recvObj : recvObjs) {
                        if (recvObj.getObject() instanceof MockObj mockObj &&
                                mockObj.getDescriptor().equals(UNKNOWN_DESC)) {
                            unsoundInvokes.add(invoke);
                            return;
                        }
                    }
                }
            }
        }
    }
}

Object.newInstance()

r=class.newInstance()

总结：增加一个指向关系，Var为r，obj为unknownObj

@InvokeHandler(signature = "<java.lang.Class: java.lang.Object newInstance()>", argIndexes = {BASE})
public void classNewInstance(CSVar csVar, PointsToSet pts, Invoke invoke) {
    if (isIgnored(invoke)) {
        return;
    }
    Var result = invoke.getResult();
    if (result != null) {
        Context context = csVar.getContext();
        for (CSObj obj : pts) {
            if (helper.isUnknownMetaObj(obj)) {
                CSCallSite csCallSite = csManager.getCSCallSite(context, invoke);
                Obj unknownObj = heapModel.getMockObj(UNKNOWN_DESC,
                        csCallSite, object, invoke.getContainer(), false);
                solver.addVarPointsTo(context, result, unknownObj);
                return;
            }
        }
    }
}

Object.newInstance(java.lang.Class,int)

r=class.newInstance(a1,a2)

总结：插入unsoundInvokes

@InvokeHandler(signature = "<java.lang.reflect.Array: java.lang.Object newInstance(java.lang.Class,int)>", argIndexes = {0})
public void collectUnsoundArrayNewInstance(CSVar csVar, PointsToSet pts, Invoke invoke) {
    if (isIgnored(invoke) || unsoundInvokes.contains(invoke)) {
        return;
    }
    for (CSObj classObj : pts) {
        if (helper.isUnknownMetaObj(classObj)) {
            unsoundInvokes.add(invoke);
            return;
        }
    }
}

4.4 ReflectiveActionModel

4.4.1 fields

• allTargets: MultiMap<Invoke, Object> 类型

4.4.2 handlers

前文分析已经得知，具体是通过InvokeHandler 注册handler 来进行处理匹配的method 逻辑。

1. Object.newInstance()

@InvokeHandler(signature = "<java.lang.Class: java.lang.Object newInstance()>", argIndexes = {BASE})
public void classNewInstance(CSVar csVar, PointsToSet pts, Invoke invoke) {
    Context context = csVar.getContext();
    // 对于每个pts包含的obj
    pts.forEach(obj -> {
        if (isInvalidTarget(invoke, obj)) {
            return;
        }
        // 获取obj的类型对应的JClass
        JClass clazz = CSObjs.toClass(obj);
        if (clazz != null) {
        	// 获取Jclass 的无参构造函数
            JMethod init = clazz.getDeclaredMethod(initNoArg);
            if (init != null && !typeMatcher.isUnmatched(invoke, init)) {
            	// 
                ClassType type = clazz.getType();
                // 核心逻辑：根据invoke 方法和类型，计算出新的类型
                CSObj csNewObj = newReflectiveObj(context, invoke, type);
                addReflectiveCallEdge(context, invoke, csNewObj, init, null);
            }
        }
    });
}

isInvalidTarget: 如果日志对反射调用 {@code invoke} 进行了注解、而给定的 {@code metaObj} 并非由日志生成，那么我们将{@code metaObj} 将被视为 {@code invoke} 的无效目标。

private boolean isInvalidTarget(Invoke invoke, CSObj metaObj) {
    return invokesWithLog.contains(invoke) && !helper.isLogMetaObj(metaObj);
}

具体如何的逻辑？

newReflectiveObj

Object.newInstance(java.lang.Class,int)

@InvokeHandler(signature = "<java.lang.reflect.Array: java.lang.Object newInstance(java.lang.Class,int)>", argIndexes = {0})
public void arrayNewInstance(CSVar csVar, PointsToSet pts, Invoke invoke) {
    Var result = invoke.getResult();
    if (result == null) {
        return;
    }
    Context context = csVar.getContext();
    pts.forEach(obj -> {
        if (isInvalidTarget(invoke, obj)) {
            return;
        }
        Type baseType = CSObjs.toType(obj);
        if (baseType != null && !(baseType instanceof VoidType)) {
            ArrayType arrayType = typeSystem.getArrayType(baseType, 1);
            CSObj csNewArray = newReflectiveObj(context, invoke, arrayType);
            solver.addVarPointsTo(context, result, csNewArray);
            allTargets.put(invoke, arrayType);
        }
    });
}

Field.set(java.lang.Object,java.lang.Object)

@InvokeHandler(signature = "<java.lang.reflect.Field: void set(java.lang.Object,java.lang.Object)>", argIndexes = {BASE, 0})
public void fieldSet(CSVar csVar, PointsToSet pts, Invoke invoke) {
    Context context = csVar.getContext();
    CSVar from = csManager.getCSVar(context, invoke.getInvokeExp().getArg(1));
    List<PointsToSet> args = getArgs(csVar, pts, invoke, BASE, 0);
    PointsToSet fldObjs = args.get(0);
    PointsToSet baseObjs = args.get(1);
    fldObjs.forEach(fldObj -> {
        if (isInvalidTarget(invoke, fldObj)) {
            return;
        }
        JField field = CSObjs.toField(fldObj);
        if (field != null) {
            if (field.isStatic()) {
                StaticField sfield = csManager.getStaticField(field);
                solver.addPFGEdge(from, sfield, STATIC_STORE, sfield.getType());
            } else {
                Type declType = field.getDeclaringClass().getType();
                baseObjs.forEach(baseObj -> {
                    Type objType = baseObj.getObject().getType();
                    if (typeSystem.isSubtype(declType, objType)) {
                        InstanceField ifield = csManager.getInstanceField(baseObj, field);
                        solver.addPFGEdge(from, ifield, INSTANCE_STORE, ifield.getType());
                        allTargets.put(invoke, field); // record target
                    }
                });
            }
        }
    });
}

Field.get(java.lang.Object)

@InvokeHandler(signature = "<java.lang.reflect.Field: java.lang.Object get(java.lang.Object)>", argIndexes = {BASE, 0})
public void fieldGet(CSVar csVar, PointsToSet pts, Invoke invoke) {
    Var result = invoke.getResult();
    if (result == null) {
        return;
    }
    Context context = csVar.getContext();
    CSVar to = csManager.getCSVar(context, result);
    List<PointsToSet> args = getArgs(csVar, pts, invoke, BASE, 0);
    PointsToSet fldObjs = args.get(0);
    PointsToSet baseObjs = args.get(1);
    fldObjs.forEach(fldObj -> {
        if (isInvalidTarget(invoke, fldObj)) {
            return;
        }
        JField field = CSObjs.toField(fldObj);
        if (field != null) {
            if (field.isStatic()) {
                StaticField sfield = csManager.getStaticField(field);
                solver.addPFGEdge(sfield, to, FlowKind.STATIC_LOAD);
            } else {
                Type declType = field.getDeclaringClass().getType();
                baseObjs.forEach(baseObj -> {
                    Type objType = baseObj.getObject().getType();
                    if (typeSystem.isSubtype(declType, objType)) {
                        InstanceField ifield = csManager.getInstanceField(baseObj, field);
                        solver.addPFGEdge(ifield, to, FlowKind.INSTANCE_LOAD);
                        allTargets.put(invoke, field); // record target
                    }
                });
            }
        }
    });
}

Object.invoke(java.lang.Object,java.lang.Object[])

思考：针对r=m.invoke(o,a)

总结：

@InvokeHandler(signature = "<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>", argIndexes = {BASE, 0})
public void methodInvoke(CSVar csVar, PointsToSet pts, Invoke invoke) {
    Context context = csVar.getContext();
    List<PointsToSet> args = getArgs(csVar, pts, invoke, BASE, 0);
    // m
    PointsToSet mtdObjs = args.get(0);
    // o
    PointsToSet recvObjs = args.get(1);
    // a
    Var argsVar = invoke.getInvokeExp().getArg(1);
    mtdObjs.forEach(mtdObj -> {
        if (isInvalidTarget(invoke, mtdObj)) {
            return;
        }
        JMethod target = CSObjs.toMethod(mtdObj);
        if (target != null && !typeMatcher.isUnmatched(invoke, target)) {
            if (target.isStatic()) {
            	// 如果是静态method，调用addReflectiveCallEdge
                addReflectiveCallEdge(context, invoke, null, target, argsVar);
            } else {
            	// 否则，针对o对应的每一个pts，调用addReflectiveCallEdge
                recvObjs.forEach(recvObj ->
                        addReflectiveCallEdge(context, invoke, recvObj, target, argsVar));
            }
        }
    });
}

最主要的逻辑addReflectiveCallEdge: 增加一条反射调用边

private void addReflectiveCallEdge(
        Context callerCtx, Invoke callSite,
        @Nullable CSObj recvObj, JMethod callee, Var args) {
    // 如果不是静态方法或者构造方法
    if (!callee.isConstructor() && !callee.isStatic()) {
        // dispatch for instance method (except constructor)
        assert recvObj != null : "recvObj is required for instance method";
        // 重点：查找对应的callee method
        callee = hierarchy.dispatch(recvObj.getObject().getType(),
                callee.getRef());
        if (callee == null) {
            return;
        }
    }
    CSCallSite csCallSite = csManager.getCSCallSite(callerCtx, callSite);
    Context calleeCtx;
    if (callee.isStatic()) {
        calleeCtx = selector.selectContext(csCallSite, callee);
    } else {
        calleeCtx = selector.selectContext(csCallSite, recvObj, callee);
        // pass receiver object to 'this' variable of callee
        // 
        solver.addVarPointsTo(calleeCtx, callee.getIR().getThis(), recvObj);
    }
    // 
    ReflectiveCallEdge callEdge = new ReflectiveCallEdge(csCallSite,
            csManager.getCSMethod(calleeCtx, callee), args);
    // 增加一条calledge
    solver.addCallEdge(callEdge);
    allTargets.put(callSite, callee); // record target
}

0x05 步骤跟踪

5.1 SolarModel#methodInvoke 第一次

调用栈

methodInvoke:199, SolarModel (pascal.taie.analysis.pta.plugin.reflection)
accept:-1, AbstractModel$$Lambda$287/0x0000000800ee7990 (pascal.taie.analysis.pta.plugin.util)
lambda$handleNewPointsToSet$0:155, AbstractModel (pascal.taie.analysis.pta.plugin.util)
accept:-1, AbstractModel$$Lambda$359/0x0000000800f1b960 (pascal.taie.analysis.pta.plugin.util)
forEach:75, Iterable (java.lang)
forEach:1092, Collections$UnmodifiableCollection (java.util)
handleNewPointsToSet:151, AbstractModel (pascal.taie.analysis.pta.plugin.util)
handleNewPointsToSet:292, SolarModel (pascal.taie.analysis.pta.plugin.reflection)
onNewPointsToSet:126, ReflectionAnalysis (pascal.taie.analysis.pta.plugin.reflection)
lambda$onNewPointsToSet$1:109, CompositePlugin (pascal.taie.analysis.pta.plugin)
accept:-1, CompositePlugin$$Lambda$354/0x0000000800f1aa10 (pascal.taie.analysis.pta.plugin)
forEach:1511, ArrayList (java.util)
onNewPointsToSet:109, CompositePlugin (pascal.taie.analysis.pta.plugin)
analyze:318, DefaultSolver (pascal.taie.analysis.pta.core.solver)
solve:246, DefaultSolver (pascal.taie.analysis.pta.core.solver)
runAnalysis:119, PointerAnalysis (pascal.taie.analysis.pta)
analyze:107, PointerAnalysis (pascal.taie.analysis.pta)
analyze:64, PointerAnalysis (pascal.taie.analysis.pta)
runProgramAnalysis:148, AnalysisManager (pascal.taie.analysis)
runAnalysis:135, AnalysisManager (pascal.taie.analysis)
lambda$execute$0:104, AnalysisManager (pascal.taie.analysis)
get:-1, AnalysisManager$$Lambda$227/0x0000000800eaf578 (pascal.taie.analysis)
runAndCount:93, Timer (pascal.taie.util)
lambda$execute$1:103, AnalysisManager (pascal.taie.analysis)
accept:-1, AnalysisManager$$Lambda$226/0x0000000800eaf120 (pascal.taie.analysis)
forEach:1511, ArrayList (java.util)
execute:102, AnalysisManager (pascal.taie.analysis)
executePlan:152, Main (pascal.taie)
lambda$main$0:61, Main (pascal.taie)
run:-1, Main$$Lambda$109/0x0000000800d2b228 (pascal.taie)
lambda$runAndCount$0:112, Timer (pascal.taie.util)
get:-1, Timer$$Lambda$110/0x0000000800d2b680 (pascal.taie.util)
runAndCount:93, Timer (pascal.taie.util)
runAndCount:111, Timer (pascal.taie.util)
runAndCount:107, Timer (pascal.taie.util)
main:52, Main (pascal.taie)

疑问：relevantVars 何时input值的

解读：

• var r3 即tt
• pts 为22行的new InvokeDemo()
• invoke 为jvm invokevirtual 动态调用

@InvokeHandler(signature = "<java.lang.reflect.Method: java.lang.Object invoke(java.lang.Object,java.lang.Object[])>", argIndexes = {BASE, 0})
public void methodInvoke(CSVar csVar, PointsToSet pts, Invoke invoke) {
    if (isIgnored(invoke)) {
        return;
    }
    // 获取当前参数的pts，当前参数为-1和0位置，也即
    // 1. method
    // 2. obj
    List<PointsToSet> args = getArgs(csVar, pts, invoke, BASE, 0);
    // method obj对应的pts
    PointsToSet mtdObjs = args.get(0);
    // infer m^t_s from m^t_u (obj) with type information at invoke
    // 获取invoke的TypeInfo，包括resultType和argsType
    if (typeMatcher.hasTypeInfo(invoke)) {
        Context context = csVar.getContext();
        // 获取method 对应的Var
        Var m = InvokeUtils.getVar(invoke, BASE); // m.invoke(o, args);
        // 此刻mtdObjs为空，不进入这里，暂不跟踪
        mtdObjs.forEach(obj -> {
            if (helper.isUnknownMetaObj(obj)) {
                MethodInfo methodInfo = helper.getMethodInfo(obj);
                JClass clazz = methodInfo.clazz();
                if (clazz != null && (!ONLY_APP || clazz.isApplication())) {
                    // class is known in methodInfo
                    Stream<JMethod> targets = methodInfo.isFromGetMethod()
                            ? Reflections.getMethods(clazz)
                            : Reflections.getDeclaredMethods(clazz);
                    targets.filter(target -> !typeMatcher.isUnmatched(invoke, target))
                            .map(helper::getMetaObj)
                            .forEach(mtdObj -> solver.addVarPointsTo(context, m, mtdObj));
                }
            }
        });
    }
    // collect unsound Method.invoke() call
    // 放入unsoundInvokes
    if (!unsoundInvokes.contains(invoke)) {
    	// 获取method 的pts
        PointsToSet recvObjs = args.get(1);
        // 获取obj 的var
        Var o = InvokeUtils.getVar(invoke, 0);
        boolean oIsNull = o.isConst() && o.getConstValue() instanceof NullLiteral;
        // 如果method 有对应pts
        for (CSObj mtdObj : mtdObjs) {
        	// 满足特定条件，才会被添加unsoundInvokes
            if (helper.isUnknownMetaObj(mtdObj)) {
                MethodInfo methodInfo = helper.getMethodInfo(mtdObj);
                if (methodInfo.isClassUnknown()) {
                    if (oIsNull) {
                        unsoundInvokes.add(invoke);
                        return;
                    }
                    for (CSObj recvObj : recvObjs) {
                        if (recvObj.getObject() instanceof MockObj mockObj &&
                                mockObj.getDescriptor().equals(UNKNOWN_DESC)) {
                            unsoundInvokes.add(invoke);
                            return;
                        }
                    }
                }
            }
        }
    }
}

所以总体看看，干了啥

• unsoundInvokes，满足一定条件的invoke，会被放在这里
• 中间更新了obj、method、arg的pts

所以这里并没有直接解析出invoke的映射关系。

AbstractModel#getArgs

/**
 * For invocation r = v.foo(a0, a1, ..., an);
 * when points-to set of v or any ai (0 ≤ i ≤ n) changes,
 * this convenient method returns points-to sets relevant arguments.
 * For case v/ai == csVar.getVar(), this method returns pts,
 * otherwise, it just returns current points-to set of v/ai.     
 *
 * @param csVar   may be v or any ai.
 * @param pts     changed part of csVar
 * @param invoke  the call site which contain csVar
 * @param indexes indexes of the relevant arguments
 */
/**
 * 对于调用 r = v.foo(a0, a1, ..., an);
 * 如果v，或者ai(0<=i<=n)的pts变化，这个方法返回pts相关的参数。
 * 如果v或者ai等于参数csVar，那么返回参数pts，
 * 否则返回v或者ai 对应的pts
 */
protected List<PointsToSet> getArgs(
        CSVar csVar, PointsToSet pts, Invoke invoke, int... indexes) {
    List<PointsToSet> args = new ArrayList<>(indexes.length);
    for (int i : indexes) {
    	// 根据位置index获取invoke调用所在对应位置的参数
        Var arg = InvokeUtils.getVar(invoke, i);
        // 如果和csVar 相同，那么直接返回当前pts
        if (arg.equals(csVar.getVar())) {
            args.add(pts);
        } else {
        	// 否则，从csManager中获取
            CSVar csArg = csManager.getCSVar(csVar.getContext(), arg);
            // solver.getPointsToSetOf没有过多操作，获取CSVar中对应的pts，如果当前CSVar没有指定pts关系，那么则关联上
            args.add(solver.getPointsToSetOf(csArg));
        }
    }
    return args;
}

1. 第0个参试是$r6，不是csVar的$r3，那么通过csManager获取

getCSVar:172, MapBasedCSManager$PointerManager (pascal.taie.analysis.pta.core.cs.element)
getCSVar:65, MapBasedCSManager (pascal.taie.analysis.pta.core.cs.element)
getArgs:180, AbstractModel (pascal.taie.analysis.pta.plugin.util)
methodInvoke:202, SolarModel (pascal.taie.analysis.pta.plugin.reflection)

疑问：csManager何时维护的？

2. 第0个参试是$r3，是csVar，那么直接返回csVar的pts

typeMatcher.hasTypeInfo(invoke)

TypeMatcher.java

boolean hasTypeInfo(Invoke invoke) {
    return getTypeInfo(invoke).argumentTypes() != null;
}
private TypeInfo getTypeInfo(Invoke invoke) {
    return typeInfos.computeIfAbsent(invoke, TypeMatcher::computeTypeInfo);
}

/**
 * Performs an intra-procedural analysis to compute available
 * type information for reflective call {@code invoke}.
 */
private static TypeInfo computeTypeInfo(Invoke invoke) {
    List<Stmt> stmts = invoke.getContainer().getIR().getStmts();
    // search cast type on result of invoke

TypeMatcher#computeTypeInfo

作用是：执行程序内分析，计算反射调用 {@code invoke} 的可用类型信息。

难不成这里是关键？

private static TypeInfo computeTypeInfo(Invoke invoke) {
	// 获取当前invoke调用所在的函数的所有子stmt
    List<Stmt> stmts = invoke.getContainer().getIR().getStmts();
    // search cast type on result of invoke
    Var result = invoke.getResult();
    Type returnType = null;
    // 如果存在ret，暂时不看，本case没有
    if (result != null) {
        for (int i = invoke.getIndex() + 1; i < stmts.size(); ++i) {
            Stmt stmt = stmts.get(i);
            if (stmt.getUses().contains(result) && returnType != null) {
                // found multiple usages of the result, give up
                returnType = null;
                break;
            }
            if (stmt instanceof Cast cast &&
                    cast.getRValue().getValue().equals(result)) {
                assert returnType == null;
                returnType = cast.getRValue().getCastType();
            }
        }
    }
    // 如果参数个数为0
    if (invoke.getInvokeExp().getArgCount() == 0) {
        // no argument, it means that invoke calls Class.newInstance()
        return new TypeInfo(returnType, List.of());
    }
    // search definition of args
    // argIndexes静态常量，判断是invoke调用还是newInstance调用，如果是invoke，那么参数位置为1，如果是newInstance，那么为0
    int argIndex = argIndexes.get(invoke.getMethodRef().getName());
    // 获取invoke参数对应的var
    Var args = invoke.getInvokeExp().getArg(argIndex);
    Type[] argTypes = null;
    if (args.isConst()) {
        // if args is constant, it must be null, and for such case,
        // no argument is given.
        argTypes = new Type[0];
    } else {
    	// invoke的参数是数组格式的，这里验证下
        assert args.getType() instanceof ArrayType;
        DefinitionStmt<?, ?> argDef = null;
        // 一当前invoke为起始点，往上回溯，找到arg的定义，注意这里arg是个数组，实际上并非代码中，而是IR过程自动生成，这一步的目的是
        // 1. 获取invoke参数个数，生成argTypes数组
        // 2. 获取到argDef
        for (int i = invoke.getIndex() - 1; i >= 0; --i) {
            Stmt stmt = stmts.get(i);
            if (stmt instanceof DefinitionStmt<?, ?> defStmt) {
                LValue lValue = defStmt.getLValue();
                if (args.equals(lValue)) { // found definition of args
                    if (argDef == null) {
                        argDef = defStmt;
                        int length = getArrayLength(defStmt.getRValue());
                        if (length != -1) { // found args = new Object[length];
                            argTypes = new Type[length];
                        } else { // args is defined by other ways, give up
                            break;
                        }
                    } else { // found multiple definitions of args, give up
                        argTypes = null;
                        break;
                    }
                }
            }
        }
        if (argTypes != null) {
            // creation of args is analyzable, collect argument types
            // 从argDef开始往后遍历
            for (int i = argDef.getIndex(); i < stmts.size(); ++i) {
                Stmt stmt = stmts.get(i);
                // 对应Store 存储，StoreArray 往Array里面存储
                if (stmt instanceof StoreArray storeArray) {
                
                    ArrayAccess arrayAccess = storeArray.getArrayAccess();
                    if (arrayAccess.getBase().equals(args)) {
                        // args[*] = ...;
                        Var index = arrayAccess.getIndex();
                        if (index.isConst()) { // index is constant
                            int iIndex = ((IntLiteral) index.getConstValue()).getValue();
                            if (argTypes[iIndex] == null) {
                            	// 获取对应参数类型
                                argTypes[iIndex] = storeArray.getRValue().getType();
                            } else { // found multiple definitions
                                // on the same array index, give up
                                argTypes = null;
                                break;
                            }
                        } else { // index is not constant, give up
                            argTypes = null;
                            break;
                        }
                    }
                }
            }
            if (argTypes != null) {
                // fill NullType for non-assigned array indexes
	            // 如果argTypes还有没找到类型的，就设置为NullType
                for (int i = 0; i < argTypes.length; ++i) {
                    if (argTypes[i] == null) {
                        argTypes[i] = NullType.NULL;
                    }
                }
            }
        }
    }
    List<Type> argumentTypes = (argTypes != null) ? List.of(argTypes) : null;
    // 最后由组成returnType，argsType TypeInfo
    return (returnType == null && argumentTypes == null)
            ? UNKNOWN : new TypeInfo(returnType, argumentTypes);
}

并未看到

通过对SolarModel的分析，我们并未发现对invoke 方法的推断逻辑

调试发现，这个关系在worlList的callEdges中

WorkList#addEntry 方法提供对callEdges的增加操作，其有一处usage

DefaultSlover#processCall
ReflectiveActionModel#addReflectiveCallEdge
...
    DefaultSlover#addCallEdge
        WorkList#addEntry
            WorkList.callEdges.add

5.2 SolarModel#methodInvoke 第二次

methodInvoke:199, SolarModel (pascal.taie.analysis.pta.plugin.reflection)
accept:-1, AbstractModel$$Lambda$289/0x0000000800ed8ac8 (pascal.taie.analysis.pta.plugin.util)
lambda$handleNewPointsToSet$0:155, AbstractModel (pascal.taie.analysis.pta.plugin.util)
accept:-1, AbstractModel$$Lambda$359/0x0000000800f0d368 (pascal.taie.analysis.pta.plugin.util)
forEach:75, Iterable (java.lang)
forEach:1092, Collections$UnmodifiableCollection (java.util)
handleNewPointsToSet:151, AbstractModel (pascal.taie.analysis.pta.plugin.util)
handleNewPointsToSet:292, SolarModel (pascal.taie.analysis.pta.plugin.reflection)
onNewPointsToSet:126, ReflectionAnalysis (pascal.taie.analysis.pta.plugin.reflection)
lambda$onNewPointsToSet$1:109, CompositePlugin (pascal.taie.analysis.pta.plugin)
accept:-1, CompositePlugin$$Lambda$354/0x0000000800f0c418 (pascal.taie.analysis.pta.plugin)
forEach:1511, ArrayList (java.util)
onNewPointsToSet:109, CompositePlugin (pascal.taie.analysis.pta.plugin)

此刻mtdObjs 已经有值了，并且是关联上了正确的pts：echo method

中间发生了啥？

5.3 SolarModel#getMethod

在处理getMethod时，如果发现method可以被定位，那么会调用classGetMethodKnown，进而还会把result重新入栈workList进行计算
注意此时的result 为method
对应的是invoke 的method，重新入栈之后会再次触发SolarModel#invoke，而这次method 的pts已经是已知的了。

<init>:49, MockObj (pascal.taie.analysis.pta.core.heap)
getMockObj:207, AbstractHeapModel (pascal.taie.analysis.pta.core.heap)
getMockObj:63, HeapModel (pascal.taie.analysis.pta.core.heap)
getMockObj:77, HeapModel (pascal.taie.analysis.pta.core.heap)
getMetaObj:131, MetaObjHelper (pascal.taie.analysis.pta.plugin.reflection)
getMetaObj:105, MetaObjHelper (pascal.taie.analysis.pta.plugin.reflection)
apply:-1, InferenceModel$$Lambda$367/0x0000000800f0eac0 (pascal.taie.analysis.pta.plugin.reflection)
accept:197, ReferencePipeline$3$1 (java.util.stream)
forEachRemaining:1625, ArrayList$ArrayListSpliterator (java.util)
copyInto:509, AbstractPipeline (java.util.stream)
wrapAndCopyInto:499, AbstractPipeline (java.util.stream)
evaluateSequential:150, ForEachOps$ForEachOp (java.util.stream)
evaluateSequential:173, ForEachOps$ForEachOp$OfRef (java.util.stream)
evaluate:234, AbstractPipeline (java.util.stream)
forEach:596, ReferencePipeline (java.util.stream)
classGetMethodKnown:114, InferenceModel (pascal.taie.analysis.pta.plugin.reflection)

workList 中新增一条记录，invoke调用的返回Var$r6，Obj为该invoke调用

0x06 其他探索

6.1 编译优化

代码改成"ec"+"ho"表达式

// 1. 测试污点为参数
Method method = tt.getClass().getMethod("ec"+"ho", String.class);
method.invoke(tt, content);

发现IR中仍然会将其拼接成”echo”，这步是在哪实现的呢？

• 编译阶段
• IR

答案是编译的时候进行了优化

6.2

拆分为变量

String t = "ec";
Method method = tt.getClass().getMethod(t+"ho", String.class);
method.invoke(tt, content);

此刻编译结果没有优化

IR:

看看Tai-e Solar反射分析结果

结论：未被识别出来

6.3

String t = "ho";
Method method = tt.getClass().getMethod("ec"+t, String.class);
method.invoke(tt, content);

此刻编译结果没有优化

IR:

看看Tai-e Solar反射分析结果

结论：未被识别出来

6.4

String t = "echo";
Method method = tt.getClass().getMethod(t, String.class);
method.invoke(tt, content);

此刻编译结果没有优化

IR:

看看Tai-e Solar反射分析结果

结论：可以被识别

0x07 总结与思考

1. 指针分析需要知道入口点，如何能够保证全部类文件都分析到？

0x08 参考

• [1] pascal-lab/Tai-e
• [2] 静态分析-基于南京大学软件分析课程的静态分析基础教程
• [3] Java静态分析框架Tai-e的简单使用
• [4] Java 指针分析综述
• [5] Understanding and Analyzing Java Reflection