
[Bug fix] return incorrect nullness in the method Scene#getTypeUnsafe #1697

Open
wants to merge 4 commits into base: develop

Conversation

canliture (Contributor)

@canliture canliture commented Jul 11, 2021

fixed #1647
fixed #1696

The method soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder#addType calls Scene#getTypeUnsafe(String),
but the argument passed to Scene#getTypeUnsafe(String) may be quoted, for example:

  • "sun.reflect.'annotation'.AnnotationType"

  • "java.lang.'annotation'.Annotation"

Scene#getTypeUnsafe(String) returns null if the argument passed in is quoted, which leads to Soot crashing with a NullPointerException or IllegalArgumentException somewhere, as in the following 'test3', which fails with an IllegalArgumentException.

Here is a minimal test for evaluating the bug fix.

    import org.junit.Test;

    import soot.G;
    import soot.PackManager;
    import soot.Scene;
    import soot.options.Options;

    public class SootResolverTest {
        @Test
        public void test3() {
            // Reset Soot's global state so the test is independent of earlier runs
            G.reset();

            // Whole-program mode is required for the call-graph packs to run
            Options.v().set_whole_program(true);

            Scene.v().loadNecessaryClasses();

            /* returnType may be null in SootMethodRefImpl's constructor, resulting in an IllegalArgumentException */
            PackManager.v().runPacks();
        }
    }
    

Before the fix, Soot crashes with the following message:

    java.lang.IllegalArgumentException: Attempt to create SootMethodRef with null returnType
    
    	at soot.SootMethodRefImpl.<init>(SootMethodRefImpl.java:86)
    	at soot.Scene.makeMethodRef(Scene.java:1962)
    	at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addType(OnFlyCallGraphBuilder.java:608)
    	at soot.jimple.toolkits.callgraph.CallGraphBuilder.processReceivers(CallGraphBuilder.java:201)
    	at soot.jimple.toolkits.callgraph.CallGraphBuilder.process(CallGraphBuilder.java:128)
    	at soot.jimple.toolkits.callgraph.CallGraphBuilder.build(CallGraphBuilder.java:114)
    	at soot.jimple.toolkits.callgraph.CHATransformer.internalTransform(CHATransformer.java:54)
    	at soot.SceneTransformer.transform(SceneTransformer.java:36)
    	at soot.Transform.apply(Transform.java:105)
    	at soot.RadioScenePack.internalApply(RadioScenePack.java:64)
    	at soot.jimple.toolkits.callgraph.CallGraphPack.internalApply(CallGraphPack.java:61)
    	at soot.Pack.apply(Pack.java:118)
    	at soot.PackManager.runWholeProgramPacks(PackManager.java:619)
    	at soot.PackManager.runPacksNormally(PackManager.java:500)
    	at soot.PackManager.runPacks(PackManager.java:425)
            ... ...
            ... ...
    

Why may a type name string be quoted (like sun.reflect.'annotation'.AnnotationType)?
For serialization, e.g. to the .jimple format, a textual (and quoted as needed) representation of a type is necessary. So some reserved names are replaced with their quoted form (the reserved names table is listed in the method Scene#setReservedNames).

"annotation" is a reserved name for textual serialization, and in the method Scene#quotedNameOf, if a part of a string contains a reserved name, the part is replaced with 'part', just as annotation is replaced with 'annotation'.
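To illustrate the quoting scheme the description above refers to, here is an added, stand-alone Java sketch; it is not Soot's code and not part of this PR. It assumes a constructed reserved-name set containing only "annotation" (the full table lives in Scene#setReservedNames), treats a dotted part as reserved only on exact match, and uses a hypothetical toy type table keyed by unquoted names to show why a raw lookup of a quoted name yields null while a normalising lookup does not.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;

// Stand-alone illustration (not Soot's code) of the quoting scheme described above.
public class QuotedTypeNames {
    // Constructed subset of reserved names; the full table is in Scene#setReservedNames.
    static final Set<String> RESERVED = Set.of("annotation");

    // Assumed reading of Scene#quotedNameOf: a dotted part equal to a reserved name is
    // wrapped in single quotes, every other part is left untouched.
    static String quotedNameOf(String name) {
        StringJoiner out = new StringJoiner(".");
        for (String part : name.split("\\.", -1)) {
            out.add(RESERVED.contains(part) ? "'" + part + "'" : part);
        }
        return out.toString();
    }

    // Inverse: strip the quotes so the name matches the key a type table is stored under.
    static String unquotedNameOf(String name) {
        StringJoiner out = new StringJoiner(".");
        for (String part : name.split("\\.", -1)) {
            boolean quoted = part.length() >= 2 && part.startsWith("'") && part.endsWith("'");
            out.add(quoted ? part.substring(1, part.length() - 1) : part);
        }
        return out.toString();
    }

    // Hypothetical toy type table keyed by unquoted class names (stand-in for the Scene).
    static final Map<String, String> TYPES = new HashMap<>();

    // Raw lookup: a quoted spelling misses the table and yields null, the nullness
    // the PR title refers to.
    static String lookupRaw(String name) {
        return TYPES.get(name);
    }

    // Normalising lookup: quoted and unquoted spellings resolve to the same entry.
    static String lookupNormalised(String name) {
        return TYPES.get(unquotedNameOf(name));
    }

    public static void main(String[] args) {
        TYPES.put("sun.reflect.annotation.AnnotationType", "RefType(sun.reflect.annotation.AnnotationType)");
        String quoted = quotedNameOf("sun.reflect.annotation.AnnotationType");
        System.out.println("quoted:     " + quoted);
        System.out.println("raw:        " + lookupRaw(quoted));
        System.out.println("normalised: " + lookupNormalised(quoted));
    }
}
```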

@linghuiluo linghuiluo requested a review from swissiety July 14, 2021 18:30