fix phantom type of applying rules

.gitignore

@@ -56,3 +56,5 @@ env/data
 env/import
 .DS_Store
 jre_libs
+*.jar
+db.properties

src/main/java/tabby/analysis/PollutedVarsPointsToAnalysis.java

@@ -111,7 +111,16 @@ protected void flowThrough(Map<Local, TabbyVariable> in, Unit d, Map<Local, Tabb
  if(GlobalConfiguration.isNeedStop){
  return;
  }
- Map<Local, TabbyVariable> newIn = new HashMap<>();
+
+// if(context.getMethodSignature().equals("")){
+// System.out.println(1);
+// }
+//
+// if("".equals(d.toString())){
+// System.out.println(1);
+// }
+
+ Map<Local, TabbyVariable> newIn = new HashMap<>(); // TODO debug
  copy(in, newIn);
  context.setLocalMap(newIn);
  context.setInitialMap(initialMap);

src/main/java/tabby/analysis/switcher/Switcher.java

@@ -7,20 +7,19 @@
 import soot.jimple.internal.JimpleLocalBox;
 import soot.toolkits.graph.BriefUnitGraph;
 import soot.toolkits.graph.UnitGraph;
-import tabby.common.utils.SemanticUtils;
-import tabby.core.container.DataContainer;
+import tabby.analysis.PollutedVarsPointsToAnalysis;
 import tabby.analysis.data.Context;
 import tabby.analysis.data.TabbyVariable;
-import tabby.analysis.PollutedVarsPointsToAnalysis;
 import tabby.common.bean.edge.Call;
 import tabby.common.bean.ref.MethodReference;
 import tabby.common.utils.PositionUtils;
+import tabby.common.utils.SemanticUtils;
+import tabby.core.container.DataContainer;
 
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.concurrent.*;
 
 /**
  * switcher的公共函数
@@ -68,10 +67,9 @@ public static PollutedVarsPointsToAnalysis doMethodAnalysis(Context context,
  methodRef.setInitialed(true);
  methodRef.setActionInitialed(true);
  return pta;
- }catch (RuntimeException e){
- e.printStackTrace();
+ }catch (Exception e){
+ throw new RuntimeException(e);
  }
- return null;
  }
 
 

src/main/java/tabby/analysis/switcher/value/SimpleRightValueSwitcher.java

@@ -4,9 +4,9 @@
 import soot.Local;
 import soot.Value;
 import soot.jimple.*;
+import tabby.analysis.data.TabbyVariable;
 import tabby.analysis.switcher.Switcher;
 import tabby.config.GlobalConfiguration;
-import tabby.analysis.data.TabbyVariable;
 
 /**
  * @author wh1t3P1g

src/main/java/tabby/core/collector/CallGraphCollector.java

@@ -5,12 +5,11 @@
 import org.springframework.stereotype.Service;
 import soot.Modifier;
 import soot.SootMethod;
-import tabby.core.container.DataContainer;
 import tabby.analysis.data.Context;
 import tabby.analysis.switcher.Switcher;
-import tabby.analysis.PollutedVarsPointsToAnalysis;
 import tabby.common.bean.ref.MethodReference;
 import tabby.common.utils.TickTock;
+import tabby.core.container.DataContainer;
 
 /**
  * @author wh1t3P1g
@@ -46,17 +45,21 @@ public void collect(MethodReference methodRef, DataContainer dataContainer, Tick
  return;
  }
 
- log.debug(method.getDeclaringClass().getName()+" "+method.getName());
+// if(!methodRef.getSignature().equals("")){
+// tickTock.countDown();
+// return;
+// }
+
+ log.debug(method.getDeclaringClass().getName()+" "+method.getName()); // TODO debug
 
  Context context = Context.newInstance(method.getSignature(), methodRef);
 
- PollutedVarsPointsToAnalysis pta =
- Switcher.doMethodAnalysis(
- context, dataContainer,
- method, methodRef);
+ Switcher.doMethodAnalysis(context, dataContainer, method, methodRef);
  context.clear();
  }catch (RuntimeException e){
- e.printStackTrace();
+ log.error("Something error on call graph. " + methodRef.getSignature());
+ String msg = e.getMessage();
+ log.error(msg);
  }catch (Exception e){
  if(e instanceof InterruptedException) {
  log.error("Thread interrupted. " + methodRef.getSignature());

src/main/java/tabby/core/collector/ClassInfoCollector.java

@@ -8,12 +8,11 @@
 import soot.tagkit.AnnotationTag;
 import soot.tagkit.Tag;
 import soot.tagkit.VisibilityAnnotationTag;
-import tabby.core.container.DataContainer;
-import tabby.core.container.RulesContainer;
-import tabby.common.rule.TabbyRule;
 import tabby.common.bean.edge.Has;
 import tabby.common.bean.ref.ClassReference;
 import tabby.common.bean.ref.MethodReference;
+import tabby.core.container.DataContainer;
+import tabby.core.container.RulesContainer;
 
 import java.util.*;
 import java.util.concurrent.CompletableFuture;
@@ -68,46 +67,7 @@ public static void extractMethodInfo(SootMethod method,
  RulesContainer rulesContainer = dataContainer.getRulesContainer();
  String classname = ref.getName();
  MethodReference methodRef = MethodReference.newInstance(classname, method);
- TabbyRule.Rule rule = rulesContainer.getRule(classname, methodRef.getName());
-
- if (rule == null) { // 对于ignore类型，支持多级父类和接口的规则查找
- for (String relatedClassname : relatedClassnames) {
- TabbyRule.Rule tmpRule = rulesContainer.getRule(relatedClassname, methodRef.getName());
- if (tmpRule != null && tmpRule.isIgnore()) {
- rule = tmpRule;
- break;
- }
- }
- }
- boolean isSink = false;
- boolean isIgnore = false;
- boolean isSource = false;
- if(rule != null && (rule.isEmptySignaturesList() || rule.isContainsSignature(methodRef.getSignature()))){
- // 当rule存在signatures时，该rule为精确匹配，否则为模糊匹配，仅匹配函数名是否符合
- isSink = rule.isSink();
- isIgnore = rule.isIgnore();
- isSource = rule.isSource();
-
- // 此处，对于sink、know、ignore类型的规则，直接选取先验知识
- // 对于source类型 不赋予其actions和polluted
- if (!isSource) {
- Map<String, String> actions = rule.getActions();
- List<Integer> polluted = rule.getPolluted();
- if(isSink){
- methodRef.setVul(rule.getVul());
- }
- methodRef.setActions(actions!=null?actions:new HashMap<>());
- methodRef.setPollutedPosition(polluted!=null?polluted:new ArrayList<>());
- methodRef.setActionInitialed(true);
- if(isIgnore){// 不构建ignore的类型
- methodRef.setInitialed(true);
- }
- }
- }
-
- methodRef.setSink(isSink);
- methodRef.setIgnore(isIgnore);
- methodRef.setSource(isSource);
+ rulesContainer.applyRule(classname, methodRef, relatedClassnames);
  methodRef.setEndpoint(ref.isStrutsAction() || isEndpoint(method, relatedClassnames));
  methodRef.setNettyEndpoint(isNettyEndpoint(method, relatedClassnames));
  methodRef.setGetter(isGetter(method));

src/main/java/tabby/core/container/DataContainer.java

@@ -254,6 +254,7 @@ public MethodReference getOrAddMethodRef(SootMethodRef sootMethodRef, SootMethod
 
  if(methodRef == null){
  methodRef = MethodReference.newInstance(classRef.getName(), method);
+ rulesContainer.applyRule(cls.getName(), methodRef, new HashSet<>());
  Has has = Has.newInstance(classRef, methodRef);
  if(!classRef.getHasEdge().contains(has)){
  classRef.getHasEdge().add(has);

src/main/java/tabby/core/container/RulesContainer.java

@@ -3,6 +3,7 @@
 import lombok.Data;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Component;
+import tabby.common.bean.ref.MethodReference;
 import tabby.config.GlobalConfiguration;
 import tabby.common.rule.TabbyRule;
 import tabby.common.utils.FileUtils;
@@ -42,6 +43,49 @@ public TabbyRule.Rule getRule(String classname, String method){
  return null;
  }
 
+ public void applyRule(String classname, MethodReference methodRef, Set<String> relatedClassnames){
+ TabbyRule.Rule rule = getRule(classname, methodRef.getName());
+
+ if (rule == null) { // 对于ignore类型，支持多级父类和接口的规则查找
+ for (String relatedClassname : relatedClassnames) {
+ TabbyRule.Rule tmpRule = getRule(relatedClassname, methodRef.getName());
+ if (tmpRule != null && tmpRule.isIgnore()) {
+ rule = tmpRule;
+ break;
+ }
+ }
+ }
+ boolean isSink = false;
+ boolean isIgnore = false;
+ boolean isSource = false;
+ if(rule != null && (rule.isEmptySignaturesList() || rule.isContainsSignature(methodRef.getSignature()))){
+ // 当rule存在signatures时，该rule为精确匹配，否则为模糊匹配，仅匹配函数名是否符合
+ isSink = rule.isSink();
+ isIgnore = rule.isIgnore();
+ isSource = rule.isSource();
+
+ // 此处，对于sink、know、ignore类型的规则，直接选取先验知识
+ // 对于source类型 不赋予其actions和polluted
+ if (!isSource) {
+ Map<String, String> actions = rule.getActions();
+ List<Integer> polluted = rule.getPolluted();
+ if(isSink){
+ methodRef.setVul(rule.getVul());
+ }
+ methodRef.setActions(actions!=null?actions:new HashMap<>());
+ methodRef.setPollutedPosition(polluted!=null?polluted:new ArrayList<>());
+ methodRef.setActionInitialed(true);
+ if(isIgnore){// 不构建ignore的类型
+ methodRef.setInitialed(true);
+ }
+ }
+ }
+
+ methodRef.setSink(isSink);
+ methodRef.setIgnore(isIgnore);
+ methodRef.setSource(isSource);
+ }
+
  public TabbyRule getRule(String classname){
  return rules.getOrDefault(classname, null);
  }

src/main/java/tabby/core/scanner/ClassInfoScanner.java

@@ -63,7 +63,10 @@ public Map<String, CompletableFuture<ClassReference>> loadAndExtract(List<String
 
  for (String cl : classes) {
  try{
- SootClass theClass = Scene.v().loadClassAndSupport(cl);
+
+// if(!cl.startsWith("")) continue;
+
+ SootClass theClass = Scene.v().loadClassAndSupport(cl); // TODO debug
  if (!theClass.isPhantom()) {
  // 这里存在类数量不一致的情况，是因为存在重复的对象
  results.put(cl, collector.collect(theClass));