📝 Overall Description
I'm testing ant-sast-java-benchmark: https://github.com/alipay/ant-application-security-testing-benchmark/tree/main/sast-java
When I only add one Spring EntryPoint in EntryPointHandler.java, like:
```java
@Override
public void onStart() {
    // process program main method
    JMethod main = World.get().getMainMethod();
    if (main != null) {
        solver.addEntryPoint(new EntryPoint(main,
                new DeclaredParamProvider(main, solver.getHeapModel(), 1)));
    }
    // test: add a single EntryPoint
    JClass source = solver.getHierarchy().getClass("com.sast.astbenchmark.case_language_maturity.accuracy.object_field_sensitive.field_sensitive_interface_class.AccessPathChainAlias_004_F");
    solver.addEntryPoint(new EntryPoint(source.getDeclaredMethod("testcase"), EmptyParamProvider.get()));
    // process implicit entries
    if (solver.getOptions().getBoolean("implicit-entries")) {
        for (JMethod entry : World.get().getImplicitEntries()) {
            solver.addEntryPoint(new EntryPoint(entry, EmptyParamProvider.get()));
        }
    }
}
```
and I add all Spring methods as sources in SourceHandler.java, like:
```java
private void handleParamSource(CSMethod csMethod) {
    JMethod method = csMethod.getMethod();
    if (paramSources.containsKey(method)) {
        // configured parameter sources (from the taint config)
        Context context = csMethod.getContext();
        IR ir = method.getIR();
        paramSources.get(method).forEach(source -> {
            IndexRef indexRef = source.indexRef();
            Var param = ir.getParam(indexRef.index());
            SourcePoint sourcePoint = new ParamSourcePoint(method, indexRef, source);
            Obj taint = manager.makeTaint(sourcePoint, source.type());
            switch (indexRef.kind()) {
                case VAR -> solver.addVarPointsTo(context, param, taint);
                case ARRAY, FIELD -> sourceInfos.put(
                        param, new SourceInfo(indexRef, taint));
            }
        });
    } else {
        // custom: add source points for every String parameter of a
        // Spring @*Mapping-annotated method
        if (!method.getAnnotations().stream().filter(
                annotation -> annotation.getType().matches("org.springframework.web.bind.annotation.\\w+Mapping")
        ).toList().isEmpty()) {
            Context context = csMethod.getContext();
            IR ir = method.getIR();
            for (int i = 0; i < ir.getParams().size(); i++) {
                Var param = ir.getParam(i);
                Type type = param.getType();
                if (!Objects.equals(type.getName(), "java.lang.String")) {
                    continue;
                }
                IndexRef indexRef = new IndexRef(IndexRef.Kind.VAR, i, null);
                ParamSource source = new ParamSource(method, indexRef, type);
                SourcePoint sourcePoint = new ParamSourcePoint(method, indexRef, source);
                Obj taint = manager.makeTaint(sourcePoint, param.getType());
                solver.addVarPointsTo(context, param, taint);
            }
        }
    }
}
```
I run pta, and the result is:
It looks like this entry cannot reach the sink (Runtime.exec).
But when I add all Spring methods as EntryPoints, like this:
```java
@Override
public void onStart() {
    // process program main method
    JMethod main = World.get().getMainMethod();
    if (main != null) {
        solver.addEntryPoint(new EntryPoint(main,
                new DeclaredParamProvider(main, solver.getHeapModel(), 1)));
    }
    // add all *Mapping-annotated methods as entry points
    List<JClass> list = solver.getHierarchy().applicationClasses().toList();
    AtomicInteger cnt = new AtomicInteger(0);
    for (JClass jClass : list) {
        jClass.getDeclaredMethods().forEach(jMethod -> {
            if (!jMethod.getAnnotations().stream().filter(
                    annotation -> annotation.getType().matches("org.springframework.web.bind.annotation.\\w+Mapping")
            ).toList().isEmpty()) {
                solver.addEntryPoint(new EntryPoint(jMethod, EmptyParamProvider.get()));
                logger.info("added EntryPoint: {}", jMethod);
                cnt.incrementAndGet();
            }
        });
    }
    logger.warn("added {} EntryPoints", cnt);
    // process implicit entries
    if (solver.getOptions().getBoolean("implicit-entries")) {
        for (JMethod entry : World.get().getImplicitEntries()) {
            solver.addEntryPoint(new EntryPoint(entry, EmptyParamProvider.get()));
        }
    }
}
```
The source is the same as above, but the result is different, like this:
It looks like the same entry can reach the sink.
Is this difference in results reasonable?
🎯 Expected Behavior
Reply and explain why the difference exists.
🐛 Current Behavior
none
🔄 Reproducible Example
No response
⚙️ Tai-e Arguments
Tai-e Options: {{The content of 'output/options.yml' file}}
Tai-e Analysis Plan: {{The content of 'output/tai-e-plan.yml' file}}
📜 Tai-e Log
{{The content of 'output/tai-e.log' file}}
ℹ️ Additional Information
No response