Merge pull request #802 from t1mlange/develop

Fix type refinement in `SummaryTaintWrapper`

Author: StevenArzt

soot-infoflow-summaries/test/soot/jimple/infoflow/test/methodSummary/ApiClassClient.java

@@ -585,16 +585,23 @@ public void stringConcatTest() {
 	}
 
 	public void listIrrelevantItemTest() {
-		String secret = TelephonyManager.getDeviceId();
+		String secret = stringSource();
 
 		List<Object> lvar = new ArrayList<>();
 		Boolean bvar = true;
 
 		lvar.add(secret); // Adds tainted data to the list
 		lvar.add(bvar);
 
-		ConnectionManager cm = new ConnectionManager();
-		cm.publish(bvar);
+		sink(bvar);
 	}
 
+	public void testTypeNarrowing() {
+		String secret = stringSource();
+		// split: String -> String[]
+		// Tests that getMorePreciseType correctly
+		// keeps the array in the type
+		Object[] splitted = secret.split(";");
+		sink(splitted);
+	}
 }

soot-infoflow-summaries/test/soot/jimple/infoflow/test/methodSummary/junit/BaseSummaryTaintWrapperTests.java

@@ -51,7 +51,7 @@ protected void testFlowForMethod(String m) {
 	}
 
 	protected void testFlowForMethod(String m, int count) {
-
+		testFlowForMethod(m, count, null);
 	}
 
 	protected void testFlowForMethod(String m, int count, Consumer<InfoflowConfiguration> configCallback) {

soot-infoflow-summaries/test/soot/jimple/infoflow/test/methodSummary/junit/SummaryTaintWrapperTests.java

@@ -338,7 +338,12 @@ public void stringConcatTest() {
 
 	@Test(timeout = 30000)
 	public void listIrrelevantItemTest() {
-		testFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void listIrrelevantItemTest()>", 1);
+		testNoFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void listIrrelevantItemTest()>");
+	}
+
+	@Test(timeout = 30000)
+	public void testTypeNarrowing() {
+		testFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void testTypeNarrowing()>", 1);
 	}
 
 	@Test

soot-infoflow/src/soot/jimple/infoflow/typing/TypeUtils.java

@@ -189,66 +189,67 @@ public boolean hasCompatibleTypesForCall(AccessPath apBase, SootClass dest) {
 	/**
 	 * Gets the more precise one of the two given types. If there is no ordering
 	 * (i.e., the two types are not cast-compatible) null is returned.
-	 * 
-	 * @param tp1 The first type
-	 * @param tp2 The second type
+	 * IMPORTANT: this method is not commutative on array types. The second type must
+	 * always be the declared type, which is used to infer the array depth.
+	 * Consider, for example, the case
+	 *   objArr[i] = str;
+	 * where we can narrow the type of objArr to String[]. Vice versa,
+	 *   obj = strArr[i];
+	 * allows us to narrow the type of obj to String. Therefore,
+	 * getMorePreciseType(String, Object[]) should return String[] and
+	 * getMorePreciseType(Object[], String) should return String.
+	 *
+	 * @param possibleRefinement The first type
+	 * @param declType The second type
 	 * @return The more precise one of the two given types
 	 */
-	public Type getMorePreciseType(Type tp1, Type tp2) {
+	public Type getMorePreciseType(Type possibleRefinement, Type declType) {
 		final FastHierarchy fastHierarchy = scene.getOrMakeFastHierarchy();
 
-		if (tp1 == null)
-			return tp2;
-		else if (tp2 == null)
-			return tp1;
-		else if (tp1 == tp2)
-			return tp1;
-		else if (TypeUtils.isObjectLikeType(tp1))
-			return tp2;
-		else if (TypeUtils.isObjectLikeType(tp2))
-			return tp1;
-		else if (tp1 instanceof PrimType && tp2 instanceof PrimType)
+		if (declType == null)
+			return possibleRefinement;
+		else if (possibleRefinement == null)
+			return declType;
+		else if (declType == possibleRefinement)
+			return declType;
+		else if (TypeUtils.isObjectLikeType(declType))
+			return possibleRefinement;
+		else if (TypeUtils.isObjectLikeType(possibleRefinement))
+			return declType;
+		else if (declType instanceof PrimType && possibleRefinement instanceof PrimType)
 			return null;
-		else if (fastHierarchy.canStoreType(tp2, tp1))
-			return tp2;
-		else if (fastHierarchy.canStoreType(tp1, tp2))
-			return tp1;
+		else if (fastHierarchy.canStoreType(possibleRefinement, declType))
+			return possibleRefinement;
+		else if (fastHierarchy.canStoreType(declType, possibleRefinement))
+			return declType;
 		else {
 			// If one type is an array type and the other one is the base type,
 			// we still accept the cast
-			if (tp1 instanceof ArrayType && tp2 instanceof ArrayType) {
-				ArrayType at1 = (ArrayType) tp1;
-				ArrayType at2 = (ArrayType) tp2;
+			if (declType instanceof ArrayType && possibleRefinement instanceof ArrayType) {
+				ArrayType at1 = (ArrayType) declType;
+				ArrayType at2 = (ArrayType) possibleRefinement;
 				if (at1.numDimensions != at2.numDimensions)
 					return null;
 				Type preciseType = getMorePreciseType(at1.getElementType(), at2.getElementType());
 				if (preciseType == null)
 					return null;
 
 				return ArrayType.v(preciseType, at1.numDimensions);
-			} else if (tp1 instanceof ArrayType) {
-				ArrayType at = (ArrayType) tp1;
-				return getMorePreciseType(at.getElementType(), tp2);
-			} else if (tp2 instanceof ArrayType) {
-				ArrayType at = (ArrayType) tp2;
-				return getMorePreciseType(tp1, at.getElementType());
+			} else if (declType instanceof ArrayType) {
+				ArrayType at = (ArrayType) declType;
+				Type preciseType = getMorePreciseType(at.getElementType(), possibleRefinement);
+				if (preciseType == null)
+					return null;
+
+				return ArrayType.v(preciseType, at.numDimensions);
+			} else if (possibleRefinement instanceof ArrayType) {
+				ArrayType at = (ArrayType) possibleRefinement;
+				return getMorePreciseType(at.getElementType(), declType);
 			}
 		}
 		return null;
 	}
 
-	/**
-	 * Gets the more precise one of the two given types
-	 * 
-	 * @param tp1 The first type
-	 * @param tp2 The second type
-	 * @return The more precise one of the two given types
-	 */
-	public String getMorePreciseType(String tp1, String tp2) {
-		Type newType = getMorePreciseType(getTypeFromString(tp1), getTypeFromString(tp2));
-		return newType == null ? null : "" + newType;
-	}
-
 	/**
 	 * Creates a Soot Type from the given string
 	 *