Hopefully the last fix for the type refinement

Author: t1mlange

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/taintWrappers/SummaryTaintWrapper.java

@@ -1720,7 +1720,7 @@ protected Taint addSinkTaint(MethodFlow flow, Taint taint, GapDefinition gap, St
 		String sBaseType = sinkType == null ? null : "" + sinkType;
 		if (!flow.getIgnoreTypes()) {
 			// Compute the new base type
-			Type newBaseType = manager.getTypeUtils().getMorePreciseType(sinkType, taintType);
+			Type newBaseType = manager.getTypeUtils().getMorePreciseType(taintType, sinkType);
 			if (newBaseType == null)
 				newBaseType = sinkType;
 

soot-infoflow-summaries/test/soot/jimple/infoflow/test/methodSummary/ApiClassClient.java

@@ -604,4 +604,10 @@ public void testTypeNarrowing() {
 		Object[] splitted = secret.split(";");
 		sink(splitted);
 	}
+
+	public void testTypeNarrowing2() {
+		int secret = intSource();
+		String formatted = String.format("%d", secret);
+		sink(formatted);
+	}
 }

soot-infoflow-summaries/test/soot/jimple/infoflow/test/methodSummary/junit/SummaryTaintWrapperTests.java

@@ -346,6 +346,11 @@ public void testTypeNarrowing() {
 		testFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void testTypeNarrowing()>", 1);
 	}
 
+	@Test(timeout = 30000)
+	public void testTypeNarrowing2() {
+		testFlowForMethod("<soot.jimple.infoflow.test.methodSummary.ApiClassClient: void testTypeNarrowing2()>", 1);
+	}
+
 	@Test
 	public void testAllSummaries() throws URISyntaxException, IOException {
 		EagerSummaryProvider provider = new EagerSummaryProvider(TaintWrapperFactory.DEFAULT_SUMMARY_DIR);

soot-infoflow/src/soot/jimple/infoflow/typing/TypeUtils.java

@@ -206,49 +206,41 @@ public boolean hasCompatibleTypesForCall(AccessPath apBase, SootClass dest) {
 	 * @return The more precise one of the two given types
 	 */
 	public Type getMorePreciseType(Type possibleRefinement, Type declType) {
-		final FastHierarchy fastHierarchy = scene.getOrMakeFastHierarchy();
-
-		if (declType == null)
-			return possibleRefinement;
-		else if (possibleRefinement == null)
-			return declType;
-		else if (declType == possibleRefinement)
-			return declType;
-		else if (TypeUtils.isObjectLikeType(declType))
-			return possibleRefinement;
-		else if (TypeUtils.isObjectLikeType(possibleRefinement))
-			return declType;
-		else if (declType instanceof PrimType && possibleRefinement instanceof PrimType)
-			return null;
-		else if (fastHierarchy.canStoreType(possibleRefinement, declType))
-			return possibleRefinement;
-		else if (fastHierarchy.canStoreType(declType, possibleRefinement))
-			return declType;
-		else {
-			// If one type is an array type and the other one is the base type,
-			// we still accept the cast
-			if (declType instanceof ArrayType && possibleRefinement instanceof ArrayType) {
-				ArrayType at1 = (ArrayType) possibleRefinement;
-				ArrayType at2 = (ArrayType) declType;
-				if (at1.numDimensions != at2.numDimensions)
-					return null;
-				Type preciseType = getMorePreciseType(at1.getElementType(), at2.getElementType());
-				if (preciseType == null)
-					return null;
-
-				return ArrayType.v(preciseType, at2.numDimensions);
-			} else if (declType instanceof ArrayType) {
-				ArrayType at = (ArrayType) declType;
-				Type preciseType = getMorePreciseType(possibleRefinement, at.getElementType());
-				if (preciseType == null)
-					return null;
-
-				return ArrayType.v(preciseType, at.numDimensions);
-			} else if (possibleRefinement instanceof ArrayType) {
-				ArrayType at = (ArrayType) possibleRefinement;
-				return getMorePreciseType(at.getElementType(), declType);
-			}
+		if (declType instanceof ArrayType && possibleRefinement instanceof ArrayType) {
+			ArrayType at = (ArrayType) declType;
+			Type morePreciseType = getMorePreciseType(((ArrayType) possibleRefinement).baseType, at.baseType);
+			if (morePreciseType != null)
+				return ArrayType.v(morePreciseType, at.numDimensions);
+		} else if (declType instanceof ArrayType) {
+			ArrayType at = (ArrayType) declType;
+			Type morePreciseType = getMorePreciseType(possibleRefinement, at.baseType);
+			if (morePreciseType != null)
+				return ArrayType.v(morePreciseType, at.numDimensions);
+		} else if (possibleRefinement instanceof ArrayType) {
+			return getMorePreciseType(((ArrayType) possibleRefinement).baseType, declType);
+		} else {
+			final FastHierarchy fastHierarchy = scene.getOrMakeFastHierarchy();
+
+			if (declType == null)
+				return possibleRefinement;
+			else if (possibleRefinement == null)
+				return declType;
+			else if (declType == possibleRefinement)
+				return declType;
+			// Prevent declType=Object and refinement=String[] from returning String[]
+			// See testTypeNarrowing2
+			else if (TypeUtils.isObjectLikeType(declType))
+				return possibleRefinement;
+			else if (TypeUtils.isObjectLikeType(possibleRefinement))
+				return declType;
+			else if (declType instanceof PrimType && possibleRefinement instanceof PrimType)
+				return null;
+			else if (fastHierarchy.canStoreType(possibleRefinement, declType))
+				return possibleRefinement;
+			else if (fastHierarchy.canStoreType(declType, possibleRefinement))
+				return declType;
 		}
+
 		return null;
 	}