Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Does scope affect the analysis order? Is it possible to specify the analysis order? #118

Closed
YunFy26 opened this issue Sep 10, 2024 · 2 comments
Closed

Does scope affect the analysis order? Is it possible to specify the analysis order? #118

YunFy26 opened this issue Sep 10, 2024 · 2 comments
Labels
type: question

Comments

@YunFy26
Copy link

YunFy26 commented Sep 10, 2024

📝 Overall Description

When I use Tai-e to analyze a web project, I cannot use Tai-e to analyze the web project directly because the web project has multiple entry points

I customized a new analysis to extract multiple entry points of the web

public class RouterAnalysis extends ProgramAnalysis {

    public static final String ID = "routerAnalysis";

    public RouterAnalysis(AnalysisConfig config) {
        super(config);
    }

    @Override
    public Object analyze() {

        return ;
    }
}

Then I customized the Plugin

public class myPlugin implements Plugin {

		...
		...

    @Override
    public void setSolver(Solver solver) {
			...
    }


    @Override
    public void onStart() {
        World world = World.get();
        List<ControllerClass> routerAnalysis = world.getResult("routerAnalysis");
        solver.addEntryPoint(...);
    }
}

When I specify scope as APP or ALL, Tai-e can correctly perform routerAnalysis and successfully construct a multi-entry callgraph

However, when the scope is specified as APP, it seems that the control flow analysis of the function calls of the third-party dependencies in the project cannot be performed (the CFG of the methods in the third-party dependencies cannot be constructed), so I specify the scope as REACHABLE, and then I run Tai-e, but the following exception is thrown

Exception in thread "main" java.lang.NullPointerException: Cannot invoke "java.util.List.iterator()" because "routerAnalysis" is null

The routerAnalysis was not successful at this time, so world.getResult("routerAnalysis"); got null

According to https://tai-e.pascal-lab.net/docs/current/reference/en/command-line-options.html,

• REACHABLE: classes that are reachable in the call graph (this scope requires analysis cg, i.e., call graph construction)

This means that Tai-e first builds cg before any analysis. cg is built in pta mode, and in the pointer analysis plugin

public void onStart() {
        World world = World.get();
        List<ControllerClass> routerAnalysis = world.getResult("routerAnalysis");
        solver.addEntryPoint(...);
    }

At this time, using world.getResult("routerAnalysis"); will get null, because routerAnalysis has not been run yet

But if I specify scope as ALL, it seems that a lot of unnecessary analysis will be performed? If the scope is ALL and the ir-dumper option is turned on, apple.*.tir and com.apple.*.tir will appear, which has nothing to do with the project I want to analyze...

So I would like to ask, when the scope is REACHABLE, can I still perform routerAnalysis analysis first, extract the entry and then use solver.addEntryPoint(...); to build cg

🎯 Expected Behavior

none

🐛 Current Behavior

none

🔄 Reproducible Example

No response

⚙️ Tai-e Arguments

🔍 Click here to see Tai-e Options 
optionsFile: null
printHelp: false
# WebGoat libs
classPath :
- WebGoat/BOOT-INF/lib
#  - /Users/yuntsy/My/Projects/Java/SpringTest/build/libs/BOOT-INF/lib
# appClass
appClassPath: [WebGoat/BOOT-INF/classes]
#appClassPath: [/Users/yuntsy/My/Projects/Java/SpringTest/build/classes/java/main]
mainClass:
inputClasses: []
javaVersion: 17
prependJVM: true
allowPhantom: true
worldBuilderClass: pascal.taie.frontend.soot.SootWorldBuilder
outputDir: output
preBuildIR: false
worldCacheMode: false
scope: APP
nativeModel: true
planFile: null
analyses:
#  ir-dumper: ;
routerAnalysis: ""
beanAnalysis: ""
cg: ""
cfg: ""
icfg: ""
pta: "plugins:[org.example.spring.myPlugin]"


onlyGenPlan: false
keepResult:
- $KEEP-ALL
🔍 Click here to see Tai-e Analysis Plan 
{{The content of 'output/tai-e-plan.yml' file}}

📜 Tai-e Log

🔍 Click here to see Tai-e Log 
Writing log to /Users/yuntsy/My/Projects/Java/WebAnalyzer/output/tai-e.log
java.version: 17.0.11
java.version.date: 2024-04-16
java.runtime.version: 17.0.11+7-LTS-207
java.vendor: Oracle Corporation
java.vendor.version: null
os.name: Mac OS X
os.version: 14.6.1
os.arch: aarch64
Tai-e Version: 0.5.1-SNAPSHOT
Tai-e Commit: b6cdf904ea0511ca96acba1b3a4d22090d88eb9a
Writing analysis plan to /Users/yuntsy/My/Projects/Java/WebAnalyzer/output/tai-e-plan.yml
WorldBuilder starts ...
Warning: main class was not given!
10778 classes with 102972 methods in the world
WorldBuilder finishes, elapsed time: 2.35s
pta starts ...

ℹ️ Additional Information

No response
@zhangt2333
Copy link
Member

The Analysis Manager automatically determines the execution order of analyses based on the requires field in this configuration file. You can configure other analyses to depend on yours by modifying this field.

@YunFy26
Copy link
Author

YunFy26 commented Sep 11, 2024

Oh, I'm sorry I forgot about this configuration...Thanks!

@YunFy26 YunFy26 closed this as completed Sep 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zhangt2333 @YunFy26