Temp variables not cleared when reinitializing in interactive mode of taint analysis

[zhangt2333]

📝 Overall Description

When re-initialize Taint Analysis, the temporary variables added during the previous round of taint analysis have not been cleared. This causes the number of pointers to continuously increase when repeatedly re-running taint analysis.

🎯 Expected Behavior

-------------- Pointer analysis statistics: --------------
#var pointers:                39 (insens) / 39 (sens)
#objects:                     15 (insens) / 15 (sens)
#var points-to:               61 (insens) / 61 (sens)
#static field points-to:      0 (sens)
#instance field points-to:    4 (sens)
#array points-to:             1 (sens)
#reachable methods:           16 (insens) / 16 (sens)
#call graph edges:            27 (insens) / 27 (sens)
----------------------------------------
...
...
-------------- Pointer analysis statistics: --------------
#var pointers:                39 (insens) / 39 (sens)
#objects:                     15 (insens) / 15 (sens)
#var points-to:               61 (insens) / 61 (sens)
#static field points-to:      0 (sens)
#instance field points-to:    4 (sens)
#array points-to:             1 (sens)
#reachable methods:           16 (insens) / 16 (sens)
#call graph edges:            27 (insens) / 27 (sens)
----------------------------------------

🐛 Current Behavior

-------------- Pointer analysis statistics: --------------
#var pointers:                39 (insens) / 39 (sens)
#objects:                     15 (insens) / 15 (sens)
#var points-to:               61 (insens) / 61 (sens)
#static field points-to:      0 (sens)
#instance field points-to:    4 (sens)
#array points-to:             1 (sens)
#reachable methods:           16 (insens) / 16 (sens)
#call graph edges:            27 (insens) / 27 (sens)
----------------------------------------
...
...
-------------- Pointer analysis statistics: --------------
#var pointers:                49 (insens) / 49 (sens)
#objects:                     15 (insens) / 15 (sens)
#var points-to:               65 (insens) / 65 (sens)
#static field points-to:      0 (sens)
#instance field points-to:    4 (sens)
#array points-to:             1 (sens)
#reachable methods:           16 (insens) / 16 (sens)
#call graph edges:            27 (insens) / 27 (sens)
----------------------------------------

🔄 Reproducible Example

    @org.junit.jupiter.api.Test
    void testBackPropagation() {
        String ptaOpts = """
            pta=
            implicit-entries:false;
            only-app:true;
            distinguish-string-constants:all;
            taint-config:src/test/resources/pta/taint/taint-config.yml;
            taint-interactive-mode:%s;
            """;

        // run in non-interactive mode
        pascal.taie.Main.main(
                "-pp",
                "-cp", "src/test/resources/pta/taint",
                "-m", "BackPropagation",
                "-a", String.format(ptaOpts, "false")
        );

        // run in interactive mode
        InputStream originalSystemIn = System.in;
        try {
            String simulatedStdin = "r\ne\n";
            System.setIn(new ByteArrayInputStream(simulatedStdin.getBytes()));
            pascal.taie.Main.main(
                    "-pp",
                    "-cp", "src/test/resources/pta/taint",
                    "-m", "BackPropagation",
                    "-a", String.format(ptaOpts, "true")
            );
        } finally {
            System.setIn(originalSystemIn);
        }
    }

[jjppp]

The cause for this outcome seems to be two-folded:

Temporary Var generation

TransferHandler creates temporary variables and adds them to the pta solver. Since Vars in Tai-e do not implement equals and hashCode, repeatedly created Vars are treated as different variables even though they have the same name and are associated to the same method.

Tai-e/src/main/java/pascal/taie/analysis/pta/plugin/taint/TransferHandler.java

Lines 272 to 275 in 12e7c43

	private Var getTempVar(JMethod container, Type type) {
	String varName = "%taint-temp-" + counter++;
	return new Var(container, varName, type, -1);
	}

Change of reachable methods due to taint MockObjs

TaintAnalysis adds artificial MockObjs to represent taint objects to the pta solver. The addition of such objects may trigger more methods to be reachable, and thus more variables (method parameters, in this case) are marked reachable and visible in the resulting output.

Tai-e/src/main/java/pascal/taie/analysis/pta/plugin/taint/TaintAnalysis.java

Lines 164 to 185 in 12e7c43

	// trigger the creation of taint objects
	CallGraph<CSCallSite, CSMethod> cg = solver.getCallGraph();
	if (cg != null) {
	CSManager csManager = solver.getCSManager();
	boolean handleStmt = context.config().callSiteMode()
	|| context.config().sources().stream().anyMatch(FieldSource.class::isInstance);
	cg.reachableMethods().forEach(csMethod -> {
	JMethod method = csMethod.getMethod();
	Context ctxt = csMethod.getContext();
	IR ir = csMethod.getMethod().getIR();
	if (handleStmt) {
	ir.forEach(stmt -> onNewStmt(stmt, method));
	}
	this.onNewCSMethod(csMethod);
	csMethod.getEdges().forEach(this::onNewCallEdge);
	ir.getParams().forEach(param -> {
	CSVar csParam = csManager.getCSVar(ctxt, param);
	onNewPointsToSet(csParam, csParam.getPointsToSet());
	});
	});
	}
	}