
ArrayIndexOutOfBoundsException when constructing call graph with CAst

Open mattkindy opened this issue 5 years ago • 2 comments

Running the following PeekErrorCase through the below JavaSourceAnalysisEngine leads to an error:

java.lang.ArrayIndexOutOfBoundsException: Index -1 out of bounds for length 0
    at com.ibm.wala.util.collections.IntStack.peek(IntStack.java:33)
    at com.ibm.wala.cast.ir.ssa.AbstractSSAConversion.top(AbstractSSAConversion.java:459)
    at com.ibm.wala.cast.ir.ssa.AbstractSSAConversion.SearchPreRec(AbstractSSAConversion.java:365)
    at com.ibm.wala.cast.ir.ssa.AbstractSSAConversion.SEARCH(AbstractSSAConversion.java:299)
    at com.ibm.wala.cast.ir.ssa.AbstractSSAConversion.renameVariables(AbstractSSAConversion.java:262)
    at com.ibm.wala.cast.ir.ssa.AbstractSSAConversion.perform(AbstractSSAConversion.java:137)
    at com.ibm.wala.cast.ir.ssa.SSAConversion.perform(SSAConversion.java:673)
    at com.ibm.wala.cast.ir.ssa.SSAConversion.convert(SSAConversion.java:739)
    at com.ibm.wala.cast.ir.ssa.SSAConversion.convert(SSAConversion.java:720)
    at com.ibm.wala.cast.ir.ssa.AstIRFactory$AstIR.<init>(AstIRFactory.java:139)
    at com.ibm.wala.cast.ir.ssa.AstIRFactory$AstIR.<init>(AstIRFactory.java:73)
    at com.ibm.wala.cast.ir.ssa.AstIRFactory.makeIR(AstIRFactory.java:165)
    at com.ibm.wala.cast.ir.ssa.AstIRFactory$AstDefaultIRFactory.makeIR(AstIRFactory.java:57)
    at com.ibm.wala.ssa.SSACache.findOrCreateIR(SSACache.java:69)
    at com.ibm.wala.ipa.callgraph.AnalysisCache.getIR(AnalysisCache.java:74)
    at com.ibm.wala.ipa.callgraph.propagation.cfa.ContextInsensitiveSSAInterpreter.getIR(ContextInsensitiveSSAInterpreter.java:45)
    at com.ibm.wala.ipa.callgraph.propagation.cfa.DelegatingSSAContextInterpreter.getIR(DelegatingSSAContextInterpreter.java:49)
    at com.ibm.wala.ipa.callgraph.propagation.cfa.DelegatingSSAContextInterpreter.getIR(DelegatingSSAContextInterpreter.java:53)
    at com.ibm.wala.ipa.callgraph.impl.ExplicitCallGraph$ExplicitNode.getIR(ExplicitCallGraph.java:295)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder.getTargetPointerKey(SSAPropagationCallGraphBuilder.java:2291)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder.processCallingConstraints(SSAPropagationCallGraphBuilder.java:1723)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder.processResolvedCall(SSAPropagationCallGraphBuilder.java:1672)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder.access$200(SSAPropagationCallGraphBuilder.java:99)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder$ConstraintVisitor.visitInvokeInternal(SSAPropagationCallGraphBuilder.java:1183)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder$ConstraintVisitor.visitInvoke(SSAPropagationCallGraphBuilder.java:1138)
    at com.ibm.wala.ssa.SSAInvokeInstruction.visit(SSAInvokeInstruction.java:94)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder.addBlockInstructionConstraints(SSAPropagationCallGraphBuilder.java:272)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder.addNodeInstructionConstraints(SSAPropagationCallGraphBuilder.java:249)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagationCallGraphBuilder.unconditionallyAddConstraintsFromNode(SSAPropagationCallGraphBuilder.java:225)
    at com.ibm.wala.ipa.callgraph.propagation.SSAPropagation

new JavaSourceAnalysisEngine() {
  @Override
  protected ClassLoaderFactory getClassLoaderFactory(SetOfClasses exclusions) {
    return new ECJClassLoaderFactory(exclusions);
  }

  @Override
  protected Iterable<Entrypoint> makeDefaultEntrypoints(@NonNull final AnalysisScope scope,
                                                        final IClassHierarchy cha) {
    return new AllApplicationEntrypoints(scope, cha);
  }
};

public class PeekErrorCase {

  public void start() {
    System.out.println(""); // Any method invocation here

    final int num = true ? 1 : 1; // has to be a ternary?
    new Object() {
      public int hashCode() {
        return num; // must use num in this function
      }
    };
  }
}

I suspect something weird is going on with the SSA conversion regarding the phi blocks, based on the instructions dump:

Instructions:
BB0
BB1
0   v4 = getstatic < Source, Ljava/lang/System, out, <Source,Ljava/io/PrintStream> >PeekErrorCase.java [4:4] -> [4:14]
1   invokevirtual < Source, Ljava/io/PrintStream, println(Ljava/lang/String;)V > v4,v5:# @1 exception:v6PeekErrorCase.java [4:4] -> [4:26]
BB2
2   conditional branch(eq, to iindex=5) v8:#true,v9:#0PeekErrorCase.java [6:20] -> [6:32]
BB3
3   v7 := v10:#1                             PeekErrorCase.java [6:20] -> [6:32]
4   goto (from iindex= 4 to iindex = 6)      PeekErrorCase.java [6:20] -> [6:32]
BB4
5   v7 := v10:#1                             PeekErrorCase.java [6:20] -> [6:32]
BB5
           v7 = phi  v7,v7
6   v11 = new <Source,LPeekErrorCase/start()V/<anonymous subclass of java.lang.Object>$1>@6PeekErrorCase.java [7:4] -> [11:5]
BB6
7   invokespecial < Source, LPeekErrorCase/start()V/<anonymous subclass of java.lang.Object>$1, <init>()V > v11 @7 exception:v13PeekErrorCase.java [7:4] -> [11:5]
BB7
           v7 = phi  v7,v7,v7

mattkindy, Jan 28 '20 20:01

Thanks for the clear bug report, @mattkindy-praetorian!

msridhar, Jan 28 '20 22:01

@juliandolby is this fixed now?

msridhar, Mar 05 '21 23:03