Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

`OP_INVOKEDYNAMIC` is not be handled correctly in `CallResolver`

See original GitHub issue

I’m using CallResolver to make a call graph for CPA algorithm.

My Java source code:

List<String> names = new ArrayList();
names.add(request.getParameter("as"));
names.forEach(System.out::println);

Compiled bytecodes:

       200: getstatic     #214                // Field java/lang/System.out:Ljava/io/PrintStream;
       203: dup
       204: invokevirtual #220                // Method java/lang/Object.getClass:()Ljava/lang/Class;
       207: pop
       208: invokedynamic #229,  0            // InvokeDynamic #0:accept:(Ljava/io/PrintStream;)Ljava/util/function/Consumer;
       213: invokeinterface #230,  2          // InterfaceMethod java/util/List.forEach:(Ljava/util/function/Consumer;)V

When CallResolver run into line 208, it is handled in handleInvokeDynamic as follows:

    private void handleInvokeDynamic(CodeLocation location, InvokeDynamicConstant constant)
    {
        if (lambdaExpressionMap.containsKey(constant))
        {
            LambdaExpression target = lambdaExpressionMap.get(constant);
            addCall(location,
                    target.invokedClassName,
                    target.invokedMethodName,
                    target.invokedMethodDesc,
                    Value.NEVER,
                    Instruction.OP_INVOKEDYNAMIC,
                    false
            );
        }
        else
        {
            log.debug("invokedynamic without matching lambda expression at {}", location);
        }
    }

Notice that it using the target method and class info to create a call node instead of bootstrap method (factoryMethodDescriptor).

In my case:

And the problem is, when we taking this wrong call node to transfer state in CPA algorithm,

since the target invokedMethod returned the type V, so no callSite will be pushed in the frame. (makes the stack unbalanced)

Finally when arriving to JvmTransferRelation:processCall

operands.add(state.pop()); will pop from a null operands, so get CPA run stopped for the following error: null …

Issue Analytics

State:
Created a year ago
Comments:6 (4 by maintainers)

Top GitHub Comments

1reaction

Masrepuscommented, Sep 1, 2022

I see. For the time being, we use the CFA for modeling control flow information in CPA, which can be constructed e.g. with this utility method. But semantically it is equivalent to general control flow information, so you could theoretically also create the CFA inside your PartialEvaluator execution.

0reactions

t3lscommented, Sep 1, 2022

Yes, I’m using PartialEvaluator not only for collecting particular values, but collecting control flow information in the meantime. So I prefer to reuse it in CPA.