Invalidate StringBuilder/Buffer arguments of unknown calls that might modify them

Dominik Helm · Dominik Helm · commit 88af66c16c3c · 2025-07-02T14:48:19.000+02:00
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/StringInterpreter.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/StringInterpreter.scala
@@ -50,9 +50,6 @@ trait StringInterpreter {
 
     protected[this] def computeFinalResult(p: StringFlowFunctionProperty)(implicit state: InterpretationState): Result =
         StringInterpreter.computeFinalResult(p)
-
-    protected[this] def isStringBuilderBufferCall(call: Call[V]): Boolean =
-        (call.declaringClass eq ClassType.StringBuilder) || (call.declaringClass eq ClassType.StringBuffer)
 }
 
 object StringInterpreter {
@@ -76,6 +73,32 @@ object StringInterpreter {
 
     def computeFinalResult(p: StringFlowFunctionProperty)(implicit state: InterpretationState): Result =
         Result(FinalEP(InterpretationHandler.getEntity(state), p))
+
+    def invalidEntitiesForUnknownCall(call: Call[V], target: Option[PV] = None)(implicit
+        state: InterpretationState
+    ): Set[PV] = {
+        val relevantParameters = call.descriptor.parameterTypes.iterator.zipWithIndex.collect {
+            case (p, index)
+                if p.isClassType && ((p.asClassType eq ClassType.StringBuilder) || (p.asClassType eq ClassType.StringBuffer)) =>
+                call.params(index)
+        }
+        val relevantReceiver = call.receiverOption.filter { _ => isStringBuilderBufferCall(call) }
+        (relevantParameters ++ relevantReceiver).map(_.asVar.toPersistentForm(state.tac.stmts)).toSet ++ target
+    }
+
+    def uninterpretedCall(call: Call[V], target: Option[PV] = None)(implicit
+        state:         InterpretationState,
+        highSoundness: Boolean
+    ): Result = {
+        val relevantEntities = invalidEntitiesForUnknownCall(call, target)
+        val webs = relevantEntities.map(PDUWeb(state.pc, _))
+        val flow = StringFlowFunctionProperty.constForEntities(state.pc, relevantEntities, failureTree)
+        val p = StringFlowFunctionProperty(webs, flow)
+        Result(FinalEP(InterpretationHandler.getEntity(state), p))
+    }
+
+    def isStringBuilderBufferCall(call: Call[V]): Boolean =
+        (call.declaringClass eq ClassType.StringBuilder) || (call.declaringClass eq ClassType.StringBuffer)
 }
 
 /**
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l0/interpretation/L0InterpretationHandler.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l0/interpretation/L0InterpretationHandler.scala
@@ -30,14 +30,10 @@ class L0InterpretationHandler(implicit override val project: SomeProject) extend
             SimpleValueConstExprInterpreter.interpretExpr(stmt, expr)
         case stmt @ Assignment(_, _, expr: BinaryExpr[V]) => BinaryExprInterpreter().interpretExpr(stmt, expr)
 
-        case ExprStmt(_, expr: InstanceFunctionCall[V]) => StringInterpreter.failure(expr.receiver.asVar)
-
-        case vmc: VirtualMethodCall[V]     => StringInterpreter.failure(vmc.receiver.asVar)
-        case nvmc: NonVirtualMethodCall[V] => StringInterpreter.failure(nvmc.receiver.asVar)
-
-        // Static calls without return value usage are irrelevant
-        case ExprStmt(_, _: StaticFunctionCall[V]) | _: StaticMethodCall[V] =>
-            StringInterpreter.computeFinalResult(StringFlowFunctionProperty.identity)
+        case ExprStmt(_, call: InstanceFunctionCall[V]) => StringInterpreter.uninterpretedCall(call)
+        case Assignment(_, target, call: InstanceFunctionCall[V]) =>
+            StringInterpreter.uninterpretedCall(call, Some(target.asVar.toPersistentForm(state.tac.stmts)))
+        case call: MethodCall[V] => StringInterpreter.uninterpretedCall(call)
 
         case Assignment(_, target, _) => StringInterpreter.failure(target)
 
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1FunctionCallInterpreter.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1FunctionCallInterpreter.scala
@@ -105,10 +105,10 @@ trait L1FunctionCallInterpreter
             }
         }
 
-        tryComputeFinalResult
+        computeResult
     }
 
-    private def tryComputeFinalResult(
+    private def computeResult(
         implicit
         state:     InterpretationState,
         callState: CallState
@@ -172,7 +172,7 @@ trait L1FunctionCallInterpreter
             case EUBP(_, _: StringConstancyProperty) =>
                 val contextEPS = eps.asInstanceOf[EOptionP[VariableDefinition, StringConstancyProperty]]
                 callState.updateReturnDependee(contextEPS.e.m, contextEPS)
-                tryComputeFinalResult(state, callState)
+                computeResult(state, callState)
 
             case _ => throw new IllegalArgumentException(s"Encountered unknown eps: $eps")
         }
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1NonVirtualFunctionCallInterpreter.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1NonVirtualFunctionCallInterpreter.scala
@@ -35,7 +35,10 @@ case class L1NonVirtualFunctionCallInterpreter()(
         val target = expr.receiver.asVar.toPersistentForm(state.tac.stmts)
         val calleeMethod = expr.resolveCallTarget(state.dm.definedMethod.classFile.thisType)
         if (calleeMethod.isEmpty) {
-            return failure(target)
+            return StringInterpreter.uninterpretedCall(
+                expr,
+                expr.receiverOption.map { _.asVar.toPersistentForm(state.tac.stmts) }
+            )
         }
 
         val m = calleeMethod.value
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1NonVirtualMethodCallInterpreter.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1NonVirtualMethodCallInterpreter.scala
@@ -28,10 +28,11 @@ case class L1NonVirtualMethodCallInterpreter()(
 
     override def interpret(call: T)(implicit state: InterpretationState): ProperPropertyComputationResult = {
         call.name match {
-            case "<init>" if isStringBuilderBufferCall(call) || (call.declaringClass eq ClassType.String) =>
+            case "<init>"
+                if StringInterpreter.isStringBuilderBufferCall(call) || (call.declaringClass eq ClassType.String) =>
                 interpretInit(call)
             case _ =>
-                computeFinalResult(StringFlowFunctionProperty.identity)
+                StringInterpreter.uninterpretedCall(call)
         }
     }
 
@@ -49,7 +50,7 @@ case class L1NonVirtualMethodCallInterpreter()(
                     (env: StringTreeEnvironment) => env.update(pc, targetVar, env(pc, paramVar))
                 )
             case _ =>
-                failure(targetVar)
+                StringInterpreter.uninterpretedCall(init)
         }
     }
 }
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1StaticFunctionCallInterpreter.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1StaticFunctionCallInterpreter.scala
@@ -48,7 +48,7 @@ case class L1StaticFunctionCallInterpreter()(
             case _
                 if (call.descriptor.returnType eq ClassType.String) || (call.descriptor.returnType eq ClassType.Object) =>
                 interpretArbitraryCall(target, call)
-            case _ => failure(target)
+            case _ => StringInterpreter.uninterpretedCall(call, Some(target))
         }
     }
 }
@@ -67,7 +67,7 @@ private[string] trait L1ArbitraryStaticFunctionCallInterpreter
     ): ProperPropertyComputationResult = {
         val calleeMethod = call.resolveCallTarget(state.dm.definedMethod.classFile.thisType)
         if (calleeMethod.isEmpty) {
-            return failure(target)
+            return StringInterpreter.uninterpretedCall(call, Some(target))
         }
 
         val m = calleeMethod.value
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1VirtualFunctionCallInterpreter.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1VirtualFunctionCallInterpreter.scala
@@ -52,9 +52,9 @@ class L1VirtualFunctionCallInterpreter(
         val pt = call.receiver.asVar.toPersistentForm(state.tac.stmts)
 
         call.name match {
-            case "append" if isStringBuilderBufferCall(call)  => interpretAppendCall(at, pt, call)
-            case "toString"                                   => interpretToStringCall(at, pt)
-            case "replace" if isStringBuilderBufferCall(call) => interpretReplaceCall(pt)
+            case "append" if StringInterpreter.isStringBuilderBufferCall(call)  => interpretAppendCall(at, pt, call)
+            case "toString"                                                     => interpretToStringCall(at, pt)
+            case "replace" if StringInterpreter.isStringBuilderBufferCall(call) => interpretReplaceCall(pt)
             case "substring" if call.descriptor.returnType eq ClassType.String =>
                 interpretSubstringCall(at, pt, call)
             case _ =>
@@ -76,7 +76,7 @@ class L1VirtualFunctionCallInterpreter(
                     case _ if at.isDefined =>
                         interpretArbitraryCall(at.get, call)
                     case _ =>
-                        computeFinalResult(StringFlowFunctionProperty.identity)
+                        StringInterpreter.uninterpretedCall(call)
                 }
         }
     }
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1VirtualMethodCallInterpreter.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l1/interpretation/L1VirtualMethodCallInterpreter.scala
@@ -31,7 +31,7 @@ case class L1VirtualMethodCallInterpreter()(
         val pReceiver = call.receiver.asVar.toPersistentForm(state.tac.stmts)
 
         call.name match {
-            case "setLength" if isStringBuilderBufferCall(call) =>
+            case "setLength" if StringInterpreter.isStringBuilderBufferCall(call) =>
                 call.params.head.asVar.value match {
                     case TheIntegerValue(intVal) if intVal == 0 =>
                         computeFinalResult(StringFlowFunctionProperty.constForVariableAt(
@@ -63,7 +63,7 @@ case class L1VirtualMethodCallInterpreter()(
                 }
 
             case _ =>
-                computeFinalResult(StringFlowFunctionProperty.identity)
+                StringInterpreter.uninterpretedCall(call)
         }
     }
 }
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l3/interpretation/L3FieldReadInterpreter.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/analyses/string/l3/interpretation/L3FieldReadInterpreter.scala
@@ -153,10 +153,10 @@ class L3FieldReadInterpreter(
 
         accessState.fieldAccessDependee = accessDependee
 
-        tryComputeFinalResult
+        computeResult
     }
 
-    private def tryComputeFinalResult(implicit
+    private def computeResult(implicit
         accessState: FieldReadState,
         state:       InterpretationState
     ): ProperPropertyComputationResult = {
@@ -214,7 +214,7 @@ class L3FieldReadInterpreter(
 
             case UBP(_: StringConstancyProperty) =>
                 accessState.updateAccessDependee(eps.asInstanceOf[EOptionP[VariableDefinition, StringConstancyProperty]])
-                tryComputeFinalResult(accessState, state)
+                computeResult(accessState, state)
 
             case _ => throw new IllegalArgumentException(s"Encountered unknown eps: $eps")
         }
diff --git a/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/properties/string/StringFlowFunction.scala b/OPAL/tac/src/main/scala/org/opalj/tac/fpcf/properties/string/StringFlowFunction.scala
@@ -64,6 +64,15 @@ object StringFlowFunctionProperty extends StringFlowFunctionPropertyMetaInformat
 
     def constForAll(result: StringTreeNode): StringFlowFunctionProperty =
         StringFlowFunctionProperty(Set.empty[PDUWeb], ConstForAllFlow(result))
+
+    def constForEntities(pc: Int, entities: Iterable[PV], result: StringTreeNode): StringFlowFunction = {
+        (env: StringTreeEnvironment) =>
+            {
+                var updatedEnv = env
+                entities.foreach { p => updatedEnv = updatedEnv.update(pc, p, result) }
+                updatedEnv
+            }
+    }
 }
 
 trait StringFlowFunction extends (StringTreeEnvironment => StringTreeEnvironment)

Original file line number	Diff line number	Diff line change
`@@ -105,10 +105,10 @@ trait L1FunctionCallInterpreter`
`105`	`105`	`}`
`106`	`106`	`}`
`107`	`107`
`108`		`- tryComputeFinalResult`
	`108`	`+ computeResult`
`109`	`109`	`}`
`110`	`110`
`111`		`- private def tryComputeFinalResult(`
	`111`	`+ private def computeResult(`
`112`	`112`	`implicit`
`113`	`113`	`state: InterpretationState,`
`114`	`114`	`callState: CallState`
`@@ -172,7 +172,7 @@ trait L1FunctionCallInterpreter`
`172`	`172`	`case EUBP(_, _: StringConstancyProperty) =>`
`173`	`173`	`val contextEPS = eps.asInstanceOf[EOptionP[VariableDefinition, StringConstancyProperty]]`
`174`	`174`	`callState.updateReturnDependee(contextEPS.e.m, contextEPS)`
`175`		`- tryComputeFinalResult(state, callState)`
	`175`	`+ computeResult(state, callState)`
`176`	`176`
`177`	`177`	`case _ => throw new IllegalArgumentException(s"Encountered unknown eps: $eps")`
`178`	`178`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,10 +28,11 @@ case class L1NonVirtualMethodCallInterpreter()(`
`28`	`28`
`29`	`29`	`override def interpret(call: T)(implicit state: InterpretationState): ProperPropertyComputationResult = {`
`30`	`30`	`call.name match {`
`31`		`- case "<init>" if isStringBuilderBufferCall(call) \|\| (call.declaringClass eq ClassType.String) =>`
	`31`	`+ case "<init>"`
	`32`	`+ if StringInterpreter.isStringBuilderBufferCall(call) \|\| (call.declaringClass eq ClassType.String) =>`
`32`	`33`	`interpretInit(call)`
`33`	`34`	`case _ =>`
`34`		`- computeFinalResult(StringFlowFunctionProperty.identity)`
	`35`	`+ StringInterpreter.uninterpretedCall(call)`
`35`	`36`	`}`
`36`	`37`	`}`
`37`	`38`
`@@ -49,7 +50,7 @@ case class L1NonVirtualMethodCallInterpreter()(`
`49`	`50`	`(env: StringTreeEnvironment) => env.update(pc, targetVar, env(pc, paramVar))`
`50`	`51`	`)`
`51`	`52`	`case _ =>`
`52`		`- failure(targetVar)`
	`53`	`+ StringInterpreter.uninterpretedCall(init)`
`53`	`54`	`}`
`54`	`55`	`}`
`55`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ case class L1StaticFunctionCallInterpreter()(`
`48`	`48`	`case _`
`49`	`49`	`if (call.descriptor.returnType eq ClassType.String) \|\| (call.descriptor.returnType eq ClassType.Object) =>`
`50`	`50`	`interpretArbitraryCall(target, call)`
`51`		`- case _ => failure(target)`
	`51`	`+ case _ => StringInterpreter.uninterpretedCall(call, Some(target))`
`52`	`52`	`}`
`53`	`53`	`}`
`54`	`54`	`}`
`@@ -67,7 +67,7 @@ private[string] trait L1ArbitraryStaticFunctionCallInterpreter`
`67`	`67`	`): ProperPropertyComputationResult = {`
`68`	`68`	`val calleeMethod = call.resolveCallTarget(state.dm.definedMethod.classFile.thisType)`
`69`	`69`	`if (calleeMethod.isEmpty) {`
`70`		`- return failure(target)`
	`70`	`+ return StringInterpreter.uninterpretedCall(call, Some(target))`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`val m = calleeMethod.value`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ case class L1VirtualMethodCallInterpreter()(`
`31`	`31`	`val pReceiver = call.receiver.asVar.toPersistentForm(state.tac.stmts)`
`32`	`32`
`33`	`33`	`call.name match {`
`34`		`- case "setLength" if isStringBuilderBufferCall(call) =>`
	`34`	`+ case "setLength" if StringInterpreter.isStringBuilderBufferCall(call) =>`
`35`	`35`	`call.params.head.asVar.value match {`
`36`	`36`	`case TheIntegerValue(intVal) if intVal == 0 =>`
`37`	`37`	`computeFinalResult(StringFlowFunctionProperty.constForVariableAt(`
`@@ -63,7 +63,7 @@ case class L1VirtualMethodCallInterpreter()(`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`case _ =>`
`66`		`- computeFinalResult(StringFlowFunctionProperty.identity)`
	`66`	`+ StringInterpreter.uninterpretedCall(call)`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`	`}`