This is the latest pre-release for version 0.5.2-SNAPSHOT. Details of the changes can be found in the CHANGELOG.md. Please note that this pre-release will be removed once the stable version is officially released, and it may be overridden by newer snapshot versions as they are published.

New Features

• Add side-effect analysis.
• The options --class-path and --app-class-path can be repeated multiple times to specify multiple paths.
• Pointer analysis
  • Add Plugin.onPhaseFinish().
  • Support specifying multiple method signatures in one @InvokeHandler annotation.
  • Add getInfo() to call graph edges and pointer flow edges.
  • Add pointer analysis assertion mechanism to ease testing.
  • Add pascal.taie.analysis.pta.plugin.util.AnalysisModelPluginand IRModelPlugin to replace original Model and IRModel, provide more convenient interfaces to support @InvokeHandler.
• Taint analysis
  • Support specifying IndexRef (e.g., index: "0[*]" and index: "0.f") in call sources and parameter sources.
  • Support specifying IndexRef in sinks.
  • Support interactive mode, allowing users to modify the taint configuration file and re-run taint analysis without needing to re-run the whole program analysis.
  • Enhance TFG dumping by adding taint configuration and call site info to Source/Sink node and TaintTransfer edge.
  • Support programmatic taint config provider.
  • Add commonly used taint configurations.
• Class hierarchy analysis (CHA)
  • Support ignoring call sites that call methods declared in java.lang.Object.
  • Support ignoring call sites whose callees exceed given limit.
• Signature pattern and matcher
  • Add pascal.taie.language.classes.SignatureMatcher which supports retrieving classes, methods, or fields whose signature match given pattern.
  • Use signature matcher in taint analysis and @InvokeHandler to simplify signature configuration.

Breaking Changes

• API changes
  • Change Solver.addPFGEdge(Pointer,Pointer,FlowKind,Type) and Solver.addPFGEdge(Pointer,Pointer,FlowKind,Transfer) to Solver.addPFGEdge(PointerFlowEdge) and related APIs.
  • Deprecate pascal.taie.analysis.pta.plugin.util.Model and IRModel (these two interfaces are currently preserved for compatibility, and will be removed in the future).
  • Change PrimitiveType from enum to an interface and implement it by classes that represent concrete primitive types. Refine the types of certain expressions from PrimitiveType to the concrete primitive types.

Fixes

• Fix incorrect classpath argument for the frontend where the -acp option is not being used. This issue is only reproducible when --prepend-JVM (-pp) is set to true.
• Fix mismatch between number of parameter names and number of actual parameters in JMethod for inner class.
• Fix option parser, now treat only the first colon as delimiter between a key and a value (before each colon is treated as delimiter).
• Fix empty log file when running via JAR.

Contributors

We would like to thank the following community members for their contributions to the releases (v0.5.1, v0.2.2) of Tai-e: Wangxiz, Chenghang Shi, YaphetsH, GnSight, Zhaohui Wang, cs-cat, Yinning Xiao, Zhiwei Zhang, Hengbin Zheng, Chenxi Zhang.

New Features

• Add option --app-class-path.
• Add option --keep-results.
• Add option --output-dir.
• Add option -wc, --world-cache-mode.
• Add def-use analysis.
• Add dominator-finding algorithm.
• Add generics signature information for Class, Method, and Field.
• Include documentation source in the repository.
• Taint analysis
  • Support taint source for arguments of method calls and method parameters.
  • Support taint source for field loads.
  • Support taint sanitization for method parameters.
  • Dump taint flow graph.
  • Support loading multiple taint configuration files.
  • Support taint transfer between variables and instance fields/array elements.
  • Support call-site mode.
• Pointer analysis
  • Support adding entry points of the program to analyze.
  • Support analysis time limit.
  • Support propagation for values of primitive types.
  • Support hybrid inference-based and log-based reflection analysis.
  • Add Solar reflection analysis (TOSEM'19).
  • Support annotation-based invoke handler registration.
  • Support dumping points-to set in YAML format.

Breaking Changes

• Option and configuration changes
  • Change All dump related options. Previously, most dump options require users to specify a path to dump file; now, Tai-e uses fixed path for dump file (the file name is fully fixed, and users can still change dump directory via option --output-dir), so that users only need to specify true or false for all dump options.
  • Rename analysis class-dumper to ir-dumper.
  • Pointer analysis
    • Replace merge-string-constants by distinguish-string-constants.
    • Replace action by dump and expected-file.
  • Taint analysis
    • Require to add kind to source configurations. Previously, the taint analysis only supports one kind of sources, i.e., result of method call. Now, we support more kinds of sources, including argument or result of method call (kind: call), and method parameter (kind: param) , so users need to specify kind of each source. Please see an example.
• API changes
  • Change pascal.taie.analysis.pta.core.heap.HeapModel.getMockObj(String,...) to HeapModel.getMockObj(Descriptor,...).
  • Change APIs of pascal.util.graph.Edge and its subclasses.
  • Change return type of Exp.getUses() to Set<RValue>.
  • Change return type of Stmt.getUses() to Set<RValue>.