[Bug][kotlin2cpg] flow suddenly disappears if the sink is in the sources set #5053

Open
xavierpinho opened this issue Nov 4, 2024 · 1 comment
Labels: bug (Something isn't working), kotlin (Relates to kotlin2cpg)

Comments

@xavierpinho
Contributor

We've noticed that having a sink in the sources set changes the outcome of reachableBy in unexpected ways. Below are three test cases showing this behaviour.

Joern version: 4.0.131

Test case 1 ✅

Source is literals, and works as expected.

val cpg = code("""
        |const val SRC = "src"
        |fun doStuff() {
        | println(SRC)
        |}
        |""".stripMargin)
val literals = cpg.literal.l
val sink     = cpg.call("println").argument(1).l
val source   = literals
sink.reachableByFlows(source).map(flowToResultPairs).l shouldBe List(
  List(("const val SRC = \"src\"", Some(2)), ("println(SRC)", Some(4)))
)

Test case 2 ✅

Source is sink, and works as expected.

val cpg = code("""
        |const val SRC = "src"
        |fun doStuff() {
        | println(SRC)
        |}
        |""".stripMargin)
val literals = cpg.literal.l
val sink     = cpg.call("println").argument(1).l
val source   = sink
sink.reachableByFlows(source).map(flowToResultPairs).l shouldBe List(
  List(("println(SRC)", Some(4)))
)

Test case 3 ❌

Source is literals plus sinks, and misses the result from Test case 1. That is, this test case's outcome is the same as that of Test case 2.

val cpg = code("""
        |const val SRC = "src"
        |fun doStuff() {
        | println(SRC)
        |}
        |""".stripMargin)
val literals = cpg.literal.l
val sink     = cpg.call("println").argument(1).l
val source   = literals ++ sink
sink.reachableByFlows(source).map(flowToResultPairs).l shouldBe List(
  List(("const val SRC = \"src\"", Some(2)), ("println(SRC)", Some(4))),
  List(("println(SRC)", Some(4)))
)

The expected behaviour would be for Test case 3 to output 2 results, namely those from Test case 1 and 2.

@DavidBakerEffendi
Collaborator

@xavierpinho, from what I understand, there is a mechanism in the data-flow engine where the shortest path is returned if found, but also a path length ≤ 1 is filtered out - these might be running in an order where flows disappear.
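
Added example, not part of the thread and not Joern code: a toy Python model of the first mechanism the comment above describes (only the shortest flow per sink is kept), showing how it reproduces the outcomes of all three test cases, plus a differential check that surfaces the dropped flow. The node names, the edge map and the dedup rule are assumptions made for illustration; the path-length filter the comment also mentions is not modelled.

```python
# Toy model, not Joern's engine: node names and the dedup rule are assumptions.
from collections import deque

# Constructed data-flow edges for the issue's snippet: the literal "src"
# (line 2) flows into the println argument SRC (line 4).
EDGES = {'"src"@2': ["SRC@4"], "SRC@4": []}
LITERALS = ['"src"@2']
SINKS = ["SRC@4"]

def all_flows(sources, sinks):
    """Every simple path from a source to a sink.
    A source that is itself a sink yields a one-node path."""
    flows = []
    for src in sources:
        queue = deque([[src]])
        while queue:
            path = queue.popleft()
            if path[-1] in sinks:
                flows.append(path)
            for nxt in EDGES.get(path[-1], []):
                if nxt not in path:  # keep paths simple (no cycles)
                    queue.append(path + [nxt])
    return flows

def shortest_per_sink(flows):
    """Assumed dedup stage: keep only the shortest flow ending at each sink."""
    best = {}
    for flow in flows:
        sink = flow[-1]
        if sink not in best or len(flow) < len(best[sink]):
            best[sink] = flow
    return list(best.values())

def query(sources, sinks):
    """Toy stand-in for sink.reachableByFlows(source)."""
    return shortest_per_sink(all_flows(sources, sinks))

def dropped_flows(source_groups, sinks):
    """Flows found when each source group is queried alone but missing
    from the single query over the combined source set."""
    combined = query([s for group in source_groups for s in group], sinks)
    separate = [f for group in source_groups for f in query(group, sinks)]
    return [f for f in separate if f not in combined]
```

In this model the one-node flow that starts at the sink shadows the longer literal flow, so a non-empty `dropped_flows` result marks a query whose combined source set hides results. Running the real query once per source group and concatenating the results is the corresponding cross-check against false negatives.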
