Re: [abc-users] tracematches on local variables

From: Pavel Avgustinov <>
Date: Sun, 23 Nov 2008 16:03:09 +0000

(Apologies for the delay with this, the message was stuck in a mail
queue since this morning without my noticing.)


Just before sending the message below, I tried compiling and running the
sample code I included with abc's old Polyglot-based frontend. With
that, I could reproduce exactly the behaviour you describe -- no matches
occur, unless each assignment of d.filter() is to a new local! This is
clearly a bug in the old frontend.

However, that is pretty much deprecated and almost unmaintained at this
point. I would strongly recommend you use "-ext" rather than
"-ext" when compiling tracematches, so that you get all the
benefits fo abc's shiny new JastAddJ-based frontend.

The original message is still included below for reference.



Hi there,

First off, tracematches are not concerned with local variables -- state
is tracked at the level of object instances, and so whether something is
stored in a local, a field, or a new local should not make a difference.

Having said that, I've looked at your example quite carefully, and I
think I see a possible cause of the problem. Your code reads:

    sym input after returning (from) :
        call(Data DataFactory.makeData(String)) && call(*

Note, however, that since no method is called makeData and markAsTainted
at the same time, this pointcut *never matches*. Indeed, for me abc
gives a warning to that effect.

Now, I assume you either meant disjunction ("||" rather than "&&"), or
you only meant calls to markAsTainted. If I fix this, things work
exactly as I expect: When I compile the program given below and run it,
I get the following output:

% java DataFactory
propagating from Tainted to Tainted#filtered
propagating from Tainted#filtered to Tainted#filtered#filtered

Having said this, I'm not sure why changing the assignment of d.filter()
to a new local made a difference for you, since the 'input' event should
still not have matched anywhere.

Here's the code that I used:

public aspect DataFactory {

static class Data {
private String str;
public Data(String s) {
str = s;

public String toString() {
return str;

public Data filter() {
return new Data((str+"#filtered").intern());

public static Data makeData(String s) {
return new Data(s.intern());

public static Data markAsTainted(Data d) { return d; }

public static void main(String[] args) {
Data d = makeData("Tainted");
d = d.filter();
d = d.filter();

tracematch (Data from, Data to) {
sym input after returning (from) :
//call(Data DataFactory.makeData(String)) && call(* *.markAsTainted(..));
call(* *.markAsTainted(..));
sym propagation after returning(to) :
call(Data Data.filter()) && target(from);

input propagation+ {
System.out.println("propagating from " + from + " to " + to);

Hope this helps,
- Pavel

Kazunori Kawauchi wrote:
> Hi,
> I'm a Kazunori Kawauchi and a doctoral student supervised by Dr. Hidehiko
> Masuhara at University of Tokyo.
> I attempt to implement "dataflow pointcut" which is analogous to "taint mode" in
> perl by using tracematch (included in abc 1.3.0) to implement "taint bit
> propagation". But, Some propagations on local variables doesn't work.
> I define the following tracematch:
> tracematch (Data from, Data to) {
> sym input after returning (from) :
> call(Data DataFactory.makeData(String)) && call(* *.markAsTainted(..));
> sym propagation after returning (to) :
> call(Data Data.filter()) && target(from);
> input propagation+ {
> System.out.println(" DEBUG: propagation from " + from + " to " + to);
> markAsTainted(to) // (Identity function)
> }
> }
> Then I define an application program too (I'll show the excerpt of the program):
> Data d = DataFactory.makeData("Tainted");
> d = d.filter(); // I would like to propagate a 'taint bit'
> But, the above tracematch body(i.e., taint bit propagation) isn't executed.
> I found suspicious instructions in the weaved bytecode:
> 61: aload_0
> 62: invokevirtual #43; //Method app/Data.filter:()Lapp/Data;
> 65: astore_0
> 66: goto 84
> (snip)
> 84: aload_1
> 85: invokevirtual #34; //Method tracematches/SampleTM.beforeafter$3:()V
> 88: aload_1
> 89: aload_0
> 90: aload_0
> 91: invokevirtual #14; //Method
> tracematches/SampleTM.afterReturning$2:(Lapp/Data;Lapp/Data;)V
> local variable "d" is allocated to #0, and an aspect instance to #1.
> Instruction 65 ("astore_0") overwrites a old value of 'd'(i.e., 'from') by a
> filtered value of 'd'(i.e., 'to'), and Instruction 91 ("invokevirtual") takes
> the filtered value as a value bound to 'from' in the tracematch body, doesn't it?
> Is it a correct behavior in terms of tracematches semantics?
> I also found taint bit propagation occurs with the following modification:
> Data d = DataFactory.makeData("Tainted");
> Data new_d = d.filter()
> in this case, the value bound to 'new_d' is marked as tainted.
> Thank you for your help in this matter.
> Regards,
> Kazunori Kawauchi
Received on Sun Nov 23 2008 - 16:04:07 GMT

This archive was generated by hypermail 2.2.0 : Mon Nov 24 2008 - 10:30:12 GMT