Java: model remaining top-500 JDK APIs#11968
Conversation
atorralba
left a comment
atorralba
left a comment
There was a problem hiding this comment.
Great job Jami! This must have been exhausting 😅
I added some comments below, let me know what you think.
Re: your questions.
Should any of the
java.lang.reflectmodels be summaries instead of neutral?
Answered in my comments.
Should the model for
java.util.ResourceBundle#getString(String)be different (or not modeled by MaD)? I wasn't able to get a working test case for this one, and I'm suspicious that my model is too simple, but am not sure how to properly model it.
It looks good (assuming the inaccuracy of getting a string with a different key than the one that tainted the map in the first place, otherwise we should move this outside of MaD indeed). Maybe your test needs to create a MapValue-tainted ResourceBundle so that getString can obtain it? Let me know if you need help in writing a test like that.
Does the model for
java.util.concurrent.atomic.AtomicReference#set(Object)look okay? It seems to be causing the removal of an alert in DCA for thejava/unsafe-cert-trustquery on theapache__geodeDB, and I'm not entirely sure why.
It looks correct. The only thing that comes to mind that could cause what you describe is field branch flow limit (you made a path one step too long, and it went beyond the threshold). Happy to pair to debug this if you need.
|
Re: your questions about leaving things that could be sinks as neutral summaries. Right now, they're just neutral models, there's no distinction between summaries and sinks (actually, the latter don't even exist). So as long as we remember to remove them/specify they are neutral summaries when the time comes, they can stay. |
jcogs33
force-pushed
the
jcogs33/model-more-top-jdk-apis-300-500
branch
3 times, most recently
from
05391e3 to
7a1b74b
Compare
jcogs33
force-pushed
the
jcogs33/model-more-top-jdk-apis-300-500
branch
from
5ed55d2 to
222e6f0
Compare
2 participants
Description:
This PR adds missing MaD summary models for the remaining top-500 JDK APIs. (This PR models the last 300 APIs. The first 200 were reviewed and modeled in #11572 and #11779).
Consideration:
Please review the added models in detail for correctness, especially the following:
java.lang.reflectmodels be summaries instead of neutral?java.util.ResourceBundle#getString(String)be different (or not modeled by MaD)? I wasn't able to get a working test case for this one, and I'm suspicious that my model is too simple, but am not sure how to properly model it.java.util.concurrent.atomic.AtomicReference#set(Object)look okay? It seems to be causing the removal of an alert in DCA for thejava/unsafe-cert-trustquery on theapache__geodeDB, and I'm not entirely sure why.Note: The new DCA alerts look mostly okay to me based on initial spot-checking. I'll do another DCA run if I end up changing models during review.