[core] Missing and invalid throws declarations

[nitram84]

Issue details

Jadx generates a throws declaration for each method annotated with dalvik.annotation.Throws. But this annotation is optional an not used at runtime ( https://stackoverflow.com/questions/14062434/throws-and-annotation-for-exception-in-dalvik-bytecode ), therefore can be removed ( https://github.com/facebook/redex/blob/main/config/aggressive.config#L62 ). If throws annotation are missing, the decompiled result has compile errors.

If throws annotation are not used at runtime, there is a possibility for bytecode manipulations. I did some tests: a thrown object can be anything and not necessarily a Throwable.

In my opinion jadx has to perform the same checks like a java compiler:
Collect all thrown exceptions for each method, calculate effective throws declarations, verify all throws annotations:
For each method: Follow the call graph of each method invocation; per method; aggregate all directly thrown exceptions and exceptions thrown by method invocations, merge collected exceptions with existing throws annotations, generate missing annotations and mark method as visited.

Is there an example for a visitor where we are traversing the call graph of each method? What is the best way to mark visited methods? A new JadxAttr?

Example:

###### Class jadx.test.MissingThrowsTest (jadx.test.MissingThrowsTest)
.class public Ljadx/test/MissingThrowsTest;
.super Ljava/lang/Object;
.source "MissingThrowsTest.java"


# direct methods
.method public constructor <init>()V
    .registers 1

    .line 6
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method

.method private exceptionSource()V
    .registers 3

    .line 8
    new-instance v0, Ljava/io/FileNotFoundException;

    const-string v1, ""

    invoke-direct {v0, v1}, Ljava/io/FileNotFoundException;-><init>(Ljava/lang/String;)V

    throw v0
.end method

.method private invalidException()V
    .registers 3
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/lang/String;
        }
    .end annotation

    .line 36
    new-instance v0, Ljava/io/FileNotFoundException;

    const-string v1, ""

    invoke-direct {v0, v1}, Ljava/io/FileNotFoundException;-><init>(Ljava/lang/String;)V

    throw v0
.end method


# virtual methods
.method public doSomething1(I)V
    .registers 3
    .param p1, "i"    # I

    .line 20
    const/4 v0, 0x1

    if-ne p1, v0, :cond_7

    .line 21
    invoke-virtual {p0, p1}, Ljadx/test/MissingThrowsTest;->doSomething2(I)V

    goto :goto_a

    .line 23
    :cond_7
    invoke-virtual {p0, p1}, Ljadx/test/MissingThrowsTest;->doSomething1(I)V

    .line 25
    :goto_a
    return-void
.end method

.method public doSomething2(I)V
    .registers 3
    .param p1, "i"    # I

    .line 28
    const/4 v0, 0x1

    if-ne p1, v0, :cond_7

    .line 29
    invoke-direct {p0}, Ljadx/test/MissingThrowsTest;->exceptionSource()V

    goto :goto_a

    .line 31
    :cond_7
    invoke-virtual {p0, p1}, Ljadx/test/MissingThrowsTest;->doSomething1(I)V

    .line 33
    :goto_a
    return-void
.end method

.method public mergeThrownExcetions()V
    .registers 1
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/io/IOException;
        }
    .end annotation

    .line 12
    invoke-direct {p0}, Ljadx/test/MissingThrowsTest;->exceptionSource()V

    .line 13
    return-void
.end method

.method public missingThrowsAnnotation()V
    .registers 1

    .line 16
    invoke-direct {p0}, Ljadx/test/MissingThrowsTest;->exceptionSource()V

    .line 17
    return-void
.end method

Actual result:

package jadx.test;

import java.io.FileNotFoundException;
import java.io.IOException;

/* loaded from: MissingThrowsTest.smali */
public class MissingThrowsTest {
    private void exceptionSource() { // Unhandled exception: java. io. FileNotFoundException
        throw new FileNotFoundException("");
    }

    public void mergeThrownExcetions() throws IOException {
        exceptionSource();
    }

    public void missingThrowsAnnotation() { // Unhandled exception: java. io. FileNotFoundException
        exceptionSource();
    }

    public void doSomething1(int i) { // Unhandled exception: java. io. FileNotFoundException
        if (i == 1) {
            doSomething2(i);
        } else {
            doSomething1(i);
        }
    }

    public void doSomething2(int i) { // Unhandled exception: java. io. FileNotFoundException
        if (i == 1) {
            exceptionSource();
        } else {
            doSomething1(i);
        }
    }

    private void invalidException() throws String { // error: incompatible types: String cannot be converted to Throwable + Unhandled exception: java. io. FileNotFoundException
        throw new FileNotFoundException("");
    }
}

Expected result:

package jadx.test;

import java.io.FileNotFoundException;
import java.io.IOException;

/* loaded from: MissingThrowsTest.smali */
public class MissingThrowsTest {
    private void exceptionSource() throws FileNotFoundException {
        throw new FileNotFoundException("");
    }

    public void mergeThrownExcetions() throws IOException {
        exceptionSource();
    }

    public void missingThrowsAnnotation() throws FileNotFoundException {
        exceptionSource();
    }

    public void doSomething1(int i) throws FileNotFoundException {
        if (i == 1) {
            doSomething2(i);
        } else {
            doSomething1(i);
        }
    }

    public void doSomething2(int i) throws FileNotFoundException {
        if (i == 1) {
            exceptionSource();
        } else {
            doSomething1(i);
        }
    }

    // JADX WARN: Skipped invalid throws annotation
    private void invalidException() throws FileNotFoundException {
        throw new FileNotFoundException("");
    }
}

Relevant log output or stacktrace

Provide sample and class/method full name

Real world example:

https://spider-solitaire-freecell.apk.gold/

Class com.startapp.android.publish.gson.stream.JsonReader

private IOException syntaxError(String message)

Jadx version

latest git master

[skylot]

Yay, another "do not trust bytecode" issue 🤣

Is there an example for a visitor where we are traversing the call graph of each method? What is the best way to mark visited methods? A new JadxAttr?

Looks like you can visit instructions pretty early, check AttachMethodDetails and add similar visitor after it. You don't need to go deep on method calls, because jadx "should" (I hope 🙂) process dependencies before the current class, so if you add a new attribute like "resolved throws", you should be able to read it on invoke instructions. One downside is a classpath methods (i.e. not from this app) may not be resolved if clsp data is mismatched. Anyway, using MethodUtils.getMethodDetails(BaseInvokeNode) on invoke insn should return IMethodDetails which has throws list and handle both app and clsp methods.

[skylot]

jadx "should" (I hope 🙂) process dependencies before the current class

Update: it is true only for first level of dependencies, deeper methods may be not yet loaded, so ... it is possible to go low level with code reader like in UsageInfoVisitor:

jadx/jadx-core/src/main/java/jadx/core/dex/visitors/usage/UsageInfoVisitor.java

Line 112 in a2bfe9b

codeReader.visitInstructions(insnData -> {

and traverse all instruction, but it may be slower and you may encounter loops 😢

[skylot]

Turns out, even first level method analysis might fail because of processing of that method in other thread:

java.util.ConcurrentModificationException: null
	at java.base/java.util.ArrayList$Itr.checkForComodification(ArrayList.java:1095)
	at java.base/java.util.ArrayList$Itr.next(ArrayList.java:1049)
	at jadx.core.dex.visitors.MethodThrowsVisitor.processInstructions(MethodThrowsVisitor.java:118)
	at jadx.core.dex.visitors.MethodThrowsVisitor.visit(MethodThrowsVisitor.java:69)
	at jadx.core.dex.visitors.MethodThrowsVisitor.checkInsn(MethodThrowsVisitor.java:176)
	at jadx.core.dex.visitors.MethodThrowsVisitor.processInstructions(MethodThrowsVisitor.java:132)
	at jadx.core.dex.visitors.MethodThrowsVisitor.visit(MethodThrowsVisitor.java:69)
	at jadx.core.dex.visitors.DepthTraversal.visit(DepthTraversal.java:25)
	at jadx.core.dex.visitors.DepthTraversal.lambda$visit$1(DepthTraversal.java:13)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at jadx.core.dex.visitors.DepthTraversal.visit(DepthTraversal.java:13)
	at jadx.core.ProcessClass.process(ProcessClass.java:74)
	at jadx.core.ProcessClass.generateCode(ProcessClass.java:109)
	at jadx.core.dex.nodes.ClassNode.generateClassCode(ClassNode.java:401)
	at jadx.core.dex.nodes.ClassNode.decompile(ClassNode.java:389)
	at jadx.core.dex.nodes.ClassNode.decompile(ClassNode.java:309)
	at jadx.api.JavaClass.load(JavaClass.java:130)
	at jadx.api.JavaClass.decompile(JavaClass.java:69)

I will add try/catch to log such issues and to not fail whole pass.

While it is possible to synchronize method processing using the same object as in ProcessClass, this still will be an incomplete solution (can handle only first level method usage). And, "tree analysis" problem have one caveat: method usage tree can be actually a graph with loops 😢

So the best solution is to build a method usage graph, find possible loops and disconnect them (convert to tree), traverse the tree in reverse DFS order and use low-level insns scanner to process thrown exceptions. All that should be done at pre-decompilation (prepare) stage. And since this might take some time, it is better to cache result somehow, best option is to use persistent attributes from #2366 (not yet implemented 🤣).