arkanalyzer 1.0.6 → 1.0.8

package/lib/callgraph/pointerAnalysis/PagBuilder.js

@@ -51,6 +51,7 @@ const Context_1 = require("./Context");
 const Pag_1 = require("./Pag");
 const PtsDS_1 = require("./PtsDS");
 const TSConst_1 = require("../../core/common/TSConst");
+const Const_1 = require("../../core/common/Const");
 const logger = logger_1.default.getLogger(logger_1.LOG_MODULE_TYPE.ARKANALYZER, 'PTA');
 class CSFuncID {
     constructor(cid, fid) {
@@ -70,10 +71,15 @@ class PagBuilder {
         this.cid2ThisRefMap = new Map();
         this.cid2ThisLocalMap = new Map();
         this.sdkMethodReturnValueMap = new Map();
+        // record the SDK API param, and create fake Values
+        this.sdkMethodParamValueMap = new Map();
+        this.fakeSdkMethodParamDeclaringStmt = new Stmt_1.ArkAssignStmt(new Local_1.Local(""), new Local_1.Local(""));
         this.funcHandledThisRound = new Set();
         this.updatedNodesThisRound = new Map();
         this.singletonFuncMap = new Map();
+        this.globalThisValue = new Local_1.Local(TSConst_1.GLOBAL_THIS);
         this.storagePropertyMap = new Map();
+        this.externalScopeVariableMap = new Map();
         this.pag = p;
         this.cg = cg;
         this.funcPags = new Map;
@@ -106,9 +112,11 @@ class PagBuilder {
             this.buildFuncPagAndAddToWorklist(csFuncID);
         });
         this.handleReachable();
+        this.globalThisPagNode = this.getOrNewGlobalThisNode(-1);
+        this.pag.addPagEdge(this.globalThisPagNode, this.globalThisPagNode, Pag_1.PagEdgeKind.Copy);
     }
     handleReachable() {
-        if (this.worklist.length == 0) {
+        if (this.worklist.length === 0) {
             return false;
         }
         this.funcHandledThisRound.clear();
@@ -131,38 +139,45 @@ class PagBuilder {
         if (this.funcPags.has(funcID)) {
             return false;
         }
-        let fpag = new Pag_1.FuncPag();
         let arkMethod = this.cg.getArkMethodByFuncID(funcID);
         if (arkMethod == null) {
-            //throw new Error("function ID");
             return false;
         }
         let cfg = arkMethod.getCfg();
         if (!cfg) {
+            this.buildSDKFuncPag(funcID);
             return false;
         }
         logger.trace(`[build FuncPag] ${arkMethod.getSignature().toString()}`);
+        let fpag = new Pag_1.FuncPag();
         for (let stmt of cfg.getStmts()) {
             if (stmt instanceof Stmt_1.ArkAssignStmt) {
+                this.handleValueFromExternalScope(stmt.getRightOp(), funcID);
                 // Add non-call edges
                 let kind = this.getEdgeKindForAssignStmt(stmt);
-                if (kind != Pag_1.PagEdgeKind.Unknown) {
+                if (kind !== Pag_1.PagEdgeKind.Unknown) {
                     fpag.addInternalEdge(stmt, kind);
                     continue;
                 }
                 // handle call
-                let inkExpr = stmt.getInvokeExpr();
-                if (inkExpr instanceof Expr_1.ArkStaticInvokeExpr) {
+                let ivkExpr = stmt.getInvokeExpr();
+                if (ivkExpr instanceof Expr_1.ArkStaticInvokeExpr) {
                     let cs = this.cg.getCallSiteByStmt(stmt);
                     if (cs) {
                         // direct call is already existing in CG
+                        // TODO: API Invoke stmt has anonymous method param, how to add these param into callee
                         fpag.addNormalCallSite(cs);
+                        if (ivkExpr.getMethodSignature().getDeclaringClassSignature()
+                            .getDeclaringFileSignature().getFileName() === Const_1.UNKNOWN_FILE_NAME) {
+                            fpag.addUnknownCallSite(cs);
+                            continue;
+                        }
                     }
                     else {
                         throw new Error('Can not find static callsite');
                     }
                 }
-                else if (inkExpr instanceof Expr_1.ArkInstanceInvokeExpr) {
+                else if (ivkExpr instanceof Expr_1.ArkInstanceInvokeExpr || ivkExpr instanceof Expr_1.ArkPtrInvokeExpr) {
                     let ptcs = this.cg.getDynCallsiteByStmt(stmt);
                     if (ptcs) {
                         this.addToDynamicCallSite(fpag, ptcs);
@@ -174,7 +189,14 @@ class PagBuilder {
                 let cs = this.cg.getCallSiteByStmt(stmt);
                 if (cs) {
                     // direct call or constructor call is already existing in CG
-                    fpag.addNormalCallSite(cs);
+                    // TODO: some ptr invoke stmt is recognized as Static invoke in tests/resources/callgraph/funPtrTest1/fnPtrTest4.ts
+                    // TODO: instance invoke(ptr invoke)
+                    if (this.cg.isUnknownMethod(cs.calleeFuncID)) {
+                        fpag.addUnknownCallSite(cs);
+                    }
+                    else {
+                        fpag.addNormalCallSite(cs);
+                    }
                     continue;
                 }
                 let dycs = this.cg.getDynCallsiteByStmt(stmt);
@@ -193,24 +215,51 @@ class PagBuilder {
         this.pagStat.numTotalFunction++;
         return true;
     }
+    /**
+     * will not create real funcPag, only create param values
+     */
+    buildSDKFuncPag(funcID) {
+        var _a;
+        // check if SDK method
+        let cgNode = this.cg.getNode(funcID);
+        if (!cgNode.isSdkMethod()) {
+            return;
+        }
+        let args = (_a = this.cg.getArkMethodByFuncID(funcID)) === null || _a === void 0 ? void 0 : _a.getParameters();
+        if (!args) {
+            return;
+        }
+        let paramArr = [];
+        args.forEach((arg) => {
+            let argInstance = new Local_1.Local(arg.getName(), arg.getType());
+            argInstance.setDeclaringStmt(this.fakeSdkMethodParamDeclaringStmt);
+            paramArr.push(argInstance);
+        });
+        this.sdkMethodParamValueMap.set(funcID, paramArr);
+    }
     buildPagFromFuncPag(funcID, cid) {
+        var _a;
         let funcPag = this.funcPags.get(funcID);
-        if (funcPag == undefined) {
-            //throw new Error("No Func PAG is found for #" + funcID);
+        if (funcPag === undefined) {
             return;
         }
         if (this.handledFunc.has(`${cid}-${funcID}`)) {
             return;
         }
         this.addEdgesFromFuncPag(funcPag, cid);
+        let interFuncPag = (_a = this.interFuncPags) === null || _a === void 0 ? void 0 : _a.get(funcID);
+        if (interFuncPag) {
+            this.addEdgesFromInterFuncPag(interFuncPag, cid);
+        }
         this.addCallsEdgesFromFuncPag(funcPag, cid);
-        this.addDynamicCallSite(funcPag);
+        this.addDynamicCallSite(funcPag, funcID);
+        this.addUnknownCallSite(funcPag, funcID);
         this.handledFunc.add(`${cid}-${funcID}`);
     }
     /// Add Pag Nodes and Edges in function
     addEdgesFromFuncPag(funcPag, cid) {
         let inEdges = funcPag.getInternalEdges();
-        if (inEdges == undefined) {
+        if (inEdges === undefined) {
             return false;
         }
         for (let e of inEdges) {
@@ -227,17 +276,17 @@ class PagBuilder {
     /// add Copy edges interprocedural
     addCallsEdgesFromFuncPag(funcPag, cid) {
         for (let cs of funcPag.getNormalCallSites()) {
+            let ivkExpr = cs.callStmt.getInvokeExpr();
             let calleeCid = this.ctx.getOrNewContext(cid, cs.calleeFuncID, true);
             let calleeCGNode = this.cg.getNode(cs.calleeFuncID);
-            let ivkExpr = cs.callStmt.getInvokeExpr();
             // process the Storage API(Static)
             if (!this.processStorage(cs, calleeCGNode, cid)) {
                 // If not Storage API, process normal edge
                 this.addStaticPagCallEdge(cs, cid, calleeCid);
             }
             // Add edge to thisRef for special calls
-            if (calleeCGNode.getKind() == CallGraph_1.CallGraphNodeKind.constructor ||
-                calleeCGNode.getKind() == CallGraph_1.CallGraphNodeKind.intrinsic) {
+            if (calleeCGNode.getKind() === CallGraph_1.CallGraphNodeKind.constructor ||
+                calleeCGNode.getKind() === CallGraph_1.CallGraphNodeKind.intrinsic) {
                 let callee = this.scene.getMethod(this.cg.getMethodByFuncID(cs.calleeFuncID));
                 if (ivkExpr instanceof Expr_1.ArkInstanceInvokeExpr) {
                     let baseNode = this.getOrNewPagNode(cid, ivkExpr.getBase());
@@ -285,13 +334,21 @@ class PagBuilder {
         return false;
     }
     processStorageSetOrCreate(cs, cid) {
-        let propertyName = cs.args[0].getValue();
+        let propertyStr = this.getPropertyName(cs.args[0]);
+        if (!propertyStr) {
+            return;
+        }
+        let propertyName = propertyStr;
         let propertyNode = this.getOrNewPropertyNode(Pag_1.StorageType.APP_STORAGE, propertyName, cs.callStmt);
         let storageObj = cs.args[1];
         this.addPropertyLinkEdge(propertyNode, storageObj, cid, cs.callStmt, Pag_1.StorageLinkEdgeType.Local2Property);
     }
     processStorageLink(cs, cid) {
-        let propertyName = cs.args[0].getValue();
+        let propertyStr = this.getPropertyName(cs.args[0]);
+        if (!propertyStr) {
+            return;
+        }
+        let propertyName = propertyStr;
         let propertyNode = this.getOrNewPropertyNode(Pag_1.StorageType.APP_STORAGE, propertyName, cs.callStmt);
         let leftOp = cs.callStmt.getLeftOp();
         let linkedOpNode = this.pag.getOrNewNode(cid, leftOp);
@@ -302,7 +359,11 @@ class PagBuilder {
         this.pag.addPagEdge(linkedOpNode, propertyNode, Pag_1.PagEdgeKind.Copy);
     }
     processStorageProp(cs, cid) {
-        let propertyName = cs.args[0].getValue();
+        let propertyStr = this.getPropertyName(cs.args[0]);
+        if (!propertyStr) {
+            return;
+        }
+        let propertyName = propertyStr;
         let propertyNode = this.getOrNewPropertyNode(Pag_1.StorageType.APP_STORAGE, propertyName, cs.callStmt);
         let leftOp = cs.callStmt.getLeftOp();
         let linkedOpNode = this.pag.getOrNewNode(cid, leftOp);
@@ -312,19 +373,31 @@ class PagBuilder {
         this.pag.addPagEdge(propertyNode, linkedOpNode, Pag_1.PagEdgeKind.Copy);
     }
     processStorageSet(cs, cid) {
-        let base = cs.callStmt.getInvokeExpr().getBase();
-        let baseNode = this.pag.getOrNewNode(cid, base);
-        if (baseNode.isStorageLinked()) {
-            let argsNode = this.pag.getOrNewNode(cid, cs.args[0]);
-            this.pag.addPagEdge(argsNode, baseNode, Pag_1.PagEdgeKind.Copy);
+        let ivkExpr = cs.callStmt.getInvokeExpr();
+        if (ivkExpr instanceof Expr_1.ArkInstanceInvokeExpr) {
+            let base = ivkExpr.getBase();
+            let baseNode = this.pag.getOrNewNode(cid, base);
+            if (baseNode.isStorageLinked()) {
+                let argsNode = this.pag.getOrNewNode(cid, cs.args[0]);
+                this.pag.addPagEdge(argsNode, baseNode, Pag_1.PagEdgeKind.Copy);
+            }
+        }
+        else if (ivkExpr instanceof Expr_1.ArkStaticInvokeExpr) {
+            // TODO: process AppStorage.set()
         }
     }
     processStorageGet(cs, cid) {
+        if (!(cs.callStmt instanceof Stmt_1.ArkAssignStmt)) {
+            return;
+        }
         let leftOp = cs.callStmt.getLeftOp();
         let ivkExpr = cs.callStmt.getInvokeExpr();
         let propertyName;
         if (ivkExpr instanceof Expr_1.ArkStaticInvokeExpr) {
-            propertyName = cs.args[0].getValue();
+            let propertyStr = this.getPropertyName(cs.args[0]);
+            if (propertyStr) {
+                propertyName = propertyStr;
+            }
         }
         else if (ivkExpr instanceof Expr_1.ArkInstanceInvokeExpr) {
             let baseNode = this.pag.getOrNewNode(cid, ivkExpr.getBase());
@@ -332,19 +405,44 @@ class PagBuilder {
                 propertyName = baseNode.getStorage().PropertyName;
             }
         }
-        // TODO: should not new node
         let propertyNode = this.getPropertyNode(Pag_1.StorageType.APP_STORAGE, propertyName, cs.callStmt);
         if (!propertyNode) {
             return;
         }
         this.pag.addPagEdge(propertyNode, this.pag.getOrNewNode(cid, leftOp, cs.callStmt), Pag_1.PagEdgeKind.Copy, cs.callStmt);
     }
-    addDynamicCallSite(funcPag) {
+    getPropertyName(value) {
+        if (value instanceof Local_1.Local) {
+            let type = value.getType();
+            if (type instanceof Type_1.StringType) {
+                return type.getName();
+            }
+        }
+        else if (value instanceof Constant_1.Constant) {
+            return value.getValue();
+        }
+        return undefined;
+    }
+    addDynamicCallSite(funcPag, funcID) {
         // add dyn callsite in funcpag to base node
         for (let cs of funcPag.getDynamicCallSites()) {
-            let base = cs.callStmt.getInvokeExpr().getBase();
+            let invokeExpr = cs.callStmt.getInvokeExpr();
+            let base;
+            if (invokeExpr instanceof Expr_1.ArkInstanceInvokeExpr) {
+                base = invokeExpr.getBase();
+            }
+            else if (invokeExpr instanceof Expr_1.ArkPtrInvokeExpr) {
+                base = invokeExpr.getFuncPtrLocal();
+            }
             // TODO: check base under different cid
             let baseNodeIDs = this.pag.getNodesByValue(base);
+            if (!baseNodeIDs) {
+                // bind the call site to export base
+                let interProceduralLocal = this.getSourceValueFromExternalScope(base, funcID);
+                if (interProceduralLocal) {
+                    baseNodeIDs = this.pag.getNodesByValue(interProceduralLocal);
+                }
+            }
             if (!baseNodeIDs) {
                 logger.warn(`[build dynamic call site] can not handle call site with base ${base.toString()}`);
                 continue;
@@ -358,63 +456,114 @@ class PagBuilder {
             }
         }
     }
+    addUnknownCallSite(funcPag, funcID) {
+        var _a;
+        let method = this.cg.getArkMethodByFuncID(funcID);
+        if (!method) {
+            throw new Error(`can not find ArkMethod by FuncID ${funcID}`);
+        }
+        let locals = (_a = method.getBody()) === null || _a === void 0 ? void 0 : _a.getLocals();
+        funcPag.getUnknownCallSites().forEach((unknownCallSite) => {
+            var _a;
+            let calleeName = (_a = unknownCallSite.callStmt.getInvokeExpr()) === null || _a === void 0 ? void 0 : _a.getMethodSignature().getMethodSubSignature().getMethodName();
+            let base = locals.get(calleeName);
+            if (base) {
+                let baseNodeIDs = this.pag.getNodesByValue(base);
+                if (!baseNodeIDs) {
+                    logger.warn(`[build dynamic call site] can not handle call site with base ${base.toString()}`);
+                    return;
+                }
+                for (let nodeID of baseNodeIDs.values()) {
+                    let node = this.pag.getNode(nodeID);
+                    if (!(node instanceof Pag_1.PagLocalNode)) {
+                        continue;
+                    }
+                    node.addRelatedUnknownCallSite(unknownCallSite);
+                }
+            }
+        });
+    }
     addDynamicCallEdge(cs, baseClassPTNode, cid) {
         let srcNodes = [];
         let ivkExpr = cs.callStmt.getInvokeExpr();
-        let calleeName = ivkExpr.getMethodSignature().getMethodSubSignature().getMethodName();
         let ptNode = this.pag.getNode(baseClassPTNode);
         let value = ptNode.getValue();
-        if (!(value instanceof Expr_1.ArkNewExpr || value instanceof Expr_1.ArkNewArrayExpr)) {
-            return srcNodes;
-        }
-        let callee = null;
-        if (value instanceof Expr_1.ArkNewExpr) {
-            // get class signature
-            let clsSig = value.getType().getClassSignature();
-            let cls;
-            cls = this.scene.getClass(clsSig);
-            while (!callee && cls) {
-                callee = cls.getMethodWithName(calleeName);
-                cls = cls.getSuperClass();
-            }
+        let callees = this.getDynamicCallee(ptNode, value, ivkExpr, cs);
+        for (let callee of callees) {
             if (!callee) {
-                callee = this.scene.getMethod(ivkExpr.getMethodSignature());
+                continue;
             }
-        }
-        // anonymous method
-        if (!callee) {
-            // try to change callee to param anonymous method
-            // TODO: anonymous method param and return value pointer pass
-            let args = cs.args;
-            if ((args === null || args === void 0 ? void 0 : args.length) == 1 && args[0].getType() instanceof Type_1.FunctionType) {
-                callee = this.scene.getMethod(args[0].getType().getMethodSignature());
+            // get caller and callee CG node, add param and return value PAG edge
+            let dstCGNode = this.cg.getCallGraphNodeByMethod(callee.getSignature());
+            let callerNode = this.cg.getNode(cs.callerFuncID);
+            if (!callerNode) {
+                throw new Error("Can not get caller method node");
+            }
+            // update call graph
+            // TODO: movo to cgbuilder
+            this.cg.addDynamicCallEdge(callerNode.getID(), dstCGNode.getID(), cs.callStmt);
+            if (!this.cg.detectReachable(dstCGNode.getID(), callerNode.getID())) {
+                let calleeCid = this.ctx.getOrNewContext(cid, dstCGNode.getID(), true);
+                let staticCS = new CallGraph_1.CallSite(cs.callStmt, cs.args, dstCGNode.getID(), cs.callerFuncID);
+                let staticSrcNodes = this.addStaticPagCallEdge(staticCS, cid, calleeCid);
+                srcNodes.push(...staticSrcNodes);
+                // Pass base's pts to callee's this pointer
+                if (!dstCGNode.isSdkMethod() && ivkExpr instanceof Expr_1.ArkInstanceInvokeExpr) {
+                    let srcBaseNode = this.addThisRefCallEdge(baseClassPTNode, cid, ivkExpr, callee, calleeCid, cs.callerFuncID);
+                    srcNodes.push(srcBaseNode);
+                }
             }
         }
-        if (!callee) {
-            // while pts has {o_1, o_2} and invoke expr represents a method that only {o_1} has
-            // return empty node when {o_2} come in
-            return [];
+        return srcNodes;
+    }
+    getDynamicCallee(ptNode, value, ivkExpr, cs) {
+        let callee = [];
+        if (ptNode instanceof Pag_1.PagFuncNode) {
+            // function ptr invoke
+            let tempCallee = this.scene.getMethod(ptNode.getMethod());
+            if (!callee) {
+                return callee;
+            }
+            callee.push(tempCallee);
         }
-        let dstCGNode = this.cg.getCallGraphNodeByMethod(callee.getSignature());
-        let callerNode = this.cg.getNode(cs.callerFuncID);
-        if (!callerNode) {
-            throw new Error("Can not get caller method node");
-        }
-        // update call graph
-        // TODO: movo to cgbuilder
-        this.cg.addDynamicCallEdge(callerNode.getID(), dstCGNode.getID(), cs.callStmt);
-        if (!this.cg.detectReachable(dstCGNode.getID(), callerNode.getID())) {
-            let calleeCid = this.ctx.getOrNewContext(cid, dstCGNode.getID(), true);
-            let staticCS = new CallGraph_1.CallSite(cs.callStmt, cs.args, dstCGNode.getID(), cs.callerFuncID);
-            let staticSrcNodes = this.addStaticPagCallEdge(staticCS, cid, calleeCid);
-            srcNodes.push(...staticSrcNodes);
-            // Pass base's pts to callee's this pointer
-            if (!dstCGNode.getIsSdkMethod()) {
-                let srcBaseNode = this.addThisRefCallEdge(baseClassPTNode, cid, ivkExpr, callee, calleeCid, cs.callerFuncID);
-                srcNodes.push(srcBaseNode);
+        else {
+            let calleeName = ivkExpr.getMethodSignature().getMethodSubSignature().getMethodName();
+            // instance method invoke
+            if (!(value instanceof Expr_1.ArkNewExpr || value instanceof Expr_1.ArkNewArrayExpr)) {
+                return callee;
+            }
+            let tempCallee;
+            // try to get callee by MethodSignature
+            if (value instanceof Expr_1.ArkNewExpr) {
+                // get class signature
+                let clsSig = value.getType().getClassSignature();
+                let cls;
+                cls = this.scene.getClass(clsSig);
+                while (!tempCallee && cls) {
+                    tempCallee = cls.getMethodWithName(calleeName);
+                    cls = cls.getSuperClass();
+                }
+                if (!tempCallee) {
+                    tempCallee = this.scene.getMethod(ivkExpr.getMethodSignature());
+                }
+            }
+            if (!tempCallee && cs.args) {
+                // while pts has {o_1, o_2} and invoke expr represents a method that only {o_1} has
+                // return empty node when {o_2} come in
+                // try to get callee by anonymous method in param
+                for (let arg of cs.args) {
+                    // TODO: anonymous method param and return value pointer pass
+                    let argType = arg.getType();
+                    if (argType instanceof Type_1.FunctionType) {
+                        callee.push(this.scene.getMethod(argType.getMethodSignature()));
+                    }
+                }
+            }
+            else if (tempCallee) {
+                callee.push(tempCallee);
             }
         }
-        return srcNodes;
+        return callee;
     }
     addUpdatedNode(nodeID, diffPT) {
         var _a;
@@ -451,7 +600,7 @@ class PagBuilder {
         else {
             callees.push(callee);
         }
-        if (callees.length == 0) {
+        if (callees.length === 0) {
             return srcNodes;
         }
         callees.forEach(callee => {
@@ -460,7 +609,7 @@ class PagBuilder {
                 throw new Error("Can not get caller method node");
             }
             if (this.processStorage(cs, dstCGNode, cid)) {
-                if (ivkExpr.getArgs().length != 0) {
+                if (ivkExpr.getArgs().length !== 0) {
                     // for AppStorage.set() instance invoke, add obj to reanalyze list
                     let argsNode = this.pag.getOrNewNode(cid, cs.args[0]);
                     srcNodes.push(argsNode.getID());
@@ -489,26 +638,29 @@ class PagBuilder {
             const diffCallSites = new Set(Array.from(callSites).filter(item => !processedCallSites.has(item)));
             diffCallSites.forEach((cs) => {
                 let ivkExpr = cs.callStmt.getInvokeExpr();
+                if (!(ivkExpr instanceof Expr_1.ArkInstanceInvokeExpr)) {
+                    return;
+                }
                 // Get local of base class
                 let base = ivkExpr.getBase();
                 // TODO: remove this after multiple this local fixed
                 base = this.getRealThisLocal(base, cs.callerFuncID);
                 // Get PAG nodes for this base's local
                 let ctx2NdMap = this.pag.getNodesByValue(base);
-                if (ctx2NdMap) {
-                    for (let [cid] of ctx2NdMap.entries()) {
-                        reAnalyzeNodes.push(...this.handleUnkownDynamicCall(cs, cid));
-                    }
+                if (!ctx2NdMap) {
+                    return;
+                }
+                for (let [cid] of ctx2NdMap.entries()) {
+                    reAnalyzeNodes.push(...this.handleUnkownDynamicCall(cs, cid));
                 }
             });
         }
         return reAnalyzeNodes;
     }
     addThisRefCallEdge(baseClassPTNode, cid, ivkExpr, callee, calleeCid, callerFunID) {
-        //let thisPtr = callee.getThisInstance();
         var _a;
         if (!callee || !callee.getCfg()) {
-            console.log("callee is null");
+            logger.error(`callee is null`);
             return -1;
         }
         let thisAssignStmt = (_a = callee.getCfg()) === null || _a === void 0 ? void 0 : _a.getStmts().filter(s => s instanceof Stmt_1.ArkAssignStmt && s.getRightOp() instanceof Ref_1.ArkThisRef);
@@ -523,6 +675,14 @@ class PagBuilder {
         let srcBaseLocal = ivkExpr.getBase();
         srcBaseLocal = this.getRealThisLocal(srcBaseLocal, callerFunID);
         let srcNodeId = this.pag.hasCtxNode(cid, srcBaseLocal);
+        if (!srcNodeId) {
+            // this check is for export local and closure use
+            // replace the invoke base, because its origin base has no pag node
+            let interProceduralLocal = this.getSourceValueFromExternalScope(srcBaseLocal, callerFunID);
+            if (interProceduralLocal) {
+                srcNodeId = this.pag.hasCtxNode(cid, interProceduralLocal);
+            }
+        }
         if (!srcNodeId) {
             throw new Error('Can not get base node');
         }
@@ -545,35 +705,10 @@ class PagBuilder {
         let calleeMethod = this.scene.getMethod(calleeNode.getMethod());
         if (!calleeMethod) {
             // TODO: check if nodes need to delete
-            // this.cg.removeCallGraphNode(cs.calleeFuncID)
             return srcNodes;
         }
-        if (calleeNode.getIsSdkMethod()) {
-            let returnType = calleeMethod.getReturnType();
-            // TODO: add new array type
-            if (!(returnType instanceof Type_1.ClassType) || !(cs.callStmt instanceof Stmt_1.ArkAssignStmt)) {
-                return srcNodes;
-            }
-            // check fake heap object exists or not
-            let cidMap = this.sdkMethodReturnValueMap.get(calleeMethod);
-            if (!cidMap) {
-                cidMap = new Map();
-            }
-            let newExpr = cidMap.get(calleeCid);
-            if (!newExpr) {
-                if (returnType instanceof Type_1.ClassType) {
-                    newExpr = new Expr_1.ArkNewExpr(returnType);
-                }
-                // } else if (returnType instanceof ArrayType) {
-                // TODO: check how to transform array type 2 newArrayExpr
-                // newExpr = new ArkNewArrayExpr(returnType.getBaseType(), )
-                // }
-            }
-            cidMap.set(calleeCid, newExpr);
-            this.sdkMethodReturnValueMap.set(calleeMethod, cidMap);
-            let srcPagNode = this.getOrNewPagNode(calleeCid, newExpr);
-            let dstPagNode = this.getOrNewPagNode(callerCid, cs.callStmt.getLeftOp(), cs.callStmt);
-            this.pag.addPagEdge(srcPagNode, dstPagNode, Pag_1.PagEdgeKind.Address, cs.callStmt);
+        if (calleeNode.isSdkMethod()) {
+            srcNodes.push(...this.addSDKMethodPagCallEdge(cs, callerCid, calleeCid));
             return srcNodes;
         }
         if (!calleeMethod.getCfg()) {
@@ -584,7 +719,6 @@ class PagBuilder {
         // callee cid will updated if callee is singleton
         calleeCid = calleeCS.cid;
         // TODO: getParameterInstances's performance is not good. Need to refactor 
-        //let params = calleeMethod.getParameterInstances();
         let params = calleeMethod.getCfg().getStmts()
             .filter(stmt => stmt instanceof Stmt_1.ArkAssignStmt && stmt.getRightOp() instanceof Ref_1.ArkParameterRef)
             .map(stmt => stmt.getRightOp());
@@ -595,7 +729,6 @@ class PagBuilder {
                 let arg = (_b = cs.args) === null || _b === void 0 ? void 0 : _b.at(i);
                 let param = params.at(i);
                 // TODO: param type should be ArkParameterRef?
-                //if (arg && param && param instanceof ArkParameterRef) {
                 if (arg && param) {
                     if (arg instanceof Constant_1.Constant) {
                         continue;
@@ -629,7 +762,7 @@ class PagBuilder {
                     continue;
                 }
                 else if (retValue instanceof Expr_1.AbstractExpr) {
-                    console.log(retValue);
+                    logger.debug(retValue);
                     continue;
                 }
                 else {
@@ -639,6 +772,86 @@ class PagBuilder {
         }
         return srcNodes;
     }
+    addSDKMethodPagCallEdge(cs, callerCid, calleeCid) {
+        let srcNodes = [];
+        let calleeNode = this.cg.getNode(cs.calleeFuncID);
+        let calleeMethod = this.scene.getMethod(calleeNode.getMethod());
+        if (!calleeMethod) {
+            return srcNodes;
+        }
+        if (!this.sdkMethodParamValueMap.has(calleeNode.getID())) {
+            this.buildSDKFuncPag(calleeNode.getID());
+        }
+        this.addSDKMethodReturnPagEdge(cs, callerCid, calleeCid, calleeMethod);
+        srcNodes.push(...this.addSDKMethodParamPagEdge(cs, callerCid, calleeCid, calleeNode.getID()));
+        return srcNodes;
+    }
+    addSDKMethodReturnPagEdge(cs, callerCid, calleeCid, calleeMethod) {
+        let returnType = calleeMethod.getReturnType();
+        if (!(returnType instanceof Type_1.ClassType) || !(cs.callStmt instanceof Stmt_1.ArkAssignStmt)) {
+            return;
+        }
+        // check fake heap object exists or not
+        let cidMap = this.sdkMethodReturnValueMap.get(calleeMethod);
+        if (!cidMap) {
+            cidMap = new Map();
+        }
+        let newExpr = cidMap.get(calleeCid);
+        if (!newExpr) {
+            if (returnType instanceof Type_1.ClassType) {
+                newExpr = new Expr_1.ArkNewExpr(returnType);
+            }
+        }
+        cidMap.set(calleeCid, newExpr);
+        this.sdkMethodReturnValueMap.set(calleeMethod, cidMap);
+        let srcPagNode = this.getOrNewPagNode(calleeCid, newExpr);
+        let dstPagNode = this.getOrNewPagNode(callerCid, cs.callStmt.getLeftOp(), cs.callStmt);
+        this.pag.addPagEdge(srcPagNode, dstPagNode, Pag_1.PagEdgeKind.Address, cs.callStmt);
+    }
+    addSDKMethodParamPagEdge(cs, callerCid, calleeCid, funcID) {
+        var _a, _b;
+        let argNum = (_a = cs.args) === null || _a === void 0 ? void 0 : _a.length;
+        let srcNodes = [];
+        if (argNum) {
+            // add args to parameters edges
+            for (let i = 0; i < argNum; i++) {
+                let arg = (_b = cs.args) === null || _b === void 0 ? void 0 : _b.at(i);
+                let paramValue;
+                if (arg instanceof Local_1.Local && arg.getType() instanceof Type_1.FunctionType) {
+                    // TODO: cannot find value
+                    paramValue = this.sdkMethodParamValueMap.get(funcID)[i];
+                }
+                else {
+                    continue;
+                }
+                if (arg && paramValue) {
+                    // Get or create new PAG node for argument and parameter
+                    let srcPagNode = this.getOrNewPagNode(callerCid, arg, cs.callStmt);
+                    let dstPagNode = this.getOrNewPagNode(calleeCid, paramValue, cs.callStmt);
+                    if (dstPagNode instanceof Pag_1.PagLocalNode) {
+                        // set the fake param Value in PagLocalNode
+                        /**
+                         * TODO: !!!
+                         * some API param is in the form of anonymous method:
+                         *  component/common.d.ts
+                         *  declare function animateTo(value: AnimateParam, event: () => void): void;
+                         *
+                         * this param fake Value will create PagFuncNode rather than PagLocalNode
+                         * when this API is called, the anonymous method pointer will not be able to pass into the fake Value PagNode
+                         */
+                        dstPagNode.setSdkParam();
+                        let sdkParamInvokeStmt = new Stmt_1.ArkInvokeStmt(new Expr_1.ArkPtrInvokeExpr(arg.getType().getMethodSignature(), paramValue, []));
+                        // create new DynCallSite
+                        let sdkParamCallSite = new CallGraph_1.DynCallSite(funcID, sdkParamInvokeStmt, undefined, undefined);
+                        dstPagNode.addRelatedDynCallSite(sdkParamCallSite);
+                    }
+                    this.pag.addPagEdge(srcPagNode, dstPagNode, Pag_1.PagEdgeKind.Copy, cs.callStmt);
+                    srcNodes.push(srcPagNode.getID());
+                }
+            }
+        }
+        return srcNodes;
+    }
     getOrNewPagNode(cid, v, s) {
         if (v instanceof Ref_1.ArkThisRef) {
             return this.getOrNewThisRefNode(cid, v);
@@ -647,15 +860,17 @@ class PagBuilder {
         // remove below block once this issue fixed
         // globalThis process can not be removed while all `globalThis` ref is the same Value
         if (v instanceof Local_1.Local) {
-            if (v.getName() == "this") {
+            if (v.getName() === "this") {
                 return this.getOrNewThisLoalNode(cid, v, s);
             }
-            else if (v.getName() == Pag_1.GLOBAL_THIS && v.getDeclaringStmt() == null) {
+            else if (v.getName() === TSConst_1.GLOBAL_THIS && v.getDeclaringStmt() == null) {
                 // globalThis node has no cid
-                return this.getOrNewGlobalThisNode(0);
+                return this.getOrNewGlobalThisNode(-1);
             }
         }
-        v = this.getRealInstanceRef(v);
+        if (v instanceof Ref_1.ArkInstanceFieldRef || v instanceof Ref_1.ArkStaticFieldRef) {
+            v = this.getRealInstanceRef(v);
+        }
         return this.pag.getOrNewNode(cid, v, s);
     }
     /**
@@ -706,7 +921,7 @@ class PagBuilder {
     }
     getPropertyNode(storage, propertyName, stmt) {
         let storageMap = this.storagePropertyMap.get(storage);
-        let propertyLocal = undefined;
+        let propertyLocal;
         if (!storageMap) {
             storageMap = new Map();
             this.storagePropertyMap.set(storage, storageMap);
@@ -764,7 +979,7 @@ class PagBuilder {
         let real;
         if (v instanceof Ref_1.ArkInstanceFieldRef) {
             base = v.getBase();
-            if (base instanceof Local_1.Local && base.getName() == Pag_1.GLOBAL_THIS && base.getDeclaringStmt() == null) {
+            if (base instanceof Local_1.Local && base.getName() === TSConst_1.GLOBAL_THIS && base.getDeclaringStmt() == null) {
                 // replace the base in fieldRef
                 base = this.getGlobalThisValue();
                 v.setBase(base);
@@ -797,13 +1012,13 @@ class PagBuilder {
             this.singletonFuncMap.set(funcID, false);
             return false;
         }
-        if (!arkMethod.getModifiers().has(TSConst_1.STATIC_KEYWORD)) {
+        if (!arkMethod.isStatic()) {
             this.singletonFuncMap.set(funcID, false);
             return false;
         }
         let funcPag = this.funcPags.get(funcID);
         let heapObjects = [...funcPag.getInternalEdges()]
-            .filter(edge => edge.kind == Pag_1.PagEdgeKind.Address)
+            .filter(edge => edge.kind === Pag_1.PagEdgeKind.Address)
             .map(edge => edge.dst);
         let returnValues = arkMethod.getReturnValues();
         let result = this.isValueConnected([...funcPag.getInternalEdges()], heapObjects, returnValues);
@@ -868,8 +1083,7 @@ class PagBuilder {
         return false;
     }
     getGlobalThisValue() {
-        var _a;
-        return (_a = this.globalThisValue) !== null && _a !== void 0 ? _a : new Local_1.Local(Pag_1.GLOBAL_THIS);
+        return this.globalThisValue;
     }
     getEdgeKindForAssignStmt(stmt) {
         if (this.stmtIsCreateAddressObj(stmt)) {
@@ -902,13 +1116,15 @@ class PagBuilder {
         switch (storageName) {
             case 'AppStorage':
                 return Pag_1.StorageType.APP_STORAGE;
-            case 'SubscribedAbstractProperty':
+            case 'SubscribedAbstractProperty': {
                 let calleeBaseLocal = cs.callStmt.getInvokeExpr().getBase();
                 let calleeBaseLocalNode = this.pag.getOrNewNode(cid, calleeBaseLocal);
                 if (calleeBaseLocalNode.isStorageLinked()) {
                     let storage = calleeBaseLocalNode.getStorage();
                     return storage.StorageType;
                 }
+                return Pag_1.StorageType.Undefined;
+            }
             default:
                 return Pag_1.StorageType.Undefined;
         }
@@ -920,10 +1136,10 @@ class PagBuilder {
         let lhOp = stmt.getLeftOp();
         let rhOp = stmt.getRightOp();
         if ((rhOp instanceof Expr_1.ArkNewExpr || rhOp instanceof Expr_1.ArkNewArrayExpr) ||
-            (lhOp instanceof Local_1.Local && rhOp instanceof Local_1.Local &&
-                rhOp.getType() instanceof Type_1.FunctionType &&
-                rhOp.getDeclaringStmt() === null ||
-                (rhOp instanceof Local_1.Local && rhOp.getName() == Pag_1.GLOBAL_THIS && rhOp.getDeclaringStmt() == null))) {
+            (lhOp instanceof Local_1.Local && ((rhOp instanceof Local_1.Local && rhOp.getType() instanceof Type_1.FunctionType &&
+                rhOp.getDeclaringStmt() === null) ||
+                (rhOp instanceof Ref_1.AbstractFieldRef && rhOp.getType() instanceof Type_1.FunctionType))) ||
+            (rhOp instanceof Local_1.Local && rhOp.getName() === TSConst_1.GLOBAL_THIS && rhOp.getDeclaringStmt() == null)) {
             return true;
         }
         // TODO: add other Address Obj creation
@@ -973,7 +1189,7 @@ class PagBuilder {
     }
     getRealThisLocal(input, funcId) {
         var _a;
-        if (input.getName() != 'this')
+        if (input.getName() !== 'this')
             return input;
         let real = input;
         let f = this.cg.getArkMethodByFuncID(funcId);
@@ -1003,5 +1219,142 @@ class PagBuilder {
     getHandledFuncs() {
         return Array.from(this.funcPags.keys());
     }
+    /**
+     * build export edge in internal func pag
+     * @param value: Value that need to check if it is from import/export
+     * @param originValue: if Value if InstanceFieldRef, the base will be passed to `value` recursively,
+     *                      fieldRef will be passed to `originValue`
+     */
+    handleValueFromExternalScope(value, funcID, originValue) {
+        if (value instanceof Local_1.Local) {
+            if (value.getDeclaringStmt()) {
+                // not from external scope
+                return;
+            }
+            if (!value.getType()) {
+                return;
+            }
+            let srcLocal = this.getSourceValueFromExternalScope(value, funcID);
+            if (srcLocal) {
+                // if `value` is from field base, use origin value(fieldRef) instead
+                this.addInterFuncEdge(srcLocal, originValue !== null && originValue !== void 0 ? originValue : value, funcID);
+            }
+        }
+        else if (value instanceof Ref_1.ArkInstanceFieldRef) {
+            let base = value.getBase();
+            if (base) {
+                this.handleValueFromExternalScope(base, funcID, value);
+            }
+        }
+    }
+    addInterFuncEdge(src, dst, funcID) {
+        var _a, _b, _c;
+        this.interFuncPags = (_a = this.interFuncPags) !== null && _a !== void 0 ? _a : new Map();
+        let interFuncPag = (_b = this.interFuncPags.get(funcID)) !== null && _b !== void 0 ? _b : new Pag_1.InterFuncPag();
+        // Export a local
+        // Add a InterProcedural edge
+        if (dst instanceof Local_1.Local) {
+            let e = { src: src, dst: dst, kind: Pag_1.PagEdgeKind.InterProceduralCopy };
+            interFuncPag.addToInterProceduralEdgeSet(e);
+            this.addExportVariableMap(src, dst);
+        }
+        else if (dst instanceof Ref_1.ArkInstanceFieldRef) {
+            // record the export base use
+            this.addExportVariableMap(src, dst.getBase());
+        }
+        this.interFuncPags.set(funcID, interFuncPag);
+        // Put the function which the src belongs to to worklist
+        let srcFunc = (_c = src.getDeclaringStmt()) === null || _c === void 0 ? void 0 : _c.getCfg().getDeclaringMethod();
+        if (srcFunc) {
+            let srcFuncID = this.cg.getCallGraphNodeByMethod(srcFunc.getSignature()).getID();
+            let cid = this.ctx.getNewContextID(srcFuncID);
+            let csFuncID = new CSFuncID(cid, srcFuncID);
+            this.buildFuncPagAndAddToWorklist(csFuncID);
+        }
+        // Extend other types of src here
+    }
+    getSourceValueFromExternalScope(value, funcID) {
+        let sourceValue;
+        // TODO: first from default method
+        sourceValue = this.getDefaultMethodSourceValue(value, funcID);
+        if (!sourceValue) {
+            sourceValue = this.getExportSourceValue(value, funcID);
+        }
+        return sourceValue;
+    }
+    getDefaultMethodSourceValue(value, funcID) {
+        var _a, _b, _c, _d, _e, _f, _g;
+        // namespace check
+        let arkMethod = this.cg.getArkMethodByFuncID(funcID);
+        if (!arkMethod) {
+            return;
+        }
+        let declaringNameSpace = arkMethod.getDeclaringArkClass().getDeclaringArkNamespace();
+        while (declaringNameSpace) {
+            let nameSpaceLocals = (_c = (_b = (_a = declaringNameSpace.getDefaultClass()
+                .getDefaultArkMethod()) === null || _a === void 0 ? void 0 : _a.getBody()) === null || _b === void 0 ? void 0 : _b.getLocals()) !== null && _c !== void 0 ? _c : new Map();
+            if (nameSpaceLocals.has(value.getName())) {
+                return nameSpaceLocals.get(value.getName());
+            }
+            declaringNameSpace = (_d = declaringNameSpace.getDeclaringArkNamespace()) !== null && _d !== void 0 ? _d : undefined;
+        }
+        // file check
+        let declaringFile = arkMethod.getDeclaringArkFile();
+        let fileLocals = (_g = (_f = (_e = declaringFile.getDefaultClass()
+            .getDefaultArkMethod()) === null || _e === void 0 ? void 0 : _e.getBody()) === null || _f === void 0 ? void 0 : _f.getLocals()) !== null && _g !== void 0 ? _g : new Map();
+        if (!fileLocals.has(value.getName())) {
+            return;
+        }
+        return fileLocals.get(value.getName());
+    }
+    getExportSourceValue(value, funcID) {
+        let curMethod = this.cg.getArkMethodByFuncID(funcID);
+        if (!curMethod) {
+            return;
+        }
+        let curFile = curMethod.getDeclaringArkFile();
+        let impInfo = curFile.getImportInfoBy(value.getName());
+        if (!impInfo) {
+            return;
+        }
+        let exportSource = impInfo.getLazyExportInfo();
+        if (!exportSource) {
+            return;
+        }
+        let exportSouceValue = exportSource.getArkExport();
+        if (exportSouceValue instanceof Local_1.Local) {
+            return exportSouceValue;
+        }
+    }
+    addExportVariableMap(src, dst) {
+        var _a;
+        let exportMap = (_a = this.externalScopeVariableMap.get(src)) !== null && _a !== void 0 ? _a : [];
+        if (!exportMap.includes(dst)) {
+            exportMap.push(dst);
+            this.externalScopeVariableMap.set(src, exportMap);
+        }
+    }
+    getExportVariableMap(src) {
+        var _a;
+        return (_a = this.externalScopeVariableMap.get(src)) !== null && _a !== void 0 ? _a : [];
+    }
+    /// Add inter-procedural Pag Nodes and Edges
+    addEdgesFromInterFuncPag(interFuncPag, cid) {
+        let edges = interFuncPag.getInterProceduralEdges();
+        if (edges.size === 0) {
+            return false;
+        }
+        for (let e of edges) {
+            // Existing local exported nodes -> ExportNode
+            let exportLocal = e.src;
+            let dstPagNode = this.getOrNewPagNode(cid, e.dst);
+            // get export local node in all cid
+            let existingNodes = this.pag.getNodesByValue(exportLocal);
+            existingNodes === null || existingNodes === void 0 ? void 0 : existingNodes.forEach(n => {
+                this.pag.addPagEdge(this.pag.getNode(n), dstPagNode, e.kind);
+            });
+        }
+        return true;
+    }
 }
 exports.PagBuilder = PagBuilder;