[Soot-list] Clarification on the Behavior of HEROS
Marc-Andre Laverdiere-Papineau
marc-andre.laverdiere-papineau at polymtl.ca
Thu Jan 24 11:07:16 EST 2013
Hello,
I will phrase things a bit differently.
Is the Heros solver working by defining some constraints and then
propagating them, or is it traversing the exploded graph on the fly?
The reason is shown by this example:
class Foo{
String a = "meh";
void setA(String b){
a = new String(b);
//new String to avoid a simple case where they're plainly aliased
}
String getA(){return a;}
}
If I am to use this as follows:
Foo f = new Foo();
String t = f.getA(); //gets meh
f.setA(taintedString);
String s = f.getA(); //gets tainted string
sink(s);
What happens in this case? Is the taint fact going to go from
taintedString to Foo.a to s? If so, would t be considered possibly
tainted too (as it dereferences the same field)? Will Heros request a
re-analysis of that call after I set the fact in f.setA(taintedString)?
Marc-André Laverdière-Papineau
Doctorant - PhD Candidate
On 13-01-24 04:14 AM, Eric Bodden wrote:
> Hello.
>
>> I am coding an IFDS analysis that requires setting some facts to fields.
>
> Sorry, I am not sure what you mean. Do you mean that your facts
> contain field references?
>
> Eric
>
More information about the Soot-list
mailing list