[Soot-list] Spark Error with Flowdroid

Quentin Sabah quentin.sabah at inria.fr
Mon Jun 17 10:58:02 EDT 2013


> My only concern is the 'probable' part. I need to report to the
> programmer that there is a security issue, and I'm sure that they'd like
> a precise report. So whatever information is in the tag needs to be sound.
> I am not super excited about an over-approximation, but that is better
> than the alternative.


Of course the tag will report names with fidelity regarding the class annotations.
The problem is that the local name table found in the class file doesn't have to be consistent with the source code. Compilers may put whatever information they want and there is no way this can be checked. The table is only for debugging purposes.

In the MultipartRequest class file, we clearly see that the compiler didn't insert all the necessary information. The table could contain two names for the same local at the same bytecode index, and we couldn't tell much to the programmer.

The worst part is that currently, use-original-names may silently generate unsound Jimple (not preserving the original bytecode semantics).

-- 
Quentin Sabah, CIFRE Ph.D. student
Grenoble University
INRIA-SARDES                   | STMicroelectronics/AST
Montbonnot, France             | Grenoble, France
mailto:quentin.sabah at inria.fr  | mailto:quentin.sabah at st.com
phone: +33 476 61 52 42        | phone: +33 476 58 44 14
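
The situation described in the message above (a local name table giving two names for the same local at the same bytecode index), as an added example that is not part of the original message or of Soot: a Python check over the raw body of a LocalVariableTable attribute, laid out as in JVMS §4.7.13. The sample bytes, the names `this`, `req` and `boundary`, and the `names` dict standing in for the constant pool are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_lvt(body: bytes):
    """Parse the body of a LocalVariableTable attribute (JVMS 4.7.13),
    i.e. the bytes after attribute_name_index and attribute_length."""
    (count,) = struct.unpack_from(">H", body, 0)
    if len(body) != 2 + 10 * count:
        raise ValueError("attribute length does not match entry count")
    # Each entry: start_pc, length, name_index, descriptor_index, index (slot)
    return [struct.unpack_from(">5H", body, 2 + 10 * i) for i in range(count)]

def ambiguous_names(entries, names, code_length):
    """Return ({(slot, pc): sorted names}, out_of_range): every bytecode index
    where the table gives more than one name for the same local slot, plus the
    entries whose range runs past the end of the code array."""
    seen = defaultdict(set)
    out_of_range = []
    for start_pc, length, name_idx, _desc_idx, slot in entries:
        if start_pc + length > code_length:
            out_of_range.append((slot, start_pc, length))
        # An entry covers the half-open interval [start_pc, start_pc + length)
        for pc in range(start_pc, min(start_pc + length, code_length)):
            seen[(slot, pc)].add(names.get(name_idx, f"<cp#{name_idx}>"))
    conflicts = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return conflicts, out_of_range

# Constructed sample: slot 1 is named "req" for pcs 0..9 and "boundary" from
# pc 6 onwards, so pcs 6..9 carry two names for the same local.
SAMPLE_NAMES = {10: "this", 11: "req", 12: "boundary"}  # constant-pool stand-in
SAMPLE_BODY = struct.pack(">H", 3) + b"".join(
    struct.pack(">5H", *entry) for entry in [
        (0, 20, 10, 30, 0),   # this, slot 0
        (0, 10, 11, 31, 1),   # req, slot 1
        (6, 16, 12, 32, 1),   # boundary, slot 1: overlaps req, overruns the code
    ])

if __name__ == "__main__":
    conflicts, overruns = ambiguous_names(parse_lvt(SAMPLE_BODY), SAMPLE_NAMES, 20)
    for (slot, pc), found in sorted(conflicts.items()):
        print(f"slot {slot} pc {pc}: {found}")
    print("out of range:", overruns)
```

A report that names a local from such a table can only be as precise as the entries that pass this kind of check; for the conflicting indices the class file alone does not say which name the source used.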


