[Soot-list] FlowDroid: call graph doesn't look context sensitive

Denis Bogdanas denis.bogdanas at gmail.com
Thu Mar 3 18:15:29 EST 2016


Also please notice the format: those are all SootMethod. Shouldn't they be
MethodContext?


On 3 March 2016 at 15:13, Denis Bogdanas <denis.bogdanas at gmail.com> wrote:

> Hi Steven,
> Default settings produce the same result. From my logs:
>
> From <edu.oregonstate.ex.flowdroidtest.TestActivity: void
> onCreate(android.os.Bundle)>
>   to <edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()>
> --------------------------------------------
> <edu.oregonstate.ex.flowdroidtest.TestActivity: void
> onCreate(android.os.Bundle)>
> <edu.oregonstate.ex.flowdroidtest.TestActivity: void threadWithSensitive()>
> <java.lang.Thread: void run()>
> <edu.oregonstate.ex.flowdroidtest.TestActivity$3: void run()>
> <edu.oregonstate.ex.flowdroidtest.TestActivity: void
> access$000(edu.oregonstate.ex.flowdroidtest.TestActivity)>
> <edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()>
>
> From <edu.oregonstate.ex.flowdroidtest.TestActivity: boolean
> onOptionsItemSelected(android.view.MenuItem)>
>   to <edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()>
> --------------------------------------------
> <edu.oregonstate.ex.flowdroidtest.TestActivity: boolean
> onOptionsItemSelected(android.view.MenuItem)>
> <edu.oregonstate.ex.flowdroidtest.TestActivity: void emptyThread()>
> <java.lang.Thread: void run()>
> <edu.oregonstate.ex.flowdroidtest.TestActivity$3: void run()>
> <edu.oregonstate.ex.flowdroidtest.TestActivity: void
> access$000(edu.oregonstate.ex.flowdroidtest.TestActivity)>
> <edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()>
>
> Paths are produced by navigating the call graph upwards until a callback
> is reached. FlowDroid and soot on my machine are 2 weeks old.
>
>
>
> On 3 March 2016 at 14:28, Steven Arzt <Steven.Arzt at cased.de> wrote:
>
>> Hi Denis,
>>
>>
>>
>> You don’t actually need an implementation of java.* in your Android
>> platform JAR file, because FlowDroid provides explicit models for threads.
>> If you use FlowDroid’s default models, your callgraph should be able to
>> distinguish the two calls, i.e., there should not be a path from
>> emptyThread() to sensitive(). You have two different instances of the
>> Thread class, two different implementations (and thus also instances
>> thereof) of Runnable, and I don’t see any good reason for FlowDroid to
>> combine the two paths.
>>
>>
>>
>> Best regards,
>>
>>   Steven
>>
>>
>>
>> *From:* soot-list-bounces at CS.McGill.CA [mailto:
>> soot-list-bounces at CS.McGill.CA] *On Behalf Of* Denis Bogdanas
>> *Sent:* Thursday, 3 March 2016 23:04
>> *To:* soot-list at CS.McGill.CA
>> *Subject:* [Soot-list] FlowDroid: call graph doesn't look context
>> sensitive
>>
>>
>>
>> Suppose we have 2 threads called from 2 UI callbacks. One of them calls
>> method sensitive(), another one is empty. In the call graph, both events
>> will have a path to sensitive(), as if the two Thread instances were
>> modeled as one:
>>
>> protected void onCreate(Bundle savedInstanceState) {
>>     threadWithSensitive();
>> }
>>
>> @Override
>> public boolean onOptionsItemSelected(MenuItem item) {
>>     emptyThread();
>>     return false;
>> }
>>
>> private void threadWithSensitive() {
>>     new Thread(new Runnable() {
>>         public void run() {
>>             sensitive();
>>         }
>>     }).start();
>> }
>>
>> private void emptyThread() {
>>     new Thread(new Runnable() {
>>         public void run() { }
>>     }).start();
>> }
>>
>> Shouldn't only onCreate() lead to sensitive() ?
>>
>> My setup: a crafted android.jar that has stubs for android classes but
>> full implementation for java.* and javax.* packages.
>>
>>
>>
>> I also noticed that class MethodContext which is supposed to model a
>> method in its context, is never instantiated, regardless of what call graph
>> algorithm I use.
>>
>> What am I missing?
>>
>> thanks,
>>
>> --
>>
>> Denis
>>
>
>
>
> --
> Denis
>



-- 
Denis
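
An added illustration, not part of the thread and not Soot or FlowDroid code: a toy Python model of the upward walk described above ("navigating the call graph upwards until a callback is reached"), run once over a graph with one node per method, like the SootMethod entries in the logged paths, and once with Thread.run() split per Thread object. The edge lists, the name EmptyRunnable.run and the @T1/@T2 context labels are assumptions made for the example.

```python
from collections import deque

CALLBACKS = {"onCreate", "onOptionsItemSelected"}

# Constructed edge lists (caller, callee). "EmptyRunnable.run" is a
# hypothetical name for the empty Runnable; "@T1"/"@T2" are assumed
# context labels for the two Thread objects.
SHARED = [
    ("onCreate", "threadWithSensitive"),
    ("onOptionsItemSelected", "emptyThread"),
    ("TestActivity$3.run", "access$000"),
    ("access$000", "sensitive"),
]
# One node per method: both callers share a single Thread.run node.
INSENSITIVE = SHARED + [
    ("threadWithSensitive", "Thread.run"),
    ("emptyThread", "Thread.run"),
    ("Thread.run", "TestActivity$3.run"),
    ("Thread.run", "EmptyRunnable.run"),
]
# One node per (method, context): Thread.run is split per Thread object.
PER_CONTEXT = SHARED + [
    ("threadWithSensitive", "Thread.run@T1"),
    ("emptyThread", "Thread.run@T2"),
    ("Thread.run@T1", "TestActivity$3.run"),
    ("Thread.run@T2", "EmptyRunnable.run"),
]


def paths_to(edges, target):
    """Walk callers upwards from target; return {callback: path to target}."""
    callers = {}
    for src, dst in edges:
        callers.setdefault(dst, []).append(src)
    found, seen = {}, {target}
    queue = deque([[target]])
    while queue:
        path = queue.popleft()
        head = path[0]
        if head in CALLBACKS:  # stop at the first callback on this path
            found[head] = path
            continue
        for src in callers.get(head, []):
            if src not in seen:
                seen.add(src)
                queue.append([src] + path)
    return found


if __name__ == "__main__":
    for label, edges in (("method", INSENSITIVE), ("context", PER_CONTEXT)):
        print(label, sorted(paths_to(edges, "sensitive")))
```

With method-only nodes the walk merges at Thread.run and reports both callbacks; with per-context nodes only onCreate reaches sensitive().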