[Soot-list] Missing callgraph edges with Spark

Eric Bodden eric.bodden at uni-paderborn.de
Mon May 9 08:19:07 EDT 2022


Hi Faridah.

When creating callgraphs for Android you should be using our Soot-extension FlowDroid because it models Android’s lifecycle. When you use bare Soot then the callgraph will be very incomplete. Are you using FlowDroid already?

Cheers
Eric

On 9. May 2022, at 00:11, Faridah Akinotcho <faridath.akinotcho at yahoo.fr> wrote:

Hi,

I am using Soot (org.soot.oss 4.2.1) to perform an interprocedural analysis on Android methods (in the wjtp phase). To this end, I am extracting reachable methods from Android lifecycles using Scene.v().getCallgraph().edgesOutOf(method). However, I noticed that some virtual and special edges seem to always be missing from the returned set. For example, given:


class B extends A{
    void onCreate(...){
        setContentView(C0027R.layout.merge);
        super.onCreate(bundle);
        setNextActivity(C.class);
    }
}

class A{
    public void setNextActivity(){
        ...
    }
}

When computing the reachable methods for B.onCreate(), neither setContentView, super.onCreate nor setNextActivity is included as a target for the outgoing edges (only clinit is returned). However, when using CHA instead of Spark, these are part of the returned set (along with other overapproximations), so I am assuming there might be some issue when performing the points-to analysis. Here are the options I am using:

Options.v().set_src_prec(Options.src_prec_apk);
Options.v().set_output_format(Options.output_format_none);

Options.v().set_no_bodies_for_excluded(true);
Options.v().set_allow_phantom_refs(true);
Options.v().set_android_jars(androidJar);

Options.v().set_process_dir(Collections.singletonList(apkPath));
Options.v().set_soot_classpath(androidJar);
Options.v().set_process_multiple_dex(true);

Options.v().set_whole_program(true);
Options.v().setPhaseOption("cg", "all-reachable:true");
Options.v().setPhaseOption("cg.spark", "on");
Options.v().setPhaseOption("cg.spark", "verbose:true");
Options.v().setPhaseOption("cg.spark", "string-constants:true");

Options.v().setPhaseOption("jb.ulp", "off");

Main.v().autoSetOptions();
Scene.v().loadNecessaryClasses();



I would greatly appreciate any pointers about what I might be missing (maybe an option that wasn't set properly) or what the problem could be.

Best regards,
Faridah Akinotcho
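
Added example, not part of the original thread and not code from the Soot or FlowDroid projects: building the call graph through FlowDroid, as suggested in the reply, and then listing the outgoing edges of one lifecycle method. It assumes the FlowDroid 2.x SetupApplication API; the class name LifecycleCallGraph, the command-line arguments and the sample signature in the usage text are constructed for illustration.

```java
import java.util.Iterator;

import soot.Scene;
import soot.SootMethod;
import soot.jimple.infoflow.InfoflowConfiguration.CallgraphAlgorithm;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;

public class LifecycleCallGraph {
    public static void main(String[] args) {
        if (args.length != 3) {
            // Constructed sample signature; replace with a method from your APK.
            System.err.println("usage: LifecycleCallGraph <android-platforms-dir> <apk> "
                    + "\"<com.example.B: void onCreate(android.os.Bundle)>\"");
            System.exit(2);
        }
        String androidPlatforms = args[0]; // assumption: Android SDK "platforms" directory
        String apkPath = args[1];
        String methodSignature = args[2];  // Soot-style method signature

        // FlowDroid configures Soot itself and generates a dummy main method
        // that drives the component lifecycle, so no manual Options.v() setup
        // or Scene.v().loadNecessaryClasses() call is needed here.
        SetupApplication app = new SetupApplication(androidPlatforms, apkPath);
        app.getConfig().setCallgraphAlgorithm(CallgraphAlgorithm.SPARK);
        app.constructCallgraph();

        CallGraph cg = Scene.v().getCallGraph();
        SootMethod method = Scene.v().grabMethod(methodSignature); // null if unknown
        if (method == null) {
            System.err.println("Method not found in Scene: " + methodSignature);
            System.exit(1);
        }

        // Print every outgoing edge with its kind (VIRTUAL, SPECIAL, CLINIT, ...),
        // which makes it easy to see whether only clinit edges are present.
        int count = 0;
        for (Iterator<Edge> it = cg.edgesOutOf(method); it.hasNext();) {
            Edge e = it.next();
            System.out.println(e.kind() + " -> " + e.tgt().getSignature());
            count++;
        }
        System.out.println(count + " outgoing edge(s) from " + method.getSignature());
    }
}
```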
