facebook / mariana-trench

A security focused static analysis tool for Android and Java applications.
https://mariana-tren.ch/
MIT License

Inconsistent behaviour with unreachable code #169

Closed draftyfrog closed 2 months ago

draftyfrog commented 3 months ago

Bug

Bug description: Consider the following code:

```java
boolean selector = false;
String taint = source();

if (selector) {
    sink1(taint);
}

if (false) {
    sink2(taint);
}
```

where the return value of source() is specified as a source and sink1() and sink2() are both defined as sinks. As can be seen in the code, both sinks are unreachable, but mariana-trench returns sink1() as a found issue (but doesn't return sink2()).

arthaud commented 2 months ago

Hi @draftyfrog,

My guess is that the compiler probably removed the if (false) branch entirely. Mariana Trench analyzes the APK directly, after the compiler ran, so we cannot see things that have been removed by the compiler.

draftyfrog commented 2 months ago

Hi @arthaud, thanks for getting back! You're right, I reverse-engineered my apk and the compiler removed the second if-branch. My mistake - thank you!
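The following class is an added example (not code from this issue or from the Mariana Trench project) that puts the three relevant cases side by side: a branch guarded by a non-final local, the literal `if (false)` from the report, and a branch guarded by a `static final` constant. `source()`, `sink1()`, `sink2()` and `sink3()` are hypothetical stand-ins for whatever methods a model file declares as source and sinks. Only the first branch survives compilation; the other two are dropped by javac before any bytecode-level analysis runs.

```java
// Added example: which "dead" branches reach the .class/.dex file that a
// bytecode analyzer such as Mariana Trench actually sees.
// source()/sink1()/sink2()/sink3() are hypothetical stand-ins for modelled methods.
public class DeadBranches {
    // Constant variable (JLS 4.12.4): `if (DEBUG)` is folded at compile time.
    static final boolean DEBUG = false;

    static String source() { return "tainted-value"; }
    static void sink1(String s) { System.out.println("sink1: " + s); }
    static void sink2(String s) { System.out.println("sink2: " + s); }
    static void sink3(String s) { System.out.println("sink3: " + s); }

    public static void main(String[] args) {
        // Non-final local: not a constant expression, so javac emits a real
        // conditional jump (iload / ifeq). The dataflow source -> sink1 exists
        // in the bytecode, which is why the analysis reports it.
        boolean selector = false;
        String taint = source();

        if (selector) {
            sink1(taint);
        }

        // JLS 14.22 explicitly allows `if (false)` for conditional compilation;
        // javac omits the body, so no call to sink2 exists in the class file.
        if (false) {
            sink2(taint);
        }

        // Same folding as above because DEBUG is a compile-time constant.
        if (DEBUG) {
            sink3(taint);
        }
    }
}
```

After `javac DeadBranches.java`, `javap -c DeadBranches` shows an `invokestatic` for `sink1` behind an `ifeq`, and no reference to `sink2` or `sink3` at all. The practical consequence for triage is the one arthaud describes: a finding on a branch that looks dead at the source level is still a real path in the shipped artifact, while code the compiler folds away can never produce a finding, so source-level dead-code reasoning should not be used to dismiss or expect results from an APK-level analysis.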