secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

ClassCastException: soot.ArrayType cannot be cast to soot.RefType #215

Open zjbthomas opened 4 years ago

zjbthomas commented 4 years ago

I got the following exception when running FlowDroid v2.7.1, with the latest Soot and Heros from their develop branches:

[main] INFO soot.jimple.infoflow.cmd.MainClass - Analyzing app /path/to/attached/apk (1 of 1)...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
[main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.3747962 seconds
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 152 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] ERROR soot.jimple.infoflow.android.SetupApplication - Could not calculate callback methods
java.lang.ClassCastException: soot.ArrayType cannot be cast to soot.RefType
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.resolveStaticTypes(OnFlyCallGraphBuilder.java:432)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.resolveInvoke(OnFlyCallGraphBuilder.java:372)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addBaseType(OnFlyCallGraphBuilder.java:284)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addType(OnFlyCallGraphBuilder.java:615)
    at soot.jimple.spark.solver.OnFlyCallGraph$2.visit(OnFlyCallGraph.java:139)
    at soot.jimple.spark.sets.HybridPointsToSet.forall(HybridPointsToSet.java:108)
    at soot.jimple.spark.solver.OnFlyCallGraph.updatedNode(OnFlyCallGraph.java:136)
    at soot.jimple.spark.solver.PropWorklist.handleVarNode(PropWorklist.java:158)
    at soot.jimple.spark.solver.PropWorklist.propagate(PropWorklist.java:81)
    at soot.jimple.spark.SparkTransformer.propagatePAG(SparkTransformer.java:238)
    at soot.jimple.spark.SparkTransformer.internalTransform(SparkTransformer.java:155)
    at soot.SceneTransformer.transform(SceneTransformer.java:36)
    at soot.Transform.apply(Transform.java:102)
    at soot.RadioScenePack.internalApply(RadioScenePack.java:68)
    at soot.jimple.toolkits.callgraph.CallGraphPack.internalApply(CallGraphPack.java:58)
    at soot.Pack.apply(Pack.java:117)
    at soot.jimple.infoflow.android.SetupApplication.constructCallgraphInternal(SetupApplication.java:564)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbackMethods(SetupApplication.java:682)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:476)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:446)
    at soot.jimple.infoflow.android.SetupApplication.processEntryPoint(SetupApplication.java:1395)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1361)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1308)
    at soot.jimple.infoflow.cmd.MainClass.run(MainClass.java:333)
    at soot.jimple.infoflow.cmd.MainClass.main(MainClass.java:231)
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
The data flow analysis has failed. Error message: soot.ArrayType cannot be cast to soot.RefType
java.lang.ClassCastException: soot.ArrayType cannot be cast to soot.RefType
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.resolveStaticTypes(OnFlyCallGraphBuilder.java:432)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.resolveInvoke(OnFlyCallGraphBuilder.java:372)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addBaseType(OnFlyCallGraphBuilder.java:284)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addType(OnFlyCallGraphBuilder.java:615)
    at soot.jimple.spark.solver.OnFlyCallGraph$2.visit(OnFlyCallGraph.java:139)
    at soot.jimple.spark.sets.HybridPointsToSet.forall(HybridPointsToSet.java:108)
    at soot.jimple.spark.solver.OnFlyCallGraph.updatedNode(OnFlyCallGraph.java:136)
    at soot.jimple.spark.solver.PropWorklist.handleVarNode(PropWorklist.java:158)
    at soot.jimple.spark.solver.PropWorklist.propagate(PropWorklist.java:81)
    at soot.jimple.spark.SparkTransformer.propagatePAG(SparkTransformer.java:238)
    at soot.jimple.spark.SparkTransformer.internalTransform(SparkTransformer.java:155)
    at soot.SceneTransformer.transform(SceneTransformer.java:36)
    at soot.Transform.apply(Transform.java:102)
    at soot.RadioScenePack.internalApply(RadioScenePack.java:68)
    at soot.jimple.toolkits.callgraph.CallGraphPack.internalApply(CallGraphPack.java:58)
    at soot.Pack.apply(Pack.java:117)
    at soot.jimple.infoflow.android.SetupApplication.constructCallgraphInternal(SetupApplication.java:564)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbackMethods(SetupApplication.java:682)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:476)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:446)
    at soot.jimple.infoflow.android.SetupApplication.processEntryPoint(SetupApplication.java:1395)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1361)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1308)
    at soot.jimple.infoflow.cmd.MainClass.run(MainClass.java:333)
    at soot.jimple.infoflow.cmd.MainClass.main(MainClass.java:231)

Here I attached the app (Spotify): com.spotify.music_51386924_apps.evozi.com.zip

The parameters I used are the following, with the SuSi list:

-a /path/to/attached/apk -p /path/to/android-platforms -s /path/to/susi/list -d -r

Also, I think the problem is in handling reflection, as when I disable -r, there is no exception.

I noticed that a similar issue has been posted before, but it is not fully resolved. May I know what actually will lead to such an exception? Because it happens quite frequently on real-world apps.

Thank you in advance for your help.

StevenArzt commented 4 years ago

This seems to be a problem with the Soot framework for program analysis, on which FlowDroid is built. If I look into the OnFlyCallGraphBuilder class, I further see an empty line 432. Are you sure that you are using the newest version of Soot? How did you build FlowDroid, and how did you resolve the dependencies? Maybe you somehow pulled in an old version of Soot with a bug.

zjbthomas commented 4 years ago

Thank you for your reply.

To make sure I am using a clean version of all tools, I re-cloned FlowDroid, Soot and Heros, all from the develop branches, and imported them into Eclipse. In addition, I commented out the dependency of Soot in the pom.xml of soot-infoflow, so the latest Soot should be used.

The following is the new output:

[main] INFO soot.jimple.infoflow.cmd.MainClass - Analyzing app E:\eDocs\MASc\ISSTA\APKCaseStudy\Login\Top3\com.spotify.music_51386924_apps.evozi.com.apk (1 of 1)...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Initializing Soot...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Loading dex files...
[main] INFO soot.jimple.infoflow.android.SetupApplication - ARSC file parsing took 0.1071159 seconds
[main] INFO soot.jimple.infoflow.android.entryPointCreators.AndroidEntryPointCreator - Creating Android entry point for 152 components...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] ERROR soot.jimple.infoflow.android.SetupApplication - Could not calculate callback methods
java.lang.ClassCastException: soot.ArrayType cannot be cast to soot.RefType
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.resolveStaticTypes(OnFlyCallGraphBuilder.java:436)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.resolveInvoke(OnFlyCallGraphBuilder.java:376)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addBaseType(OnFlyCallGraphBuilder.java:288)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addType(OnFlyCallGraphBuilder.java:608)
    at soot.jimple.spark.solver.OnFlyCallGraph$2.visit(OnFlyCallGraph.java:139)
    at soot.jimple.spark.sets.HybridPointsToSet.forall(HybridPointsToSet.java:108)
    at soot.jimple.spark.solver.OnFlyCallGraph.updatedNode(OnFlyCallGraph.java:136)
    at soot.jimple.spark.solver.PropWorklist.handleVarNode(PropWorklist.java:158)
    at soot.jimple.spark.solver.PropWorklist.propagate(PropWorklist.java:81)
    at soot.jimple.spark.SparkTransformer.propagatePAG(SparkTransformer.java:238)
    at soot.jimple.spark.SparkTransformer.internalTransform(SparkTransformer.java:155)
    at soot.SceneTransformer.transform(SceneTransformer.java:36)
    at soot.Transform.apply(Transform.java:102)
    at soot.RadioScenePack.internalApply(RadioScenePack.java:68)
    at soot.jimple.toolkits.callgraph.CallGraphPack.internalApply(CallGraphPack.java:58)
    at soot.Pack.apply(Pack.java:117)
    at soot.jimple.infoflow.android.SetupApplication.constructCallgraphInternal(SetupApplication.java:565)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbackMethods(SetupApplication.java:677)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:477)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:447)
    at soot.jimple.infoflow.android.SetupApplication.processEntryPoint(SetupApplication.java:1429)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1395)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1342)
    at soot.jimple.infoflow.cmd.MainClass.run(MainClass.java:335)
    at soot.jimple.infoflow.cmd.MainClass.main(MainClass.java:233)
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
The data flow analysis has failed. Error message: soot.ArrayType cannot be cast to soot.RefType
java.lang.ClassCastException: soot.ArrayType cannot be cast to soot.RefType
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.resolveStaticTypes(OnFlyCallGraphBuilder.java:436)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.resolveInvoke(OnFlyCallGraphBuilder.java:376)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addBaseType(OnFlyCallGraphBuilder.java:288)
    at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.addType(OnFlyCallGraphBuilder.java:608)
    at soot.jimple.spark.solver.OnFlyCallGraph$2.visit(OnFlyCallGraph.java:139)
    at soot.jimple.spark.sets.HybridPointsToSet.forall(HybridPointsToSet.java:108)
    at soot.jimple.spark.solver.OnFlyCallGraph.updatedNode(OnFlyCallGraph.java:136)
    at soot.jimple.spark.solver.PropWorklist.handleVarNode(PropWorklist.java:158)
    at soot.jimple.spark.solver.PropWorklist.propagate(PropWorklist.java:81)
    at soot.jimple.spark.SparkTransformer.propagatePAG(SparkTransformer.java:238)
    at soot.jimple.spark.SparkTransformer.internalTransform(SparkTransformer.java:155)
    at soot.SceneTransformer.transform(SceneTransformer.java:36)
    at soot.Transform.apply(Transform.java:102)
    at soot.RadioScenePack.internalApply(RadioScenePack.java:68)
    at soot.jimple.toolkits.callgraph.CallGraphPack.internalApply(CallGraphPack.java:58)
    at soot.Pack.apply(Pack.java:117)
    at soot.jimple.infoflow.android.SetupApplication.constructCallgraphInternal(SetupApplication.java:565)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbackMethods(SetupApplication.java:677)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:477)
    at soot.jimple.infoflow.android.SetupApplication.calculateCallbacks(SetupApplication.java:447)
    at soot.jimple.infoflow.android.SetupApplication.processEntryPoint(SetupApplication.java:1429)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1395)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1342)
    at soot.jimple.infoflow.cmd.MainClass.run(MainClass.java:335)
    at soot.jimple.infoflow.cmd.MainClass.main(MainClass.java:233)

Line 436 of OnFlyCallGraphBuilder should be:

SootClass baseClass = ((RefType) bType).getSootClass();

Also referring to your previous comment here: https://github.com/Sable/soot/issues/40#issuecomment-19319389, I am wondering if this issue may be related to how Spark creates points-to information for a Local?

zjbthomas commented 4 years ago

I figured out the issue actually exists in Soot. I submitted a pull request here with explanations and test cases: https://github.com/Sable/soot/pull/1316.
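
The stack traces in this thread show types from a Spark points-to set reaching an unconditional `(RefType)` cast. As an added illustration (not code from Soot, FlowDroid, or the linked pull request), the sketch below shows a type-checked mapping that one's own Soot-based analysis code could apply before such a cast; `ReceiverTypeGuard` and `dispatchType` are hypothetical names, and the sample types are constructed.

```java
import soot.AnySubType;
import soot.ArrayType;
import soot.IntType;
import soot.RefType;
import soot.Type;

// Added example: hypothetical helper, not part of Soot or FlowDroid.
public class ReceiverTypeGuard {

    /**
     * Maps a type taken from a points-to set to the RefType whose class
     * declares the methods a virtual call on that receiver can dispatch to.
     * Returns null when the type cannot act as a call receiver, so the
     * caller can skip it instead of casting blindly.
     */
    static RefType dispatchType(Type t) {
        if (t instanceof RefType) {
            return (RefType) t;                    // ordinary object type
        }
        if (t instanceof AnySubType) {
            return ((AnySubType) t).getBase();     // "any subtype of X" -> X
        }
        if (t instanceof ArrayType) {
            // Arrays are objects: their methods are inherited from java.lang.Object.
            return RefType.v("java.lang.Object");
        }
        return null;                               // primitives, null type, ...
    }

    public static void main(String[] args) {
        // Constructed sample types, including the array case from the exception.
        Type[] samples = {
            RefType.v("java.lang.String"),
            AnySubType.v(RefType.v("java.lang.CharSequence")),
            ArrayType.v(IntType.v(), 1),
            ArrayType.v(RefType.v("java.lang.String"), 2),
            IntType.v()
        };
        for (Type t : samples) {
            RefType r = dispatchType(t);
            // With a loaded Scene, r.getSootClass() is then safe to call.
            System.out.println(t + " -> " + (r == null ? "skip" : r.getClassName()));
        }
    }
}
```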