search

secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1
1.05k stars 298 forks source link

java.lang.OutOfMemoryError and thread blocking #218

Open xdek42 opened 4 years ago

xdek42 commented 4 years ago

Hello, I encountered two errors when converting Dalvik bytecode to Jimple using Soot, my code is as follows:

private void initSoot(String dexPath) {
        soot.G.reset();
        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().set_output_format(Options.output_format_jimple);
        String androidJarPath = Scene.v().getAndroidJarPath(platformDir, apkPath);
        List<String> pathList = new ArrayList<>();
        pathList.add(dexPath);
        Options.v().set_process_dir(pathList);
        Options.v().set_force_android_jar(androidJarPath);
        Options.v().set_process_multiple_dex(true);
        Options.v().set_no_bodies_for_excluded(true);
        Options.v().set_allow_phantom_refs(true);
        Scene.v().loadNecessaryClasses();
        PackManager.v().runPacks();
    }

1. java.lang.OutOfMemoryError: GC overhead limit exceeded

Sample Apk: https://drive.google.com/open?id=1IX323NMM0M3YKLWSVT2v-u7UNNwCUEXT When I analyze this apk, FlowDroid will encounter OutOfMemoryError

Exception in thread "Thread-5" java.lang.OutOfMemoryError: GC overhead limit exceeded
    at java.util.HashMap.newNode(HashMap.java:1747)
    at java.util.HashMap.putVal(HashMap.java:631)
    at java.util.HashMap.putMapEntries(HashMap.java:515)
    at java.util.HashMap.<init>(HashMap.java:490)
    at soot.jimple.toolkits.typing.fast.Typing.<init>(Typing.java:50)
    at soot.jimple.toolkits.typing.fast.TypeResolver.applyAssignmentConstraints(TypeResolver.java:524)
    at soot.jimple.toolkits.typing.fast.TypeResolver.inferTypes(TypeResolver.java:144)
    at soot.jimple.toolkits.typing.TypeAssigner.internalTransform(TypeAssigner.java:121)
    at soot.BodyTransformer.transform(BodyTransformer.java:55)
    at soot.BodyTransformer.transform(BodyTransformer.java:59)
    at soot.dexpler.DexBody.jimplify(DexBody.java:660)
    at soot.dexpler.DexMethod$1.getBody(DexMethod.java:119)
    at soot.SootMethod.retrieveActiveBody(SootMethod.java:402)
    at soot.PackManager$3.run(PackManager.java:1293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
java.lang.RuntimeException: java.lang.OutOfMemoryError: GC overhead limit exceeded
    at soot.PackManager.retrieveAllBodies(PackManager.java:1315)
    at soot.PackManager.runPacksNormally(PackManager.java:497)
    at soot.PackManager.runPacks(PackManager.java:419)
    at com.glider.vulscan.driver.CheckDriver.initSoot(CheckDriver.java:86)

2. Thread Blocking

Sample Apk: https://drive.google.com/open?id=1fJCSJchxoHhr5skvpAhANPI5l3UsFQ3Q When I analyze this apk, all threads of FlowDroid will be blocked, except one thread. The program does not throw any exceptions, but it will not terminate soot

How can i fix these two errors ?Look forward to your help

StevenArzt commented 4 years ago

Both experiences seem to be related to the same issue, which is memory exhaustion. How much memory did you allocate to FlowDroid? Note that you may need to explicitly increase the Java heap space using the -Xmx parameter, e.g., -Xmx4g for 4 GB of heap space.

You can also try to use a different FlowDroid configuration if you are short on memory on your machine: https://github.com/secure-software-engineering/FlowDroid#configuring-flowdroid-for-performance

xdek42 commented 4 years ago

Thank you for your reply. my -Xms default configuration is 4GB, When I increase the java heap memory to 16G, the program does not throw gc exception, but the thread blocks.

The error occurred in the TypeAssigner step of the jimplify process, I think the reason may be that the code of the target function (Lcom/paopao/lucky/LuckyAutoActivity;->Myclick) caused some kind of infinite loop during the TypeAssigner process, causing soot to allocate memory all the time.

Actual debugging verified my guess, I found an infinite loop.

package soot.jimple.toolkits.typing.fast;
public class TypeResolver {
    private Collection<Typing> applyAssignmentConstraints(Typing tg, IEvalFunction ef, IHierarchy h) {
        final int numAssignments = this.assignments.size();

        LinkedList<Typing> sigma = new LinkedList<Typing>(), r = new LinkedList<Typing>();
        if (numAssignments == 0) {
        return sigma;
        }

        HashMap<Typing, BitSet> worklists = new HashMap<Typing, BitSet>();

        sigma.add(tg);
        BitSet wl = new BitSet(numAssignments - 1);
        wl.set(0, numAssignments);
        worklists.put(tg, wl);
        //Here is an infinite loop
        while (!sigma.isEmpty()) {
            tg = sigma.element();
            wl = worklists.get(tg);
                        ...
                        ...
        }