secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Why does the order of statements affect taint propagation results in Backwards mode? #483

Closed RichardHoOoOo closed 1 year ago

RichardHoOoOo commented 2 years ago

Hi @StevenArzt, following the discussion in #471, I am trying the backward taint propagation of FlowDroid (config.setDataFlowDirection(DataFlowDirection.Backwards)). I found the order of some statements may affect the taint propagation results. In the following example, I set wv.loadUrl (line 6) as the sink and tv.getText (line 3) as the source. Then I register a TaintPropagationHandler to understand the backward propagation process.

// MainActivity.java
1: protected void onCreate(Bundle savedInstanceState) {
2:   tv = (TextView) findViewById(R.id.textView); // tv is a field
3:   String str = tv.getText().toString(); 
4:   wv = (WebView) findViewById(R.id.webview); // wv is a field
5:   btn = (Button) findViewById(R.id.button); // btn is a field
6:   wv.loadUrl(str + str);
7: }

It turns out not only the arguments (str + str) but also the receiver object (wv) of the sink are tainted. This is fine, but the problem in the above example is that btn is also tainted.

If I switch the order of lines 4 and 5 (i.e., put btn = ... before wv = ...), btn is not tainted.

One more interesting thing is that if I change line 6 to wv.loadUrl(str);, btn is not tainted no matter how I order lines 4 and 5.

May I ask why the order of lines 4 and 5 affects the tainting of btn in this example? Is it expected behavior, or did I misconfigure something?

Thanks in advance!
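A harness for reproducing the observation above, added here as an example and not code from FlowDroid or from the reporter: it runs the backward analysis with a TaintPropagationHandler that records every outgoing taint per statement, so one can see at which statement a field such as btn first becomes tainted. The API names used (SetupApplication#setTaintPropagationHandler, the two handler callbacks, the nested DataFlowDirection enum) are assumed from the FlowDroid version I know; the APK, Android platform directory, sources/sinks file and the Activity class name are command-line arguments.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import soot.Unit;
import soot.jimple.infoflow.InfoflowConfiguration;
import soot.jimple.infoflow.InfoflowManager;
import soot.jimple.infoflow.android.InfoflowAndroidConfiguration;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.data.Abstraction;
import soot.jimple.infoflow.handlers.TaintPropagationHandler;
import soot.jimple.infoflow.results.InfoflowResults;

public class BackwardTaintTrace {

    /** Records every (flow function, statement, outgoing taint) triple the solver produces. */
    static class TraceHandler implements TaintPropagationHandler {
        final Set<String> trace = ConcurrentHashMap.newKeySet(); // solver is multi-threaded

        @Override
        public void notifyFlowIn(Unit stmt, Abstraction taint, InfoflowManager manager, FlowFunctionType type) {
            // Only the outgoing side is interesting for this question.
        }

        @Override
        public Set<Abstraction> notifyFlowOut(Unit stmt, Abstraction d1, Abstraction incoming,
                Set<Abstraction> outgoing, InfoflowManager manager, FlowFunctionType type) {
            for (Abstraction out : outgoing)
                trace.add(type + " @ " + stmt + "  ==>  " + out.getAccessPath());
            return outgoing; // return the set unchanged so the analysis itself is not altered
        }
    }

    public static void main(String[] args) throws Exception {
        // args: <apk> <android-platforms-dir> <SourcesAndSinks.txt> <activity class, e.g. com.example.MainActivity>
        String apk = args[0], platforms = args[1], sourcesSinks = args[2], activityClass = args[3];

        InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
        config.getAnalysisFileConfig().setTargetAPKFile(apk);
        config.getAnalysisFileConfig().setAndroidPlatformDir(platforms);
        config.setDataFlowDirection(InfoflowConfiguration.DataFlowDirection.Backwards); // same setting as the report

        SetupApplication app = new SetupApplication(config);
        TraceHandler handler = new TraceHandler();
        app.setTaintPropagationHandler(handler);
        InfoflowResults results = app.runInfoflow(sourcesSinks);

        // Keep only taints whose access path refers to a field of the Activity (e.g. "<...MainActivity: ... btn>").
        handler.trace.stream().filter(s -> s.contains(activityClass + ": ")).sorted().forEach(System.out::println);
        System.out.println((results == null ? 0 : results.size()) + " source-to-sink path(s) found");
    }
}
```

Running it once with the original statement order and once with lines 4 and 5 swapped, then diffing the two printed traces, shows the exact statement and flow function at which the btn field enters the taint set.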