secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Non-deterministic results from --dataflowsolver FLOWINSENSITIVE --pathalgo CONTEXTINSENSITIVE --taintwrapper EASY #718

Open AnnabellaM opened 6 months ago

AnnabellaM commented 6 months ago

Hi,

This issue is related to issue 583 and issue 663.

As a follow-up investigation, I was testing on the commit d6dde9 for nondeterministic behaviors.

As a result, I found an instance that I think could be a remaining nondeterministic issue. After bisecting the configuration flags to reduce the configuration to a minimal reproducer, I found this nondeterminism seems to be related to these three options: --dataflowsolver FLOWINSENSITIVE --pathalgo CONTEXTINSENSITIVE --taintwrapper EASY.

This non-determinism is observed when running FlowDroid on BroadcastReceiverLifecycle2 from DroidBench.

Results

Running FlowDroid 20 times with the above configuration on BroadcastReceiverLifecycle2 outputs 3 different results:

1 run output finding 1 leak from getDeviceId() -> sendBroadcast(android.content.Intent) in onCreate()

10 runs output finding 1 leak from getDeviceId() -> registerReceiver(android.content.BroadcastReceiver,android.content.IntentFilter) in onCreate()

9 runs output finding 2 leaks (both the previous flows together)

However, according to the ground truth of the BroadcastReceiverLifecycle2 project, it seems that only one leak is expected.

Any feedback or insight regarding this issue is really appreciated! Thank you in advance!

AnnabellaM commented 6 months ago

A follow-up on this issue: according to the ground truth of BroadcastReceiverLifecycle2, there seems to be only one leak in this program, and the expected sink should be Log.d("DroidBench", deviceId); in onReceive(). However, both results found by FlowDroid are different from the expected result.

Any feedback or insight on this issue will be very appreciated!
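Added example, not part of the issue thread or of FlowDroid's code: a repeat-run check that buckets runs by their exact leak set, flags flows that appear in only some runs, and compares the union against the ground truth described in the follow-up comment. It assumes each run's leaks have already been extracted as (source, sink, enclosing method) triples; `summarize`, `RUNS` and `EXPECTED` are hypothetical names, and the run data is constructed to mirror the 1 / 10 / 9 split reported above.

```python
from collections import Counter

# Constructed sample data: one set of (source, sink, method) triples per run.
# Extracting these triples from FlowDroid's output is outside this sketch.
SRC = "getDeviceId()"
SEND = (SRC, "sendBroadcast(android.content.Intent)", "onCreate()")
REG = (SRC,
       "registerReceiver(android.content.BroadcastReceiver,"
       "android.content.IntentFilter)",
       "onCreate()")
RUNS = [{SEND}] * 1 + [{REG}] * 10 + [{SEND, REG}] * 9

# Ground truth as described in the follow-up comment.
EXPECTED = {(SRC, 'Log.d("DroidBench", deviceId)', "onReceive()")}


def summarize(runs, expected):
    """Bucket runs by exact leak set and classify every flow that was seen."""
    runs = [frozenset(r) for r in runs]
    buckets = Counter(runs)                        # leak set -> number of runs
    per_flow = Counter(f for r in runs for f in r)  # flow -> runs reporting it
    seen = frozenset().union(*runs)
    return {
        "deterministic": len(buckets) <= 1,
        "outcome_sizes": sorted(buckets.values()),
        # Reported in at least one run but not in all of them.
        "unstable": {f for f in seen if per_flow[f] < len(runs)},
        # Reported by some run but absent from the ground truth.
        "unexpected": set(seen) - set(expected),
        # In the ground truth but never reported by any run.
        "missed": set(expected) - set(seen),
    }


if __name__ == "__main__":
    report = summarize(RUNS, EXPECTED)
    print("deterministic:", report["deterministic"])
    print("runs per distinct outcome:", report["outcome_sizes"])
    for label in ("unstable", "unexpected", "missed"):
        for source, sink, method in sorted(report[label]):
            print(f"{label}: {source} -> {sink} in {method}")
```

Comparing whole leak sets rather than leak counts matters here: two runs that each report one leak can still disagree on which leak it is, as the first two outcomes in the issue do.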