secure-software-engineering / FlowDroid

FlowDroid Static Data Flow Tracker
GNU Lesser General Public License v2.1

Why flowdroid cannot find the path from flow1 to flow2 by taint variable Flow.data1? #728

Closed RabbitDong-on closed 2 months ago

RabbitDong-on commented 2 months ago

    public class Flow {
        public static int data1 = -1;

        public static int flow1(int count) {
            data1++;
            if (count < 1) {
                count++;
            }
            return count;
        }

        public static int flow2(int count) {
            count = count + data1;
            if (count < 2) {
                count++;
            }
            return count;
        }

        public static void entryMethod() {
            // flowdata1 is not declared in the posted snippet
            data1 = flow1(flowdata1);
            flow2(flowdata1);
        }
    }

Source: flow1

Sink: flow2

Entry: entryMethod

data1 is modified by flow1. data1 is used by flow2. Does FlowDroid not support taint analysis for class fields, or do I need to add more rules for taint analysis? Please help me figure out this problem. Thanks.

StevenArzt commented 2 months ago

How did you define your sources and sinks? If the return value of method flow1 is tainted, this will taint variable data1. The variable is never passed to a sink. In your example, I think you should rather define the method that produces flowdata1 as your source.

RabbitDong-on commented 2 months ago

In my code:

    // sources and sinks are initialized here so that the add() calls below work
    List sources = new ArrayList();
    List sinks = new ArrayList();
    List entryPoint = new ArrayList();
    entryPoint.add("<demo.Flow: void entryMethod()>");
    sources.add("<demo.Flow: int flow1(int)>");
    sinks.add("<demo.Flow: int flow2(int)>");
    computeInfoflow(appPath, libPath, entryPoint, sources, sinks);

I use this to compute infoflow.

You mean that flowdroid can transfer taint variable data1 via assign stmt | call parameter | call return value instead of shared memory data1?

StevenArzt commented 2 months ago

There is no flow from data1 to flowdata1. Keep in mind that FlowDroid is flow-sensitive, i.e., the order of statements matters. data1 is derived from flowdata1, but not the other way around.

As I wrote, you should define the method that computes flowdata1 as your source and the flow will be found.
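
The statement-order argument above can be reproduced with a small model, added here as an illustration and not taken from the issue or from FlowDroid's own code. It walks the statements of `entryMethod()` in program order and reports a leak only when a tainted value is passed as an argument to the sink; `readInput()` is a hypothetical stand-in for whatever produces `flowdata1`, which the issue does not show.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Simplified forward, flow-sensitive taint model (an assumption-laden sketch, not FlowDroid). */
public class FlowOrderDemo {
    // One statement of the form: target = callee(arg). target/arg may be null.
    record Stmt(String target, String callee, String arg) {}

    // entryMethod() from the issue, preceded by the hypothetical readInput() call.
    static final List<Stmt> ENTRY = List.of(
            new Stmt("flowdata1", "readInput", null),
            new Stmt("data1", "flow1", "flowdata1"),
            new Stmt(null, "flow2", "flowdata1"));

    /** Returns true if a tainted value reaches the sink as a call argument. */
    static boolean leaks(String source, String sink) {
        Set<String> tainted = new HashSet<>();
        for (Stmt s : ENTRY) { // program order: taint only moves forward
            boolean argTainted = s.arg() != null && tainted.contains(s.arg());
            if (s.callee().equals(sink) && argTainted) {
                return true;
            }
            if (s.target() == null) {
                continue; // return value discarded
            }
            // The result is tainted if the callee is the source, or if a tainted
            // argument flows through it (flow1 returns a value derived from count).
            if (s.callee().equals(source) || argTainted) {
                tainted.add(s.target());
            } else {
                tainted.remove(s.target()); // overwritten with untainted data
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Source = flow1: only data1 is tainted, and data1 is never an argument of flow2.
        System.out.println("source=flow1     leak=" + leaks("flow1", "flow2"));
        // Source = readInput: flowdata1 is tainted before it is passed to flow2.
        System.out.println("source=readInput leak=" + leaks("readInput", "flow2"));
    }
}
```

The model covers only this one straight-line method body; it does not model the read of the static field `data1` inside `flow2`, because the replies define a leak as a tainted value being passed to the sink.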

RabbitDong-on commented 2 months ago

Thanks! I will close this issue.