soot-oss / soot

Soot - A Java optimization framework
GNU Lesser General Public License v2.1

Spark points to analysis got empty set #1192

Open gaojun0816 opened 5 years ago

gaojun0816 commented 5 years ago

I'm using Soot to analyze Android APKs. I'm using FlowDroid to generate the dummy main to instrument the APKs. Then I'm using Spark points-to analysis for a more accurate result. However, all the points-to sets are of type EmptyPointsToSet. So I'm wondering whether I did something wrong or whether there are some issues in Soot. The main method of my analysis is shown below:

```java
public static void main(String[] args) throws IOException {
    if (args.length < 2) {
        System.err.println("Required 2 arguments: APK path and path to Android SDKs");
        return; // stop here instead of indexing into a too-short args array
    }
    Global.apk = args[0];
    Global.androidSdk = args[1];
    String[] opts = {
            "-process-dir", Global.apk,
            "-android-jars", Global.androidSdk,
            "-ire",
            "-allow-phantom-refs",
            "-process-multiple-dex",
            "-src-prec", "apk",
            "-w",
            "-p", "cg", "enabled:true",
            "-p", "cg.spark", "enabled:true",
            "-p", "cg.spark", "propagator:worklist",
            "-p", "cg.spark", "simple-edges-bidirectional:false",
            "-p", "cg.spark", "on-fly-cg:true",
            "-p", "cg.spark", "set-impl:double",
            "-p", "cg.spark", "double-set-old:hybrid",
            "-p", "cg.spark", "double-set-new:hybrid",
            "-p", "jop.cpf", "enabled:true",
            "-output-format", "n"
    };
    SootMethod entryPoint = createEntryPoint();
    G.reset();
    Options.v().set_main_class(entryPoint.getSignature());
    Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
    Analyzer analyzer = new Analyzer();
    PackManager.v().getPack("wjtp").add(new Transform("wjtp.analyzer", analyzer));
    soot.Main.main(opts);
}
```

The method I used to generate the dummy main is shown below:

```java
private static SootMethod createEntryPoint() {
    String ssf = "SourcesAndSinks.txt";
    SetupApplication app = new SetupApplication(Global.androidSdk, Global.apk);
    try {
        app.runInfoflow(ssf);
    } catch (IOException e) {
        e.printStackTrace();
    } catch (XmlPullParserException e) {
        e.printStackTrace();
    }
    return app.getDummyMainMethod();
}
```

I obtained the points-to analysis in the transformer (i.e., "analyzer" object) by using:

```java
PointsToAnalysis pta = Scene.v().getPointsToAnalysis();
```

I found relevant local variables by looping over all statements. For a found variable "$r" at statement "stmt", to get the points-to set "ps", I did the following:

```java
PointsToSet ps = pta.reachingObjects(stmt, (Local) v);
```

But the issue is that every "ps" I get is empty. I'm using FlowDroid 2.7.1 and the Soot snapshot from 08-Aug-2019 12:13.

Waiting for your kind reply and thanks a lot!

ericbodden commented 5 years ago

@StevenArzt do you have any idea?

dah-fari7009 commented 3 years ago

Hi, I was wondering if this issue was ever resolved. I am having the same problem with this snippet of code:

```java
int id = menuItem.getItemId();

Fragment fragmentToShow = null;
switch (id) {
    case R.id.nav_home:
        fragmentToShow = new HomeFragment();
        break;
    case R.id.nav_gallery:
        fragmentToShow = new GalleryFragment();
        break;
    case R.id.nav_slideshow:
        fragmentToShow = new SlideshowFragment();
        break;
}
if (fragmentToShow != null) {
    fragmentManager.beginTransaction().replace(R.id.fragment_container, fragmentToShow).commit();
}
```

where I am trying to determine the variables pointing to fragmentToShow but get an EmptyPointsToSet as a result.

Thanks