
PointsToAnalysis becomes a DumbPointerAnalysis after app.runInfoflow()

Open RichardHoOoOo opened this issue 3 years ago • 5 comments

Hi @StevenArzt

It seems PointsToAnalysis becomes a DumbPointerAnalysis after SetupApplication.runInfoflow(). As a result, some post-processing tasks that rely on points-to information cannot be done after taint analysis.

May I ask whether this is intended behavior of FlowDroid, or did I forget to configure something? If it is intended, maybe I can grab a snapshot of PointsToAnalysis right after SetupApplication.constructCallgraph.

RichardHoOoOo avatar Nov 01 '22 08:11 RichardHoOoOo

This looks like a bug. I guess the pointer analysis is released at some point. If someone requests a pointer analysis after it has been released, Soot dishes out a DumbPointerAnalysis. The interesting question would be where and why the release happens.

StevenArzt avatar Nov 01 '22 08:11 StevenArzt

Yes, I have searched for the call sites of Scene.v().releasePointsToAnalysis(), but it seems they are called at the right places.

RichardHoOoOo avatar Nov 01 '22 08:11 RichardHoOoOo

I'd expect that from a static point of view. Set a breakpoint. My guess is that FlowDroid optimizes the code and thereby loses the points-to information. Depending on the type of change, we might be able to back it up before and then restore it later.

StevenArzt avatar Nov 01 '22 08:11 StevenArzt

I see, thanks for your idea. BTW, if we use the default aliasing algorithm (i.e., FlowSensitive), the release of the pointer analysis will not have any side effects, right?

RichardHoOoOo avatar Nov 01 '22 08:11 RichardHoOoOo

Mostly. The PtS information is still used, e.g., for some typing checks. Those should then assume that all casts are valid, I guess.

StevenArzt avatar Nov 01 '22 08:11 StevenArzt
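The workaround proposed in the opening post (snapshot the PointsToAnalysis right after constructCallgraph and use the snapshot for post-processing) as an added example; this is editor-written code, not part of the issue thread and not FlowDroid's own. It assumes a FlowDroid setup with a real APK path, Android platforms directory and source/sink file (the three constants are placeholders), the public SetupApplication.constructCallgraph() and runInfoflow() methods, and Soot's documented behavior that Scene.v().getPointsToAnalysis() hands out DumbPointerAnalysis.v() whenever no analysis is currently set. It also shows the check a practitioner would want before trusting the snapshot: the Locals it was built over must still be the Locals in the method bodies after the taint analysis, otherwise the saved object answers queries about IR that no longer exists.

```java
import soot.Local;
import soot.PointsToAnalysis;
import soot.PointsToSet;
import soot.Scene;
import soot.SootMethod;
import soot.jimple.infoflow.android.InfoflowAndroidConfiguration;
import soot.jimple.infoflow.android.SetupApplication;
import soot.jimple.infoflow.results.InfoflowResults;
import soot.jimple.toolkits.pointer.DumbPointerAnalysis;

import java.util.ArrayList;
import java.util.List;

public class PtaSnapshotExample {

    // Placeholders: replace with a real APK, platforms dir and source/sink file.
    private static final String APK = "/path/to/app.apk";
    private static final String PLATFORMS = "/path/to/android-sdk/platforms";
    private static final String SOURCES_SINKS = "/path/to/SourcesAndSinks.txt";

    public static void main(String[] args) throws Exception {
        InfoflowAndroidConfiguration config = new InfoflowAndroidConfiguration();
        config.getAnalysisFileConfig().setTargetAPKFile(APK);
        config.getAnalysisFileConfig().setAndroidPlatformDir(PLATFORMS);
        config.getAnalysisFileConfig().setSourceSinkFile(SOURCES_SINKS);

        SetupApplication app = new SetupApplication(config);

        // Step 1: build the call graph. This is where Spark (or whichever
        // pointer analysis is configured) populates the Scene.
        app.constructCallgraph();

        // Step 2: snapshot the analysis object now, while it is still a real one.
        PointsToAnalysis snapshot = Scene.v().getPointsToAnalysis();
        if (snapshot instanceof DumbPointerAnalysis) {
            throw new IllegalStateException(
                "No real pointer analysis after constructCallgraph(); check the callgraph config");
        }
        // Remember which Locals the snapshot was computed over, so we can
        // detect later whether FlowDroid rewrote the bodies underneath it.
        SootMethod probe = Scene.v().getEntryPoints().get(0);
        List<Local> localsBefore = new ArrayList<>(probe.retrieveActiveBody().getLocals());

        // Step 3: run the taint analysis. Afterwards the Scene may only hold
        // a DumbPointerAnalysis, which is the symptom reported in this issue.
        InfoflowResults results = app.runInfoflow();
        System.out.println("Leaks found: " + (results == null ? 0 : results.size()));

        PointsToAnalysis afterRun = Scene.v().getPointsToAnalysis();
        System.out.println("Scene PTA after runInfoflow(): " + afterRun.getClass().getName());

        // Step 4: validate the snapshot before using it for post-processing.
        // If the IR was rewritten, the Local objects differ and reachingObjects()
        // on the snapshot would silently return empty or stale sets.
        List<Local> localsAfter = new ArrayList<>(probe.retrieveActiveBody().getLocals());
        boolean bodyUnchanged = localsBefore.equals(localsAfter);
        System.out.println("Probe method body unchanged: " + bodyUnchanged);

        if (!bodyUnchanged) {
            System.out.println("Snapshot refers to pre-optimization IR; do not query it with new Locals");
            return;
        }

        // Step 5: post-processing with points-to information that survived the run.
        for (Local l : localsAfter) {
            PointsToSet pts = snapshot.reachingObjects(l);
            if (!pts.isEmpty()) {
                System.out.println(l.getName() + " may point to types " + pts.possibleTypes());
            }
        }
    }
}
```

The Locals comparison is a cheap proxy, not a proof: Soot's Local.equals is identity-based in practice, so if FlowDroid replaced or regenerated a method body the lists will differ and the snapshot should be treated as describing the old program. If the lists match, the saved PointsToAnalysis can still be used even though Scene.v().getPointsToAnalysis() now returns a DumbPointerAnalysis; that is the situation the thread asks about, and it is why reading the Scene lazily after runInfoflow() is what breaks post-processing.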