
flowThrough method get wrong analysis order of loop statements

Open · Arielwyy opened this issue 2 years ago · 1 comment

When I override the flowThrough method to analyze for loops, I get the wrong order of statements.

The source .class file is:

public void badSink() {
    …(some omitted)

    for(int var5 = 0; var5 < var4; ++var5) {
        String var6 = var3[var5];
        var2.func1(var6);
    }
    var2.func2();
}

I get the method body like this:

public void badSink()
{
    …(some omitted)

 label1:
    if l5 >= l4 goto label2;

    l6 = l3[l5];

    virtualinvoke l2.<cn.aaa.ForLoop: void func1(java.lang.String)>(l6);

    l5 = l5 + 1;

    goto label1;

 label2:
    virtualinvoke l2.<cn.aaa.ForLoop: void fun2()>();

    return;
}

But when I call flowThrough, I get the wrong order of statements like this:

…(some omitted)
if l5 >= l4 goto virtualinvoke l2.<cn.aaa.ForLoop: void fun2()>()
virtualinvoke l2.<cn.aaa.ForLoop: void fun2()>()
return
l6 = l3[l5]
virtualinvoke l2.<cn.aaa.ForLoop: void fun1(java.lang.String)>(l6)
l5 = l5 + 1
goto [?= (branch)]

The statements virtualinvoke l2.<cn.aaa.ForLoop: void fun2()>() and return were analyzed before l6 = l3[l5] and the subsequent statements. It gives me the wrong result for my analysis.

Arielwyy avatar Apr 29 '22 04:04 Arielwyy

There is no guarantee about the order of analysis. The only guarantee is that the iteration continues until it reaches a fixed point. When analyzing a statement, flowThrough is called with values from that statement's predecessors. If those values are incorrect, then maybe there's something worth looking at. But in general you should count on a statement being called with flowThrough multiple times.

patricklam avatar Apr 29 '22 04:04 patricklam
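To make the reply concrete, the following is a small stand-alone Python model of the worklist iteration that a forward dataflow analysis such as Soot's ForwardFlowAnalysis performs, run over the loop from the Jimple body quoted in the issue. It is an added example and not code from Soot or from either participant. It assumes a loop initialiser `l5 = 0` standing in for the omitted statements before label1, and it uses reaching definitions as the analysis. Two things it shows: flowThrough is invoked on the loop statements more than once, and starting from the issue's "wrong" order yields exactly the same fixed point as textual order, whereas a single pass in textual order misses the definition flowing around the back edge.

```python
"""Model of the fixed-point contract behind Soot's ForwardFlowAnalysis,
applied to the for-loop CFG from the issue (reaching definitions)."""
from collections import deque

# CFG reconstructed from the Jimple body in the issue. "l5 = 0" is an
# assumption standing in for the omitted loop initialiser (int var5 = 0).
INIT = "l5 = 0"
COND = "if l5 >= l4 goto label2"           # label1
LOAD = "l6 = l3[l5]"
FUNC1 = "virtualinvoke l2.func1(l6)"
INCR = "l5 = l5 + 1"
GOTO = "goto label1"
FUNC2 = "virtualinvoke l2.fun2()"          # label2
RET = "return"

SUCC = {
    INIT: [COND],
    COND: [LOAD, FUNC2],   # fall through into the body, or branch to label2
    LOAD: [FUNC1],
    FUNC1: [INCR],
    INCR: [GOTO],
    GOTO: [COND],          # back edge to label1
    FUNC2: [RET],
    RET: [],
}
PRED = {s: [p for p, ss in SUCC.items() if s in ss] for s in SUCC}

# Statements that define a local (statement -> local written).
DEFS = {INIT: "l5", LOAD: "l6", INCR: "l5"}

TEXTUAL_ORDER = [INIT, COND, LOAD, FUNC1, INCR, GOTO, FUNC2, RET]
# The visiting order reported in the issue: exit path before the loop body.
ISSUE_ORDER = [INIT, COND, FUNC2, RET, LOAD, FUNC1, INCR, GOTO]


def flow_through(inset, stmt):
    """Transfer function for one statement: out = (in - kill) | gen."""
    var = DEFS.get(stmt)
    if var is None:
        return frozenset(inset)
    kill = {d for d in inset if DEFS[d] == var}
    return frozenset((inset - kill) | {stmt})


def merge(a, b):
    """May-analysis merge at join points: union of predecessor out-sets."""
    return frozenset(a | b)


def fixed_point(order):
    """Worklist iteration in the spirit of doAnalysis(): a statement is
    re-analysed whenever a predecessor's out-set changes, until nothing
    changes. Returns (flow_before, trace of flow_through invocations)."""
    before = {s: frozenset() for s in SUCC}
    after = {s: frozenset() for s in SUCC}
    worklist = deque(order)
    trace = []
    while worklist:
        s = worklist.popleft()
        inset = frozenset()
        for p in PRED[s]:
            inset = merge(inset, after[p])   # entry statement has no preds
        before[s] = inset
        trace.append(s)
        out = flow_through(inset, s)
        if out != after[s]:
            after[s] = out
            for succ in SUCC[s]:
                if succ not in worklist:
                    worklist.append(succ)
    return before, trace


def single_pass(order):
    """What the issue implicitly expects: every statement analysed exactly
    once, in the given order. The back edge's contribution is never seen."""
    after = {s: frozenset() for s in SUCC}
    before = {}
    for s in order:
        inset = frozenset()
        for p in PRED[s]:
            inset = merge(inset, after[p])
        before[s] = inset
        after[s] = flow_through(inset, s)
    return before


if __name__ == "__main__":
    before, trace = fixed_point(ISSUE_ORDER)
    print("flowThrough call order:", trace)
    print("defs reaching the loop condition:", sorted(before[COND]))
    print("single pass misses:", sorted(before[COND] - single_pass(TEXTUAL_ORDER)[COND]))
```

Running the script prints a trace in which `fun2()` and `return` are visited before `l6 = l3[l5]`, just as in the issue, and then the condition and the loop body are visited a second time after `goto label1` has propagated the incremented `l5`. The per-statement result is the same for both orders; what matters is that flowThrough treats each call as a fresh computation from its in-set and that merge is a proper join, so repeated calls only refine the answer until the fixed point.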