Merge pull request #557 from timll/parameterMismatch

Notes on argument/parameter mismatch

Author: StevenArzt

soot-infoflow/src/soot/jimple/infoflow/problems/BackwardsInfoflowProblem.java

@@ -570,7 +570,8 @@ private Set<Abstraction> computeTargetsInternal(Abstraction d1, Abstraction sour
 								if (abs != null)
 									res.add(abs);
 							}
-						} else if (ie != null && dest.getParameterCount() > 0) {
+						} else if (ie != null && dest.getParameterCount() > 0
+									&& (isReflectiveCallSite || ie.getArgCount() == dest.getParameterCount())) {
 							for (int i = isReflectiveCallSite ? 1 : 0; i < ie.getArgCount(); i++) {
 								if (!aliasing.mayAlias(ie.getArg(i), source.getAccessPath().getPlainValue()))
 									continue;
@@ -588,17 +589,18 @@ private Set<Abstraction> computeTargetsInternal(Abstraction d1, Abstraction sour
 								if (interproceduralCFG().methodWritesValue(dest, paramLocals[i]))
 									continue;
 
-								// taint all parameters if reflective call site
 								if (isReflectiveCallSite) {
+									// taint all parameters if the arg array of an reflective
+									// call site is tainted
 									for (Value param : paramLocals) {
 										AccessPath ap = manager.getAccessPathFactory()
 												.copyWithNewValue(source.getAccessPath(), param, null, false);
 										Abstraction abs = source.deriveNewAbstraction(ap, stmt);
 										if (abs != null)
 											res.add(abs);
 									}
-									// taint just the tainted parameter
 								} else {
+									// taint just the tainted parameter
 									AccessPath ap = manager.getAccessPathFactory()
 											.copyWithNewValue(source.getAccessPath(), paramLocals[i]);
 									Abstraction abs = source.deriveNewAbstraction(ap, stmt);
@@ -609,6 +611,12 @@ private Set<Abstraction> computeTargetsInternal(Abstraction d1, Abstraction sour
 							}
 						}
 
+						// Sometimes callers have more arguments than the callee parameters, e.g.
+						// because one argument is resolved in native code. A concrete example is
+						// sendMessageDelayed(android.os.Message, int)
+						//   -> handleMessage(android.os.Message message)
+						// TODO: handle argument/parameter mismatch for some special cases
+
 						return res;
 					}
 				};

soot-infoflow/src/soot/jimple/infoflow/problems/InfoflowProblem.java

@@ -1007,14 +1007,7 @@ private Set<AccessPath> mapAccessPathToCallee(final SootMethod callee, final Inv
 										if (newAP != null)
 											res.add(newAP);
 									}
-								} else if (i < paramLocals.length) {
-									// Sometimes callers have more arguments than the callee parameters. For
-									// example, this is the case on a call from
-									// sendMessageDelayed(android.os.Message, int)
-									// to the callee handler handleMessage(android.os.Message message). The delay is
-									// handled native and not present in the call-graph. In this case, we just break
-									// out of the loop as no more params are left to be mapped into the callee
-
+								} else {
 									// Taint the corresponding parameter local in the callee
 									AccessPath newAP = manager.getAccessPathFactory().copyWithNewValue(ap,
 											paramLocals[i]);
@@ -1024,6 +1017,12 @@ private Set<AccessPath> mapAccessPathToCallee(final SootMethod callee, final Inv
 							}
 						}
 					}
+
+					// Sometimes callers have more arguments than the callee parameters, e.g.
+					// because one argument is resolved in native code. A concrete example is
+					// sendMessageDelayed(android.os.Message, int)
+					//   -> handleMessage(android.os.Message message)
+					// TODO: handle argument/parameter mismatch for some special cases
 				}
 				return res;
 			}