Merge branch 'develop' of github.com:secure-software-engineering/FlowDroid into develop

Author: StevenArzt

README.MD

@@ -109,7 +109,7 @@ Steven Arzt</a> is a good place to start.
 ## Contributing to FlowDroid
 
 Contributions are always welcome. FlowDroid is an open source project that we published in the hope that it will be useful to
-the research community as a whole. If you have a new feature of a bug fix that you would like to see in the official code
+the research community as a whole. If you have a new feature or a bug fix that you would like to see in the official code
 repository, please open a merge request here on Github and contact us (see below) with a short description of what you have
 done.
 

soot-infoflow-android/src/soot/jimple/infoflow/android/iccta/IccRedirectionCreator.java

@@ -181,6 +181,7 @@ protected SootMethod generateRedirectMethodForStartActivityForResult(SootClass o
 		dummyMainClass.addMethod(newSM);
 		final JimpleBody b = Jimple.v().newBody(newSM);
 		newSM.setActiveBody(b);
+		newSM.addTag(SimulatedCodeElementTag.TAG);
 
 		LocalGenerator lg = new LocalGenerator(b);
 
@@ -228,13 +229,14 @@ protected SootMethod generateRedirectMethodForStartActivityForResult(SootClass o
 	protected SootMethod generateRedirectMethod(SootClass wrapper) {
 		SootMethod targetDummyMain = componentToEntryPoint.getEntryPoint(wrapper);
 		if (targetDummyMain == null) {
-			logger.warn(String.format("Destination component %s has no dummy main method", wrapper.getName()));
+			logger.warn("Destination component {} has no dummy main method", wrapper.getName());
 			return null;
 		}
 
 		String newSM_name = "redirector" + num++;
 		SootMethod newSM = Scene.v().makeSootMethod(newSM_name, Collections.<Type>singletonList(INTENT_TYPE),
 				VoidType.v(), Modifier.STATIC | Modifier.PUBLIC);
+		newSM.addTag(SimulatedCodeElementTag.TAG);
 		dummyMainClass.addMethod(newSM);
 		JimpleBody b = Jimple.v().newBody(newSM);
 		newSM.setActiveBody(b);
@@ -260,12 +262,13 @@ protected SootMethod generateRedirectMethod(SootClass wrapper) {
 	protected SootMethod generateRedirectMethodForStartActivity(SootClass wrapper) {
 		SootMethod targetDummyMain = componentToEntryPoint.getEntryPoint(wrapper);
 		if (targetDummyMain == null) {
-			logger.warn(String.format("Destination component %s has no dummy main method", wrapper.getName()));
+			logger.warn("Destination component {} has no dummy main method", wrapper.getName());
 			return null;
 		}
 		String newSM_name = "redirector" + num++;
 		SootMethod newSM = Scene.v().makeSootMethod(newSM_name, Collections.<Type>singletonList(INTENT_TYPE),
 				VoidType.v(), Modifier.STATIC | Modifier.PUBLIC);
+		newSM.addTag(SimulatedCodeElementTag.TAG);
 		dummyMainClass.addMethod(newSM);
 		JimpleBody b = Jimple.v().newBody(newSM);
 		newSM.setActiveBody(b);
@@ -291,12 +294,12 @@ protected SootMethod generateRedirectMethodForStartActivity(SootClass wrapper) {
 	protected SootMethod generateRedirectMethodForBindService(SootClass serviceConnection, SootClass destComp) {
 		ServiceEntryPointInfo entryPointInfo = (ServiceEntryPointInfo) componentToEntryPoint.get(destComp);
 		if (entryPointInfo == null) {
-			logger.warn(String.format("Destination component %s has no dummy main method", destComp.getName()));
+			logger.warn("Destination component {} has no dummy main method", destComp.getName());
 			return null;
 		}
 		SootMethod targetDummyMain = entryPointInfo.getEntryPoint();
 		if (targetDummyMain == null) {
-			logger.warn(String.format("Destination component %s has no dummy main method", destComp.getName()));
+			logger.warn("Destination component {} has no dummy main method", destComp.getName());
 			return null;
 		}
 		String newSM_name = "redirector" + num++;
@@ -307,6 +310,7 @@ protected SootMethod generateRedirectMethodForBindService(SootClass serviceConne
 
 		SootMethod newSM = Scene.v().makeSootMethod(newSM_name, newSM_parameters, VoidType.v(),
 				Modifier.STATIC | Modifier.PUBLIC);
+		newSM.addTag(SimulatedCodeElementTag.TAG);
 		dummyMainClass.addMethod(newSM);
 		JimpleBody b = Jimple.v().newBody(newSM);
 		newSM.setActiveBody(b);
@@ -342,7 +346,7 @@ protected SootMethod generateRedirectMethodForBindService(SootClass serviceConne
 		Local iLocal1 = lg.generateLocal(RefType.v("android.content.ComponentName"));
 		b.getUnits().add(Jimple.v().newAssignStmt(iLocal1, NullConstant.v()));
 
-		List<Value> args = new ArrayList<Value>();
+		List<Value> args = new ArrayList<>();
 		args.add(iLocal1);
 		args.add(ibinderLocal);
 		SootClass sc = Scene.v().getSootClass(originActivityParameterLocal.getType().toString());
@@ -363,6 +367,7 @@ protected SootMethod generateRedirectMethodForContentProvider(Stmt iccStmt, Soot
 		String newSM_name = "redirector" + num++;
 		SootMethod newSM = Scene.v().makeSootMethod(newSM_name, iccMethod.getParameterTypes(),
 				iccMethod.getReturnType(), Modifier.STATIC | Modifier.PUBLIC);
+		newSM.addTag(SimulatedCodeElementTag.TAG);
 		dummyMainClass.addMethod(newSM);
 		JimpleBody b = Jimple.v().newBody(newSM);
 		newSM.setActiveBody(b);
@@ -419,7 +424,7 @@ protected void insertRedirectMethodCallAfterIccMethod(IccLink link, SootMethod r
 
 		// specially deal with startActivityForResult since they have two
 		// parameters
-		List<Value> args = new ArrayList<Value>();
+		List<Value> args = new ArrayList<>();
 		if (callee.getNumberedSubSignature().equals(subsigStartActivityForResult)) {
 			InstanceInvokeExpr iiexpr = (InstanceInvokeExpr) fromStmt.getInvokeExpr();
 			args.add(iiexpr.getBase());
@@ -451,8 +456,9 @@ protected void insertRedirectMethodCallAfterIccMethod(IccLink link, SootMethod r
 		redirectCallU.addTag(SimulatedCodeElementTag.TAG);
 		units.insertAfter(redirectCallU, link.getFromU());
 		instrumentedUnits.put(body, redirectCallU);
-		if (instrumentationCallback != null)
+		if (instrumentationCallback != null) {
 			instrumentationCallback.onRedirectorCallInserted(link, redirectCallU, redirectMethod);
+		}
 
 		// remove the real ICC methods call stmt
 		// link.getFromSM().retrieveActiveBody().getUnits().remove(link.getFromU());

soot-infoflow-android/src/soot/jimple/infoflow/android/source/ConfigurationBasedCategoryFilter.java

@@ -62,20 +62,24 @@ public SourceSinkType filter(CategoryDefinition category, SourceSinkType sourceS
 		CategoryMode sourceMode = config.getSourceCategoriesAndModes().get(category);
 		CategoryMode sinkMode = config.getSinkCategoriesAndModes().get(category);
 
-		if (config.getSourceFilterMode() == SourceSinkFilterMode.UseAllButExcluded) {
-			if (sourceSinkType == SourceSinkType.Source || sourceSinkType == SourceSinkType.Both)
+		if (sourceSinkType == SourceSinkType.Source || sourceSinkType == SourceSinkType.Both) {
+			if (config.getSourceFilterMode() == SourceSinkFilterMode.UseAllButExcluded) {
 				if (sourceMode != null && sourceMode == CategoryMode.Exclude)
 					sourceSinkType = sourceSinkType.removeType(SourceSinkType.Source);
-			if (sourceSinkType == SourceSinkType.Sink || sourceSinkType == SourceSinkType.Both)
-				if (sinkMode != null && sinkMode == CategoryMode.Exclude)
-					sourceSinkType = sourceSinkType.removeType(SourceSinkType.Sink);
-		} else if (config.getSourceFilterMode() == SourceSinkFilterMode.UseOnlyIncluded) {
-			if (sourceSinkType == SourceSinkType.Source || sourceSinkType == SourceSinkType.Both)
+			} else if (config.getSourceFilterMode() == SourceSinkFilterMode.UseOnlyIncluded) {
 				if (sourceMode == null || sourceMode != CategoryMode.Include)
 					sourceSinkType = sourceSinkType.removeType(SourceSinkType.Source);
-			if (sourceSinkType == SourceSinkType.Sink || sourceSinkType == SourceSinkType.Both)
-				if (sourceMode == null || sinkMode != CategoryMode.Include)
+			}
+		}
+
+		if (sourceSinkType == SourceSinkType.Sink || sourceSinkType == SourceSinkType.Both) {
+			if (config.getSinkFilterMode() == SourceSinkFilterMode.UseAllButExcluded) {
+				if (sinkMode != null && sinkMode == CategoryMode.Exclude)
+					sourceSinkType = sourceSinkType.removeType(SourceSinkType.Sink);
+			} else if (config.getSinkFilterMode() == SourceSinkFilterMode.UseOnlyIncluded) {
+				if (sinkMode == null || sinkMode != CategoryMode.Include)
 					sourceSinkType = sourceSinkType.removeType(SourceSinkType.Sink);
+			}
 		}
 
 		return sourceSinkType;

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/data/summary/MethodFlow.java

@@ -242,8 +242,13 @@ public String toString() {
 	}
 
 	public boolean getIgnoreTypes() {
-		if (ignoreTypes == null)
+		if (ignoreTypes == null) {
+			if (typeChecking != null && !typeChecking.booleanValue()) {
+				if ("java.lang.Object[]".equals(to.getLastFieldType()))
+					return true;
+			}
 			return false;
+		}
 		return ignoreTypes;
 	}
 

soot-infoflow-summaries/src/soot/jimple/infoflow/methodSummary/taintWrappers/SummaryTaintWrapper.java

@@ -1689,15 +1689,15 @@ private Taint addSinkTaint(MethodFlow flow, Taint taint, GapDefinition gap) {
 		if (flowSink.getType() == SourceSinkType.GapBaseObject && remainingFields != null && !remainingFields.isEmpty())
 			sourceSinkType = SourceSinkType.Field;
 
-		// Compute the new base type
-		Type newBaseType = TypeUtils.getMorePreciseType(taintType, sinkType);
-		if (newBaseType == null)
-			newBaseType = sinkType;
 		String sBaseType = sinkType == null ? null : "" + sinkType;
-
-		// Set the correct type. In case x -> b.x, the new type is not the type
-		// of b, but of the field x.
 		if (!flow.getIgnoreTypes()) {
+			// Compute the new base type
+			Type newBaseType = TypeUtils.getMorePreciseType(taintType, sinkType);
+			if (newBaseType == null)
+				newBaseType = sinkType;
+
+			// Set the correct type. In case x -> b.x, the new type is not the type
+			// of b, but of the field x.
 			if (flowSink.hasAccessPath()) {
 				if (appendedFields != null)
 					appendedFields = appendedFields.updateFieldType(flowSink.getAccessPathLength() - 1,

soot-infoflow/src/soot/jimple/infoflow/codeOptimization/InterproceduralConstantValuePropagator.java

@@ -58,6 +58,7 @@
 import soot.jimple.infoflow.entryPointCreators.BaseEntryPointCreator;
 import soot.jimple.infoflow.entryPointCreators.IEntryPointCreator;
 import soot.jimple.infoflow.entryPointCreators.SimulatedCodeElementTag;
+import soot.jimple.infoflow.solver.cfg.IInfoflowCFG;
 import soot.jimple.infoflow.sourcesSinks.manager.ISourceSinkManager;
 import soot.jimple.infoflow.taintWrappers.ITaintPropagationWrapper;
 import soot.jimple.infoflow.util.SystemClassHandler;
@@ -127,7 +128,7 @@ public InterproceduralConstantValuePropagator(InfoflowManager manager) {
 	public InterproceduralConstantValuePropagator(InfoflowManager manager, Collection<SootMethod> excludedMethods,
 			ISourceSinkManager sourceSinkManager, ITaintPropagationWrapper taintWrapper) {
 		this.manager = manager;
-		this.excludedMethods = new HashSet<SootMethod>(excludedMethods);
+		this.excludedMethods = new HashSet<>(excludedMethods);
 		this.sourceSinkManager = sourceSinkManager;
 		this.taintWrapper = taintWrapper;
 	}
@@ -256,7 +257,7 @@ protected void internalTransform(String phaseName, Map<String, String> options)
 						continue;
 
 					boolean allCalleesRemoved = true;
-					Set<SootClass> exceptions = new HashSet<SootClass>();
+					Set<SootClass> exceptions = new HashSet<>();
 					for (Iterator<Edge> edgeIt = Scene.v().getCallGraph().edgesOutOf(s); edgeIt.hasNext();) {
 						Edge edge = edgeIt.next();
 						SootMethod callee = edge.tgt();
@@ -392,10 +393,11 @@ private boolean typeSupportsConstants(Type returnType) {
 	 * @param sm The method whose value to propagate
 	 */
 	private void propagateReturnValueIntoCallers(SootMethod sm) {
+		final IInfoflowCFG icfg = manager.getICFG();
 		// We need to make sure that all exit nodes agree on the same
 		// constant value
 		Constant value = null;
-		for (Unit retSite : manager.getICFG().getEndPointsOf(sm)) {
+		for (Unit retSite : icfg.getEndPointsOf(sm)) {
 			// Skip exceptional exits
 			if (!(retSite instanceof ReturnStmt))
 				continue;
@@ -411,7 +413,7 @@ private void propagateReturnValueIntoCallers(SootMethod sm) {
 
 		// Propagate the return value into the callers
 		if (value != null)
-			for (Unit callSite : manager.getICFG().getCallersOf(sm))
+			for (Unit callSite : icfg.getCallersOf(sm))
 				if (callSite instanceof AssignStmt) {
 					AssignStmt assign = (AssignStmt) callSite;
 
@@ -427,13 +429,13 @@ private void propagateReturnValueIntoCallers(SootMethod sm) {
 
 					// Make sure that we don't access anything we have already
 					// removed
-					SootMethod caller = manager.getICFG().getMethodOf(assign);
+					SootMethod caller = icfg.getMethodOf(assign);
 					if (caller == null || !caller.getActiveBody().getUnits().contains(assign))
 						continue;
 
 					// If the call site has multiple callees, we cannot
 					// propagate a single constant
-					Collection<SootMethod> callees = manager.getICFG().getCalleesOfCallAt(callSite);
+					Collection<SootMethod> callees = icfg.getCalleesOfCallAt(callSite);
 					if (callees != null && callees.size() > 1)
 						continue;
 
@@ -478,7 +480,7 @@ private void propagateReturnValueIntoCallers(SootMethod sm) {
 	}
 
 	private void fixExceptions(SootMethod caller, Unit callSite) {
-		fixExceptions(caller, callSite, new HashSet<SootClass>());
+		fixExceptions(caller, callSite, new HashSet<>());
 	}
 
 	private void fixExceptions(SootMethod caller, Unit callSite, Set<SootClass> doneSet) {
@@ -493,6 +495,7 @@ private void fixExceptions(SootMethod caller, Unit callSite, Set<SootClass> done
 					if (exceptionClass == null) {
 						exceptionClass = Scene.v().makeSootClass("FLOWDROID_EXCEPTIONS", Modifier.PUBLIC);
 						exceptionClass.setSuperclass(Scene.v().getSootClass("java.lang.Object"));
+						exceptionClass.addTag(SimulatedCodeElementTag.TAG);
 						Scene.v().addClass(exceptionClass);
 					}
 
@@ -541,9 +544,10 @@ protected SootMethod createDummyMainInternal() {
 						protected void createEmptyMainMethod() {
 							// Make sure that we don't end up with duplicate method names
 							int methodIdx = exceptionThrowers.size();
+							String baseName = "throw_" + t.getException().getName().replaceAll("\\W+", "_") + "_";
 							String methodName;
 							do {
-								methodName = "throw" + methodIdx++;
+								methodName = baseName + methodIdx++;
 							} while (exceptionClass.declaresMethodByName(methodName));
 
 							// Create the new method
@@ -582,6 +586,7 @@ public Collection<SootField> getAdditionalFields() {
 				Stmt throwCall = Jimple.v().newInvokeStmt(Jimple.v().newStaticInvokeExpr(thrower.makeRef()));
 				throwCall.addTag(SimulatedCodeElementTag.TAG);
 				caller.getActiveBody().getUnits().insertBefore(throwCall, callSite);
+
 			}
 	}
 
@@ -594,7 +599,7 @@ public Collection<SootField> getAdditionalFields() {
 	 *         side-effects or calls a sink method, otherwise false.
 	 */
 	private boolean hasSideEffectsOrCallsSink(SootMethod method) {
-		return hasSideEffectsOrCallsSink(method, new HashSet<SootMethod>());
+		return hasSideEffectsOrCallsSink(method, new HashSet<>());
 	}
 
 	/**
@@ -778,7 +783,7 @@ private boolean methodIsAndroidStub(SootMethod method) {
 					// Check for super class constructor invocation
 					if (!(method.getDeclaringClass().hasSuperclass()
 							&& callee.getDeclaringClass() == method.getDeclaringClass().getSuperclass()
-							&& callee.getName().equals("<init>")))
+							&& callee.isConstructor()))
 						return false;
 			} else if (!(u instanceof ThrowStmt))
 				return false;
@@ -794,7 +799,11 @@ private boolean methodIsAndroidStub(SootMethod method) {
 	 * @param sm The method for which to look for call sites.
 	 */
 	private void propagateConstantsIntoCallee(SootMethod sm) {
-		Collection<Unit> callSites = manager.getICFG().getCallersOf(sm);
+
+		// icfg field is final in InfoflowManager, hence it can't change
+		// and we can cache it here so we don't have to retrieve it again and again.
+		final IInfoflowCFG icfg = manager.getICFG();
+		Collection<Unit> callSites = icfg.getCallersOf(sm);
 		if (callSites.isEmpty())
 			return;
 
@@ -807,9 +816,14 @@ private void propagateConstantsIntoCallee(SootMethod sm) {
 		boolean hasCallSites = false;
 		for (Unit callSite : callSites) {
 			// If this call site is in an excluded method, we ignore it
-			if (excludedMethods != null && manager.getICFG().isReachable(callSite)
-					&& excludedMethods.contains(manager.getICFG().getMethodOf(callSite)))
-				continue;
+			if (excludedMethods != null && icfg.isReachable(callSite)) {
+				SootMethod caller = icfg.getMethodOf(callSite);
+				// synthetic methods e.g. created by FlowDroid are excluded by default
+				if (excludedMethods.contains(caller) || caller.hasTag(SimulatedCodeElementTag.TAG_NAME)) {
+					logger.trace("Ignoring calls from {}", caller);
+					continue;
+				}
+			}
 
 			// We do not support special edges that do not provide a 1:1 argument mapping
 			InvokeExpr iiExpr = ((Stmt) callSite).getInvokeExpr();
@@ -821,7 +835,7 @@ private void propagateConstantsIntoCallee(SootMethod sm) {
 			// If we have a reflective call site, we never have constant
 			// arguments, because
 			// they are always passed in using an array
-			if (manager.getICFG().isReflectiveCallSite(callSite)) {
+			if (icfg.isReflectiveCallSite(callSite)) {
 				for (int i = 0; i < isConstant.length; i++)
 					isConstant[i] = false;
 			} else {
@@ -837,8 +851,9 @@ private void propagateConstantsIntoCallee(SootMethod sm) {
 								isConstant[i] = false;
 							else
 								values[i] = (Constant) argVal;
-						} else
+						} else {
 							isConstant[i] = false;
+						}
 					}
 				}
 			}
@@ -856,7 +871,7 @@ private void propagateConstantsIntoCallee(SootMethod sm) {
 					sm.getActiveBody().getUnits().insertBefore(assignConst, point);
 
 					if (inserted == null)
-						inserted = new ArrayList<Unit>();
+						inserted = new ArrayList<>();
 					inserted.add(assignConst);
 				}
 			}
@@ -869,7 +884,7 @@ private void propagateConstantsIntoCallee(SootMethod sm) {
 
 				// This might lead to more opportunities of constant propagation
 				for (Unit u : sm.getActiveBody().getUnits())
-					for (SootMethod callee : manager.getICFG().getCalleesOfCallAt(u))
+					for (SootMethod callee : icfg.getCalleesOfCallAt(u))
 						checkAndAddMethod(callee);
 			}
 		}