Improve handling of callbacks and dummy main generation

Author: MarcMil

soot-infoflow-android/src/soot/jimple/infoflow/android/SetupApplication.java

@@ -670,8 +670,8 @@ private void calculateCallbackMethods(LayoutFileParser lfp, SootClass component)
 		// filter out callbacks even if the respective component is only
 		// analyzed later.
 		AbstractCallbackAnalyzer jimpleClass = callbackClasses == null
-				? new DefaultCallbackAnalyzer(config, entryPointClasses, callbackFile)
-				: new DefaultCallbackAnalyzer(config, entryPointClasses, callbackClasses);
+				? new DefaultCallbackAnalyzer(config, entryPointClasses, callbackMethods, callbackFile)
+				: new DefaultCallbackAnalyzer(config, entryPointClasses, callbackMethods, callbackClasses);
 		if (valueProvider != null)
 			jimpleClass.setValueProvider(valueProvider);
 		jimpleClass.addCallbackFilter(new AlienHostComponentFilter(entrypoints));
@@ -736,6 +736,8 @@ private void calculateCallbackMethods(LayoutFileParser lfp, SootClass component)
 				if (!Scene.v().hasCallGraph())
 					throw new RuntimeException("No callgraph in Scene even after creating one. That's very sad "
 							+ "and should never happen.");
+
+				lfp.parseLayoutFileDirect(config.getAnalysisFileConfig().getTargetAPKFile());
 				PackManager.v().getPack("wjtp").apply();
 
 				// Creating all callgraph takes time and memory. Check whether
@@ -956,6 +958,7 @@ private boolean collectXmlBasedCallbackMethods(LayoutFileParser lfp, AbstractCal
 										hasNewCallback = true;
 									break;
 								}
+
 								SootClass sclass = currentClass.getSuperclassUnsafe();
 								if (sclass == null) {
 									logger.error(String.format("Callback method %s not found in class %s", methodName,
@@ -982,7 +985,7 @@ private boolean collectXmlBasedCallbackMethods(LayoutFileParser lfp, AbstractCal
 					if (controls != null) {
 						for (AndroidLayoutControl lc : controls) {
 							if (!SystemClassHandler.v().isClassInSystemPackage(lc.getViewClass().getName()))
-								registerCallbackMethodsForView(callbackClass, lc);
+								hasNewCallback |= registerCallbackMethodsForView(callbackClass, lc);
 						}
 					}
 				} else
@@ -1053,19 +1056,20 @@ private void calculateCallbackMethodsFast(LayoutFileParser lfp, SootClass compon
 	 * @param callbackClass The class with which to associate the layout callbacks
 	 * @param lc            The layout control whose callbacks are to be associated
 	 *                      with the given class
+	 * @return 
 	 */
-	private void registerCallbackMethodsForView(SootClass callbackClass, AndroidLayoutControl lc) {
+	private boolean registerCallbackMethodsForView(SootClass callbackClass, AndroidLayoutControl lc) {
 		// Ignore system classes
 		if (SystemClassHandler.v().isClassInSystemPackage(callbackClass.getName()))
-			return;
+			return false;
 
 		// Get common Android classes
 		if (scView == null)
 			scView = Scene.v().getSootClass("android.view.View");
 
 		// Check whether the current class is actually a view
 		if (!Scene.v().getOrMakeFastHierarchy().canStoreType(lc.getViewClass().getType(), scView.getType()))
-			return;
+			return false;
 
 		// There are also some classes that implement interesting callback
 		// methods.
@@ -1080,16 +1084,19 @@ private void registerCallbackMethodsForView(SootClass callbackClass, AndroidLayo
 						systemMethods.put(sm.getSubSignature(), sm);
 		}
 
+		boolean changed = false;
 		// Scan for methods that overwrite parent class methods
 		for (SootMethod sm : sc.getMethods()) {
 			if (!sm.isConstructor()) {
 				SootMethod parentMethod = systemMethods.get(sm.getSubSignature());
-				if (parentMethod != null)
+				if (parentMethod != null) {
 					// This is a real callback method
-					this.callbackMethods.put(callbackClass,
+					changed |= this.callbackMethods.put(callbackClass,
 							new AndroidCallbackDefinition(sm, parentMethod, CallbackType.Widget));
+				}
 			}
 		}
+		return changed;
 	}
 
 	/**

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/AbstractCallbackAnalyzer.java

@@ -106,6 +106,7 @@ public abstract class AbstractCallbackAnalyzer {
 	protected final MultiMap<SootClass, Integer> layoutClasses = new HashMultiMap<>();
 	protected final Set<SootClass> dynamicManifestComponents = new HashSet<>();
 	protected final MultiMap<SootClass, SootClass> fragmentClasses = new HashMultiMap<>();
+	protected final MultiMap<SootClass, SootClass> fragmentClassesRev = new HashMultiMap<>();
 	protected final Map<SootClass, Integer> fragmentIDs = new HashMap<>();
 
 	protected final List<ICallbackFilter> callbackFilters = new ArrayList<>();
@@ -615,12 +616,12 @@ protected boolean invokesSetContentView(InvokeExpr inv) {
 					|| curClass.getName().equals("android.support.v7.app.AppCompatActivity")
 					|| curClass.getName().equals("androidx.appcompat.app.AppCompatActivity"))
 				return true;
-            // As long as the class is subclass of android.app.Activity,
-            // it can be sure that the setContentView method is what we expected.
-            // Following 2 statements make the overriding of method
-            // setContentView ignored.
+			// As long as the class is subclass of android.app.Activity,
+			// it can be sure that the setContentView method is what we expected.
+			// Following 2 statements make the overriding of method
+			// setContentView ignored.
 			// if (curClass.declaresMethod("void setContentView(int)"))
-			// 	return false;
+			// return false;
 			curClass = curClass.hasSuperclass() ? curClass.getSuperclass() : null;
 		}
 		return false;
@@ -646,7 +647,7 @@ protected boolean invokesInflate(InvokeExpr inv) {
 			if (curClass.getName().equals("android.app.Fragment"))
 				return true;
 			if (curClass.declaresMethod("android.view.View inflate(int,android.view.ViewGroup,boolean)"))
-				return false;
+				return true;
 			curClass = curClass.hasSuperclass() ? curClass.getSuperclass() : null;
 		}
 		return false;
@@ -814,6 +815,7 @@ protected boolean checkAndAddMethod(SootMethod method, SootMethod parentMethod,
 	 */
 	protected void checkAndAddFragment(SootClass componentClass, SootClass fragmentClass) {
 		this.fragmentClasses.put(componentClass, fragmentClass);
+		this.fragmentClassesRev.put(fragmentClass, componentClass);
 	}
 
 	private boolean isEmpty(Body activeBody) {

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/DefaultCallbackAnalyzer.java

@@ -10,8 +10,10 @@
 import java.util.Map;
 import java.util.Set;
 
+import heros.solver.Pair;
 import soot.MethodOrMethodContext;
 import soot.PackManager;
+import soot.RefType;
 import soot.Scene;
 import soot.SceneTransformer;
 import soot.SootClass;
@@ -48,22 +50,28 @@ public class DefaultCallbackAnalyzer extends AbstractCallbackAnalyzer implements
 	private AndroidEntryPointUtils entryPointUtils = new AndroidEntryPointUtils();
 	private Set<IMemoryBoundedSolverStatusNotification> notificationListeners = new HashSet<>();
 	private ISolverTerminationReason isKilled = null;
+	private MultiMap<SootClass, AndroidCallbackDefinition> viewCallbacks;
 
 	public DefaultCallbackAnalyzer(InfoflowAndroidConfiguration config, Set<SootClass> entryPointClasses)
 			throws IOException {
 		super(config, entryPointClasses);
 	}
 
 	public DefaultCallbackAnalyzer(InfoflowAndroidConfiguration config, Set<SootClass> entryPointClasses,
-			String callbackFile) throws IOException {
+			MultiMap<SootClass, AndroidCallbackDefinition> viewCallbacks, String callbackFile) throws IOException {
 		super(config, entryPointClasses, callbackFile);
+		this.viewCallbacks = viewCallbacks;
 	}
 
 	public DefaultCallbackAnalyzer(InfoflowAndroidConfiguration config, Set<SootClass> entryPointClasses,
-			Set<String> androidCallbacks) throws IOException {
+			MultiMap<SootClass, AndroidCallbackDefinition> viewCallbacks, Set<String> androidCallbacks)
+			throws IOException {
 		super(config, entryPointClasses, androidCallbacks);
+		this.viewCallbacks = viewCallbacks;
 	}
 
+	QueueReader<MethodOrMethodContext> reachableChangedListener;
+
 	/**
 	 * Collects the callback methods for all Android default handlers implemented in
 	 * the source code. Note that this operation runs inside Soot, so this method
@@ -100,17 +108,31 @@ protected void internalTransform(String phaseName, @SuppressWarnings("rawtypes")
 								getLifecycleMethods(sc));
 
 						// Check for callbacks registered in the code
-						analyzeRechableMethods(sc, methods);
+						analyzeReachableMethods(sc, methods);
 
 						// Check for method overrides
 						analyzeMethodOverrideCallbacks(sc);
 						analyzeClassInterfaceCallbacks(sc, sc, sc);
 					}
+					reachableChangedListener = Scene.v().getReachableMethods().listener();
 					logger.info("Callback analysis done.");
 				} else {
 					// Incremental mode, only process the worklist
 					logger.info(String.format("Running incremental callback analysis for %d components...",
 							callbackWorklist.size()));
+					// Find the mappings between classes and layouts
+					findClassLayoutMappings();
+
+					MultiMap<SootMethod, SootClass> reverseViewCallbacks = new HashMultiMap<>();
+					for (Pair<SootClass, AndroidCallbackDefinition> i : viewCallbacks)
+						reverseViewCallbacks.put(i.getO2().getTargetMethod(), i.getO1());
+					while (reachableChangedListener.hasNext()) {
+						SootMethod m = reachableChangedListener.next().method();
+						Set<SootClass> o = reverseViewCallbacks.get(m);
+						for (SootClass i : o) {
+							callbackWorklist.put(i, m);
+						}
+					}
 
 					MultiMap<SootClass, SootMethod> workList = new HashMultiMap<>(callbackWorklist);
 					for (Iterator<SootClass> it = workList.keySet().iterator(); it.hasNext();) {
@@ -122,6 +144,10 @@ protected void internalTransform(String phaseName, @SuppressWarnings("rawtypes")
 						Set<SootMethod> callbacks = callbackWorklist.get(componentClass);
 						callbackWorklist.remove(componentClass);
 
+						Set<SootClass> activityComponents = fragmentClassesRev.get(componentClass);
+						if (activityComponents == null || activityComponents.isEmpty())
+							activityComponents = Collections.singleton(componentClass);
+
 						// Check whether we're already beyond the maximum number
 						// of callbacks for the current component
 						if (config.getCallbackConfig().getMaxCallbacksPerComponent() > 0
@@ -133,15 +159,21 @@ protected void internalTransform(String phaseName, @SuppressWarnings("rawtypes")
 
 						// Check for method overrides. The whole class might be new.
 						analyzeMethodOverrideCallbacks(componentClass);
-						analyzeClassInterfaceCallbacks(componentClass, componentClass, componentClass);
+						for (SootClass activityComponent : activityComponents) {
+							if (activityComponent == null)
+								activityComponent = componentClass;
+							analyzeClassInterfaceCallbacks(componentClass, componentClass, activityComponent);
+						}
 
 						// Collect all methods that we need to analyze
 						List<MethodOrMethodContext> entryClasses = new ArrayList<>(callbacks.size());
-						for (SootMethod sm : callbacks)
-							entryClasses.add(sm);
+						for (SootMethod sm : callbacks) {
+							if (sm != null)
+								entryClasses.add(sm);
+						}
 
 						// Check for further callback declarations
-						analyzeRechableMethods(componentClass, entryClasses);
+						analyzeReachableMethods(componentClass, entryClasses);
 					}
 					logger.info("Incremental callback analysis done.");
 				}
@@ -226,7 +258,7 @@ private static Collection<? extends MethodOrMethodContext> getLifecycleMethods(S
 		return lifecycleMethods;
 	}
 
-	private void analyzeRechableMethods(SootClass lifecycleElement, List<MethodOrMethodContext> methods) {
+	private void analyzeReachableMethods(SootClass lifecycleElement, List<MethodOrMethodContext> methods) {
 		// Make sure to exclude all other edges in the callgraph except for the
 		// edges start in the lifecycle methods we explicitly pass in
 		ComponentReachableMethods rm = new ComponentReachableMethods(config, lifecycleElement, methods);
@@ -279,40 +311,53 @@ protected void checkAndAddFragment(SootClass componentClass, SootClass fragmentC
 		}
 	}
 
+	Iterator<MethodOrMethodContext> rmIterator;
+
 	/**
 	 * Finds the mappings between classes and their respective layout files
 	 */
 	private void findClassLayoutMappings() {
-		Iterator<MethodOrMethodContext> rmIterator = Scene.v().getReachableMethods().listener();
+		if (rmIterator == null)
+			rmIterator = Scene.v().getReachableMethods().listener();
 		while (rmIterator.hasNext()) {
 			SootMethod sm = rmIterator.next().method();
+
 			if (!sm.isConcrete())
 				continue;
 			if (SystemClassHandler.v().isClassInSystemPackage(sm.getDeclaringClass().getName()))
 				continue;
-
-			for (Unit u : sm.retrieveActiveBody().getUnits())
+			RefType fragmentType = RefType.v("android.app.Fragment");
+			for (Unit u : sm.retrieveActiveBody().getUnits()) {
 				if (u instanceof Stmt) {
 					Stmt stmt = (Stmt) u;
 					if (stmt.containsInvokeExpr()) {
 						InvokeExpr inv = stmt.getInvokeExpr();
-						if (invokesSetContentView(inv) || invokesInflate(inv)) { // check
-																					// also
-																					// for
-																					// inflate
-																					// to
-																					// look
-																					// for
-																					// the
-																					// fragments
+						if (invokesSetContentView(inv)) { // check
+															// also
+															// for
+															// inflate
+															// to
+															// look
+															// for
+															// the
+															// fragments
 							for (Value val : inv.getArgs()) {
 								Integer intValue = valueProvider.getValue(sm, stmt, val, Integer.class);
-								if (intValue != null)
+								if (intValue != null) {
 									this.layoutClasses.put(sm.getDeclaringClass(), intValue);
+								}
+
+							}
+						}
+						if (invokesInflate(inv)) {
+							Integer intValue = valueProvider.getValue(sm, stmt, inv.getArg(0), Integer.class);
+							if (intValue != null) {
+								this.layoutClasses.put(sm.getDeclaringClass(), intValue);
 							}
 						}
 					}
 				}
+			}
 		}
 	}
 

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/FastCallbackAnalyzer.java

@@ -77,8 +77,9 @@ private void findClassLayoutMappings() {
 								if (invokesSetContentView(inv)) {
 									for (Value val : inv.getArgs()) {
 										Integer intValue = valueProvider.getValue(sm, stmt, val, Integer.class);
-										if (intValue != null)
+										if (intValue != null) {
 											this.layoutClasses.put(sm.getDeclaringClass(), intValue);
+										}
 									}
 								}
 							}

soot-infoflow-android/src/soot/jimple/infoflow/android/callbacks/filters/UnreachableConstructorFilter.java

@@ -1,5 +1,7 @@
 package soot.jimple.infoflow.android.callbacks.filters;
 
+import soot.RefType;
+import soot.Scene;
 import soot.SootClass;
 import soot.SootMethod;
 
@@ -21,6 +23,11 @@ public boolean accepts(SootClass component, SootClass callbackHandler) {
 		// If the callback is in the component class itself, it is trivially reachable
 		if (component == callbackHandler)
 			return true;
+		RefType fragmentType = RefType.v("android.app.Fragment");
+		boolean isFragment = Scene.v().getFastHierarchy().canStoreType(callbackHandler.getType(), fragmentType);
+		if (isFragment)
+			// we cannot find constructors for these...
+			return true;
 
 		{
 			SootClass curHandler = callbackHandler;

soot-infoflow/src/soot/jimple/infoflow/memory/FlowDroidTimeoutWatcher.java

@@ -25,18 +25,18 @@ public class FlowDroidTimeoutWatcher implements IMemoryBoundedSolverStatusNotifi
 	 *
 	 */
 	private enum SolverState {
-	/**
-	 * The solver has not been started yet
-	 */
-	IDLE,
-	/**
-	 * The solver is running
-	 */
-	RUNNING,
-	/**
-	 * The solver has completed its work
-	 */
-	DONE
+		/**
+		 * The solver has not been started yet
+		 */
+		IDLE,
+		/**
+		 * The solver is running
+		 */
+		RUNNING,
+		/**
+		 * The solver has completed its work
+		 */
+		DONE
 	}
 
 	private final Logger logger = LoggerFactory.getLogger(getClass());
@@ -120,7 +120,7 @@ public void run() {
 
 				// If things have not stopped on their own account, we force
 				// them to
-				if (!stopped & !allTerminated) {
+				if (!stopped && !allTerminated) {
 					logger.warn("Timeout reached, stopping the solvers...");
 					if (results != null)
 						results.addException("Timeout reached");