<div dir="ltr"><div><div>Hi Steven,<br></div>Default settings produce the same result. From my logs:<br><br>From &lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void onCreate(android.os.Bundle)&gt;<br>  to &lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()&gt;<br>--------------------------------------------<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void onCreate(android.os.Bundle)&gt;<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void threadWithSensitive()&gt;<br>&lt;java.lang.Thread: void run()&gt;<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity$3: void run()&gt;<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void access$000(edu.oregonstate.ex.flowdroidtest.TestActivity)&gt;<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()&gt;<br><br>From &lt;edu.oregonstate.ex.flowdroidtest.TestActivity: boolean onOptionsItemSelected(android.view.MenuItem)&gt;<br>  to &lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()&gt;<br>--------------------------------------------<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity: boolean onOptionsItemSelected(android.view.MenuItem)&gt;<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void emptyThread()&gt;<br>&lt;java.lang.Thread: void run()&gt;<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity$3: void run()&gt;<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void access$000(edu.oregonstate.ex.flowdroidtest.TestActivity)&gt;<br>&lt;edu.oregonstate.ex.flowdroidtest.TestActivity: void sensitive()&gt;<br><br></div>Paths are produced by navigating the call graph upwards until a callback is reached. FlowDroid and soot on my machine are 2 weeks old.<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 3 March 2016 at 14:28, Steven Arzt <span dir="ltr">&lt;<a href="mailto:Steven.Arzt@cased.de" target="_blank">Steven.Arzt@cased.de</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="DE"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Hi Denis,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d" lang="EN-US">You don’t actually need an implementation of java.* in your Android platform JAR file, because FlowDroid provides explicit models for threads. If you use FlowDroid’s default models, your callgraph should be able to distinguish the two calls, i.e., there should not be a path from emptyThread() to sensitive(). You have two different instances of the Thread class, two different implementations (and thus also instances thereof) of Runnable, and I don’t see any good reason for FlowDroid to combine the two paths.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d" lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d" lang="EN-US">Best regards,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d" lang="EN-US">  Steven<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d" lang="EN-US"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">Von:</span></b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> <a href="mailto:soot-list-bounces@CS.McGill.CA" target="_blank">soot-list-bounces@CS.McGill.CA</a> [mailto:<a href="mailto:soot-list-bounces@CS.McGill.CA" target="_blank">soot-list-bounces@CS.McGill.CA</a>] <b>Im Auftrag von </b>Denis Bogdanas<br><b>Gesendet:</b> Donnerstag, 3. März 2016 23:04<br><b>An:</b> <a href="mailto:soot-list@CS.McGill.CA" target="_blank">soot-list@CS.McGill.CA</a><br><b>Betreff:</b> [Soot-list] FlowDroid: call graph doesn&#39;t look context sensitive<u></u><u></u></span></p><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal" style="margin-bottom:12.0pt">Suppose we have 2 threads called from 2 UI callbacks. One of them calls method sensitive(), another one is empty. In the call graph, both events will have a path to sensitive(), as if the two Thread instances were modeled as one:<u></u><u></u></p></div><div><pre style="background:white"><b><span style="font-size:9.5pt;color:navy">protected void </span></b><span style="font-size:9.5pt;color:black">onCreate(Bundle savedInstanceState) {</span><i><span style="font-size:9.5pt;color:gray"><br>    </span></i><span style="font-size:9.5pt;color:black">threadWithSensitive();<br>}<br><br></span><span style="font-size:9.5pt;color:olive">@Override<br></span><b><span style="font-size:9.5pt;color:navy">public boolean </span></b><span style="font-size:9.5pt;color:black">onOptionsItemSelected(MenuItem item) {</span><i><span style="font-size:9.5pt;color:gray"><br>    </span></i><span style="font-size:9.5pt;color:black">emptyThread();<br>    </span><b><span style="font-size:9.5pt;color:navy">return false</span></b><span style="font-size:9.5pt;color:black">;<br>}<u></u><u></u></span></pre><pre style="background:white"><b><span style="font-size:9.5pt;color:navy">private void </span></b><span style="font-size:9.5pt;color:black">threadWithSensitive() {<br>    </span><b><span style="font-size:9.5pt;color:navy">new </span></b><span style="font-size:9.5pt;color:black">Thread(</span><b><span style="font-size:9.5pt;color:navy">new </span></b><span style="font-size:9.5pt;color:black">Runnable() {</span><span style="font-size:9.5pt;color:olive"><br>        </span><b><span style="font-size:9.5pt;color:navy">public void </span></b><span style="font-size:9.5pt;color:black">run() {<br>            sensitive();<br>        }<br>    }).start();<br>}<br><br></span><b><span style="font-size:9.5pt;color:navy">private void </span></b><span style="font-size:9.5pt;color:black">emptyThread() {<br>    </span><b><span style="font-size:9.5pt;color:navy">new </span></b><span style="font-size:9.5pt;color:black">Thread(</span><b><span style="font-size:9.5pt;color:navy">new </span></b><span style="font-size:9.5pt;color:black">Runnable() {</span><span style="font-size:9.5pt;color:olive"><br>        </span><b><span style="font-size:9.5pt;color:navy">public void </span></b><span style="font-size:9.5pt;color:black">run() { }<br>    }).start();<br>}<u></u><u></u></span></pre><p class="MsoNormal" style="margin-bottom:12.0pt">Shouldn&#39;t only onCreate() lead to sensitive() ?<u></u><u></u></p></div><div><p class="MsoNormal">My setup: a crafted android.jar that has stubs for android classes but full implementation for java.* and javax.* packages.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">I also noticed that class <span style="background:#e4e4ff">MethodContext</span> which is supposed to model a method in its context, is never instantiated, regardless of what call graph algorithm I use.<u></u><u></u></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt">What am I missing?<u></u><u></u></p></div><div><p class="MsoNormal">thanks,<u></u><u></u></p></div><div><div><p class="MsoNormal">-- <u></u><u></u></p><div><div><p class="MsoNormal">Denis<u></u><u></u></p></div></div></div></div></div></div></div></div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Denis<br></div></div>
</div>