soot.jimple.infoflow.codeOptimization.InterproceduralConstantValuePropagator Maven / Gradle / Ivy
package soot.jimple.infoflow.codeOptimization;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import heros.solver.Pair;
import soot.Body;
import soot.DoubleType;
import soot.FloatType;
import soot.IntType;
import soot.Local;
import soot.LocalGenerator;
import soot.LongType;
import soot.MethodOrMethodContext;
import soot.Modifier;
import soot.RefType;
import soot.Scene;
import soot.SceneTransformer;
import soot.SootClass;
import soot.SootField;
import soot.SootMethod;
import soot.Trap;
import soot.Type;
import soot.Unit;
import soot.Value;
import soot.ValueBox;
import soot.VoidType;
import soot.dexpler.DalvikThrowAnalysis;
import soot.jimple.ArrayRef;
import soot.jimple.AssignStmt;
import soot.jimple.Constant;
import soot.jimple.DefinitionStmt;
import soot.jimple.FieldRef;
import soot.jimple.IdentityStmt;
import soot.jimple.IfStmt;
import soot.jimple.IntConstant;
import soot.jimple.InvokeExpr;
import soot.jimple.InvokeStmt;
import soot.jimple.Jimple;
import soot.jimple.NewExpr;
import soot.jimple.ParameterRef;
import soot.jimple.ReturnStmt;
import soot.jimple.Stmt;
import soot.jimple.ThisRef;
import soot.jimple.ThrowStmt;
import soot.jimple.infoflow.InfoflowManager;
import soot.jimple.infoflow.entryPointCreators.BaseEntryPointCreator;
import soot.jimple.infoflow.entryPointCreators.IEntryPointCreator;
import soot.jimple.infoflow.entryPointCreators.SimulatedCodeElementTag;
import soot.jimple.infoflow.solver.cfg.IInfoflowCFG;
import soot.jimple.infoflow.sourcesSinks.manager.ISourceSinkManager;
import soot.jimple.infoflow.taintWrappers.ITaintPropagationWrapper;
import soot.jimple.infoflow.util.SystemClassHandler;
import soot.jimple.toolkits.callgraph.Edge;
import soot.jimple.toolkits.scalar.ConditionalBranchFolder;
import soot.jimple.toolkits.scalar.ConstantPropagatorAndFolder;
import soot.jimple.toolkits.scalar.DeadAssignmentEliminator;
import soot.jimple.toolkits.scalar.UnconditionalBranchFolder;
import soot.jimple.toolkits.scalar.UnreachableCodeEliminator;
import soot.options.Options;
import soot.toolkits.exceptions.ThrowAnalysis;
import soot.toolkits.exceptions.ThrowableSet;
import soot.toolkits.exceptions.UnitThrowAnalysis;
import soot.toolkits.scalar.UnusedLocalEliminator;
import soot.util.queue.QueueReader;
public class InterproceduralConstantValuePropagator extends SceneTransformer {
private final Logger logger = LoggerFactory.getLogger(getClass());
private final InfoflowManager manager;
private final Set excludedMethods;
private final ISourceSinkManager sourceSinkManager;
private final ITaintPropagationWrapper taintWrapper;
private boolean removeSideEffectFreeMethods = true;
private boolean excludeSystemClasses = true;
protected final Map methodSideEffects = new ConcurrentHashMap<>();
protected final Map methodSinks = new ConcurrentHashMap<>();
protected final Map methodFieldReads = new ConcurrentHashMap<>();
protected SootClass exceptionClass = null;
protected final Map exceptionThrowers = new HashMap<>();
private final List propagationWorklist = new ArrayList<>();
private final Set> propagatedParameters = new HashSet<>();
/**
* Creates a new instance of the {@link InterproceduralConstantValuePropagator}
* class
*
* @param manager The data flow manager for interacting with the solver
*/
public InterproceduralConstantValuePropagator(InfoflowManager manager) {
this.manager = manager;
this.excludedMethods = null;
this.sourceSinkManager = null;
this.taintWrapper = null;
}
/**
* Creates a new instance of the {@link InterproceduralConstantValuePropagator}
* class
*
* @param manager The data flow manager for interacting with the
* solver
* @param excludedMethods The methods that shall be excluded. If one of these
* methods calls another method with a constant
* argument, this argument will not be propagated into
* the callee.
* @param sourceSinkManager The SourceSinkManager to be used for not propagating
* constants out of source methods
* @param taintWrapper The taint wrapper to be used for not breaking dummy
* values that will later be replaced by artificial
* taints
*/
public InterproceduralConstantValuePropagator(InfoflowManager manager, Collection excludedMethods,
ISourceSinkManager sourceSinkManager, ITaintPropagationWrapper taintWrapper) {
this.manager = manager;
this.excludedMethods = new HashSet<>(excludedMethods);
this.sourceSinkManager = sourceSinkManager;
this.taintWrapper = taintWrapper;
}
/**
* Sets whether side-effect free methods that do not call sinks shall be removed
*
* @param removeSideEffectFreeMethods The if side-effect free methods that do
* not call sinks shall be removed, otherwise
* false
*/
public void setRemoveSideEffectFreeMethods(boolean removeSideEffectFreeMethods) {
this.removeSideEffectFreeMethods = removeSideEffectFreeMethods;
}
/**
* Sets whether methods in system classes shall be excluded from constraint
* propagation
*
* @param excludeSystemClasses True if methods in system classes shall be
* excluded from constraint propagation, otherwise
* false
*/
public void setExcludeSystemClasses(boolean excludeSystemClasses) {
this.excludeSystemClasses = excludeSystemClasses;
}
/**
* Checks whether optimizations are possible for the given method and, if so,
* adds it to the global worklist
*
* @param sm The method to check and add to the worklist
*/
private void checkAndAddMethod(SootMethod sm) {
if (sm == null || !sm.hasActiveBody())
return;
// If this callee is excluded, we do not propagate out of it
if (excludedMethods != null && excludedMethods.contains(sm))
return;
if (excludeSystemClasses && SystemClassHandler.v().isClassInSystemPackage(sm.getDeclaringClass()))
return;
if (sm.getReturnType() != VoidType.v() || sm.getParameterCount() > 0) {
if (!propagationWorklist.contains(sm))
propagationWorklist.add(sm);
}
}
@Override
protected void internalTransform(String phaseName, Map options) {
logger.info("Removing side-effect free methods is " + (removeSideEffectFreeMethods ? "enabled" : "disabled"));
// Clear up any potential old state
propagationWorklist.clear();
propagatedParameters.clear();
// Collect all application methods that take parameters or return values
// and place them in the initial worklist.
for (QueueReader rdr = Scene.v().getReachableMethods().listener(); rdr.hasNext();) {
MethodOrMethodContext mom = rdr.next();
SootMethod sm = mom.method();
checkAndAddMethod(sm);
}
while (!propagationWorklist.isEmpty()) {
SootMethod sm = propagationWorklist.remove(0);
// Propagate constants from caller into callee
if (sm.getParameterCount() > 0)
propagateConstantsIntoCallee(sm);
// Propagate constant return values from callee to caller
if (typeSupportsConstants(sm.getReturnType()))
propagateReturnValueIntoCallers(sm);
}
for (QueueReader rdr = Scene.v().getReachableMethods().listener(); rdr.hasNext();) {
MethodOrMethodContext mom = rdr.next();
SootMethod sm = mom.method();
if (sm.hasActiveBody()) {
List oldCallSites = DeadCodeEliminator.getCallsInMethod(sm);
Body body = sm.retrieveActiveBody();
ConditionalBranchFolder.v().transform(body);
UnconditionalBranchFolder.v().transform(body);
DeadAssignmentEliminator.v().transform(body);
UnreachableCodeEliminator.v().transform(body);
UnusedLocalEliminator.v().transform(body);
// We need to be careful and patch the cfg so
// that it does not retain edges for call statements we have deleted
DeadCodeEliminator.removeDeadCallgraphEdges(sm, oldCallSites);
}
}
// Check for calls we can remove altogether
if (removeSideEffectFreeMethods) {
int callEdgesRemoved = 0;
for (QueueReader rdr = Scene.v().getReachableMethods().listener(); rdr.hasNext();) {
MethodOrMethodContext mom = rdr.next();
SootMethod sm = mom.method();
if (sm == null || !sm.hasActiveBody())
continue;
// Do not touch excluded methods
if (excludedMethods != null && excludedMethods.contains(sm))
continue;
// Check for call sites
for (Iterator unitIt = sm.getActiveBody().getUnits().snapshotIterator(); unitIt.hasNext();) {
Stmt s = (Stmt) unitIt.next();
if (!sm.getActiveBody().getUnits().contains(s))
continue;
if (!(s instanceof InvokeStmt))
continue;
// If this is a fixed exception method, we must keep it
if (exceptionClass != null
&& ((InvokeExpr) s.getInvokeExpr()).getMethod().getDeclaringClass() == exceptionClass)
continue;
// If none of our pre-conditions are satisfied, there is no
// need to look at concrete callees
if (getNonConstParamCount(s) > 0)
continue;
boolean allCalleesRemoved = true;
Set exceptions = new HashSet<>();
for (Iterator edgeIt = Scene.v().getCallGraph().edgesOutOf(s); edgeIt.hasNext();) {
Edge edge = edgeIt.next();
SootMethod callee = edge.tgt();
// If this method returns nothing, is side-effect free and does not call a sink,
// we can remove it altogether. No data can ever flow out of it.
boolean remove = callee.getReturnType() == VoidType.v() && !hasSideEffectsOrReadsThis(callee);
remove |= !hasSideEffectsOrCallsSink(callee);
if (remove) {
Scene.v().getCallGraph().removeEdge(edge);
callEdgesRemoved++;
// If this callee threw an exception, we have to
// make up for it
fixExceptions(sm, s, exceptions);
} else if (!sm.getName().equals(""))
allCalleesRemoved = false;
}
// If all call edges have been removed from a call site, we
// can kill the call site altogether
if (allCalleesRemoved && !isSourceSinkOrTaintWrapped(s))
removeCallSite(s, sm);
}
}
logger.info("Removed %d call edges", callEdgesRemoved);
}
// If we introduced a new class, we have to reset the hierarchy
if (exceptionClass != null) {
Scene.v().releaseActiveHierarchy();
Scene.v().releaseFastHierarchy();
Scene.v().getOrMakeFastHierarchy();
}
}
/**
* Gets the number of non-constant arguments to the given method call
*
* @param s A call site
* @return The number of non-constant arguments in the given call site
*/
private int getNonConstParamCount(Stmt s) {
int cnt = 0;
for (Value val : s.getInvokeExpr().getArgs())
if (!(val instanceof Constant))
cnt++;
return cnt;
}
/**
* Checks whether the given method is a source, a sink or is accepted by the
* taint wrapper
*
* @param callSite The call site to check
* @return True if the given method is a source, a sink or is accepted by the
* taint wrapper, otherwise false
*/
private boolean isSourceSinkOrTaintWrapped(Stmt callSite) {
if (!callSite.containsInvokeExpr())
return false;
SootMethod method = callSite.getInvokeExpr().getMethod();
// If this method is a source on its own, we must keep it
if (sourceSinkManager != null && sourceSinkManager.getSourceInfo((Stmt) callSite, manager) != null) {
methodFieldReads.put(method, true);
return true;
}
// If this method is a sink, we must keep it as well
if (sourceSinkManager != null && sourceSinkManager.getSinkInfo((Stmt) callSite, manager, null) != null) {
methodSinks.put(method, true);
return true;
}
// If this method is wrapped, we need to keep it
if (taintWrapper != null && taintWrapper.supportsCallee(method)) {
methodSideEffects.put(method, true);
return true;
}
return false;
}
/**
* Removes a given call site
*
* @param callSite The call site to be removed
* @param caller The method containing the call site
*/
private void removeCallSite(Stmt callSite, SootMethod caller) {
// Make sure that we don't access anything we have already removed
if (!caller.getActiveBody().getUnits().contains(callSite))
return;
// Only remove actual call sites
if (!((Stmt) callSite).containsInvokeExpr())
return;
// Remove the call
caller.getActiveBody().getUnits().remove(callSite);
// Fix the callgraph
if (Scene.v().hasCallGraph())
Scene.v().getCallGraph().removeAllEdgesOutOf(callSite);
}
/**
* Checks whether constant handling is supported for the given type
*
* @param returnType The type to check
* @return True if a value of the given type can be represented as a constant,
* otherwise false
*/
private boolean typeSupportsConstants(Type returnType) {
if (returnType == IntType.v() || returnType == LongType.v() || returnType == FloatType.v()
|| returnType == DoubleType.v())
return true;
if (returnType instanceof RefType)
if (((RefType) returnType).getClassName().equals("java.lang.String"))
return true;
return false;
}
/**
* Propagates the return value of the given method into all of its callers if
* the value is constant
*
* @param sm The method whose value to propagate
*/
private void propagateReturnValueIntoCallers(SootMethod sm) {
final IInfoflowCFG icfg = manager.getICFG();
// We need to make sure that all exit nodes agree on the same
// constant value
Constant value = null;
for (Unit retSite : icfg.getEndPointsOf(sm)) {
// Skip exceptional exits
if (!(retSite instanceof ReturnStmt))
continue;
ReturnStmt retStmt = (ReturnStmt) retSite;
if (!(retStmt.getOp() instanceof Constant))
return;
if (value != null && retStmt.getOp() != value)
return;
value = (Constant) retStmt.getOp();
}
// Propagate the return value into the callers
if (value != null)
for (Unit callSite : icfg.getCallersOf(sm))
if (callSite instanceof AssignStmt) {
AssignStmt assign = (AssignStmt) callSite;
// If we have a taint wrapper, we need to keep the stub untouched since we don't
// know what artificial taint the wrapper will come up with
if (taintWrapper != null && taintWrapper.supportsCallee(assign))
continue;
// If this is a call to a source method, we do not propagate
// constants out of the callee for not destroying data flows
if (sourceSinkManager != null && sourceSinkManager.getSourceInfo(assign, manager) != null)
continue;
// Make sure that we don't access anything we have already
// removed
SootMethod caller = icfg.getMethodOf(assign);
if (caller == null || !caller.getActiveBody().getUnits().contains(assign))
continue;
// If the call site has multiple callees, we cannot
// propagate a single constant
Collection callees = icfg.getCalleesOfCallAt(callSite);
if (callees != null && callees.size() > 1)
continue;
// If the call has no side effects, we can remove it altogether, otherwise we
// can just propagate the return value
Unit assignConst = Jimple.v().newAssignStmt(assign.getLeftOp(), value);
if (!hasSideEffectsOrCallsSink(sm)) {
// If this method threw an exception, we have to make up
// for it
fixExceptions(caller, callSite);
// We don't have side effects, so we can just change
// a = b.foo() into a = 0.
caller.getActiveBody().getUnits().swapWith(assign, assignConst);
if (excludedMethods == null || !excludedMethods.contains(caller)) {
ConstantPropagatorAndFolder.v().transform(caller.getActiveBody());
checkAndAddMethod(caller);
}
// Fix the callgraph
if (Scene.v().hasCallGraph())
Scene.v().getCallGraph().removeAllEdgesOutOf(assign);
} else {
// We have side effects, so we need to keep the method
// call. Change
// a = b.foo() into b.foo(); a = 0;
caller.getActiveBody().getUnits().insertAfter(assignConst, assign);
if (excludedMethods == null || !excludedMethods.contains(caller)) {
ConstantPropagatorAndFolder.v().transform(caller.getActiveBody());
checkAndAddMethod(caller);
}
caller.getActiveBody().getUnits().remove(assignConst);
Stmt inv = Jimple.v().newInvokeStmt(assign.getInvokeExpr());
caller.getActiveBody().getUnits().swapWith(assign, inv);
// Fix the callgraph
if (Scene.v().hasCallGraph())
Scene.v().getCallGraph().swapEdgesOutOf(assign, inv);
}
}
}
private void fixExceptions(SootMethod caller, Unit callSite) {
fixExceptions(caller, callSite, new HashSet<>());
}
private void fixExceptions(SootMethod caller, Unit callSite, Set doneSet) {
ThrowAnalysis ta = Options.v().src_prec() == Options.src_prec_apk ? DalvikThrowAnalysis.v()
: UnitThrowAnalysis.v();
ThrowableSet throwSet = ta.mightThrow(callSite);
for (final Trap t : caller.getActiveBody().getTraps())
if (doneSet.add(t.getException()) && throwSet.catchableAs(t.getException().getType())) {
SootMethod thrower = exceptionThrowers.get(t.getException());
if (thrower == null) {
if (exceptionClass == null) {
exceptionClass = Scene.v().makeSootClass("FLOWDROID_EXCEPTIONS", Modifier.PUBLIC);
exceptionClass.setSuperclass(Scene.v().getSootClass("java.lang.Object"));
exceptionClass.addTag(SimulatedCodeElementTag.TAG);
Scene.v().addClass(exceptionClass);
}
IEntryPointCreator epc = new BaseEntryPointCreator() {
@Override
public Collection getRequiredClasses() {
return Collections.emptySet();
}
@Override
protected SootMethod createDummyMainInternal() {
LocalGenerator generator = Scene.v().createLocalGenerator(body);
// Create the counter used for the opaque predicate
int conditionCounter = 0;
Value intCounter = generator.generateLocal(IntType.v());
AssignStmt assignStmt = Jimple.v().newAssignStmt(intCounter,
IntConstant.v(conditionCounter));
body.getUnits().add(assignStmt);
Stmt afterEx = Jimple.v().newReturnVoidStmt();
IfStmt ifStmt = Jimple.v().newIfStmt(
Jimple.v().newEqExpr(intCounter, IntConstant.v(conditionCounter)), afterEx);
body.getUnits().add(ifStmt);
conditionCounter++;
Local lcEx = generator.generateLocal(t.getException().getType());
AssignStmt assignNewEx = Jimple.v().newAssignStmt(lcEx,
Jimple.v().newNewExpr(t.getException().getType()));
body.getUnits().add(assignNewEx);
InvokeStmt consNewEx = Jimple.v().newInvokeStmt(Jimple.v().newSpecialInvokeExpr(lcEx,
Scene.v().makeConstructorRef(exceptionClass, Collections.emptyList())));
body.getUnits().add(consNewEx);
ThrowStmt throwNewEx = Jimple.v().newThrowStmt(lcEx);
body.getUnits().add(throwNewEx);
body.getUnits().add(afterEx);
mainMethod.addTag(SimulatedCodeElementTag.TAG);
return mainMethod;
}
@Override
protected void createEmptyMainMethod() {
// Make sure that we don't end up with duplicate method names
int methodIdx = exceptionThrowers.size();
String baseName = "throw_" + t.getException().getName().replaceAll("\\W+", "_") + "_";
String methodName;
do {
methodName = baseName + methodIdx++;
} while (exceptionClass.declaresMethodByName(methodName));
// Create the new method
SootMethod thrower = Scene.v().makeSootMethod(methodName, Collections.emptyList(),
VoidType.v());
thrower.setModifiers(Modifier.PUBLIC | Modifier.STATIC);
final Body body = Jimple.v().newBody(thrower);
thrower.setActiveBody(body);
// Register the new method
exceptionThrowers.put(t.getException(), thrower);
exceptionClass.addMethod(thrower);
// Make it available to the entry point creator
mainMethod = thrower;
}
@Override
public Collection getAdditionalMethods() {
return null;
}
@Override
public Collection getAdditionalFields() {
return null;
}
};
epc.createDummyMain();
thrower = epc.getGeneratedMainMethod();
}
// Call the exception thrower after the old call site
Stmt throwCall = Jimple.v().newInvokeStmt(Jimple.v().newStaticInvokeExpr(thrower.makeRef()));
throwCall.addTag(SimulatedCodeElementTag.TAG);
caller.getActiveBody().getUnits().insertBefore(throwCall, callSite);
}
}
/**
* Checks whether the given method or one of its transitive callees has
* side-effects or calls a sink method
*
* @param method The method to check
* @return True if the given method or one of its transitive callees has
* side-effects or calls a sink method, otherwise false.
*/
private boolean hasSideEffectsOrCallsSink(SootMethod method) {
return hasSideEffectsOrCallsSink(method, new HashSet<>());
}
/**
* Checks whether the given method or one of its transitive callees has
* side-effects or calls a sink method
*
* @param method The method to check
* @param runList A set to receive all methods that have already been processed
* @param cache The cache in which to store the results
* @return True if the given method or one of its transitive callees has
* side-effects or calls a sink method, otherwise false.
*/
private boolean hasSideEffectsOrCallsSink(SootMethod method, Set runList) {
// Without a body, we cannot say much
if (!method.hasActiveBody())
return false;
// Do we already have an entry?
Boolean hasSideEffects = methodSideEffects.get(method);
if (hasSideEffects != null)
return hasSideEffects;
Boolean hasSink = methodSinks.get(method);
if (hasSink != null)
return hasSink;
// Do not process the same method twice
if (!runList.add(method))
return false;
// If this is an Android stub method that just throws a stub exception,
// this will never happen in practice and can be removed
if (methodIsAndroidStub(method)) {
methodSideEffects.put(method, false);
return false;
}
// Scan for references to this variable
for (Unit u : method.getActiveBody().getUnits()) {
if (u instanceof AssignStmt) {
AssignStmt assign = (AssignStmt) u;
if (assign.getLeftOp() instanceof FieldRef || assign.getLeftOp() instanceof ArrayRef) {
methodSideEffects.put(method, true);
return true;
}
}
Stmt s = (Stmt) u;
// If this method calls another method for which we have a taint
// wrapper, we need to conservatively assume that the taint wrapper
// can do anything
if (taintWrapper != null && taintWrapper.supportsCallee(s)) {
methodSideEffects.put(method, true);
return true;
}
if (s.containsInvokeExpr()) {
// If this method calls a sink, we need to keep it
if (sourceSinkManager != null && sourceSinkManager.getSinkInfo((Stmt) u, manager, null) != null) {
methodSinks.put(method, true);
return true;
}
// Check the callees
for (Iterator edgeIt = Scene.v().getCallGraph().edgesOutOf(u); edgeIt.hasNext();) {
Edge e = edgeIt.next();
if (hasSideEffectsOrCallsSink(e.getTgt().method(), runList))
return true;
}
}
}
// Variable is not read
methodSideEffects.put(method, false);
return false;
}
/**
* Checks whether the given method or one of its transitive callees has
* side-effects or calls a sink method
*
* @param method The method to check
* @return True if the given method or one of its transitive callees has
* side-effects or calls a sink method, otherwise false.
*/
private boolean hasSideEffectsOrReadsThis(SootMethod method) {
return hasSideEffectsOrReadsThis(method, new HashSet());
}
/**
* Checks whether the given method or one of its transitive callees has
* side-effects or calls a sink method
*
* @param method The method to check
* @param runList A set to receive all methods that have already been processed
* @param cache The cache in which to store the results
* @return True if the given method or one of its transitive callees has
* side-effects or calls a sink method, otherwise false.
*/
private boolean hasSideEffectsOrReadsThis(SootMethod method, Set runList) {
// Without a body, we cannot say much
if (!method.hasActiveBody())
return false;
// Do we already have an entry?
Boolean hasSideEffects = methodSideEffects.get(method);
if (hasSideEffects != null)
return hasSideEffects;
// Do not process the same method twice
if (!runList.add(method))
return false;
// If this is an Android stub method that just throws a stub exception,
// this will never happen in practice and can be removed
if (methodIsAndroidStub(method)) {
methodSideEffects.put(method, false);
return false;
}
// Scan for references to this variable
Local thisLocal = method.isStatic() ? null : method.getActiveBody().getThisLocal();
for (Unit u : method.getActiveBody().getUnits()) {
if (u instanceof AssignStmt) {
AssignStmt assign = (AssignStmt) u;
if (assign.getLeftOp() instanceof FieldRef || assign.getLeftOp() instanceof ArrayRef) {
methodSideEffects.put(method, true);
return true;
}
}
Stmt s = (Stmt) u;
// If this statement uses the "this" local, we have to
// conservatively assume that is can read data
if (thisLocal != null)
for (ValueBox vb : s.getUseBoxes())
if (vb.getValue() == thisLocal)
return true;
if (s.containsInvokeExpr()) {
// Check the callees
for (Iterator edgeIt = Scene.v().getCallGraph().edgesOutOf(u); edgeIt.hasNext();) {
Edge e = edgeIt.next();
if (hasSideEffectsOrReadsThis(e.getTgt().method(), runList))
return true;
}
}
}
// Variable is not read
methodSideEffects.put(method, false);
return false;
}
/**
* Checks whether the given method is a library stub method
*
* @param method The method to check
* @return True if the given method is an Android library stub, false otherwise
*/
private boolean methodIsAndroidStub(SootMethod method) {
if (!(Options.v().src_prec() == Options.src_prec_apk && method.getDeclaringClass().isLibraryClass()
&& SystemClassHandler.v().isClassInSystemPackage(method.getDeclaringClass())))
return false;
// Check whether there is only a single throw statement
for (Unit u : method.getActiveBody().getUnits()) {
if (u instanceof DefinitionStmt) {
DefinitionStmt defStmt = (DefinitionStmt) u;
if (!(defStmt.getRightOp() instanceof ThisRef) && !(defStmt.getRightOp() instanceof ParameterRef)
&& !(defStmt.getRightOp() instanceof NewExpr))
return false;
} else if (u instanceof InvokeStmt) {
InvokeStmt stmt = (InvokeStmt) u;
// Check for exception constructor invocations
SootMethod callee = stmt.getInvokeExpr().getMethod();
if (!callee.getSubSignature().equals("void (java.lang.String)"))
// Check for super class constructor invocation
if (!(method.getDeclaringClass().hasSuperclass()
&& callee.getDeclaringClass() == method.getDeclaringClass().getSuperclass()
&& callee.isConstructor()))
return false;
} else if (!(u instanceof ThrowStmt))
return false;
}
return true;
}
/**
* Checks whether all call sites for a specific callee agree on the same
* constant value for one or more arguments. If so, these constant values are
* propagated into the callee.
*
* @param sm The method for which to look for call sites.
*/
private void propagateConstantsIntoCallee(SootMethod sm) {
// icfg field is final in InfoflowManager, hence it can't change
// and we can cache it here so we don't have to retrieve it again and again.
final IInfoflowCFG icfg = manager.getICFG();
Collection callSites = icfg.getCallersOf(sm);
if (callSites.isEmpty())
return;
boolean[] isConstant = new boolean[sm.getParameterCount()];
Constant[] values = new Constant[sm.getParameterCount()];
for (int i = 0; i < isConstant.length; i++)
isConstant[i] = true;
// Do all of our callees agree on one constant value?
boolean hasCallSites = false;
for (Unit callSite : callSites) {
// If this call site is in an excluded method, we ignore it
if (excludedMethods != null && icfg.isReachable(callSite)) {
SootMethod caller = icfg.getMethodOf(callSite);
// synthetic methods e.g. created by FlowDroid are excluded by default
if (excludedMethods.contains(caller) || caller.hasTag(SimulatedCodeElementTag.TAG_NAME)) {
logger.trace("Ignoring calls from {}", caller);
continue;
}
}
// We do not support special edges that do not provide a 1:1 argument mapping
InvokeExpr iiExpr = ((Stmt) callSite).getInvokeExpr();
if (iiExpr.getArgCount() != sm.getParameterCount())
continue;
hasCallSites = true;
// If we have a reflective call site, we never have constant
// arguments, because
// they are always passed in using an array
if (icfg.isReflectiveCallSite(callSite)) {
for (int i = 0; i < isConstant.length; i++)
isConstant[i] = false;
} else {
// Check whether we have constant parameter values
for (int i = 0; i < iiExpr.getArgCount(); i++) {
if (isConstant[i]) {
final Value argVal = iiExpr.getArg(i);
if (argVal instanceof Constant) {
// If we already have a value for this argument and
// the new one does not agree, this parameter is not
// globally constant.
if (values[i] != null && !values[i].equals(argVal))
isConstant[i] = false;
else
values[i] = (Constant) argVal;
} else {
isConstant[i] = false;
}
}
}
}
}
if (hasCallSites) {
// Get the constant parameters
List inserted = null;
for (int i = 0; i < isConstant.length; i++) {
if (isConstant[i] && values[i] != null && propagatedParameters.add(new Pair<>(sm, i))) {
// Propagate the constant into the callee
Local paramLocal = sm.getActiveBody().getParameterLocal(i);
Unit point = getFirstNonIdentityStmt(sm);
Unit assignConst = Jimple.v().newAssignStmt(paramLocal, values[i]);
sm.getActiveBody().getUnits().insertBefore(assignConst, point);
if (inserted == null)
inserted = new ArrayList<>();
inserted.add(assignConst);
}
}
// Propagate the constant inside the callee
if (inserted != null) {
ConstantPropagatorAndFolder.v().transform(sm.getActiveBody());
for (Unit u : inserted)
sm.getActiveBody().getUnits().remove(u);
// This might lead to more opportunities of constant propagation
for (Unit u : sm.getActiveBody().getUnits())
for (SootMethod callee : icfg.getCalleesOfCallAt(u))
checkAndAddMethod(callee);
}
}
}
/**
* Gets the first statement in the body of the given method that does not assign
* the "this" local or a parameter local
*
* @param sm The method in whose body to look
* @return The first non-identity statement in the body of the given method.
*/
private Unit getFirstNonIdentityStmt(SootMethod sm) {
for (Unit u : sm.getActiveBody().getUnits()) {
if (!(u instanceof IdentityStmt))
return u;
IdentityStmt id = (IdentityStmt) u;
if (!(id.getRightOp() instanceof ThisRef) && !(id.getRightOp() instanceof ParameterRef))
return u;
}
return null;
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy