Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Soot reports a false positive edge in call graph #2061

Open
kitty-1998 opened this issue Mar 27, 2024 · 0 comments
Open

Soot reports a false positive edge in call graph #2061

kitty-1998 opened this issue Mar 27, 2024 · 0 comments

Comments

@kitty-1998
Copy link

kitty-1998 commented Mar 27, 2024
edited

Describe the bug

I used Soot RTA to construct a call graph and find a false positive. In the following program, Soot reports two edges in the call graph: (1) Main.main -> Thread1.run; (2) Main.main -> Thread2.run. However, the second edge is obviously a false positive as Thread2 class is never instantiated. Hence, RTA should not add this edge to CG based on its algorithm design.

Besides, when I used Soot CHA to construct the call graph, it does not report this false positive. It is confusing as CHA is more sound than RTA.

Input files

Main.java

public class Main {
    public static void main(String[] args) {
            Thread t = new Thread1();
            t.start();
        }
    }
}

Thread1.java

public class Thread1 extends Thread {
    public void run() {}
}

Thread2.java

public class Thread2 extends Thread {
    public void run() {}
}

Results

Soot RTA Edge: <Main: void main(java.lang.String[])> --> <Thread1: void run()>
Soot RTA Edge: <Main: void main(java.lang.String[])> --> <Thread2: void run()> // false positive

To reproduce

Steps to reproduce the behavior:
I used Soot 4.4.1 and the options are listed below:

Options.v().set_whole_program(true);
Options.v().set_soot_classpath(JAVA_BASE_DIRECTORY); 
Options.v().set_no_bodies_for_excluded(true);
List<String> classPaths = new ArrayList<>();
classPaths.add("PATH/TO/INPUTDIR");
Options.v().set_process_dir("Path/to/dir");
Options.v().process_dir();
Options.v().set_allow_phantom_refs(true);
Options.v().setPhaseOption("jb", "use-original-names:true");
Options.v().set_prepend_classpath(false);
Options.v().set_exclude(Constants.excludedClassList);
Scene.v().loadNecessaryClasses();

Transform transform = new Transform("cg.spark", null);
PhaseOptions.v().setPhaseOption("cg.spark", "on");
PhaseOptions.v().setPhaseOption("cg.spark", "rta:true");
PhaseOptions.v().setPhaseOption("cg.spark", "types-for-sites:true");
PhaseOptions.v().setPhaseOption("cg.spark", "on-fly-cg:false");
Map<String, String> phaseOptions = PhaseOptions.v().getPhaseOptions(transform);
SparkTransformer.v().transform(transform.getPhaseName(), phaseOptions);
PackManager.v().runPacks();
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kitty-1998