FlowDroid crashes when analyzing callbacks registered in a certain way

[wyatt-feng]

Description

The current version (2.14.0 and 2.15.0-SNAPSHOT) of FlowDroid crashes when analyzing some apps that register ActivityLifecycleCallbacks in a certain way. Here is the minimal demonstration that can reliably trigger the issue and the corresponding crash log, which is very similar to #786, #770, and #748 (but I am not sure if the root cause is exactly the same).

Steps to reproduce

The demonstration consists of an activity MainActivity and an application class Demonstration, in which file the LifecycleCallbacks are implemented and registered.

MainActivity.java:

package com.example.minimaldemonstration;

import android.os.Bundle;
import android.util.Log;

import androidx.activity.EdgeToEdge;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.graphics.Insets;
import androidx.core.view.ViewCompat;
import androidx.core.view.WindowInsetsCompat;

import java.util.Random;

public class MainActivity extends AppCompatActivity {
    private int info;  // <----- The issue won't appear if this is a local variable.

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        info = dummySource();
        dummySink(info);
    }

    @Override
    protected void onStart() {     // <----- This method does nothing but has to be here or else the issue won't appear.
        super.onStart();
    }

    public int dummySource() {
        return 0;
    }
    public void dummySink(int info) {
        Log.d("sink", String.valueOf(info));
    }
}

Demonstration.java:

package com.example.minimaldemonstration;

import android.app.Activity;
import android.app.Application;
import android.os.Bundle;
import android.util.Log;

import androidx.annotation.NonNull;
import androidx.annotation.Nullable;

public class Demonstration extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        LifecycleTracker.register(this);
    }
}

class LifecycleTracker implements Application.ActivityLifecycleCallbacks {
    private static LifecycleTracker e;
    private LifecycleTracker() {}
    public static void register(Application app) {
        if (e == null) {
            e = new LifecycleTracker();
        }
        app.registerActivityLifecycleCallbacks(e);
    }
    @Override
    public void onActivityCreated(@NonNull Activity activity, @Nullable Bundle savedInstanceState) {
        Log.d("Lifecycle", "onActivityCreated()");    // <----- Avoid being optimized.
    }

    @Override
    public void onActivityStarted(@NonNull Activity activity) {}

    @Override
    public void onActivityResumed(@NonNull Activity activity) {}

    @Override
    public void onActivityPaused(@NonNull Activity activity) {}

    @Override
    public void onActivityStopped(@NonNull Activity activity) {}

    @Override
    public void onActivitySaveInstanceState(@NonNull Activity activity, @NonNull Bundle outState) {}

    @Override
    public void onActivityDestroyed(@NonNull Activity activity) {}
}

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" >
    <application
        android:name=".Demonstration"
        tools:targetApi="31" >
        <activity
            android:name=".MainActivity"
            android:exported="true" >
        </activity>
    </application>
</manifest>

SourcesAndSinks.txt:

<com.example.minimaldemonstration.MainActivity: int dummySource()> -> _SOURCE_
<com.example.minimaldemonstration.MainActivity: void dummySink(int)> -> _SINK_

Expected behavior

Log saying "Found 1 leaks from 1 sources" with no runtime exceptions.

Observed behavior

Crash log:

...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Constructing the callgraph...
[main] ERROR soot.jimple.spark.solver.PropWorklist - Note that we log, but continue in case of SPARK problems
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Running incremental callback analysis for 1 components...
[main] INFO soot.jimple.infoflow.android.callbacks.DefaultCallbackAnalyzer - Incremental callback analysis done.
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Callback analysis terminated normally
[main] INFO soot.jimple.infoflow.android.SetupApplication - Entry point calculation done.
[main] INFO soot.jimple.infoflow.android.source.AccessPathBasedSourceSinkManager - Created a SourceSinkManager with 2 sources, 2 sinks, and 81 callback methods.
[main] INFO soot.jimple.infoflow.android.SetupApplication - Collecting callbacks and building a callgraph took 0 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication - Running data flow analysis on /Users/wyattfeng/Workspace/minimaldemonstration/app/build/outputs/apk/debug/app-debug.apk with 2 sources and 2 sinks...
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Implicit flow tracking is NOT enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Exceptional flow tracking is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Running with a maximum access path length of 5
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using path-agnostic result collection
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Recursive access path shortening is enabled
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Taint analysis enabled: true
[main] INFO soot.jimple.infoflow.InfoflowConfiguration - Using alias algorithm FlowSensitive
[main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Registered a memory warning system for 14,745.6 MiB
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph construction took 0 seconds
[main] INFO soot.jimple.infoflow.codeOptimization.InterproceduralConstantValuePropagator - Removing side-effect free methods is disabled
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Dead code elimination took 0.013935166 seconds
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Callgraph has 111 edges
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Starting Taint Analysis
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Using context- and flow-sensitive solver
[main] WARN soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Running with limited join point abstractions can break context-sensitive path builders
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Looking for sources and sinks...
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Source lookup done, found 1 sources and 1 sinks.
[FlowDroid] ERROR heros.solver.CountingThreadPoolExecutor - Worker thread execution failed: null
java.lang.NullPointerException
	at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:904)
	at com.google.common.cache.LocalCache.get(LocalCache.java:4016)
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:4040)
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4989)
	at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4996)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.getOrCreateUnitGraph(AbstractJimpleBasedICFG.java:130)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:160)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:51)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:213)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:51)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:67)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:38)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:208)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:51)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.runInternal(IFDSSolver.java:750)
	at soot.jimple.infoflow.solver.fastSolver.LocalWorklistTask.run(LocalWorklistTask.java:27)
	...
[FlowDroid] ERROR heros.solver.CountingThreadPoolExecutor - Worker thread execution failed: null
java.lang.NullPointerException
	at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:904)
	at com.google.common.cache.LocalCache.get(LocalCache.java:4016)
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:4040)
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4989)
	at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4996)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.getOrCreateUnitGraph(AbstractJimpleBasedICFG.java:130)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:160)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:51)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:213)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:51)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:67)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:38)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:208)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:51)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.runInternal(IFDSSolver.java:750)
	at soot.jimple.infoflow.solver.fastSolver.LocalWorklistTask.run(LocalWorklistTask.java:27)
	...
Exception in thread "FlowDroid" [main] INFO soot.jimple.infoflow.memory.MemoryWarningSystem - Shutting down the memory warning system...
java.lang.NullPointerException
	at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:904)
	at com.google.common.cache.LocalCache.get(LocalCache.java:4016)
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:4040)
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4989)
	at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4996)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.getOrCreateUnitGraph(AbstractJimpleBasedICFG.java:130)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:160)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:51)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:213)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:51)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:67)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:38)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:208)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:51)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.runInternal(IFDSSolver.java:750)
	at soot.jimple.infoflow.solver.fastSolver.LocalWorklistTask.run(LocalWorklistTask.java:27)
	...
Exception in thread "FlowDroid" java.lang.NullPointerException
	at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:904)
	at com.google.common.cache.LocalCache.get(LocalCache.java:4016)
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:4040)
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4989)
	at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4996)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.getOrCreateUnitGraph(AbstractJimpleBasedICFG.java:130)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:160)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:51)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:213)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:51)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:67)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:38)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:208)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:51)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.runInternal(IFDSSolver.java:750)
	at soot.jimple.infoflow.solver.fastSolver.LocalWorklistTask.run(LocalWorklistTask.java:27)
	...
[main] ERROR soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Exception during data flow analysis
java.lang.RuntimeException: There were exceptions during IFDS analysis. Exiting.
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.runExecutorAndAwaitCompletion(IFDSSolver.java:263)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.awaitCompletionComputeValuesAndShutdown(IFDSSolver.java:230)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver.solve(IFDSSolver.java:202)
	at soot.jimple.infoflow.AbstractInfoflow.runTaintAnalysis(AbstractInfoflow.java:1204)
	at soot.jimple.infoflow.AbstractInfoflow.runAnalysis(AbstractInfoflow.java:881)
	at soot.jimple.infoflow.AbstractInfoflow.runAnalysis(AbstractInfoflow.java:814)
	at soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow.runAnalysis(SetupApplication.java:1358)
	at soot.jimple.infoflow.android.SetupApplication.processEntryPoint(SetupApplication.java:1656)
	at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1585)
	at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1532)
	at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:1500)
	at edu.ucr.cs.cresp.Main.main(Main.java:39)
Caused by: java.lang.NullPointerException
	at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:904)
	at com.google.common.cache.LocalCache.get(LocalCache.java:4016)
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:4040)
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4989)
	at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4996)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.getOrCreateUnitGraph(AbstractJimpleBasedICFG.java:130)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:160)
	at soot.jimple.toolkits.ide.icfg.AbstractJimpleBasedICFG.isStartPoint(AbstractJimpleBasedICFG.java:51)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:213)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isStartPoint(InfoflowCFG.java:51)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:67)
	at soot.jimple.toolkits.ide.icfg.BackwardsInterproceduralCFG.isExitStmt(BackwardsInterproceduralCFG.java:38)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:208)
	at soot.jimple.infoflow.solver.cfg.InfoflowCFG.isExitStmt(InfoflowCFG.java:51)
	at soot.jimple.infoflow.solver.fastSolver.IFDSSolver$PathEdgeProcessingTask.runInternal(IFDSSolver.java:750)
	at soot.jimple.infoflow.solver.fastSolver.LocalWorklistTask.run(LocalWorklistTask.java:27)
	...
[main] INFO soot.jimple.infoflow.android.SetupApplication - Found 0 leaks from 0 sources

Process finished with exit code 0

I tried to solve the issue by myself, but the root cause seems to be more complicated than I had thought.

[t1mlange]

The problem is that some code maps data-flow facts into a method which was not added to the interprocedural CFG (i.e. missing icfg.notifyMethodChanged(m)) and, therefore, the iCFG doesn't know the method and it's body. Offhand there are two cases where the call statement is not explicit or generated later:

1. Callbacks in summarized methods inside StubDroid/soot-infoflow-summaries
2. Android Lifecycle

Your code hints at the second, however, when I'm compiling your code myself with Android Studio, I get the expected result with the current develop HEAD:

[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - The sink virtualinvoke r0.<com.example.callback_crash_repro.MainActivity: void dummySink(int)>($i0) in method <com.example.callback_crash_repro.MainActivity: void onCreate(android.os.Bundle)> was called with values from the following sources:
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - - $i0 = virtualinvoke r0.<com.example.callback_crash_repro.MainActivity: int dummySource()>() in method <com.example.callback_crash_repro.MainActivity: void onCreate(android.os.Bundle)>
[main] INFO soot.jimple.infoflow.android.SetupApplication$InPlaceInfoflow - Data flow solver took 0 seconds. Maximum memory consumption: 221 MB

Either you debug it yourself via

1. Break at the exception
2. Go up the call stack into the IFDS solver and look at the current propagation $d_2$
3. Follow the predecessors of the fact till you reach a fact with a current statement being a call
4. Look up where the call statement is generated and notify the ICFG there.

or supply the reproducer as a precompiled APK and how you setup FlowDroid.

[wyatt-feng]

Thank you! Here is the link to the precompiled reproducer: https://github.com/wyatt-feng/wyatt-feng/raw/refs/heads/main/files/flowdroid%20787%20reproducer.zip

It contains two files: app-debug.apk and SourcesAndSinks.txt. Simply use the following command to reproduce the issue:

java -jar <path to soot-infoflow-cmd-2.14.1-jar-with-dependencies.jar> -a app-debug.apk -s SourcesAndSinks.txt -p <path to android platforms>

[t1mlange]

So the callgraph contains no edge to the LifecycleTracker class but Soot's ICFG has a fallback option that uses static dispatch in case the backing callgraph has no edge. See:
https://github.com/soot-oss/soot/blob/d81f939ec38bf08732d9f7608c718cbd7e8bf1fc/src/main/java/soot/jimple/toolkits/ide/icfg/JimpleBasedInterproceduralCFG.java#L111-L119

So the exception is caused by the fallback handling allowing getCalleesOfCallAt to return a callee but not populating the unitToOwner map with that callee body before. But I'm not too sure how useful this fallback option is anways, as it just hides a broken callgraph.

The reason for the missing callgraph edge is that FlowDroid's EntryPointCreator assumes each class has a public constructor to use. Your LifecycleTracker only has a private constructor, thus, following lines will ignore it

FlowDroid/soot-infoflow/src/soot/jimple/infoflow/entryPointCreators/BaseEntryPointCreator.java

Line 599 in 0f65d7a

if (!allowNonPublicConstructors && (currentMethod.isPrivate() || currentMethod.isProtected()))

and not create a dummy instance and corresponding local for use in the dummy main, following, missing the call. Flipping allowNonPublicConstructors fixes your problem.

[wyatt-feng]

I see. Thank you!

[StevenArzt]

Since the app works just fine with the private constructor, I'll change the default for that flag. I honestly expected private constructors to be rejected by the Android lifecyle handling, but that's apparently not the case.

Thanks to both of you.