自己做一些筆記

下載配置

參照我前面的文章可以使用FlowDroid安裝初體驗
為了看代碼了解FlowDroid如何處理，clone其官方倉庫FlowDroid GitHub

源碼概況

下載下來的內容還是挺多的，主要分了以下幾個文件夾

• soot-infoflow： 核心功能代碼
• soot-infoflowandroid： 安卓數(shù)據(jù)流分析代碼
• soot-infoflow-summaries：字面意思函數(shù)摘要
• soot-infoflow-cmd：使用cmd的解釋運行流程
  
  下面對AliasingTest進行案例分析

代碼邏輯分析

analyzeAPKFile

這部分跟進去是一個自定義的測試代碼片段，跟進去看具體實現(xiàn)，可以看到不同的接口

ICC model（GPT4的回答）：
在FlowDroid中，ICC（Inter-Component Communication，組件間通信）模型用于表示和處理安卓應用中各個組件（例如活動、服務、廣播接收器等）之間如何相互通信。在Android中，組件通常通過Intent機制來相互通信。ICC模型旨在建模這種Intent傳遞機制，以更準確地進行數(shù)據(jù)流分析。
具體來說，FlowDroid的ICC模型可能包括以下幾方面的信息：

• 哪個組件發(fā)送了Intent。
• Intent中包含哪些數(shù)據(jù)。
• Intent被發(fā)送到哪個組件。
• 如何處理接收到的Intent。

通過精確地建模這些交互，FlowDroid可以更準確地追蹤可能的數(shù)據(jù)流路徑，從而更有效地檢測潛在的安全問題。該模型對于理解應用如何處理敏感數(shù)據(jù)，以及這些數(shù)據(jù)可能如何泄露（通過組件間的不安全通信）等問題非常有用。

再往下跟就是一些配置信息，讀取環(huán)境變量等，跟進runInfoflow函數(shù)，是比較關鍵的

runInfoflow

//這兩行代碼做了soot的初始化
if (config.getSootIntegrationMode() == SootIntegrationMode.CreateNewInstance) {G.reset();initializeSoot();
}

//soot初始化關鍵函數(shù)，比較常規(guī)
private void initializeSoot() {logger.info("Initializing Soot...");final String androidJar = config.getAnalysisFileConfig().getAndroidPlatformDir();final String apkFileLocation = config.getAnalysisFileConfig().getTargetAPKFile();// Clean up any old Soot instance we may haveG.reset();Options.v().set_no_bodies_for_excluded(true);Options.v().set_allow_phantom_refs(true);if (config.getWriteOutputFiles())Options.v().set_output_format(Options.output_format_jimple);elseOptions.v().set_output_format(Options.output_format_none);Options.v().set_whole_program(true);Options.v().set_process_dir(Collections.singletonList(apkFileLocation));if (forceAndroidJar)Options.v().set_force_android_jar(androidJar);elseOptions.v().set_android_jars(androidJar);Options.v().set_src_prec(Options.src_prec_apk_class_jimple);Options.v().set_keep_offset(false);Options.v().set_keep_line_number(config.getEnableLineNumbers());Options.v().set_throw_analysis(Options.throw_analysis_dalvik);Options.v().set_process_multiple_dex(config.getMergeDexFiles());Options.v().set_ignore_resolution_errors(true);// Set soot phase option if original names should be usedif (config.getEnableOriginalNames())Options.v().setPhaseOption("jb", "use-original-names:true");// Set the Soot configuration options. Note that this will needs to be// done before we compute the classpath.if (sootConfig != null)sootConfig.setSootOptions(Options.v(), config);Options.v().set_soot_classpath(getClasspath());Main.v().autoSetOptions();configureCallgraph();// Load whatever we needlogger.info("Loading dex files...");Scene.v().loadNecessaryClasses();// Make sure that we have valid Jimple bodiesPackManager.v().getPack("wjpp").apply();// Patch the callgraph to support additional edges. We do this now,// because during callback discovery, the context-insensitive callgraph// algorithm would flood us with invalid edges.LibraryClassPatcher patcher = getLibraryClassPatcher();patcher.patchLibraries();}

接下來對apk資源文件進行解析，分析入口點

try {parseAppResources();} catch (IOException | XmlPullParserException e) {logger.error("Parse app resource failed", e);throw new RuntimeException("Parse app resource failed", e);}

protected void parseAppResources() throws IOException, XmlPullParserException {final File targetAPK = new File(config.getAnalysisFileConfig().getTargetAPKFile());if (!targetAPK.exists())throw new RuntimeException(String.format("Target APK file %s does not exist", targetAPK.getCanonicalPath()));// Parse the resource filelong beforeARSC = System.nanoTime();this.resources = new ARSCFileParser();this.resources.parse(targetAPK.getAbsolutePath());logger.info("ARSC file parsing took " + (System.nanoTime() - beforeARSC) / 1E9 + " seconds");// To look for callbacks, we need to start somewhere. We use the Android// lifecycle methods for this purpose.this.manifest = createManifestParser(targetAPK);SystemClassHandler.v().setExcludeSystemComponents(config.getIgnoreFlowsInSystemPackages());Set<String> entryPoints = manifest.getEntryPointClasses();this.entrypoints = new HashSet<>(entryPoints.size());for (String className : entryPoints) {SootClass sc = Scene.v().getSootClassUnsafe(className);if (sc != null)this.entrypoints.add(sc);}}

processEntryPoint

Runs the data flow analysis on the given entry point class

if (config.getOneComponentAtATime()) {List<SootClass> entrypointWorklist = new ArrayList<>(entrypoints);while (!entrypointWorklist.isEmpty()) {SootClass entrypoint = entrypointWorklist.remove(0);processEntryPoint(sourcesAndSinks, resultAggregator, entrypointWorklist.size(), entrypoint);}} elseprocessEntryPoint(sourcesAndSinks, resultAggregator, -1, null);

resultAggregator 記錄結果的地方

	protected void processEntryPoint(ISourceSinkDefinitionProvider sourcesAndSinks,MultiRunResultAggregator resultAggregator, int numEntryPoints, SootClass entrypoint) {long beforeEntryPoint = System.nanoTime();// Get rid of leftovers from the last entry pointresultAggregator.clearLastResults();// Perform basic app parsinglong callbackDuration = System.nanoTime();try {if (config.getOneComponentAtATime())calculateCallbacks(sourcesAndSinks, entrypoint);elsecalculateCallbacks(sourcesAndSinks);} catch (IOException | XmlPullParserException e) {logger.error("Callgraph construction failed: " + e.getMessage(), e);throw new RuntimeException("Callgraph construction failed", e);}callbackDuration = Math.round((System.nanoTime() - callbackDuration) / 1E9);logger.info(String.format("Collecting callbacks and building a callgraph took %d seconds", (int) callbackDuration));final Collection<? extends ISourceSinkDefinition> sources = getSources();final Collection<? extends ISourceSinkDefinition> sinks = getSinks();final String apkFileLocation = config.getAnalysisFileConfig().getTargetAPKFile();if (config.getOneComponentAtATime())logger.info("Running data flow analysis on {} (component {}/{}: {}) with {} sources and {} sinks...",apkFileLocation, (entrypoints.size() - numEntryPoints), entrypoints.size(), entrypoint,sources == null ? 0 : sources.size(), sinks == null ? 0 : sinks.size());elselogger.info("Running data flow analysis on {} with {} sources and {} sinks...", apkFileLocation,sources == null ? 0 : sources.size(), sinks == null ? 0 : sinks.size());// Create a new entry point and compute the flows in it. If we// analyze all components together, we do not need a new callgraph,// but can reuse the one from the callback collection phase.if (config.getOneComponentAtATime() && config.getSootIntegrationMode().needsToBuildCallgraph()) {createMainMethod(entrypoint);constructCallgraphInternal();}// Create and run the data flow trackerinfoflow = createInfoflow();infoflow.addResultsAvailableHandler(resultAggregator);infoflow.runAnalysis(sourceSinkManager, entryPointCreator.getGeneratedMainMethod());// Update the statisticsif (config.getLogSourcesAndSinks() && infoflow.getCollectedSources() != null)this.collectedSources.addAll(infoflow.getCollectedSources());if (config.getLogSourcesAndSinks() && infoflow.getCollectedSinks() != null)this.collectedSinks.addAll(infoflow.getCollectedSinks());// Print out the found results{int resCount = resultAggregator.getLastResults() == null ? 0 : resultAggregator.getLastResults().size();if (config.getOneComponentAtATime())logger.info("Found {} leaks for component {}", resCount, entrypoint);elselogger.info("Found {} leaks", resCount);}// Update the performance object with the real data{InfoflowResults lastResults = resultAggregator.getLastResults();if (lastResults != null) {InfoflowPerformanceData perfData = lastResults.getPerformanceData();if (perfData == null)lastResults.setPerformanceData(perfData = new InfoflowPerformanceData());perfData.setCallgraphConstructionSeconds((int) callbackDuration);perfData.setTotalRuntimeSeconds((int) Math.round((System.nanoTime() - beforeEntryPoint) / 1E9));}}// We don't need the computed callbacks anymorethis.callbackMethods.clear();this.fragmentClasses.clear();// Notify our result handlersfor (ResultsAvailableHandler handler : resultsAvailableHandlers)handler.onResultsAvailable(resultAggregator.getLastICFG(), resultAggregator.getLastResults());}

calculateCallbacks(sourcesAndSinks)

傳進來的參數(shù)即為讀取的sources和sinks
Calculates the sets of sources, sinks, entry points, and callbacks methods
for the entry point in the given APK file.

private void calculateCallbacks(ISourceSinkDefinitionProvider sourcesAndSinks, SootClass entryPoint)throws IOException, XmlPullParserException {// Add the callback methodsLayoutFileParser lfp = null;final CallbackConfiguration callbackConfig = config.getCallbackConfig();if (callbackConfig.getEnableCallbacks()) {// If we have a callback file, we use itString callbackFile = callbackConfig.getCallbacksFile();if (callbackFile != null && !callbackFile.isEmpty()) {File cbFile = new File(callbackFile);if (cbFile.exists()) {CollectedCallbacks callbacks = CollectedCallbacksSerializer.deserialize(callbackConfig);if (callbacks != null) {// Get our callback data from the fileentrypoints = callbacks.getEntryPoints();fragmentClasses = callbacks.getFragmentClasses();callbackMethods = callbacks.getCallbackMethods();// Create the callgraphcreateMainMethod(entryPoint);constructCallgraphInternal();createSourceSinkProvider(entryPoint, lfp);return;}}}if (callbackClasses != null && callbackClasses.isEmpty()) {logger.warn("Callback definition file is empty, disabling callbacks");} else {lfp = createLayoutFileParser();switch (callbackConfig.getCallbackAnalyzer()) {case Fast:calculateCallbackMethodsFast(lfp, entryPoint);break;case Default:calculateCallbackMethods(lfp, entryPoint);break;default:throw new RuntimeException("Unknown callback analyzer");}}} else if (config.getSootIntegrationMode().needsToBuildCallgraph()) {// Create the new iteration of the main methodcreateMainMethod(entryPoint);constructCallgraphInternal();}logger.info("Entry point calculation done.");createSourceSinkProvider(entryPoint, lfp);}

在此過程中給對Layout進行了解析LayoutFileParser(this.manifest.getPackageName(), this.resources);

lfp = createLayoutFileParser();
calculateCallbackMethods(lfp, entryPoint);
下面這是真正的計算了

private void calculateCallbackMethods(LayoutFileParser lfp, SootClass component) throws IOException {final CallbackConfiguration callbackConfig = config.getCallbackConfig();// Load the APK fileif (config.getSootIntegrationMode().needsToBuildCallgraph())releaseCallgraph();// Make sure that we don't have any leftovers from previous runsPackManager.v().getPack("wjtp").remove("wjtp.lfp");PackManager.v().getPack("wjtp").remove("wjtp.ajc");// Get the classes for which to find callbacksSet<SootClass> entryPointClasses = getComponentsToAnalyze(component);// Collect the callback interfaces implemented in the app's// source code. Note that the filters should know all components to// filter out callbacks even if the respective component is only// analyzed later.AbstractCallbackAnalyzer jimpleClass = callbackClasses == null? new DefaultCallbackAnalyzer(config, entryPointClasses, callbackMethods, callbackFile): new DefaultCallbackAnalyzer(config, entryPointClasses, callbackMethods, callbackClasses);if (valueProvider != null)jimpleClass.setValueProvider(valueProvider);jimpleClass.addCallbackFilter(new AlienHostComponentFilter(entrypoints));jimpleClass.addCallbackFilter(new ApplicationCallbackFilter(entrypoints));jimpleClass.addCallbackFilter(new UnreachableConstructorFilter());jimpleClass.collectCallbackMethods();// Find the user-defined sources in the layout XML files. This// only needs to be done once, but is a Soot phase.lfp.parseLayoutFile(config.getAnalysisFileConfig().getTargetAPKFile());// Watch the callback collection algorithm's memory consumptionFlowDroidMemoryWatcher memoryWatcher = null;FlowDroidTimeoutWatcher timeoutWatcher = null;if (jimpleClass instanceof IMemoryBoundedSolver) {// Make sure that we don't spend too much time and memory in the callback// analysismemoryWatcher = createCallbackMemoryWatcher(jimpleClass);timeoutWatcher = createCallbackTimeoutWatcher(callbackConfig, jimpleClass);}try {int depthIdx = 0;boolean hasChanged = true;boolean isInitial = true;while (hasChanged) {hasChanged = false;// Check whether the solver has been aborted in the meantimeif (jimpleClass instanceof IMemoryBoundedSolver) {if (((IMemoryBoundedSolver) jimpleClass).isKilled())break;}// Create the new iteration of the main methodcreateMainMethod(component);int numPrevEdges = 0;if (Scene.v().hasCallGraph()) {numPrevEdges = Scene.v().getCallGraph().size();}// Since the generation of the main method can take some time,// we check again whether we need to stop.if (jimpleClass instanceof IMemoryBoundedSolver) {if (((IMemoryBoundedSolver) jimpleClass).isKilled()) {logger.warn("Callback calculation aborted due to timeout");break;}}if (!isInitial) {// Reset the callgraphreleaseCallgraph();// We only want to parse the layout files oncePackManager.v().getPack("wjtp").remove("wjtp.lfp");}isInitial = false;// Run the soot-based operationsconstructCallgraphInternal();if (!Scene.v().hasCallGraph())throw new RuntimeException("No callgraph in Scene even after creating one. That's very sad "+ "and should never happen.");lfp.parseLayoutFileDirect(config.getAnalysisFileConfig().getTargetAPKFile());PackManager.v().getPack("wjtp").apply();// Creating all callgraph takes time and memory. Check whether// the solver has been aborted in the meantimeif (jimpleClass instanceof IMemoryBoundedSolver) {if (((IMemoryBoundedSolver) jimpleClass).isKilled()) {logger.warn("Aborted callback collection because of low memory");break;}}if (numPrevEdges < Scene.v().getCallGraph().size())hasChanged = true;// Collect the results of the soot-based phasesif (this.callbackMethods.putAll(jimpleClass.getCallbackMethods()))hasChanged = true;if (entrypoints.addAll(jimpleClass.getDynamicManifestComponents()))hasChanged = true;// Collect the XML-based callback methodsif (collectXmlBasedCallbackMethods(lfp, jimpleClass))hasChanged = true;// Avoid callback overruns. If we are beyond the callback limit// for one entry point, we may not collect any further callbacks// for that entry point.if (callbackConfig.getMaxCallbacksPerComponent() > 0) {for (Iterator<SootClass> componentIt = this.callbackMethods.keySet().iterator(); componentIt.hasNext();) {SootClass callbackComponent = componentIt.next();if (this.callbackMethods.get(callbackComponent).size() > callbackConfig.getMaxCallbacksPerComponent()) {componentIt.remove();jimpleClass.excludeEntryPoint(callbackComponent);}}}// Check depth limitingdepthIdx++;if (callbackConfig.getMaxAnalysisCallbackDepth() > 0&& depthIdx >= callbackConfig.getMaxAnalysisCallbackDepth())break;// If we work with an existing callgraph, the callgraph never// changes and thus it doesn't make any sense to go multiple// roundsif (config.getSootIntegrationMode() == SootIntegrationMode.UseExistingCallgraph)break;}} catch (Exception ex) {logger.error("Could not calculate callback methods", ex);throw ex;} finally {// Shut down the watchersif (timeoutWatcher != null)timeoutWatcher.stop();if (memoryWatcher != null)memoryWatcher.close();}// Filter out callbacks that belong to fragments that are not used by// the host activityAlienFragmentFilter fragmentFilter = new AlienFragmentFilter(invertMap(fragmentClasses));fragmentFilter.reset();for (Iterator<Pair<SootClass, AndroidCallbackDefinition>> cbIt = this.callbackMethods.iterator(); cbIt.hasNext();) {Pair<SootClass, AndroidCallbackDefinition> pair = cbIt.next();// Check whether the filter accepts the given mappingif (!fragmentFilter.accepts(pair.getO1(), pair.getO2().getTargetMethod()))cbIt.remove();else if (!fragmentFilter.accepts(pair.getO1(), pair.getO2().getTargetMethod().getDeclaringClass())) {cbIt.remove();}}// Avoid callback overrunsif (callbackConfig.getMaxCallbacksPerComponent() > 0) {for (Iterator<SootClass> componentIt = this.callbackMethods.keySet().iterator(); componentIt.hasNext();) {SootClass callbackComponent = componentIt.next();if (this.callbackMethods.get(callbackComponent).size() > callbackConfig.getMaxCallbacksPerComponent())componentIt.remove();}}// Make sure that we don't retain any weird Soot phasesPackManager.v().getPack("wjtp").remove("wjtp.lfp");PackManager.v().getPack("wjtp").remove("wjtp.ajc");// Warn the user if we had to abort the callback analysis earlyboolean abortedEarly = false;if (jimpleClass instanceof IMemoryBoundedSolver) {if (((IMemoryBoundedSolver) jimpleClass).isKilled()) {logger.warn("Callback analysis aborted early due to time or memory exhaustion");abortedEarly = true;}}if (!abortedEarly)logger.info("Callback analysis terminated normally");// Serialize the callbacksif (callbackConfig.isSerializeCallbacks()) {CollectedCallbacks callbacks = new CollectedCallbacks(entryPointClasses, callbackMethods, fragmentClasses);CollectedCallbacksSerializer.serialize(callbacks, callbackConfig);}}

這段代碼首先對調用圖進行重置

	protected void releaseCallgraph() {// If we are configured to use an existing callgraph, we may not release// itif (config.getSootIntegrationMode() == SootIntegrationMode.UseExistingCallgraph)return;Scene.v().releaseCallGraph();Scene.v().releasePointsToAnalysis();Scene.v().releaseReachableMethods();G.v().resetSpark();}

接下來兩行代碼不懂問了GPT

		// Make sure that we don't have any leftovers from previous runsPackManager.v().getPack("wjtp").remove("wjtp.lfp");PackManager.v().getPack("wjtp").remove("wjtp.ajc");
PackManager.v().getPack("wjtp")：

這部分獲取名為 “wjtp” 的分析階段組（pack）。Soot框架將各種分析和轉換任務組織在不同的階段組（如 “wjtp”, “jtp”, “cg” 等）中。

remove(“wjtp.lfp”) 和 remove(“wjtp.ajc”)：這兩行代碼從 “wjtp” 階段組中移除特定的分析或轉換階段。具體來說，它們移除名為 “wjtp.lfp” 和 “wjtp.ajc” 的階段。

這兩行代碼確保在新一輪的Soot分析或轉換開始之前，清除先前可能添加到 “wjtp” 階段組的 “wjtp.lfp” 和 “wjtp.ajc” 分析階段。這樣做主要是為了避免先前運行的殘留影響到當前的運行。這是一種清理機制，確保每次運行都是在干凈、一致的環(huán)境中進行。

再次回到processEntryPoint

Instantiates and configures the data flow engine

	private IInPlaceInfoflow createInfoflow() {// Some sanity checksif (config.getSootIntegrationMode().needsToBuildCallgraph()) {if (entryPointCreator == null)throw new RuntimeException("No entry point available");if (entryPointCreator.getComponentToEntryPointInfo() == null)throw new RuntimeException("No information about component entry points available");}// Get the component lifecycle methodsCollection<SootMethod> lifecycleMethods = Collections.emptySet();if (entryPointCreator != null) {ComponentEntryPointCollection entryPoints = entryPointCreator.getComponentToEntryPointInfo();if (entryPoints != null)lifecycleMethods = entryPoints.getLifecycleMethods();}// Initialize and configure the data flow trackerIInPlaceInfoflow info = createInfoflowInternal(lifecycleMethods);if (ipcManager != null)info.setIPCManager(ipcManager);info.setConfig(config);info.setSootConfig(sootConfig);info.setTaintWrapper(taintWrapper);info.setTaintPropagationHandler(taintPropagationHandler);info.setAliasPropagationHandler(aliasPropagationHandler);// We use a specialized memory manager that knows about Androidinfo.setMemoryManagerFactory(new IMemoryManagerFactory() {@Overridepublic IMemoryManager<Abstraction, Unit> getMemoryManager(boolean tracingEnabled,PathDataErasureMode erasePathData) {return new AndroidMemoryManager(tracingEnabled, erasePathData, entrypoints);}});info.setMemoryManagerFactory(null);// Inject additional post-processorsinfo.setPostProcessors(Collections.singleton(new PostAnalysisHandler() {@Overridepublic InfoflowResults onResultsAvailable(InfoflowResults results, IInfoflowCFG cfg) {// Purify the ICC results if requestedfinal IccConfiguration iccConfig = config.getIccConfig();if (iccConfig.isIccResultsPurifyEnabled()) {// no-op at the moment. We used to have a purifier here, but it didn't make// any sense. Removed it for the better.}return results;}}));return info;}

接下來進入到runAnalysis函數(shù)內部，這個函數(shù)似乎比較關鍵
Conducts a taint analysis on an already initialized callgraph

	protected void runAnalysis(final ISourceSinkManager sourcesSinks, final Set<String> additionalSeeds) {final InfoflowPerformanceData performanceData = createPerformanceDataClass();try {// Clear the data from previous runsresults = createResultsObject();results.setPerformanceData(performanceData);// Print and check our configurationcheckAndFixConfiguration();config.printSummary();// Register a memory watcherif (memoryWatcher != null) {memoryWatcher.clearSolvers();memoryWatcher = null;}memoryWatcher = new FlowDroidMemoryWatcher(results, config.getMemoryThreshold());// Initialize the abstraction configurationAbstraction.initialize(config);// Build the callgraphlong beforeCallgraph = System.nanoTime();constructCallgraph();performanceData.setCallgraphConstructionSeconds((int) Math.round((System.nanoTime() - beforeCallgraph) / 1E9));logger.info(String.format(Locale.getDefault(), "Callgraph construction took %d seconds",performanceData.getCallgraphConstructionSeconds()));// Initialize the source sink managerif (sourcesSinks != null)sourcesSinks.initialize();// Perform constant propagation and remove dead codeif (config.getCodeEliminationMode() != CodeEliminationMode.NoCodeElimination) {long currentMillis = System.nanoTime();eliminateDeadCode(sourcesSinks);logger.info("Dead code elimination took " + (System.nanoTime() - currentMillis) / 1E9 + " seconds");}// After constant value propagation, we might find more call edges// for reflective method callsif (config.getEnableReflection()) {releaseCallgraph();constructCallgraph();}if (config.getCallgraphAlgorithm() != CallgraphAlgorithm.OnDemand)logger.info("Callgraph has {} edges", Scene.v().getCallGraph().size());IInfoflowCFG iCfg = icfgFactory.buildBiDirICFG(config.getCallgraphAlgorithm(),config.getEnableExceptionTracking());if (config.isTaintAnalysisEnabled())runTaintAnalysis(sourcesSinks, additionalSeeds, iCfg, performanceData);// Gather performance dataperformanceData.setTotalRuntimeSeconds((int) Math.round((System.nanoTime() - beforeCallgraph) / 1E9));performanceData.updateMaxMemoryConsumption(getUsedMemory());logger.info(String.format("Data flow solver took %d seconds. Maximum memory consumption: %d MB",performanceData.getTotalRuntimeSeconds(), performanceData.getMaxMemoryConsumption()));// Provide the handler with the final resultsfor (ResultsAvailableHandler handler : onResultsAvailable)handler.onResultsAvailable(iCfg, results);// Write the Jimple files to disk if requestedif (config.getWriteOutputFiles())PackManager.v().writeOutput();} catch (Exception ex) {StringWriter stacktrace = new StringWriter();PrintWriter pw = new PrintWriter(stacktrace);ex.printStackTrace(pw);if (results != null)results.addException(ex.getClass().getName() + ": " + ex.getMessage() + "\n" + stacktrace.toString());logger.error("Exception during data flow analysis", ex);if (throwExceptions)throw ex;}}

constructCallgraph();
構造調用圖

	protected void constructCallgraph() {if (config.getSootIntegrationMode().needsToBuildCallgraph()) {// Allow the ICC manager to change the Soot Scene before we continueif (ipcManager != null)ipcManager.updateJimpleForICC();// Run the preprocessorsfor (PreAnalysisHandler tr : preProcessors)tr.onBeforeCallgraphConstruction();// Patch the system libraries we need for callgraph constructionLibraryClassPatcher patcher = getLibraryClassPatcher();patcher.patchLibraries();// To cope with broken APK files, we convert all classes that are still// dangling after resolution into phantomsfor (SootClass sc : Scene.v().getClasses())if (sc.resolvingLevel() == SootClass.DANGLING) {sc.setResolvingLevel(SootClass.BODIES);sc.setPhantomClass();}// We explicitly select the packs we want to run for performance// reasons. Do not re-run the callgraph algorithm if the host// application already provides us with a CG.if (config.getCallgraphAlgorithm() != CallgraphAlgorithm.OnDemand && !Scene.v().hasCallGraph()) {PackManager.v().getPack("wjpp").apply();PackManager.v().getPack("cg").apply();}}// If we don't have a FastHierarchy, we need to create it - even if we use an// existing callgraphhierarchy = Scene.v().getOrMakeFastHierarchy();if (config.getSootIntegrationMode().needsToBuildCallgraph()) {// Run the preprocessorsfor (PreAnalysisHandler tr : preProcessors)tr.onAfterCallgraphConstruction();}}

runAnalysis分析結束后回到了processEntryPoint