RunDroid: Recovering Execution Call Graphs for Android Applications Yujie Yuan East China Normal University Shanghai, China mijackstudio@gmail.com Lihua Xu East China Normal University Shanghai, China lhxu@cs.ecnu.edu.cn Xusheng Xiao Case Western Reserve University Ohio, USA xusheng.xiao@case.edu Andy Podgurski Case Western Reserve University Ohio, USA hap@case.edu Huibiao Zhu East China Normal University Shanghai, China hbzhu@sei.ecnu.edu.cn ABSTRACT Fault localization is a well-received technique for helping develop- ers to identify faulty statements of a program. Research has shown that the coverages of faulty statements and its predecessors in program dependence graph are important for efective fault local- ization. However, app executions in Android split into segments in diferent components, i.e., methods, threads, and processes, pos- ing challenges for traditional program dependence computation, and in turn rendering fault localization less efective. We present RunDroid, a tool for recovering the dynamic call graphs of app executions in Android, assisting existing tools for more precise program dependence computation. For each execution, RunDroid captures and recovers method calls from not only the application layer, but also between applications and the Android framework. Moreover, to deal with the widely adopted multi-threaded commu- nications in Android applications, RunDroid also captures methods calls that are split among threads. Demo : https://github.com/MiJack/RunDroid Video : https://youtu.be/EM7TJbE-Oaw CCS CONCEPTS · Software and its engineering → Software maintenance tools; KEYWORDS Android, software analysis, multi-thread ACM Reference format: Yujie Yuan, Lihua Xu, Xusheng Xiao, Andy Podgurski, and Huibiao Zhu. 2017. RunDroid: Recovering Execution Call Graphs for Android Applica- tions. In Proceedings of 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foun- dations of Software Engineering, Paderborn, Germany, September 4ś8, 2017 (ESEC/FSE’17), 5 pages. https://doi.org/10.1145/3106237.3122821 Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for proft or commercial advantage and that copies bear this notice and the full citation on the frst page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specifc permission and/or a fee. Request permissions from permissions@acm.org. ESEC/FSE’17, September 4ś8, 2017, Paderborn, Germany © 2017 Association for Computing Machinery. ACM ISBN 978-1-4503-5105-8/17/09. . . $15.00 https://doi.org/10.1145/3106237.3122821 1 INTRODUCTION Android applications (i.e., apps) have been witnessed a massive growth over the last decade. As such, more and more attentions are paid to the quality and reliability of apps. Among techniques that ensure high quality of apps, fault localization technique is a well-received technique for fnding faulty statements of apps[12] [11]. Research [7, 8] has shown that the coverage of faulty state- ments and its predecessors in program dependence graph are im- portant for efective fault localization. However, app executions split into segments in diferent components, i.e., methods, threads, and processes, posing challenges for traditional program depen- dence computation, and in turn rendering fault localization less efective. Specifcally, the major challenges posed by Android apps for precise computation of program dependencies are as follows. • Multi-thread communications. Android apps employ worker threads for intensive operations, while only objects running on the UI thread have access to UI objects. Hence, handlers are utilized commonly to pass messages and data between the UI thread and worker threads. • Implicit callbacks. Android apps are driven by events and call- backs, such as onClick(), onActivityResult(), that are invoked by the Android framework. • Lifecycle methods. In Android apps, each component, e.g. an activity, is required to follow a lifecycle, which are defned via callbacks. 1 Despite achievements made by static analysis [6, 10, 14, 15] to model Android execution environment, these techniques still face challenges in precisely inferring the whole-program control fows of Android apps. Besides the aforementioned major challenges, Android apps use refections (e.g., composing UI views and instanti- ation of components), type polymorphism (e.g., customized Thread classes and UI views), and temporary classes (e.g., event handlers registered using temporal classes), which cause further difculties for static analysis to be precise and scalable. To address these challenges and improve the precision of ex- isting fault localization techniques for Android apps, we present RunDroid, a tool that recovers app executions’ dynamic call graphs 1 In this work, we specifcally diferentiate lifecycle methods from other implicit callback methods to better understand and visualize the internal behaviors of each activity. 949