[Soot-list] wrong result for method reachObjects(local, field) in points-to analysis

Prof. Laurie HENDREN hendren at cs.mcgill.ca
Tue Mar 7 17:30:08 EST 2006 

Dear Aiwu,

The points-to analysis done by Spark is flow-insensitive, meaning
that it doesn not take control flow into account.   Such an analysis
cannot tell anything about the order in which assignments happen in
the program.  Thus, cannot know that the second assignment to w.f
kills the points-to relationships from the first assignment.

Laurie


+-----------------------------------------------------------------
| Laurie Hendren --- laurie.hendren at mcgill.ca
| Associate Dean (Academic), Faculty of Science,
| Dawson Hall, McGill University, 853 Sherbrooke St W,
| Montreal QC H3A 2T6 Canada, 514-398-7179, fax 514-398-1774
+----------------------------------------------------------------
| For contact and home page info as Professor, Computer Science:
| http://www.sable.mcgill.ca/~hendren   ---  hendren at cs.mcgill.ca
| Research: http://www.sable.mcgill.ca  http://aspectbench.org
+----------------------------------------------------------------

On Tue, 7 Mar 2006, Aiwu Shi wrote:

> hi,
>
> I use a simple program to test my points-to analysis.
>
> I am not extending Soot in the recommended way, but just calling into
> Soot/Spark directly like the following:
>
> //set the PointsToAnalysis with phase options
>   options.put("enabled", "true");
>   options.put("on-fly-cg", "true");
>   options.put("set-impl", "hybrid");
>   options.put("propagator", "worklist");
>   options.put("verbose", "true");
>   SparkTransformer.v().transform("cg.spark",options);
>
> I want to get the PointsToSet for the field f of local variable w, that is, the PointsToSet of w.f. after my analysis, I got the PointsToSet include two AllocNode, one is AllocNode for x, the other is AllocNode for y.
> in fact, we can know, the w.f should only contain the AllocNode of y.
> so, is there a bug for the method of reachObject(local, field)? please explain for me. thanks
>
> Aiwu
>
>
>
> my analyzed sample class is followed:
>
> class Sample{
>  private C f;
>
>  public C f2( ){
>   C x;
>   C y;
>   Sample w=new Sample();
>   x = new C();
>   y = new C();
>
>   w.f=x;
>   w.f=y;
>
>   return x;
>  }
> }

More information about the Soot-list mailing list