[Soot-list] information returned from DemandCS pointto analysis misses context

Eric Bodden eric.bodden at mail.mcgill.ca
Tue Aug 4 15:41:25 EDT 2009


Hi Peng.

I understand your problem. Unfortunately, I believe that the current
implementation of DemandCSPointsTo does not yet support such queries.
I am CC'ing Manu Sridharan, the author of this analysis. Maybe he can
comment on how hard it would be to make appropriate changes.

The problem is that you currently have to use the method
"reachingObjects(Local l)", as this is the only method of the
PointsToAnalysis interface that DemandCSPointsTo implements:
http://www.sable.mcgill.ca/soot/doc/soot/PointsToAnalysis.html#reachingObjects%28soot.Local%29

However, to get the right answer in your case you would instead have to use
the method "reachingObjects(Context c, Local l)" or, respectively,
"reachingObjects(Context c, Local l, SootField f)". This method
returns a points-to set *assuming* a certain given context that you
pass in (e.g. the context for method A()).

So right now I see two options for you:
1.) Wait for Manu's reply and see if it's easily possible to change
DemandCSPointsTo so that it implements these methods as well, or...
2.) Use Paddle instead: http://www.sable.mcgill.ca/paddle/ Paddle is
an extension to Soot. It does not use Spark for its analysis but rather
uses another, BDD-based, approach. This makes it a bit tricky to set
up, but Paddle does provide the above methods.

Eric

2009/8/4 LIU Peng <lpxz at ust.hk>:
> Dear Eric:
>     As mentioned in my last email, I tried the DemandCS points-to analysis. But I
> found that in the AllocAndContext returned by reachingObjects(iBase),
> the context is empty while alloc is not empty.
> In more detail:
>
>
> 1 subject class:
> public class TestMethods {
>     public static void A() {
>         Run1 run1 = new Run1();
>         D(run1);
>     }
>     public static void B() {
>         Run2 run2 = new Run2();
>         D(run2);
>     }
>     public static void C() {
>         Run3 run3 = new Run3();
>         // D(run3);
>     }
>     public static void D(Runit r) {
>         r.run();
>     }
>     public static void main(String[] args) { // to be analyzed
>         A();
>         B();
>         C();
>     }
> }
>
>
>
> 2 trace:
> // the analysis starts from the main body, and when it meets an invoke stmt,
> it analyzes the corresponding method immediately.
>
>
> This is part of my console information :
> [Call Graph] For information on where the call graph may be incomplete,
> use the verbose option to the cg phase.
> [Spark] Pointer Assignment Graph in 2.4 seconds.
> [Spark] Type masks in 1.0 seconds.
> [Spark] Pointer Graph simplified in 0.0 seconds.
> [Spark] Propagation in 157.3 seconds.
> [Spark] Solution found in 157.4 seconds.
> [Spark] Initialized on-demand refinement-based context-sensitive analysis
> in 18.2 seconds.
>
>
>     ==>method:<TestMethods: void main(java.lang.String[])>
>     args := @parameter0: java.lang.String[]
>     staticinvoke <TestMethods: void A()>()
>     { =====================================
>          ==>method:<TestMethods: void A()>
>          $r0 = new Run1
>          specialinvoke $r0.<Run1: void <init>()>()
> AllocNode 32 new Run1 in method <TestMethods: void A()><--> ibase:$r0
>          { =====================================
>               ==>method:<Run1: void <init>()>
>               this := @this: Run1
>               specialinvoke this.<java.lang.Object: void <init>()>()
> AllocNode 32 new Run1 in method <TestMethods: void A()><--> ibase:this
>               return
>               <==method:<Run1: void <init>()>
>          ===================================== }
>          run1 = $r0
>          staticinvoke <TestMethods: void D(Runit)>(run1)
>          { =====================================
>               ==>method:<TestMethods: void D(Runit)>
>               r := @parameter0: Runit
>               interfaceinvoke r.<Runit: void run()>()
> (I hope to get context information here.)!!!!!!!!!!!!!!!!!!!!!!!!!
> AllocNode 32 new Run1 in method <TestMethods: void A()><--> ibase:r
> AllocNode 31 new Run2 in method <TestMethods: void B()><--> ibase:r
>               { =====================================
>                    ==>method:<Run2: void run()>
>                    this := @this: Run2
>                    $r0 = <java.lang.System: java.io.PrintStream out>
>                    virtualinvoke $r0.<java.io.PrintStream: void
> println(java.lang.String)>("B is runnning")
> AllocNode 8 new java.io.PrintStream in method <java.lang.System: void
> initializeSystemClass()><--> ibase:$r0
>                    return
>                    <==method:<Run2: void run()>
>                    ==>method:<Run1: void run()>
>                    this := @this: Run1
>                    $r0 = <java.lang.System: java.io.PrintStream out>
>                    virtualinvoke $r0.<java.io.PrintStream: void
> println(java.lang.String)>("A is runnning")
> AllocNode 8 new java.io.PrintStream in method <java.lang.System: void
> initializeSystemClass()><--> ibase:$r0
>                    return
>                    <==method:<Run1: void run()>
>               ===================================== }
>               return
>               <==method:<TestMethods: void D(Runit)>
>          ===================================== }
>
>
>
>
> 3 problem:
> The problem is that for interfaceinvoke r.<Runit: void run()>(), I want
> the points-to set of r to be context-sensitive. To be concrete, I
> want:
>  r  points to "AllocNode 32 new Run1 in method <TestMethods: void A()>"
> when r.<Runit: void run()>() is called under context "A()"
>  r  points to "AllocNode 31 new Run2 in method <TestMethods: void B()>"
> when r.<Runit: void run()>() is called under context "B()"
> but I use the following code to query:
>
>  import soot.PointsToSet;
>  import soot.jimple.spark.ondemand.AllocAndContext;
>  import soot.jimple.spark.ondemand.AllocAndContextSet;
>
>  PointsToSet p2base = MyAnalysis.paDemand.reachingObjects(iBase);
>  if (p2base instanceof AllocAndContextSet) { // Spark returns this representation, so a for-each loop can be used
>      for (AllocAndContext allocAndContext : (AllocAndContextSet) p2base) {
>          System.out.println("" + allocAndContext.alloc + "");
>          filter2.add(allocAndContext); // type
>      }
>  }
>
> I find that alloc is right, but the integer stack of the context is empty
> in debug mode, so I get no helpful information about context
> sensitivity.
>
> Do you know what is wrong with my analysis?
> Thanks
>
> Regards
> Peng
>



-- 
Eric Bodden
Software Technology Group
Technical University Darmstadt, Germany
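The following is an added example, not code from the thread, from Soot or from DemandCSPointsTo. It is a toy Python model of the TestMethods program above that makes the distinction in this thread concrete: a context-insensitive query on the receiver `r` in D(Runit) (what reachingObjects(Local) can offer) necessarily unions the Run1 and Run2 allocation sites, whereas a query qualified by the calling context (the reachingObjects(Context, Local) shape Eric describes) separates them. The mini-IR, the call-string contexts and the function names are constructed for this illustration.

```python
"""Toy model of the query in this thread: why a context-insensitive
reachingObjects(Local) on `r` in D(Runit) yields both Run1 and Run2, and what
a context-qualified query would return instead.

Constructed, self-contained model; not Soot/Spark/DemandCSPointsTo code.
The method bodies mirror the TestMethods class quoted in the thread.
"""
from collections import defaultdict

# Constructed mini-IR. Statement forms:
#   ("new", var, cls)        var = new cls
#   ("call", callee, args)   static call passing local variables
#   ("vcall", var)           virtual call on receiver var (the queried site)
PROGRAM = {
    "main": [("call", "A", []), ("call", "B", []), ("call", "C", [])],
    "A": [("new", "run1", "Run1"), ("call", "D", ["run1"])],
    "B": [("new", "run2", "Run2"), ("call", "D", ["run2"])],
    "C": [("new", "run3", "Run3")],  # D(run3) is commented out in the thread
    "D": [("vcall", "r")],
}
PARAMS = {"main": [], "A": [], "B": [], "C": [], "D": ["r"]}


def analyze(program=PROGRAM, params=PARAMS, k=1):
    """Call-string-sensitive points-to analysis with k-limited contexts.

    A context is the tuple of the last k calling methods, so D reached from A
    has context ("A",). k=0 collapses every context to () and reproduces a
    context-insensitive result. Calls are inlined recursively without
    memoisation, which terminates here because the program has no recursion.

    Returns {(context, method, var): set of allocation sites}.
    """
    pts = defaultdict(set)

    def run(method, ctx, actuals):
        env = {}
        # Bind formal parameters to the points-to sets of the actuals.
        for formal, actual in zip(params[method], actuals):
            env[formal] = set(actual)
            pts[(ctx, method, formal)] |= env[formal]
        for stmt in program[method]:
            if stmt[0] == "new":
                _, var, cls = stmt
                site = f"new {cls} in {method}"
                env[var] = {site}
                pts[(ctx, method, var)].add(site)
            elif stmt[0] == "call":
                _, callee, args = stmt
                callee_ctx = (ctx + (method,))[-k:] if k else ()
                run(callee, callee_ctx, [env[a] for a in args])
            # "vcall": the receiver's points-to set is what the query reads.

    run("main", (), [])
    return pts


def reaching_objects(pts, method, var):
    """Context-insensitive query: the union over every context in which `var`
    was bound. This is the shape of reachingObjects(Local)."""
    return set().union(
        *(s for (_, m, v), s in pts.items() if m == method and v == var)
    )


def reaching_objects_in_context(pts, ctx, method, var):
    """Context-qualified query, the analogue of reachingObjects(Context, Local)."""
    return set(pts.get((ctx, method, var), set()))


if __name__ == "__main__":
    insensitive = analyze(k=0)
    sensitive = analyze(k=1)
    print("k=0  r in D:", sorted(reaching_objects(insensitive, "D", "r")))
    print("k=1  r in D, all contexts:", sorted(reaching_objects(sensitive, "D", "r")))
    print("k=1  r in D under A():", reaching_objects_in_context(sensitive, ("A",), "D", "r"))
    print("k=1  r in D under B():", reaching_objects_in_context(sensitive, ("B",), "D", "r"))
    print("k=1  r in D under C():", reaching_objects_in_context(sensitive, ("C",), "D", "r"))
```

Even with k=1 the unqualified query still returns both allocation sites; the context only becomes useful when the caller passes it in, which is exactly the method DemandCSPointsTo does not implement in this thread. The empty result under C() reflects the commented-out D(run3) call.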

