[Soot-list] [Beginner] A few questions about cfg and Soot

Eric Bodden eric.bodden at mail.mcgill.ca
Wed Jul 8 10:57:45 EDT 2009


> I'm quite new to Soot. For bytecode analysis I used ASM, but it is more a
> manipulation than an analysis framework.
> I read the survival guide and a few papers. But I can't figure out how
> to construct an inter-procedural control flow graph and traverse through
> it.
>
> Here is a simple example
>
> class Adder{
>
> public static void main(String[] args){
>
>   Calc calc = new Calc();
>   int a = 10;
>   int b = 5;
>   calc.printadd(a,b);
>
>   }
>
> }
>
> class Calc{
>
>   private int add(int a, int b){
>      return a+b;
>     }
>
>   public void printadd(int a, int b){
>        int res = add(a,b);
>      System.out.println("res: " + res);
>   }
>
> }
>
> I want to know if there is a call to the add(int,int) method which I
> can reach from the main method.
> Is there a way to construct an inter-procedural cfg, so that I can go
> from main to every node I can reach?

Hi Olaf.

Soot does not really support inter-procedural control-flow graphs (in
the sense that those graphs would tell you the order in which method
calls may appear), but I think what you are actually looking for is
just a call graph (which tells you which methods may call which other
methods, irrespective of the order of these calls). This can be
achieved very easily:

1.) Enable whole-program mode using the -w flag.
2.) Optionally: use phase options to tell Soot what kind of call graph
you like:
http://www.sable.mcgill.ca/soot/tutorial/phase/phase.html#SECTION00040000000000000000
3.) Add a SceneTransformer to the wjtp pack. Within the
SceneTransformer's transform method you can easily access the call
graph using Scene.v().getCallGraph().

> In this example a and b are constants. Is it possible, if I know there
> is a call to add, to calculate the arguments? (maybe a kind of
> inter-procedural "constant" propagation + folding)

Yes, you would need inter-procedural constant folding for this. Soot
does not have this built-in, I believe, but you could certainly write
such a constant folder yourself once you have the call graph.

> The general question is: can I reach a method A from entry E -> if there
> is a call, which arguments are used? (constant values, or is every int < 10
> possible?)

Constants will appear as Value instances of type IntConstant in
Jimple. Hence, they should be easy to detect. It may help to look at
Soot's intra-procedural constant folder before you get started.

> Can I define my own entry method? The programs I want to analyze don't
> have a main method (kind of services).

Yes, that can be done using the EntryPoints class, but that would
probably require that you call the call-graph construction manually
instead of having the framework do it. I would recommend to instead
write a "dummy" main class that calls your actual entry point and then
feed this class to Soot using the -main-class argument.

Eric
-- 
Eric Bodden
Sable Research Group, McGill University
Montréal, Québec, Canada
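
The three steps from the reply, put together as an added example that is not part of the original message or of Soot itself. It walks the call graph from the main method, reports every call site that targets the add(int,int) method of the question, and marks which arguments are IntConstant values. The class name ReachAdd, the transform name wjtp.reachadd and the generic Map signature (recent Soot releases; older ones use a raw Map) are assumptions.

```java
import java.util.*;
import soot.*;
import soot.jimple.IntConstant;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;

public class ReachAdd {
    // Soot signature of the method from the question (assumed default package).
    static final String TARGET = "<Calc: int add(int,int)>";

    public static void main(String[] args) {
        // Step 3: register a SceneTransformer in the wjtp pack.
        PackManager.v().getPack("wjtp").add(new Transform("wjtp.reachadd", new SceneTransformer() {
            @Override
            protected void internalTransform(String phase, Map<String, String> options) {
                CallGraph cg = Scene.v().getCallGraph();
                Deque<SootMethod> work = new ArrayDeque<>();
                Set<SootMethod> seen = new HashSet<>();
                work.add(Scene.v().getMainMethod());
                // Worklist traversal: visit every method reachable from main once.
                while (!work.isEmpty()) {
                    SootMethod m = work.poll();
                    if (!seen.add(m)) continue;
                    for (Iterator<Edge> it = cg.edgesOutOf(m); it.hasNext();) {
                        Edge e = it.next();
                        if (e.tgt().getSignature().equals(TARGET)) report(m, e.srcStmt());
                        work.add(e.tgt());
                    }
                }
            }
        }));
        // Step 1: pass -w (whole-program mode) on the command line,
        // for example: -w -main-class Adder Adder
        soot.Main.main(args);
    }

    static void report(SootMethod caller, Stmt site) {
        System.out.println("add is called from " + caller.getSignature());
        // Implicit edges (e.g. static initializers) carry no call statement.
        if (site == null || !site.containsInvokeExpr()) return;
        for (Value arg : site.getInvokeExpr().getArgs()) {
            if (arg instanceof IntConstant)
                System.out.println("  constant argument: " + ((IntConstant) arg).value);
            else // a Local or other expression; resolving it needs the constant folding discussed above
                System.out.println("  non-constant argument: " + arg);
        }
    }
}
```

For the Adder/Calc example, the arguments at the add call site are locals rather than IntConstant values, which is exactly the case where the inter-procedural constant folding mentioned in the reply would be needed.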