[Soot-list] [Beginner] A few questions about cfg and Soot

Olaf Neugebauer olaf.neugebauer at tu-dortmund.de
Wed Jul 8 12:27:54 EDT 2009


Hi Eric,

Eric Bodden wrote:
>> I'm quite new to Soot. For bytecode analysis I used ASM but it is more a
>> manipulation than analyzing framework.
>> I read the survival guide and a few papers. But I can't figure out how
>> to construct an inter-procedural control flow graph and traverse through
>> it.
>>
>> Here is a simple example
>>
>> class Adder {
>>
>>   public static void main(String[] args) {
>>
>>     Calc calc = new Calc();
>>     int a = 10;
>>     int b = 5;
>>     calc.printadd(a, b);
>>
>>   }
>>
>> }
>>
>> class Calc {
>>
>>   private int add(int a, int b) {
>>     return a + b;
>>   }
>>
>>   public void printadd(int a, int b) {
>>     int res = add(a, b);
>>     System.out.println("res: " + res);
>>   }
>>
>> }
>>
>> I want to know, if there is a call for the add(int,int) method which I
>> can reach from the main method?
>> Is there a way to construct an inter-procedural cfg, so that I can go
>> from main to every node I can reach?
>>     
>
> Hi Olaf.
>
> Soot does not really support inter-procedural control-flow graphs (in
> the sense that those graphs would tell you the order in which method
> calls may appear), but I think what you are actually looking for is
> just a call graph (which tells you which methods may call which other
> methods, irrespective of the order of these calls). This can be
> achieved very easily:
>
> 1.) Enable whole-program mode using the -w flag.
> 2.) Optionally: use phase options to tell Soot what kind of call graph
> you like:
> http://www.sable.mcgill.ca/soot/tutorial/phase/phase.html#SECTION00040000000000000000
> 3.) Add a SceneTransformer to the wjtp pack. Within the
> SceneTransformer's transform method you can easily access the call
> graph using Scene.v().getCallGraph().
>
>   

OK, I'll try to write my own SceneTransformer...

Hmm, for some analysis I need to know the order of calls, e.g. I want to
know if there is a database.writeData() call and if there is on every
path reaching this call a database.open() call.

>> In this example a and b are constants, is it possible if I know, there
>> is a call for add, to calculate the arguments? (maybe a kind of
>> inter-procedural "constant" propagation + folding)
>>     
>
> Yes, you would need inter-procedural constant folding for this. Soot
> does not have this built-in, I believe, but you could certainly write
> such a constant folder yourself once you have the call graph.
>
>   
>> The general question is: can I reach a method A from entry E -> if there
>> is a call, which arguments are used? (constant values or every int < 10
>> is possible ?)
>>     
>
> Constants will appear as Value instances of type IntConstant in
> Jimple. Hence, they should be easy to detect. It may help to look at
> Soot's intra-procedural constant folder before you get started.
>
>   
If values appear as IntConstant, can I access the real value?

>> Can I define my own entry method? The programs I want to analyze don't
>> have a main method (kind of services).
>>     
>
> Yes, that can be done using the EntryPoints class, but that would
> probably require that you call the call-graph construction manually
> instead of having the framework do it. I would recommend to instead
> write a "dummy" main class that calls your actual entry point and then
> feed this class to Soot using the -main-class argument.
>
>   

The problem is that I don't have the programs as Java source code, only
the bytecode is available.
> Eric
>   
Thanks!
Olaf
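
The three steps quoted above (-w, a SceneTransformer in the wjtp pack, Scene.v().getCallGraph()), as an added example that is not part of the original thread or of Soot's own code. It assumes a Soot release with generic collections; the class name ReachableCalls and the phase name "wjtp.reach" are made up for this sketch, and Calc/Adder are the classes from the quoted example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import soot.PackManager;
import soot.Scene;
import soot.SceneTransformer;
import soot.SootMethod;
import soot.Transform;
import soot.Value;
import soot.jimple.IntConstant;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;

public class ReachableCalls {
    public static void main(String[] args) {
        // Step 3: register a SceneTransformer in the whole-program "wjtp" pack.
        PackManager.v().getPack("wjtp").add(new Transform("wjtp.reach", new SceneTransformer() {
            @Override
            protected void internalTransform(String phaseName, Map options) {
                CallGraph cg = Scene.v().getCallGraph();
                Set<SootMethod> seen = new HashSet<SootMethod>();
                Deque<SootMethod> work = new ArrayDeque<SootMethod>();
                work.add(Scene.v().getMainMethod());   // start at the entry point
                while (!work.isEmpty()) {
                    SootMethod m = work.poll();
                    if (!seen.add(m)) continue;        // already visited
                    for (Iterator<Edge> it = cg.edgesOutOf(m); it.hasNext();) {
                        Edge e = it.next();
                        work.add(e.tgt());
                        Stmt site = e.srcStmt();       // null for implicit edges
                        if (!e.tgt().getDeclaringClass().getName().equals("Calc")
                                || site == null || !site.containsInvokeExpr()) continue;
                        System.out.println(m + " -> " + e.tgt());
                        for (Value arg : site.getInvokeExpr().getArgs()) {
                            // IntConstant exposes the literal as a public int field.
                            System.out.println("  arg: " + (arg instanceof IntConstant
                                    ? "constant " + ((IntConstant) arg).value
                                    : "not a constant (" + arg + ")"));
                        }
                    }
                }
            }
        }));
        // Steps 1 and 2 are passed on the command line, e.g.: -w -main-class Adder Adder
        soot.Main.main(args);
    }
}
```

This only answers reachability and reports arguments that are literal constants at the call site; it says nothing about the order of calls along a path.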

