[Soot-list] Callgraph generation with Paddle

Saswat Anand saswat78 at gmail.com
Fri May 7 14:33:56 EDT 2010 

> However, I am not quite sure whether this really indicates an
> out-of-memory error. For example, when trying to perform a
> 1-object-sensitive points-to analysis after callgraph generation, the
> problematic frame is bdd_makenode+0x75 inside libjeddbuddy and the CR2
> register is at 0x28442810, which is between two allocated heap segments:

You can confirm if it is a memory issue if you modify Jedd as follows:
Edit the method "errorhandler" in jbuddy.c in runtime/csrc in jedd-0.4
folder to print out the error code. If it prints -1, then buddy is
running out of memory. -1 is the code for out of memory error in
buddy.


> I am also having a hard time understanding contexts representation
> within Paddle. For example, while iterating over the object-sensitive
> callgraph, I obtain such edges:
>
> [*] Edge from <AnyObject: void method(AnyObject,int)>
>        In Context: GlobalAllocNode 17 Any_subtype_of_AnyObject in null
>    To node: <AnyObject: AnotherObject getObj()>
>        In Context: GlobalAllocNode 17 Any_subtype_of_AnyObject in null
>
>
> [*] Edge from <AnyObject: void method(AnyObject,int)
>        In Context: GlobalAllocNode 17 Any_subtype_of_AnyObject in null
>    To node: <AnyObject: AnotherObject getObj()>
>        In Context: GlobalAllocNode 17 Any_subtype_of_AnyObject in null
>
>
> Which correspond to the following code:
>
> class AnyObject {
>    private AnotherObject att = new AnotherObject();
>
>    public AnotherObject getObj() {
>        return this.att;
>    }
>
>    void method(AnyObject Untrusted, int i) {
>        AnotherObject localUntrusted = untrusted.getObj();
>        AnotherObject localTrusted = this.getObj();
>       [...]
>    }
> }
>
> As I understand it, for an object-sensitive analysis, the context
> attached to these methods should be the allocation site of the receiver
> objects, which are not allocated at the same line, so why are these
> contexts similar ?

Because type of the allocated object in the above two contexts is
Any_subtype_of_AnyObject, the allocated object definitely does not
correspond to the new expression in the code snippet above. Some of
the places where Any_subtype allocation objects are used include
reflection calls and exceptions.

Saswat

More information about the Soot-list mailing list