[Soot-list] Points-to analysis using SPARK

Eric Bodden bodden at st.informatik.tu-darmstadt.de
Thu Sep 8 10:56:13 EDT 2011 

Hi Christophe.

I think this is because Spark is context insensitive. This means that
it will confuse your
Circle instance with all other objects ever being put into a List (or
at least ArrayList). to better than that you have to use a context
sensitive analysis, e.g. the paddle framework, which integrates with
Soot, or the demand-driven context-sensitive analysis within Soot.
(see http://www.sable.mcgill.ca/soot/tutorial/phase/)

But still I am a little confused as to why things such as String end
up in this points-to set. Clearly a variable of type Drawable could
never hold such a value. I am usure why that happens.

Eric

On 8 September 2011 14:39, Christophe Foket
<christophe.foket at elis.ugent.be> wrote:
> Hi,
>
> I've got a question on how to treat the results of a points-to analysis
> performed using SPARK. Consider for instance the following 2-class program:
>
> public abstract class Drawable {
>
>     public void draw(){}
> }
>
> public class Circle extends Drawable {
>
>     public void draw(){
>
>         super.draw();
>     }
>
>     public static void main(String[] args){
>
>         List<Drawable> drawables = new ArrayList<Drawable>();
>         drawables.add(new Circle());
>
>         for(Drawable drawable : drawables)
>             drawable.draw();
>     }
> }
>
> The jimple code for Drawable:draw() is
>
> Drawable r0
> r0 := @this: Drawable
> return
>
> Using SPARK as a points-to analysis,
>
>     Scene.v().getPointsToAnalysis().reachingObjects(...).possibleTypes()
>
> gives me the following set of types for the Local corresponding to r0:
>
> [Any_subtype_of_java.lang.Thread, Any_subtype_of_java.lang.ClassLoader,
> Circle, Any_subtype_of_java.lang.Object,
> Any_subtype_of_java.security.PrivilegedActionException]
>
> I expected this set to only include Circle (since Drawable is abstract).
> What is the purpose of the "Any_subtype_of_..." types? I suppose this
> covers all types that are subtypes of Object. However, these also
> include, e.g., String, which is definitely not a possible type for r0.
>
> Can anyone shed any light on this?
>
> Best,
>
> Christophe
>
> _______________________________________________
> Soot-list mailing list
> Soot-list at sable.mcgill.ca
> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
>



-- 
Dr. Eric Bodden, http://bodden.de/
Principal Investigator in Secure Services at CASED
Coordinator of the CASED Advisory Board of Study Affairs
PostDoc at Software Technology Group, Technische Universität Darmstadt
Tel: +49 6151 16-5478    Fax: +49 6151 16-5410
Mailing Address: S2|02 A209, Hochschulstraße 10, 64289 Darmstadt

More information about the Soot-list mailing list