[Soot-list] Null pointer exception in Soot-transformed BigInteger

Daniel Wainwright wainwright.daniel at gmail.com
Wed Dec 19 20:51:13 EST 2012


Hi Phil,

Thanks for your assistance. I can't reproduce the error exactly in a
stand-alone test, but I can get a verifier error which seems to be caused by
the same problem. I have attached a script; if you make this executable and
run it, it will show that it executes correctly without processing through
soot but has a verifier error when it is processed using shimple. Of course
you will have to change the script to point to the locations of your soot
and rt jars.

In the generated shimple for the last line of the function it seems to use
only one definition for the new array, instead of collecting each
definition in a phi-node. The problem seems to be caused by the while loop;
if I comment this out it appears to work fine.

Daniel


On 19 December 2012 03:28, Phil Pratt-Szeliga <pcpratts at chirrup.org> wrote:

> Hi Dan,
>
> Can you post a full example that can show me the bug if I run a
> command named "run"? I will make a patch.
>
> Phil Pratt-Szeliga
> Syracuse University
> http://chirrup.org/
>
> On Mon, Dec 17, 2012 at 6:57 AM, Eric Bodden <eric.bodden at ec-spride.de>
> wrote:
> > Thanks for the detailed report.
> >
> > I wonder if the people who implemented Shimple are still around... I
> > have personally never touched Shimple and don't feel quite qualified
> > to fix this.
> >
> > Eric
> >
> > On 17 December 2012 07:35, Daniel Wainwright
> > <wainwright.daniel at gmail.com> wrote:
> >> Hi,
> >>
> >> I am using Soot to perform dynamic analysis on the JDK, and I am
> >> experiencing a null-pointer exception after transforming the
> >> java.math.BigInteger class. I have transformed this class with Soot with
> >> none of my own transformations, only passing it through shimple. I then
> >> execute it with the code
> >>
> >>         BigInteger num = BigInteger.valueOf(17);
> >>         boolean b = num.isProbablePrime(50);
> >>
> >> which results in
> >>
> >> ---
> >> Caused by: java.lang.NullPointerException
> >>     at java.math.BigInteger.<init>(BigInteger.java:924)
> >>     at java.math.BigInteger.shiftRight(BigInteger.java:2166)
> >>     at java.math.BigInteger.passesMillerRabin(BigInteger.java:894)
> >>     at java.math.BigInteger.primeToCertainty(BigInteger.java:739)
> >>     at java.math.BigInteger.isProbablePrime(BigInteger.java:2474)
> >>     at ProbablePrime.test(ProbablePrime.java:52)
> >>     at ProbablePrime.main(ProbablePrime.java:47)
> >>
> >>
> >> It appears that the array passed to the constructor is null, which does not
> >> appear possible from the source code (the last line in this function is
> >> BigInteger.java:2166):
> >>
> >>
> >>     public BigInteger shiftRight(int n) {
> >>         if (n==0)
> >>             return this;
> >>         if (n<0) {
> >>             if (n == Integer.MIN_VALUE) {
> >>                 throw new ArithmeticException("Shift distance of Integer.MIN_VALUE not supported.");
> >>             } else {
> >>                 return shiftLeft(-n);
> >>             }
> >>         }
> >>
> >>         int nInts = n >>> 5;
> >>         int nBits = n & 0x1f;
> >>         int magLen = mag.length;
> >>         int newMag[] = null;
> >>
> >>         // Special case: entire contents shifted off the end
> >>         if (nInts >= magLen)
> >>             return (signum >= 0 ? ZERO : negConst[1]);
> >>
> >>         if (nBits == 0) {
> >>             int newMagLen = magLen - nInts;
> >>             newMag = new int[newMagLen];
> >>             for (int i=0; i<newMagLen; i++)
> >>                 newMag[i] = mag[i];
> >>         } else {
> >>             int i = 0;
> >>             int highBits = mag[0] >>> nBits;
> >>             if (highBits != 0) {
> >>                 newMag = new int[magLen - nInts];
> >>                 newMag[i++] = highBits;
> >>             } else {
> >>                 newMag = new int[magLen - nInts -1];
> >>             }
> >>
> >>             int nBits2 = 32 - nBits;
> >>             int j=0;
> >>             while (j < magLen - nInts - 1)
> >>                 newMag[i++] = (mag[j++] << nBits2) | (mag[j] >>> nBits);
> >>         }
> >>
> >>         if (signum < 0) {
> >>             // Find out whether any one-bits were shifted off the end.
> >>             boolean onesLost = false;
> >>             for (int i=magLen-1, j=magLen-nInts; i>=j && !onesLost; i--)
> >>                 onesLost = (mag[i] != 0);
> >>             if (!onesLost && nBits != 0)
> >>                 onesLost = (mag[magLen - nInts - 1] << (32 - nBits) != 0);
> >>
> >>             if (onesLost)
> >>                 newMag = javaIncrement(newMag);
> >>         }
> >>
> >>         return new BigInteger(newMag, signum);
> >>     }
> >>
> >>
> >> Looking at the generated shimple (attached), it appears that there is a
> >> phi-node missing from the final block in this function, which would be
> >> needed to collect the different definitions of the array (r6).
> >>
> >> I am using Soot 2.5.0 and openjdk-7u6-fcs-src-b24-28_aug_2012. The command I
> >> used to process the class with Soot was:
> >>
> >>
> >>
> >> HOST_CP=$LIB_DIR/sootclasses-2.5.0.jar:$LIB_DIR/jasminclasses-2.5.0.jar:$LIB_DIR/polyglotclasses-1.3.5.jar
> >> java -Xmx6G -cp $HOST_CP:$1                 \
> >>         soot.Main                           \
> >>         -soot-class-path $TARGET_DIR        \
> >>         -src-prec class                     \
> >>         --via-shimple                       \
> >>         -p sop enabled:true                 \
> >>         -p stp enabled:true                 \
> >>         -include-all                        \
> >>         -exclude java.lang.invoke.          \
> >>         -exclude java.security.             \
> >>         -exclude java.lang.invoke.          \
> >>         -exclude java.util.                 \
> >>         -exclude java.io.                   \
> >>         -exclude java.nio.                  \
> >>         -exclude java.sql.                  \
> >>         -exclude java.net.                  \
> >>         -exclude java.applet.               \
> >>         -exclude java.rmi.                  \
> >>         -exclude java.text.                 \
> >>         -exclude java.util.logging.         \
> >>         -exclude com.                       \
> >>         -exclude com.sun.corba.se.impl.encoding. \
> >>         -exclude com.sun.org.apache.xml.internal.utils. \
> >>         -exclude com.sun.org.apache.bcel.internal.classfile. \
> >>         -exclude com.sun.org.apache.xerces.internal.impl.xpath.regex. \
> >>         -exclude com.sun.security.ntlm.     \
> >>         -exclude com.sun.xml.internal.ws.model. \
> >>         -exclude com.sun.xml.internal.messaging.saaj.packaging.mime.internet. \
> >>         -exclude com.sun.corba.se.impl.encoding. \
> >>         -exclude javax.                     \
> >>         -exclude javax.security.auth.       \
> >>         -exclude org.                       \
> >>         -exclude org.jcp.xml.dsig.internal.dom. \
> >>         -exclude sun.                       \
> >>         -exclude sun.awt.image.             \
> >>         -exclude sun.net.www.               \
> >>         -exclude sun.tools.jar.             \
> >>         -exclude sun.rmi.server.            \
> >>         -exclude sun.rmi.rmic.iiop.         \
> >>         -exclude sun.text.normalizer.       \
> >>         -exclude sun.print.                 \
> >>         -exclude sunw.                      \
> >>         -no-bodies-for-excluded             \
> >>         -keep-line-number                   \
> >>         -output-format S                    \
> >>         -output-dir $OUTPUT_DIR             \
> >>         -process-dir $TARGET_DIR
> >>
> >>
> >> _______________________________________________
> >> Soot-list mailing list
> >> Soot-list at sable.mcgill.ca
> >> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
> >>
> >
> >
> >
> > --
> > Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
> > Head of Secure Software Engineering Group at EC SPRIDE
> > Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
> > Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
> >
> >
>



-- 
Regards,

Daniel Wainwright
-------------- next part --------------
A non-text attachment was scrubbed...
Name: run
Type: application/octet-stream
Size: 2765 bytes
Desc: not available
Url : http://mailman.cs.mcgill.ca/pipermail/soot-list/attachments/20121220/78fccd66/attachment-0001.obj 
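The phi-node question raised in this thread can be checked independently of Soot. The following is an added example, not part of the original messages and not Soot or Shimple code: it models the control flow of the quoted `shiftRight` as a hand-built graph (block names are assumptions made for this sketch) and computes, via iterated dominance frontiers, which blocks need a phi-node for `newMag` in minimal SSA form.

```python
# Constructed CFG for the quoted shiftRight(); block names are invented for
# this example and are not Shimple labels. Early returns are left out.
CFG = {
    "entry":      ["copy_alloc", "hi_test"],    # newMag = null
    "copy_alloc": ["for_head"],                 # newMag = new int[newMagLen]
    "for_head":   ["for_body", "sign_test"],
    "for_body":   ["for_head"],
    "hi_test":    ["hi_nonzero", "hi_zero"],
    "hi_nonzero": ["while_head"],               # newMag = new int[magLen - nInts]
    "hi_zero":    ["while_head"],               # newMag = new int[magLen - nInts - 1]
    "while_head": ["while_body", "sign_test"],
    "while_body": ["while_head"],
    "sign_test":  ["ones_head", "ret"],         # if (signum < 0)
    "ones_head":  ["ones_body", "ones_check"],
    "ones_body":  ["ones_head"],
    "ones_check": ["incr", "ret"],              # if (onesLost)
    "incr":       ["ret"],                      # newMag = javaIncrement(newMag)
    "ret":        [],                           # return new BigInteger(newMag, signum)
}
DEFS = {"entry", "copy_alloc", "hi_nonzero", "hi_zero", "incr"}  # blocks assigning newMag

def dominators(cfg):
    preds = {b: [p for p in cfg if b in cfg[p]] for b in cfg}
    dom = {b: set(cfg) for b in cfg}
    while True:  # shrink the sets until a fixed point is reached
        new = {b: {b} | (set.intersection(*(dom[p] for p in preds[b])) if preds[b] else set())
               for b in cfg}
        if new == dom:
            return dom, preds
        dom = new

def dominance_frontier(cfg):
    dom, preds = dominators(cfg)
    df = {b: set() for b in cfg}
    for y in cfg:
        for p in preds[y]:
            for x in dom[p]:                   # x dominates a predecessor of y
                if x == y or x not in dom[y]:  # but does not strictly dominate y
                    df[x].add(y)
    return df

def phi_blocks(cfg, defs):
    df, work, phis = dominance_frontier(cfg), list(defs), set()
    while work:
        for y in df[work.pop()] - phis:
            phis.add(y)      # a phi is itself a new definition,
            work.append(y)   # so its frontier is processed too
    return phis

print(sorted(phi_blocks(CFG, DEFS)))
```

On this model the block holding the final `return` is one of the merge points, which matches the report that a phi-node is expected there.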

