[Soot-list] Null pointer exception in Soot-transformed BigInteger

Phil Pratt-Szeliga pcpratts at chirrup.org
Sat Dec 22 10:52:12 EST 2012


Hi Daniel,

This is fixed in the develop branch on github. This bug in the SSA
code was fixed since the last release (2.5.0) of soot.

Phil Pratt-Szeliga
Syracuse University
http://chirrup.org/

On Wed, Dec 19, 2012 at 8:51 PM, Daniel Wainwright
<wainwright.daniel at gmail.com> wrote:
> Hi Phil,
>
> Thanks for your assistance. I can't reproduce the error exactly in a
> stand-alone test, but I can get a verifier error which seems to be caused by
> the same problem. I have attached a script; if you make this executable and
> run it, it will show that it executes correctly without processing through
> soot but has a verifier error when it is processed using shimple. Of course
> you will have to change the script to point to the locations of your soot
> and rt jars.
>
> In the generated shimple for the last line of the function it seems to use
> only one definition for the new array, instead of collecting each definition
> in a phi-node. The problem seems to be caused by the while loop; if I
> comment this out it appears to work fine.
>
> Daniel
>
>
> On 19 December 2012 03:28, Phil Pratt-Szeliga <pcpratts at chirrup.org> wrote:
>>
>> Hi Dan,
>>
>> Can you post a full example that can show me the bug if I run a
>> command named "run"? I will make a patch.
>>
>> Phil Pratt-Szeliga
>> Syracuse University
>> http://chirrup.org/
>>
>> On Mon, Dec 17, 2012 at 6:57 AM, Eric Bodden <eric.bodden at ec-spride.de>
>> wrote:
>> > Thanks for the detailed report.
>> >
>> > I wonder if the people who implemented Shimple are still around... I
>> > have personally never touched Shimple and don't feel quite qualified
>> > to fix this.
>> >
>> > Eric
>> >
>> > On 17 December 2012 07:35, Daniel Wainwright
>> > <wainwright.daniel at gmail.com> wrote:
>> >> Hi,
>> >>
>> >> I am using Soot to perform dynamic analysis on the JDK, and I am
>> >> experiencing a null-pointer exception after transforming the
>> >> java.math.BigInteger class. I have transformed this class with Soot with
>> >> none of my own transformations, only passing it through shimple. I then
>> >> execute it with the code
>> >>
>> >>         BigInteger num = BigInteger.valueOf(17);
>> >>         boolean b = num.isProbablePrime(50);
>> >>
>> >> which results in
>> >>
>> >> ---
>> >> Caused by: java.lang.NullPointerException
>> >>     at java.math.BigInteger.<init>(BigInteger.java:924)
>> >>     at java.math.BigInteger.shiftRight(BigInteger.java:2166)
>> >>     at java.math.BigInteger.passesMillerRabin(BigInteger.java:894)
>> >>     at java.math.BigInteger.primeToCertainty(BigInteger.java:739)
>> >>     at java.math.BigInteger.isProbablePrime(BigInteger.java:2474)
>> >>     at ProbablePrime.test(ProbablePrime.java:52)
>> >>     at ProbablePrime.main(ProbablePrime.java:47)
>> >>
>> >>
>> >> It appears that the array passed to the constructor is null, which does not
>> >> appear possible from the source code (the last line in this function is
>> >> BigInteger.java:2166):
>> >>
>> >>
>> >>     public BigInteger shiftRight(int n) {
>> >>         if (n==0)
>> >>             return this;
>> >>         if (n<0) {
>> >>             if (n == Integer.MIN_VALUE) {
>> >>                 throw new ArithmeticException("Shift distance of Integer.MIN_VALUE not supported.");
>> >>             } else {
>> >>                 return shiftLeft(-n);
>> >>             }
>> >>         }
>> >>
>> >>         int nInts = n >>> 5;
>> >>         int nBits = n & 0x1f;
>> >>         int magLen = mag.length;
>> >>         int newMag[] = null;
>> >>
>> >>         // Special case: entire contents shifted off the end
>> >>         if (nInts >= magLen)
>> >>             return (signum >= 0 ? ZERO : negConst[1]);
>> >>
>> >>         if (nBits == 0) {
>> >>             int newMagLen = magLen - nInts;
>> >>             newMag = new int[newMagLen];
>> >>             for (int i=0; i<newMagLen; i++)
>> >>                 newMag[i] = mag[i];
>> >>         } else {
>> >>             int i = 0;
>> >>             int highBits = mag[0] >>> nBits;
>> >>             if (highBits != 0) {
>> >>                 newMag = new int[magLen - nInts];
>> >>                 newMag[i++] = highBits;
>> >>             } else {
>> >>                 newMag = new int[magLen - nInts -1];
>> >>             }
>> >>
>> >>             int nBits2 = 32 - nBits;
>> >>             int j=0;
>> >>             while (j < magLen - nInts - 1)
>> >>                 newMag[i++] = (mag[j++] << nBits2) | (mag[j] >>> nBits);
>> >>         }
>> >>
>> >>         if (signum < 0) {
>> >>             // Find out whether any one-bits were shifted off the end.
>> >>             boolean onesLost = false;
>> >>             for (int i=magLen-1, j=magLen-nInts; i>=j && !onesLost; i--)
>> >>                 onesLost = (mag[i] != 0);
>> >>             if (!onesLost && nBits != 0)
>> >>                 onesLost = (mag[magLen - nInts - 1] << (32 - nBits) != 0);
>> >>
>> >>             if (onesLost)
>> >>                 newMag = javaIncrement(newMag);
>> >>         }
>> >>
>> >>         return new BigInteger(newMag, signum);
>> >>     }
>> >>
>> >>
>> >> Looking at the generated shimple (attached), it appears that there is a
>> >> phi-node missing from the final block in this function, which would be
>> >> needed to collect the different definitions of the array (r6).
>> >>
>> >> I am using Soot 2.5.0 and openjdk-7u6-fcs-src-b24-28_aug_2012. The command I
>> >> used to process the class with Soot was:
>> >>
>> >>
>> >>
>> >> HOST_CP=$LIB_DIR/sootclasses-2.5.0.jar:$LIB_DIR/jasminclasses-2.5.0.jar:$LIB_DIR/polyglotclasses-1.3.5.jar
>> >> java -Xmx6G -cp $HOST_CP:$1                 \
>> >>         soot.Main                           \
>> >>         -soot-class-path $TARGET_DIR        \
>> >>         -src-prec class                     \
>> >>         --via-shimple                       \
>> >>         -p sop enabled:true                 \
>> >>         -p stp enabled:true                 \
>> >>         -include-all                        \
>> >>         -exclude java.lang.invoke.          \
>> >>         -exclude java.security.             \
>> >>         -exclude java.lang.invoke.          \
>> >>         -exclude java.util.                 \
>> >>         -exclude java.io.                   \
>> >>         -exclude java.nio.                  \
>> >>         -exclude java.sql.                  \
>> >>         -exclude java.net.                  \
>> >>         -exclude java.applet.               \
>> >>         -exclude java.rmi.                  \
>> >>         -exclude java.text.                 \
>> >>         -exclude java.util.logging.         \
>> >>         -exclude com.                       \
>> >>         -exclude com.sun.corba.se.impl.encoding. \
>> >>         -exclude com.sun.org.apache.xml.internal.utils. \
>> >>         -exclude com.sun.org.apache.bcel.internal.classfile. \
>> >>         -exclude com.sun.org.apache.xerces.internal.impl.xpath.regex. \
>> >>         -exclude com.sun.security.ntlm.     \
>> >>         -exclude com.sun.xml.internal.ws.model. \
>> >>         -exclude com.sun.xml.internal.messaging.saaj.packaging.mime.internet. \
>> >>         -exclude com.sun.corba.se.impl.encoding. \
>> >>         -exclude javax.                     \
>> >>         -exclude javax.security.auth.       \
>> >>         -exclude org.                       \
>> >>         -exclude org.jcp.xml.dsig.internal.dom. \
>> >>         -exclude sun.                       \
>> >>         -exclude sun.awt.image.             \
>> >>         -exclude sun.net.www.               \
>> >>         -exclude sun.tools.jar.             \
>> >>         -exclude sun.rmi.server.            \
>> >>         -exclude sun.rmi.rmic.iiop.         \
>> >>         -exclude sun.text.normalizer.       \
>> >>         -exclude sun.print.                 \
>> >>         -exclude sunw.                      \
>> >>         -no-bodies-for-excluded             \
>> >>         -keep-line-number                   \
>> >>         -output-format S                    \
>> >>         -output-dir $OUTPUT_DIR             \
>> >>         -process-dir $TARGET_DIR
>> >>
>> >>
>> >> _______________________________________________
>> >> Soot-list mailing list
>> >> Soot-list at sable.mcgill.ca
>> >> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
>> >>
>> >
>> >
>> >
>> > --
>> > Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
>> > Head of Secure Software Engineering Group at EC SPRIDE
>> > Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
>> > Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
>> >
>> >
>
>
>
>
> --
> Regards,
>
> Daniel Wainwright
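
Added example (not part of the thread, not the attached script, and not Soot code): the phi sites that SSA construction must produce for the local `newMag` in the quoted `shiftRight`, computed with the standard iterated dominance frontier and compared against a tool's output. The CFG, its block names and the function names are assumptions constructed from the source quoted above.

```python
# Constructed, simplified CFG of BigInteger.shiftRight: early returns and the
# copy loop of the nBits == 0 branch are collapsed. Block names are hypothetical.
CFG = {
    "entry":       ["copy", "shift_test"],         # newMag = null; nBits == 0 ?
    "copy":        ["sign_test"],                  # newMag = new int[newMagLen]
    "shift_test":  ["alloc_full", "alloc_short"],  # highBits != 0 ?
    "alloc_full":  ["pre_while"],                  # newMag = new int[magLen - nInts]
    "alloc_short": ["pre_while"],                  # newMag = new int[magLen - nInts - 1]
    "pre_while":   ["while_head"],                 # nBits2, j = 0
    "while_head":  ["while_body", "sign_test"],
    "while_body":  ["while_head"],                 # array store only, no new definition
    "sign_test":   ["ones_lost", "ret"],           # signum < 0 ?
    "ones_lost":   ["increment", "ret"],
    "increment":   ["ret"],                        # newMag = javaIncrement(newMag)
    "ret":         [],                             # return new BigInteger(newMag, signum)
}
NEWMAG_DEFS = ["entry", "copy", "alloc_full", "alloc_short", "increment"]

def dominance_frontiers(cfg, entry):
    preds = {n: [p for p in cfg if n in cfg[p]] for n in cfg}
    dom = {n: {n} if n == entry else set(cfg) for n in cfg}
    changed = True
    while changed:  # iterate dominator sets to a fixed point
        changed = False
        for n in set(cfg) - {entry}:
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    # Immediate dominator: the strict dominator that itself has the most dominators.
    idom = {n: max(dom[n] - {n}, key=lambda d: len(dom[d])) for n in cfg if n != entry}
    df = {n: set() for n in cfg}
    for b in cfg:
        for p in preds[b]:  # walk up the dominator tree from each predecessor
            while p != idom[b]:
                df[p].add(b)
                p = idom[p]
    return df

def phi_sites(cfg, entry, def_blocks):
    """Iterated dominance frontier: blocks that need a phi for the variable."""
    df, sites, work = dominance_frontiers(cfg, entry), set(), list(def_blocks)
    while work:
        for b in df[work.pop()] - sites:
            sites.add(b)
            work.append(b)
    return sites

def missing_phis(emitted):
    """Required phi blocks for newMag that are absent from a tool's output."""
    return phi_sites(CFG, "entry", NEWMAG_DEFS) - set(emitted)
```

In this model the while loop only stores into the array, so it adds no phi site of its own; the required sites are `pre_while`, `sign_test` and `ret`, and `missing_phis` reports any of them that a generated SSA body lacks.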

