[Soot-list] Geometric PTA Possible Bug

Michael Gordon mgordon at mit.edu
Wed Apr 10 16:43:54 EDT 2013


Hello,

I think that I have found a bug in the Geometric PTA in
FullSensitiveNode.java.  In the code around line 140, it seems to be
pruning *this* pointer object sets.  The code checks to see if the
type of the this object can actually lead to the current method being
reached, and if not (some other method would be resolved in virtual
resolution), then it removes the type of the object from the PT set of
the this pointer.

The code calls Scene.v().getActiveHierarchy().resolveConcreteDispatch
to resolve the virtual method dispatch; however, this call will fail if
an appropriate method cannot be found.  There are cases where the
points-to set for a this pointer includes objects that do not define a
method that matches the signature of the method that contains this
pointer, and if this is the case, the PTA fails.

Here is an example with 2 classes:


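// Test.java
import java.util.Random;

public class Test {
    // Returns either this (a Test) or a plain Object, chosen at random,
    // so the returned value's points-to set holds both alloc nodes.
    public Object a() {
        Random ran = new Random();
        Object x;
        if (ran.nextBoolean())
            x = this;
        else
            x = new Object();

        return x;
    }

    public void q() {
        System.out.println("Q");
    }
}

// Another.java
public class Another {
    private static Test t;

    public static void main(String[] args) {
        // The cast lets the Object alloc node flow into t, and from there
        // into the this pointer of Test.q().
        t = (Test)((new Test()).a());
        t.q();
    }
}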

When the code in FullSensitiveNode.java tries to prune the this
pointer set for Test.q(), it has in its set both the allocnode of
Object from Test.a(), and the allocnode of Test in Another.main().
The code will call
Scene.v().getActiveHierarchy().resolveConcreteDispatch with args
Object and Test.q() since Object is the type of one of the alloc
nodes.  However, no method with the signature of q() is defined in
Object, so we have our error:

Exception in thread "main" java.lang.RuntimeException: could not resolve concrete dispatch!
Type: java.lang.Object
Method: <com.example.android.apis.os.Test: void q()>
at soot.Hierarchy.resolveConcreteDispatch(Hierarchy.java:513)
at soot.jimple.spark.geom.geomE.FullSensitiveNode.do_before_propagation(FullSensitiveNode.java:141)
at soot.jimple.spark.geom.geomPA.GeomPointsTo.solveConstraints(GeomPointsTo.java:761)
at soot.jimple.spark.geom.geomPA.GeomPointsTo.solve(GeomPointsTo.java:1058)
at soot.jimple.spark.SparkTransformer.internalTransform(SparkTransformer.java:188)
at soot.SceneTransformer.transform(SceneTransformer.java:39)

Seems like if resolveConcreteDispatch fails we also want to remove the
object from the this's points to set and continue analysis.

Is this a bug?  If so, what is the appropriate fix?

Best,
Michael



-- 
Michael Gordon, PhD
Research Scientist, MIT CSAIL
http://people.csail.mit.edu/mgordon
Program Head, MIT AITI
http://aiti.mit.edu
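
The pruning behaviour proposed in the message above, as an added toy model that is not part of the original post and is not Soot code: receiver classes stand in for alloc nodes, and Java reflection stands in for Hierarchy.resolveConcreteDispatch. The names ThisPruningDemo, SubTest, resolveOrNull and pruneThis are hypothetical, and the points-to set is constructed for the example.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

// Toy model (not Soot code): allocation-site types stand in for alloc nodes,
// and reflection stands in for Hierarchy.resolveConcreteDispatch.
public class ThisPruningDemo {
    static class Test { public void q() {} }
    static class SubTest extends Test { @Override public void q() {} }

    // Returns the method a virtual call to `target` would run on a receiver
    // of type `recv`, or null when `recv` cannot receive that call at all.
    static Method resolveOrNull(Class<?> recv, Method target) {
        if (!target.getDeclaringClass().isAssignableFrom(recv)) {
            return null; // e.g. java.lang.Object as receiver of Test.q()
        }
        try {
            return recv.getMethod(target.getName(), target.getParameterTypes());
        } catch (NoSuchMethodException e) {
            return null; // unresolvable dispatch is reported, not thrown
        }
    }

    // Keep only receiver types whose dispatch lands exactly on `target`.
    // A failed resolution prunes the type instead of aborting the analysis.
    static List<Class<?>> pruneThis(List<Class<?>> pts, Method target) {
        List<Class<?>> kept = new ArrayList<>();
        for (Class<?> recv : pts) {
            Method resolved = resolveOrNull(recv, target);
            if (resolved != null && resolved.equals(target)) {
                kept.add(recv);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        Method q = Test.class.getMethod("q");
        // Constructed points-to set for `this` in Test.q(): Object arrives
        // through the downcast, SubTest overrides q() and dispatches elsewhere.
        List<Class<?>> pts = List.of(Object.class, Test.class, SubTest.class);
        System.out.println(pruneThis(pts, q));
    }
}
```

Both the unresolvable Object entry and the overriding SubTest entry are dropped, leaving only Test in the pruned set.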