[Soot-list] Call Graph issues and advice needed

Henddher Pedroza hpedro2 at uic.edu
Wed Apr 24 11:00:12 EDT 2013


Hello all:

I am trying to obtain the most complete CFG there can be for Interprocedural analysis to use with Heros. I am analyzing Android apps.

*) cg.paddle does not seem to be complete. Apparently PaddleTransformer is missing:
Exception in thread "main" java.lang.RuntimeException: Could not find soot.jimple.paddle.PaddleTransformer. Did you include Paddle on your Java classpath?
	at soot.jimple.paddle.PaddleHook.instantiate(PaddleHook.java:51)
*) Neither cg.spark nor cg.cha seems to obey the "all-reachable:true" option.

I am using JimpleBasedInterproceduralCFG and it seems like the cg is not complete. I create this instance within the body of internalTransform of my SceneTransformer phase added to the "wjtp" pack. 

I have my own driver:
// command line: java -cp lib/soot.jar:bin/ -Xmx4000m -ea MyDriver -f J -d ./sootOutput/ -cp $APPCP -process-dir $APK -no-bodies-for-excluded -allow-phantom-refs -w -pp -src-prec apk -android-jars ../Documents/android-sdk-macosx/platforms/ -ire -p cg all-reachable:true -p cg.spark enabled:true

// MyDriver.java
import java.util.Arrays;

import soot.PackManager;
import soot.Scene;
import soot.Transform;
import soot.options.Options;

public class MyDriver {
  // addMyEntryPointsTo(...) and MyAnalysis (a SceneTransformer) are defined elsewhere
  public static void main(String[] args) {
    Options.v().parse(Arrays.copyOf(args, args.length));
    Scene.v().loadNecessaryClasses();
    addMyEntryPointsTo(Scene.v().getEntryPoints()); // here I add my entry points because "all-reachable:true" seems to do nothing
    PackManager.v().getPack("wjtp").add(new Transform("wjtp.ifds", new MyAnalysis()));
    PackManager.v().runPacks();
  }
}

Any advice on how I should instruct Soot to create the CG for interprocedural analysis?

I am experiencing multiple problems:

1. When I query all the callers (callsites) of a given callee method, I get an empty set (i.e. cg.getCallersOf(callee).isEmpty() is true). But, if I specify one of the known callers (i.e. knownCallerSootMethod) as an entry point (Scene.v().getEntryPoints().add(knownCallerSootMethod)), then cg.getCallersOf(callee) returns the callsite unit where my callee is invoked. The fact that I have to add knownCallerSootMethod to entry points tells me that the knownCallerSootMethod is not an entry point automatically found by Soot even though it is an entry point for an Android app (aka Activity.onCreate(Bundle)). Doesn't Soot know the standard entry points for Android apps when the -src-prec option is "apk"?
And, why does "all-reachable:true" option seem to do nothing in my case?

2. The cg constructed seems to be incomplete even when I choose .class file analysis instead of .apk. IOW, cg.getCallersOf(callee) returns empty even when I use -src-prec class AND add the android-platform path (not stubs) to soot classpath. 

3. For some apps (.apk), the construction of the cg fails with an NPE depending on which entry points I explicitly add. Note that my command line specifies "cg.spark" (a), but similar results (NPE) are produced when I use cg.cha (b).

a)
Exception in thread "main" java.lang.NullPointerException
	at soot.SootMethod.getBodyFromMethodSource(SootMethod.java:89)
	at soot.SootMethod.retrieveActiveBody(SootMethod.java:322)
	at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.processNewMethod(OnFlyCallGraphBuilder.java:532)
	at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.processReachables(OnFlyCallGraphBuilder.java:427)
	at soot.jimple.spark.solver.OnFlyCallGraph.build(OnFlyCallGraph.java:55)
	at soot.jimple.spark.builder.ContextInsensitiveBuilder.build(ContextInsensitiveBuilder.java:77)
	at soot.jimple.spark.SparkTransformer.internalTransform(SparkTransformer.java:84)
	at soot.SceneTransformer.transform(SceneTransformer.java:39)
b)
Exception in thread "main" java.lang.NullPointerException
	at soot.SootMethod.getBodyFromMethodSource(SootMethod.java:89)
	at soot.SootMethod.retrieveActiveBody(SootMethod.java:322)
	at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.processNewMethod(OnFlyCallGraphBuilder.java:532)
	at soot.jimple.toolkits.callgraph.OnFlyCallGraphBuilder.processReachables(OnFlyCallGraphBuilder.java:427)
	at soot.jimple.toolkits.callgraph.CallGraphBuilder.build(CallGraphBuilder.java:84)
	at soot.jimple.toolkits.callgraph.CHATransformer.internalTransform(CHATransformer.java:43)
	at soot.SceneTransformer.transform(SceneTransformer.java:39)
	at soot.Transform.apply(Transform.java:89)
	at soot.RadioScenePack.internalApply(RadioScenePack.java:57)
	at soot.jimple.toolkits.callgraph.CallGraphPack.internalApply(CallGraphPack.java:49)
	at soot.Pack.apply(Pack.java:114)

Any suggestion is welcome.

- Henddher
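The driver below is an added example and is not part of the original post nor of the Soot project; it shows the pattern the post is asking about, i.e. configuring Soot from code instead of the command line, seeding Scene.getEntryPoints() explicitly with an Activity lifecycle method, and then querying the callers of a method both through the raw CallGraph built by the cg pack and through the Heros wrapper JimpleBasedInterproceduralCFG.getCallersOf(). The APK path, the android-jars directory, the class names and the method names are hypothetical placeholders; the `isConcrete()`/`isApplicationClass()` guard on candidate entry points is added practitioner caution, not a diagnosis of the NPE reported above.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import soot.PackManager;
import soot.Scene;
import soot.SceneTransformer;
import soot.SootClass;
import soot.SootMethod;
import soot.Transform;
import soot.Unit;
import soot.jimple.toolkits.callgraph.CallGraph;
import soot.jimple.toolkits.callgraph.Edge;
import soot.jimple.toolkits.ide.icfg.JimpleBasedInterproceduralCFG;
import soot.options.Options;

/** Added example: configure Soot in code, seed explicit entry points, then query callers. */
public class CallerQueryDriver {

    // Hypothetical inputs (not from the post): an APK, the platforms directory of an
    // Android SDK, the lifecycle method to start from and the callee to look up.
    static final String APK = "app.apk";
    static final String ANDROID_JARS = "/path/to/android-sdk/platforms";
    static final String ENTRY_CLASS = "com.example.app.MainActivity";
    static final String ENTRY_SUBSIG = "void onCreate(android.os.Bundle)";
    static final String CALLEE_CLASS = "com.example.app.Helper";
    static final String CALLEE_NAME = "doWork";

    public static void main(String[] args) {
        Options o = Options.v();
        o.set_src_prec(Options.src_prec_apk);                // -src-prec apk
        o.set_process_dir(Collections.singletonList(APK));   // -process-dir
        o.set_android_jars(ANDROID_JARS);                    // -android-jars
        o.set_whole_program(true);                           // -w
        o.set_allow_phantom_refs(true);                      // -allow-phantom-refs
        o.set_no_bodies_for_excluded(true);                  // -no-bodies-for-excluded
        o.set_output_format(Options.output_format_none);     // we only query, no output files
        o.setPhaseOption("cg.spark", "on");                  // -p cg.spark enabled:true

        Scene.v().loadNecessaryClasses();

        // The call-graph builders expand from Scene.getEntryPoints(); seed it explicitly
        // with the lifecycle method instead of relying on Soot's default main() discovery.
        Scene.v().setEntryPoints(entryPoints());

        PackManager.v().getPack("wjtp").add(new Transform("wjtp.callers", new SceneTransformer() {
            @Override
            protected void internalTransform(String phaseName, Map<String, String> options) {
                // Runs after the cg pack, so the call graph exists at this point.
                SootMethod callee = Scene.v().getSootClass(CALLEE_CLASS).getMethodByName(CALLEE_NAME);
                reportCallers(callee);
            }
        }));
        PackManager.v().runPacks();
    }

    /** Collects the entry points, skipping anything the on-the-fly builder cannot expand. */
    static List<SootMethod> entryPoints() {
        List<SootMethod> eps = new ArrayList<SootMethod>();
        SootClass c = Scene.v().getSootClass(ENTRY_CLASS);
        SootMethod m = c.getMethod(ENTRY_SUBSIG);
        // Added guard: only a concrete method of an application class has a body to retrieve.
        if (m.isConcrete() && c.isApplicationClass()) {
            eps.add(m);
        } else {
            System.err.println("skipping " + m.getSignature() + ": not concrete or not an application class");
        }
        return eps;
    }

    /** Prints the callers of `callee` from the raw call graph and from the Heros ICFG. */
    static void reportCallers(SootMethod callee) {
        // Way 1: edges of the call graph the cg pack built (Spark here).
        CallGraph cg = Scene.v().getCallGraph();
        for (Iterator<Edge> it = cg.edgesInto(callee); it.hasNext(); ) {
            Edge e = it.next();
            System.out.println("cg edge: " + e.src().getSignature() + " @ " + e.srcUnit()
                    + " kind=" + e.kind());
        }
        // Way 2: the wrapper the post queries; it reads the same Scene call graph.
        JimpleBasedInterproceduralCFG icfg = new JimpleBasedInterproceduralCFG();
        Collection<Unit> callSites = icfg.getCallersOf(callee);
        System.out.println("icfg call sites of " + callee.getSignature() + ": " + callSites.size());
        for (Unit u : callSites) {
            System.out.println("  " + icfg.getMethodOf(u).getSignature() + " : " + u);
        }
    }
}
```

Run it with soot.jar (and Heros, which JimpleBasedInterproceduralCFG depends on) on the classpath; since all options are set in code, no command-line arguments are needed. If the cg-edge loop prints callers but getCallersOf() is empty, the two views disagree and the ICFG construction is the place to look; if both are empty, the callee was never reached from the seeded entry points.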

