[Soot-list] [bug report] missing case in tableswitch

Bodden, Eric eric.bodden at sit.fraunhofer.de
Mon Dec 16 03:12:06 EST 2013 

Thanks a lot!

Just for the record, this should be fixed by now.

Cheers,
Eric

On 05.12.2013, at 22:28, Dacong (Tony) Yan <yan.379 at osu.edu> wrote:

> Hi,
> 
> The current version of Soot seems to miss the last non-default case in a tableswitch code block. This problem and its triggering test case were originally found by Shengqian Yang (cc'ed in this email).
> 
> To trigger the bug, here's a simple test case:
> 
> class A {
>   int f(int i) {
>     switch(i) {
>       case 1: return 1;
>       case 2: return 2;
>       case 3: return 3;
>       default: return -1;
>     }
>   }
> }
> 
> Bytecode:
> 
>    int f(int);
>        0: iload_1       
>        1: tableswitch   { // 1 to 3
>                      1: 28
>                      2: 30
>                      3: 32
>                default: 34
>           }
>       28: iconst_1      
>       29: ireturn       
>       30: iconst_2      
>       31: ireturn       
>       32: iconst_3      
>       33: ireturn       
>       34: iconst_m1     
>       35: ireturn
> 
> Jimple:
> 
>     int f(int)
>     {   
>         A r0; 
>         int i0; 
> 
>         r0 := @this: A;
>         i0 := @parameter0: int;
>         tableswitch(i0)
>         {
>             case 1: goto label0;
>             case 2: goto label1;
>             default: goto label3;
>         };
> 
>      label0:
>         return 1;
> 
>      label1:
>         return 2;
> 
>      label2:
>         return 3;
> 
>      label3:
>         return -1;
>     }
> 
> The "case 3" branch is missing in Jimple. Commit <https://github.com/Sable/soot/commit/71ffb6130ad1ed9daffa1d7e20a75453e74c3ebc> seems to be the root cause. Here's part of relevant diffs:
> 
> -        for(int i = lowIndex; i <= highIndex; i++)
> +        for(int i = lowIndex; i < highIndex; i++)
>          { ... }
> +        // in the for loop above, we cannot use "<=" since 'i' would wrap around
> +        if (highIndex == Integer.MAX_VALUE) {
> +          buffer.append("    case " + highIndex + ": goto " + 
> +                    getTarget(highIndex - lowIndex) + ";" 
> +                              + endOfLine);
> +        }
> 
> The case when "i == highIndex" is considered only if "highIndex == Integer.MAX_VALUE". lowIndex and highIndex (inclusive) are indices into the switch table. For the above example, lowIndex is 1 and highIndex is 3.
> 
> To fix the bug, the body of if-statement should be executed unconditionally.
> 
> Thanks,
> Tony
> 
> -- 
> Dacong (Tony) Yan
> Ph.D. Student
> Computer Science and Engineering
> The Ohio State University, Columbus
> http://www.cse.ohio-state.edu/~yan
> _______________________________________________
> Soot-list mailing list
> Soot-list at sable.mcgill.ca
> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list

--
Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
Head of Secure Software Engineering  at Fraunhofer SIT, TU Darmstadt and EC SPRIDE
Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.cs.mcgill.ca/pipermail/soot-list/attachments/20131216/fbfa7ca8/attachment.bin

More information about the Soot-list mailing list