[Soot-list] spark points to analysis

salim bansal salim.bansal at gmail.com
Mon Feb 25 20:29:35 EST 2013


Thanks a lot for the reply, Eric.
I am trying to build a call graph for Android apps.
For that I have created a class with a main method that calls relevant
methods like
onCreate, onStart()... of the launcher activity class of the app. This
main method is the entry point for Soot.
Then I run the Spark points-to analysis. When it is finished, I go through all
the methods of the app looking for statements
like a.method1() and add an edge from this statement to method1() of all
the possible types that can be pointed to by 'a'.
But as there are lots of callbacks involved, a lot of code is unreachable
from the custom entry point (the main class). So I think when I execute

Scene.v().getPointsToAnalysis().reachingObjects(<local pointing to a>).possibleTypes()

on code that was unreachable from the main method, I get an empty set. Is
that correct?
Also, when I encounter a callback registration site like
src.register(listener), I add edges to the call graph from this statement to all
the methods in the 'listener' class. But this happens after Spark is run, and
now, though the call graph covers the callback code, the points-to set
is still empty for the code that was unreachable from the main method
before Spark was run.
Is my understanding correct? Is there a better/correct way to build the
complete call graph considering all the callbacks present in Android apps?


On Mon, Feb 25, 2013 at 3:52 AM, Eric Bodden <eric.bodden at ec-spride.de> wrote:

> Salim, can you post the full code of the example you are analyzing?
>
> Eric
>
> On 25 February 2013 07:58, salim bansal <salim.bansal at gmail.com> wrote:
> > I am using the Spark points-to analysis and have the following options, along with
> > whole-program mode and Spark enabled:
> >
> >         opt.put("propagator","worklist");
> >         opt.put("set-impl","double");
> >         opt.put("double-set-old","hybrid");
> >         opt.put("double-set-new","hybrid");
> >         opt.put("cs-demand","true");
> >         opt.put("on-fly-cg","true");
> >         opt.put("ignore-types","false");
> >         opt.put("passes","100");
> > But for the following source code:
> >           SuperClass a = new SubClass();
> >
> > ...
> > ...
> > ...
> >
> > a.method1();
> >
> > method1() is overridden in SubClass. And 'a' can be either a method-local
> > variable or a class variable.
> > But when I do
> >
> > Scene.v().getPointsToAnalysis().reachingObjects(<local pointing to a>).possibleTypes()
> >
> > it is either empty or has just one value, SuperClass, instead of SubClass.
> > Is there something wrong with the way I am using the Spark points-to analysis?
> >
>
> --
> Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
> Head of Secure Software Engineering Group at EC SPRIDE
> Tel: +49 6151 16-75422    Fax: +49 6151 16-72051
> Room 3.2.14, Mornewegstr. 30, 64293 Darmstadt
>
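
Added example, not part of the original message or of Soot's own code: a diagnostic for the question above that walks every instance call site in the application classes and separates empty points-to sets in methods Spark never reached from empty sets in reachable code. It assumes Soot is on the classpath and that the "cg" pack has already run in whole-program mode with Spark enabled; the class name EmptyPointsToReport and the method report() are hypothetical.

```java
import java.util.ArrayList;
import soot.Local;
import soot.PointsToAnalysis;
import soot.PointsToSet;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.Unit;
import soot.Value;
import soot.jimple.InstanceInvokeExpr;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.ReachableMethods;

// Hypothetical helper (added example). Assumes the "cg" pack has already
// run with Spark enabled, so the Scene holds a call graph and points-to data.
public class EmptyPointsToReport {

    // Returns {empty sets in unreachable methods, empty sets in reachable methods}.
    public static int[] report() {
        PointsToAnalysis pta = Scene.v().getPointsToAnalysis();
        ReachableMethods reachable = Scene.v().getReachableMethods();
        int[] empty = new int[2];
        // Copy the collections so that loading bodies cannot disturb iteration.
        for (SootClass c : new ArrayList<>(Scene.v().getApplicationClasses())) {
            for (SootMethod m : new ArrayList<>(c.getMethods())) {
                if (!m.isConcrete()) continue;
                boolean reached = reachable.contains(m);
                for (Unit u : m.retrieveActiveBody().getUnits()) {
                    Stmt s = (Stmt) u;
                    if (!s.containsInvokeExpr()
                            || !(s.getInvokeExpr() instanceof InstanceInvokeExpr)) continue;
                    // Receiver of a call such as a.method1()
                    Value base = ((InstanceInvokeExpr) s.getInvokeExpr()).getBase();
                    if (!(base instanceof Local)) continue;
                    PointsToSet pts = pta.reachingObjects((Local) base);
                    if (!pts.isEmpty()) continue;
                    empty[reached ? 1 : 0]++;
                    System.out.println((reached ? "REACHABLE   " : "UNREACHABLE ")
                            + m.getSignature() + " : " + s);
                }
            }
        }
        return empty;
    }
}
```

If every reported call site is tagged UNREACHABLE, the empty sets belong to methods that were outside the set reachable from the entry points when Spark ran.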