[Soot-list] Need your value-based data-flow analyses

Marc-André Laverdière-Papineau marc-andre.laverdiere-papineau at polymtl.ca
Wed May 1 08:11:25 EDT 2013 

Hello Elena,

I have an information flow analysis that sorta works - I don't have good 
handling for instance fields yet. And it is implemented in Scala using 
Heros.

The good news is that it is very modular, relying on user-supplied 
functions to determine whether it gens a fact, and the like.

To give you a taste, this is what one of my functions looks like:

override def getNormalFlowFunction(src: SootUnit, dest: SootUnit): 
FlowFunction[Value] = {

   if (src.isInstanceOf[DefinitionStmt] && detectionFn.apply(src)) {
     foundSet +=  src
   }
   if (src.isInstanceOf[DefinitionStmt] && genPredicate.apply(src)) {
     return new Gen[Value]((src.asInstanceOf[DefinitionStmt]).getLeftOp, 
zero)
   }
   if (src.isInstanceOf[AssignStmt]) {
     val assignStmt: AssignStmt = src.asInstanceOf[AssignStmt]
     var right: Value = assignStmt.getRightOp
     val left: Value = assignStmt.getLeftOp
     if (right.isInstanceOf[CastExpr]) {
       right = (right.asInstanceOf[CastExpr]).getOp
     }
     if (!(right.isInstanceOf[NewExpr] || right.isInstanceOf[Constant] 
|| right.isInstanceOf[LengthExpr] || right.isInstanceOf[BinopExpr])) {
       return new PTATransferFunction(right, left)
     }
   }
   Identity.v()
}

Tell me if you're hungry for more :)

It sounds like you'd be going for an IDE function though, as the domain 
is suited for this kind of representation.

Of course, you can go full circle and have you own bit vector to handle 
those combinations...

Marc-André Laverdière-Papineau
Doctorant - PhD Candidate

On 04/30/2013 01:22 PM, Elena Sherman wrote:
> Greetings,
>
> I'm looking at an easier way to implement on-the-fly transfer functions
> for an abstract domain which is the power set of disjointed domain
> partitions.
>
> For example, if disjointed partitions are {minus, zero, plus}, where
> {minus} correspond to the set of concrete values that are less than 0,
> plus -- more than zero and, zero is {0}, then the abstract domain
> contains all possible combinations of those partitions -- 8 of them, i.e.,
> {{}, {minus}, {zero}, {plus}, {minus, zero}, …, {minus,zero,plus}}
>
> So, for add (+) instruction one have to create/encode 8*8 transfer
> function, i.e.,
> {} + {plus} -> {}
> {plus} + {minus,plus} -> {minus,zero,plus}
> and so on, to account for all possible values of abstract values on the
> left hand side and the right hand side of +.
>
> My idea is to utilize a solver that would help with generating those
> transfer functions. In order to see if this approach is useful I would
> like to ask if you can share implementations of your transfer functions
> with me that you've designed for some analysis. It is great if you have
> something big and complicated, but it does have to be -- something that
> you might have done for a class project would work just fine.
>
> Thank you!
> Elena
>
>
>
> _______________________________________________
> Soot-list mailing list
> Soot-list at sable.mcgill.ca
> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
>

More information about the Soot-list mailing list