[Soot-list] Help with NPE PointsToAnalysis.reachingObjects(Context, Local) using Heros/Spark+Geom

Richard Xiao richardxx at cse.ust.hk
Tue May 21 01:00:41 EDT 2013


Basically, your problem is really involved, because you update an object
field, and there are rare cases in which performing a strong update on an
object field is sound. Heap analysis or shape analysis aims at creating a
precise model of heap fields. As far as I know, there is no good heap
analysis package working for Soot.

Therefore, I suggest you look at the return values of "doSomethingElse"
instead, which is a good approximation.

But of course, Eric, do you have a better idea by piggybacking on Heros?


Cheers,
Xiao



On Mon, May 20, 2013 at 11:34 PM, Henddher Pedroza <hpedro2 at uic.edu> wrote:

> Thank you very much Richard,
>
> Given that I am using Heros (flow-sensitive and context-sensitive), what
> would be a suitable points-to-analysis for the case I am interested
> (this.dummy field)?
>
> - Henddher
>
>
> On May 20, 2013, at 10:10 AM, Richard Xiao <richardxx at cse.ust.hk> wrote:
>
> Hi, Pedroza:
>
> Yes, your usage is wrong. Context means callsite in the current
> implementation of Geom PTA. And in Spark, the context version of
> reachingObjects is not supported.
>
> You cannot observe the changes before/after the assignment with a
> flow-insensitive points-to analysis, because the points-to results for the
> pointer before/after the assignment are the same. You can only inspect what
> is returned by "doSomethingElse".
>
> Cheers,
> Xiao
>
>
>
> On Mon, May 20, 2013 at 10:30 PM, Henddher Pedroza <hpedro2 at uic.edu> wrote:
>
>> Thank you Richard,
>>
>> So I am using reachingObjects incorrectly in this case? (because I am
>> using the wrong statement?)
>> (Thus far, I am experimenting with every possible 'reachingObjects' call
>> to see what I get back and it seems like in this particular stmt the use is
>> invalid, right?)
>>
>> In reality I am trying to get points-to-analysis for fields of
>> instances: this.dummy
>>
>> I want to see what a field may be pointing to whenever an assignment
>> involves that field. IOW, whenever there's a stmt with a field being set
>> or being retrieved, I want to see what the field may point to before/after
>> the assignment.
>> Is such a thing possible?
>>
>> Thanks
>>
>> On May 20, 2013, at 9:03 AM, Richard Xiao <richardxx at cse.ust.hk> wrote:
>>
>> Hi, Pedroza:
>>
>> The first argument of "reachingObjects" is the callsite that invokes the
>> enclosing method of the second argument. For your case, context should be
>> the statement "anObj.doSomething();". Please try again.
>>
>> Cheers,
>> Xiao
>>
>>
>>
>> On Mon, May 20, 2013 at 9:48 PM, Henddher Pedroza <hpedro2 at uic.edu> wrote:
>>
>>> Hello,
>>>
>>> Any suggestions?
>>>
>>>
>>> On May 17, 2013, at 10:58 AM, Henddher Pedroza <hpedro2 at uic.edu> wrote:
>>>
>>> Hello all:
>>>
>>> Using Heros in combination with SPARK w/Geom (*), I am getting an NPE in
>>> CallGraph.findEdge(Unit, SootMethod) @ line 123 called from
>>> GeomPointsTo.reachingObjects(Context, Local) @ line 1504:
>>>
>>> (*) cmd-line options:
>>> -p cg all-reachable:true,verbose:true,safe-forname:true,safe-newinstance:true
>>> -p cg.spark enabled:true,verbose:true,geom-pta:true,geom-eval:2
>>>
>>> GeomPointsTo.reachingObjects(Context, Local):
>>> 1504: Edge e = Scene.v().getCallGraph().findEdge((Unit)c, callee);
>>>
>>> CallGraph.findEdge(Unit, SootMethod):
>>>     Edge findEdge( Unit u, SootMethod callee )
>>>     {
>>>     Edge e = srcUnitToEdge.get(u);
>>> 123:  while ( e.srcUnit() == u && // <<<< NPE, e is null
>>>
>>> For my test, I am using one explicit entry point, discarding all default
>>> entry-points configured by Soot.
>>> My entry-point is a static method (staticFakeEntryPoint) which
>>> instantiates one obj of the class I am testing. Then, in my interesting
>>> method doSomething(), I perform a field assignment and request
>>> PointsToAnalysis.reachingObjects(Context, Local) (see "<<<<" below).
>>> Context is the current statement "stmt" (r0.<MyClass: java.lang.String
>>> dummy> = $r3) and Local is "r0" (obtained
>>> through stmt.getDefBoxes().getValue().getBase() more or less)
>>>
>>> class MyClass {
>>>    String dummy;
>>>    static void staticFakeEntryPoint() {
>>>       MyClass anObj = new MyClass();
>>>       anObj.doSomething();
>>>    }
>>>    void doSomething() {
>>>      // jimple: r0.<MyClass: java.lang.String dummy> = $r3
>>>      this.dummy = doSomethingElse(); // <<<<
>>>    }
>>>    // Body not shown in the post; placeholder so the class compiles.
>>>    String doSomethingElse() { return "placeholder"; }
>>> }
>>>
>>> Am I incorrectly using pointsToAnalysis.reachingObjects(Context, Local)
>>> or incorrectly configuring Spark?
>>>
>>> Why would srcUnitToEdge be lacking that edge?
>>>
>>> Any help is appreciated.
>>>
>>> - Henddher
>>>
>>>
>>>
>>> _______________________________________________
>>> Soot-list mailing list
>>> Soot-list at sable.mcgill.ca
>>> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
>>>
>>>
>>
>>
>> --
>> Richard Xiao Xiao
>> PhD Student @ CSE @ Hong Kong University of Science and Technology
>> www.cse.ust.hk/~richardxx


-- 
Richard Xiao Xiao
PhD Student @ CSE @ Hong Kong University of Science and Technology
www.cse.ust.hk/~richardxx
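
The three queries discussed in this thread, as an added example that is not code from the original posts or from the Soot project: the flow-insensitive field set, the set written by one particular store (the right-hand side that holds the return value of "doSomethingElse"), and the context-sensitive query with a call site as context. It assumes Soot is on the classpath and the call graph was built with the cg.spark options quoted above; the class and method names `FieldStoreReport` and `report` are hypothetical.

```java
import java.util.Iterator;

import soot.Context;
import soot.Local;
import soot.PointsToAnalysis;
import soot.PointsToSet;
import soot.Scene;
import soot.SootMethod;
import soot.Unit;
import soot.Value;
import soot.jimple.AssignStmt;
import soot.jimple.InstanceFieldRef;
import soot.jimple.Stmt;
import soot.jimple.toolkits.callgraph.Edge;

/** Hypothetical helper; call it from a whole-program transform that runs after cg.spark. */
public final class FieldStoreReport {

    public static void report(SootMethod enclosing, Stmt stmt) {
        // Only handle stores of the form base.field = local (e.g. r0.dummy = $r3).
        if (!(stmt instanceof AssignStmt)) return;
        Value lhs = ((AssignStmt) stmt).getLeftOp();
        Value rhs = ((AssignStmt) stmt).getRightOp();
        if (!(lhs instanceof InstanceFieldRef) || !(rhs instanceof Local)) return;
        InstanceFieldRef ref = (InstanceFieldRef) lhs;
        if (!(ref.getBase() instanceof Local)) return;
        Local base = (Local) ref.getBase();

        PointsToAnalysis pta = Scene.v().getPointsToAnalysis();

        // Flow-insensitive: one set for the field, identical before and after the store.
        PointsToSet fieldPts = pta.reachingObjects(base, ref.getField());
        System.out.println("field (any program point): " + fieldPts.possibleTypes());

        // What this particular store writes: the points-to set of the right-hand side.
        PointsToSet storedPts = pta.reachingObjects((Local) rhs);
        System.out.println("stored by " + stmt + ": " + storedPts.possibleTypes());

        // Context-sensitive query: the context is a call site of the enclosing
        // method, taken from the call graph, not the field store itself.
        Iterator<Edge> callers = Scene.v().getCallGraph().edgesInto(enclosing);
        while (callers.hasNext()) {
            Unit callSite = callers.next().srcUnit();
            if (callSite == null) continue; // defensive: edge without a source statement
            PointsToSet basePts = pta.reachingObjects((Context) callSite, base);
            System.out.println("base at " + callSite + ": " + basePts.possibleTypes());
        }
    }
}
```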