[Soot-list] Use SOOT to analyse Java library.

Bodden, Eric eric.bodden at sit.fraunhofer.de
Fri Apr 10 01:44:36 EDT 2015


Hi Christian.

> How do I get SOOT to load & parse (so I can get Jimple bodies) for say the entire java 1.x library.
> 
> Do I have to supply SOOT with the classes (or source code) as arguments in the call to Main.main(args) (see code below)?
> 
> Do I have to create a main class to get it to work? Or can SOOT analyze all classes I provide as arguments to Main.main(args) call without a main class & method?

This really depends on what you want to do. If you want to do intra-procedural analysis then it should be “just” a matter of giving Soot the right command line to parse all the classes faithfully. I have a PhD student who is currently analyzing the JDK for vulnerabilities and I have asked him to provide more info on which command line he uses.

If you want to do inter-procedural analysis then it’s more tricky. The problem is that you need a call graph and this, in turn, requires some entry points. You can use "-p cg all-reachable:true" to instruct Soot to consider _all_ methods as entry points during call-graph construction. If you combine this with using CHA then this should typically give you a call graph that is sound but may be very imprecise. We are currently working towards more precise analyses of libraries but it’s a hard problem to solve.

Best wishes,
Eric
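
The two setups described in the reply above, written against Soot's Java API as an added example; it is not code from the original message or from the Soot project. The class name `LibraryAnalysis`, the argument layout, and the printed counts are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import soot.PackManager;
import soot.Scene;
import soot.SootClass;
import soot.SootMethod;
import soot.options.Options;

// Hypothetical driver class; no main class is required in the analysed library itself.
public class LibraryAnalysis {
    public static void main(String[] args) {
        // Assumed arguments: args[0] = library jar or class directory, args[1] = "cg" (optional).
        String libraryPath = args[0];
        boolean interProcedural = args.length > 1 && "cg".equals(args[1]);

        // Treat every class found under libraryPath as an application class.
        Options.v().set_process_dir(Collections.singletonList(libraryPath));
        Options.v().set_prepend_classpath(true);   // resolve remaining types from the running JVM
        Options.v().set_allow_phantom_refs(true);  // tolerate references that cannot be resolved

        if (interProcedural) {
            Options.v().set_whole_program(true);
            // Every method becomes an entry point, as in "-p cg all-reachable:true".
            Options.v().setPhaseOption("cg", "all-reachable:true");
            // CHA: sound for a library, but potentially very imprecise.
            Options.v().setPhaseOption("cg.cha", "enabled:true");
        }

        Scene.v().loadNecessaryClasses();

        if (interProcedural) {
            PackManager.v().getPack("cg").apply();
            System.out.println("call graph edges: " + Scene.v().getCallGraph().size());
            return;
        }

        // Intra-procedural: build a Jimple body for each concrete method.
        // Copy the collections first, because resolving bodies can add classes to the Scene.
        int bodies = 0;
        for (SootClass c : new ArrayList<>(Scene.v().getApplicationClasses())) {
            for (SootMethod m : new ArrayList<>(c.getMethods())) {
                if (m.isConcrete()) {
                    m.retrieveActiveBody();
                    bodies++;
                }
            }
        }
        System.out.println("Jimple bodies built: " + bodies);
    }
}
```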