[Soot-list] JNewExpr and JSpecialInvokeExpr pairs

Nouraldin I. Jaber njaber at purdue.edu
Mon Feb 2 01:34:12 EST 2015


Hi Eric,

Thanks for the fast and useful reply. What I'm trying to do is the following: I take bytecode as an input for a class, say A, convert that to Jimple and clone its SootClass to A_copy, then modify the copy's allocation site to be of another type.

class A {
    B b = new B();
}

to 

class A_copy extends A {
    B_copy b = new B_copy();
}

I did the cloning and used the Chain returned from "importBodyContentsFrom(Body b)" to get the statements "$r1 = new B;" and "specialinvoke $r1.<init>();". I can make my way to the first one since I run Paddle first and collect information about newly created sites. As for the second one, I can use $r1 to get it using Paddle as well, but I thought I could use the AST for that.

But since only assignments are allowed, I could even use simpler logic, tracing down and comparing locals until I hit the invoke stmt. And "by experiment" I concluded there is no NewExpr without a call to the constructor.

Here is some Jimple code generated from some Java library classes:

Within <sun.nio.ch.EPollArrayWrapper: void <clinit>()> in class sun.nio.ch.EPollArrayWrapper
$r1 = new sun.security.action.GetIntegerAction
$i0 = <sun.nio.ch.EPollArrayWrapper: int OPEN_MAX>
$i7 = staticinvoke <java.lang.Math: int min(int,int)>($i0, 65536)
specialinvoke $r1.<sun.security.action.GetIntegerAction: void <init>(java.lang.String,int)>("sun.nio.ch.maxUpdateArraySize", $i7)


Within <sun.nio.fs.UnixException: java.lang.String errorString()> in class sun.nio.fs.UnixException
$r3 = new java.lang.String
$i0 = virtualinvoke r0.<sun.nio.fs.UnixException: int errno()>()
$r4 = staticinvoke <sun.nio.fs.UnixNativeDispatcher: byte[] strerror(int)>($i0)
specialinvoke $r3.<java.lang.String: void <init>(byte[])>($r4)


And since I'm using "importBodyContentsFrom", I noticed that, for some reason, even if I only cloned the body of a function and printed it, some information is missing. For example, cloning this Jimple body:

    void <init>()
    {
        TestConstructorCalls r0;

        r0 := @this: TestConstructorCalls;
        specialinvoke r0.<TestConstructorCalls: void <init>(java.lang.String)>("");
        return;
    }

will produce this:

    void <init>()
    {
        TestConstructorCalls r0;

        r0 := @this;
        specialinvoke r0.<init>(""); //not clear anymore if it's a call for a local constructor or some other super class constructor. 
        return;
    }

Now I know that as long as the program is running I can still get the missing info from the Values' types, but the thing is, the cloned Jimple can't be an input to Soot anymore ("I tried to input that and the Lexer keeps complaining").

Sorry for this long reply.

Kind regards :)

Nour
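Since the thread settles on tracing locals forward from the NewExpr assignment to the matching <init> call, here is that trace written out against the Soot API, as an added example (not code from this thread, from Nour or Eric, or from the Soot project). It assumes a Soot release whose BodyTransformer.internalTransform takes Map<String, String> options, and that the allocation and its constructor call lie on one straight-line path, which is what javac-generated bytecode gives you; the phase name jtp.allocpairs is a hypothetical choice, and the TestConstructorCalls class name in the usage comment is taken from the thread.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import soot.Body;
import soot.BodyTransformer;
import soot.Local;
import soot.PackManager;
import soot.SootMethod;
import soot.Transform;
import soot.Unit;
import soot.Value;
import soot.jimple.AssignStmt;
import soot.jimple.NewExpr;
import soot.jimple.SpecialInvokeExpr;
import soot.jimple.Stmt;

/**
 * Pairs every "$r = new T" in a Jimple body with the
 * "specialinvoke $r.<T: void <init>(...)>(...)" that constructs the object.
 *
 * One forward pass over the unit chain: a local that receives a NewExpr is
 * "pending"; local-to-local copies of a pending local become aliases; the first
 * specialinvoke of <init> whose base is a pending local (or alias) closes the
 * pair. Assumes allocation and constructor call lie on one straight-line path
 * (as javac emits them); across branches a points-to analysis would be needed.
 */
public final class AllocationPairing {

    private AllocationPairing() {
    }

    /** Maps each NewExpr assignment to its constructor-call statement, or to null if none was found. */
    public static Map<AssignStmt, Stmt> pairAllocations(Body body) {
        Map<AssignStmt, Stmt> pairs = new LinkedHashMap<AssignStmt, Stmt>();
        // locals (and their aliases) that currently hold an object whose <init> has not been seen yet
        Map<Local, AssignStmt> pending = new HashMap<Local, AssignStmt>();

        for (Unit u : body.getUnits()) {
            Stmt s = (Stmt) u;

            if (s instanceof AssignStmt) {
                AssignStmt as = (AssignStmt) s;
                Value lhs = as.getLeftOp();
                Value rhs = as.getRightOp();
                if (lhs instanceof Local) {
                    Local target = (Local) lhs;
                    if (rhs instanceof NewExpr) {
                        // "$r1 = new T": start tracking $r1
                        pairs.put(as, null);
                        pending.put(target, as);
                        continue;
                    }
                    AssignStmt origin = (rhs instanceof Local) ? pending.get(rhs) : null;
                    if (origin != null) {
                        // "$r2 = $r1" with $r1 pending: $r2 now names the same unconstructed object
                        pending.put(target, origin);
                        continue;
                    }
                    // any other assignment overwrites whatever this local held
                    pending.remove(target);
                }
            }

            if (s.containsInvokeExpr() && s.getInvokeExpr() instanceof SpecialInvokeExpr) {
                SpecialInvokeExpr sie = (SpecialInvokeExpr) s.getInvokeExpr();
                AssignStmt origin = pending.get(sie.getBase());
                // super(...) calls have r0 (@this) as base, which is never pending, so they are skipped
                if (origin != null && sie.getMethod().getName().equals(SootMethod.constructorName)) {
                    pairs.put(origin, s);
                    // the object is now constructed: retire every alias of it
                    pending.values().removeAll(Collections.singleton(origin));
                }
            }
        }
        return pairs;
    }

    /** Jimple body transformer that prints the pairs; registered in the "jtp" pack by main. */
    public static final class Report extends BodyTransformer {
        @Override
        protected void internalTransform(Body b, String phaseName, Map<String, String> options) {
            for (Map.Entry<AssignStmt, Stmt> e : pairAllocations(b).entrySet()) {
                System.out.println(b.getMethod().getSignature() + "\n    " + e.getKey()
                        + "\n    -> " + e.getValue());
            }
        }
    }

    /** Usage: java AllocationPairing -cp <classpath> -pp TestConstructorCalls */
    public static void main(String[] args) {
        PackManager.v().getPack("jtp").add(new Transform("jtp.allocpairs", new Report()));
        soot.Main.main(args);
    }
}
```

On the EPollArrayWrapper snippet above, the two assignments to $i0 and $i7 between the allocation and the constructor call are to locals that were never pending, so they pass through without disturbing $r1, and the specialinvoke on $r1 closes the pair. A pair whose value stays null after the pass is an allocation whose <init> was not reached on the straight-line path, which is the case where the general points-to analysis Eric mentions is needed.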


----- Original Message -----
From: "Eric Bodden" <eric.bodden at sit.fraunhofer.de>
To: "Nouraldin I. Jaber" <njaber at purdue.edu>
Cc: soot-list at cs.mcgill.ca
Sent: Sunday, February 1, 2015 9:12:16 PM
Subject: Re: [Soot-list] JNewExpr and JSpecialInvokeExpr pairs

Hi Nour.

In any valid piece of Jimple, as in Java bytecode, you will have the guarantee that no operations are invoked on a newly created object before its constructor has been called. In other words, assignments to other locals are allowed, but nothing else.

But since assignments are allowed, in the general case you might indeed need a local points-to analysis, depending on what you want to do. So what do you actually want to do?

Cheers,
Eric

> On 01.02.2015, at 20:39, Nouraldin I. Jaber <njaber at purdue.edu> wrote:
> 
> 
> Hello all,
> 
> I hope you're doing well. I have a question about Jimple representation of allocating objects using "new" in Java.
> 
> I know that for example:
> Entry e = new Entry();
> 
> is represented using two statements: a JAssignStmt containing a "JNewExpr" and a JInvokeStmt that contains a "JSpecialInvokeExpr", like this:
> 
> $r1 = new Entry;
> specialinvoke $r1.<Entry: void <init>()>();
> 
> My question is: is there any way that I can reach one from the other? Since there could be statements generated between them that may include assigning "$r1" to other temp locals before calling the invoke, or even another invoke.
> 
> I'm not sure if the AST or any internal structure has them coupled at some point, or if I need to trace manually from the assign statement to the invoke statement and use PointsToAnalysis to double check.
> 
> Thanks in advance
> 
> Nour
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

--
Prof. Eric Bodden, Ph.D., http://sse.ec-spride.de/ http://bodden.de/
Head of Secure Software Engineering at Fraunhofer SIT, TU Darmstadt and EC SPRIDE
Tel: +49 6151 16-75422    Fax: +49 6151 869-127
Room B5.11, Fraunhofer SIT, Rheinstraße 75, 64295 Darmstadt
