[Soot-list] Pointsto analysis for reflection methods

Jun GAO jun.gao at uni.lu
Mon Dec 9 05:31:31 EST 2019 

Hi there,

I’m trying to tracking the usage of certain object returned from Java reflection methods by using SPARK PointsTo analysis.
Hereafter is the code of a simple test case:

import java.lang.reflect.Method;
import java.lang.reflect.Constructor;
import java.lang.Class;
import java.lang.reflect.InvocationTargetException;

public class Testcase {

    public static void main(String[] args) {
        try{
            Class cdog = Class.forName("Dog");
            Method mbark = cdog.getMethod("bark");
            mbark.invoke(null);
        } catch(ClassNotFoundException e) {
            e.printStackTrace();
        } catch(NoSuchMethodException e) {
            e.printStackTrace();
        } catch(InvocationTargetException e) {
            e.printStackTrace();
        } catch(IllegalAccessException e) {
            e.printStackTrace();
        }
    }

}


By using the points-to analysis, I want to know that the “cdog” in statement "Class cdog = Class.forName("Dog”);” is the one in statement "Method mbark = cdog.getMethod("bark”);”.
Also, the “mbark” in statement "mbark.invoke(null);” is the one got before.
However, the points-to set from the points-to analysis for all these local variables are “EmptyPointsToSet”.

Following is the code for analysis by using Soot:

public class Tester {
public static void main(String[] args) {
String[] opts = {
         "-process-dir", "../pointsto_test_case/",
         "-ire",
         "-allow-phantom-refs",
         "-src-prec", "c",
         "-w",
         "-p", "cg", "enabled:true",
         "-p", "cg", "all-reachable:true",
         "-p", "cg", "trim-clinit:false",
         "-p", "cg.spark", "on",
         "-p", "cg.spark", "verbose:true",
         "-p", "cg.spark", "propagator:worklist",
         "-p", "cg.spark", "simple-edges-bidirectional:false",
         "-p", "cg.spark", "on-fly-cg:true",
         "-p", "cg.spark", "set-impl:double",
         "-p", "cg.spark", "double-set-old:hybrid",
         "-p", "cg.spark", "double-set-new:hybrid",
         "-p", "jop.cpf", "enabled:true",
         "-output-format", "n"
     };
     G.reset();
PackManager.v().getPack("wjtp").add(new Transform("wjtp.test", new SceneTransformer() {
       @Override
       protected void internalTransform(String phaseName, Map<String, String> options) {
PointsToAnalysis pa = Scene.v().getPointsToAnalysis();
         ReachableMethods reachableMethods = Scene.v().getReachableMethods();
         QueueReader<MethodOrMethodContext> listener = reachableMethods.listener();
         while (listener.hasNext()) {
           SootMethod m = listener.next().method();

           if (!m.getDeclaringClass().getName().equals("Testcase")) continue;

           if (m.hasActiveBody()) {
            Local cls = null, method = null;
             Stmt clsStmt = null, methodStmt = null;
             Body body = m.getActiveBody();
             for (Unit u : body.getUnits()) {
               Stmt stmt = (Stmt) u;
               if (stmt.containsInvokeExpr()) {
                 InvokeExpr ie = stmt.getInvokeExpr();
                 if (ie.getMethod().getName().equals("forName")) {
                   cls = (Local) ((AssignStmt) stmt).getLeftOp();
                   clsStmt = stmt;
                 } else if (ie.getMethod().getName().equals("getMethod")) {
                    AssignStmt astmt = (AssignStmt) stmt;
                  method = (Local) astmt.getLeftOp();
                  methodStmt = stmt;
                   Local invoker = (Local) ((InstanceInvokeExpr) ie).getBase();
                   PointsToSet clsPs = pa.reachingObjects(cls);
                   System.out.println(clsPs.getClass());
                   PointsToSet invokerPs = pa.reachingObjects(invoker);
                   System.out.println(invokerPs.getClass());
                   if (clsPs.hasNonEmptyIntersection(invokerPs)) {
                    System.out.println(clsStmt);
                     System.out.println(methodStmt);
                   }
                 } else if (ie.getMethod().getName().equals("invoke")) {
                   Local invoker = (Local) ((InstanceInvokeExpr) ie).getBase();
                   PointsToSet methodPs = pa.reachingObjects(method);
                   System.out.println(methodPs.getClass());
                   PointsToSet invokerPs = pa.reachingObjects(invoker);
                   System.out.println(invokerPs.getClass());
                   if (methodPs.hasNonEmptyIntersection(invokerPs)) {
                     System.out.println(methodStmt);
                     System.out.println(stmt);
                   }
                 }
               }
             }
}
}
}
}
}

I tried the points-to analysis with object instantiated with new statement which works very well.
And I also noticed that these reflection methods were somehow related to native code.
So I’m wandering are there some other parameters required for the points-to analysis to work properly for this situation?
Or it cannot work with it?


Best Regard
——————————————————
Jun Gao

University of Luxembourg, SnT
6 Rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Office: Bloc E 107
Tele: (+352) 46 66 44 6019
Fax: (+352) 46 66 44 36019





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20191209/0ba1ab30/attachment-0001.html>

More information about the Soot-list mailing list