[Soot-list] Pointsto analysis for reflection methods
Eric Bodden
eric.bodden at uni-paderborn.de
Wed Dec 11 05:44:02 EST 2019
I think David is right. Please have a look also at the documentation of the option “precise-newinstance” here:
https://soot-build.cs.uni-paderborn.de/public/origin/master/soot/soot-master/3.3.0/options/soot_options.htm#phase_3_1
If you provide “Dog” as a dynamic class then Soot should be able to pick that up.
Let us know in case that does not solve your problem.
Cheers
Eric
> On 10. Dec 2019, at 21:12, David Diepenbrock <ddiepenbrock at pjrcorp.com> wrote:
>
> Jun,
>
> Try looking into "Options.v().set_dynamic_class()". In my limited experience spark needs a list of the dynamically loaded classes in order to identify the reflective method invokes.
>
> -David
> From: Soot-list <soot-list-bounces at CS.McGill.CA> on behalf of Jun GAO <jun.gao at uni.lu>
> Sent: Monday, December 9, 2019 4:31 AM
> To: soot-list at cs.mcgill.ca <soot-list at CS.McGill.CA>
> Subject: [Soot-list] Pointsto analysis for reflection methods
>
> Hi there,
>
> I’m trying to track the usage of certain objects returned from Java reflection methods by using SPARK PointsTo analysis.
> Hereafter is the code of a simple test case:
>
> import java.lang.reflect.Method;
> import java.lang.reflect.Constructor;
> import java.lang.Class;
> import java.lang.reflect.InvocationTargetException;
>
> public class Testcase {
>
>     public static void main(String[] args) {
>         try {
>             Class cdog = Class.forName("Dog");
>             Method mbark = cdog.getMethod("bark");
>             mbark.invoke(null);
>         } catch (ClassNotFoundException e) {
>             e.printStackTrace();
>         } catch (NoSuchMethodException e) {
>             e.printStackTrace();
>         } catch (InvocationTargetException e) {
>             e.printStackTrace();
>         } catch (IllegalAccessException e) {
>             e.printStackTrace();
>         }
>     }
>
> }
>
>
> By using the points-to analysis, I want to know that the “cdog” in statement “Class cdog = Class.forName("Dog");” is the one in statement “Method mbark = cdog.getMethod("bark");”.
> Also, the “mbark” in statement “mbark.invoke(null);” is the one got before.
> However, the points-to sets from the points-to analysis for all these local variables are “EmptyPointsToSet”.
>
> Following is the code for analysis by using Soot:
>
> import java.util.Map;
>
> import soot.*;
> import soot.jimple.*;
> import soot.jimple.toolkits.callgraph.ReachableMethods;
> import soot.util.queue.QueueReader;
>
> public class Tester {
>     public static void main(String[] args) {
>         String[] opts = {
>             "-process-dir", "../pointsto_test_case/",
>             "-ire",
>             "-allow-phantom-refs",
>             "-src-prec", "c",
>             "-w",
>             "-p", "cg", "enabled:true",
>             "-p", "cg", "all-reachable:true",
>             "-p", "cg", "trim-clinit:false",
>             "-p", "cg.spark", "on",
>             "-p", "cg.spark", "verbose:true",
>             "-p", "cg.spark", "propagator:worklist",
>             "-p", "cg.spark", "simple-edges-bidirectional:false",
>             "-p", "cg.spark", "on-fly-cg:true",
>             "-p", "cg.spark", "set-impl:double",
>             "-p", "cg.spark", "double-set-old:hybrid",
>             "-p", "cg.spark", "double-set-new:hybrid",
>             "-p", "jop.cpf", "enabled:true",
>             "-output-format", "n"
>         };
>         G.reset();
>         PackManager.v().getPack("wjtp").add(new Transform("wjtp.test", new SceneTransformer() {
>             @Override
>             protected void internalTransform(String phaseName, Map<String, String> options) {
>                 PointsToAnalysis pa = Scene.v().getPointsToAnalysis();
>                 ReachableMethods reachableMethods = Scene.v().getReachableMethods();
>                 QueueReader<MethodOrMethodContext> listener = reachableMethods.listener();
>                 while (listener.hasNext()) {
>
>                     SootMethod m = listener.next().method();
>
>                     // Only inspect methods of the test case class.
>                     if (!m.getDeclaringClass().getName().equals("Testcase")) continue;
>
>                     if (m.hasActiveBody()) {
>                         Local cls = null, method = null;
>                         Stmt clsStmt = null, methodStmt = null;
>                         Body body = m.getActiveBody();
>                         for (Unit u : body.getUnits()) {
>                             Stmt stmt = (Stmt) u;
>                             if (stmt.containsInvokeExpr()) {
>                                 InvokeExpr ie = stmt.getInvokeExpr();
>                                 if (ie.getMethod().getName().equals("forName")) {
>                                     // Remember the local that receives the Class object.
>                                     cls = (Local) ((AssignStmt) stmt).getLeftOp();
>                                     clsStmt = stmt;
>                                 } else if (ie.getMethod().getName().equals("getMethod")) {
>
>                                     AssignStmt astmt = (AssignStmt) stmt;
>                                     method = (Local) astmt.getLeftOp();
>                                     methodStmt = stmt;
>                                     Local invoker = (Local) ((InstanceInvokeExpr) ie).getBase();
>                                     PointsToSet clsPs = pa.reachingObjects(cls);
>                                     System.out.println(clsPs.getClass());
>                                     PointsToSet invokerPs = pa.reachingObjects(invoker);
>                                     System.out.println(invokerPs.getClass());
>                                     if (clsPs.hasNonEmptyIntersection(invokerPs)) {
>                                         System.out.println(clsStmt);
>                                         System.out.println(methodStmt);
>                                     }
>                                 } else if (ie.getMethod().getName().equals("invoke")) {
>                                     Local invoker = (Local) ((InstanceInvokeExpr) ie).getBase();
>                                     PointsToSet methodPs = pa.reachingObjects(method);
>                                     System.out.println(methodPs.getClass());
>                                     PointsToSet invokerPs = pa.reachingObjects(invoker);
>                                     System.out.println(invokerPs.getClass());
>                                     if (methodPs.hasNonEmptyIntersection(invokerPs)) {
>                                         System.out.println(methodStmt);
>                                         System.out.println(stmt);
>                                     }
>                                 }
>                             }
>                         }
>                     }
>                 }
>             }
>         }));
>         // Run Soot with the options above; the transform only executes once Soot is started.
>         soot.Main.main(opts);
>     }
> }
>
> I tried the points-to analysis with objects instantiated with a new statement, which works very well.
> And I also noticed that these reflection methods were somehow related to native code.
> So I’m wondering, are there some other parameters required for the points-to analysis to work properly for this situation?
> Or can it not work with it?
>
>
> Best Regards
> ——————————————————
> Jun Gao
>
> University of Luxembourg, SnT
> 6 Rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> Office: Bloc E 107
> Tele: (+352) 46 66 44 6019
> Fax: (+352) 46 66 44 36019
>
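A driver that applies the suggestion made in the replies (declaring "Dog" as a dynamic class) and then prints the call edges and points-to sets for Testcase.main, so the effect can be checked directly. This is an added example, not code from the thread or from the Soot project; the class name DynamicClassCheck and the phase name wjtp.dyncheck are made up here, and the process directory and class names are the ones from the original post.

```java
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;

import soot.*;
import soot.jimple.toolkits.callgraph.Edge;
import soot.options.Options;

// Hypothetical driver class; requires Soot on the classpath.
public class DynamicClassCheck {
    public static void main(String[] args) {
        G.reset();
        Options.v().set_whole_program(true);
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_src_prec(Options.src_prec_class);
        Options.v().set_output_format(Options.output_format_none);
        // Directory from the original post; must contain Testcase.class and Dog.class.
        Options.v().set_process_dir(Collections.singletonList("../pointsto_test_case/"));
        // The suggestion from the replies: name the reflectively loaded class up front.
        Options.v().set_dynamic_class(Collections.singletonList("Dog"));
        Options.v().setPhaseOption("cg.spark", "on");

        PackManager.v().getPack("wjtp").add(new Transform("wjtp.dyncheck", new SceneTransformer() {
            @Override
            protected void internalTransform(String phase, Map<String, String> opts) {
                SootMethod main = Scene.v().getSootClass("Testcase").getMethodByName("main");

                // Call edges leaving main: shows whether any edge into Dog was resolved.
                Iterator<Edge> edges = Scene.v().getCallGraph().edgesOutOf(main);
                while (edges.hasNext()) {
                    Edge e = edges.next();
                    System.out.println(e.kind() + ": " + e.srcStmt() + " -> " + e.tgt());
                }

                // Points-to set of every local in main, including the Class and Method locals.
                PointsToAnalysis pa = Scene.v().getPointsToAnalysis();
                for (Local l : main.retrieveActiveBody().getLocals()) {
                    PointsToSet pts = pa.reachingObjects(l);
                    System.out.println(l + " : " + l.getType()
                            + " empty=" + pts.isEmpty() + " types=" + pts.possibleTypes());
                }
            }
        }));

        Scene.v().loadNecessaryClasses();
        PackManager.v().runPacks();
    }
}
```

Running it once with and once without the set_dynamic_class line gives a direct before/after comparison of the edges and sets that Spark computes for the reflective calls.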