[Soot-list] Pointsto analysis for reflection methods
Jun GAO
jun.gao at uni.lu
Wed Dec 11 04:22:48 EST 2019
Hi David,
Thanks for your quick reply.
About “Options.v().set_dynamic_class()”, I found no clear documents and examples so far.
I tried to add following code after “G.reset()” in my “Tester”:
List<String> classes = new ArrayList<String>();
classes.add("java.lang.ClassLoader");
classes.add("java.lang.Class");
classes.add("java.lang.reflect.Method");
classes.add("java.lang.reflect.Field");
Options.v().set_dynamic_class(classes);
But the results showed no differences.
I’m wondering if I used it in a wrong way or it may be not related?
Best Regard
——————————————————
Jun Gao
University of Luxembourg, SnT
6 Rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Office: Bloc E 107
Tele: (+352) 46 66 44 6019
Fax: (+352) 46 66 44 36019
On 10 Dec 2019, at 21:12, David Diepenbrock <ddiepenbrock at pjrcorp.com<mailto:ddiepenbrock at pjrcorp.com>> wrote:
Jun,
Try looking into "Options.v().set_dynamic_class()". In my limited experience spark needs a list of the dynamically loaded classes in order to identify the reflective method invokes.
-David
________________________________
From: Soot-list <soot-list-bounces at CS.McGill.CA<mailto:soot-list-bounces at CS.McGill.CA>> on behalf of Jun GAO <jun.gao at uni.lu<mailto:jun.gao at uni.lu>>
Sent: Monday, December 9, 2019 4:31 AM
To: soot-list at cs.mcgill.ca<mailto:soot-list at cs.mcgill.ca> <soot-list at CS.McGill.CA<mailto:soot-list at CS.McGill.CA>>
Subject: [Soot-list] Pointsto analysis for reflection methods
Hi there,
I’m trying to tracking the usage of certain object returned from Java reflection methods by using SPARK PointsTo analysis.
Hereafter is the code of a simple test case:
import java.lang.reflect.Method;
import java.lang.reflect.Constructor;
import java.lang.Class;
import java.lang.reflect.InvocationTargetException;
public class Testcase {
public static void main(String[] args) {
try{
Class cdog = Class.forName("Dog");
Method mbark = cdog.getMethod("bark");
mbark.invoke(null);
} catch(ClassNotFoundException e) {
e.printStackTrace();
} catch(NoSuchMethodException e) {
e.printStackTrace();
} catch(InvocationTargetException e) {
e.printStackTrace();
} catch(IllegalAccessException e) {
e.printStackTrace();
}
}
}
By using the points-to analysis, I want to know that the “cdog” in statement "Class cdog = Class.forName("Dog”);” is the one in statement "Method mbark = cdog.getMethod("bark”);”.
Also, the “mbark” in statement "mbark.invoke(null);” is the one got before.
However, the points-to set from the points-to analysis for all these local variables are “EmptyPointsToSet”.
Following is the code for analysis by using Soot:
public class Tester {
public static void main(String[] args) {
String[] opts = {
"-process-dir", "../pointsto_test_case/",
"-ire",
"-allow-phantom-refs",
"-src-prec", "c",
"-w",
"-p", "cg", "enabled:true",
"-p", "cg", "all-reachable:true",
"-p", "cg", "trim-clinit:false",
"-p", "cg.spark", "on",
"-p", "cg.spark", "verbose:true",
"-p", "cg.spark", "propagator:worklist",
"-p", "cg.spark", "simple-edges-bidirectional:false",
"-p", "cg.spark", "on-fly-cg:true",
"-p", "cg.spark", "set-impl:double",
"-p", "cg.spark", "double-set-old:hybrid",
"-p", "cg.spark", "double-set-new:hybrid",
"-p", "jop.cpf", "enabled:true",
"-output-format", "n"
};
G.reset();
PackManager.v().getPack("wjtp").add(new Transform("wjtp.test", new SceneTransformer() {
@Override
protected void internalTransform(String phaseName, Map<String, String> options) {
PointsToAnalysis pa = Scene.v().getPointsToAnalysis();
ReachableMethods reachableMethods = Scene.v().getReachableMethods();
QueueReader<MethodOrMethodContext> listener = reachableMethods.listener();
while (listener.hasNext()) {
SootMethod m = listener.next().method();
if (!m.getDeclaringClass().getName().equals("Testcase")) continue;
if (m.hasActiveBody()) {
Local cls = null, method = null;
Stmt clsStmt = null, methodStmt = null;
Body body = m.getActiveBody();
for (Unit u : body.getUnits()) {
Stmt stmt = (Stmt) u;
if (stmt.containsInvokeExpr()) {
InvokeExpr ie = stmt.getInvokeExpr();
if (ie.getMethod().getName().equals("forName")) {
cls = (Local) ((AssignStmt) stmt).getLeftOp();
clsStmt = stmt;
} else if (ie.getMethod().getName().equals("getMethod")) {
AssignStmt astmt = (AssignStmt) stmt;
method = (Local) astmt.getLeftOp();
methodStmt = stmt;
Local invoker = (Local) ((InstanceInvokeExpr) ie).getBase();
PointsToSet clsPs = pa.reachingObjects(cls);
System.out.println(clsPs.getClass());
PointsToSet invokerPs = pa.reachingObjects(invoker);
System.out.println(invokerPs.getClass());
if (clsPs.hasNonEmptyIntersection(invokerPs)) {
System.out.println(clsStmt);
System.out.println(methodStmt);
}
} else if (ie.getMethod().getName().equals("invoke")) {
Local invoker = (Local) ((InstanceInvokeExpr) ie).getBase();
PointsToSet methodPs = pa.reachingObjects(method);
System.out.println(methodPs.getClass());
PointsToSet invokerPs = pa.reachingObjects(invoker);
System.out.println(invokerPs.getClass());
if (methodPs.hasNonEmptyIntersection(invokerPs)) {
System.out.println(methodStmt);
System.out.println(stmt);
}
}
}
}
}
}
}
}
}
I tried the points-to analysis with object instantiated with new statement which works very well.
And I also noticed that these reflection methods were somehow related to native code.
So I’m wandering are there some other parameters required for the points-to analysis to work properly for this situation?
Or it cannot work with it?
Best Regard
——————————————————
Jun Gao
University of Luxembourg, SnT
6 Rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Office: Bloc E 107
Tele: (+352) 46 66 44 6019
Fax: (+352) 46 66 44 36019
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.CS.McGill.CA/pipermail/soot-list/attachments/20191211/09bb2401/attachment-0001.html>
More information about the Soot-list
mailing list