[Soot-list] Pointsto analysis for reflection methods

Eric Bodden eric.bodden at uni-paderborn.de
Wed Dec 18 06:46:29 EST 2019 

Hi.

Are you actually re-executing the pointer analysis after your call to reset()?

Eric

> On 11. Dec 2019, at 10:22, Jun GAO <jun.gao at uni.lu> wrote:
> 
> Hi David,
> 
> Thanks for your quick reply.
> 
> About “Options.v().set_dynamic_class()”, I found  no clear documents and examples so far.
> I tried to add following code after “G.reset()” in my “Tester”:
> 
> List<String> classes = new ArrayList<String>();
> classes.add("java.lang.ClassLoader");
> classes.add("java.lang.Class");
> classes.add("java.lang.reflect.Method");
> classes.add("java.lang.reflect.Field");
> Options.v().set_dynamic_class(classes);
> 
> But the results showed no differences.
> I’m wondering if I used it in a wrong way or it may be not related?  
> 
> Best Regard
> ——————————————————
> Jun Gao
> 
> University of Luxembourg, SnT
> 6 Rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
> Office: Bloc E 107
> Tele: (+352) 46 66 44 6019
> Fax: (+352) 46 66 44 36019
> 
> 
> 
> 
> 
>> On 10 Dec 2019, at 21:12, David Diepenbrock <ddiepenbrock at pjrcorp.com> wrote:
>> 
>> Jun,
>> 
>> Try looking into "Options.v().set_dynamic_class()".  In my limited experience spark needs a list of the dynamically loaded classes in order to identify the reflective method invokes. 
>> 
>> -David
>> From: Soot-list <soot-list-bounces at CS.McGill.CA> on behalf of Jun GAO <jun.gao at uni.lu>
>> Sent: Monday, December 9, 2019 4:31 AM
>> To: soot-list at cs.mcgill.ca <soot-list at CS.McGill.CA>
>> Subject: [Soot-list] Pointsto analysis for reflection methods
>>  
>> Hi there,
>> 
>> I’m trying to tracking the usage of certain object returned from Java reflection methods by using SPARK PointsTo analysis.
>> Hereafter is the code of a simple test case:
>> 
>> import java.lang.reflect.Method;
>> import java.lang.reflect.Constructor;
>> import java.lang.Class;
>> import java.lang.reflect.InvocationTargetException;
>> 
>> public class Testcase {
>> 
>>     public static void main(String[] args) {
>>         try{
>>             Class cdog = Class.forName("Dog");
>>             Method mbark = cdog.getMethod("bark");
>>             mbark.invoke(null);
>>         } catch(ClassNotFoundException e) {
>>             e.printStackTrace();
>>         } catch(NoSuchMethodException e) {
>>             e.printStackTrace();
>>         } catch(InvocationTargetException e) {
>>             e.printStackTrace();
>>         } catch(IllegalAccessException e) {
>>             e.printStackTrace();
>>         }
>>     }
>> 
>> }
>> 
>> 
>> By using the points-to analysis, I want to know that the “cdog” in statement "Class cdog = Class.forName("Dog”);” is the one in statement "Method mbark = cdog.getMethod("bark”);”.
>> Also, the “mbark” in statement "mbark.invoke(null);” is the one got before.
>> However, the points-to set from the points-to analysis for all these local variables are “EmptyPointsToSet”.
>> 
>> Following is the code for analysis by using Soot:
>> 
>> public class Tester {
>> public static void main(String[] args) {
>> String[] opts = {
>>          "-process-dir", "../pointsto_test_case/",
>>          "-ire",
>>          "-allow-phantom-refs",
>>          "-src-prec", "c",
>>          "-w",
>>          "-p", "cg", "enabled:true",
>>          "-p", "cg", "all-reachable:true",
>>          "-p", "cg", "trim-clinit:false",
>>          "-p", "cg.spark", "on",
>>          "-p", "cg.spark", "verbose:true",
>>          "-p", "cg.spark", "propagator:worklist",
>>          "-p", "cg.spark", "simple-edges-bidirectional:false",
>>          "-p", "cg.spark", "on-fly-cg:true",
>>          "-p", "cg.spark", "set-impl:double",
>>          "-p", "cg.spark", "double-set-old:hybrid",
>>          "-p", "cg.spark", "double-set-new:hybrid",
>>          "-p", "jop.cpf", "enabled:true",
>>          "-output-format", "n"
>>      };
>>      G.reset();
>> PackManager.v().getPack("wjtp").add(new Transform("wjtp.test", new SceneTransformer() {
>>        @Override
>>        protected void internalTransform(String phaseName, Map<String, String> options) {
>> PointsToAnalysis pa = Scene.v().getPointsToAnalysis();
>>          ReachableMethods reachableMethods = Scene.v().getReachableMethods();
>>          QueueReader<MethodOrMethodContext> listener = reachableMethods.listener();
>>          while (listener.hasNext()) {
>>          
>>  SootMethod m = listener.next().method();
>> 
>>            if (!m.getDeclaringClass().getName().equals("Testcase")) continue;
>> 
>>            if (m.hasActiveBody()) {
>>             Local cls = null, method = null;
>>              Stmt clsStmt = null, methodStmt = null;
>>              Body body = m.getActiveBody();
>>              for (Unit u : body.getUnits()) {
>>                Stmt stmt = (Stmt) u;
>>                if (stmt.containsInvokeExpr()) {
>>                   InvokeExpr ie = stmt.getInvokeExpr();
>>                   if (ie.getMethod().getName().equals("forName")) {
>>                      cls = (Local) ((AssignStmt) stmt).getLeftOp();
>>                      clsStmt = stmt;
>>                   } else if (ie.getMethod().getName().equals("getMethod")) {
>>                      AssignStmt astmt = (AssignStmt) stmt;
>>                    method = (Local) astmt.getLeftOp();
>>                    methodStmt = stmt;
>>                      Local invoker = (Local) ((InstanceInvokeExpr) ie).getBase();
>>                      PointsToSet clsPs = pa.reachingObjects(cls);
>>                      System.out.println(clsPs.getClass());
>>                      PointsToSet invokerPs = pa.reachingObjects(invoker);
>>                      System.out.println(invokerPs.getClass());
>>                      if (clsPs.hasNonEmptyIntersection(invokerPs)) {
>>                       System.out.println(clsStmt);
>>                        System.out.println(methodStmt);
>>                      }
>>                   } else if (ie.getMethod().getName().equals("invoke")) {
>>                      Local invoker = (Local) ((InstanceInvokeExpr) ie).getBase();
>>                      PointsToSet methodPs = pa.reachingObjects(method);
>>                      System.out.println(methodPs.getClass());
>>                      PointsToSet invokerPs = pa.reachingObjects(invoker);
>>                      System.out.println(invokerPs.getClass());
>>                      if (methodPs.hasNonEmptyIntersection(invokerPs)) {
>>                        System.out.println(methodStmt);
>>                        System.out.println(stmt);
>>                      }
>>                   }
>>                }
>>              }
>> }
>> }
>> }
>> }
>> }
>> 
>> I tried the points-to analysis with object instantiated with new statement which works very well.
>> And I also noticed that these reflection methods were somehow related to native code.
>> So I’m wandering are there some other parameters required for the points-to analysis to work properly for this situation?
>> Or it cannot work with it?
>> 
>> 
>> Best Regard
>> ——————————————————
>> Jun Gao
>> 
>> University of Luxembourg, SnT
>> 6 Rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>> Office: Bloc E 107
>> Tele: (+352) 46 66 44 6019
>> Fax: (+352) 46 66 44 36019
> 
> _______________________________________________
> Soot-list mailing list
> Soot-list at CS.McGill.CA
> https://mailman.CS.McGill.CA/mailman/listinfo/soot-list

More information about the Soot-list mailing list