[Soot-list] Correct way of using SPARK points-to analysis
Shuyang Liu
sliu44 at cs.ucla.edu
Tue Jun 25 05:05:17 EDT 2019
Hello All,
Recently I'm using soot SPARK points-to analysis as part of a research project. I followed some online documentations and examples but the program seems to give a call graph that is much larger than the call graphs produced by other static analysis tools such as petablox and WALA. More specifically, when running it on a relatively large application, soot give a call graph consisting 395624 call graph edges whereas other tools such as WALA (with 0cfa and no reflection turned on) gives ~40000 edges. So I'm wondering if I am using soot correctly? The following is my code:
```
public class SootCallgraph extends SceneTransformer {
private void process(Chain<SootClass> app) throws IOException {
CallGraph cg = Scene.v().getCallGraph();
System.out.println("Found " + cg.size() + " edges");
// ... More code processing the call graph
}
@Override
protected void internalTransform(String phaseName, Map options) {
HashMap <String , String> opt = new HashMap <String , String> (options);
opt.put("enabled","true");
opt.put("verbose", "true");
opt.put("on-fly-cg","true");
opt.put("simple-edges-bidirectional", "false");
opt.put("vta", "false");
opt.put("rta", "false");
opt.put("propagator","worklist");
opt.put("ignore-types","false");
opt.put("field-based","false");
opt.put("pre-jimplify","false");
opt.put("class-method-var","true");
opt.put("dump-pag","false");
opt.put("force-gc","false");
opt.put("merge-stringbuffer","false");
opt.put("string-constants","false");
opt.put("simulate-natives","true");
opt.put("simplify-offline","false");
opt.put("simplify-sccs","true");
opt.put("ignore-types-for-sccs","false");
opt.put("set-impl","double");
opt.put("double-set-old","hybrid");
opt.put("double-set-new","hybrid");
opt.put("dump-html","false");
opt.put("dump-solution","false");
opt.put("topo-sort","false");
opt.put("dump-types","false");
opt.put("dump-answer","false");
opt.put("add-tags","false");
opt.put("set-mass","false");
SparkTransformer.v().transform("", opt);
Chain<SootClass> app = Scene.v().getClasses();
try { process(app);} catch (IOException ignored) {}
}
public static void main(String[] args) {
Options.v().parse(args);
SootClass entryClass = Scene.v().loadClassAndSupport(mainClass); // mainClass is the name of the main class
Scene.v().loadNecessaryClasses();
// Set Entry Point
SootMethod method = entryClass.getMethodByName("main");
List <SootMethod> entryPoints = new ArrayList<>();
entryPoints.add(method);
Scene.v().setEntryPoints(entryPoints);
PackManager.v().getPack("wjtp").add(new Transform("wjtp.myTrans", new SootCallgraph("output.txt")));
soot.Main.main(newargs);
}
}
```
The command line options I used for running this piece of code are:
```
-pp
-w
-f
n
-app
-process-dir
test/bin
-allow-phantom-refs
```
In addition, I have tried specifying `-p cg.spark on` in the cmdline options without calling `SparkTransformer.transform()` inside my code, but it produces the same results. Interestingly, if I have both, the number of edges decreases drastically to 1709 edges, which is much less than what other tools produces. If I put `SparkTransformer.transform()` outside of `internalTransform()` method, the number of edges in the call graph would be different as well.
I understand that it is hard to tell what is wrong without looking at the actual application program it is running on (especially in this case there is no error message but it just feels not right). Any suggestions on how to correctly use SPARK would be very much appreciated.
Thank you!
Shuyang Liu
More information about the Soot-list
mailing list