[Soot-list] [Help] Confused about Soot reflection resolver in Spark
Yirui Liu
yirliu at umich.edu
Tue Nov 5 15:58:23 EST 2019
Hi all,
I am new to Soot, and working on building a static analysis upon Spark
pointer analysis.
I have some expectations of the behavior of reflection resolution, and wonder
if the built-in resolver can meet my requirement.
I want to see my analysis only reaching the classes that appear in the
`forName()` call as shown in the example at the end, and not including
other classes not reachable from the entry points.
And then I got confused by the document (
https://www.sable.mcgill.ca/soot/doc/soot/options/CGOptions.html#safe_newinstance())
which says
*"Safe newInstance -- Handle Class.newInstance() calls conservatively...
When this option is set to false, any calls to Class.newInstance() are
assumed not to call the constructor of the created object"*.
I cannot get the required behaviors either by turning safe-new-instance on or
off, because with this option on, all the classes are reachable; with the
option off, none of the classes is resolved.
I wonder if this is because Soot does not support my requirements, or
because I set up my analysis in a wrong way.
Could you give me some suggestions?
Here is the part of my analysis to enumerate all the classes reachable from
the entry point (Simple3.main). I am using callGraph and ReachableMethods.
```
CallGraph callGraph = Scene.v().getCallGraph();
List<SootMethod> lm = Scene.v().getEntryPoints();
Set<String> sigs = new HashSet<String>();
for (SootMethod em : lm) {
    ReachableMethods rm;
    rm = new ReachableMethods(callGraph, Collections.singleton(em));
    rm.update();
    QueueReader<MethodOrMethodContext> qr = rm.listener();
    while (qr.hasNext()) {
        MethodOrMethodContext momc = qr.next();
        if (momc != null) {
            SootMethod m = momc.method();
            if (m.isConcrete()) {
                String sig = m.getBytecodeSignature();
                if (sigs.add(sig)) {
                    SootClass cl = m.getDeclaringClass();
                    System.out.println("Found " + cl.getType());
                }
            }
        }
    }
}
```
Here are my command-line arguments:
```
-cp $JAVA_HOME/lib/rt.jar:$JAVA_HOME/lib/charsets.jar:$JAVA_HOME/lib/resources.jar:$JAVA_HOME/lib/jsse.jar:$JAVA_HOME/lib/jce.jar:$SOOT_DIR/target/classes/
-process-dir simple3_classes/ -main-class Simple3 -d simple3Output -w
-p cg.spark enabled:true -p cg safe-newinstance:true
```
I also tried to turn `types-for-invoke:true` on and those two cases still
happened.
Here is my simple example.
I expected to see only the "Goat" class accessed, but the other animal class
"Cat" also appeared if I turned "safe-newinstance" on; neither "Goat" nor
"Cat" appeared with "safe-newinstance" off.
```
// Goat.java
class Goat {
    private String name;

    public Goat(String n) {
        name = n;
    }
}

// Cat.java
class Cat {
    private String name;

    public Cat(String n) {
        name = n;
    }
}

// Simple3.java
import java.lang.reflect.*;

public class Simple3 {
    public static void main(String[] args) {
        try {
            Class<?> clazz = Class.forName("Goat");
            Constructor<?> cons = clazz.getConstructor(String.class);
            Object o = cons.newInstance("Data");
            System.out.println("this is my instance:" + o.toString());
        }
        catch (Exception e) {
            System.out.println("Error " + e.getMessage());
            e.printStackTrace();
        }
    }
}
```
Thanks so much,
Yirui