[Soot-list] [Help] Confused about Soot reflection resolver in Spark

Yirui Liu yirliu at umich.edu
Tue Nov 5 15:58:23 EST 2019


Hi all,

I am new to Soot, and I am working on building a static analysis upon the Spark
pointer analysis.
I have some expectations of the behavior of reflection resolution, and wonder
if the built-in resolver can meet my requirements.

I want to see my analysis reach only the classes that appear in the
`forName()` call, as shown in the example at the end, and not include
other classes that are not reachable from the entry points.
And then I got confused by the documentation (
https://www.sable.mcgill.ca/soot/doc/soot/options/CGOptions.html#safe_newinstance())
which says
"*Safe newInstance -- Handle Class.newInstance() calls conservatively...
When this option is set to false, any calls to Class.newInstance() are
assumed not to call the constructor of the created object*".

I cannot get the required behavior either by turning safe-newinstance on or
off, because with this option on, all the classes are reachable; with the
option off, none of the classes is resolved.
I wonder if this is because Soot does not support my requirements, or
because I set up my analysis in the wrong way.
Could you give me some suggestions?

Here is the part of my analysis that enumerates all the classes reachable from
the entry point (Simple3.main). I am using callGraph and ReachableMethods.
```
  CallGraph callGraph = Scene.v().getCallGraph();
  List<SootMethod> lm = Scene.v().getEntryPoints();
  // Bytecode signatures already seen, so each method is reported once.
  Set<String> sigs = new HashSet<String>();
  for (SootMethod em : lm) {
      // Methods reachable in the call graph from this single entry point.
      ReachableMethods rm;
      rm = new ReachableMethods(callGraph, Collections.singleton(em));
      rm.update();
      QueueReader<MethodOrMethodContext> qr = rm.listener();
      while (qr.hasNext()) {
          MethodOrMethodContext momc = qr.next();
          if (momc != null) {
              SootMethod m = momc.method();
              if (m.isConcrete()) {
                  String sig = m.getBytecodeSignature();
                  if (sigs.add(sig)) {
                      // Print the declaring class of each newly seen method.
                      SootClass cl = m.getDeclaringClass();
                      System.out.println("Found " + cl.getType());
                  }
              }
          }
      }
  }
```

Here are my command line arguments:
```
-cp
$JAVA_HOME/lib/rt.jar:$JAVA_HOME/lib/charsets.jar:$JAVA_HOME/lib/resources.jar:$JAVA_HOME/lib/jsse.jar:$JAVA_HOME/lib/jce.jar:$SOOT_DIR/target/classes/
-process-dir simple3_classes/ -main-class Simple3 -d simple3Output -w -p
cg.spark enabled:true  -p cg safe-newinstance:true
```
I also tried turning `types-for-invoke:true` on, and those two cases still
happened.

Here is my simple example.
I expected to see only the "Goat" class accessed, but the other animal class
"Cat" also appeared if I turned "safe-newinstance" on; neither "Goat" nor
"Cat" appeared with "safe-newinstance" off.
```
// Goat.java
class Goat {
    private String name;
    public Goat(String n) {
        name = n;
    }
}
// Cat.java
class Cat {
    private String name;
    public Cat(String n) {
        name = n;
    }
}
//Simple3.java
import java.lang.reflect.*;
public class Simple3 {
    public static void main(String[] args) {
        try {
            Class<?> clazz = Class.forName("Goat");
            Constructor<?> cons = clazz.getConstructor(String.class);
            Object o = cons.newInstance("Data");
            System.out.println("this is my instance:" + o.toString());
        }
        catch (Exception e) {
            System.out.println("Error " + e.getMessage());
            e.printStackTrace();
        }
    }
}
```

Thanks so much,
Yirui