Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf ·...
Transcript of Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf ·...
![Page 1: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/1.jpg)
Analyzing Java Programs with Soot
Bruno Dufour
based on material by:
Eric Bodden,Laurie Hendren, Patrick Lam, Jennifer Lhotak, Ondrej Lhotak and Feng
Qian
McGill University
http://www.sable.mcgill.ca/soot/
Analyzing Java Programs with Soot – p. 1/89
![Page 2: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/2.jpg)
www.sable.mcgill.ca/soot/
What is Soot?
a free compiler infrastructure, written in Java(LGPL)
was originally designed to analyze andtransform Java bytecode
original motivation was to provide a commoninfrastructure with which researchers couldcompare analyses (points-to analyses)
has been extended to include decompilationand visualization
Analyzing Java Programs with Soot – p. 2/89
![Page 3: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/3.jpg)
What is Soot? (2)
Soot has many potential applications:used as a stand-alone tool (command lineor Eclipse plugin)extended to include new IRs, analyses,transformations and visualizationsas the basis of building newspecial-purpose tools
Analyzing Java Programs with Soot – p. 3/89
![Page 4: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/4.jpg)
www.sable.mcgill.ca/publications/
Soot: Past and Present
Started in 1996-97 with the development ofcoffi by Clark Verbrugge and some firstprototypes of Jimple IR by Clark and RajaVallée-Rai.
First publicly-available versions of Soot 1.xwere associated with Raja’s M.Sc. thesis
New contributions and releases have beenadded by many graduate students at McGilland research results have been the topics ofpapers and theses.
Analyzing Java Programs with Soot – p. 4/89
![Page 5: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/5.jpg)
Soot: Past and Present (2)
Soot 1.x has been used by many researchgroups for a wide variety of applications. Hasalso been used in several compiler courses.Last version was 1.2.5.
Soot 2.0 and the first version of the EclipsePlugin were released - June 2003 - JIT forPLDI 2003.
Soot 2.3.0: Java 5 support
Soot 2.4.0: partial Reflection support
This tutorial is based on Soot 2.4.0.
Analyzing Java Programs with Soot – p. 5/89
![Page 6: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/6.jpg)
Soot Overview
sourceJava
sourceSML
sourceScheme
sourceEiffel
sourceJava
class files
javac MLJ KAWA SmallEiffel
SOOT
Produce Jimple 3−address IR
Generate Bytecode
Interpreter JIT Adaptive Engine Ahead−of−Time
Compiler
Optimized class files + attributes
Analyze, Optimize and Tag
Eclipse
Analyzing Java Programs with Soot – p. 6/89
![Page 7: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/7.jpg)
Soot IRs
Baf: is a compact rep. of Bytecode (stack-based)
Jimple: is Java’s simple, typed, 3-addr(stackless) representation
Shimple: is a SSA-version of Jimple
Grimp: is like Jimple, but with expressionsagGRegated
Dava: structured representation used forDecompiling Java
Analyzing Java Programs with Soot – p. 7/89
![Page 8: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/8.jpg)
Raja’s Thesis, CASCON99, CC2000, SAS2000
Jimple
Jimple is:
principal Soot Intermediate Representation
3-address code in a control-flow graph
a typed intermediate representation
stackless
special variables for this and parameters
only simple statements, never nested
Analyzing Java Programs with Soot – p. 8/89
![Page 9: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/9.jpg)
Kinds of Jimple Stmts I
Core statements:NopStmtDefinitionStmt: IdentityStmt,
AssignStmt
Intraprocedural control-flow:IfStmtGotoStmtTableSwitchStmt,LookupSwitchStmt
Interprocedural control-flow:InvokeStmtReturnStmt, ReturnVoidStmt
Analyzing Java Programs with Soot – p. 9/89
![Page 10: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/10.jpg)
Kinds of Jimple Stmts II
ThrowStmtthrows an exception
RetStmtnot used; returns from a JSR
MonitorStmt: EnterMonitorStmt,ExitMonitorStmt
mutual exclusion
Analyzing Java Programs with Soot – p. 10/89
![Page 11: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/11.jpg)
IdentityStmt
this.m();Where’s the definition of this?
IdentityStmt:
Used for assigning parameter values andthis ref to locals.
Gives each local at least one definition point.
Jimple rep of IdentityStmts:r0 := @this;i1 := @parameter0;
Analyzing Java Programs with Soot – p. 11/89
![Page 12: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/12.jpg)
Context: other Jimple Stmts
public int foo(java.lang.String) { // locals
r0 := @this; // IdentityStmt
r1 := @parameter0;
if r1 != null goto label0; // IfStmt
$i0 = r1.length(); // AssignStmt
r1.toUpperCase(); // InvokeStmt
return $i0; // ReturnStmt
label0: // created by Printer
return 2;
}
Analyzing Java Programs with Soot – p. 12/89
![Page 13: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/13.jpg)
Converting bytecode → Jimple → bytecode
These transformations are relatively hard to design sothat they produce correct, useful and efficient code.
Worth the price, we do want a 3-addr typed IR.
raw bytecode typed 3-address code (Jimple)
◦ each inst has implicit ◦ each stmt acts explicitly
effect on stack on named variables
◦ no types for local ◦ types for each local
variables variable
◦ > 200 kinds of insts ◦ only 15 kinds of stmts
Analyzing Java Programs with Soot – p. 13/89
![Page 14: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/14.jpg)
Soot Data Structure Basics
Soot builds data structures to represent:a complete environment (Scene )classes (SootClass )Fields and Methods (SootMethod ,SootField )bodies of Methods (come in differentflavours, corresponding to different IRlevels, ie. JimpleBody )
These data structures are implemented usingOO techniques, and designed to be easy touse and generic where possible.
Analyzing Java Programs with Soot – p. 14/89
![Page 15: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/15.jpg)
Soot Classes
SootMethod
SootClass
JimpleBody
Scene
SootField
getMethod()
getField()
getSootClass()
Scene.v()
getSignature()
getActiveBody()
(singleton)
getSignature()
Analyzing Java Programs with Soot – p. 15/89
![Page 16: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/16.jpg)
Body-centric View
Chain
SootMethod
ChainJimpleBody
Chain
getLocals()
getActiveBody()
getTraps()getUnits()
Analyzing Java Programs with Soot – p. 16/89
![Page 17: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/17.jpg)
Getting a UnitGraph
SootMethod
Chain
ChainJimpleBody
Chain
UnitGraph
getUnits()
new BriefUnitGraph()
getLocals()
getActiveBody()
getTraps()getUnits()
getBody()
Analyzing Java Programs with Soot – p. 17/89
![Page 18: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/18.jpg)
What to do with a UnitGraph
getBody()
getHeads(), getTails()
getPredsOf(u), getSuccsOf(u)
getExtendedBasicBlockPathBetween(from, to)
Analyzing Java Programs with Soot – p. 18/89
![Page 19: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/19.jpg)
Control-flow units
We create an OO hierarchy of units, allowinggeneric programming using Units.
Unit: abstract interface
Inst: Baf’s bytecode-level unit(load x)
Stmt: Jimple’s three-address code units(z = x + y)
Stmt: also used in Grimp(z = x + y * 2 % n;)
Analyzing Java Programs with Soot – p. 19/89
![Page 20: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/20.jpg)
Soot Philosophy on Units
Accesses should be abstract wheneverpossible!
Accessing data:
getUseBoxes(), getDefBoxes(),getUseAndDefBoxes()
(also control-flow information:)fallsThrough(), branches(),getBoxesPointingToThis(),
addBoxesPointingToThis(),
removeBoxesPointingToThis(),
redirectJumpsToThisTo()
Analyzing Java Programs with Soot – p. 20/89
![Page 21: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/21.jpg)
What is a Box?
s: x = y op z
AssignStmt
VB
x
VB
OpExpr
VB
y
VB
z
AssignStmt
x OpExpr
y z
Analyzing Java Programs with Soot – p. 21/89
![Page 22: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/22.jpg)
What is a DefBox?
List defBoxes = ut.getDefBoxes();
method ut.getDefBoxes() returns a list ofValueBoxes, corresponding to all Valueswhich get defined in ut, a Unit.
non-empty for IdentityStmt andAssignStmt.
ut: x = y op z ;
getDefBoxes(ut) = { x }(List containing a ValueBoxcontaining a Local)
Analyzing Java Programs with Soot – p. 22/89
![Page 23: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/23.jpg)
On Values and Boxes
Value value = defBox.getValue();
getValue(): Dereferencing a pointer.x → x
setValue(): mutates the value in the Box.
Analyzing Java Programs with Soot – p. 23/89
![Page 24: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/24.jpg)
On UseBoxes
Opposite of defBoxes.List useBoxes = ut.getUseBoxes();
method ut.getUseBoxes() returns a list ofValueBoxes, corresponding to all Valueswhich get used in ut, a Unit.
non-empty for most Soot Units.
ut: x = y op z ;
getUseBoxes(ut) = { y , z , y op z }
(List containing 3 ValueBoxes, 2containing Locals & 1 Expr)
Analyzing Java Programs with Soot – p. 24/89
![Page 25: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/25.jpg)
Why Boxes?
Change all instances of y to 1:
AssignStmt
VB
x
VB
OpExpr
VB
y
VB
z
AssignStmt
x OpExpr
y z
setValue() ??
Analyzing Java Programs with Soot – p. 25/89
![Page 26: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/26.jpg)
Search & Replace
/* Replace all uses of v1 in body with v2 */
void replace(Body body, Value v1, Value v2)
{ for (Unit ut : body.getUnits())
{ for (ValueBox vb : ut.getUseBoxes())
if( vb.getValue().equals(v1) )
vb.setValue(v2);
}
}
replace(b, y, IntConstant.v(1));
Analyzing Java Programs with Soot – p. 26/89
![Page 27: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/27.jpg)
More Abstract Accessors: Stmt
Jimple provides the following additionalaccessors for special kinds of Values:
containsArrayRef(),getArrayRef(), getArrayRefBox()
containsInvokeExpr(),getInvokeExpr(), getInvokeExprBox()
containsFieldRef(),getFieldRef(), getFieldRefBox()
Analyzing Java Programs with Soot – p. 27/89
![Page 28: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/28.jpg)
Intraprocedural Outline
About Soot’s Flow Analysis Framework
Flow Analysis ExamplesLive VariablesBranched Nullness
Adding Analyses to Soot
Analyzing Java Programs with Soot – p. 28/89
![Page 29: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/29.jpg)
Flow Analysis in Soot
Flow analysis is key part of compilerframework
Soot has easy-to-use framework forintraprocedural flow analysis
Soot itself, and its flow analysis framework,are object-oriented.
Analyzing Java Programs with Soot – p. 29/89
![Page 30: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/30.jpg)
Four Steps to Flow Analysis
1. Forward or backward? Branched or not?
2. Decide what you are approximating.What is the domain’s confluence operator?
3. Write equation for each kind of IR statement.
4. State the starting approximation.
Analyzing Java Programs with Soot – p. 30/89
![Page 31: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/31.jpg)
HOWTO: Soot Flow Analysis
A checklist of your obligations:
1. Subclass *FlowAnalysis
2. Implement abstraction: merge(), copy()
3. Implement flow function flowThrough()
4. Implement initial values:newInitialFlow() andentryInitialFlow()
5. Implement constructor(it must call doAnalysis())
Analyzing Java Programs with Soot – p. 31/89
![Page 32: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/32.jpg)
HOWTO: Soot Flow Analysis II
Soot provides you with:
impls of abstraction domains (flow sets)standard abstractions trivial to implement;
an implemented flow analysis namely,doAnalysis() method: executesintraprocedural analyses on a CFG using aworklist algorithm.
Analyzing Java Programs with Soot – p. 32/89
![Page 33: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/33.jpg)
soot.toolkits.scalar
Flow Analysis Hierarchy
AbstractFlowAnalysis
FlowAnalysis
Forward- Backward-
BranchedFlowAnalysis
Forward-
Analyzing Java Programs with Soot – p. 33/89
![Page 34: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/34.jpg)
soot.toolkits.scalar
Soot Flow Analyses
AbstractFlowAnalysis
FlowAnalysis
Forward-
PRE analy’s
Avail. Expr.
Array Bds
Backward-
PRE analy’s
Liveness
BranchedFlowAnalysis
Forward-
Casts Nullness
Analyzing Java Programs with Soot – p. 34/89
![Page 35: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/35.jpg)
Backward vs. Forward Analyses
A forward analysis computes OUT from IN:
fs(i)
s
t
flow dir
i
fs(i)
ft(fs(i))
A backward analysis computes IN from OUT:
ft(i)
sflow dir
t
i
ft(i)
fs(ft(i))
Analyzing Java Programs with Soot – p. 35/89
![Page 36: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/36.jpg)
Outline: Soot Flow Analysis Examples
Will describe how to implement a flow analysis inSoot and present examples:
live locals
branched nullness testing
Analyzing Java Programs with Soot – p. 36/89
![Page 37: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/37.jpg)
Example 1: Live Variables
A local variable v is live at s if there exists somestatement s′ using v and a control-flow path froms to s′ free of definitions of v.
{}
y=x
x=y z=2
{z, y}
{z, x}
a=z
b=y
{z, y}
{y}
{z, y}
{z, y}
{z, y}
{z}
{z}
Analyzing Java Programs with Soot – p. 37/89
![Page 38: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/38.jpg)
Steps to a Flow Analysis
As we’ve seen before:
1. Subclass *FlowAnalysis
2. Implement abstraction: merge(), copy()
3. Implement flow function flowThrough()
4. Implement initial values:newInitialFlow() andentryInitialFlow()
5. Implement constructor(it must call doAnalysis())
Analyzing Java Programs with Soot – p. 38/89
![Page 39: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/39.jpg)
soot.toolkits.scalar.BackwardFlowAnalysis
Step 1: Forward or Backward?
Live variables is a backward flow analysis, sinceflow fn computes IN sets from OUT sets.
In Soot, we subclass BackwardFlowAnalysis.
class LiveVariablesAnalysisextends
BackwardFlowAnalysis<Unit,Set>
Analyzing Java Programs with Soot – p. 39/89
![Page 40: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/40.jpg)
soot.toolkits.scalar.ArraySparseSet
Step 2: Abstraction domain
Domain for Live Variables: sets of Localse.g. {x, y, z}
Partial order is subset inclusion
Merge operator is union
In Soot, we use the provided ArraySparseSetimplementation of FlowSet.
Analyzing Java Programs with Soot – p. 40/89
![Page 41: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/41.jpg)
Implementing an Abstraction
Need to implement copy(), merge() methods:
copy dirsrc
CFGdest
copy() brings IN set to predecessor’s OUT set.
src1 src2
merge dir dest = src1 ⊲⊳ src2
merge() joins two IN sets to make an OUT set.
Analyzing Java Programs with Soot – p. 41/89
![Page 42: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/42.jpg)
More on Implementing an Abstraction
Signatures:
void merge(Set src1, Set src2,
Set dest);
void copy(Set src, Set dest);
Analyzing Java Programs with Soot – p. 42/89
![Page 43: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/43.jpg)
soot.toolkits.scalar.FlowSet
Flow Sets and Soot
Soot provides special sets called FlowSets,which are often helpful.
Impls: ToppedSet, ArraySparseSet,ArrayPackedSet
// c = a ∩ b
a.intersection(b, c);
// d = c
c.complement(d);
// c = a ∪ b
a.union(b,c);
// d = d ∪ {v}
d.add(v);
Analyzing Java Programs with Soot – p. 43/89
![Page 44: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/44.jpg)
soot.toolkits.scalar.*Set
Digression: types of FlowSets
Which FlowSet do you want?
ArraySparseSet: simple listfoo bar z
(simplest possible)
ArrayPackedSet: bitvector w/ map00100101 10101111 10000000
(can complement, need universe)
ToppedSet:FlowSet & isTop()
(adjoins a ⊤ to another FlowSet)
Analyzing Java Programs with Soot – p. 44/89
![Page 45: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/45.jpg)
Step 2: copy() for live variables
protected void copy(Set src,Set dest) {
dest.clear(); dest.addAll(src);}
Analyzing Java Programs with Soot – p. 45/89
![Page 46: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/46.jpg)
Step 2: merge() for live variables
In live variables, a variable v is live if there existsany path from d to p, so we use union.
void merge(...) {dest.clear();dest.addAll(src1Set);dest.addAll(src2Set); }
Often, you may want to implement a more exoticmerge.
Analyzing Java Programs with Soot – p. 46/89
![Page 47: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/47.jpg)
Step 3: Flow equations
Goal: At a unit like x = y * z:kill def x;gen uses y, z.
How? Implement this method:protected void flowThrough
(Set srcValue,Unit u,Set destValue)
Analyzing Java Programs with Soot – p. 47/89
![Page 48: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/48.jpg)
Step 3: Copying
Need to copy src to dest to allow manipulation.
copy dirsrc
CFGdest
dest.clear();dest.addAll(src);
Analyzing Java Programs with Soot – p. 48/89
![Page 49: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/49.jpg)
Step 3: Implementing flowThrough
Must decide what happens at each statement (ingeneral, need to switch on unit type):
= OUT[ut] \ kills[ut] ∪ gens[ut]
ut
OUT[ut]
IN[ut]
IN[ut]
= flowThrough(OUT[ut])
flowThrough
flowThrough is the brains of a flow analysis.
Analyzing Java Programs with Soot – p. 49/89
![Page 50: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/50.jpg)
Step 3: flowThrough for live locals
A local variable v is live at s if there exists somestatement s′ containing a use of v, and acontrol-flow path from s to s′ free of def’ns of v.
Don’t care about the type of unit we’re analyzing:Soot provides abstract accessors to values usedand defined in a unit.
Analyzing Java Programs with Soot – p. 50/89
![Page 51: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/51.jpg)
Step 3: Implementing flowThrough: removing kills
// Take out kill set:// for each local v def’d in// this unit, remove v from destfor (ValueBox box : ut.getDefBoxes()){
Value value = box.getValue();if( value instanceof Local )
dest.remove( value );}
Analyzing Java Programs with Soot – p. 51/89
![Page 52: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/52.jpg)
Step 3: Implementing flowThrough: adding gens
// Add gen set// for each local v used in// this unit, add v to destfor (ValueBox box : ut.getUseBoxes()){
Value value = box.getValue();if (value instanceof Local)
dest.add(value);}
N.B. our analysis is generic, not restricted toJimple.
Analyzing Java Programs with Soot – p. 52/89
![Page 53: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/53.jpg)
Step 4: Initial values
• Soundly initialize IN, OUT sets prior toanalysis.
Create initial setsSet newInitialFlow()
{return new HashSet();}
Create initial sets for exit nodesSet entryInitialFlow()
{return new HashSet();}
Want conservative initial value at exit nodes,optimistic value at all other nodes.
Analyzing Java Programs with Soot – p. 53/89
![Page 54: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/54.jpg)
Step 5: Implement constructor
LiveVariablesAnalysis(UnitGraph g){
super(g);
doAnalysis();}Causes the flow sets to be computed, usingSoot’s flow analysis engine.
In other analyses, we precompute values.
Analyzing Java Programs with Soot – p. 54/89
![Page 55: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/55.jpg)
Enjoy: Flow Analysis Results
You can instantiate an analysis and collectresults:
LiveVariablesAnalysis lv =new LiveVariablesAnalysis(g);
// return HashSets// of live variables:
lv.getFlowBefore(s);lv.getFlowAfter(s);
Analyzing Java Programs with Soot – p. 55/89
![Page 56: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/56.jpg)
Example 2: VeryB
class VeryBusyExpressionAnalysis
extends BackwardFlowAnalysis {
[...]
}
Analyzing Java Programs with Soot – p. 56/89
![Page 57: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/57.jpg)
VeryB - Constructor
public VeryBusyExpressionAnalysis(
DirectedGraph g) {
super(g);
doAnalysis();
}
Analyzing Java Programs with Soot – p. 57/89
![Page 58: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/58.jpg)
VeryB - Merge
protected void merge(Object in1,
Object in2,
Object out) {
FlowSet inSet1 = (FlowSet)in1,
inSet2 = (FlowSet)in2,
outSet = (FlowSet)out;
inSet1.intersection(inSet2,
outSet);
}
Analyzing Java Programs with Soot – p. 58/89
![Page 59: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/59.jpg)
VeryB - Copy
protected void copy(Object source,
Object dest) {
FlowSet srcSet = (FlowSet)source,
destSet = (FlowSet)dest;
srcSet.copy(destSet);
}
Analyzing Java Programs with Soot – p. 59/89
![Page 60: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/60.jpg)
VeryB - Flow
protected void flowThrough(Object in,
Object node,
Object out) {
FlowSet inSet = (FlowSet)source,
outSet = (FlowSet)dest;
Unit u = (Unit)node;
kill(inSet, u, outSet);
gen(outSet, u);
}
Analyzing Java Programs with Soot – p. 60/89
![Page 61: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/61.jpg)
VeryB - Gen
private void gen(FlowSet outSet,
Unit u) {
for (ValueBox useBox: u.getUseBoxes()) {
if (useBox.getValue()
instanceof BinopExpr)
outSet.add(useBox.getValue());
}
}
}
Analyzing Java Programs with Soot – p. 61/89
![Page 62: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/62.jpg)
VeryB - Kill
private
void kill(FlowSet in, Unit u, FlowSet out) {
FlowSet kills = (FlowSet)emptySet.clone();
for (ValueBox defBox: u.getUseBoxes()) {
if (defBox.getValue() instanceof Local) {
for (BinopExpr e: in) {
for (ValueBox useBox: e.getUseBoxes()) {
if (useBox.getValue() instanceof Local
&& useBox.getValue().equivTo(
defBox.getValue()))
kills.add(e);
}}}}
in.difference(kills, out);
}
Analyzing Java Programs with Soot – p. 62/89
![Page 63: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/63.jpg)
VeryB - Initial State
protected Object entryInitialFlow() {
return new ValueArraySparseSet();
}
protected Object newInitialFlow() {
return new ValueArraySparseSet();
}
Analyzing Java Programs with Soot – p. 63/89
![Page 64: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/64.jpg)
Example 3: Branched Nullness
A local variable v is non-null at s if allcontrol-flow paths reaching s result in v beingassigned a value different from null.
F
x=new foo()
{y}
{}
{y}
{x, y}
{x}
{x}
{x, b}
{} if (y==null)
x.bar()
y=null
y=b.f
{}
{x}
T
Analyzing Java Programs with Soot – p. 64/89
![Page 65: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/65.jpg)
HOWTO: Soot Flow Analysis
Again, here’s what to do:
1. Subclass *FlowAnalysis
2. Implement abstraction: merge(), copy()
3. Implement flow function flowThrough()
4. Implement initial values:newInitialFlow() andentryInitialFlow()
5. Implement constructor(it must call doAnalysis())
Analyzing Java Programs with Soot – p. 65/89
![Page 66: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/66.jpg)
soot.toolkits.scalar.ForwardBranchedFlowAnalysis
Step 1: Forward or Backward?
Nullness is a branched forward flow analysis,since flow fn computes OUT sets from IN sets,sensitive to branches
Now subclass ForwardBranchedFlowAnalysis.
class NullnessAnalysis
extends
ForwardBranchedFlowAnalysis<Unit,FlowSet> {
Analyzing Java Programs with Soot – p. 66/89
![Page 67: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/67.jpg)
∗ see soot.jimple.toolkits.annotation.nullcheck.BranchedRefVarsAnalysis
Step 2: Abstraction domain
Domain: sets of Locals known to be non-nullPartial order is subset inclusion.
(More complicated abstractions possible∗ for thisproblem; e.g. ⊥,⊤,null,non-null per-local.)
This time, use ArraySparseSet to implement:
void merge(FlowSet in1, FlowSet in2,
FlowSet out);
void copy(FlowSet src, FlowSet dest);
Analyzing Java Programs with Soot – p. 67/89
![Page 68: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/68.jpg)
Implementing an Abstraction
For a forward analysis, copy and merge mean:
destCFGcopy dir
src
copy() brings OUT set to predecessor’s IN set.
src1 src2
merge dirdest = src1 ⊲⊳ src2
merge() joins two OUT sets to make an IN set.
Analyzing Java Programs with Soot – p. 68/89
![Page 69: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/69.jpg)
Step 2: copy() for nullness
Same as for live locals.protected void copy(FlowSet src,
FlowSet dest) {src.copy(dest);
}
Use copy() method from FlowSet.
Analyzing Java Programs with Soot – p. 69/89
![Page 70: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/70.jpg)
Step 2: merge() for nullness
In branched nullness, a variable v is non-null if itis non-null on all paths from start to s, so weuse intersection.
Like copy(), use FlowSet method – here,intersection():
void merge(...) {srcSet1.intersection(srcSet2,
destSet);}
Analyzing Java Programs with Soot – p. 70/89
![Page 71: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/71.jpg)
Step 3: Branched Flow Function
Need to differentiate between branch andfall-through OUT sets.protected void
flowThrough(FlowSet srcValue,Unit unit,List<FlowSet> fallOut,List<FlowSet> branchOuts)
fallOut is a one-element list.branchOuts contains a FlowSet for eachnon-fallthrough successor.
Analyzing Java Programs with Soot – p. 71/89
![Page 72: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/72.jpg)
Step 3: Flow equations
We do the following things in our flow function:
Create copy of src set.
Analyzing Java Programs with Soot – p. 72/89
![Page 73: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/73.jpg)
Step 3: Flow equations
We do the following things in our flow function:
Create copy of src set.
Remove kill set (defined Locals).y in y = y.next;
Analyzing Java Programs with Soot – p. 72/89
![Page 74: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/74.jpg)
Step 3: Flow equations
We do the following things in our flow function:
Create copy of src set.
Remove kill set (defined Locals).y in y = y.next;
Add gen set.x in x.foo();
Analyzing Java Programs with Soot – p. 72/89
![Page 75: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/75.jpg)
Step 3: Flow equations
We do the following things in our flow function:
Create copy of src set.
Remove kill set (defined Locals).y in y = y.next;
Add gen set.x in x.foo();
Handle copy statements.
Analyzing Java Programs with Soot – p. 72/89
![Page 76: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/76.jpg)
Step 3: Flow equations
We do the following things in our flow function:
Create copy of src set.
Remove kill set (defined Locals).y in y = y.next;
Add gen set.x in x.foo();
Handle copy statements.
Copy to branch and fallthrough lists.
Analyzing Java Programs with Soot – p. 72/89
![Page 77: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/77.jpg)
Step 3: Flow equations
We do the following things in our flow function:
Create copy of src set.
Remove kill set (defined Locals).y in y = y.next;
Add gen set.x in x.foo();
Handle copy statements.
Copy to branch and fallthrough lists.
Patch sets for if statements.
Analyzing Java Programs with Soot – p. 72/89
![Page 78: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/78.jpg)
Step 4: Initial values
Initialize IN, OUT sets.
Create initial sets (⊤ from constr.)FlowSet newInitialFlow() {
{ return fullSet.clone(); }
Create entry sets (emptySet from constr.)FlowSet entryInitialFlow()
{ return emptySet.clone(); }
(To be created in constructor!)
Analyzing Java Programs with Soot – p. 73/89
![Page 79: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/79.jpg)
Step 5: Constructor: Prologue
Create auxiliary objects.
public NullnessAnalysis(UnitGraph g){
super(g);
unitToGenerateSet = new HashMap();Body b = g.getBody();
Analyzing Java Programs with Soot – p. 74/89
![Page 80: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/80.jpg)
Step 5: Constructor: Finding All Locals
Create flowsets, finding all locals in body:emptySet = new ArraySparseSet();fullSet = new ArraySparseSet();
for (Local l : b.getLocals()) {if (l.getType()
instanceof RefLikeType)fullSet.add(l);
}
Analyzing Java Programs with Soot – p. 75/89
![Page 81: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/81.jpg)
Step 5: Creating gen sets
Precompute, for each statement, which localsbecome non-null after execution of that stmt.
x gets non-null value:x = *, where * is NewExpr, ThisRef, etc.
successful use of x:x.f, x.m(), entermonitor x, etc.
Analyzing Java Programs with Soot – p. 76/89
![Page 82: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/82.jpg)
Step 5: Constructor: Doing work
Don’t forget to call doAnalysis()!
...
doAnalysis();}
}
Analyzing Java Programs with Soot – p. 77/89
![Page 83: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/83.jpg)
Enjoy: Branched Flow Analysis Results
To instantiate a branched analysis & collectresults:NullnessAnalysis na=new NullnessAnalysis(b);
// a SparseArraySet of non-null variables.
na.getFlowBefore(s);
// another SparseArraySet
if (s.fallsThrough()) na.getFallFlowAfter(s);
// a List of SparseArraySets
if (s.branches()) na.getBranchFlowAfter(s);
Analyzing Java Programs with Soot – p. 78/89
![Page 84: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/84.jpg)
Adding transformations to Soot (easy way)
1. Implement a BodyTransformer ora SceneTransformer
internalTransform methoddoes the transformation
2. Choose a pack for your transformation(usually jtp)
3. Write a main method that adds the transformto the pack, then runs Soot’s main
Analyzing Java Programs with Soot – p. 79/89
![Page 85: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/85.jpg)
soot.Pack
On Packs
Want to run a set of Transformer objects withone method call.
⇒ Group them in a Pack.
Soot defines default Packs which are runautomatically. To add a Transformer to thejtp Pack:Pack jtp = G.v().PackManager().
getPack("jtp");
jtp.add(new Transform("jtp.nt",
new NullTransformer()));
jtp.add(new Transform("jtp.nac",
new NullnessAnalysisColorer()));
Analyzing Java Programs with Soot – p. 80/89
![Page 86: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/86.jpg)
Running Soot more than once
All Soot global variables are stored in G.v()
G.reset() re-initializes all of Soot
Analyzing Java Programs with Soot – p. 81/89
![Page 87: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/87.jpg)
Generating Jimple
.class coffi
jb Jimple
.jimpleJimpleparser
Analyzing Java Programs with Soot – p. 82/89
![Page 88: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/88.jpg)
Intra-procedural packs
stp sop sap Shimple
Jimple jtp jop jap Jimple
bb bop tag Baf
gb gop Grimp
Dava Jasmin Output
Analyzing Java Programs with Soot – p. 83/89
![Page 89: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/89.jpg)
The p is sometimes silent.
Soot Pack Naming Scheme
w?(j|s|b|g)(b|t|o|a)p
w ⇒ Whole-program phase
j, s, b, g ⇒ Jimple, Shimple, Baf, Grimp
b, t, o, a ⇒
(b) Body creation(t) User-defined transformations(o) Optimizations with -O option(a) Attribute generation
Analyzing Java Programs with Soot – p. 84/89
![Page 90: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/90.jpg)
Soot Packs (Jimple Body)
jb converts naive Jimple generated frombytecode into typed Jimple with split variables
Analyzing Java Programs with Soot – p. 85/89
![Page 91: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/91.jpg)
Soot Packs (Jimple)
jtp performs user-defined intra-proceduraltransformations
jop performs intra-procedural optimizationsCSE, PRE, constant propagation, . . .
jap generates annotations using whole-programanalyses
null-pointer checkarray bounds checkside-effect analysis
Analyzing Java Programs with Soot – p. 86/89
![Page 92: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/92.jpg)
Soot Packs (Back-end)
bb performs transformations to create Baf
bop performs user-defined Baf optimizations
gb performs transformations to create Grimp
gop performs user-defined Grimp optimizations
tag aggregates annotations intobytecode attributes
Analyzing Java Programs with Soot – p. 87/89
![Page 93: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/93.jpg)
Conclusion
Have introduced Soot, a framework foranalyzing, optimizing, (tagging andvisualizing) Java bytecode.
Have shown the basics of using Soot as astand-alone tool and also how to add newfunctionality to Soot.
Now for some homework and reading.
Analyzing Java Programs with Soot – p. 88/89
![Page 94: Analyzing Java Programs with Soot - Service webdufour/cours/ift6315/docs/soot-tutorial.pdf · Analyzing Java Programs with Soot Bruno Dufour based on material by: Eric Bodden,Laurie](https://reader031.fdocuments.us/reader031/viewer/2022022005/5ab8e3e37f8b9ab62f8d255c/html5/thumbnails/94.jpg)
Resources
Main Soot page: www.sable.mcgill.ca/soot/
Theses and papers:
www.sable.mcgill.ca/publications/
Tutorials: www.sable.mcgill.ca/soot/tutorial/
Javadoc: in main Soot distribution,www.sable.mcgill.ca/software/#soot and alsoonline at www.sable.mcgill.ca/soot/doc/ .
Mailing lists:
www.sable.mcgill.ca/soot/#mailingLists
Soot in a Course:
www.sable.mcgill.ca/˜hendren/621/
Analyzing Java Programs with Soot – p. 89/89