soot

Soot - A Java optimization framework

How to compute, for each method, the set of exceptions that method may throw, including runtime exceptions?

I'm trying to implement an intra-procedural analysis that computes, for each method, the set of exceptions that method may throw, including runtime exceptions that are explicitly thrown by means of a throw statement.

So far, I'm completely lost on how to start it with SOOT. Can anyone give me a first hint?


Source: (StackOverflow)

What does .v() mean in soot library?

I work with the Soot library.

In different examples I see the .v() method, for example Jimple.v(), scene.v(), and so on.

Now I want to ask what it means, especially in Jimple.v().


Source: (StackOverflow)

How do I install SOOT?

I am using Ubuntu 14.04 and I want to install SOOT. Can somebody help me do that? Is there any plugin for IntelliJ IDEA for this? Do I have to download the whole source code for this from GitHub?


Source: (StackOverflow)

AOT compilation or native code compilation of Scala?

My Scala application needs to perform simple operations over large arrays of integers & doubles, and performance is a bottleneck. I've struggled to put my finger on exactly when certain optimizations kick in (e.g. escape analysis) although I can observe their results through various benchmarking. I'd love to do some AOT compilation of my Scala application, so I can see or enforce (or implement) certain optimizations ... or compile to native code, if possible, so I can cut corners like bounds checking and observe if it makes a difference.

My question: what alternative compilation methods work for Scala? I'm interested in tools like llvm, vmkit, soot, gcj, etc. Who is using those successfully with Scala at this point, or are none of these methods currently compatible or maintained?


Source: (StackOverflow)

Recommendations for a binary expression tree library for boolean expressions in Java

I'm doing some very simple program analyses/transformations in Java using Soot, and I find myself needing to do some simple combinations of boolean expressions. So for example, during my analysis, I'll have an expression like (a < 25) && (b >= 10) and I want to join that expression with (a >=-10) via an OR operator to get a full expression like (a >=-10) || (a < 25) && (b >= 10). Basically, just combining two boolean expression trees into one expression. I might further desire to automatically convert the expression tree into an equivalent conjunctive normal form version of the tree.

Another requirement I have is the ability to simplify the expression (via custom code, if needed) when we have expressions that can be trivially eliminated. For example (a < 20) || (a >= 20) reduces to TRUE, since (a < 20) = (!(a >= 20)), so we can eliminate some terms as we go.

I know it's a classic introductory problem to code up a boolean expression tree, and I'm pretty sure I've implemented it before (once, long ago, for a data structures class :) ) I know I could do it again, if needed... But given that this is likely something that's been handled before, I wonder if there are any recommendations on a library I should look into to tackle the above. I hate to re-invent the wheel when there's probably a perfectly good one out there already.

So to summarize, I'm looking for a Java library that has:

  • Boolean expression trees
  • Combination of expressions
  • Simplification of terms (this is pretty specific, so it's "nice to have")
  • Conversion to CNF

Any recommendations?

(NOTE: I won't be evaluating these trees, so each of the nodes will be unresolved predicates like variable != 20 or foo >= 50, so evaluation isn't a requirement, but it doesn't hurt if it's part of the library, either.)


Source: (StackOverflow)

Add timeout behavior to a class using an old framework

I am using the SOOT framework for some static analysis. However, sometimes the analysis takes hours and I want to set a timeout to stop analysis and continue it with another program.

To achieve that kind of behavior I run the analysis in a thread:

thread = new Thread(new Runnable() {
    @Override
    public void run() {
        // Blocking call into Soot; it does not check the interrupt flag
        buildCallgraph();
    }
});

!! The buildCallgraph() method is provided by SOOT and I have no chance to change it. !!

Currently I have no idea how to stop the thread. Interrupt won't work since buildCallgraph() is never checking if its thread has been interrupted. Thread.stop() shouldn't be used.

So, does anyone have an idea how to terminate the Thread?

Regards Robert


Source: (StackOverflow)

Soot - How to prevent loadClassAndSupport from creating an empty SootClass?

Using the soot framework (v.2.5.0) I'm trying to load a certain class:

SootClass clazz = Scene.v().loadClassAndSupport("example.MyClass");

Before calling Scene#loadClassAndSupport the class example.MyClass is NOT within the scene - which is correct.
The class also doesn't exist on the soot classpath and therefore the statement above throws a RuntimeException saying that the class could not be found. And that's also correct behaviour.

But after that exception has been thrown the class example.MyClass is within soot's scene!
Another call to Scene#loadClassAndSupport therefore returns a SootClass instance where isPhantom is set to false but it doesn't have any methods or fields.

  1. Is this behaviour intended by the soot framework or is it a bug?
  2. If it is intended, how can I prevent Soot from adding a "dummy" SootClass to the scene?
  3. Is there another way to test whether a certain class is within Soot's classpath without adding it to Soot's scene?

Update:
An ugly but working workaround is:

try {
  SootClass sootClass = Scene.v().loadClassAndSupport( className );
  sootClass.setApplicationClass();
  // class found and loaded...
} catch(RuntimeException e) {
  SootClass sootClass = Scene.v().loadClassAndSupport( className );
  Scene.v().removeClass( sootClass );
  // class not on soot's classpath or not loadable...
}

Source: (StackOverflow)

Call graph for APK files, but it generates no output

I am trying to get a call graph for APK files. I run the code below, but afterward when I check the sootOutput file, it's empty! Any ideas? P.S.: it prints the size of the graph and has no error!

Thank you in advance.

import java.io.IOException;
import java.util.Collections;
import org.xmlpull.v1.XmlPullParserException;
import soot.PackManager;
import soot.Scene;
import soot.SootMethod;
import soot.jimple.infoflow.android.SetupApplication;
import soot.options.Options;

public class call {

    public call() {
        // TODO Auto-generated constructor stub
    }

    public static void main(String[] args) {

        // TODO Auto-generated method stub

        SetupApplication app = new SetupApplication("D:\\Users\\ML\\AppData\\Local\\Android\\sdk\\platforms","D:/b.apk");
        try {
            app.calculateSourcesSinksEntrypoints("C:\\Users\\ML\\workspace\\Graph\\1.txt");
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (XmlPullParserException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

        soot.G.reset();

        Options.v().set_src_prec(Options.src_prec_apk);
        Options.v().set_process_dir(Collections.singletonList("D:/b.apk"));
        Options.v().set_android_jars("D:\\Users\\ML\\AppData\\Local\\Android\\sdk\\platforms");
        Options.v().set_whole_program(true);
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_output_format(Options.output_format_class);
        Options.v().setPhaseOption("cg.spark", "on");

        Scene.v().loadNecessaryClasses();

        SootMethod entryPoint = app.getEntryPointCreator().createDummyMain();
        Options.v().set_main_class(entryPoint.getSignature());
        Scene.v().setEntryPoints(Collections.singletonList(entryPoint));
        //System.out.println(entryPoint.getActiveBody());

        PackManager.v().runPacks();
        System.out.println(Scene.v().getCallGraph().size()); 
    }

}

Source: (StackOverflow)

Soot version of Jasmin failing to assemble Jasmin assembly files

I have both the version of Jasmin 2.4 from the Jasmin SourceForge and the version of Jasmin 2.4 from the Soot project (at sable.mcgill.ca, labeled "jasminclasses"), and the Soot version (which I need) does not seem to be working properly.

I have made a simple compiler which compiles initially to Jasmin JVM assembly then uses Jasmin to assemble into JVM class files. I used to use the normal version of Jasmin from Jasmin's SourceForge site, and it was working great; everything compiled and ran correctly. Now I have started doing optimization using the Soot framework, and all that works great as long as I don't try to convert the optimized code back into a class file.

Since I'm using Soot now, I have to use Soot's version of Jasmin, which supports the JasminOutputStream that Soot uses. Soot's version of Jasmin does appear as though it's still supposed to be able to handle processing Jasmin files the "old fashioned" way, reading in a ".j" file instead of taking an input stream, but when I try (for the initial assemble before the optimization), the Soot version fails.

If I do

java -cp jasmin.jar jasmin.Main MyClass.j

I get output "Generated: MyClass.class" as expected.

If I do (where jasminclasses is the Soot version of Jasmin)

java -cp jasminclasses-2.4.0.jar jasmin.Main MyClass.j

I get output

MyClass.j:5: Warning - Syntax error.
.field public n
                ^
MyClass.j:5: Error - Couldn't repair and continue parse.
.field public n
                ^
MyClass.j: Found 2 errors

Line 5 is just .field public n I. Nothing incorrect about it, and as shown above, it compiles fine with the normal version of Jasmin.

For completeness, here's some more code around that point:

.source MyClass.j
.class public MyClass
.super AnotherClass

.field public n I

.method public <init>()V
 aload_0
 invokenonvirtual AnotherClass/<init>()V
 return
.end method

Everything there is fine and assembles fine with normal Jasmin.

Does anyone know if the Soot version of Jasmin expects a different syntax? As with most stuff concerning Soot and Jasmin, there's not much on the web at all in the first place, let alone much on what I'm searching for, so my Googling isn't coming up with much.

Thank you in advance for any assistance offered, I'm really getting frustrated here. My next step is going to be to debug Soot's Jasmin package and see what it's doing in there and why it's failing, but I'm hoping I don't have to go that far for now just for this.


Source: (StackOverflow)

Using Soot programmatically to analyze .java source files

I have just started playing around with Soot in order to analyze .java files programmatically. From what I've read, Soot seems to be a very powerful tool for source code analysis but most of the material I found online talks about using it as a command-line tool.

I need to programmatically load classes from .java files in a given directory, construct a Program Dependence Graph (PDG) and do some Program Slicing. I am still not sure if Soot offers slicing but I can implement that myself once I have the PDG.

To get started, I tried using the code below:

Options.v().set_whole_program(true);
Options.v().set_soot_classpath("...");

SootClass c = Scene.v().loadClassAndSupport("MyClass");
c.setApplicationClass();

CHATransformer.v().transform();
CallGraph cg = Scene.v().getCallGraph();

However, it does not work. It gets stuck at the loadClassAndSupport call for a few seconds and then my program just exits abruptly, without giving any exception or anything.

If anyone has tried to use Soot programmatically, are there any other options that I need to set? Or can you point me to a tutorial where they set up Soot programmatically from scratch?


Source: (StackOverflow)

The Soot-based FlowDroid fails with an exception error when testing an APK

I am trying to test the broadcast receiver component in an Android application based on taint analysis. However, when I am using FlowDroid to test the related application, it shows:

Exception in thread "main" java.lang.NoSuchMethodError: soot.jimple.infoflow.results.InfoflowResults.getResults()Ljava/util/Map;
    at soot.jimple.infoflow.android.TestApps.Test$MyResultsAvailableHandler.onResultsAvailable(Test.java:80)
    at soot.jimple.infoflow.Infoflow.runAnalysis(Infoflow.java:415)
    at soot.jimple.infoflow.Infoflow.computeInfoflow(Infoflow.java:137)
    at soot.jimple.infoflow.android.SetupApplication.runInfoflow(SetupApplication.java:700)
    at soot.jimple.infoflow.android.TestApps.Test.runAnalysis(Test.java:554)
    at soot.jimple.infoflow.android.TestApps.Test.main(Test.java:217)

All the jar files are using the newest nightly version that comes from the homepage, but I really have no idea about this kind of problem, because I also checked the source code and there is nothing wrong with the getResult() method. Can anybody help?


Source: (StackOverflow)

Soot: Invalid option -android-jars

While I wanted to run soot using the option -android-jars from command line, I got the error "Invalid option". I downloaded the soot source code (sootall-2.5.0) from https://www.sable.mcgill.ca/soot/soot_download.html, and I built the project in eclipse successfully.

I also downloaded the soot-master and soot-develop source code. I saw these two have the option "-android-jars", but when I built the project, there were too many errors... So I failed again.

How can I solve this problem? I am very new to Soot. I hope somebody can help me. thx~


Source: (StackOverflow)

Instrumenting Android apps with Soot using a helper class

I am instrumenting Android applications using a helper class following the example for Java instrumentation in http://www.sable.mcgill.ca/soot/tutorial/profiler2/profiler2.html.

In my BodyTransformer, I have a static block to load MyCounter class

counterClass = Scene.v().loadClassAndSupport("MyCounter");

Since Soot.Main.main(args) that processes my args (in which I provide -android-jars) is not executed while it is loading MyCounter, Soot cannot find my android jar and gives the error:

Caused by: java.lang.RuntimeException: You are analyzing an Android application but did not define android.jar. Options -android-jars or -force-android-jar should be used.
at soot.Scene.defaultClassPath(Scene.java:455)
at soot.Scene.getSootClassPath(Scene.java:224)
at soot.SootResolver.<init>(SootResolver.java:81)
at soot.Singletons.soot_SootResolver(Singletons.java:802)
at soot.SootResolver.v(SootResolver.java:91)
at soot.Scene.loadClass(Scene.java:667)
at soot.Scene.loadClassAndSupport(Scene.java:653)
at MyBodyTransformer.<clinit>(MyBodyTransformer.java:26)
... 1 more

As a solution, I provided my command line arguments (android jars, soot classpath, prepend classpath and process directory) in my main class, before creating my BodyTransformer. Now, it works.

I would like to ask whether there is a more proper way to solve this problem.


Source: (StackOverflow)

Analyzing Android application with Soot

I am writing some code that analyzes Android source code, basically to trace the definitions of local variables, and I want to use Soot in my code to extract some information from Android source code and build a high-level call graph of the classes. All my work is with the Java source code of the application.

I am not sure whether I need the Android jars referred to in http://www.bodden.de/2013/01/08/soot-android-instrumentation/ since the work does not involve reading or writing Dalvik bytecode (I could not download the jars anyway!).

I am wondering if someone could give me some guidance on this. I read the Soot mailing list and tried the solutions provided, but had no luck (problems because of imported libraries and the R class). [I am testing it with a basic hello world source code.]

Any help would be highly appreciated, including any reference to any other tool for Android static analysis.

Many thanks.

The arguments used for the soot.Main call are:

List<String> argsList = new ArrayList<String>(Arrays.asList(args));
argsList.addAll(Arrays.asList(new String[]{
        "-allow-phantom-refs",
        "-w",
        "-soot-class-path",
        "C:/Users/workspace_A/sootTest/src/com/example/soottest",
        "-output-format",
        "jimple",
        "MainActivity"}));

Some of the results:

Warning: java.lang.NoClassDefFoundError is a phantom class!
Warning: java.lang.StringBuffer is a phantom class!
Warning: java.lang.Boolean is a phantom class!
Warning: java.lang.Long is a phantom class!
Warning: java.lang.Integer is a phantom class!
Warning: java.lang.Short is a phantom class!
Warning: java.lang.Float is a phantom class!
Warning: java.lang.Double is a phantom class!
Warning: java.lang.Throwable is a phantom class!
Warning: java.lang.Class is a phantom class!
Warning: java.lang.Character is a phantom class!
Warning: java.lang.AssertionError is a phantom class!
Warning: java.lang.Byte is a phantom class!
Warning: java.lang.Void is a phantom class!
Warning: java.lang.ClassFormatError is a phantom class!
Warning: java.lang.InstantiationError is a phantom class!
Warning: java.lang.Runnable is a phantom class!
Warning: java.lang.ref.Finalizer is a phantom class!
Warning: java.lang.IncompatibleClassChangeError is a phantom class!
Warning: java.lang.NoSuchFieldError is a phantom class!
Warning: java.lang.StackOverflowError is a phantom class!
Warning: java.lang.Thread is a phantom class!
Warning: java.lang.IllegalAccessError is a phantom class!
Warning: java.lang.ArrayStoreException is a phantom class!
Warning: java.dyn.InvokeDynamic is a phantom class!
Warning: java.lang.NoSuchMethodError is a phantom class!
Warning: java.lang.LinkageError is a phantom class!
Warning: java.lang.ExceptionInInitializerError is a phantom class!
Warning: java.lang.InternalError is a phantom class!
Warning: java.lang.VerifyError is a phantom class!
Warning: java.io.Serializable is a phantom class!
Warning: java.lang.ArrayIndexOutOfBoundsException is a phantom class!
Warning: java.lang.ClassCastException is a phantom class!
Warning: java.lang.ArithmeticException is a phantom class!
Warning: java.lang.IndexOutOfBoundsException is a phantom class!
Warning: java.lang.AbstractMethodError is a phantom class!
Warning: java.lang.Object is a phantom class!
Warning: java.lang.ThreadDeath is a phantom class!
Warning: java.lang.String is a phantom class!
Warning: java.lang.UnknownError is a phantom class!
Warning: java.lang.ClassCircularityError is a phantom class!
Warning: java.lang.Cloneable is a phantom class!
Warning: java.lang.NegativeArraySizeException is a phantom class!
Warning: java.lang.UnsatisfiedLinkError is a phantom class!
Warning: java.lang.Error is a phantom class!
Warning: java.lang.OutOfMemoryError is a phantom class!
Warning: java.lang.IllegalMonitorStateException is a phantom class!
Warning: java.lang.RuntimeException is a phantom class!
Warning: java.lang.NullPointerException is a phantom class!
Warning: java.lang.ClassNotFoundException is a phantom class!
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:3,8:
  Semantic Error: no visible type named android.os.Bundle
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:4,8:
  Semantic Error: no visible type named android.app.Activity
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:5,8:
  Semantic Error: no visible type named android.view.Menu
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:7,35:
  Semantic Error: no visible type named Activity
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:9:
  Semantic Error: method does not override a method from its superclass
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:10,26:
  Semantic Error: no visible type named Bundle
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:12:
  Semantic Error: no method named setContentView(Unknown) in com.example.soottest.MainActivity matches.
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:12,18:
  Semantic Error: R.layout not found
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:12,27:
  Semantic Error: no field named activity_main
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:15:
  Semantic Error: method does not override a method from its superclass
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:16,37:
  Semantic Error: no visible type named Menu
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:18:
  Semantic Error: no method named getMenuInflater() in com.example.soottest.MainActivity matches.
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:18,29:
  Semantic Error: R.menu not found
C:\Users\workspace_A\sootTest\src\com\example\soottest\MainActivity.java:18,36:
  Semantic Error: no field named main
Exception in thread "main" soot.CompilationDeathException: there were errors during parsing and/or type checking (JastAdd frontend)
    at soot.JastAddInitialResolver.formAst(JastAddInitialResolver.java:63)
    at soot.JavaClassSource.resolve(JavaClassSource.java:54)
    at soot.SootResolver.bringToHierarchy(SootResolver.java:215)
    at soot.SootResolver.bringToSignatures(SootResolver.java:239)
    at soot.SootResolver.bringToBodies(SootResolver.java:280)
    at soot.SootResolver.processResolveWorklist(SootResolver.java:150)
    at soot.SootResolver.resolveClass(SootResolver.java:124)
    at soot.Scene.loadClass(Scene.java:448)
    at soot.Scene.loadClassAndSupport(Scene.java:433)
    at soot.Scene.loadNecessaryClass(Scene.java:1053)
    at soot.Scene.loadNecessaryClasses(Scene.java:1067)
    at soot.Main.run(Main.java:167)
    at soot.Main.main(Main.java:141)
    at sootCFG.CallGraphExample.main(CallGraphExample.java:60)

Source: (StackOverflow)

How to easily create Java bytecode dependent regression tests?

I have identified a bug in my application (which processes bytecode using soot) that only arises on specific bytecode instructions.

I want to create a test for that specific case. However, I'm not able to reliably write test code that will compile to the expected bytecode, which would then trigger the bug.

This is my attempt to trigger the bug:

public void updateRhsOnIfEq() {
    int x = 15;
    int y = AircraftControl.readSensor(0);
    // FIXME != in bytecode instead of ==
    if (x == y) {
        AircraftControl.readSensor(y);
    }
    else {
        AircraftControl.readSensor(x);
    }
}

The problem is that the compiler changes the branch logic by inverting the comparison and switching the two branches. As you can see in the bytecode below, it does a != comparison instead of ==. However, the bug I'm testing for is only triggered by a ==.

 public void updateRhsOnIfEq();
     0  bipush 15
     2  istore_1 [x]
     3  iconst_0
     4  invokestatic AircraftControl.readSensor(int) : int [17]
     7  istore_2 [y]
     8  iload_1 [x]
     9  iload_2 [y]
    10  if_icmpne 21 <============================== Should be if_icmpeq
    13  iload_2 [y]
    14  invokestatic AircraftControl.readSensor(int) : int [17]
    17  pop
    18  goto 26
    21  iload_1 [x]
    22  invokestatic AircraftControl.readSensor(int) : int [17]
    25  pop
    26  return

Is there a way to write test cases that need to result in predictable bytecode easily? Is this possible at all given that there are different Java compilers, versions thereof etc?


Source: (StackOverflow)