Introduction to Soot - Automated testing and verification (J.P. Galeotti, Alessandra Gorla)

SLIDE 1

J.P. Galeotti - Alessandra Gorla

Automated testing and verification

Introduction to Soot

Thursday, November 22, 12

SLIDE 2

The Java virtual machine (JVM)

  • The Java compiler translates a Java program into Java bytecode (input language of the JVM)
  • The Java bytecode is similar to machine language (assembler) for the JVM

SLIDE 3

The SOOT framework

  • Set of Java APIs to handle Java bytecode
  • Optimization
  • Annotation
  • It was created by the Sable Research Group (http://www.sable.mcgill.ca)
  • Web: http://www.sable.mcgill.ca/soot/

SLIDE 4

Intermediate representation

  • Jimple: main Soot intermediate representation
  • Grimp: Jimple + complex expressions
  • Shimple: Jimple + SSA
  • Baf: Java bytecode “for humans”

SLIDE 5

Intermediate representations

Java Bytecode

  • Grimp (closer to Java)
  • Jimple/Shimple
  • Baf (closer to Bytecode)

SLIDE 6

Jimple

  • A Jimple representation can be created from:
      • Java source code
      • Java bytecode
  • Main features:
      • 3-address code: all instructions use at most 3 addresses
      • Unstructured: while, if, for, etc. are replaced with GOTO statements
      • Typing: all local variables are typed

SLIDE 7

Example: Original Java and Jimple transformation

Original Java:

if (x+y!=z) return;
else System.out.println("foo");

Jimple:

t = x+y;
if (t==z) goto label0;
return;
label0:
ref = System.out;
ref.println("foo");

SLIDE 8

Soot: dataflow analysis

  • Eclipse plugin:
      • Right click on Java file to analyze
      • Soot -> Process Source File -> Run Soot…
      • Output Options -> Output Format -> Jimple File
      • Phase Options -> Jimple Annotations Pack ->
          • Live Variables Tagger
          • Reaching Defs Tagger
          • Available Expressions Tagger
          • …etc

SLIDE 9

Soot: dataflow analysis

  • (demo)

SLIDE 10

Soot: dataflow analysis

  • Interactive Mode
      • Run… -> General Options -> Interactive Mode
  • Executing a custom analysis
      • Run… -> Soot Main Class

SLIDE 11

Developing a Soot analysis

  • Create new project
  • Add the libraries to the project build path:
      • jasminclasses.jar
      • polyglot.jar
      • sootclasses.jar
  • These libraries are stored in the lib/ plugin folder
  • Javadoc: http://www.sable.mcgill.ca/soot/doc/

SLIDE 12

Soot Dataflow Framework

  • Direction: Backward or Forward?
  • Approximation: May or Must?
  • Transfer Function definition:
      • E.g. how should x:=expr be treated?
  • Initial state definitions
      • Entry/exit node (depending on direction)
      • Intermediate nodes

SLIDE 13

1. Dataflow Direction

  • Soot has 3 analysis implementations
      • ForwardFlowAnalysis
      • BackwardFlowAnalysis
      • ForwardBranchedFlowAnalysis
  • The output is an object:
      • Map<Node,<IN set, OUT set>>

SLIDE 14
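
1. Dataflow direction

import soot.Unit;
import soot.toolkits.graph.DirectedGraph;
import soot.toolkits.scalar.FlowSet;
import soot.toolkits.scalar.ForwardFlowAnalysis;

public class MyFwdAnalysis extends ForwardFlowAnalysis<Unit,FlowSet> {
    public MyFwdAnalysis(DirectedGraph<Unit> g) {
        super(g);
        doAnalysis(); // run the fixed-point computation over g
    }
}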

SLIDE 15

2. Approximation

  • Implement methods merge and copy

// Intersection: a fact survives a join only if it holds on both incoming paths (must)
protected void merge(FlowSet inSet1, FlowSet inSet2, FlowSet outSet) {
    inSet1.intersection(inSet2, outSet);
}

protected void copy(FlowSet srcSet, FlowSet dstSet) {
    srcSet.copy(dstSet);
}

SLIDE 16

3. Transfer Function

  • Implement method flowThrough

protected void flowThrough(FlowSet inSet, Unit node, FlowSet outSet) {
    kill(inSet, node, outSet); // drop the facts that node invalidates
    gen(outSet, node);         // add the facts that node creates
}

  • Methods kill and gen are defined by the user

SLIDE 17

4. Initial flows

  • The initial flow content for entry/exit points, as well as other nodes:

// FlowSet is an interface, so return one of its implementations (here ArraySparseSet)
protected FlowSet entryInitialFlow() {
    return new ArraySparseSet();
}

protected FlowSet newInitialFlow() {
    return new ArraySparseSet();
}

SLIDE 18

FlowSets

  • Soot offers several FlowSet implementations:
  • ArraySparseSet
  • ArrayPackedSet
  • ToppedSet

SLIDE 19

Executing a custom analysis

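import soot.*;
import soot.toolkits.graph.ExceptionalUnitGraph;
import soot.toolkits.graph.UnitGraph;
import soot.toolkits.scalar.FlowSet;

// Load the class and build the control-flow graph of the method to analyze
SootClass c = Scene.v().loadClassAndSupport("MyClass");
c.setApplicationClass();
SootMethod m = c.getMethodByName("myMethod");
Body b = m.retrieveActiveBody();
UnitGraph g = new ExceptionalUnitGraph(b);

// Run the analysis, then read the IN and OUT set of every statement
MyFwdAnalysis an = new MyFwdAnalysis(g);
for (Unit unit : g) {
    FlowSet in = an.getFlowBefore(unit);
    FlowSet out = an.getFlowAfter(unit);
}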
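
The four decisions from slides 12 to 17, assembled into one concrete analysis with its driver. This is an added example, not part of the original slides: a forward must analysis that computes the locals assigned on every path to a statement. The class name DefinitelyAssigned and the command-line arguments are assumptions; it uses the raw FlowSet type as the slides do and needs the Soot jars on the classpath.

```java
import soot.*;
import soot.toolkits.graph.ExceptionalUnitGraph;
import soot.toolkits.graph.UnitGraph;
import soot.toolkits.scalar.ArraySparseSet;
import soot.toolkits.scalar.FlowSet;
import soot.toolkits.scalar.ForwardFlowAnalysis;

/** Forward must analysis: locals that have been assigned on every path to a statement. */
public class DefinitelyAssigned extends ForwardFlowAnalysis<Unit, FlowSet> {
    private final FlowSet allLocals = new ArraySparseSet(); // the "top" element

    public DefinitelyAssigned(UnitGraph g) {
        super(g);                                   // 1. direction: forward
        for (Local l : g.getBody().getLocals()) allLocals.add(l);
        doAnalysis();
    }

    @Override protected void merge(FlowSet in1, FlowSet in2, FlowSet out) {
        in1.intersection(in2, out);                 // 2. approximation: must
    }

    @Override protected void copy(FlowSet src, FlowSet dst) { src.copy(dst); }

    @Override protected void flowThrough(FlowSet in, Unit node, FlowSet out) {
        in.copy(out);                               // 3. kill: nothing, an assignment is never undone
        for (ValueBox def : node.getDefBoxes())     //    gen: every local this statement writes
            if (def.getValue() instanceof Local) out.add(def.getValue());
    }

    @Override protected FlowSet entryInitialFlow() {
        return new ArraySparseSet();                // 4. nothing is assigned at method entry
    }

    @Override protected FlowSet newInitialFlow() {
        FlowSet top = new ArraySparseSet();         // other nodes start at "all locals"; starting
        allLocals.copy(top);                        // empty would make intersection lose facts in loops
        return top;
    }

    public static void main(String[] args) {        // args: class name, method name
        SootClass c = Scene.v().loadClassAndSupport(args[0]);
        c.setApplicationClass();
        Body b = c.getMethodByName(args[1]).retrieveActiveBody();
        UnitGraph g = new ExceptionalUnitGraph(b);
        DefinitelyAssigned an = new DefinitelyAssigned(g);
        for (Unit u : g)
            System.out.println(an.getFlowBefore(u) + "  " + u);
    }
}
```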

SLIDE 20

Flow Transformation

  • The design pattern “Visitor” can be used to traverse the Jimple AST:
  • soot.jimple.AbstractStmtSwitch
  • soot.jimple.AbstractJimpleValueSwitch
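
One way to write a transfer function as a statement visitor. This is an added example, not from the original slides: a toy forward taint rule in which method parameters are the sources and taint propagates through assignments to locals. The class TaintSwitch, its flow method and the rule itself are hypothetical; the enclosing analysis is assumed to be a forward may analysis (merge by union) using the raw FlowSet type.

```java
import soot.Local;
import soot.Unit;
import soot.ValueBox;
import soot.jimple.AbstractStmtSwitch;
import soot.jimple.AssignStmt;
import soot.jimple.IdentityStmt;
import soot.jimple.ParameterRef;
import soot.toolkits.scalar.FlowSet;

/** Hypothetical transfer function written as a statement visitor (toy taint rule). */
public class TaintSwitch extends AbstractStmtSwitch {
    private final FlowSet in, out;

    private TaintSwitch(FlowSet in, FlowSet out) { this.in = in; this.out = out; }

    /** Call this from flowThrough(inSet, node, outSet) of the analysis. */
    public static void flow(FlowSet in, Unit node, FlowSet out) {
        in.copy(out);
        node.apply(new TaintSwitch(in, out));   // dispatches to the case* method for node's type
    }

    @Override public void caseIdentityStmt(IdentityStmt s) {
        // x := @parameterN  -> gen x: parameters are treated as untrusted input
        if (s.getRightOp() instanceof ParameterRef) out.add(s.getLeftOp());
    }

    @Override public void caseAssignStmt(AssignStmt s) {
        if (!(s.getLeftOp() instanceof Local)) return;  // field and array writes are not tracked
        out.remove(s.getLeftOp());                       // kill: x is overwritten
        for (ValueBox use : s.getUseBoxes())             // gen: x is computed from a tainted local
            if (in.contains(use.getValue())) { out.add(s.getLeftOp()); return; }
    }

    @Override public void defaultCase(Object stmt) { }   // all other statements: out = in
}
```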
