crossingtud / spds Goto Github PK

Shippable only grants 2GB of heap memory to the JVM.

Some of the test cases (TreeMap, HashMap etc) consume a large amount of memory and shippable times out. We need to port the CI to our a different server (probably our own) which grants more memory.
This step may require us to switch to Jenkins.

Hi! I put together a minimal example to illustrate my confusion:

import java.util.LinkedList;
import java.util.List;

class Foo {
	void bar() {
		System.out.println("zomg bar");
	}
}

public class Test {
	public static List<Foo> foos() {
		List<Foo> x = new LinkedList<>();
		Foo foo = new Foo();
		x.add(foo);
		foo.bar();
		return x;
	}

	public static void main(String[] args) {
		System.out.println("hi!");
		System.out.println(foos());
	}
}

Ignoring all the usual soot setup machinery (I'm using DefaultBoomerangOptions and the pretransformer), after compiling the code I end up with the following Jimple:

...
        $stack2 = new java.util.LinkedList;
        specialinvoke $stack2.<java.util.LinkedList: void <init>()>();
        l0 = $stack2;
        $stack3 = new Foo;
        specialinvoke $stack3.<Foo: void <init>()>();
        l1 = $stack3;
        interfaceinvoke l0.<java.util.List: boolean add(java.lang.Object)>(l1);
        virtualinvoke l1.<Foo: void bar()>();
...

Now, if I point my forward query at $stack2 = new java.util.LinkedList, pass it to my solver instance, and call getInvokedMethodOnInstance on the result, I get the following:

{CS: l0.add(l1)=<java.util.List: boolean add(java.lang.Object)>, CS: $stack2.<init>()=<java.util.LinkedList: void <init>()>}

Which is what I'd expect, since I call the constructor on that list and also use .add on it.

On the other hand, if I do the exact same thing to the $stack3 = new Foo statement, I get an empty set of invoked methods, even though I call the constructor on it (obviously) and also call .bar on it.

I'm trying to understand what the fundamental difference is between those two cases and how I can make the latter query on my Foo instance also return the correct set of invoked methods.

On the test program, a vector object flows via an exception to a catch block. The vector object is stored as a field of the exception and unwrapped within the catch block. Within the catch block, the program erroneously accesses the first element of the empty vector.

WPDS and SynchronizedPDS do not contain a surefire-plugin configuration and their tests results are not included to shippable.

In WPDS the tests are also not contained in src/test, but in tests/tests, which is different than in the remaining modules and different than expected by maven.

The current state of the visualization draws nodes only but misses edges between them. We should use the rules of the PDS of fields to visualize the data-flow.

In this commit a test case is set to ignore.

When an unbalanced flow is always trigger (remove this line), the test case succeeds. I assume that a backward query does not appropriately return to a callee.

For reasonably sized data-flows the generation of the .json files takes too long to be practical.

At the moment the set of reachable method is globally for all queries. It resides in class WeightedBoomerang.

Instead, a set of reachableMethods must be maintained for each ForwardQuery individually.

How do I setup TamiFlex correctly such that we can analyse dacapo properly.

PhantomRefs?
Where are all dependencies?

Currently, this repository contains both implementations for IDEAL and Boomerang using the push-down systems. There are applications where we only need one of both, and having the single build for both is just overhead in the dependencies.
How about making a separation?

The analysis requires intermediate statements before end of branches see class StackTest.

@Test
public void test6() {
	ArrayList l = new ArrayList();
	Stack s = new Stack();
	if (staticallyUnknown()) {
		s.push(new Object());
		int x = 1;
	}
	if (staticallyUnknown()) {
		s.push(new Object());			
		int x = 1;
	}
	if(!s.isEmpty()) {
		Object pop = s.pop();
		mayBeInErrorState(s);
	}
}

The analysis is unsound when we remove the statements x = 1.

We need two sets of test cases:

1. short running tests which are executed on every commit and cover the basic tests.
2. all tests executed weekly.

I am working on the Jimple IR for android apk file.

One of the statements in the program is a post of a runnable object on the base object handler.

Class A {
Runnable a = new Runnable () {
public void run(){
...
}
}

onCreate() {
...
handler.post(a)
...
}
}

• where a is of type runnable and a is a reference use. Further more, a is defined as a class field.

I wish to find the points to set for 'a'.

I create a backward query for the statement and the value as 'a' - jimple local variable.

But the result is empty set of allocation sites or possible types. But if i query for the base which is of type handler i get precise answers for the allocation sites and possible types.

Please let me know if you need further details.

Prestar & Poststar
vs
Poststar in both directions

WPDS build and install,how to use?Can you provide detailed usage documentation?

I am using almost same classes as BoomerangExampleTarget example provides, except fields are non-static. When I query results I get imprecise results. These results don't even match to Class hierarchy. When I query on last line, results include l0[a, b, nested, field] and $stack4[b, nested, field] that doesn't make sense at all.

a = new ClassWithField();
a.field = new ObjectOfInterest();
b = (ClassWithField)identity(a);
n = new NestedClassWithField();
n.nested = b;
n.nested.field.poi = x*y; // query here for  n.nested.field

The getResults() method is highly inefficient, as it stores all results in one large Table.

Suggestion: Refactor the method to be called per method, i.e., getResults(SootMethod m). Then the table will not grow as massive as it does at the moment.

The analysis prevents the data-flow of a to flow into foo at such statements:
a = a.foo();

Where does a call return to?

It seems that such a call returns to static field loads?

A a = staticFieldAccess

When branching is involved, the analysis may become unsound and thus may miss coding mistakes, as shown below.

This test fails, as expected:

@Test
public void test1() {
    File file = new File();
    if (staticallyUnknown()) {
        file.open();
        mustBeInAcceptingState(file); // Correctly fails the test
    }
}

This test does NOT fail, but it should:

@Test
public void test2() {
    File file = new File();
    if (staticallyUnknown()) {
        file.open();
    }
    mustBeInAcceptingState(file); // Test succeeds unexpectedly
}

error occurs when maven first build:
Missing artifact de.fraunhofer.iem:PathExpression:jar:1.0.0:compile

When deploying to the soot nexus, we can choose whether we want to deploy to the releases or the snapshot repository.

Right now the top level pom declares a snapshot version and the modules have fixed versions.
A special case is the submodule PathExpression

We could either go with

1. Turn everything into a snapshot version, including PathExpression (does not make that much sense, since we'll have many identical versions)
2. Turn everything into a fixed released version (works, but does not accurately describe how we are building)
3. Remove PathExpression as a submodule. Build PathExpression seperately, deploy it to the releases. Use it as a dependency and download it from nexus. (this option is the most work, but will actually get rid of using submodules)

How do we want to proceed?

This results in a huge amount of tests, see recent build. This happens in both the WPDS job and the Extensive Test one.

Maybe this may be resolved by removing the maven profile defaultTests from ideaPDS (see #34).

After a call to socket.connect() the typestate of the variable socket is already in ERROR state.
It seems as the method connect internally calls another method that changes the typestate too early.
The object is set to state CONNECTED on return from connect.

socket.connect(new SocketAddress() {
		})

Hi,

I am trying to use this tool as a pointer analysis for an IFDS analysis. My IFDS analysis is using Jimple bodies, but Boomerang transforms bodies during Pre-transformer. What is recommended way to translate between Jimple/Boomerang? Or Do I need to run my IFDS analysis on Boomerang if I want to use WPDS?

Thanks,
Umar

Kill overwritten fields

Currently, it seems that no sources are deployed for the following projects:

• boomerangPDS
• synchronizedPDS
• WPDS
• testCore

In the SecuCheck project, we use a maven goal "copy-dependencies" and would like to download the sources as well that way. It seems that this is currently not possible due to the sources not being deployed.

Thanks!

Swapping statement 1 and 2 yields imprecise results for the aliasQuery?

		B b1 = new B();
		Alloc b2 = new Alloc();

		A a1 = new A(b1);
		A a2 = new A(b2);

		Object b3 = a1.getF();
		Object b4 = a2.getF();

		1: Benchmark.mayAliasQuery(b3, b4, false);
		2: Benchmark.pointsToQuery(b4);

Apologies if this is the wrong place to ask, but I see that there's a much more recently updated fork of this repo here but it doesn't have issue tracking turned on. Since the contributors appear similar, I figured I'd ask here.

I'm wondering what happened to the backwardSolveUnderScope method in the newer fork. Is there a suggested replacement for it or is the feature gone?

The BoomerangPretransformer adds a nop statement before each statement.
This is required as the analysis does not perform strong updates correctly in cases like the one below:

	@Test
	public void simpleAlias() {
		File y = new File();
		File x = y;
		x.open();
		x.close();
		mustBeInAcceptingState(x);
		mustBeInAcceptingState(y);
	}

Variable y is not in the correct state.

Update Visualization to reflect WPDS