Closed kitty-1998 closed 6 months ago
There hasn't been much demand on context-sensitive general-purpose PTA over the last years. FlowDroid uses its own alias analysis based on IFDS which inherits context-sensitivity from IFDS. Boomerang [1] is the latest work on context-sensitive PTA that I am aware of. Simply speaking, it generalizes the ideas from FlowDroid's alias analysis to make it independent of data flow as the client analysis. Maybe Boomerang is an option for you.
From what I know, Boomerang is considerably slower than context-insensitive SPARK and FlowDroid's domain-specific alias analysis. Nevertheless, you can even see some speedup in comparison to SPARK in case the context-sensitive PTS avoids redundant computation in your client analysis.
@StevenArzt Hi Steven, thanks for your detailed and kind reply. So, you mean Spark can perform context-sensitive points-to analysis, am I right? However, I did not find the related options. Could you please tell the related documents or code examples? Thank you!
No, this is a misunderstanding. SPARK is context-INsensitive. It cannot perform a context-sensitive analysis.
@StevenArzt Hi Steven, I appreciate your kindest help! However, I still have a small question: how to invoke Soot to analyze different in two iterations? I used Soot to perform points-to analysis two times during one execution, but received the following error:
Caused by: java.lang.RuntimeException: Value $r0 of type java.lang.Class previously had type java.math.BigInteger
    at soot.jimple.spark.pag.PAG.makeLocalVarNode(PAG.java:741)
    at soot.jimple.spark.builder.MethodNodeFactory.caseLocal(MethodNodeFactory.java:343)
    at soot.jimple.internal.JimpleLocal.apply(JimpleLocal.java:129)
    at soot.jimple.spark.builder.MethodNodeFactory$1.caseAssignStmt(MethodNodeFactory.java:160)
    at soot.jimple.internal.JAssignStmt.apply(JAssignStmt.java:217)
It seems that this error is due to the unreleased variable localToNodeMap in PAG.java. I have tried the following methods, but none of them worked:
    public void releaseSoot(PAG pag) {
        pag.cleanUpMerges();
        pag.cleanPAG();
        Scene.v().releaseClientAccessibilityOracle();
        Scene.v().releaseActiveHierarchy();
        Scene.v().releaseCallGraph();
        Scene.v().releaseFastHierarchy();
        Scene.v().releasePointsToAnalysis();
        Scene.v().releaseReachableMethods();
        Scene.v().releaseSideEffectAnalysis();
        G.v().resetSpark();
        System.gc();
    }
Could you please tell me the right approach to solving this problem? Thank you.
What are your two iterations? Please provide more information. Are you trying to update the callgraph after changing the Jimple code? Is there a good reason to not perform an entire Soot reset and then run the second iteration?
@StevenArzt Hi Steven. Two iterations means, in each iteration, I use Soot to process separate class files. So, I should release the analysis results in the first iteration? And, in the second iteration, I found the above problem (the PAG has been assigned a value twice) leading to the failed execution of the second iteration.
solved.
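The full Soot reset that the question above refers to, as an added example that is not part of the thread (the thread does not say how the problem was actually solved). The class name `TwoPassSpark`, the helper `analyze`, and the assumption that each command-line argument is a directory of class files containing a `main` method are illustrative.

```java
import java.util.Collections;

import soot.G;
import soot.PackManager;
import soot.Scene;
import soot.options.Options;

// Added example: run SPARK once per class directory, with a full reset in between.
public class TwoPassSpark {

    // Analyzes one directory from a clean Soot state and returns the
    // number of methods reachable in the resulting call graph.
    static int analyze(String classDir) {
        // Replace Soot's global state (Scene, Options, SPARK's PAG and node maps)
        // so nothing from an earlier run is visible to this one.
        G.reset();

        // Options are part of the global state, so they must be set again after every reset.
        Options.v().set_prepend_classpath(true);
        Options.v().set_allow_phantom_refs(true);
        Options.v().set_whole_program(true);
        Options.v().set_output_format(Options.output_format_none);
        Options.v().set_process_dir(Collections.singletonList(classDir));
        Options.v().setPhaseOption("cg.spark", "on");

        Scene.v().loadNecessaryClasses();
        // Running the cg pack builds the call graph and, with cg.spark on, a fresh PAG.
        PackManager.v().getPack("cg").apply();

        // Read results out as plain values before returning: SootMethod, Local and
        // points-to objects belong to this run's Scene and should not be carried
        // into the run that follows the next reset.
        return Scene.v().getReachableMethods().size();
    }

    public static void main(String[] args) {
        // Assumption: each argument is a directory of compiled classes with a main method.
        for (String dir : args) {
            int reachable = analyze(dir);
            System.out.println(dir + ": " + reachable + " reachable methods");
        }
    }
}
```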
Hi, I am just trying to use context-sensitive PTA in Soot, and have used Paddle (it seems the latest version of Soot does not include it any more?) and GeomPTA (seems to have too many bugs). So, is there any other approach to performing CS-PTA? Thank you!