Package sootup.spark

Class PointsToAnalysis

java.lang.Object

sootup.spark.PointsToAnalysis

public class PointsToAnalysis
extends Object

Client-facing pointer analysis API over a SPARK PAG.

Construct via fromSolver(Solver). The factory triggers Solver.solve() (if the PAG has not yet been built) and then runs an Andersen-style fixed-point propagation over the allocation, assignment, store, and load edges of the PAG. After construction the following queries are supported, all keyed by Jimple Value (a local, field ref, parameter ref, this, etc.) plus the MethodSignature of the method that contains the value:

• reachingObjects(Value, MethodSignature) — the set of AllocationNodes the value may point to.
• aliases(Value, MethodSignature) — the set of PAG vertices whose points-to set intersects the query value's.
• reachingTypes(Value, MethodSignature) — the set of run-time Types induced by the points-to set.

Values that the PAG does not model (numeric constants, arithmetic expressions, etc.) yield an empty result. The raw PAG-level points-to map is also exposed via getPointsToMap() for diagnostic purposes.

Method Summary

Modifier and Type	Method	Description
Set<Node>	aliases(@NonNull Value value, @NonNull MethodSignature containingMethodSig)	Returns the set of PAG vertices (other than the one for value itself) whose points-to set shares at least one allocation with reachingObjects(value, containingMethodSig) — i.e. nodes that may refer to a common run-time object.
Map<Node,Set<AllocationNode>>	getPointsToMap()	Read-only view of the raw PAG-level points-to map.
Set<AllocationNode>	reachingObjects(@NonNull Value value, @NonNull MethodSignature containingMethodSig)	Returns the set of allocation sites that value may point to within containingMethodSig.
Set<Type>	reachingTypes(@NonNull Value value, @NonNull MethodSignature containingMethodSig)	Returns the set of run-time types that the points-to set of value may induce within containingMethodSig.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

reachingObjects

public Set<AllocationNode> reachingObjects(@NonNull
 @NonNull Value value,
 @NonNull
 @NonNull MethodSignature containingMethodSig)

Returns the set of allocation sites that value may point to within containingMethodSig.

For an allocation expression the result is the singleton containing that allocation. For an instance field reference b.f the result is the union of heap[o, f] over each o in reachingObjects(b). Values not modeled by the PAG yield an empty set.

aliases

public Set<Node> aliases(@NonNull
 @NonNull Value value,
 @NonNull
 @NonNull MethodSignature containingMethodSig)

Returns the set of PAG vertices (other than the one for value itself) whose points-to set shares at least one allocation with reachingObjects(value, containingMethodSig) — i.e. nodes that may refer to a common run-time object.

reachingTypes

public Set<Type> reachingTypes(@NonNull
 @NonNull Value value,
 @NonNull
 @NonNull MethodSignature containingMethodSig)

Returns the set of run-time types that the points-to set of value may induce within containingMethodSig.

getPointsToMap

public Map<Node,Set<AllocationNode>> getPointsToMap()

Read-only view of the raw PAG-level points-to map. Intended for diagnostics and debugging that needs to walk every PAG vertex; prefer the Value-based query methods for analysis.