Incorporate Qilin Pointer Analysis

Dependencies

Maven:

<dependency>
    <groupId>org.soot-oss</groupId>
    <artifactId>sootup.qilin</artifactId>
    <version>1.3.0</version>
</dependency>

Gradle:

compile "org.soot-oss:sootup.qilin:1.3.0"

How to create a pointer analysis

WIP: Beware, the API will most likely change so that you only need to specify SootUp objects!

One can create an Andersen's context-insensitive analysis with the following code:

// 'view' is the SootUp View of the program under analysis
String entrypoint = "dacapo.antlr.Main";
// "insens" selects Andersen's context-insensitive analysis
PTAPattern ptaPattern = new PTAPattern("insens");
PTA pta = PTAFactory.createPTA(ptaPattern, view, entrypoint);
pta.run();

Users must specify the program's View, select a PTAPattern (indicating the desired type of pointer analysis to perform), and designate the entrypoint, which serves as the entry point for the analysis.

How to use pointer analysis results

First, we can use Qilin's pointer analysis to get a call graph constructed on the fly:

OnFlyCallGraph cg = pta.getCallGraph();

Second, we can use it to get the points-to results for local variables, fields, etc. of interest.

PointsToSet pts0 = pta.reachingObjects(method, v0);
PointsToSet pts1 = pta.reachingObjects(method, v1, f); // PTS(v1.f)

Third, we can check whether two variables, a and b, are aliases by checking whether there is an object that exists in both of their points-to sets.

Qilin does not currently offer an isMayAlias API within the PTA class. However, similar functionality can be found in qilin.test.util.AliasAssertion with the method boolean isMayAlias(PTA pta, Value va, Value vb). This method checks for potential aliasing between two values, given a PTA instance.
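The intersection check described above, as an added self-contained illustration that is not Qilin or SootUp code and does not call their API: a toy Andersen-style, context-insensitive solver run over a constructed six-statement program. The names MayAliasDemo, Stmt, solve and the string-keyed isMayAlias are hypothetical.

```java
import java.util.*;

// Added illustration (Java 17+), not Qilin code: toy Andersen-style solver and alias query.
public class MayAliasDemo {
    // NEW: lhs = new rhs   COPY: lhs = rhs   STORE: lhs.field = rhs   LOAD: lhs = rhs.field
    enum Kind { NEW, COPY, STORE, LOAD }
    record Stmt(Kind kind, String lhs, String rhs, String field) {}

    // Points-to sets keyed by variable name, or by "object.field" for heap locations.
    static final Map<String, Set<String>> pointsTo = new HashMap<>();

    static Set<String> pts(String key) {
        return pointsTo.computeIfAbsent(key, k -> new HashSet<>());
    }

    // Apply every inclusion constraint repeatedly until no set grows (fixpoint).
    static void solve(List<Stmt> program) {
        boolean changed = true;
        while (changed) {
            changed = false;
            for (Stmt s : program) {
                switch (s.kind()) {
                    case NEW -> changed |= pts(s.lhs()).add(s.rhs());
                    case COPY -> changed |= pts(s.lhs()).addAll(pts(s.rhs()));
                    case STORE -> {
                        for (String o : List.copyOf(pts(s.lhs())))
                            changed |= pts(o + "." + s.field()).addAll(pts(s.rhs()));
                    }
                    case LOAD -> {
                        for (String o : List.copyOf(pts(s.rhs())))
                            changed |= pts(s.lhs()).addAll(pts(o + "." + s.field()));
                    }
                }
            }
        }
    }

    // a and b may alias iff some abstract object is in both points-to sets.
    static boolean isMayAlias(String a, String b) {
        return !Collections.disjoint(pts(a), pts(b));
    }

    public static void main(String[] args) {
        solve(List.of(  // constructed sample program
            new Stmt(Kind.NEW, "a", "O1", null), new Stmt(Kind.COPY, "b", "a", null),
            new Stmt(Kind.NEW, "c", "O2", null), new Stmt(Kind.STORE, "a", "c", "f"),
            new Stmt(Kind.LOAD, "d", "b", "f"), new Stmt(Kind.NEW, "e", "O3", null)));
        System.out.println(isMayAlias("a", "b") + " " + isMayAlias("c", "d") + " " + isMayAlias("a", "e"));
    }
}
```

Because the analysis is flow- and context-insensitive, a positive answer is an over-approximation: the two variables may alias on some execution, not necessarily on all of them.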

A Full list of Pointer Analyses

Qilin's toolbox includes a rich set of pointer analyses, which are given below:

Note that the symbol k used in the table should be replaced with a concrete small constant like 1 or 2.

| PTA patterns | Description | Reference |
|---|---|---|
| insens | Andersen's context-insensitive analysis | Paper |
| kc | k-callsite-sensitive pointer analysis (denoted kCFA). | Paper |
| ko | k-object-sensitive pointer analysis (denoted kOBJ). | Paper |
| kt | k-type-sensitive pointer analysis (denoted kTYPE). | Paper |
| kh | hybrid k-object-sensitive pointer analysis. | Paper |
| kht | hybrid k-type-sensitive pointer analysis. | Paper |
| B-2o | BEAN-guided 2OBJ. Only k=2 is supported. | Paper |
| D-2o | Data-driven 2OBJ. Only k=2 is supported. | Paper |
| D-2c | Data-driven 2CFA. Only k=2 is supported. | Paper |
| M-ko | MAHJONG-guided kOBJ. | Paper |
| M-kc | MAHJONG-guided kCFA. | Paper |
| E-ko | EAGLE-guided kOBJ. | Paper |
| T-ko | TURNER-guided kOBJ. | Paper |
| Z-ko | ZIPPER-guided kOBJ. | Paper |
| Z-kc | ZIPPER-guided kCFA. | Paper |
| Z-ko -cd | The context debloated version of ZIPPER-guided kOBJ. | Paper |
| ko -cd -cda=CONCH | The context debloated version of kOBJ using Conch. | Paper |
| ko -cd -cda=DEBLOATERX | The context debloated version of kOBJ using DebloaterX. | Paper |
| s-kc | SELECTX-guided kCFA. | Paper |