Spring 2016 Program Analysis and Verification Static Analysis of Java via Soot Roman Manevich Ben-Gurion University
Agenda
  The Soot compiler framework for Java
  The Jimple intermediate language
Java
  Java: the high-level language
  Java bytecode reference: the official reference from Oracle
Soot
  A framework for analyzing and transforming Java and Android applications
  Developed at McGill University (Canada): https://sable.github.io/soot/
  Supported input languages:
    Java source code
    Java bytecode
    Dalvik bytecode (Android)
    Jimple intermediate language
  Supported output languages: several intermediate languages
    Jimple (what we will be using)
    Shimple
    Baf
    Grimp
  Supports static analysis: CFG, pointer analysis, etc.
  Eclipse plug-in (useful for giving demos and teaching)
Soot documentation and resources
  Soot survivor’s guide
  Soot tutorials
  Soot API
  Eric Bodden’s blog
  Running Soot from the command line: http://www.bodden.de/2008/08/21/soot-command-line/
Jimple synopsis
  Three-address code (TAC) for Java: 15 statement types
  Core (intra-procedural) statements:
    NopStmt
    IdentityStmt (r0 := @this: Foo; i0 := @parameter0: int;)
    AssignStmt ($r1 = new Foo;)
  Intra-procedural control-flow statements:
    IfStmt
    GotoStmt
    TableSwitchStmt (JVM tableswitch instruction)
    LookupSwitchStmt (JVM lookupswitch instruction)
  Inter-procedural control-flow statements:
    InvokeStmt
    ReturnStmt
    ReturnVoidStmt
  Monitor statements:
    EnterMonitorStmt
    ExitMonitorStmt
  Exceptions:
    ThrowStmt
    RetStmt
Jimple expressions
Java source
Running Soot – command line
Running Soot – output files output .jimple files go in “sootOutput”
Jimple code
  Locals
  IdentityStmts
  (default) static class initializer
Setting up for development
  Set up Java
  Set up Soot
  Set up the abstract interpretation package
Setting up Java
  Make sure you have version 1.7
  If you want to operate from the command line, make sure you have JDK 1.7
  Set the environment variable JAVA_HOME to point to your JDK installation path
Example inputs
  Store input files in a separate directory from the one you use for implementing the analyses (otherwise the front-end breaks)
Abstract interpretation package
Example analyses
  Domain constructors
  Fixed point solvers
  Soot-specific utilities
  Infrastructure for implementing static analysis
  Example Java programs
Existing analyses
Static analysis package
  Implements:
    Conversion of procedures to equation systems
    Abstract domain implementations; some examples: variable equalities (VE), constant propagation (CP), simple linear relations (lin), …
    Chaotic iterations (includes debugging information)
    Domain combinators: Cartesian, disjunctive completion, and relational
    Code for displaying analysis results
Running the VE analysis Example: variable equalities
Running the VE analysis
  Adds the analysis to Soot’s list of intra-procedural analyses
  Creates the equation system
  Runs chaotic iteration
  Attaches results as StringTags
Running the VE analysis
  Command-line options:
    -cp . : adds the current directory to Soot’s CLASSPATH
    -pp : adds Java’s CLASSPATH to Soot’s CLASSPATH
    -f jimple : outputs Jimple code
    -p jb use-original-names : keeps local variable names as they are
    -p jb.ls enabled:false : disables the local splitter to reduce the number of local variables
    -keep-line-number : writes source code line numbers into the resulting Jimple code
    -print-tags : writes out the tags attached to each Jimple statement (analysis results)
    TestClass : specifies the class to analyze
  Enable assertions
  Which directory to run in
Debug printout 1/2
Debug printout 2/2
Analysis results inlined into .jimple
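An added example, not code from the slides or from the course’s abstract interpretation package: a hypothetical VeTransformer that performs the steps listed under "Running the VE analysis" (registers itself in Soot’s "jtp" intra-procedural pack, computes the fixed point, attaches the per-statement results as StringTags) for a variable-equalities must-analysis over Jimple. It is written against Soot’s built-in soot.toolkits.scalar.ForwardFlowAnalysis instead of the course’s equation-system and chaotic-iteration classes; the class name, the phase name "jtp.ve" and the "a==b" fact encoding are assumptions.

```java
import java.util.*;
import soot.*;
import soot.jimple.AssignStmt;
import soot.tagkit.StringTag;
import soot.toolkits.graph.ExceptionalUnitGraph;
import soot.toolkits.scalar.ForwardFlowAnalysis;

public class VeTransformer extends BodyTransformer {          // hypothetical class, not part of the course package
    static final class Eqs {                                       // lattice element of the must-analysis
        boolean universe = true;                                   // "every equality holds": no path has reached the node yet
        final Set<String> facts = new HashSet<String>();           // canonical "a==b" with a < b
        public String toString() { return universe ? "ALL" : new TreeSet<String>(facts).toString(); }
    }
    static String fact(String a, String b) { return a.compareTo(b) < 0 ? a + "==" + b : b + "==" + a; }
    static boolean mentions(String f, String x) { return f.startsWith(x + "==") || f.endsWith("==" + x); }
    static String other(String f, String x) { return f.startsWith(x + "==") ? f.substring(x.length() + 2) : f.substring(0, f.length() - x.length() - 2); }
    static final class Ve extends ForwardFlowAnalysis<Unit, Eqs> {
        Ve(ExceptionalUnitGraph g) { super(g); doAnalysis(); }    // runs Soot's worklist fixed-point iteration
        protected Eqs newInitialFlow() { return new Eqs(); }
        protected Eqs entryInitialFlow() { Eqs e = new Eqs(); e.universe = false; return e; }   // at entry nothing is known
        protected void copy(Eqs src, Eqs dst) { if (src == dst) return; dst.universe = src.universe; dst.facts.clear(); dst.facts.addAll(src.facts); }
        protected void merge(Eqs in1, Eqs in2, Eqs out) {          // join point: keep only the facts common to both paths
            if (in1.universe || in2.universe) { copy(in1.universe ? in2 : in1, out); return; }
            Set<String> common = new HashSet<String>(in1.facts); common.retainAll(in2.facts);
            out.universe = false; out.facts.clear(); out.facts.addAll(common);
        }
        protected void flowThrough(Eqs in, Unit u, Eqs out) {     // transfer function for one Jimple statement
            copy(in, out);
            if (in.universe) return;
            for (ValueBox vb : u.getDefBoxes()) if (vb.getValue() instanceof Local)     // kill every fact about a defined local
                for (Iterator<String> it = out.facts.iterator(); it.hasNext();) if (mentions(it.next(), vb.getValue().toString())) it.remove();
            if (!(u instanceof AssignStmt)) return;
            Value l = ((AssignStmt) u).getLeftOp(), r = ((AssignStmt) u).getRightOp();
            if (l instanceof Local && r instanceof Local && !l.equals(r)) {   // gen for x = y: x==y, and x==z for every known y==z
                String x = l.toString(), y = r.toString();
                for (String f : new ArrayList<String>(out.facts)) if (mentions(f, y)) out.facts.add(fact(x, other(f, y)));
                out.facts.add(fact(x, y));
            }
        }
    }
    protected void internalTransform(Body b, String phase, Map<String, String> opts) {
        Ve ve = new Ve(new ExceptionalUnitGraph(b));
        for (Unit u : b.getUnits()) u.addTag(new StringTag("VE: " + ve.getFlowBefore(u)));   // printed by -print-tags
    }
    public static void main(String[] args) {                       // e.g. -cp . -pp -f jimple -print-tags TestClass
        PackManager.v().getPack("jtp").add(new Transform("jtp.ve", new VeTransformer()));
        soot.Main.main(args);
    }
}
```

Because the join is intersection, a fact such as "i0==i1" survives a merge only if it holds on every incoming path, which is exactly what the tags inlined into the .jimple output show.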
Implementing abstract domains
Variable equalities analysis
Major classes
  Variable per CFG node
  Combines all sub-algorithms to get the entire static analysis
  A transformer for assume statements
  Converts the CFG to an equation system
  Chaotic iteration algorithm to compute the fixed point
  An equation per CFG edge and join point
  A system of equations
  A transformer for non-assume statements
See you next time