1
Spring 2016 Program Analysis and Verification
Static Analysis of Java via Soot
Roman Manevich, Ben-Gurion University
2
Agenda
- The Soot compiler framework for Java
- The Jimple intermediate language
3
Java
- Java: the high-level language
- Java bytecode reference
- Official reference from Oracle
4
Soot
- A framework for analyzing and transforming Java and Android applications
- Developed at McGill University (Canada)
- Supports several input languages
  - Java source code
  - Java bytecode
  - Dalvik bytecode (Android)
  - Jimple intermediate language
- Supported output languages
- Supports several intermediate languages
  - Jimple – what we will be using
  - Shimple
  - Baf
  - Grimp
- Supports static analysis: CFG, pointer analysis, etc.
- Eclipse plug-in (useful for giving demos and teaching)
5
Soot documentation and resources
- Soot survivor’s guide
- Soot tutorials
- Soot API
- Eric Bodden’s blog
- Running Soot:
6
Jimple synopsis
TAC for Java: 15 statement types
- Core (intra-procedural) statements
  - NopStmt
  - IdentityStmt (r0 Foo; i0 int; )
  - AssignStmt ($r1 = new Foo;)
- Intra-procedural control-flow statements
  - IfStmt
  - GotoStmt
  - TableSwitchStmt (JVM tableSwitch instruction)
  - LookupSwitchStmt (JVM lookupswitch instruction)
- Inter-procedural control-flow statements
  - InvokeStmt
  - ReturnStmt
  - ReturnVoidStmt
- Monitor statements
  - EnterMonitorStmt
  - ExitMonitorStmt
- Exceptions
  - ThrowStmt
  - RetStmt
7
Jimple expressions
8
Java source
9
Running Soot – command line
10
Running Soot – output files
Output .jimple files go in “sootOutput”
11
Jimple code
- Locals
- IdentityStmts
- (default) static class initializer
12
Setting up for development
- Set up Java
- Set up Soot
- Set up abstract interpretation package
13
Setting up Java
- Make sure you have version 1.7
- If you want to operate from the command line, make sure you have JDK 1.7
- Set the environment variable JAVA_HOME to point to your JDK installation path
14
Example inputs
- Store input files in a directory separate from the ones you use for implementing the analyses (otherwise, the front-end breaks)
15
Abstract interpretation package
16
- Example analyses
- Domain constructors
- Fixed point solvers
- Soot-specific utilities
- Infrastructure for implementing static analysis
- Example Java programs
17
Existing analyses
18
Static analysis package
Implements
- Conversion of procedures to equation systems
- Abstract domain implementations
  - Some examples: variable equalities (VE), constant propagation (CP), simple linear relations (lin), …
- Chaotic iterations
  - Includes debugging information
- Domain combinators: Cartesian, disjunctive completion, and relational
- Code for displaying analysis results
19
Running the VE analysis
Example: variable equalities
20
Running the VE analysis
- Adds the analysis to Soot’s list of intra-procedural analyses
- Creates the equation system
- Runs chaotic iteration
- Attaches results as StringTags
21
Running the VE analysis
Command-line options:
- -cp . : adds the current directory to Soot’s CLASSPATH
- -pp : adds Java’s CLASSPATH to Soot’s CLASSPATH
- -f jimple : outputs Jimple code
- -p jb use-original-names : keeps local variable names as they are
- -p jb.ls enabled:false : disables the local splitter to reduce the number of local variables
- -keep-line-number : writes source code line numbers in the resulting Jimple code
- -print-tags : writes out tags for each Jimple statement (analysis results)
- TestClass : specifies the class to analyze
Enable assertions
Which directory to run in
22
Debug printout 1/2
23
Debug printout 2/2
24
Analysis results inlined into .jimple
25
Implementing abstract domains
26
Variable equalities analysis
27
Major classes
- Variable per CFG node
- Combines all sub-algorithms to get the entire static analysis
- A transformer for assume statements
- Converts CFG to equation system
- Chaotic iteration algorithm to compute fixed point
- An equation per CFG edge and join point
- A system of equations
- A transformer for non-assume statements
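The structure listed above (one unknown per CFG node, one equation per CFG edge, join at merge points, chaotic iteration to a fixed point) as an added Python sketch of a variable-equalities analysis. It is not code from the course's abstract interpretation package or from Soot; the CFG, variable names, and function names are constructed for illustration.

```python
# Abstract state: None (unreachable) or a frozenset of 2-element frozensets
# {a, b} meaning a == b, kept closed under transitivity.

def close(pairs):
    pairs = set(pairs)
    while True:
        # {a,b} and {b,c} share one variable; symmetric difference gives {a,c}
        new = {p ^ q for p in pairs for q in pairs if p != q and p & q} - pairs
        if not new:
            return frozenset(pairs)
        pairs |= new

def join(a, b):
    # Join keeps only equalities that hold on every incoming path.
    if a is None:
        return b
    if b is None:
        return a
    return a & b

def assign(x, y=None):
    # Transformer for x := y; y=None models any non-variable right-hand side.
    def f(s):
        if s is None or x == y:
            return s
        kept = {p for p in s if x not in p}  # old facts about x are killed
        if y is not None:
            kept.add(frozenset((x, y)))
        return close(kept)
    return f

def assume_eq(x, y):
    # Transformer for assume(x == y), with x and y distinct variables.
    return lambda s: None if s is None else close(s | {frozenset((x, y))})

def solve(edges, entry):
    # One unknown per CFG node, one equation per edge (src, transformer, dst).
    V = {n: None for e in edges for n in (e[0], e[2])}
    V[entry] = frozenset()  # top: nothing known at entry
    work = list(edges)
    while work:  # chaotic iteration: re-evaluate edges until nothing changes
        src, f, dst = work.pop()
        new = join(V[dst], f(V[src]))
        if new != V[dst]:
            V[dst] = new
            work.extend(e for e in edges if e[0] == dst)
    return V

# Constructed CFG: y=?; x=y; z=x; while(*){ w=z; x=x+1 }; assume(x==w)
EDGES = [(0, assign("y"), 1), (1, assign("x", "y"), 2), (2, assign("z", "x"), 3),
         (3, assign("w", "z"), 4), (4, assign("x"), 3), (3, assume_eq("x", "w"), 5)]
RESULT = solve(EDGES, 0)
```

At the loop head (node 3) only y == z survives the join with the back edge, because the loop body overwrites x.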
28
See you next time