er program domains

Running a Datalog Analysis
chord_output/ bddbddb/ , , , name=cipa0cfadlog .include .include ... .bddvarorder M0xI0_F0_V0xV1_T0_H0; ; [*] = e; = el; i M; = a; Floor f = new Floor(); List fl = new List(); i++) class Bldg { List events, floors; } } for (int i = 0; i M; [ ] = f; = fl; static void main(String[] a) { Bldg b = new Bldg(); } }
[Figure: heap diagram for the example (objects List, Bldg, Event, Floor 0, Floor 1, Event 1; fields events, floors, elems; variables b, el, fl, f, e, a)]
disjointreach(el, fl)?

0CFA Pointer Analysis for Java
- Flow sensitivity
  - flow-insensitive: ignores intraprocedural control flow
- Call graph construction
- Heap abstraction
- Aggregate modeling
- Context sensitivity

Example: Flow Insensitivity
class List { Obj[] elems; for (int i = 0; for (int i = 0; } Bldg() { List el = new List(); List() { Obj[] a = new Obj[…]; jq_Type t = (); jq_Type t = (); jq_Type t = (); for (Quad q : domI) { jq_Method m = ();

return its index in either case
- void save(): save domain to disk (.dom and .map files)
- String toUniqueString(T val): unique string representation of value
- int size(): number of values in domain
- T get(int index): value having the given index

if (start != null) add(start); )VBldg start:() init:()VBldg … M N N chord_output/ bddbddb/ package ; jq_Method start = (); for (jq_Method m : ()) add(m); Chord(name = M) public class DomM extends ProgramDomjq_Method { Override public void fill() { Program program = (); return cfg; (bb); BasicBlock bb = (1, 1, 2, null); ControlFlowGraph cfg = new ControlFlowGraph(m, 1, 0, f); }
- Example: start:()

Example Native Method Stub
public ControlFlowGraph run(jq_Method m) { jq_Class c = (); } }

Java Program Representations
[Figure: Java source code (.java), Java bytecode (.class), Quadcode, HTMLized Java source code (.html), disassembled Java bytecode; tools: javac, Joeq, javap, j2h, Java2HTML]

HTMLizing Java Source Code
- Programmatically:
import ; QuadVisitor qv = new () { public void visitNew(Quad q) { ... } public void visitPhi(Quad q) { ... } ...
}; jq_Field f = (q).getField(); if (lo instanceof RegisterOperand amp;) 01 53 52 84

Control flow graph:
BB0 (ENTRY) (in: none, out: BB2)
BB2 (in: BB0 (ENTRY), out: BB1 (EXIT))
1: GETSTATIC_A T1, .out
3: MOVE_A T2, AConst: Hello World!
2: INVOKEVIRTUAL_V println:(Ljava/lang/String;
3: ldc 3; 6: } 7: } File test/:

PrettyPrinting Java Bytecode
public class extends Constant pool: const 1 = Method 6.20; 2: 3: public class HelloWorld { 4: public static void main(String[] args) { 5: (Hello World!); // Field java/lang/:Ljava/io/PrintStream;
Run javac –g on .java files to keep debug info (lines, vars, source) in .class files

Java Program Representations
[Figure: Java source code (.java), Java bytecode (.class), Quadcode, disassembled Java bytecode; tools: javac, Joeq, javap]

PrettyPrinting Quadcode
Class: Method: main:([Ljava/lang/String; Operand bo = (q); Register b = ((RegisterOperand) bo).getRegister(); import .*; for (BasicBlock bb : ()) for (Quad q : ()) (qv);
- From command line:
  1. Use j2h: ant –=JAVA_DIR –=HTML_DIR j2h_xref
  2. Use Java2HTML: ant –=JAVA_DIR –=HTML_DIR j2h_fast

Java Program Representations
[Figure: Java source code (.java), Jasmin code (.j), Java bytecode (.class), Quadcode, HTMLized Java source code (.html), disassembled Java bytecode; tools: javac, Joeq, Chord, javap, Jasmin, j2h, Java2HTML]

Analysis Scope Construction
- Determines which parts of the program to analyze
- Computed in either of these cases:
  - =true
  - () is called
- Algorithm specified by =[rta|cha|dynamic]
  - Rapid Type Analysis (RTA)
  - Class Hierarchy Analysis (CHA)
  - Dynamic Analysis
- All three algorithms require specifying:
  - =MAIN CLASS
  - =CLASSPATH

Analysis Scope Representation
- Reachable Methods
  - stored in file specified by (default = []/)
- Resolved Reflection
  - stored in file specified by (default = []/)
resolvedClsForNameSites ... resolvedObjNewInstSites ... resolvedConNewInstSites ... resolvedAryNewInstSites ... mname:mdescame ...
Class (String) Object () Object (Object[]) Object (Class, int) bci!mname:mdescameame1,ame2,...,ameN

Rapid Type Analysis (RTA)
- Preferred (and default) scope construction algorithm
- Allows specifying reflection resolution via =[none|static|dynamic]
- Preferred way to resolve reflection is "dynamic" and requires specifying how to run program:
  - =id1,…,idN
  - =ARGS1, …, =ARGSN

Dynamic Analysis Based Scope Construction
- Runs program and observes which classes are loaded
- Requires JVMTI (set =true in file main/)
- Requires specifying how to run program:
  - =id1,…,idN
  - =ARGS1, …, =ARGSN
- All methods of each loaded class are deemed reachable
- Currently no support for reflection resolution

Additional Analysis Scope Features
- Scope Reuse
  - Enables using scope constructed by a previous run of Chord
  - Constructs scope from files specified by and
  - Specified via =true
- Scope