N CLASS ? =CLASSPATH

Analysis Scope Representation
- Reachable Methods
  - stored in file specified by (default = []/)
- Resolved Reflection
  - stored in file specified by (default = []/)

    resolvedClsForNameSites
    ...
    resolvedObjNewInstSites
    ...
    resolvedConNewInstSites
    ...
    resolvedAryNewInstSites
    ...

    mname:mdesc@ame
    ...
    Class (String)
    Object ()
    Object (Object[])
    Object (Class, int)
    bci!mname:mdesc@ameame1,ame2,...,ameN

Rapid Type Analysis (RTA)
- Preferred (and default) scope construction algorithm
- Allows specifying reflection resolution via =[none|static|dynamic]
- Preferred way to resolve reflection is "dynamic" and requires specifying how to run program:
  - =id1,…,idN
  - =ARGS1, …, =ARGSN

Dynamic Analysis Based Scope Construction
- Runs program and observes which classes are loaded
- Requires JVMTI (set =true in file main/)
- Requires specifying how to run program:
  - =id1,…,idN
  - =ARGS1, …, =ARGSN
- All methods of each loaded class are deemed reachable
- Currently no support for reflection resolution

Additional Analysis Scope Features
- Scope Reuse
  - Enables using scope constructed by a previous run of Chord
  - Constructs scope from files specified by and
  - Specified via =true
- Scope Exclusion
  - Enables excluding certain classes from scope
  - Treats all methods in such classes as no-ops
  - Specified via three properties:
    1. (default = )
    2. (default = )
    3. (default = [],[])

Native Method Stubs
- Specified in file main/src/chord/program/stubs/ in format:

    mname:mdesc@ame stub_ame

  where stub_ame denotes a class implementing:

    public interface {
        public ControlFlowGraph run(jq_Method m);
    }
- Example: start:()

Example Native Method Stub

    public ControlFlowGraph run(jq_Method m) {
        jq_Class c = ();
        jq_Method n = (
            new jq_NameAndDesc("run", "()V"));
        RegisterFactory f = new RegisterFactory(0, 1);
        Register r = (0, c);
        ControlFlowGraph cfg = new ControlFlowGraph(m, 1, 0, f);
        Quad q1 = (0, m, , null, new MethodOperand(n), 1);
        (q1, 0, new RegisterOperand(r, c));
        Quad q2 = (1, m, );
        BasicBlock bb = (1, 1, 2, null);
        (q1);
        (q2);
        BasicBlock eb = (), xb = ();
        (bb);
        (eb);
        (xb);
        (bb);
        return cfg;
    }

    void start() {
        ();
        return;
    }

Outline of Tutorial
- Part 1:
  - Getting Started With Chord
  - Program Representation
- Part 2:
  - Analysis Using Datalog/BDDs
  - Chaining Analyses Together
- Part 3:
  - Context-Sensitive Analysis
  - Dynamic Analysis

Program Domain
- Building block for analyses based on Datalog/BDDs
- Represents an indexed set of values of a fixed kind
  - typically artifacts from program being analyzed (e.g., set of all methods in the program)
- Assigns unique 0-based index to each value
  - everything in Datalog/BDDs must be numbered
  - indices given in order in which values are added
  - order affects efficiency of running analysis on large sets
  - initial indices (0, 1, ...) typically given to frequently used values (e.g., the main method)
- O(1) access to value given index, and vice versa

Example Predefined Program Domains

    Name  Description                 Defining Class
    T     types
    M     methods
    F     fields
    V     variables of ref type
    P     quads (program points)
    H     object allocation quads
    I     method call quads
    E     heap-accessing quads
    A     abstract threads
    C     abstract method contexts
    O     abstract objects

Writing a Program Domain Analysis

Domain M: all methods in the program
- main method has index 0
- () method has index 1

    package ;

    @Chord(name = "M")
    public class DomM extends ProgramDom<jq_Method> {
        @Override
        public void fill() {
            Program program = ();
            add(());
            jq_Method start = ();
            if (start != null)
                add(start);
            for (jq_Method m : ())
                add(m);
        }
    }

Running a Program Domain Analysis

    ant –=… –=M run

    main:([Ljava/lang/String;)V@Bldg
    start:()
    init:()V@Bldg
    …

    M N N

    chord_output/
    bddbddb/

T API
- void setName(String name)
  - set name of domain
- boolean add(T val)
  - add value to domain if not present; return true if added
- int getOrAdd(T val)
  - add value to domain if not present; return its index in either case
- void save()
  - save domain to disk (.dom and .map files)
- String toUniqueString(T val)
  - unique string representation of value
- int size()
  - number of values in domain
- T get(int index)
  - value having the given index; IndexOutofBoundsEx if not found
- int indexOf(T val)
  - index of given value; -1 if not found

Note: values once added cannot be removed!

Program Relation
- Building block for analyses based on Datalog/BDDs
- Represents a set of tuples over one or more fixed program domains
- Represented symbolically as a BDD
  - enables storing and manipulating large relations efficiently
- Provides various relational operations
  - projection, selection, join, etc.
- BDD size and efficiency of operations depends heavily on encoding of relation content as op