0% found this document useful (0 votes)

270 views153 pages

Tutorial

The document describes Soot, a tool for analyzing and transforming Java bytecode. It provides an overview of Soot, describing what it is, its past and present uses, and the intermediate representations it uses like Baf, Jimple and Grimp. It also summarizes how Soot can be used as both a command line tool and Eclipse plugin to process, analyze, optimize and transform Java bytecode.

Uploaded by

vijayabalang

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

270 views153 pages

Tutorial

Uploaded by

vijayabalang

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

Soot, a Tool for Analyzing and Transforming

Java Bytecode
Laurie Hendren, Patrick Lam, Jennifer Lhoták, Ondřej Lhoták and Feng Qian
McGill University

Special thanks to John Jorgensen and Navindra Umanee for help in preparing
Soot 2.0 and this tutorial.

Soot development has been supported, in part, by research grants from NSERC,
FCAR and IBM

[Link]

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 1
Program and Cast

ACT I (Warming Up):

Introduction and Soot Basics (Laurie)
Intraprocedural Analysis in Soot (Patrick)
ACT II (The Home Stretch):
Interprocedural Analyses and Call Graphs
(Ondřej)
Attributes in Soot and Eclipse
(Ondřej,Feng,Jennifer)
Conclusion, Further Reading & Homework
(Laurie)

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 2
Introduction and Soot Basics

What is Soot?
Soot: Past and Present
Soot Overview
IRs: Baf, Jimple, Shimple, Grimp, Dava
Soot as an end-user tool and Soot as an
Eclipse plugin

... switching gears ....

Jimple and Soot Implementation Basics

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 3
What is Soot?

a free compiler infrastructure, written in Java

(LGPL)
was originally designed to analyze and
transform Java bytecode
original motivation was to provide a common
infrastructure with which researchers could
compare analyses (points-to analyses)
has been extended to include decompilation
and visualization

[Link]/soot/
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 4
What is Soot? (2)

Soot has many potential applications:

used as a stand-alone tool (command line
or Eclipse plugin)
extended to include new IRs, analyses,
transformations and visualizations
as the basis of building new
special-purpose tools

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 5
Soot: Past and Present

Started in 1996-97 with the development of

coffi by Clark Verbrugge and some first
prototypes of Jimple IR by Clark and Raja
Vallée-Rai.
First publicly-available versions of Soot 1.x
were associated with Raja’s [Link]. thesis
New contributions and releases have been
added by many graduate students at McGill
and research results have been the topics of
papers and theses.

[Link]/publications/
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 6
Soot: Past and Present (2)

Soot 1.x has been used by many research

groups for a wide variety of applications. Has
also been used in several compiler courses.
Last version was 1.2.5.
Soot 2.0 and the first version of the Eclipse
Plugin have just been released - June 2003 -
JIT for PLDI 2003.
This tutorial is based on Soot 2.0.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 7
Soot Overview
Java SML Scheme Eiffel
source source source source

javac MLJ KAWA SmallEiffel

Eclipse
class files
SOOT

Produce Jimple 3−address IR

Analyze, Optimize and Tag

Generate Bytecode
Java
source

Optimized class files + attributes

Interpreter JIT Adaptive Engine Ahead−of−Time

Compiler

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 8
Soot IRs

Baf: is a compact rep. of Bytecode (stack-based)

Jimple:is Java’s simple, typed, 3-addr
(stackless) representation
Shimple: is a SSA-version of Jimple
Grimp:is like Jimple, but with expressions
agGRegated
Dava:structured representation used for
Decompiling Java

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 9
Soot as an end-user tool: Command-line

1. Install Java.
2. Download two .jar files (one for soot and one
for jasmin) and put them on your
CLASSPATH.

java [Link] --help

List options.
java [Link] --version
Print version information.

[Link]/software/#soot
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 10
Command-line: processing classes

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 11
Command-line: optimizing classes

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 12
Command-line: a more complex example

java [Link] -W -app -f jimple

-p jb use-original-names:true
-p [Link] on
-p [Link] simplify-offline:true
-p [Link] on
-p [Link] on -p [Link] off
Foo

Starting at [Link], process all reachable

classes in an interprocedural fashion and
produce Jimple as output for all application
classes.
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 13
Command-line: a more complex example

java [Link] -W -app -f jimple

-p jb use-original-names:true
-p [Link] on
-p [Link] simplify-offline:true
-p [Link] on
-p [Link] on -p [Link] off
Foo

When producing the original Jimple from the

class files, keep the original variable names, if
available in the attributes (i.e. class file produced
with javac -g).
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 14
Command-line: a more complex example

java [Link] -W -app -f jimple

-p jb use-original-names:true
-p [Link] on
-p [Link] simplify-offline:true
-p [Link] on
-p [Link] on -p [Link] off
Foo

Use Spark for points-to analysis and call graph,

with Spark simplifying the points-to problem by
collapsing equivalent variables.
Note: on is a short form for enabled:true.
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 15
Command-line: a more complex example

java [Link] -W -app -f jimple

-p jb use-original-names:true
-p [Link] on
-p [Link] simplify-offline:true
-p [Link] on
-p [Link] on -p [Link] off
Foo
Turn on the intra and interprocedural optimizations phases (-W).
Enable common sub-expression elimination (cse).
Enable static method binding (smb) and disable static inlining
(si).

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 16
Soot as an end-user tool: Eclipse Plugin

1. Install Java
2. Install Eclipse [Link]
3. Download one .jar file and unjar it into your Eclipse
plugin directory
4. Start Eclipse

IDE-based optimization, decompilation and

visualization
GUI for setting and storing Soot option configurations
tooltips for documentation on options
Eclipse views for Soot IRs
[Link]/software/#soot
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 17
Switching Gears ... Let’s get dirty

Now we want to understand:

details of Jimple
internal workings of Soot
To work with Soot in this way, you should
download the complete package
[Link] which contains the complete
Java source, class files, Javadoc documentation,
Soot tutorials, source and compiled forms of the
plugin,and our modified jasmin assembler.

[Link]/software/#soot
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 18
Jimple

Jimple is:
principal Soot Intermediate Representation
3-address code in a control-flow graph
a typed intermediate representation
stackless

Raja’s Thesis, CASCON99, CC2000, SAS2000

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 19
Kinds of Jimple Stmts I

Core statements:
NopStmt
DefinitionStmt: IdentityStmt,
AssignStmt
Intraprocedural control-flow:
IfStmt
GotoStmt
TableSwitchStmt,LookupSwitchStmt
Interprocedural control-flow:
InvokeStmt
ReturnStmt, ReturnVoidStmt

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 20
Kinds of Jimple Stmts II

ThrowStmt
throws an exception
RetStmt
not used; returns from a JSR
MonitorStmt: EnterMonitorStmt,
ExitMonitorStmt
mutual exclusion

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 21
IdentityStmt

this.m();
Where’s the definition of this?
IdentityStmt:
Used for assigning parameter values and
this ref to locals.
Gives each local at least one definition point.
Jimple rep of IdentityStmts:
r0 := @this;
i1 := @parameter0;

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 22
Context: other Jimple Stmts
public int foo([Link]) { // locals
r0 := @this; // IdentityStmt
r1 := @parameter0;

if r1 != null goto label0; // IfStmt

$i0 = [Link](); // AssignStmt

[Link](); // InvokeStmt
return $i0; // ReturnStmt

label0: // created by Printer

return 2;
}
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 23
Converting bytecode → Jimple → bytecode

These transformations are relatively hard to design so

that they produce correct, useful and efficient code.
Worth the price, we do want a 3-addr typed IR.
raw bytecode typed 3-address code (Jimple)
◦ each inst has implicit ◦ each stmt acts explicitly
effect on stack on named variables
◦ no types for local ◦ types for each local
variables variable
◦ > 200 kinds of insts ◦ only 15 kinds of stmts

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 24
Bytecode → Jimple

Performed in the jb phase.

Makes a naive translation from bytecode to
untyped Jimple, using variables for stack
locations.
splits DU-UD webs (so many different uses of
the stack do not interfere)
types locals (SAS 2000)
cleans up Jimple and packs locals
provides a good starting point for analysis
and optimization
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 25
Jimple → Bytecode
Performed in the bb or gb phase.
A naive translation introduces many spurious
stores and loads.
Two approaches (CC 2000),
aggregate expressions and then generate
stack code; or
perform store-load and store-load-load
elimination on the naive stack code.
Second approach works better and produces
very good bytecode.
Produces bytecode that is different than what
javac produces, breaks immature JITs.
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 26
Soot Data Structure Basics

Soot builds data structures to represent:

a complete environment (Scene)
classes (SootClass)
Fields and Methods (SootMethod,
SootField)
bodies of Methods (come in different
flavours, corresponding to different IR
levels, ie. JimpleBody)
These data structures are implemented using
OO techniques, and designed to be easy to
use and generic where possible.
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 27
Soot Classes

Scene.v()

Scene (singleton)

getSootClass()
getField()
SootClass SootField getSignature()

getMethod()

SootMethod getSignature()

getActiveBody()

JimpleBody

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 28
Body-centric View

SootMethod

getActiveBody()
getLocals()
JimpleBody Chain

getTraps()
getUnits()

Chain Chain

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 29
Getting a UnitGraph

SootMethod

getActiveBody()
UnitGraph getBody()
getLocals()
JimpleBody Chain
new BriefUnitGraph()
getTraps()
getUnits()

Chain Chain
getUnits()

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 30
What to do with a UnitGraph

getBody()
getHeads(), getTails()
getPredsOf(u), getSuccsOf(u)
getExtendedBasicBlockPathBetween
(from, to)

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 31
Control-flow units

We create an OO hierarchy of units, allowing

generic programming using Units.

Unit: abstract interface

Inst: Baf’s bytecode-level unit
(load x)
Stmt: Jimple’s three-address code units
(z = x + y)
Stmt: also used in Grimp
(z = x + y * 2 % n;)

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 32
Soot Philosophy on Units

Accesses should be abstract whenever

possible!
Accessing data:
getUseBoxes(), getDefBoxes(),
getUseAndDefBoxes()
(also control-flow information:)
fallsThrough(), branches(),
getBoxesPointingToThis(),
addBoxesPointingToThis(),
removeBoxesPointingToThis(),
redirectJumpsToThisTo()

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 33
What is a Box?
s: x = y op z

AssignStmt AssignStmt

x OpExpr
VB VB
y z
x OpExpr

VB VB

y z
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 34
What is a DefBox?

Value value = [Link]();

getValue(): Dereferencing a pointer.

x →x
setValue(): mutates the value in the Box.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 36
On UseBoxes

Opposite of defBoxes.
List useBoxes = [Link]();
method [Link]() returns a list of
ValueBoxes, corresponding to all Values
which get used in ut, a Unit.
non-empty for most Soot Units.
ut: x = y op z ;

getUseBoxes(ut) = { y , z , y op z }
(List containing 3 ValueBoxes, 2
containing Locals & 1 Expr)
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 37
Why Boxes?
Change all instances of y to 1:

AssignStmt AssignStmt

x OpExpr
VB VB
y z
x OpExpr

VB VB

y z
setValue() ??
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 38
Search & Replace

/* Replace all uses of v1 in body with v2 */

void replace(Body body, Value v1, Value v2)
{ for (Unit ut : [Link]())
{ for (ValueBox vb : [Link]())
if( [Link]().equals(v1) )
[Link](v2);
}
}

replace(b, y, IntConstant.v(1));

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 39
More Abstract Accessors: Stmt

Jimple provides the following additional

accessors for special kinds of Values:

containsArrayRef(),
getArrayRef(), getArrayRefBox()
containsInvokeExpr(),
getInvokeExpr(), getInvokeExprBox()
containsFieldRef(),
getFieldRef(), getFieldRefBox()

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 40
Program and Cast

ACT I (Warming Up):

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 41
Intraprocedural Outline

About Soot’s Flow Analysis Framework

Flow Analysis Examples
Live Variables
Branched Nullness
Adding Analyses to Soot

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 42
Flow Analysis in Soot

Flow analysis is key part of compiler

framework
Soot has easy-to-use framework for
intraprocedural flow analysis
Soot itself, and its flow analysis framework,
are object-oriented.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 43
Four Steps to Flow Analysis

1. Forward or backward? Branched or not?

2. Decide what you are approximating.
What is the domain’s confluence operator?
3. Write equation for each kind of IR statement.
4. State the starting approximation.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 44
HOWTO: Soot Flow Analysis

A checklist of your obligations:

1. Subclass *FlowAnalysis
2. Implement abstraction: merge(), copy()
3. Implement flow function flowThrough()
4. Implement initial values:
newInitialFlow() and
entryInitialFlow()
5. Implement constructor
(it must call doAnalysis())

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 45
HOWTO: Soot Flow Analysis II

Soot provides you with:

impls of abstraction domains (flow sets)
standard abstractions trivial to implement;
an implemented flow analysis namely,
doAnalysis() method: executes
intraprocedural analyses on a CFG using a
worklist algorithm.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 46
Flow Analysis Hierarchy

AbstractFlowAnalysis

FlowAnalysis BranchedFlowAnalysis

Forward- Backward- Forward-

[Link]
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 47
Soot Flow Analyses

AbstractFlowAnalysis

FlowAnalysis BranchedFlowAnalysis

Forward-
Forward- Backward-

Casts Nullness
PRE analy’s PRE analy’s
Avail. Expr. Liveness
Array Bds
[Link]
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 48
Backward vs. Forward Analyses
A forward analysis computes OUT from IN:
i
s
flow dir
fs (i)
fs (i)
t

ft (fs (i))
A backward analysis computes IN from OUT:
fs (ft (i))
s
flow dir
ft (i)
ft (i)
t
i
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 49
Outline: Soot Flow Analysis Examples

Will describe how to implement a flow analysis in

Soot and present examples:
live locals
branched nullness testing

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 50
Running Example 1: Live Variables
A local variable v is live at s if there exists some
statement s′ using v and a control-flow path from
s to s′ free of definitions of v.

{z, x}
y=x
{z, y}

{z, y} {y}
{z, y}
x=y z=2
{z, y}
{z, y}
b=y
{z}

{z}
a=z
{}

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 51
Steps to a Flow Analysis

As we’ve seen before:

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 52
Step 1: Forward or Backward?

Live variables is a backward flow analysis, since

flow fn computes IN sets from OUT sets.

In Soot, we subclass BackwardFlowAnalysis.

class LiveVariablesAnalysis
extends BackwardFlowAnalysis

[Link]
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 53
Step 2: Abstraction domain
Domain for Live Variables: sets of Locals
e.g. {x, y, z}

Partial order is subset inclusion

Merge operator is union

In Soot, we use the provided ArraySparseSet

implementation of FlowSet.

[Link]
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 54
Implementing an Abstraction
Need to implement copy(), merge() methods:

dest
copy dir CFG
src

copy() brings IN set to predecessor’s OUT set.

merge dir
dest = src1 ⊲⊳ src2

src1 src2

merge() joins two IN sets to make an OUT set.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 55
More on Implementing an Abstraction

Signatures:

void merge(Object src1, Object src2,

Object dest);
void copy(Object src, Object dest);

We delegate implementation to FlowSet.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 56
Flow Sets and Soot

Using a FlowSet is not mandatory, but helpful.

Impls: ToppedSet, ArraySparseSet,

ArrayPackedSet
// c = a ∩ b // c = a ∪ b
[Link](b, c); [Link](b,c);

// d = c // d = d ∪ {v}
[Link](d); [Link](v);

[Link]
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 57
Digression: types of FlowSets

Which FlowSet do you want?

ArraySparseSet: simple list
foo bar z
(simplest possible)
ArrayPackedSet: bitvector w/ map
00100101 10101111 10000000
(can complement, need universe)
ToppedSet:
FlowSet & isTop()
(adjoins a ⊤ to another FlowSet)

[Link].*Set
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 58
Step 2: copy() for live variables

protected void copy(Object src,

Object dest) {
FlowSet sourceSet = (FlowSet)src,
destSet = (FlowSet) dest;

[Link](destSet);
}

Use copy() method from FlowSet.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 59
Step 2: merge() for live variables

In live variables, a variable v is live if there exists

any path from d to p, so we use union.

Like copy(), use FlowSet’s union:

void merge(...) {
// [cast Objects to FlowSets]
[Link](src2Set, destSet);
}
One might also use intersection(), or
implement a more exotic merge.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 60
Step 3: Flow equations

Goal: At a unit like x = y * z:

kill def x;
gen uses y, z.
How? Implement this method:
protected void flowThrough
(Object srcValue,
Object u,
Object destValue)

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 61
Step 3: Casting

Soot’s flow analysis framework is polymorphic.

Need to cast to do useful work.

Start by:
casting srcValue, destValue to FlowSet.
casting u to Unit ut.
In code:
FlowSet src = (FlowSet)srcValue,
dest = (FlowSet)destValue;
Unit ut = (Unit)u;

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 62
Step 3: Copying

Need to copy src to dest to allow manipulation.

dest
copy dir CFG
src

[Link] (dest);

Use FlowSet methods.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 63
Step 3: Implementing flowThrough

Must decide what happens at each statement (in

general, need to switch on unit type):

IN[ut]

ut flowThrough

OUT[ut]

IN[ut] = flowThrough(OUT[ut])
= OUT[ut] \ kills[ut] ∪ gens[ut]
flowThrough is the brains of a flow analysis.
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 64
Step 3: flowThrough for live locals

A local variable v is live at s if there exists some

statement s′ containing a use of v, and a
control-flow path from s to s′ free of def’ns of v.

Don’t care about the type of unit we’re analyzing:

Soot provides abstract accessors to values used
and defined in a unit.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 65
Step 3: Implementing flowThrough: removing kills

// Take out kill set:

// for each local v def’d in
// this unit, remove v from dest
for (ValueBox box : [Link]())
{
Value value = [Link]();
if( value instanceof Local )
[Link]( value );
}

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 66
Step 3: Implementing flowThrough: adding gens
// Add gen set
// for each local v used in
// this unit, add v to dest
for (ValueBox box : [Link]())
{
Value value = [Link]();
if (value instanceof Local)
[Link](value);
}
N.B. our analysis is generic, not restricted to
Jimple.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 67
Step 4: Initial values

• Soundly initialize IN, OUT sets prior to

analysis.
Create initial sets
Object newInitialFlow()
{return new ArraySparseSet();}

Create initial sets for exit nodes

Object entryInitialFlow()
{return new ArraySparseSet();}

Want conservative initial value at exit nodes,

optimistic value at all other nodes.
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 68
Step 5: Implement constructor

LiveVariablesAnalysis(UnitGraph g)
{
super(g);

doAnalysis();
}
Causes the flow sets to be computed, using
Soot’s flow analysis engine.

In other analyses, we precompute values.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 69
Enjoy: Flow Analysis Results

You can instantiate an analysis and collect

results:
LiveVariablesAnalysis lv =
new LiveVariablesAnalysis(g);

// return SparseArraySets
// of live variables:
[Link](s);
[Link](s);

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 70
Running Example 2: Branched Nullness
A local variable v is non-null at s if all
control-flow paths reaching s result in v being
assigned a value different from null.
{}
{}
if (y==null) {y}
T F
{} {y}
{x}
x=new foo() [Link]()
{x, y}

y=null
{x}

{x}
y=b.f {x, b}

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 71
HOWTO: Soot Flow Analysis

Again, here’s what to do:

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 72
Step 1: Forward or Backward?

Nullness is a branched forward flow analysis,

since flow fn computes OUT sets from IN sets,
sensitive to branches

Now subclass ForwardBranchedFlowAnalysis.

class NullnessAnalysis
extends ForwardBranchedFlowAnalysis {

[Link]
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 73
Step 2: Abstraction domain
Domain: sets of Locals known to be non-null
Partial order is subset inclusion.

(More complicated abstractions possible∗ for this

problem; e.g. ⊥, ⊤, null, non-null per-local.)

Again use ArraySparseSet to implement:

void merge(Object in1, Object in2,

Object out);
void copy(Object src, Object dest);

∗
see [Link]
<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 74
Implementing an Abstraction
For a forward analysis, copy and merge mean:

src
copy dir CFG
dest

copy() brings OUT set to predecessor’s IN set.

src1 src2

merge dir
dest = src1 ⊲⊳ src2

merge() joins two OUT sets to make an IN set.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 75
Step 2: copy() for nullness

Same as for live locals.

protected void copy(Object src,
Object dest) {
FlowSet sourceSet = (FlowSet)src,
destSet = (FlowSet) dest;

[Link](destSet);
}

Use copy() method from FlowSet.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 76
Step 2: merge() for nullness

In branched nullness, a variable v is non-null if it

is non-null on all paths from start to s, so we
use intersection.

Like copy(), use FlowSet method – here,

intersection():
void merge(...) {
// [cast Objects to FlowSets]
[Link](srcSet2,
destSet);
}

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 77
Step 3: Branched Flow Function

Need to differentiate between branch and

fall-through OUT sets.
protected void
flowThrough(Object srcValue,
Unit unit,
List fallOut,
List branchOuts)
fallOut is a one-element list.
branchOuts contains a FlowSet for each
non-fallthrough successor.

<
Soot, a Tool for Analyzing and Transforming Java Bytecode – p. 78
Step 3: Flow equations