chordaversatileplatformforprogramanalysis(编辑修改稿)

chordaversatileplatformforprogramanalysis(编辑修改稿)内容摘要：

N CLASS • =CLASSPATH Analysis Scope Representation • Reachable Methods • stored in file specified by (default = []/) • Resolved Reflection • stored in file specified by (default = []/) resolvedClsForNameSites ... resolvedObjNewInstSites ... resolvedConNewInstSites ... resolvedAryNewInstSites ... mname:mdesc@ame ... Class (String) Object () Object (Object[]) Object (Class, int) bci!mname:mdesc@ameame1,ame2,...,ameN Rapid Type Analysis (RTA) • Preferred (and default) scope construction algorithm • Allows specifying reflection resolution via =[none|static|dynamic] • Preferred way to resolve reflection is „dynamic‟ and requires specifying how to run program: • =id1,…,idN • =ARGS1, …, =ARGSN Dynamic Analysis Based Scope Construction • Runs program and observes which classes are loaded • Requires JVMTI (set =true in file main/) • Requires specifying how to run program: • =id1,…,idN • =ARGS1, …, =ARGSN • All methods of each loaded class are deemed reachable • Currently no support for reflection resolution Additional Analysis Scope Features • Scope Reuse • Enables using scope constructed by a previous run of Chord • Constructs scope from files specified by and • Specified via =true • Scope Exclusion • Enables excluding certain classes from scope • Treats all methods in such classes as noops • Specified via three properties: 1. (default = ) 2. (default = ) 3. (default = [],[]) Native Method Stubs • Specified in file main/src/chord/program/stubs/ in format: mname:mdesc@ame stub_ame where stub_ame denotes a class implementing: public interface { public ControlFlowGraph run(jq_Method m)。 } • Example: start:() Example Native Method Stub public ControlFlowGraph run(jq_Method m) { jq_Class c = ()。 jq_Method n = ( new jq_NameAndDesc(run, ()V))。 RegisterFactory f = new RegisterFactory(0, 1)。 Register r = (0, c)。 ControlFlowGraph cfg = new ControlFlowGraph(m, 1, 0, f)。 Quad q1 = (0, m, , null, new MethodOperand(n), 1)。 (q1, 0, new RegisterOperand(r, c))。 Quad q2 = (1, m, )。 BasicBlock bb = (1, 1, 2, null)。 (q1)。 (q2)。 BasicBlock eb = (), xb = ()。 (bb)。 (eb)。 (xb)。 (bb)。 return cfg。 } void start() { ()。 return。 } Outline of Tutorial • Part 1: • Getting Started With Chord • Program Representation • Part 2: • Analysis Using Datalog/BDDs • Chaining Analyses Together • Part 3: • ContextSensitive Analysis • Dynamic Analysis Program Domain • Building block for analyses based on Datalog/BDDs • Represents an indexed set of values of a fixed kind • typically artifacts from program being analyzed (., set of all methods in the program) • Assigns unique 0based index to each value • everything in Datalog/BDDs must be numbered • indices given in order in which values are added • order affects efficiency of running analysis on large sets • initial indices (0, 1, ...) typically given to frequentlyused values (., the main method) • O(1) access to value given index, and vice versa Example Predefined Program Domains Name Description Defining Class T types M methods F fields V variables of ref type P quads (program points) H object allocation quads I method call quads E heapaccessing quads A abstract threads C abstract method contexts O abstract objects Writing a Program Domain Analysis Domain M: all methods in the program – main method has index 0 – () method has index 1 package。 @Chord(name = M) public class DomM extends ProgramDomjq_Method { @Override public void fill() { Program program = ()。 add(())。 jq_Method start = ()。 if (start != null) add(start)。 for (jq_Method m : ()) add(m)。 } } Running a Program Domain Analysis ant –=… –=M run package。 @Chord(name = M) public class DomM extends ProgramDomjq_Method { @Override public void fill() { Program program = ()。 add(())。 jq_Method start = ()。 if (start != null) add(start)。 for (jq_Method m : ()) add(m)。 } } Running a Program Domain Analysis main:([Ljava/lang/String。 )V@Bldg start:() init:()V@Bldg … M N N chord_output/ bddbddb/ package。 @Chord(name = M) public class DomM extends ProgramDomjq_Method { @Override public void fill() { Program program = ()。 add(())。 jq_Method start = ()。 if (start != null) add(start)。 for (jq_Method m : ()) add(m)。 } } T API • void setName(String name) • set name of domain • boolean add(T val) • add value to domain if not present。 return true if added • int getOrAdd(T val) • add value to domain if not present。 return its index in either case • void save() • save domain to disk (.dom and .map files) • String toUniqueString(T val) • unique string representation of value • int size() • number of values in domain • T get(int index) • value having the given index。 IndexOutofBoundsEx if not found • int indexOf(T val) • index of given value。 1 if not found Note: values once added cannot be removed! Program Relation • Building block for analyses based on Datalog/BDDs • Represents a set of tuples over one or more fixed program domains • Represented symbolically as a BDD • enables storing and manipulating large relations efficiently • Provides various relational operations • projection, selection, join, etc. • BDD size and efficiency of operations depends heavily on encoding of relation content as op。