Java源码示例:soot.jimple.StaticFieldRef
示例1
/**
* Gets the points-to-set for the given value
* @param targetValue The value for which to get the points-to-set
* @return The points-to-set for the given value
*/
private PointsToSet getPointsToSet(Value targetValue) {
PointsToAnalysis pta = Scene.v().getPointsToAnalysis();
synchronized (pta) {
if (targetValue instanceof Local)
return pta.reachingObjects((Local) targetValue);
else if (targetValue instanceof InstanceFieldRef) {
InstanceFieldRef iref = (InstanceFieldRef) targetValue;
return pta.reachingObjects((Local) iref.getBase(), iref.getField());
}
else if (targetValue instanceof StaticFieldRef) {
StaticFieldRef sref = (StaticFieldRef) targetValue;
return pta.reachingObjects(sref.getField());
}
else if (targetValue instanceof ArrayRef) {
ArrayRef aref = (ArrayRef) targetValue;
return pta.reachingObjects((Local) aref.getBase());
}
else
throw new RuntimeException("Unexpected value type for aliasing: " + targetValue.getClass());
}
}
示例2
/**
* Checks whether the given base value matches the base of the given
* taint abstraction
* @param baseValue The value to check
* @param source The taint abstraction to check
* @return True if the given value has the same base value as the given
* taint abstraction, otherwise false
*/
protected boolean baseMatches(final Value baseValue, Abstraction source) {
if (baseValue instanceof Local) {
if (baseValue.equals(source.getAccessPath().getPlainValue()))
return true;
}
else if (baseValue instanceof InstanceFieldRef) {
InstanceFieldRef ifr = (InstanceFieldRef) baseValue;
if (ifr.getBase().equals(source.getAccessPath().getPlainValue())
&& source.getAccessPath().firstFieldMatches(ifr.getField()))
return true;
}
else if (baseValue instanceof StaticFieldRef) {
StaticFieldRef sfr = (StaticFieldRef) baseValue;
if (source.getAccessPath().firstFieldMatches(sfr.getField()))
return true;
}
return false;
}
示例3
public void jimplify (DexBody body) {
int source = ((OneRegisterInstruction)instruction).getRegisterA();
FieldReference f = (FieldReference)((ReferenceInstruction)instruction).getReference();
StaticFieldRef instanceField = Jimple.v().newStaticFieldRef(getStaticSootFieldRef(f));
Local sourceValue = body.getRegisterLocal(source);
assign = getAssignStmt(body, sourceValue, instanceField);
setUnit(assign);
addTags(assign);
body.add(assign);
if (IDalvikTyper.ENABLE_DVKTYPER) {
Debug.printDbg(IDalvikTyper.DEBUG, "constraint: "+ assign);
int op = (int)instruction.getOpcode().value;
DalvikTyper.v().setType(assign.getRightOpBox(), instanceField.getType(), true);
}
}
示例4
@Override
public void isParamVulnAndStore(SootMethod originMethod, Stmt originStmt, Value reachedValue) { //avoid sideeffect
//constant already guaranteed by caller
System.out.println(originStmt);
String funcSig = originStmt.getInvokeExpr().getMethod().getSignature();
String valueString = reachedValue.toString();
if (evaluateResult(funcSig, valueString)) {
if(DEBUG) {
System.out.println("result found");
System.out.println("originstmt: " + originStmt + " reachedValue: " + reachedValue);
}
this.results.add(new Pair<>(originMethod, new Pair<>(originStmt, valueString)));
}
if(DEBUG) {
if (reachedValue instanceof Constant || reachedValue instanceof StaticFieldRef) {
System.out.println("originstmt: " + originStmt + " reachedValue: " + reachedValue);
}
}
}
示例5
@Override
protected boolean killFlow(SootMethod m, Stmt curr, Val value) {
if (!m.getActiveBody().getLocals().contains(value.value()) && !value.isStatic())
return true;
if (curr instanceof AssignStmt) {
AssignStmt as = (AssignStmt) curr;
// Kill x at any statement x = * during propagation.
if (as.getLeftOp().equals(value.value())) {
// But not for a statement x = x.f
if (as.getRightOp() instanceof InstanceFieldRef) {
InstanceFieldRef iie = (InstanceFieldRef) as.getRightOp();
if (iie.getBase().equals(value.value())) {
return false;
}
}
return true;
}
if (as.getLeftOp() instanceof StaticFieldRef) {
StaticFieldRef sfr = (StaticFieldRef) as.getLeftOp();
if (value.isStatic() && value.equals(new StaticFieldVal(as.getLeftOp(), sfr.getField(), m))) {
return true;
}
}
}
return false;
}
示例6
/**
* Checks whether the given base value matches the base of the given
* taint abstraction and ends there. So a will match a, but not a.x.
* Not that this function will still match a to a.*.
* @param baseValue The value to check
* @param source The taint abstraction to check
* @return True if the given value has the same base value as the given
* taint abstraction and no further elements, otherwise false
*/
protected boolean baseMatchesStrict(final Value baseValue, Abstraction source) {
if (!baseMatches(baseValue, source))
return false;
if (baseValue instanceof Local)
return source.getAccessPath().isLocal();
else if (baseValue instanceof InstanceFieldRef || baseValue instanceof StaticFieldRef)
return source.getAccessPath().getFieldCount() == 1;
throw new RuntimeException("Unexpected left side");
}
示例7
private Insn buildGetInsn(ConcreteRef sourceRef, Register destinationReg) {
if (sourceRef instanceof StaticFieldRef) {
return buildStaticFieldGetInsn(destinationReg, (StaticFieldRef) sourceRef);
} else if (sourceRef instanceof InstanceFieldRef) {
return buildInstanceFieldGetInsn(destinationReg, (InstanceFieldRef) sourceRef);
} else if (sourceRef instanceof ArrayRef) {
return buildArrayGetInsn(destinationReg, (ArrayRef) sourceRef);
} else {
throw new RuntimeException("unsupported type of ConcreteRef: " + sourceRef.getClass());
}
}
示例8
private Insn buildPutInsn(ConcreteRef destRef, Value source) {
if (destRef instanceof StaticFieldRef) {
return buildStaticFieldPutInsn((StaticFieldRef) destRef, source);
} else if (destRef instanceof InstanceFieldRef) {
return buildInstanceFieldPutInsn((InstanceFieldRef) destRef, source);
} else if (destRef instanceof ArrayRef) {
return buildArrayPutInsn((ArrayRef) destRef, source);
} else {
throw new RuntimeException("unsupported type of ConcreteRef: " + destRef.getClass());
}
}
示例9
private Insn buildStaticFieldPutInsn(StaticFieldRef destRef, Value source) {
SootField destSootField = destRef.getField();
Register sourceReg = regAlloc.asImmediate(source, constantV);
BuilderFieldReference destField = DexPrinter.toFieldReference(destSootField, belongingFile);
Opcode opc = getPutGetOpcodeWithTypeSuffix("sput", destField.getType());
return new Insn21c(opc, sourceReg, destField);
}
示例10
public void jimplify (DexBody body) {
int dest = ((OneRegisterInstruction)instruction).getRegisterA();
FieldReference f = (FieldReference)((ReferenceInstruction)instruction).getReference();
StaticFieldRef r = Jimple.v().newStaticFieldRef(getStaticSootFieldRef(f));
assign = Jimple.v().newAssignStmt(body.getRegisterLocal(dest), r);
setUnit(assign);
addTags(assign);
body.add(assign);
if (IDalvikTyper.ENABLE_DVKTYPER) {
Debug.printDbg(IDalvikTyper.DEBUG, "constraint: "+ assign);
int op = (int)instruction.getOpcode().value;
DalvikTyper.v().setType(assign.getLeftOpBox(), r.getType(), false);
}
}
示例11
private boolean containsStaticFieldAccess(Stmt succ) {
if (succ instanceof AssignStmt) {
AssignStmt assignStmt = (AssignStmt) succ;
return assignStmt.getLeftOp() instanceof StaticFieldRef
|| assignStmt.getRightOp() instanceof StaticFieldRef;
}
return false;
}
示例12
protected Field getWrittenField(Stmt curr) {
AssignStmt as = (AssignStmt) curr;
if (as.getLeftOp() instanceof StaticFieldRef) {
StaticFieldRef staticFieldRef = (StaticFieldRef) as.getLeftOp();
return new Field(staticFieldRef.getField());
}
InstanceFieldRef ifr = (InstanceFieldRef) as.getLeftOp();
return new Field(ifr.getField());
}
示例13
/**
* Returns a normal edge function.
*
* @param curr The current statement.
* @param currNode The current variable.
* @param succNode The variable the current variable is propagated to after the statement.
* @param zeroValue The zero value, which represents the absence of a data flow fact.
* @param pointsToAnalysis The pointer analysis.
* @return A normal edge function.
*/
public EdgeFunction<BasePropagationValue> getNormalEdgeFunction(Unit curr, Value currNode,
Value succNode, Value zeroValue, PointsToAnalysis pointsToAnalysis) {
if (curr instanceof AssignStmt) {
if (logger.isDebugEnabled()) {
logger.debug("Normal edge: " + curr);
logger.debug(currNode + " " + succNode);
}
AssignStmt assignStmt = (AssignStmt) curr;
final Value left = assignStmt.getLeftOp();
final String type = left.getType().toString();
final Value right = assignStmt.getRightOp();
if (Model.v().isModeledType(type)) {
if (currNode.equivTo(zeroValue) && succNode.equivTo(left)) {
if (right instanceof StaticFieldRef) {
StaticFieldRef staticFieldRef = (StaticFieldRef) right;
Argument[] arguments =
Model.v().getArgumentsForStaticField(staticFieldRef.getField().getSignature());
EdgeFunction<BasePropagationValue> result =
PropagationTransformerFactory.makeTransformer(null, arguments, false);
if (arguments != null) {
if (logger.isDebugEnabled()) {
logger.debug("Returning " + result);
}
return PropagationTransformerFactory.makeTransformer(null, arguments, false);
}
} else if (right instanceof NullConstant) {
return PropagationTransformerFactory.makeTransformer(null, null, false);
}
}
}
}
return EdgeIdentity.v();
}
示例14
@Override
public boolean isCallStmt(Unit unit) {
Stmt stmt = (Stmt) unit;
if (stmt.containsInvokeExpr()) {
return true;
} else if (stmt instanceof AssignStmt) {
Value right = ((AssignStmt) stmt).getRightOp();
return right instanceof StaticFieldRef
&& AnalysisParameters.v().isAnalysisClass(
((StaticFieldRef) right).getField().getDeclaringClass().getName());
} else {
return false;
}
}
示例15
/**
* Gets whether a value and an access path may potentially point to the same
* runtime object
* @param ap The access path
* @param val The value
* @return The access path that actually matched if the given value and
* access path alias. In the simplest case, this is the given access path.
* When using recursive access paths, it can however also be a base
* expansion. If the given access path and value do not alias, null is
* returned.
*/
public AccessPath mayAlias(AccessPath ap, Value val) {
// What cannot be represented in an access path cannot alias
if (!AccessPath.canContainValue(val))
return null;
// Constants can never alias
if (val instanceof Constant)
return null;
// For instance field references, the base must match
if (val instanceof Local)
if (ap.getPlainValue() != val)
return null;
// For array references, the base must match
if (val instanceof ArrayRef)
if (ap.getPlainValue() != ((ArrayRef) val).getBase())
return null;
// For instance field references, the base local must match
if (val instanceof InstanceFieldRef) {
if (!ap.isLocal() && !ap.isInstanceFieldRef())
return null;
if (((InstanceFieldRef) val).getBase() != ap.getPlainValue())
return null;
}
// If the value is a static field reference, the access path must be
// static as well
if (val instanceof StaticFieldRef)
if (!ap.isStaticFieldRef())
return null;
// If we have an interactive aliasing algorithm, we check that as well
/*
if (aliasingStrategy.isInteractive())
return aliasingStrategy.mayAlias(new AccessPath(val1, false), new AccessPath(val2, false));
*/
// Get the field set from the value
SootField[] fields = val instanceof FieldRef
? new SootField[] { ((FieldRef) val).getField() } : new SootField[0];
return getReferencedAPBase(ap, fields);
}
示例16
public boolean isStaticFieldWrite(SootMethod method, SootField variable, Set<SootMethod> runList) {
// Without a body, we cannot say much
if (!method.hasActiveBody())
return false;
// Do not process the same method twice
if (!runList.add(method))
return false;
// Do we already have an entry?
Map<SootField, StaticFieldUse> entry = staticFieldUses.get(method);
if (entry != null) {
StaticFieldUse b = entry.get(variable);
if (b != null && b != StaticFieldUse.Unknown) {
return b == StaticFieldUse.Write;
}
}
// Scan for references to this variable
for (Unit u : method.getActiveBody().getUnits()) {
if (u instanceof AssignStmt) {
AssignStmt assign = (AssignStmt) u;
if (assign.getLeftOp() instanceof StaticFieldRef) {
SootField sf = ((StaticFieldRef) assign.getLeftOp()).getField();
registerStaticVariableUse(method, sf, StaticFieldUse.Write);
return true;
}
}
if (((Stmt) u).containsInvokeExpr())
for (Iterator<Edge> edgeIt = Scene.v().getCallGraph().edgesOutOf(u); edgeIt.hasNext(); ) {
Edge e = edgeIt.next();
if (isStaticFieldWrite(e.getTgt().method(), variable, runList));
return true;
}
}
// Variable is not read
registerStaticVariableUse(method, variable, StaticFieldUse.Unwrite);
return false;
}
示例17
public void caseStaticFieldRef(StaticFieldRef expr) {
st.addStatement(new Nop());
}
示例18
public void caseStaticFieldRef(StaticFieldRef v) {
printFieldRef(v);
}
示例19
private Insn buildStaticFieldGetInsn(Register destinationReg, StaticFieldRef sourceRef) {
SootField sourceSootField = sourceRef.getField();
BuilderFieldReference sourceField = DexPrinter.toFieldReference(sourceSootField, belongingFile);
Opcode opc = getPutGetOpcodeWithTypeSuffix("sget", sourceField.getType());
return new Insn21c(opc, destinationReg, sourceField);
}
示例20
private void javafy_ref(ValueBox vb) {
Ref r = (Ref) vb.getValue();
if (r instanceof StaticFieldRef) {
SootFieldRef fieldRef = ((StaticFieldRef) r).getFieldRef();
//addPackage(fieldRef.declaringClass().getJavaPackageName());
String className = fieldRef.declaringClass().toString();
String packageName = fieldRef.declaringClass().getJavaPackageName();
String classPackageName = packageName;
if (className.lastIndexOf('.') > 0) {// 0 doesnt make sense
classPackageName = className.substring(0, className.lastIndexOf('.'));
}
if(!packageName.equals(classPackageName))
throw new DecompilationException("Unable to retrieve package name for identifier. Please report to developer.");
addToImportList(className);
vb.setValue(new DStaticFieldRef(fieldRef, getMethod().getDeclaringClass().getName()));
} else if (r instanceof ArrayRef) {
ArrayRef ar = (ArrayRef) r;
javafy(ar.getBaseBox());
javafy(ar.getIndexBox());
}
else if (r instanceof InstanceFieldRef) {
InstanceFieldRef ifr = (InstanceFieldRef) r;
javafy(ifr.getBaseBox());
vb.setValue(new DInstanceFieldRef(ifr.getBase(), ifr.getFieldRef(),
thisLocals));
}
else if (r instanceof ThisRef) {
ThisRef tr = (ThisRef) r;
vb.setValue(new DThisRef((RefType) tr.getType()));
}
}
示例21
public void caseStaticFieldRef(StaticFieldRef ref) {
result = result.add(mgr.INITIALIZATION_ERRORS);
}
示例22
/**
* <p>
* Utility method for checking if a {@link Unit} might have side effects. It
* simply returns true for any unit which invokes a method directly or which
* might invoke static initializers indirectly (by creating a new object or
* by refering to a static field; see sections 2.17.4, 2.17.5, and 5.5 of
* the Java Virtual Machine Specification).
* </p>
*
* <code>mightHaveSideEffects()</code> is declared package-private so that
* it is available to unit tests that are part of this package.
*
* @param u
* The unit whose potential for side effects is to be checked.
*
* @return whether or not <code>u</code> has the potential for side effects.
*/
static boolean mightHaveSideEffects(Unit u) {
if (u instanceof Inst) {
Inst i = (Inst) u;
return (i.containsInvokeExpr() || (i instanceof StaticPutInst)
|| (i instanceof StaticGetInst) || (i instanceof NewInst));
} else if (u instanceof Stmt) {
for (ValueBox vb : u.getUseBoxes()) {
Value v = vb.getValue();
if ((v instanceof StaticFieldRef) || (v instanceof InvokeExpr)
|| (v instanceof NewExpr)) {
return true;
}
}
}
return false;
}
示例23
private boolean isFieldRef(Value op) {
return op instanceof InstanceFieldRef || op instanceof StaticFieldRef;
}
示例24
/**
* Returns a call flow function.
*
* @param src A statement that is the source of a call edge in the call graph. This is generally a
* call statement, but field accesses can also lead to edges leading to class
* initializers.
* @param dest The destination method.
* @param zeroValue The zero value for the analysis, which represents the absence of a data flow
* fact.
* @return The call flow function for the input statement.
*/
public FlowFunction<Value> getCallFlowFunction(Unit src, final SootMethod dest,
final Value zeroValue) {
if (logger.isDebugEnabled()) {
logger.debug("Call: " + src);
}
String declaringClass = dest.getDeclaringClass().getName();
if (!AnalysisParameters.v().isAnalysisClass(declaringClass)) {
// Only propagate through analysis classes.
return KillAll.v();
}
Stmt stmt = (Stmt) src;
// Some statements other than call statements (e.g., field accesses) can lead to call edges to
// class initializers.
boolean containsInvokeExpr = stmt.containsInvokeExpr();
final InvokeExpr ie = containsInvokeExpr ? stmt.getInvokeExpr() : null;
if (containsInvokeExpr
&& (Model.v().getArgumentsForGenMethod(ie) != null || Model.v()
.getArgumentsForCopyConstructor(ie.getMethodRef()) != null)) {
return KillAll.v();
}
return new FlowFunction<Value>() {
@Override
public Set<Value> computeTargets(Value source) {
if (logger.isDebugEnabled()) {
logger.debug("Source: " + source);
}
if (dest.getName().equals(SootMethod.staticInitializerName)) {
if (source instanceof FieldRef) {
return Collections.singleton(source);
} else {
return Collections.emptySet();
}
}
final List<Value> paramLocals = new ArrayList<Value>();
for (int i = 0; i < dest.getParameterCount(); ++i) {
// TODO (Damien): maybe activate again?
// if (ie.getArg(i) instanceof NullConstant && source.equals(zeroValue)) {
// return Collections.singleton((Value) dest.getActiveBody().getParameterLocal(i));
// }
paramLocals.add(dest.getActiveBody().getParameterLocal(i));
}
int argIndex = FunctionFactoryUtils.shouldPropagateSource(source, ie.getArgs());
if (argIndex != -1) {
if (logger.isDebugEnabled()) {
logger.debug("Returning " + paramLocals.get(argIndex));
}
return Collections.singleton(paramLocals.get(argIndex));
}
if (source instanceof StaticFieldRef) {
// Always propagate static fields.
return Collections.singleton(source);
} else if (source instanceof InstanceFieldRef) {
if (FunctionFactoryUtils.shouldPropagateInstanceField((InstanceFieldRef) source, ie)) {
return Collections.singleton(source);
}
}
if (logger.isDebugEnabled()) {
logger.debug("Returning empty set");
}
return Collections.emptySet();
}
};
}
示例25
protected void addSceneTransformer(Map<SootMethod, Set<String>> entryPointMap) {
Ic3ResultBuilder resultBuilder = new Ic3ResultBuilder();
resultBuilder.setEntryPointMap(entryPointMap);
DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd_HH-mm-ss");
String debugDirPath = System.getProperty("user.home") + File.separator + "debug";
File debugDir = new File(debugDirPath);
if (!debugDir.exists()) {
debugDir.mkdir();
}
String fileName = dateFormat.format(new Date()) + ".txt";
String debugFilename = debugDirPath + File.separator + fileName;
String pack = AnalysisParameters.v().useShimple() ? "wstp" : "wjtp";
Transform transform =
new Transform(pack + ".ifds", new PropagationSceneTransformer(resultBuilder,
new PropagationSceneTransformerFilePrinter(debugFilename, new SymbolFilter() {
@Override
public boolean filterOut(Value symbol) {
return symbol instanceof StaticFieldRef
&& ((StaticFieldRef) symbol).getField().getDeclaringClass().getName()
.startsWith("android.provider");
}
})));
if (PackManager.v().getPack(pack).get(pack + ".ifds") == null) {
PackManager.v().getPack(pack).add(transform);
} else {
Iterator<?> it = PackManager.v().getPack(pack).iterator();
while (it.hasNext()) {
Object current = it.next();
if (current instanceof Transform
&& ((Transform) current).getPhaseName().equals(pack + ".ifds")) {
it.remove();
break;
}
}
PackManager.v().getPack(pack).add(transform);
}
}
示例26
/**
* Checks whether the given value can be the base value value of an access
* path
* @param val The value to check
* @return True if the given value can be the base value value of an access
* path
*/
public static boolean canContainValue(Value val) {
return val instanceof Local
|| val instanceof InstanceFieldRef
|| val instanceof StaticFieldRef
|| val instanceof ArrayRef;
}
