Abstracts over the concrete type of IllegalValue. This type needs to be refined whenever the class IllegalValue is refined or the type DomainValue is refined.
Abstracts over the concrete type of ReturnAddressValue. Needs to be fixed by some sub-trait/sub-class. In the simplest case (i.e., when neither the Value trait nor the ReturnAddressValue trait was refined) it is sufficient to write:

    type DomainReturnAddressValue = ReturnAddressValue
Abstracts over the concrete type of Value. Needs to be refined by traits that inherit from Domain and which extend Domain's Value trait.
A simple type alias of the type DomainValue; used to facilitate comprehension.
A type alias for Iterables of ExceptionValues; used to facilitate comprehension.
Represents a value that has no well defined state/type. Such values are the result of a join of two incompatible values and are generally only found in registers (in the locals) and then identify a value that is dead.
See org.opalj.ai.Domain.Value for further details.
An instruction's current register values/locals are represented using an array.
An instruction's operands are represented using a list where the first element of the list represents the top level operand stack value.
Stores a single return address (i.e., a program counter/index into the code array).
Though the framework completely handles all aspects related to return address values, it is nevertheless necessary that this class inherits from Value, as return addresses are stored on the stack/in the registers. However, if the Value trait is refined, all additional methods may (from the point of view of OPAL-AI) just throw an OperationNotSupportedException, as these additional methods will never be called by OPAL-AI.
A collection of (not further stored) return address values. Primarily used when we join the executions of subroutines.
Abstracts over a concrete operand stack value or a value stored in one of the local variables/registers.
In general, subclasses and users of a Domain should not have/declare a direct dependency on Value. Instead they should use DomainValue, as otherwise extensibility of a Domain may be hampered or even be impossible. The only exceptions are, of course, classes that directly inherit from this class.
If you directly extend/refine this trait (i.e., in a subclass of the Domain trait you write something like trait Value extends super.Value), make sure that you also extend all classes/traits that inherit from this type (this may require a deep mixin composition and that you refine the type DomainType accordingly).
However, OPAL was designed such that extending this class should, in general, not be necessary. It may also be easier to encode the desired semantics, as far as possible, as part of the domain.
Standard inheritance from this trait is always supported and is the primary mechanism to model an abstract domain's lattice w.r.t. some special type of value. In general, the implementation should try to avoid creating new instances of values unless strictly required to model the domain's semantics. This will greatly improve the overall performance as this framework heavily uses reference-based equality checks to speed up the evaluation.
OPAL does not rely on any special equality semantics w.r.t. values and never directly or indirectly calls a Value's equals or eq method. Hence, a domain can encode equality such that it best fits its needs.
However, some of the provided domains rely on the following semantics for equals: two domain values have to be equal (==) iff they represent the same information. This includes additional information, such as the value of the origin.
E.g., a value (AnIntegerValue) that represents an arbitrary Integer value has to return true if the domain value with which it is compared also represents an arbitrary Integer value (AnIntegerValue). However, it may still be necessary to use multiple objects to represent an arbitrary integer value if, e.g., constraints should be attached to specific values. For example, after a comparison of an integer value with a predefined value (e.g., AnIntegerValue < 4) it is possible to constrain the respective value on the subsequent paths (< 4 on one path and >= 4 on the other path). To make that possible, it is however necessary to distinguish the one AnIntegerValue from some other AnIntegerValue to avoid constraining unrelated values.

    public void foo(int a, int b) {
        int z;
        if (a < 4) {
            z = a - 2; // here a is constrained (< 4), b and z are unconstrained
        } else {
            z = a + 2; // here a is constrained (>= 4), b and z are unconstrained
        }
    }

In general, equals is only defined for values belonging to the same domain. If values need to be compared across domains, they need to be adapted to a target domain first.
The class tag can be used to create type safe arrays or to extract the concrete type of the domain value.

    val DomainReferenceValue(v) = value // value is of type "DomainValue"
    // v is now of the type DomainReferenceValue
The class tag for the type DomainValue.
Required to generate instances of arrays in which values of type DomainValue can be stored in a type-safe manner.
In the sub-trait or class that fixes the type of DomainValue it is necessary to implement this abstract val using:

    val DomainValueTag: ClassTag[DomainValue] = implicitly

(As of Scala 2.10 it is necessary that you do not mark this val as implicit in the subclass: it will compile, but fail at runtime, because the implicit search then resolves to the very val that is being initialized.)
The result of the merge of two incompatible values has to be reported as a MetaInformationUpdate[DomainIllegalValue].
Factory method to create an instance of a ReturnAddressValue.
The singleton instance of the IllegalValue.
The singleton instance of ReturnAddressValues.
The result of merging two values should never be reported as a StructuralUpdate if the computed value is an IllegalValue. The JVM semantics guarantee that the value will not be used and, hence, continuing the interpretation is meaningless.
This method is solely defined for documentation purposes and to catch implementation errors early on.
Called by the abstract interpreter when an exception is thrown that is not (guaranteed to be) handled within the same method.
This method is only intended to be called by the AI framework.
Called by the abstract interpreter when the abstract interpretation of a method has ended. The abstract interpretation of a method ends if either the fixpoint is reached or the interpretation was aborted.
By default this method does nothing.
Domains that override this method are expected to also call super.abstractInterpretationEnded(aiResult).
This method is called after all values which differ have been joined, but before joinPostProcessing will be called.
This method is called after the evaluation of the instruction with the given pc with respect to targetPC, but before the values are propagated (joined) and before it is checked whether the interpretation needs to be continued.
I.e., if the operands (newOperands) or locals (newLocals) are further refined, then the refined operands and locals are joined (if necessary).
During the evaluation of the instruction it is possible that this method is called multiple times with different targetPCs. The latter is not only true for control flow instructions, but also for those instructions that may raise an exception.
This method can and is intended to be overridden to further refine the operand stack/the locals. However, the overriding method should always forward the (possibly refined) operands and locals to the super method (stackable traits).
Returns all PCs that may lead to the (ab)normal termination of the method. I.e., those instructions (in particular method call instructions) that may throw some unhandled exceptions will also be returned, even if the instruction also has regular successors and exception handlers.
This information is lazily computed.
Returns the PCs of the first instruction of all subroutines.
Returns the set of all instructions executed after the instruction with the given pc. If this set is empty, either the instruction belongs to dead code, the instruction is a return instruction, or the instruction throws an exception that is never handled internally.
The set is recalculated on demand.
The given value, which is a value with computational type reference, is returned by the return instruction with the given pc.
This method is only intended to be called by the AI framework.
This method is called immediately before a join operation with regard to the specified pc is performed.
This method is intended to be overridden by clients to perform custom operations.
Creates a graph representation of the CFG.
This implementation is for debugging purposes only. It is NOT performance optimized! The returned graph is recomputed whenever this method is called.
Returns the dominator tree.
To get the list of all evaluated instructions and their dominators:

    val result = AI(...,...,...)
    val evaluated = result.evaluatedInstructions
The given value, which is a value with computational type double, is returned by the return instruction with the given pc.
This method is only intended to be called by the AI framework.
Called by the framework after evaluating the instruction with the given pc. I.e., the state of all potential successor instructions was updated and the flow method was called (potentially multiple times) accordingly.
By default this method does nothing.
Returns the program counter(s) of the instruction(s) that is(are) executed next if the evaluation of this instruction may raise an exception.
The returned set is always empty for instructions that cannot raise exceptions, such as the StackManagementInstructions.
The successor instructions are necessarily the handlers of catch blocks.
The org.opalj.br.instructions.ATHROW has successors if and only if the thrown exception is directly handled inside this code block.
Called by the framework after performing a computation to inform the domain about the result.
That is, after evaluating the effect of the instruction with currentPC on the current stack and registers and (if necessary) joining the updated stack and registers with the stack and registers associated with the instruction successorPC. (Hence, this method is ONLY called for return instructions if the return instruction throws an IllegalMonitorStateException.)
This function basically informs the domain about the instruction that may be evaluated next. The flow function is called for every possible successor of the instruction with currentPC. This includes all branch targets as well as those instructions that handle exceptions.
In some cases it will even be the case that flow is called multiple times with the same pair of program counters: (currentPC, successorPC). This may happen, e.g., in case of a switch instruction where multiple values have the same body/target instruction and we do not have precise information about the switch value. E.g., as in the following snippet:

    switch (i) {                                 // pc: X => Y (for "1"), Y (for "2"), Y (for "3")
        case 1:
        case 2:
        case 3:
            System.out.println("Great.");        // pc: Y
            break;
        default:
            System.out.println("Not So Great."); // pc: Z
    }

The flow function is also called after instructions that are domain independent, such as dup and load instructions which just manipulate the registers and stack in a generic way. This enables the domain to precisely follow the evaluation progress and in particular to perform control-flow dependent analyses.
The program counter of the instruction that is currently evaluated by the abstract interpreter.
The current operands. I.e., the operand stack before the instruction is evaluated.
The current locals. I.e., the locals before the instruction is evaluated.
The program counter of an instruction that is a potential successor of the instruction with currentPC. In general the AI framework adds the pc of the successor instruction to the beginning of the worklist unless it is a join instruction. In this case the pc is added to the end, in the context of the current (sub)routine. Hence, the AI framework first evaluates all paths leading to a join instruction before the join instruction will be evaluated.
true if and only if the evaluation of the instruction with the program counter currentPC threw an exception; false otherwise. Hence, if this parameter is true the instruction with successorPC is the first instruction of the handler.
> 0 if and only if we have an exceptional control flow that terminates one or more subroutines. In this case the successor instruction is scheduled (if at all) after all subroutines that will be terminated by the exception.
true if a join was performed. I.e., the successor instruction is an instruction (Code.cfJoins) that was already previously evaluated and where multiple paths potentially join.
The current list of instructions that will be evaluated next. If you want to force the evaluation of the instruction with the program counter successorPC, it is sufficient to test whether the list already contains successorPC and, if not, to prepend it. If the worklist already contains successorPC, then the domain is allowed to move the PC to the beginning of the worklist.
If the PC does not belong to the same (current) (sub)routine, it is not allowed to be moved to the beginning of the worklist. (Subroutines can only be found in code generated by old Java compilers, before Java 6. Subroutines are identified by jsr/ret instructions. A subroutine can be identified by going back in the worklist and looking for specific "program counters" (e.g., SUBROUTINE_START, SUBROUTINE_END). These program counters mark the beginning of a subroutine. In other words, an instruction can be freely moved around unless a special program counter value is found. All special program counters use negative values.) Additionally, neither the negative values nor the positive values between two negative values should be changed. Furthermore, no value (PC) should be put between negative values that capture subroutine information.
If the domain updates the worklist, it is the responsibility of the domain to call the tracer and to inform it about the changes. Note that the worklist is not allowed to contain duplicates related to the evaluation of the current (sub)routine.
The array that associates every instruction with its operand stack that is in effect. Note that only those elements of the array that belong to instructions evaluated in the past contain values; the other elements are null. Furthermore, it identifies the operandsArray of the subroutine that will execute the instruction with successorPC.
The operandsArray may be null for the current instruction (not the successor instruction) if the execution of the current instruction leads to the termination of the current subroutine. In this case the information about the operands and locals associated with all instructions belonging to the subroutine is reset.
The array that associates every instruction with its current register values. Note that only those elements of the array that belong to instructions evaluated in the past contain values; the other elements are null. Furthermore, it identifies the localsArray of the subroutine that will execute the instruction with successorPC.
The localsArray may be null for the current instruction (not the successor instruction) if the execution of the current instruction leads to the termination of the current subroutine. In this case the information about the operands and locals associated with all instructions belonging to the subroutine is reset.
The updated worklist. In most cases this is simply the given worklist; the default implementation also returns the given worklist.
This method is called by the abstract interpretation framework.
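The scheduling rule stated for the worklist parameter above (ordinary successors are prepended, join instructions are appended so that all paths into them are evaluated first, and no pc is scheduled twice) and the remark that flow may be called several times for one (currentPC, successorPC) pair can be observed in the following toy interpreter loop. This is an added, self-contained Scala illustration written for this page; it is not OPAL's code. The constructed CFG (an if/else diamond followed by a three-case switch with a shared target), the names successors, predecessors, isJoin, schedule and run, and the use of a visited set in place of the value-based re-scheduling that a real abstract interpreter performs on a StructuralUpdate are all assumptions of the example.

```scala
// Added illustration, not OPAL code: a toy worklist that follows the
// documented rule for scheduling successor pcs.
object WorklistDemo {
  // Constructed CFG (pc -> successor pcs), roughly:
  //   0: iload a   1: ifge 4    2: isub      3: goto 5     4: iadd
  //   5: tableswitch 1->7, 2->7, 3->7, default->8
  //   7: println("Great.")   8: println("Not So Great.")   9: return
  val successors: Map[Int, List[Int]] = Map(
    0 -> List(1), 1 -> List(2, 4), 2 -> List(3), 3 -> List(5), 4 -> List(5),
    5 -> List(7, 7, 7, 8), 7 -> List(9), 8 -> List(9), 9 -> Nil
  )

  // Distinct predecessors per pc; a pc with more than one is a join instruction
  // (compare hasMultiplePredecessors / Code.cfJoins in the documentation).
  val predecessors: Map[Int, Set[Int]] =
    successors.toList
      .flatMap { case (pc, succs) => succs.map(s => (s, pc)) }
      .groupBy(_._1)
      .map { case (s, edges) => (s, edges.map(_._2).toSet) }

  def isJoin(pc: Int): Boolean = predecessors.getOrElse(pc, Set.empty[Int]).size > 1

  // The documented rule: never schedule a pc twice; append join instructions,
  // prepend everything else. (Subroutine markers are ignored in this toy.)
  def schedule(worklist: List[Int], successorPC: Int): List[Int] =
    if (worklist.contains(successorPC)) worklist
    else if (isJoin(successorPC)) worklist :+ successorPC
    else successorPC :: worklist

  // Runs the loop once and records the evaluation order plus how often `flow`
  // would be invoked for each (currentPC, successorPC) pair. A real interpreter
  // re-schedules a join when the joined state changed; lacking values, this toy
  // uses a visited set instead.
  def run(): (List[Int], Map[(Int, Int), Int]) = {
    var worklist: List[Int] = List(0)
    var order: List[Int] = Nil
    var visited: Set[Int] = Set.empty
    var flowCalls: Map[(Int, Int), Int] = Map.empty
    while (worklist.nonEmpty) {
      val currentPC = worklist.head
      worklist = worklist.tail
      order = currentPC :: order
      visited += currentPC
      for (successorPC <- successors(currentPC)) {
        val key = (currentPC, successorPC)
        flowCalls = flowCalls.updated(key, flowCalls.getOrElse(key, 0) + 1)
        if (!visited(successorPC)) worklist = schedule(worklist, successorPC)
      }
    }
    (order.reverse, flowCalls)
  }

  def main(args: Array[String]): Unit = {
    val (order, flowCalls) = run()
    println(order)             // List(0, 1, 4, 2, 3, 5, 8, 7, 9): 5 and 9 run after all their predecessors
    println(flowCalls((5, 7))) // 3: one flow call per switch case that targets pc 7
  }
}
```

Note how pc 5 is appended when first reached from pc 4 and therefore only runs after the other path (2, 3) has been evaluated; the same holds for pc 9. A domain that wants to force an instruction earlier does exactly what schedule does in its first branch: check for membership, then prepend.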
The given value, which is a value with computational type float, is returned by the return instruction with the given pc.
This method is only intended to be called by the AI framework.
Returns true if the exception handler may handle at least one exception thrown by an instruction in the try block.
Returns true if the instruction with the given pc has multiple (more than one) direct predecessors.
Tests if the instruction with the given pc has a successor instruction with a pc' that satisfies the given predicate p.
Override this method to perform custom initialization steps.
Always use abstract override and call the super method; it is recommended to complete the initialization of this domain before calling the super method.
The given value, which is a value with computational type integer, is returned by the return instruction with the given pc.
This method is only intended to be called by the AI framework.
Tests if the instruction with the given pc is a direct or indirect predecessor of the given successor instruction.
Joins the given operand stacks and local variables.
In general there should be no need to refine this method. Overriding this method should only be done for analysis purposes.
This method heavily relies on reference comparisons to speed up the overall process of performing an abstract interpretation of a method. Hence, a computation should, whenever possible, return (one of) the original object(s) if that value has the same abstract state as the result. Furthermore, if all original values capture the same abstract state as the result of the computation, the "left" value (the value that was already used in the past) should be returned.
The joined operand stack and registers.
Returns NoUpdate if this memory layout already subsumes the other memory layout.
The operand stacks are guaranteed to contain compatible values w.r.t. the computational type (unless the bytecode is not valid or OPAL contains an error). I.e., if the result of joining two operand stack values is an IllegalValue, we assume that the domain implementation is incorrect. However, the joining of two register values can result in an illegal value, which identifies the value as being dead.
The size of the operands stacks that are to be joined and the number of registers/locals that are to be joined can be expected to be identical under the assumption that the bytecode is valid and the framework contains no bugs.
Enables the customization of the behavior of the base join method.
This method in particular enables, in case of a MetaInformationUpdate, raising the update type to force the continuation of the abstract interpretation process.
Domains that override this method should always call the super method.
The current update type. The level can be raised. It is an error to lower the update level.
The old operands, before the join. Should not be changed.
The old locals, before the join. Should not be changed.
The new operands; may be updated.
The new locals; may be updated.
The pc of the jsr(w) instruction.
The given value, which is a value with computational type long, is returned by the return instruction with the given pc.
This method is only intended to be called by the AI framework.
Merges the given domain value v1 with the domain value v2 and returns the merged value, which is v1 if v1 is an abstraction of v2, v2 if v2 is an abstraction of v1, or some other value if a new value is computed that abstracts over both values.
This operation is commutative.
Returns the program counter(s) of the instruction(s) that is(are) executed before the instruction with the given pc.
If the instruction with the given pc was never executed, an empty set is returned.
A valid program counter.
Returns a string representation of the properties associated with the instruction with the respective program counter.
Associating properties with an instruction and maintaining those properties is, however, at the sole responsibility of the Domain.
This method is predefined to facilitate the development of support tools and is not used by the abstract interpretation framework.
Domains that define (additional) properties should (abstract) override this method and should return a textual representation of the property.
Returns the program counter(s) of the instruction(s) that is(are) executed next if the evaluation of this instruction may succeed without raising an exception.
The returned set is always empty for return instructions. It is also empty for instructions that always throw an exception (e.g., an integer division whose divisor is known to be zero will always result in an ArithmeticException).
The org.opalj.br.instructions.ATHROW instruction will never have a regularSuccessor. The return instructions will never have any successors.
The pc of the ret instruction.
Called when a return instruction with the given pc is reached. In other words, when the method returns normally.
This method is only intended to be called by the AI framework.
This function can be called when the instruction successorPC needs to be scheduled. The function will test if the instruction is already scheduled and, if so, returns the given worklist. Otherwise the instruction is scheduled in the correct (subroutine-)context.
Creates a summary of the given domain values by summarizing and joining the given values. For the precise details regarding the calculation of a summary see Value.summarize(...).
The program counter that will be used for the summary value if a new value is returned that abstracts over/summarizes the given values.
An Iterable over one or more values.
The current algorithm is generic and should satisfy most needs, but it is not very efficient. However, it should be easy to tailor it for a specific domain/domain values, if need be.
Returns the type (type bounds) of the given value.
In general a single value can have multiple type bounds which depend on the control flow. However, all types that the value represents must belong to the same computational type category. I.e., it is possible that the value has either the type "NullPointerException or IllegalArgumentException", but it will never have, at the same time, the (Java) types int and long. Furthermore, it is possible that the returned type(s) is(are) only an upper bound of the real type, unless the type is a primitive type.
This default implementation always returns org.opalj.ai.UnknownType.
typeOfValue
This method is typically not implemented by a single Domain trait/object, but is instead implemented collaboratively by all domains that implement the semantics of certain values. To achieve that, other Domain traits that implement a concrete domain's semantics have to abstract override this method and only return the value's type if the domain knows anything about the type. If a method that overrides this method has no knowledge about the given value, it should delegate this call to its super method.
Example:

    trait FloatValues extends Domain[...] {
        ...
        abstract override def typeOfValue(value: DomainValue): TypesAnswer =
            value match {
                case _: FloatValue ⇒ IsFloatValue
                case _             ⇒ super.typeOfValue(value)
            }
    }
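The three pieces described above (refining the abstract DomainValue type, supplying DomainValueTag so that register arrays can be allocated type-safely, and implementing typeOfValue collaboratively through stackable traits) fit together as in the following self-contained Scala sketch. It is an added example written for this page and compiles without OPAL; the trait Domain, the answers UnknownType/IsIntegerValue/IsFloatValue, freshLocals, DefaultDomain and its value objects are simplified stand-ins for the real framework types, not OPAL's definitions.

```scala
// Added illustration, not OPAL code: abstract type member + ClassTag + stackable typeOfValue.
import scala.reflect.ClassTag

sealed trait TypesAnswer
case object UnknownType extends TypesAnswer
case object IsIntegerValue extends TypesAnswer
case object IsFloatValue extends TypesAnswer

trait Domain {
  trait Value
  type DomainValue >: Null <: Value          // fixed by the concrete domain
  implicit val DomainValueTag: ClassTag[DomainValue]

  // Registers are an array; the tag lets us allocate it here although the
  // element type is still abstract at this point.
  def freshLocals(count: Int): Array[DomainValue] = new Array[DomainValue](count)

  // Base answer: no trait in the mixin chain knows this value.
  def typeOfValue(value: DomainValue): TypesAnswer = UnknownType
}

trait IntegerValues extends Domain {
  trait IntegerValue extends Value
  abstract override def typeOfValue(value: DomainValue): TypesAnswer = value match {
    case _: IntegerValue => IsIntegerValue
    case _               => super.typeOfValue(value)   // delegate: not ours
  }
}

trait FloatValues extends Domain {
  trait FloatValue extends Value
  abstract override def typeOfValue(value: DomainValue): TypesAnswer = value match {
    case _: FloatValue => IsFloatValue
    case _             => super.typeOfValue(value)
  }
}

// The concrete domain fixes DomainValue and provides the tag. Note: no
// `implicit` on the val, otherwise `implicitly` resolves to the val itself.
class DefaultDomain extends Domain with IntegerValues with FloatValues {
  type DomainValue = Value
  val DomainValueTag: ClassTag[DomainValue] = implicitly
  case object AnIntegerValue extends IntegerValue
  case object AFloatValue extends FloatValue
  case object SomeReference extends Value        // no trait above claims this one
}

object TypeRefinementDemo {
  def main(args: Array[String]): Unit = {
    val d = new DefaultDomain
    val locals: Array[d.DomainValue] = d.freshLocals(3)   // type-safe via DomainValueTag
    locals(0) = d.AnIntegerValue
    locals(1) = d.AFloatValue
    locals.foreach { v =>
      println(if (v == null) "unused register" else d.typeOfValue(v))
    }                                            // IsIntegerValue, IsFloatValue, unused register
    println(d.typeOfValue(d.SomeReference))      // UnknownType: every trait delegated to super
  }
}
```

The linearization DefaultDomain, FloatValues, IntegerValues, Domain decides who answers first; because every trait forwards unknown values to super, the order only affects performance, not the answer.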
Replaces all occurrences of oldValue (using reference equality) with newValue. If no occurrences are found, the original operands and locals data structures are returned.
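The contract spelled out in the sections on equality, join, mergeDomainValues and this reference-based replacement (keep the "left" value when it already subsumes the right one, create a fresh object only when neither abstracts the other, and treat two equal-but-distinct objects as separately constrainable) is shown on a deliberately small integer lattice below. This is an added Scala example written for this page, not OPAL's implementation: the names IntValue, AnIntValue, IntRange, IntLattice, the two constrain functions and the reduced Update hierarchy (only NoUpdate and StructuralUpdate; OPAL additionally has MetaInformationUpdate) are assumptions of the example.

```scala
// Added illustration, not OPAL code: join with reference-preserving results and
// identity-based replacement on a toy integer lattice.
sealed trait Update[+V] { def value: V }
final case class NoUpdate[V](value: V) extends Update[V]          // left value already subsumes
final case class StructuralUpdate[V](value: V) extends Update[V]  // abstract state changed

sealed abstract class IntValue { def subsumes(other: IntValue): Boolean }

// Two AnIntValue objects carry the same information (==) but keep separate
// identities so that each can be constrained on its own.
final class AnIntValue extends IntValue {
  def subsumes(other: IntValue): Boolean = true
  override def equals(other: Any): Boolean = other.isInstanceOf[AnIntValue]
  override def hashCode(): Int = 1
  override def toString(): String = "AnIntValue"
}

final case class IntRange(lb: Int, ub: Int) extends IntValue {
  def subsumes(other: IntValue): Boolean = other match {
    case IntRange(olb, oub) => lb <= olb && oub <= ub
    case _: AnIntValue      => false
  }
}

object IntLattice {
  // v1 if it abstracts v2 (NoUpdate), v2 if it abstracts v1, otherwise a new value.
  def join(v1: IntValue, v2: IntValue): Update[IntValue] =
    if (v1 eq v2) NoUpdate(v1)                  // cheapest case: same object
    else if (v1 subsumes v2) NoUpdate(v1)       // prefer the "left"/older value
    else if (v2 subsumes v1) StructuralUpdate(v2)
    else (v1, v2) match {
      case (IntRange(a, b), IntRange(c, d)) => StructuralUpdate(IntRange(a min c, b max d))
      case _                                => StructuralUpdate(new AnIntValue)
    }

  // Path constraints after `if (a < 4)`; a fresh object only if information changes.
  def constrainLessThan(v: IntValue, bound: Int): IntValue = v match {
    case IntRange(_, ub) if ub < bound => v
    case IntRange(lb, _)               => IntRange(lb, bound - 1)
    case _: AnIntValue                 => IntRange(Int.MinValue, bound - 1)
  }
  def constrainGreaterOrEqual(v: IntValue, bound: Int): IntValue = v match {
    case IntRange(lb, _) if lb >= bound => v
    case IntRange(_, ub)                => IntRange(bound, ub)
    case _: AnIntValue                  => IntRange(bound, Int.MaxValue)
  }

  // updateMemoryLayout-style replacement: only the instance `oldValue` (eq) is
  // replaced; untouched structures are returned as-is so callers can use `eq`.
  def replace(oldValue: IntValue, newValue: IntValue,
              operands: List[IntValue], locals: Array[IntValue]): (List[IntValue], Array[IntValue]) = {
    val newOperands =
      if (operands.exists(_ eq oldValue)) operands.map(v => if (v eq oldValue) newValue else v)
      else operands
    val newLocals =
      if (locals.exists(_ eq oldValue)) locals.map(v => if (v eq oldValue) newValue else v)
      else locals
    (newOperands, newLocals)
  }

  def main(args: Array[String]): Unit = {
    val a = new AnIntValue
    val b = new AnIntValue                       // a == b, but !(a eq b)
    val locals: Array[IntValue] = Array[IntValue](a, b, null)   // constructed register file

    // then-path of `if (a < 4)`: register 0 is constrained, register 1 (b) is not
    val (_, thenLocals) = replace(a, constrainLessThan(a, 4), Nil, locals)
    println(thenLocals.toList)                   // List(IntRange(-2147483648,3), AnIntValue, null)
    // else-path of `if (a < 4)`
    val (_, elseLocals) = replace(a, constrainGreaterOrEqual(a, 4), Nil, locals)

    // join at the merge point: neither range subsumes the other -> new value
    println(join(thenLocals(0), elseLocals(0)))  // StructuralUpdate(IntRange(-2147483648,2147483647))
    // register 1 is the same object on both paths -> nothing changed
    println(join(thenLocals(1), elseLocals(1)))  // NoUpdate(AnIntValue)
    // no occurrence -> the very same array instance comes back
    println(replace(new AnIntValue, a, Nil, locals)._2 eq locals)   // true
  }
}
```

The point a domain author should take from this: join must return one of its inputs whenever it can, because the framework decides whether to continue the fixpoint iteration from the update kind (and from eq on the returned objects), not from equals.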
Records the abstract interpretation time control-flow graph (CFG). This CFG is always (still) a sound approximation of the generally incomputable real CFG.
Usage (Mixin-Composition Order)
This domain overrides the flow method and requires that it is mixed in before every other domain that overrides the flow method and which may manipulate the worklist. E.g., the mixin order should be:
If the mixin order is not correct, the CFG may not be complete/concrete.
Core Properties
initProperties.