Use Soot to get the control flow of a program

Source: Internet
Author: User

I posted a question in the forum, hoping to find a way to obtain, programmatically, the list of methods that contain a specific operation.

For more information, see question: http://topic.csdn.net/u/20120919/16/8b595b1d-7c95-43c3-896f-7e001a93ce93.html

This blog post is about using Soot to obtain the control flow graph, which also provides a solution to the problem above.

The Soot program that obtains the control flow graph of a specified method:

    import java.util.List;
    import java.util.Map;

    import soot.Body;
    import soot.BodyTransformer;
    import soot.SootMethod;
    import soot.Unit;
    import soot.toolkits.graph.ExceptionalUnitGraph;
    import soot.toolkits.graph.UnitGraph;

    // Wrapper class added so the fragment compiles; the class name is a placeholder.
    public class ControlFlowPrinter extends BodyTransformer {
        UnitGraph g;

        @Override
        protected void internalTransform(Body body, String phaseName, Map options) {
            SootMethod method = body.getMethod();
            if (!method.getName().equals("methodname")) { // specify the method to analyze
                return;
            }
            g = new ExceptionalUnitGraph(body);
            // Get the graph heads, i.e. the method entries. A list of units is
            // returned because multiple entries may exist.
            List<Unit> ulist = g.getHeads();
            // Only one entry is used here, so only one of the control flows is found.
            Unit u = ulist.get(0);
            // Traverse until a tail of the graph is reached.
            while (!unitBelongList(u, g.getTails())) {
                // Keep taking the first successor of the current node.
                u = g.getSuccsOf(u).get(0);
                // Print the node, i.e. the control flow information of the node.
                System.out.println("this is the result, Look At This ------------" + u.toString());
            }
        }

        // Helper: returns true if the node is in the node list. Included only for
        // completeness; it has nothing to do with Soot and can be skipped.
        boolean unitBelongList(Unit u, List<Unit> list) {
            for (Unit i : list) {
                if (i.equals(u)) {
                    return true;
                }
            }
            return false;
        }
    }

Previously, directly iterating over the UnitGraph and printing each node did not yield all of the control flow information. I consulted Shijie, who said that some hidden operations may not be among the key nodes it outputs; you need to find the graph heads and traverse step by step to obtain the complete control flow.

The method above is the improved version and can be used directly as a reference.

Source code of the analyzed method:

    void add() {
        int a = 3;
        int b = 5;
        int c = 0;
        c = a + b;
    }

The bytecode of this method:

After running the Soot program, the complete control flow information is printed to the console:

You can see that the printed control flow information corresponds to the operations shown in the bytecode file. An assignment appears as an istore instruction in the bytecode and as "=" in the control flow information; a constant appears as iconst plus a numeric value in the bytecode and as the numeric value in the control flow information. This correspondence can be matched with simple string operations.

Now return to the problem from the beginning: obtaining the list of functions that contain a specific operation. The following example shows how the function list is obtained:

To find the functions that contain the setContentView() operation, we first find the bytecode that corresponds to this operation:

Then analyze the code of the entire project to obtain its control flow information. The relevant control flow information segment is:

This segment can be matched as a function whose return type is void and whose name is com/handlesoot/trysoothandleractivity.setContentView. After a successful match, add a tag to the function in which the segment is located. Finally, traverse the project source code and output the list of all functions that contain the specified operation.

If you have a simpler and more effective method, you are welcome to share it so we can learn from each other.
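An added example, not code from the original post: a Soot BodyTransformer that starts from every graph head and follows every successor with a visited set (instead of only the first successor), and records each method that calls setContentView by inspecting Jimple invoke expressions rather than matching printed strings. The class name CallFinder, the phase name jtp.callfinder and the TARGET constant are assumptions chosen for illustration.

```java
import java.util.*;

import soot.Body;
import soot.BodyTransformer;
import soot.PackManager;
import soot.Transform;
import soot.Unit;
import soot.jimple.Stmt;
import soot.toolkits.graph.ExceptionalUnitGraph;
import soot.toolkits.graph.UnitGraph;

// Hypothetical transformer: lists every analyzed method whose control flow
// graph reaches a call to TARGET on any path.
public class CallFinder extends BodyTransformer {
    static final String TARGET = "setContentView";   // operation to look for
    // Synchronized because Soot may run body transformers on several threads.
    static final Set<String> HITS = Collections.synchronizedSet(new TreeSet<>());

    @Override
    protected void internalTransform(Body body, String phaseName, Map options) {
        UnitGraph g = new ExceptionalUnitGraph(body);
        Deque<Unit> work = new ArrayDeque<>(g.getHeads());   // start at every entry
        Set<Unit> seen = new HashSet<>(g.getHeads());
        while (!work.isEmpty()) {
            Unit u = work.removeFirst();
            Stmt s = (Stmt) u;                        // units of a Jimple body are Stmts
            if (s.containsInvokeExpr()
                    && s.getInvokeExpr().getMethod().getName().equals(TARGET)) {
                HITS.add(body.getMethod().getSignature());
            }
            for (Unit next : g.getSuccsOf(u)) {       // all branches, not just get(0)
                if (seen.add(next)) {                 // visited set terminates on loops
                    work.addLast(next);
                }
            }
        }
    }

    public static void main(String[] args) {
        // Register in the Jimple transformation pack, then run Soot with the
        // usual command-line arguments (classpath, classes or directory to process).
        PackManager.v().getPack("jtp").add(new Transform("jtp.callfinder", new CallFinder()));
        soot.Main.main(args);
        HITS.forEach(System.out::println);
    }
}
```

Matching on the method name alone also reports unrelated methods named setContentView; comparing the declaring class of the invoked method as well narrows the result.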

 
