Skip to content

Qilin Design

QilinPTA edited this page Mar 24, 2022 · 3 revisions

Qilin's Architecture

The architecture of Qilin.

The figure above depicts the architecture of Qilin. Qilin is built on top of Soot, for supporting fine-grained context-sensitive pointer analysis for Java programs. Its main components are introduced briefly in a top-down manner below.

Qilin's toolbox

Currently, Qilin's toolbox includes not only a number of widely used method-level context-sensitive pointer analyses (e.g., insens, kCFA, kOBJ, kTYPE, and Hybrid) but also a number of recently proposed representative fine-grained analyses (e.g., Eagle, Turner, and Conch), as described in our ECOOP'22 paper.

Qilin's context-sensitivity-controlling (CSC) parameters

In Qilin, context-sensitivity for a given analysis is defined by a set of three context-sensitivity-controlling (CSC) parameters, a context constructor, a context selector, and a heap abstractor, each of which can be instantiated to support different flavors (i.e., granularities) of context-sensitivity from the method level to the variable level.

Developers can implement their own context-sensitive pointer analyses in Qilin by either using a number of built-in instantiations or defining their own instantiations.

Qilin's solver

In Qilin, its parameterized pointer analysis is performed together with callgraph construction and exception analysis. To solve the pointer analysis efficiently, we have designed a new incremental worklist-based constraint solver. For details, please read Sections 3.2 and 3.3 of our ECOOP'22 paper.

Feature handlers

Java programs usually contain native code and reflection code, which will often make pointer analysis results unsound (when some of such code is not analysed). To mitigate this issue, we have designed special handlers to simulate the runtime semantics.

To model a native method, we have designed a native code handler to simulate its semantics by generating a method body in Jimple. Currently, Qilin handles a small set of native methods, such thread:start(), DoPrivileged() and clone(). For details, please refer to our ECOOP'22 paper. Future users can add their own native code handlers under this directory.

As for Java reflection, Qilin provides a reflection handler to handle the reflective targets that are discovered beforehand and made available in a reflection log file. Future users can also add their own reflection handlers under this directory.