What is WALA?!  Javalibraries for static and dynamic program  analysis!  Initially   developed at IBM T.J. Watson Research...
(Some) Previous Uses of WALA!    Research      •  over 40 publications from 2003-present      •  Including one at PLDI’10 ...
WALA Features: Static Analysis!    Pointer analysis / call graph construction      •  Several algorithms provided (RTA, va...
Other Key WALA Features!    Multiple language front-ends     •  Bytecode: Java, .NET (internal)     •  Source (CAst): Java...
What We’ll Cover!  Overviews of main modules  •  Important features  •  Key class names  •  How things fit together  •  Ho...
How to get WALA!    Walkthrough on “Getting Started” page at wala.sf.net!    Code available in SVN repository      •  Trun...
GENERAL UTILITIES
!"#"$%&&$()*+*),-   4"5+2"-#$6*#*7028$%209&)    ()*+,$*-.$/012)"#,3           !"#$%&#
!"#$%&!$&()&*)+,)#)-"$.-#                              !"#$%#                                   *+#,-%!"#$%#              ...
!"#$%&(%)*+),+-$+.+/)0)%1/                    (51()$*+!"#$%&,-#(#                      !"#$!%&#$   (%)!%&#$         !"#$%&...
!"#$%&()*!%*+%,$%-%.*#*)/.                     !"#$%&(3$*4./#01#2*,-#(#            !"#$%&&()*(+,)&($+-./(*01        ./#01#...
!"#$%%&%()&*(+"*,                           !!"#$%&!$((%)*+!*,,-&+.!&/!0                           !!!!$((%)*+!"1!2!%)3.4*...
!"#$%&(")*&+,)(,#,-.".$/-           !"#$%&&($)*+,     -#($%&&($)*+,!"#$%"&$()*+"#$%"&$,-        !"#$%"&$()*/#";$#60&6#7,(*...
!"#$%&%()&*+,(               -%+&%.%/0*012/            !"#$%&%!(%)*+*,%&-./                        !"#$%&%0,%)*+*,%&-./!"#...
!"#$%$&()"*+,$*)$-$./"/01.              !"#$%$&&($)"*"($+,-./01   !"#$%&$()*%+(,$*-.   /%$0(%10234"#$%50$6716$8-3"79"!"*(,...
!"#"$%&!$()*+)"$(,%-#./  0$"(1,*2%$.,3"($&*                            (                        -        .                ...
!"#"$%&!$()*+)"$(,%-#./       0"),*1%$.,2"($&*            %        7       8            9               %   7    6        ...
!"#"$%&!$()*+)"$(,%-#./          011.         !""#$%&$(&
!"#$%&()*"+,%-.       !"#$%&"()               *+#,-(-.!"#$%&"()       !"#$%&%/-0("%$-()
!"#"$%&()*+#,-+              !"#$$%&$$(&)*+,(-.*/$,+0(&1234               .*/5(&678*(96:/#,6;(,<#%*(34                    ...
!"#"$%&()*"+,%-      ! )                        12345678)                        12345678*      " *                       ...
!"#"$%&()*"+,%-!"#$%&()*+,-!.+*/0+12%/3.&/0+3*+%*#$.45./607.8+*)9:.+;")&/%0)<=/+%)5)07.>?+./"+)).@2%/3.&/0+()%0)A0)9/*)/<B...
!"#"$%&()*"+,%-      ! )      " *         !"#$%&()%*%+%(%,                  !"#$%-.)%*%+%(%.%,# +         $ /   !"#$%/0)%*...
INTERMEDIATEREPRESENTATION
!"#$%&()*+,                                 !"#$%&()!"#$%&!$()*+,-.*/($0(,-11"2*3(4*/15                !"                 ...
!"#$%&(%&)                       !"=       #$%&%#(%&&%#)*              BCD(                                     =>))      ...
!"#$%&$()"*+,-.#                       !!"#$%&()&*+$  !!",+&+#$%&()&*+$!!"-+./01#$%&()&*+$            !!""7%&0)&#$2+81#$%&...
!"#$%&$()"*+,-.#                  !!"#$%&()&*+$           !!"",%&-)&#$.+/0#$%&()&*+$!!"#$.+/0#$%&()&*+$                   ...
!"#$%&(%&)*#+,#-./)0! +,#1./)0#2&.3,/)#/,0%,1(%#345)#167)&0#,1#(.1%)8%      " 9#:(.2;<#.=#4#345)#,1#4#/,0%,1(%#(.1%)8%    ...
!"#$%&(%&)*#+,#-./)0        !"#$#%!&#$$#!(                BCD                                       >?>            )*#!"& ...
!"#$%&&%&()*#+(,$)(                                               A5+B:5     !"=         #$%&%#(%&&%#)*         C5<A5+#*( ...
!"#$%&&%&()*#+,-      ()*                      +,-./      !"#                         $"%           !"#&"                 ...
!"#$%&&%&()*#+,-(#!./(0(.1(  (           !"#$%&##()                    9:;05  &            %,##/01#2677  ,  .         %.##...
!"#$%&()*#+,-.#$%&()#/01  !"                !#$%&(.$%#$%&(/0              )*%#$%&(         ,-*%123%,-+*,%,-/,-($40        ...
!"#$%&()*#+,-)(%.)#/01       !"                !#$%&(    ,$%#$%&(-.               !)*%$+($#$%&(       /$%)*%$+($!0($1-20%....
!"#$%&()*#+%(,-#.,/)0!"    !0-%45(%/02/06$7    &()*28)*5$205,9$4          #$%&()*+),$-./0%12/0%3                          ...
SCOPES AND CLASSHIERARCHIES
Building a Call GraphbuildCG(String jarFile) {  // represents code to be analyzed  AnalyisScope scope = AnalysisScopeReade...
AnalysisScope!    Represents a set of files to analyze!    To construct from classpath:     AnalysisScopeReader.makeJavaBi...
Background: Class Loaders!    In Java, a class is identified by name and class loader      •  E.g., < Primordial, java.lan...
Multiple Names in Bytecode// this is java.lang.Objectclass Object {  public String toString() { … }}// no overriding of to...
WALA Name ResolutionEntity references resolved via IClassHierarchyEntity      Reference Type    Resolved Resolver Method  ...
More on class hierarchies!    For Java class hierarchy: ClassHierarchy.make(scope)!    Supports Java-style subtyping (sing...
INTERPROCEDURALDATAFLOW ANALYSIS
Tabulation-Based Analysis                 (Reps, Horwitz, Sagiv, POPL95)!    “Functional approach” to context-sensitive an...
Tabulation Overview                          T              TabulationDomain          IFlowFunctionMap              Provid...
Supergraph!    Collection of “procedure graphs,” connected by calls      •  ICFGSupergraph: procedure graphs are CFGs     ...
Domain / Flow Functions / Seeds!    TabulationDomain      •  Maintains mapping from facts to integers      •  Controls wor...
Partially Balanced Problems!    For when flows can start / end in a non-entrypoint      •  E.g., slice from non-entrypoint...
Debugging Your Analysis!    IFDSExplorer      •  Gives GUI view of analysis result      •  Needs paths to GraphViz dot exe...
Deep Dive: Reaching Defs!    The classic dataflow analysis, for Java static fields!    Three implementations available in ...
Example    class StaticDataflow {      static int f, g;      static void m() { f = 2; }      static void testInterproc() {...
The Domain and Supergraph!    Supergraph: ICFGSupergraph      •  Procedures: call graph nodes (CGNode)           "  In con...
Flow Functions (1)!    Normal flow for non-putstatics is     IdentityFlowFunction.identity()!    Most call-related flow fu...
Flow Functions (2)             Normal flow function for putstatic                (modified for formatting / clarity)public...
Seeds!    Standard tabulation approach: special ‘0’ fact      •  Add ‘0 -> 0’ edge to all flow functions      •  Seed with...
Putting it all Together!    ReachingDefsProblem collects domain, supergraph,     flow functions, seeds!    Running analysi...
CALL GRAPHS / POINTERANALYSIS
Call Graph Builder OverviewAnalysisOptions               Heap Model Specifies entrypoints,                               H...
Entrypoints!    What are entrypoint methods?     •  main() method        "  Util.makeMainEntrypoints()     •  All applicat...
Heap Model!    Controls abstraction of pointers and object instances!    InstanceKey: abstraction of an object      •  All...
Context Selector!    Gives context to use for callee method at some call site!    Context examples      •  The default con...
Built-In Algorithms      (Grove and Chambers, TOPLAS 2001)       Rapid Type Analysis (RTA)                     0-CFA      ...
Performance Tips!    Use AnalyisScope exclusions      •  Often, much of standard library (e.g., GUI libraries) is         ...
Code Modelling (Advanced)!    SSAContextInterpreter: builds SSA for a method      •  Normally, based on bytecode      •  C...
Refinement-Based Points-To                     Analysis!    Refines analysis precision as requested by client      •  Comp...
SLICING
Slicer Overview Statement                      DataDependenceOptionsSeed for the slicer                Which data deps to ...
Statement!    Identifies a node in the System Dependence Graph (SDG)     [Horwitz,Reps,Binkley,TOPLAS’90]!    Key statemen...
Dependence Options!    DataDependenceOptions      •  FULL (all deps) and NONE (no deps)      •  NO_BASE_PTRS: ignore depen...
Thin Slicing!    Just “top-level” data dependencies      (see [Sridharan-Fink-Bodik PLDI’07])!    For context-sensitive th...
Performance Tips!    Some configs do not scale to large programs      •  E.g., context-sensitive slicing with heap deps   ...
INSTRUMENTING BYTECODESWITH SHRIKE
Key Shrike Features!    Patch-based instrumentation API      •  Each instrumentation pass implemented as a patch      •  S...
Key Shrike ClassesClassReader              ClassWriterImmutable view            Generates JVMof .class file info;    repre...
Instrumenting A Method (1)instrument(byte[] orig, int i) {  // mutable helper class  ClassInstrumenter ci =               ...
Instrumenting A Method (2)doInstrumentation(MethodData md) {  // manages the patching process  MethodEditor me = new Metho...
Shrike Clients!    Small example: see com.ibm.wala.shrike.bench.Bench!    Dila (com.ibm.wala.dila in incubator)      •  Dy...
Java Annotation Support!    Supported features      •  Reading .class file attributes      •  Parsing some annotation info...
Eclipse Support!    WALA projects are Eclipse plug-ins     •  Easy to invoke from other plug-in!    Various utilities in c...
FRONT ENDS / CAST
!"#"$%&()$*(+                                             =/.+5.$>                             #/*:;/:5           ())(*$"+...
!"#"$%&()*+($,-*.$/.+                                 !"#"                       89:#                              <=>3$)?...
!"#$%&()*+,-.#/0.$+,  !"#$%&                                  )*+*                 !"#$%&( 1&23&#4                        ...
!"#$%&(&)*&#+  !"#$%&    !"#$%&,- &()&#*          ! ./0123)4)567&89*&:            ;<=*97>?@A                 ! ,B1+,-&./)&...
!"#"$%&()*$+&,*$-(&./$0.,                        1/2/34.56,                        -./*+0/,5(*      &C5*(                 ...
!"#$%&%()*)+,$-.*#)&%+         94;#                                     >%+ <(.+#         <%)=                            ...
!"#"$%&()*+,-)&.%)/,*01,1&")/,                               -,.#  #)&%3                                                 4...
!"#$%&$()"*+,",%-$()"   *..%96#:(#;   ####70827-#9$$:#<<#9=012345%:(>                                            !"#$#%!&#...
!"#$%"&(&")*%+,-!%.+$/"#                                  E+,F4"G:#$&H&00(&)                                  &&IJ/&E+,F4"...
!"#$%&(")*+*",-.//*,0*..%96#:(#;####70827-#9$$:#<<#9=012345%:(>                                          !"#$#%!&#$$#!(?  ...
!!"#$%&()*+%&    !"#$#%!&#$$#!(                      !"#$#%!&#$$#!(         )*#!"                                )*#!"!"#$...
WALA Tutorial at PLDI 2010
Upcoming SlideShare
Loading in …5
×

WALA Tutorial at PLDI 2010

3,607 views

Published on

This is the tutorial that we delivered at PLDI 2010

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,607
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
65
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

WALA Tutorial at PLDI 2010

  1. 1. What is WALA?!  Javalibraries for static and dynamic program analysis!  Initially developed at IBM T.J. Watson Research Center!  Open source release in 2006 under Eclipse Public License!  Key design goals •  Robustness •  Efficiency •  Extensibility
  2. 2. (Some) Previous Uses of WALA!  Research •  over 40 publications from 2003-present •  Including one at PLDI’10 (MemSAT) •  http://wala.sf.net/wiki/index.php/Publications.php!  Products •  Rational Software Analyzer: NPEs (Loginov et al. ISSTA’08), resource leak detection (Torlak and Chandra, ICSE’10) •  Rational AppScan: taint analysis (Tripp et al., PLDI’09), string analysis (Geay et al., ICSE’09) •  Tivoli Storage Manager: Javascript analysis •  WebSphere: analysis of J2EE apps
  3. 3. WALA Features: Static Analysis!  Pointer analysis / call graph construction •  Several algorithms provided (RTA, variants of Andersen’s analysis) •  Highly customizable (e.g., context sensitivity policy) •  Tuned for performance (time and space)!  Interprocedural dataflow analysis framework •  Tabulation solver (Reps-Horwitz-Sagiv POPL’95) with extensions •  Also tuned for performance!  Context-sensitive slicing framework •  With customizable dependency tracking
  4. 4. Other Key WALA Features!  Multiple language front-ends •  Bytecode: Java, .NET (internal) •  Source (CAst): Java, Javascript, X10, PHP (partial, internal), ABAP (internal) •  Add your own!!  Generic analysis utilities / data structures •  Graphs, sets, maps, constraint solvers, …!  Limited code transformation •  Java bytecode instrumentation via Shrike •  But, main WALA IR is immutable, and no code gen provided "  designed primarily for computing analysis info
  5. 5. What We’ll Cover!  Overviews of main modules •  Important features •  Key class names •  How things fit together •  How to customize!  “Deep dives” into real code •  Interprocedural dataflow analysis example •  CAst Javascript front-end
  6. 6. How to get WALA!  Walkthrough on “Getting Started” page at wala.sf.net!  Code available in SVN repository •  Trunk or previous tagged releases •  Split into several Eclipse projects, e.g., com.ibm.wala.core, com.ibm.wala.core.tests!  Dependence on Eclipse •  Easiest to build / run from Eclipse, but command line also supported •  Runtime dependence on some Eclipse plugins (progress monitors, GUI functionality, etc.); must be in classpath
  7. 7. GENERAL UTILITIES
  8. 8. !"#"$%&&$()*+*),- 4"5+2"-#$6*#*7028$%209&) ()*+,$*-.$/012)"#,3 !"#$%&#
  9. 9. !"#$%&!$&()&*)+,)#)-"$.-# !"#$%# *+#,-%!"#$%# $&()%!"#$%# ./#0%1#2(.)%*+#,-%$&()%!"#$%# :;;)%#./#0%1#2( ./#0%1#2( , ,64 ,6"3=<5 " !!!!!! 435 " !!!!!! ,)%78,9 !!!!!!
  10. 10. !"#$%&(%)*+),+-$+.+/)0)%1/ (51()$*+!"#$%&,-#(# !"#$!%&#$ (%)!%&#$ !"#$%&()$*+,-#(# .//+#01#23#4**-2%)#%).+))1.03+.-04+5.%/6&+/.+0/&.-0$.+-0$). ! 7+/.+81$&.9:;0<=;%/>?#%).-+$81$& ! *-0$.+81$&.9/5;#+$1@.+)#%). ! A024520)+#+.)5.+1@0.%/62+&+/.+-1$)%1/ ! ,+#020/4+1/;5)0)%1/B0;1$)%C%/6)1.03+41.)
  11. 11. !"#$%&()*!%*+%,$%-%.*#*)/. !"#$%&(3$*4./#01#2*,-#(# !"#$%&&()*(+,)&($+-./(*01 ./#01#2*5)2+/#2*6 ./#01#2* !"#$%&()$*+,-#(#!#0%-,#1%23-"#$).41/55/.,/$*)/.-/62)*-%*- ! !*#*%-,7)*).*/1/55/.#.&,$)0#*%,/$*)/.- ! +%,/-)*/$35#.#4%--%*/61/55/.,/$*)/.- ! 8/55/.,/$*)/.-1/5%#.&4//.&%5#.&
  12. 12. !"#$%%&%()&*(+"*, !!"#$%&!$((%)*+!*,,-&+.!&/!0 !!!!$((%)*+!"1!2!%)3.4*,,-&/5 !"#$%%&%()*") !!!!$((%)*+!61!2!1&78.4*,,-&/5 +",) -&%.) !!!!&3!-"1!92!61/!0 !!!!!!*66)1.!"1!22!615 !!!!:/$)0#+"()*") !!!!1).#1+!"15 /$)0#+"()*") !!:! -".*(*/(0"12(3"#$%("4(#&*,"*(&521"5"*.*&/, " 6.7.5"*"7&8"3(#9(*4/(/*0"7(&521"5"*.*&/, " :,,"7*(*4/(&521"5"*.*&/,(%&;"(,.5"(7",$1*, " <.=*/79(&*"7>.="(.11/4,($,"(.,(,*.3.73(#&*,"*, " </7(3";"1/25"*(/19?(5.@/7(*&5"(.3(,2.="(=/,*,
  13. 13. !"#$%&(")*&+,)(,#,-.".$/- !"#$%&&($)*+, -#($%&&($)*+,!"#$%"&$()*+"#$%"&$,- !"#$%"&$()*/#";$#60&6#7,(*.-+."*/#"0123#$450&6#7,- +."*/#";$#60&6#<&1.",(*.-8&+6*%660&6#,(*.- !"#$%"&$()*/#"=1::0&6#7,(*.-3&&9#%.*:&."%+.70&6#,(*.- +."*/#"=1::0&6#<&1.",(*0- 8&+6*%66>6/#,(*7$:?*(*67"- 3&&9#%.*@%7>6/#,(*7$:?*(*67"- .)&/0*+,
  14. 14. !"#$%&%()&*+,( -%+&%.%/0*012/ !"#$%&%!(%)*+*,%&-./ !"#$%&%0,%)*+*,%&-./!"#$%&#()*&+,-$. 4"#8&#$%&#8(99/0&()*&+7,-$"/0&.-$%&#/0&,!"#$"()*&+. 4"#8&#$%&#:+&0/0&()*&+7,-$"/0&.!"#$%&#123()*&+,.4#&+2#/+5-6$!#&+2#&/0&7,4"#8&#$7. !"#$%&%1&*23-./
  15. 15. !"#$%$&()"*+,$*)$-$./"/01. !"#$%$&&($)"*"($+,-./01 !"#$%&$()*%+(,$*-. /%$0(%10234"#$%50$6716$8-3"79"!"*(,$*. /%$0(%102:"$;%$<68"!4"#$%50$6+(,$*8-3"7. =<%"#$%50$6716$>1)<%-3"79"!"*(,$*. /%$0(%102:"$;%$<68"34"#$%?)@@716$8-3"79"!"*(,$*. /%$0(%102:"$;%$<68"!4"#$%?)@@+(,$*8-3"7. =<%"#$%?)@@716$>1)<%-3"79"!"*(,$*. A1=6"(66B6#$-3"80@9"3"68%9"!"*(,$*. ,11*$(<"C(8B6#$-3"80@9"3"68%9"!"*(,$*. ?$%2:"$;%$<68"!4"#$%B6#$+(,$*8-3"80@9"3"68%.!"#$%$&5+"67,-.01 234#$+$&!"#$%$&&($)"*"($+,-.01
  16. 16. !"#"$%&!$()*+)"$(,%-#./ 0$"(1,*2%$.,3"($&* ( - . 0 / 1 2( - . / 0 1 2 !"#$%&(%) ( - . / 0 !)*+,&,!"#$%&(%) ( - / !"#3(%4"5+,&
  17. 17. !"#"$%&!$()*+)"$(,%-#./ 0"),*1%$.,2"($&* % 7 8 9 % 7 6 9 % : ; 6 6 : !"#$%&"()*+, ;6 ; : 9 7 8 % !"#"()(-1(2+3&+,%&/, 4526+,+*!"#"()(-1(2+3&+,%&/,% 7 9 : ; 6 8 !"#!(-./0+,1(2+3&+,%&/, 4526+,+*!"#!(-./0+,1(2+3&+,%&/,
  18. 18. !"#"$%&!$()*+)"$(,%-#./ 011. !""#$%&$(&
  19. 19. !"#$%&()*"+,%-. !"#$%&"() *+#,-(-.!"#$%&"() !"#$%&%/-0("%$-()
  20. 20. !"#"$%&()*+#,-+ !"#$$%&$$(&)*+,(-.*/$,+0(&1234 .*/5(&678*(96:/#,6;(,<#%*(34 !5(&678*(96:/#,6;(,<#%*( .*/>**/?1*(&/,(34 83<!"&4=!=<#$% .*/@,%*5(&678*(96:/#,634 83<!"4=!=<#$% .*/A%.*5(&678*(96:/#,634 83<!"4=!=<#$%
  21. 21. !"#"$%&()*"+,%- ! ) 12345678) 12345678* " * 9:77578:338;:3<57# + $ , % - !485:=>8?@A5B846:?715681<?=42@?8:AA782478?<CD56 & . / ( 0 !"#$%&()*+$(,*#%-.#/#)&+012/
  22. 22. !"#"$%&()*"+,%-!"#$%&()*+,-!.+*/0+12%/3.&/0+3*+%*#$.45./607.8+*)9:.+;")&/%0)<=/+%)5)07.>?+./"+)).@2%/3.&/0+()%0)A0)9/*)/<B*$".9C5./D*!!.7E)7.F<)07.>>GH!"#$%&()*+,-!.+*/0+12%/3.&/0+3*+%*#$.45./I75.8+*)9:.+;")&/%0)<=/+%)5:+0JK=/+%)5/0>?%:<:+0JLL)07.9MNOPP/0LL)07.9MQO>+./"+)).@2%/3.&/0+;%$/.+<R.+0<>>G.$9.%:<:+0JLL)07.9MNOPP/0LL)07.9MSO>+./"+)).@2%/3.&/0+;%$/.+<0).<>>G.$9.?+./"+)2%/3.&/0+E7.)/%/,C%)9/*)&.<>GHH!"#$%&T#9/+*&/D../-!.+*/0+12%/3.&/0+3*+%*#$.45./D../-!.+*/0+<>?+./"+)2%/3.&/0+()%0)C%)9/*)&.<>GH
  23. 23. !"#"$%&()*"+,%- ! ) " * !"#$%&()%*%+%(%, !"#$%-.)%*%+%(%.%,# + $ / !"#$%/0)%*%+%(%0%, !"#$%12)%*%+%.%2%, % , !"#$%34)%*%+%(%.%0%2%4%, !"#$%56)%*%+%(%.%0%2%4%6%, !"#$%78)%*%+%8%, & - !"#$%9:)%*%+%:%, . ( 0
  24. 24. INTERMEDIATEREPRESENTATION
  25. 25. !"#$%&()*+, !"#$%&()!"#$%&!$()*+,-.*/($0(,-11"2*3(4*/15 !" *+(,-.!"#$%&() /0&!"#$%&()
  26. 26. !"#$%&(%&) !"= #$%&%#(%&&%#)* BCD( =>)) !+%#$$ $>-0 ,0%&%12#345%56789:%#(/#) ?>@-? ,-%&%.#$/#0*A@ ;5<7;2%#-
  27. 27. !"#$%&$()"*+,-.# !!"#$%&()&*+$ !!",+&+#$%&()&*+$!!"-+./01#$%&()&*+$ !!""7%&0)&#$2+81#$%&()&*+$!!"-+$21%*+$#$%&()&*+$ !!"#$2+81#$%&()&*+$ !!"3*145"))1%%#$%&()&*+$ !!",1&#$%&()&*+$ !!"6(&#$%&()&*+$
  28. 28. !"#$%&$()"*+,-.# !!"#$%&()&*+$ !!"",%&-)&#$.+/0#$%&()&*+$!!"#$.+/0#$%&()&*+$ 6(5&*70&($8-5(0#$.+/0#$%&()&*+$ ",%&-)&304*)-5#$.+/0 1-.-!)*2&#$.+/0
  29. 29. !"#$%&(%&)*#+,#-./)0! +,#1./)0#2&.3,/)#/,0%,1(%#345)#167)&0#,1#(.1%)8% " 9#:(.2;<#.=#4#345)#,1#4#/,0%,1(%#(.1%)8% " )>?>#,10,/)#4#(.1/,%,.145#.&#5..2! @0)/#%.#/)1.%)#2&)(,0)#,1=.&64%,.1 " )>?>#45,40,1?#A,%B#.%B)&#345)0 " )>?>#2&)(,0)#%;2)! $2)(,=,)/#7;#2.5,(;#/&,1?#!"#(&)4%,.1 !!"#$%&(#&)$*+ 3(1#$4$/012.*1$&/5 ,-).( $/012.*1$&/
  30. 30. !"#$%&(%&)*#+,#-./)0 !"#$#%!&#$$#!( BCD >?> )*#!"& "?, !:#$#;%!(# )*#!" :?@"/ +/#$#01!234#456789#!&.!:, =<64#E<71FG: !A#$#;%!(#A *7894#E<71FG@ +,#$#-%!".!/( <4=6<1#!,
  31. 31. !"#$%&&%&()*#+(,$)( A5+B:5 !"= #$%&%#(%&&%#)* C5<A5+#*( D5<A5+$*%E) !+%#$$0 ,0%&%12#345%56789:%#(/#)- C5<B:5:#*> ,-%&%.#$/#0* D5<B:5:$*%E?@ ;5<7;2%#-
  32. 32. !"#$%&&%&()*#+,- ()* +,-./ !"# $"% !"#&" 0 &" $"%
  33. 33. !"#$%&&%&()*#+,-(#!./(0(.1( ( !"#$%&##() 9:;05 & %,##/01#2677 , . %.##/01#2345 677 345 * %,677-#%.345-#%*9:;05 %*##+$%,-%.) 8234-5%(#43)%#-0(1&)(#643)%#7(.(08#%,-(6 ! $)()#9(180(9#%,-()#8.9#3%:(0#;.3<.#%,-() ! (=7=#13.10(%(#%,-()#/034#13.)%8.%) ! (=7=#13.10(%(#%,-()#/034#8318%&3.!.%(0/81(#83<)#5)(#8103))#8.7587()new TypeInference(ir, doPrimitives); getType(vn)
  34. 34. !"#$%&()*#+,-.#$%&()#/01 !" !#$%&(.$%#$%&(/0 )*%#$%&( ,-*%123%,-+*,%,-/,-($40 +*,%,- 5$%="7/0 5$%6,1*%7,-$/0 5$%7<*%:;;*$%/0 5$%6,1*%89/0 5$%7<*%7,-$/0 5$%6,1*%:;;*$%/0 5$%7<*%89/0 ,-*%123%,-+*,%,->%<?$*><->;;*$%>,->%&$>,-*%123%,-><11<@
  35. 35. !"#$%&()*#+,-)(%.)#/01 !" !#$%&( ,$%#$%&(-. !)*%$+($#$%&( /$%)*%$+($!0($1-20%. /$%320$4567$8-20%.,$%)*%$+($!0($19%:;$<9:09==<$%9209%&$920<%85+%209:88:*
  36. 36. !"#$%&()*#+%(,-#.,/)0!" !0-%45(%/02/06$7 &()*28)*5$205,9$4 #$%&()*+),$-./0%12/0%3 :44);2<20),$-
  37. 37. SCOPES AND CLASSHIERARCHIES
  38. 38. Building a Call GraphbuildCG(String jarFile) { // represents code to be analyzed AnalyisScope scope = AnalysisScopeReader (1) .makeJavaBinaryAnalysisScope(jarFile, null); // a class hierarchy for name resolution, etc. IClassHierarchy cha = ClassHierarchy.make(scope); (2) // what are the call graph entrypoints? Iterable<Entrypoint> e = (3) Util.makeMainEntrypoints(scope, cha); // encapsulates various analysis options AnalysisOptions o = new AnalysisOptions(scope, e); (4) // builds call graph via pointer analysis CallGraphBuilder builder = (5) Util.makeZeroCFABuilder(o, new AnalysisCache(), cha, scope); CallGraph cg = builder.makeCallGraph(o, null); (6)}
  39. 39. AnalysisScope!  Represents a set of files to analyze!  To construct from classpath: AnalysisScopeReader.makeJavaBinaryAnalysisScope()!  To read info from scope text file: AnalysisScopeReader.readJavaScope() •  Each line of scope file gives loader, lang, type, val "  E.g., “Application,Java,jarFile,bcel-5.2.jar” "  Common types: classFile, sourceFile, binaryDir, jarFile "  Examples in com.ibm.wala.core.tests/dat!  Exclusions: exclude some classes from consideration •  Used to improve scalability of pointer analysis, etc. •  Also specified in text file; see, e.g., com.ibm.wala.core.tests/dat/GUIExclusions.txt
  40. 40. Background: Class Loaders!  In Java, a class is identified by name and class loader •  E.g., < Primordial, java.lang.Object >!  Class loaders form a tree, rooted at Primordial!  Name lookup first delegates to parent class loader •  So, can’t write an app class java.lang.Object!  User-defined class loaders can provide isolation •  Used by Eclipse for plugins, J2EE app servers!  WALA naming models class loaders
  41. 41. Multiple Names in Bytecode// this is java.lang.Objectclass Object { public String toString() { … }}// no overriding of toString()class B extends Object {}class A extends B {}Legal names in bytecode:<Application, A, toString()>,<Application, B, toString()>,<Application, java.lang.Object, toString()>,<Primordial, java.lang.Object, toString()>Resolved entity:<Primordial, java.lang.Object, toString()>
  42. 42. WALA Name ResolutionEntity references resolved via IClassHierarchyEntity Reference Type Resolved Resolver Method Typeclass TypeReference IClass lookupClass()method MethodReference IMethod resolveMethod()Field FieldReference IField resolveField()
  43. 43. More on class hierarchies!  For Java class hierarchy: ClassHierarchy.make(scope)!  Supports Java-style subtyping (single inheritance, multiple interfaces)!  Necessary for constructing method IRs, since only resolved IMethods have bytecode info!  Watch out for memory leaks! •  Resolved entities (IClass, IMethod, etc.) keep pointers back to class hierarchy •  In general, use entity references in analysis results
  44. 44. INTERPROCEDURALDATAFLOW ANALYSIS
  45. 45. Tabulation-Based Analysis (Reps, Horwitz, Sagiv, POPL95)!  “Functional approach” to context-sensitive analysis (Sharir and Pnueli, 1981)!  Tabulates partial function summaries on demand!  Some enhancements in WALA’s implementation •  Multiple return sites for calls (for exceptions) •  Optional merge operators •  Handles partially balanced problems •  Customizable worklist orderings
  46. 46. Tabulation Overview T TabulationDomain IFlowFunctionMap Provides numbering of Edge flow functions for domain facts supergraph ISupergraph Supergraph over Seeds which analysis is Initial path edges forTabulationProblem computed analysis TabulationSolver TabulationResult
  47. 47. Supergraph!  Collection of “procedure graphs,” connected by calls •  ICFGSupergraph: procedure graphs are CFGs •  SDGSupergraph: procedure graphs are PDGs!  Example call representation for ICFGSupergraph •  (For general supergraph , possibly many calls, returns, entries, exits)CALLER CALLEE CALL ENTRY Normal call-to-ret Exc. call-to-ret Normal call-to-entry RETURN Normal ret-to-exit EXIT EXC. Exc. ret-to-exit EXIT HANDLER
  48. 48. Domain / Flow Functions / Seeds!  TabulationDomain •  Maintains mapping from facts to integers •  Controls worklist priorities (optional)!  IFlowFunctionMap •  Flow functions on supergraph edges •  All functions map int (or two ints) to IntSet (via TabulationDomain) •  Function for each type of edge (normal, call->return, call->entry, exit->return) •  Also, call->return function for “missing” calls "  For handling missing code, CG expansion (Snugglebug)!  Seeds (TabulationProblem.initialSeeds()) •  Depends on problem / domain representation
  49. 49. Partially Balanced Problems!  For when flows can start / end in a non-entrypoint •  E.g., slice from non-entrypoint statement!  PartiallyBalancedTabulationProblem •  Additional “unbalanced” return flow function for return without a call •  getFakeEntry(): source node for path edges of partially balanced flows!  Compute with PartiallyBalancedTabulationSolver!  Examples: ContextSensitiveReachingDefs, Slicer
  50. 50. Debugging Your Analysis!  IFDSExplorer •  Gives GUI view of analysis result •  Needs paths to GraphViz dot executable and PDF viewer!  Set VM property com.ibm.wala.fixedpoint.impl.verbose to true for occasional lightweight info!  Increase TabulationSolver.DEBUG_LEVEL for detailed info
  51. 51. Deep Dive: Reaching Defs!  The classic dataflow analysis, for Java static fields!  Three implementations available in com.ibm.wala.core.tests •  IntraprocReachingDefs "  Uses BitVectorSolver, a specialized DataflowSolver •  ContextInsensitiveReachingDefs "  Uses BitVectorSolver over interprocedural CFG •  ContextSensitiveReachingDefs "  Uses TabulationSolver!  We’ll focus on ContextSensitiveReachingDefs
  52. 52. Example class StaticDataflow { static int f, g; static void m() { f = 2; } static void testInterproc() { f = 3; m(); (1) g = 4; m(); (2) } }Context-sensitive analysis should give different result after (1) and (2)
  53. 53. The Domain and Supergraph!  Supergraph: ICFGSupergraph •  Procedures: call graph nodes (CGNode) "  In context-sensitive call graph, possibly many CGNodes for one Imethod •  Nodes: BasicBlockInContext<IExplodedBasicBlock> "  “exploded” basic block has at most one instruction (eases writing transfer functions) "  BasicBlockInContext pairs BB with enclosing CGNode!  Domain (static field writes): Pair<CGNode,Integer> •  Integer is index in IR instruction array; only valid way to uniquely identify IR instruction •  ReachingDefsDomain extends MutableMapping to maintain fact numbering
  54. 54. Flow Functions (1)!  Normal flow for non-putstatics is IdentityFlowFunction.identity()!  Most call-related flow functions are also identity •  Since static fields are in global scope!  Call-to-return function is KillEverything.singleton() •  Defs must survive callee to reach return
  55. 55. Flow Functions (2) Normal flow function for putstatic (modified for formatting / clarity)public IntSet getTargets(int d1) { IntSet result = MutableSparseIntSet.makeEmpty(); // first, gen this statement int factNum = domain.getMappedIndex(Pair.make(node, index)); result.add(factNum); // if incoming statement defs the same static field, kill it; // otherwise, keep it if (d1 != factNum) { // must be different statement IField sf = cha.resolveField(putInstr.getField()); Pair<CGNode, Integer> other = domain.getMappedObject(d1); SSAPutInstruction otherPut = getPutInstr(other); IField otherSF = cha.resolveField(otherPut.getField()); if (!sf.equals(otherSF)) { result.add(d1); } } return result;}
  56. 56. Seeds!  Standard tabulation approach: special ‘0’ fact •  Add ‘0 -> 0’ edge to all flow functions •  Seed with (main_entry, 0) -> (main_entry, 0)!  Our approach: partially balanced tabulation •  For field write numbered n in basic block b of method m, add seed (m_entry, n) -> (b, n) "  (source fact doesn’t matter) •  Unbalanced flow function is just identity •  Advantage: keeps other flow functions cleaner •  See ReachingDefsProblem.collectInitialSeeds()
  57. 57. Putting it all Together!  ReachingDefsProblem collects domain, supergraph, flow functions, seeds!  Running analysis (simplified): PartiallyBalancedTabulationSolver solver = new PartiallyBalancedTabulationSolver( new ReachingDefsProblem()); TabulationResult result = solver.solve();!  In the real code: •  Lots of long generic type instantiations (sigh) •  Handling CancelException (enables cancelling running analysis from GUI)
  58. 58. CALL GRAPHS / POINTERANALYSIS
  59. 59. Call Graph Builder OverviewAnalysisOptions Heap Model Specifies entrypoints, How should Context Selector objects and What context to usehow to handle reflection, pointers be when analyzing call to etc. abstracted? some method? CallGraphBuilder CallGraph PointerAnalysis
  60. 60. Entrypoints!  What are entrypoint methods? •  main() method "  Util.makeMainEntrypoints() •  All application methods "  AllApplicationEntrypoints •  JavaEE Servlet methods, Eclipse plugin entries, …!  What types are passed to entrypoint arguments? •  Just declared parameter types (DefaultEntrypoint) •  Some concrete subtype (ArgumentTypeEntrypoint) •  All subtypes (SubtypesEntrypoint)
  61. 61. Heap Model!  Controls abstraction of pointers and object instances!  InstanceKey: abstraction of an object •  All objects of some type (ConcreteTypeKey) •  Objects allocated by some statement in some calling context (AllocationSiteInNode) •  ZeroXInstanceKeys: customizable factory!  PointerKey: abstraction of a pointer •  Local variable in some calling context (LocalPointerKey) •  Several merged vars (offline substitution), etc.
  62. 62. Context Selector!  Gives context to use for callee method at some call site!  Context examples •  The default context (Everywhere) •  A call string (CallStringContext) •  Receiver object (ReceiverInstanceContext)!  ContextSelector examples •  nCFAContextSelector: n-level call strings •  ContainerContextSelector: object sensitivity for containers
  63. 63. Built-In Algorithms (Grove and Chambers, TOPLAS 2001) Rapid Type Analysis (RTA) 0-CFA Increasing precision context-insensitive, class-based heap 0-1-CFA context-insensitive, allocation-site-based heap 0-1-Container-CFA 0-1-CFA with object-sensitive containersFor builders, see com.ibm.wala.ipa.callgraph.impl.Util
  64. 64. Performance Tips!  Use AnalyisScope exclusions •  Often, much of standard library (e.g., GUI libraries) is irrelevant!  Analyze older libraries •  Java 1.4 libraries much smaller than Java 6!  Tune context-sensitivity policy •  E.g., more sensitivity just for containers
  65. 65. Code Modelling (Advanced)!  SSAContextInterpreter: builds SSA for a method •  Normally, based on bytecode •  Customized for reflection, Object.clone(), etc.!  MethodTargetSelector: determines method dispatch •  Normally, based on types / class hierarchy •  Customized for native methods, JavaEE, etc.!  ClassTargetSelector: determines types of allocated objects •  Normally, type referenced in new expression •  Customized for adding synthetic fields, JavaEE, etc.
  66. 66. Refinement-Based Points-To Analysis!  Refines analysis precision as requested by client •  Computes results on demand •  See Sridharan and Bodik, PLDI 2006!  Implemented in DemandRefinementPointsTo •  Baseline analysis is context insensitive "  Field sensitivity, on-the-fly call graph via refinement •  Context sensitivity (modulo recursion), other regular properties via additional state machines •  Refinement policy can be easily customized •  Can also compute “flows to” on demand!  Usage fairly well documented on wiki!  See DemandCastChecker for an example client
  67. 67. SLICING
  68. 68. Slicer Overview Statement DataDependenceOptionsSeed for the slicer Which data deps to consider ControlDependenceOptions Which control deps to consider CallGraph PointerAnalysis Slicer.compute{Forward|Backward}Slice() Collection<Statement>
  69. 69. Statement!  Identifies a node in the System Dependence Graph (SDG) [Horwitz,Reps,Binkley,TOPLAS’90]!  Key statement types •  NormalStatement "  Normal SSA IR instruction "  Represented by CGNode and instruction index •  ParamCaller, ParamCallee "  Extra nodes for modeling parameter passing "  SDG edges from def -> ParamCaller -> ParamCallee -> use •  NormalReturnCaller, NormalReturnCallee "  Analogous to ParamCaller, ParamCallee "  Also ExceptionalReturnCaller/Callee •  HeapParamCaller, HeapParamCallee, etc. "  For modeling interprocedural heap-based data deps "  Edges via interprocedural mod-ref analysis
  70. 70. Dependence Options!  DataDependenceOptions •  FULL (all deps) and NONE (no deps) •  NO_BASE_PTRS: ignore dependencies for memory access base pointers "  E.g., exclude forward deps from defs of x to y=x.f •  NO_HEAP: ignore dependencies to/from heap locs •  NO_EXCEPTIONS: ignore deps from throw to catch •  Various combinations (e.g., NO_BASE_NO_HEAP)!  ControlDependenceOptions •  FULL (all deps) and NONE (no deps) •  NO_EXCEPTIONAL_EDGES: ignore exceptional control flow
  71. 71. Thin Slicing!  Just “top-level” data dependencies (see [Sridharan-Fink-Bodik PLDI’07])!  For context-sensitive thin slicing, use Slicer with DataDependenceOptions.NO_BASE_PTRS and ControlDependenceOptions.NONE!  For efficient context-insensitive thin slicing, use the CISlicer class
  72. 72. Performance Tips!  Some configs do not scale to large programs •  E.g., context-sensitive slicing with heap deps •  Discussion in [SFB07]!  Run with minimum dependencies needed!  Apply pointer analysis scalability tips •  Exclusions, earlier Java libraries
  73. 73. INSTRUMENTING BYTECODESWITH SHRIKE
  74. 74. Key Shrike Features!  Patch-based instrumentation API •  Each instrumentation pass implemented as a patch •  Several patches can be applied simultaneously to original bytecode "  No worries about instrumenting the instrumentation •  Branch targets / exc. handlers automatically updated!  Efficient •  Unmodified class methods copied without parsing •  Efficient bytecode representation / parsing "  Array of immutable instruction objects "  Constant instrs represented with single shared object!  Some ugliness hidden •  JSRs, exception handler ranges, 64k method limit
  75. 75. Key Shrike ClassesClassReader ClassWriterImmutable view Generates JVMof .class file info; representation of a ShrikeCT:reads data lazily class reading / writing .class files MethodEditor ClassInstrumenter Core class for Utility for instrumenting an transforming existing class (mutable)bytecodes via patchesMethodData CTCompiler ShrikeBT: Mutable view of Compiles ShrikeBT method instrumenting method info into JVM bytecodes bytecodes
  76. 76. Instrumenting A Method (1)instrument(byte[] orig, int i) { // mutable helper class ClassInstrumenter ci = (1) new ClassInstrumenter(orig); // mutable representation of method data MethodData md = ci.visitMethod(i); (2) // see next slide; mutates md, ci doInstrumentation(md); (3) // output instrumented class in JVM format ClassWriter w = ci.emitClass(); (4) byte[] modified = w.makeBytes(); (5)}
  77. 77. Instrumenting A Method (2)doInstrumentation(MethodData md) { // manages the patching process MethodEditor me = new MethodEditor(md); (1) me.beginPass(); (2) // add patches me.insertAtStart(new Patch() { … }); (3) me.insertBefore(j, new Patch() { … }); (4) … // apply patches (simultaneously) me.applyPatches(); me.endPass(); (5)}
  78. 78. Shrike Clients!  Small example: see com.ibm.wala.shrike.bench.Bench!  Dila (com.ibm.wala.dila in incubator) •  Dynamic call graph construction (CallGraphInstrumentation) •  Utilities for runtime instrumentation "  Instrumenting class loader "  Mechanisms for controlling what gets instrumented •  Work continues on better WALA integration / docs
  79. 79. Java Annotation Support!  Supported features •  Reading .class file attributes •  Parsing some annotation info from attributes "  E.g., generics (com.ibm.wala.types.generics) •  Manipulating JVM class attributes directly "  See ClassWriter.addClassAttribute()!  Missing features •  Higher-level APIs for modifying known annotations •  Automatic fixing of StackMapTable attribute after instrumentation "  Speeds bytecode verification in Java 6
  80. 80. Eclipse Support!  WALA projects are Eclipse plug-ins •  Easy to invoke from other plug-in!  Various utilities in com.ibm.wala.ide project •  EclipseProjectPath: creates AnalysisScope for Eclipse project •  JdtUtil: find all Java projects, code within projects, etc.!  JDT CAst frontend for Java source analysis!  Prototype utils in com.ibm.wala.eclipse project •  E.g., display call graph for selected project
  81. 81. FRONT ENDS / CAST
  82. 82. !"#"$%&()$*(+ =/.+5.$> #/*:;/:5 ())(*$"+,$ -./*+0/,(. -($%&$-./*+0/,(. =/.+5.$?!"#"$%& 12.345$67,58(95 %*,5.*/0$12.345 -($%&$-./*+0/,(. 67,58(95 <(.)/, &;*,3)5$03@./.7
  83. 83. !"#"$%&()*+($,-*.$/.+ !"#" 89:# <=>3$)?5/*@, ()*+,$!"#"$%& -./,012, ;%# 31$%&$ 3)45674/1) 21/<A5? "-; 34@4)*5
  84. 84. !"#$%&()*+,-.#/0.$+, !"#$%& )*+* !"#$%&( 1&23&#4 ,-./&#0&#50&6-3&4 ()*+,$%& !"#"$%&
  85. 85. !"#$%&(&)*&#+ !"#$%& !"#$%&,- &()&#* ! ./0123)4)567&89*&: ;<=*97>?@A ! ,B1+,-&./)&* ! 2$@7&#@)CBD09@C6: EB<FG ! ,B1 ! 2BD0HE$@*9I+9@C6: 09J$CC)-)K)#$@ ! LD,2L87$9@!8#$M7: ! 2A@*&#*&4&C9MK&@7:
  86. 86. !"#"$%&()*$+&,*$-(&./$0., 1/2/34.56, -./*+0/,5(* &C5*( 8D8 %9)$6/.+:. -./*+0/,5(* ())(*$"+,$ ;:*< EFG!"#"$%& -($%&$ -./*+0/,5(* -./*+0/,(. 8(0?@0(, 1/2/ -./*+0/,5(* =4056+:$1>- "7"8 -./*+0/,5(* A+,()$"B-#&
  87. 87. !"#$%&%()*)+,$-.*#)&%+ 94;# >%+ <(.+# <%)= !7 !7 #)&%+ !"#$%&$()" *+"+%,$()" -)"$%)./0.)1 449/-)":+%#()" >,%#+% *%,23/-%+,$()" 4)&%+/5,22("6 7+)%8("6
  88. 88. !"#"$%&()*+,-)&.%)/,*01,1&")/, -,.# #)&%3 4%3 1%)2 1(03# !5 #)&%3 4/%#3%* !"#$%&$()"#* 56(").)-#$.%/"#0/$)% +,-#$.%/"#0/$)%2&",-3")1*45,/*-)&.%).&1-*)/*6787*9/::/,*7$2*;97-)< ! 9/:=,")/,*/>*?1,1&%*",@*!"#"$%&()*7$2*,/@1- ! A,3B*(1%1*/>*%/@1*)5")*.,@1&-)",@-*45,/2&",-3")1*97-)*7$2*)/*6787*C&1*+4*>/&: ! $5"&1@*=B*",/)51&*,)1&,"3*!"#"$%&()*)&",-3")/& ! DE)1,@-*?1,1&%*)&",-3")/,*:"%5,1&B
  89. 89. !"#$%&$()"*+,",%-$()" *..%96#:(#; ####70827-#9$$:#<<#9=012345%:(> !"#$#%!&#$$#!( ? )*#!" 70827- +"#$#,-!./0#012345#!&6! << ,-!./0# 9#$$#: 9=012345%:( 70827-#!"@58A73-5438.7#,BC40B0-85#70D275,!0#@EA#8700#F34/
  90. 90. !"#$%"&(&")*%+,-!%.+$/"# E+,F4"G:#$&H&00(&) &&IJ/&E+,F4"G:#$14+!,(6!""#$%&(&) &&I=&/&E+,F4"G:#$1*8EK,(6&&&&*+,-*.&$//&00&$1+2-345#(6 &&I@&/&.+L&F4"G:#(7 &&IJ15-GG+55"*&/&I@6 &&I@13MM#NIJ19&//&,*-+O( &&I@1!345+&/&I=6 *+,-*. 7 && BCD 00 ;<= 8.9":+& @<A $&//& $1+2-345#( ><? P5,Q*3.543,"*&I-84M5&BCD&*+G-*589+4&"9+*&,K+&PRQ
  91. 91. !"#$%&(")*+*",-.//*,0*..%96#:(#;####70827-#9$$:#<<#9=012345%:(> !"#$#%!&#$$#!(? F&6&GH#I#F&6&KH )*#!" 70827- F&6&GH#I#F&6JH +"#$#,-!./0#012345#!&6! << F&6&JH#I#F&6JH ,-!./0# 9#$$#: F&6H#I#F&6JH 9=012345%:( 70827-#!" @58A73-5438.7#B.C,05#5.27B0#C.5,8,.-5#*7.D#@EA
  92. 92. !!"#$%&()*+%& !"#$#%!&#$$#!( !"#$#%!&#$$#!( )*#!" )*#!"!"#$#+,!-./#/01234#!&5! !8#$#+,!-./#/01234# !&5! !9#$#:%!"5!8( 6/716,#!" 6/716,#!9 ;<=<#>-/4#?-@A#@6-@2B27+-,#+,#CC<#?-,!/64+-, ;<=<#+D@3/D/,74#*133AE@61,/>#CC<#F-,!/64+-, ! +G/G#@H+4#-,3A#+,4/67/>#*-6#3+!/#!231/4

×