Skip to content

Latest commit

 

History

History
92 lines (69 loc) · 4.25 KB

README.md

File metadata and controls

92 lines (69 loc) · 4.25 KB

Maple-IR

Maple-IR is a industrial IR-based static analysis framework for Java bytecode. Currently, it implements SSA-form based analysis as well as construction and destruction from bytecode to IR. The toolchain takes bytecode input, lifts it to SSA IR, transforms the IR, then recompiles back down to bytecode. This is done by symbolically executing each method while simulating the stack, similar to how Binary Ninja or IDA Pro's Hex-Rays operate. Intraprocedural data-flow analysis is fully implemented, and optimizations such as constant folding and copy propogation are implemented as well. A CFG Graphviz exporter is also available; see below for examples.

Maple-IR is not in active development. It is on hiatus indefinitely, although code contributions are welcome. Please file questions, comments, and issues on the issue tracker.

Maple-IR in its current form is not yet production-ready, although it can be made so with little effort.

If you use Maple-IR, please let us know! We would love to hear about any cool projects you use it for.

LLVM but worse!

"It's like LLVM, but worse."

Technical details

SSA destruction is implemented using the methods of Sreedhar et al. and Boissinot et al.. The Boissinot destructor is currently the default destructor. SSA construction is implemented based on a fast 1-pass linear scan algorithm loosely based on Cytron et al.'s method using dominance frontiers. For more details see SSAGenPass.java. Bytecode destruction is tricky in Java due to exception ranges. Furthermore, linearizing the control flow graph (CFG) in a simple manner is difficult due to loop nesting. Linearization is handled by recursively applying Tarjan's superconnected components algorithm. Exception tables for each method are discarded and regenerated based on the control flow graph's structure. For more details, see ControlFlowGraphDumper.

For more details, see the whitepaper.

Screenshots and examples

Here is the Graphviz visualization for the optimized, destructed (post-SSA) IR for the following code:

void test130() {
    int x = 5;
    int y = 10;

    do {
        try {
            trap(x, y);
            y = x;
            trap(x, y);
            y = 123;
        } catch (RuntimeException e) {
            do {
                trap(x, y);
                int z = y;
                trap(x, y);
                y = x;
                trap(x, y);
                x = z;
                trap(x, y);
            } while(!p());
        }
    } while(p());

    System.out.println(x);
    System.out.println(y);
}

Example output


Here is a nastier function, in optimized SSA form, taken from the Fernflower decompiler:

Fernflower example

Caveats

  • Since the project uses a fork of the ObjectWeb ASM framework, it's not compatible with other implementations. This should be addressed before you use Maple-IR as a library.
  • Interprocedural analysis has not been fully implemented (it's difficult).

Compiling

To build:

mvn compile test package

You can also get Maple-IR on Jitpack.

Credits

Contact: ecx or bibl [at] mapleir.org

sharing will lead to reported and beat down (bless)

License

Maple-IR is licensed under the GPLv3. For more information, please see here.

Copyright (c) 2018 Bibl and ecx86