-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhelp.txt
executable file
·376 lines (356 loc) · 30.4 KB
/
help.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
usage: doop -i <INPUT> -a <NAME> [OPTION]...
== Configuration options ==
-a,--analysis <NAME> The name of the analysis. Valid values:
1-call-site-sensitive,
1-call-site-sensitive+heap,
1-object-1-type-sensitive+heap,
1-object-sensitive,
1-object-sensitive+heap, 1-type-sensitive,
1-type-sensitive+heap,
2-call-site-sensitive+2-heap,
2-call-site-sensitive+heap,
2-object-sensitive+2-heap,
2-object-sensitive+heap,
2-type-object-sensitive+2-heap,
2-type-object-sensitive+heap,
2-type-sensitive+heap,
3-object-sensitive+3-heap,
3-type-sensitive+2-heap,
3-type-sensitive+3-heap,
adaptive-2-object-sensitive+heap,
basic-only, context-insensitive,
context-insensitive-plus,
context-insensitive-plusplus, data-flow,
dependency-analysis,
fully-guided-context-sensitive, micro,
partitioned-2-object-sensitive+heap,
selective-2-object-sensitive+heap,
sound-may-point-to,
sticky-2-object-sensitive, types-only,
xtractor, ----- (LB analyses) -----,
2-object-sensitive+heap-plus,
adaptive-insens-2objH,
adaptive2-insens-2objH, must-point-to,
naive, paddle-2-object-sensitive,
paddle-2-object-sensitive+heap,
partial-insens-s2objH,
refA-2-call-site-sensitive+heap,
refA-2-object-sensitive+heap,
refA-2-type-sensitive+heap,
refB-2-call-site-sensitive+heap,
refB-2-object-sensitive+heap,
refB-2-type-sensitive+heap,
scc-2-object-sensitive+heap,
selective-2-type-sensitive+heap,
selective_A-1-object-sensitive,
selective_B-1-object-sensitive,
special-2-object-sensitive+heap,
stutter-2-object-sensitive+heap,
uniform-1-object-sensitive,
uniform-2-object-sensitive+heap,
uniform-2-type-sensitive+heap
--android Force Android mode for code inputs that
are not in .apk format.
--app-only Only analyze the application input(s),
ignore libraries/platform.
--auto-app-regex-mode <MODE> When no app regex is given, either compute
an app regex for the first input ('first')
or for all inputs ('all').
--cfg Perform a CFG analysis.
--coarse-grained-allocation-sites Aggressively merge allocation sites for
all regular object types, in lib and app
alike.
--constant-folding Enable constant folding logic.
--cs-library Enable context-sensitive analysis for
internal library objects.
--dacapo Load additional logic for DaCapo (2006)
benchmarks properties.
--dacapo-bach Load additional logic for DaCapo (Bach)
benchmarks properties.
--define-cpp-macro <MACRO> Define a C preprocessor macro that will be
available in analysis logic.
--disable-merge-exceptions Do not merge exception objects.
--disable-points-to Disable (most) points-to analysis
reasoning. This should only be combined
with analyses that compensate (e.g.,
types-only).
--distinguish-all-string-buffers Avoids merging string buffer objects (not
recommended).
--distinguish-all-string-constants Treat string constants as regular objects.
--dry-run Do a dry run of the analysis (generate
facts and compile but don't run analysis
logic).
--extra-logic <FILE> Include files with extra rules.
--featherweight-analysis Perform a featherweight analysis (global
state and complex objects immutable).
--gen-opt-directives Generate additional relations for code
optimization uses.
-h,--help <SECTION> Display help and exit. Valid values: all,
configuration, data-flow, datalog-engine,
entry-points, fact-generation,
heap-snapshots, information-flow,
native-code, open-programs, python,
reflection, server-logic, statistics,
xtras
-i,--input-file <INPUT> The (application) input files of the
analysis. Accepted formats: .jar, .war,
.apk, .aar, maven-id
--id <ID> The analysis id. If omitted, it is
automatically generated.
-L,--level <LOG_LEVEL> Set the log level: debug, info or error
(default: info).
-l,--library-file <LIBRARY> The dependency/library files of the
application. Accepted formats: .jar, .apk,
.aar
--max-memory <MEMORY_SIZE> The maximum memory that the analysis can
consume (does not include memory needed by
fact generation). Example values: 2m, 4g.
--no-merge-library-objects Disable the default policy of merging
library (non-collection) objects of the
same type per-method.
--no-merges No merges for string constants.
--no-standard-exports Do not export standard relations.
-p,--properties <PROPERTIES> The path to a properties file containing
analysis options. This option can be mixed
with any other and is processed first.
--platform <PLATFORM> The platform on which to perform the
analysis. For Android, the plaftorm suffix
can either be 'stubs' (provided by the
Android SDK), 'fulljars' (a custom Android
build), or 'apks' (custom Dalvik
equivalent). Default: java_8. Valid
values: java_3, java_4, java_5, java_6,
java_7, java_7_debug, java_8,
java_8_debug, java_8_mini, java_9,
java_10, java_11, java_12, java_13,
java_14, java_15, java_16,
android_22_fulljars, android_25_fulljars,
android_2_stubs, android_3_stubs,
android_4_stubs, android_5_stubs,
android_6_stubs, android_7_stubs,
android_8_stubs, android_9_stubs,
android_10_stubs, android_11_stubs,
android_12_stubs, android_13_stubs,
android_14_stubs, android_15_stubs,
android_16_stubs, android_17_stubs,
android_18_stubs, android_19_stubs,
android_20_stubs, android_21_stubs,
android_22_stubs, android_23_stubs,
android_24_stubs, android_25_stubs,
android_26_stubs, android_27_stubs,
android_28_stubs, android_29_stubs,
android_25_apks, android_26_robolectric,
python_2
--regex <EXPRESSION> A regex expression for the Java package
names of the analyzed application.
--run-jphantom Run jphantom for non-existent referenced
code.
--sanity Load additional logic for sanity checks.
--sarif Output SARIF results for specific
relations.
--special-cs-methods <FILE> Use a file that specifies special context
sensitivity for some methods.
--symbolic-reasoning Symbolic reasoning for expressions.
-t,--timeout <TIMEOUT> The analysis execution timeout in minutes
(default: 90 minutes).
--use-local-java-platform <PATH> The path to the Java platform to use.
--user-defined-partitions <FILE> Use a file that specifies the partitions
of the analyzed program.
-v,--version Display version and exit.
== Data flow ==
--data-flow-goto-lib Allow data-flow logic to go into library
code using CHA.
--data-flow-only-lib Run data-flow logic only for library code.
== Datalog engine ==
--souffle-debug Enable profiling in the Souffle binary.
--souffle-force-recompile Force recompilation of Souffle logic.
--souffle-incremental-output Use the functor for incremental output in
Souffle.
--souffle-jobs <NUMBER> Specify number of Souffle jobs to run
(default: 4).
--souffle-live-profile Enable live profiling in the Souffle
binary.
--souffle-mode <MODE> How to run Souffle: compile to binary, use
interpreter, only translate to C++. Valid
values: compiled, interpreted, translated
--souffle-profile Enable profiling in the Souffle binary.
--souffle-provenance Call the provenance browser.
--souffle-use-functors Enable the use of user-defined functors in
Souffle.
--use-analysis-binary <PATH> Use precompiled analysis binary (for
Windows compatibility).
== Entry points ==
--discover-main-methods Discover main() methods.
--discover-tests Discover and treat test code (e.g. JUnit)
as entry points.
--exclude-implicitly-reachable-code Don't make any method implicitly
reachable.
--ignore-main-method If main class is not given explicitly, do
not try to discover it from jar/filename
info. Open-program analysis variant may be
triggered in this case.
--keep-spec <FILE> Give a 'keep' specification.
--main <MAIN> Specify the main class(es) separated by
spaces.
== Fact generation ==
--also-resolve <CLASS> Force resolution of class(es) by Soot.
--cache The analysis will use the cached facts, if
they exist.
--dont-cache-facts Don't cache generated facts.
--extract-more-strings Extract more string constants from the
input code (may degrade analysis
performance).
--fact-gen-cores <NUMBER> Number of cores to use for parallel fact
generation.
--facts-only Only generate facts and exit.
--generate-artifacts-map Generate artifacts map.
--generate-jimple Generate Jimple/Shimple files along with
.facts files.
--generate-tac Generate Three Address Code experimental
representation, along with .facts files.
--input-id <ID> Import facts from dir with id ID and start
the analysis. Application/library inputs
are ignored.
--report-phantoms Report phantom methods/types during fact
generation.
--thorough-fact-gen Attempt to resolve as many classes during
fact generation (may take more time).
--unique-facts Eliminate redundancy from .facts files.
--wala-fact-gen Use WALA to generate the facts.
--Xfacts-subset <SUBSET> Produce facts only for a subset of the
given classes. Valid values: PLATFORM,
APP, APP_N_DEPS
--Xignore-factgen-errors Continue with analysis despite fact
generation errors.
--Xsymlink-input-facts Use symbolic links instead of copying
cached facts. Used with --cache or
--input-id.
== Heap snapshots ==
--heapdl-dvpt Import dynamic var-points-to information.
--heapdl-file <HEAPDLS> Use dynamic information from memory dump,
using HeapDL. Takes one or more files
(`.hprof` format or stack traces).
--heapdl-nostrings Do not model string values uniquely in a
memory dump.
--import-dynamic-facts <FACTS_FILE> Use dynamic information from file.
== Information flow ==
--information-flow <APPLICATION_PLATFORM> Load additional logic to perform
information flow analysis. Valid values:
alfresco, android, beans, minimal, spring,
webapps
--information-flow-extra-controls <CONTROLS> Load additional sensitive layout control
from string triplets
"id1,type1,parent_id1,...".
--information-flow-high-soundness Enter high soundness mode for information
flow microbenchmarks.
== Native code ==
--native-code-backend <BACKEND> Use back-end to scan native code (portable
built-in, system binutils, Radare2). Valid
values: builtin, binutils, radare
--only-precise-native-strings Skip strings without enclosing function
information.
--scan-native-code Scan native code for specific patterns.
--simulate-native-returns Assume native methods return mock objects.
== Open programs ==
--open-programs <STRATEGY> Create analysis entry points and
environment using various strategies (such
as 'concrete-types' or 'jackee').
--open-programs-context-insensitive-entrypoints
--open-programs-heap-context-insensitive-entrypoints
== Python ==
--full-tensor-precision Full precision tensor shape analysis (not
guaranteed to finish).
--single-file-analysis Flag to be passed to WALAs IR translator
to produce IR that makes the analysis of a
single script file easier.
--tensor-shape-analysis Enable tensor shape analysis for Python.
== Reflection ==
--distinguish-reflection-only-string-constants Merge all string constants except those
useful for reflection.
--distinguish-string-buffers-per-package Merges string buffer objects only on a
per-package basis (default behavior for
reflection-classic).
--light-reflection-glue Handle some shallow reflection patterns
without full reflection support.
--reflection Enable logic for handling Java reflection.
--reflection-classic Enable (classic subset of) logic for
handling Java reflection.
--reflection-dynamic-proxies Enable handling of the Java dynamic proxy
API.
--reflection-high-soundness-mode Enable extra rules for more sound handling
of reflection.
--reflection-invent-unknown-objects
--reflection-method-handles Reflection-based handling of the method
handle APIs.
--reflection-refined-objects
--reflection-speculative-use-based-analysis
--reflection-substring-analysis Allows reasoning on what substrings may
yield reflection objects.
--tamiflex <FILE> Use file with tamiflex data for
reflection.
== Server logic ==
--server-cha Run server queries related to CHA.
--server-logic Run server queries under
addons/server-logic.
--server-logic-threshold <THRESHOLD> Threshold when reporting points-to
information in server logic (per points-to
set). default: 1000
== Statistics ==
--extra-metrics Run extra metrics logic under
addons/statistics.
--stats <LEVEL> Set statistics collection logic. Valid
values: none, default, full
== Xtras ==
--Xcontext-dependency-heuristic Run context dependency heuristics logic
under addons/oracular.
--Xcontext-remover Run the context remover for reduced memory
use (only available in context-insensitive
analysis).
--Xdex Use custom front-end to generate facts for
.apk inputs, using Soot for other inputs.
--Xextra-facts <FILE> Include files with extra facts.
--Xgenerics-pre Enable precise generics pre-analysis to
infer content types for Collections and
Maps.
--Xignore-wrong-staticness Ignore 'wrong static-ness' errors in Soot.
--Ximport-partitions <FILE> Specify the partitions.
--Xisolate-fact-generation Isolate invocations to the fact generator.
--Xlb Use legacy LB engine.
--Xlegacy-android-processing If true the analysis uses the legacy
processor for Android resources.
--Xlegacy-soot-invocation If true, Soot will be invoked using a
custom classloader (may use less memory,
only supported on Java < 9).
--Xlow-mem Use less memory. Does not support all
options.
--Xmodel-stdlib Model standard library APIs instead of
analyzing their code.
--Xno-ssa Disable the default policy of using SSA
transformation on input.
--Xoracular-heuristics Run sensitivity heuristics logic under
addons/oracular.
--Xprecise-generics Precise handling for maps and collections.
--XR-out-dir <R_OUT_DIR> When linking .aar inputs, place generated
R code in <R_OUT_DIR>.
--Xreflection-coloring Merge strings that will not conflict in
reflection resolution.
--Xreflection-context-sensitivity Enable context-sensitive handling of
reflection.
--Xscaler-pre Enable the analysis to be the pre-analysis
of Scaler, and outputs the information
required by Scaler.
--Xvia-ddlog Convert and run Souffle with DDlog.
--Xzipper <FILE> Use file with precision-critical methods
selected by Zipper, these methods are
analyzed context-sensitively.
--Xzipper-pre Enable the analysis to be the pre-analysis
of Zipper, and outputs the information
required by Zipper.
Use --help <SECTION> for more information, available sections: all, configuration, data-flow,
datalog-engine, entry-points, fact-generation, heap-snapshots, information-flow, native-code,
open-programs, python, reflection, server-logic, statistics, xtras
Deprecated Gradle features were used in this build, making it incompatible with Gradle 8.0.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
See https://docs.gradle.org/7.3.3/userguide/command_line_interface.html#sec:command_line_warnings
BUILD SUCCESSFUL in 16s
24 actionable tasks: 12 executed, 12 up-to-date