Effective Soundness-Guided Reflection Analysis Yue Li , Tian Tan and - - PowerPoint PPT Presentation

Effective Soundness-Guided Reflection Analysis

Yue Li, Tian Tan and Jingling Xue

Complier Research Group @ UNSW, Australia September 10, 2015

SAS 2015 Saint-Malo

Static analysis for OO in practice ?

Static analysis for OO in practice ?

re re re … reflection !

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … …

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … …

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … …

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … … class method field

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … … class method field

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … … Class c = Class.forName(“Person”); Method m = c.getMethod(“setName”, …); Object p = c.newInstance(); m.invoke(p, “John”); class method field

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … … Class c = Class.forName(“Person”); Method m = c.getMethod(“setName”, …); Object p = c.newInstance(); m.invoke(p, “John”); class method

Compile Time

field

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … … Class c = Class.forName(“Person”); Method m = c.getMethod(“setName”, …); Object p = c.newInstance(); m.invoke(p, “John”); class method

Compile Time

field

Class Person { void setName(String nm) {…}; } Person p = new Person(); p.setName(“John”); … … Class c = Class.forName(“Person”); Method m = c.getMethod(“setName”, …); Object p = c.newInstance(); m.invoke(p, “John”); class method

Compile Time Runtime

field

Class c = Class.forName(cName); Method m = c.getMethod(mName, …); A a = new A(); m.invoke(a, …);

B u g D e t e c t i

• n

Class c = Class.forName(cName); Method m = c.getMethod(mName, …); A a = new A(); m.invoke(a, …); Method 1 Method 2

B u g D e t e c t i

• n

Method 3 Bug

Class c = Class.forName(cName); Method m = c.getMethod(mName, …); A a = new A(); m.invoke(a, …); Method 1 Method 2

B u g D e t e c t i

• n

Method 3 Bug

Soundness

Soundness

ICSE’11 OOPSLA’09 APLAS’05 ECOOP’14

Soundness

ICSE’11 OOPSLA’09 APLAS’05 ECOOP’14

Soundness Best-Effort

ICSE’11 OOPSLA’09 APLAS’05 ECOOP’14

Soundness

SAS’15

Best-Effort

ICSE’11 OOPSLA’09 APLAS’05 ECOOP’14

Soundness

SAS’15

Best-Effort More sound

1

ICSE’11 OOPSLA’09 APLAS’05 ECOOP’14

Soundness

SAS’15

Best-Effort More sound

1

Unsoundness

ICSE’11 OOPSLA’09 APLAS’05 ECOOP’14

Soundness

SAS’15

Best-Effort More sound

1

Unsoundness Controllable

2

ICSE’11 OOPSLA’09 APLAS’05 ECOOP’14

Soundness

SAS’15

Best-Effort More sound

1

Unsoundness Controllable

2

Soundness-Guided

More sound

1

Controllable

2

More sound

1

The Challenging Problem

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

A a = (A) v2

Intra-procedural post-dominant cast operations

Existing Approach

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

A a = (A) v2

Intra-procedural post-dominant cast operations

cA

Existing Approach

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

A a = (A) v2

Intra-procedural post-dominant cast operations

• nly works for this intra-post-dominance pattern

cA

Existing Approach

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

A a = (A) v2

Intra-procedural post-dominant cast operations

• nly works for this intra-post-dominance pattern

I g I g n n

• r

r e e d d

cA

Existing Approach

Lazy Heap Modeling (LHM)

A reflectively created object (returned by newInstance()) is usually used in two cases in practice

Lazy Heap Modeling (LHM)

Observation

Lazy Heap Modeling (LHM)

Observation Intuition The side effect of a newInstance() call can be modeled lazily at these usage points

A reflectively created object (returned by newInstance()) is usually used in two cases in practice

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

cu

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

cu

i

• u

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

B b = (B) v2 A a = (A) v1

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

B b = (B) v2 A a = (A) v1

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

B b = (B) v2 A a = (A) v1 m1.invoke(v3, args)

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

B b = (B) v2 A a = (A) v1 m1.invoke(v3, args)

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

B b = (B) v2 A a = (A) v1 m1.invoke(v3, args)

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

B | | i | v3

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

?

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

B | | i | v3

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

? X

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

B | | i | v3

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

? X

i

• B

| B | i | b, v3

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

B | | i | v3

i

• B

| B | i | b, v4

i

• B

| B | i | b

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

? X

i

• B

| B | i | b, v3

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

I g I g n n

• r

r e e d d I g I g n n

• r

r e e d d I g I g n n

• r

r e e d d

Inference System of Solar

• = newInstance() çè m.invoke(o,…), f.get(o), f.set(o, …)

Collective Inference

More sound

1

Controllable

2

Controllable

2 If the information in a program is not enough to help infer the reflective targets, the soundness criteria is not satisfied

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

| B | i | b, v3

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

| B | i | b, v3

?

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

| B | i | b, v3

?

X

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

| B | i | b, v3

?

X

U U n n s

• s
• u

u n n d d

Lazy Heap Modeling (LHM)

Class c = Class.forName(cName)

Object v = c1.newInstance( )

i:

Case (I) Case (II)

unknown

cu

i

• u

Abstract Heap Objects

• f newInstance()

are created lazily ( at LHM points )

i

• A

A | i | | a |

Type Object Location

|

Pointed by

|

Method m = c2.getDeclaredMethod(mName, ...)

cD

i

• D

D | | i | v3 B b = (B) v2 A a = (A) v1 m1.invoke(v3, args) v3.mName(args)

i

• B

| B | i | b, v3

?

X

U U n n s

• s
• u

u n n d d To To be annotated

Controllable

2 If the information in a program is not enough to help infer the reflective targets, the soundness criteria is not satisfied The number of the reflective targets resolved or inferred

More sound

1

Controllable

2

Evaluation

VS

Evaluation

VS Large real-world Java benchmarks and applications Large and reflection-rich Java library: JDK 1.6

Recall

More sound

1 Recall: measured by the number of true reflective targets discovered at reflective call sites that are dynamically executed under certain inputs

Recall

More sound

1 Only Solar achieves total recall : all the true reflective targets found in recall are resolved by Solar. Recall: measured by the number of true reflective targets discovered at reflective call sites that are dynamically executed under certain inputs

The benefit of achieving higher recall: more true call graph edges discovered

The benefit of achieving higher recall: more true call graph edges discovered The figure shows the more true call graph edges found in recall by Solar than Elf (Solar - Elf) and by Elf than Doop (Elf - Doop) The true call graph edges are computed by instrumentation at runtime

Precision

More sound

1 Insight: Soundness ßà precision. Solar achieves higher recall (more sound), indicates worse precision ?

Precision

More sound

1 Insight: Soundness ßà precision. Solar achieves higher recall (more sound), indicates worse precision ? No! Solar maintains nearly the same precision as Doop and Elf (2 popular clients).

Precision

Devir Call: the percentage of the virtual calls whose targets can be disambiguated Safe Case: the percentage of the casts that can be statically shown to be safe

Controllable

2

In 10 evaluated programs, 7 can be analyzed scalably and soundly by Solar with full automation.

Controllable

2

In 10 evaluated programs, 7 can be analyzed scalably and soundly by Solar with full automation. For the remaining 3 programs, Probe is scalable and reports 13 unsound calls and 1 imprecise call.

Controllable

2

In 10 evaluated programs, 7 can be analyzed scalably and soundly by Solar with full automation.

Controllable

2 After manual check, all the identified 14 unsound/imprecise calls are the true ones. For the remaining 3 programs, Probe is scalable and reports 13 unsound calls and 1 imprecise call.

In 10 evaluated programs, 7 can be analyzed scalably and soundly by Solar with full automation.

Controllable

2 After manual check, all the identified 14 unsound/imprecise calls are the true ones. Probe also reports 7 corresponding annotation points for these 14 unsound/imprecise calls For the remaining 3 programs, Probe is scalable and reports 13 unsound calls and 1 imprecise call.

In 10 evaluated programs, 7 can be analyzed scalably and soundly by Solar with full automation.

Controllable

2 After manual check, all the identified 14 unsound/imprecise calls are the true ones. Probe also reports 7 corresponding annotation points for these 14 unsound/imprecise calls After the 7 light-weight annotations, Solar can analyze these 3 programs scalably and soundly For the remaining 3 programs, Probe is scalable and reports 13 unsound calls and 1 imprecise call.

Performance More sound

1

Controllable

2

Potential Impact

More sound

1

Reflection Analysis

Hundreds of Papers & Tools ¡

Potential Impact

More sound

1

Reflection Analysis

Hundreds of Papers & Tools ¡

Potential Impact

More sound

1

Reflection Analysis

Hundreds of Papers & Tools ¡

Nothing needs to change

Potential Impact

More sound

1

Reflection Analysis

Hundreds of Papers & Tools ¡

Nothing needs to change More bugs, etc.

Ø A static bug verification tool reports no bugs.

4 reflective calls are identified unsoundly analyzed by Solar

Potential Impact

More sound

1 Hundreds of Papers & Tools ¡

Reflection Analysis

Nothing needs to change More bugs, etc.

Controllable

2

Ø A static bug detection tool reports 10 bugs. Ø A static bug verification tool reports no bugs.

All reflective calls are reported soundly analyzed by Solar 4 reflective calls are identified unsoundly analyzed by Solar

Potential Impact

More sound

1 Hundreds of Papers & Tools ¡

Reflection Analysis

Nothing needs to change More bugs, etc.

Controllable

2

h#p://www.cse.unsw.edu.au/~corg/solar ¡

Static analysis for OO in practice ?

Static analysis for OO in practice ?

Reflection

Thank You

September 10, 2015

Yue Li

CORG @ UNSW, Australia

Controllable

2

Light-weight Annotations More sound

1 The number of annotations required for improving the soundness of unsoundly resolved reflective calls. Others: 338 vs Solar: 7