static analysis with demand driven value refinement
play

Static Analysis with Demand-Driven Value Refinement Benno Stein, - PowerPoint PPT Presentation

Sep 27, 2023 •232 likes •605 views

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang & Anders Mller Sound static analysis for JavaScript Static analysis for JavaScript is very challenging o[m]() 2 /17

  1. Static Analysis with 
 Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang & Anders Møller

  2. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() 2 /17

  3. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() Dynamic object structure 2 /17

  4. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() Dynamic object structure Dynamically computed property name 2 /17

  5. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() Dynamic dispatch Dynamic object structure Dynamically computed property name 2 /17

  6. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() Dynamic dispatch Dynamic object structure Dynamically computed property name • Critical precision losses renders analysis useless • Too much spurious data-flow 2 /17

  7. State-of-the-art data-flow analyzers • Fail to analyze load of some very popular libraries • Critical precision losses occur • Common characteristics • Forwards whole program analysis • Tracks data-flow, e.g., strings, functions and other objects • Non-relational • Aims to mitigate critical precision losses by: Context sensitivity • Syntactic patterns and special-case techniques • 3 /17

  8. Critical code example Example program Analysis state func = o1[name] . . . o2[name] = func . . . o2.foo(…) 4 /17

  9. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . name = ⊤ str . . o2 = {} o2[name] = func . . . o2.foo(…) 4 /17

  10. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . name = ⊤ str . . o2 = {} func = f1|f2 o2[name] = func . . . o2.foo(…) 4 /17

  11. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . name = ⊤ str . . o2 = { ⊤ str : f1|f2} func = f1|f2 o2[name] = func . . . o2.foo(…) 4 /17

  12. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . name = ⊤ str . . o2 = { ⊤ str : f1|f2} func = f1|f2 o2[name] = func . Resolves both f1 and f2 . . o2.foo(…) 4 /17

  13. The Lodash library 5 /17

  14. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . . name = ⊤ str . o2 = {} func = f1|f2 o2[name] = func . . . o2.foo(…) 6 /17

  15. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . . name = ⊤ str . o2 = {} func = f1|f2 o2[name] = func . . . o2.foo(…) 6 /17

  16. Demand-driven value refinement Regain relational information through refinement queries Without modifying base analysis domain Refinement query: What is x, when y ↦ ̂ v ? What value can variable x have, given that y has value ̂ v ? 7 /17

  17. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . o2[name] = func . . . o2.foo(…) 8 /17

  18. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func . What is name, when func ↦ f2? . . o2.foo(…) 8 /17

  19. ̂ ̂ ̂ ̂ ̂ ̂ ̂ ̂ ̂ Backwards abstract interpreter for value refinement • Backwards goal-directed from the query location • Separation logic based abstract domain Intuitionistic - constraints hold for all extensions • Special symbolic variable RES represents value being refined • symbolic variables z , RES ∈ x , ̂ Var y , ̂ ::= ̂ h ∧ π | φ 1 ∨ φ 2 symbolic stores φ ∈ Store x 3 | ̂ h 1 * ̂ ::= true | unalloc ( ̂ heap constraints x ) | x ↦ ̂ x 1 [ ̂ x 2 ] ↦ ̂ x | h 2 h pure constraints ::= true | e | π 1 ∧ π 2 π symbolic expressions ::= ̂ x | ̂ e 1 ⊕ ̂ v | e 2 e ∈ Expr 9 /17

  20. Backwards abstract interpreter for value refinement • Based on refutation sound Hoare triples ⟨ φ ⟩ s ⟨ φ ′ � ⟩ • Refutation soundness: φ ′ � s For all concrete runs where holds after , the state s before must satisfy . φ • Encoding refinement queries: v ? ⇝ ⟨ x ↦ RES * y ↦ ̂ v ⟩ What is x, when y ↦ ̂ y ∧ ̂ y = ̂ 10 /17

  21. Critical code example func = o1[name] o2[name] = func 11 /17

  22. Critical code example Refinement query: What is name, when func ↦ f1? func = o1[name] o2[name] = func 11 /17

  23. ̂ ̂ Critical code example Refinement query: What is name, when func ↦ f1? func = o1[name] ⟨ name ↦ RES * func ↦ func = f1 ⟩ func ∧ o2[name] = func 11 /17

  24. ̂ ̂ ̂ ̂ ̂ ̂ Critical code example Refinement query: What is name, when func ↦ f1? ⟨ name ↦ RES * o1 ↦ func = f1 ⟩ o1 * o1 [ RES ] ↦ func ∧ func = o1[name] ⟨ name ↦ RES * func ↦ func = f1 ⟩ func ∧ o2[name] = func 11 /17

  25. ̂ ̂ ̂ ̂ Leveraging forwards analysis state Analysis state o1 = {foo: f1, bar: f2} ⟨ name ↦ RES * o1 ↦ func = f1 ⟩ o1 * o1 [ RES ] ↦ func ∧ Refinement result is the values of RES satisfying: o1 [ RES ] = f1 Refinement result: “foo” 12 /17

  26. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . o2[name] = func . . . o2.foo(…) 13 /17

  27. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func . . What is name, when func ↦ f2? . o2.foo(…) 13 /17

  28. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func “foo” . . What is name, when func ↦ f2? . “bar” o2.foo(…) 13 /17

  29. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {foo: f1, bar: f2} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func “foo” . . What is name, when func ↦ f2? . “bar” o2.foo(…) 13 /17

  30. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {foo: f1, bar: f2} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func “foo” . Resolves only f1 . What is name, when func ↦ f2? . “bar” o2.foo(…) 13 /17

  31. Implementation for JavaScript • TAJS VR : TAJS extended with demand-driven value refinement • TAJS is a state-of-the-art analyzer for JavaScript • Implemented in Java • Active research since 2009 • VR JS : Backwards abstract interpreter for JavaScript for answering refinement queries • Implemented in Scala from scratch 14 /17

  32. Compared to state-of-the-art #tests TAJS CompAbs TAJS VR Underscore 1 182 0 % 0 % 95% (2.9s) Lodash3 1 176 0 % 0 % 98% (5.5s) Lodash4 1 306 0 % 0 % 87% (24.7s) Prototype 2 6 0 % 33% (23.1s) 83% (97.7s) Scriptaculous 2 1 0 % 100% (62.0s) 100% (236.9s) JQuery 3 71 7% (14.4s) 0 % 7% (17.2s) JSAI tests 4 29 86% (12.3s) 34% (32.4s) 86% (14.3s) “x% (y)” means succeeded x% of test cases with average time y 1 : Most popular functional utility libraries 2 : Wei et al. [2016] 3 : Andreasen and Møller [2014] 4 : Kashyap et al. [2014] & Dewey et al. [2015] 15 /17

  33. Compared to state-of-the-art #tests TAJS CompAbs TAJS VR Underscore 1 182 0 % 0 % 95% (2.9s) Lodash3 1 176 0 % 0 % 98% (5.5s) Lodash4 1 306 0 % 0 % 87% (24.7s) succeeds analyzing 92% of Underscore and Lodash Prototype 2 6 0 % 33% (23.1s) 83% (97.7s) tests, which all are unanalyzable by existing analyzers Scriptaculous 2 1 0 % 100% (62.0s) 100% (236.9s) JQuery 3 71 7% (14.4s) 0 % 7% (17.2s) TAJS R V JSAI tests 4 29 86% (12.3s) 34% (32.4s) 86% (14.3s) “x% (y)” means succeeded x% of test cases with average time y 1 : Most popular functional utility libraries 2 : Wei et al. [2016] 3 : Andreasen and Møller [2014] 4 : Kashyap et al. [2014] & Dewey et al. [2015] 15 /17

  34. Value refinement insights • Value refinement is triggered in few locations • In Lodash4, it is triggered in 7 locations in >17000 LoC • Almost all queries are solved successfully (>99%) • Queries are answered efficiently (Avg. ~10ms) • Answering a query requires visiting few locations • Typically below 40 • Many queries requires interprocedural reasoning 16 /17

  35. Conclusion • New technique: Demand-Driven Value Refinement Relational reasoning on top of non-relational analysis • Eliminates critical precision loss on-the-fly • Uses backwards analysis for gaining relational precision • Exploiting forwards analysis state allows efficient refinements • • Experimental evaluation First analysis capable of analyzing most popular JavaScript library • No significant overhead for incorporating backwards analyzer • Open-source: https://www.brics.dk/TAJS/VR/ • 17 /17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
WMSBF Event Business Solutions 1 Employer-Focused, Demand-Driven Demand Driven model was

WMSBF Event Business Solutions 1 Employer-Focused, Demand-Driven Demand Driven model was

WMSBF Event Business Solutions 1 Employer-Focused, Demand-Driven Demand Driven model was promoted by Workforce Investment Act of 1998 This approach is unique to Michigan and has been supported by the MEDC since 2006 Address

652 views • 14 slides
Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer

Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer

Data Flow Analysis Concurrent Programs Race-Free Programs Sync-CFG Analysis Analysis Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer Science and Automation Indian Institute of Science,

981 views • 47 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Combinatorial Abstraction Refinement for Feasibility Analysis Martin Stigge Uppsala University,

Combinatorial Abstraction Refinement for Feasibility Analysis Martin Stigge Uppsala University,

Combinatorial Abstraction Refinement for Feasibility Analysis Martin Stigge Uppsala University, Sweden Joint work with Wang Yi Problem Overview Workload Model Scheduler Model Task A Task B EDF/Static Prio/... Task C Task A t Task B t

759 views • 51 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

488 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Accelerating Business Performance through Market-driven Demand Analytics and Supply Chain

Accelerating Business Performance through Market-driven Demand Analytics and Supply Chain

Accelerating Business Performance through Market-driven Demand Analytics and Supply Chain Optimization ToolsGroups Powerfully Simple software solutions deliver improved business outcomes in complex demand-driven environments. ToolsGroup

171 views • 4 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Compiler aided optimization of the pimpl-idiom Alexander Richardson (alr48@cam.ac.uk) University

Compiler aided optimization of the pimpl-idiom Alexander Richardson (alr48@cam.ac.uk) University

Compiler aided optimization of the pimpl-idiom Alexander Richardson (alr48@cam.ac.uk) University of Cambridge Tuesday 14 th April, 2015 Tuesday 14 th April, 2015 Alexander Richardson Compiler aided optimization of the pimpl-idiom 1 / 11

335 views • 15 slides
CSE 116: Fall 2019 Introduction to Functional Programming Higher-Order Functions Owen

CSE 116: Fall 2019 Introduction to Functional Programming Higher-Order Functions Owen

CSE 116: Fall 2019 Introduction to Functional Programming Higher-Order Functions Owen Arden UC Santa Cruz Based on course materials developed by Nadia Polikarpova Plan for this week Last week: user-defined data types and how

865 views • 16 slides
1. More readable 2. (Usually) More overhead 3. We dont know which one we aspire to more

1. More readable 2. (Usually) More overhead 3. We dont know which one we aspire to more

1. More readable 2. (Usually) More overhead 3. We dont know which one we aspire to more A clever title Christina Lee Two Stones, One Bird A clever title Christina Lee Kill two birds with one stone Kill two birds with one

1.99k views • 194 slides
WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER

WRITING FASTER CODE 1 . 1 WRITING FASTER CODE AND NOT HATING YOUR JOB AS A SOFTWARE DEVELOPER 1 . 2 WRITING FASTER PYTHON @SebaWitowski 1 . 3 PYTHON WAS NOT MADE TO BE FAST... ...BUT TO MAKE DEVELOPERS FAST. 2 . 1 It was nice to

451 views • 43 slides
C++11/14/1z in CMake Ben Morgan Overview How do we ensure the compiler and standard library

C++11/14/1z in CMake Ben Morgan Overview How do we ensure the compiler and standard library

C++11/14/1z in CMake Ben Morgan Overview How do we ensure the compiler and standard library in use support the features of C++ Standard used in code? Can we provide workarounds when/if they dont? How do we help users of Geant4 to

443 views • 9 slides
So you think you got it? 59 Wait a minute May everything we did in our Bounded Types

So you think you got it? 59 Wait a minute May everything we did in our Bounded Types

So you think you got it? 59 Wait a minute May everything we did in our Bounded Types example be done w/ only polymorphism??? 60 <U extends MyClass> vs. MyClass as parameter public class JustTesting{ public static void

585 views • 16 slides
The APGAS Library Resilient Parallel and Distributed Programming in Java 8 Olivier Tardieu IBM

The APGAS Library Resilient Parallel and Distributed Programming in Java 8 Olivier Tardieu IBM

The APGAS Library Resilient Parallel and Distributed Programming in Java 8 Olivier Tardieu IBM Research This material is based upon work supported by the U.S. Department of Energy, Office of Science, Advanced Scientific Computing Research

428 views • 18 slides
Cloud-Based File Synchronization Services Exploding in popularity Numerous providers:

Cloud-Based File Synchronization Services Exploding in popularity Numerous providers:

*-Box (star-box) Towards Reliability and Consistency in Dropbox-like File Synchronization Services Yupu Zhang , Chris Dragga, Andrea Arpaci-Dusseau, Remzi Arpaci-Dusseau University of Wisconsin - Madison 6/27/2013 1 Cloud-Based File

882 views • 31 slides

More recommend