Data-flow Analysis of Programs with Associative Arrays

Dynamic programming languages, such as PHP, JavaScript, and Python, provide built-in data structures including associative arrays and objects with similar semantics-object properties can be created at run-time and accessed via arbitrary expressions. While a high level of security and safety of applications written in these languages can be of a particular importance (consider a web application storing sensitive data and providing its functionality worldwide), dynamic data structures pose significant challenges for data-flow analysis making traditional static verification methods both unsound and imprecise. In this paper, we propose a sound and precise approach for value and points-to analysis of programs with associative arrays-like data structures, upon which data-flow analyses can be built. We implemented our approach in a web-application domain-in an analyzer of PHP code.Comment: In Proceedings ESSS 2014, arXiv:1405.055

Ariadne: Analysis for Machine Learning Program

Machine learning has transformed domains like vision and translation, and is now increasingly used in science, where the correctness of such code is vital. Python is popular for machine learning, in part because of its wealth of machine learning libraries, and is felt to make development faster; however, this dynamic language has less support for error detection at code creation time than tools like Eclipse. This is especially problematic for machine learning: given its statistical nature, code with subtle errors may run and produce results that look plausible but are meaningless. This can vitiate scientific results. We report on Ariadne: applying a static framework, WALA, to machine learning code that uses TensorFlow. We have created static analysis for Python, a type system for tracking tensors---Tensorflow's core data structures---and a data flow analysis to track their usage. We report on how it was built and present some early results

Designing and implementing control flow graph for magic 4th generation language

A good compiler which implements many optimizations during its compilation phases must be able to perform several static analysis techniques such as control flow or data flow analysis. Besides compilers, these techniques are common for static analyzers as well to retrieve information from source code, for example for code auditing, quality assurance or testing purposes. Implementing control flow analysis requires handling many special structures of the target language. In our paper we present our experiences in implementing control flow graph (CFG) construction for a special 4th generation language called Magic. While we were designing and implementing the CFG for this language, we identified differences compared to 3rd generation languages mostly because of the unique programming technique of Magic (e.g. data access, parallel task execution, events). Our work was motivated by our industrial partner who needed precise static analysis tools (e.g. for quality assurance or testing purposes) for this language. We believe that our experiences for Magic, as a representative of 4GLs, might be generalized for other languages too

Formal semantics and analysis of control flow in WS-BPEL

Web service composition refers to the creation of new (Web) services by combination of functionality provided by existing ones. This paradigm has gained significant attention in the Web services community and is seen as a pillar for building service-oriented applications. A number of domain-specific languages for service composition have been proposed with consensus being formed around a process-oriented language known as WS-BPEL (or BPEL). The kernel of BPEL consists of simple communication primitives that may be combined using control-flow constructs expressing sequence, branching, parallelism, synchronisation, etc. As a result, BPEL process definitions lend themselves to static flow-based analysis techniques. In this report, we describe a tool that performs two useful types of static checks and extracts meta-data to optimise dynamic resource management. The tool operates by translating BPEL processes into Petri nets and exploiting existing Petri net analysis techniques. It relies on a comprehensive and rigorously defined mapping of BPEL constructs into Petri net structures

Formal semantics and analysis of control flow in WS-BPEL

Web service composition refers to the creation of new (Web) services by combination of functionality provided by existing ones. This paradigm has gained significant attention in the Web services community and is seen as a pillar for building service-oriented applications. A number of domain-specific languages for service composition have been proposed with consensus being formed around a process-oriented language known as WS-BPEL (or BPEL). The kernel of BPEL consists of simple communication primitives that may be combined using control-flow constructs expressing sequence, branching, parallelism, synchronisation, etc. As a result, BPEL process definitions lend themselves to static flow-based analysis techniques. In this report, we describe a tool that performs two useful types of static checks and extracts meta-data to optimise dynamic resource management. The tool operates by translating BPEL processes into Petri nets and exploiting existing Petri net analysis techniques. It relies on a comprehensive and rigorously defined mapping of BPEL constructs into Petri net structures

A sound abstract interpreter for dynamic code

Dynamic languages, such as JavaScript, employ string-to-code primitives to turn dynamically generated text into executable code at run-time. These features make standard static analysis extremely hard if not impossible because its essential data structures, i.e., the control-flow graph and the system of recursive equations associated with the program to analyze, are themselves dynamically mutating objects. Hence, the need to handle string-to-code statements approximating what they can execute, and therefore allowing the analysis to continue (even in presence of string-to-code statements) with an acceptable degree of precision. In order to reach this goal, we propose a static analysis allowing us to collect string values and allowing us to soundly over-approximate and analyze the code potentially executed by a string-to-code statement

Unsteady flow phenomena in turbine shroud cavities

This paper presents those flow parameters at which coherent structures appear in the blade tip cavities of shrouded turbine blades. To the authors’ knowledge, this is reported for the first time in the open literature. The unsteady flow in a shroud cavity is analysed based on experimental data recorded in a labyrinth seal test rig. The unsteady static wall pressure in the shroud cavity inlet and outlet is measured using time-resolving pressure sensors. Sensors are located at staggered circumferential positions to allow cross-correlation between signals. The unsteady pressure signals are reduced using Fourier analysis and cross-correlation in combination with digital filters. Based on the data, a theory is formulated explaining the phenomena reflected in the measurements. The results suggest that pressure fluctuations with distinct numbers of nodes are rotating in the shroud cavity outlet. Moreover, modes with different node numbers appear to be super-imposed, rotating at a common speed in circumferential direction. The pressure fluctuations are not found at all operating points. Further analysis indicates that the pressure fluctuations are present at operating points matching distinct parameters correlating with the cavity flow coefficient. Unsteady RANS simulations predict similar flow structures for the design operating point of the test rig

Design of active debris flow mitigation measures: a comprehensive analysis of existing impact models

Debris flows occur in mountainous areas characterized by steep slope and occasional severe rainstorms. The massive urbanization in these areas raised the importance of studying and mitigating these phenomena. Concerning the strategy of protection, it is fundamental to evaluate both the effect of the magnitude (that concerns the definition of the hazard), in terms of mobilized volume and travel distance, and the best technical protection structures (that concerns the mitigation measures) to reduce the existing risk to an acceptable residual one. In particular, the mitigation measure design requires the evaluation of the effects of debris flow impact forces against them. In other words, once it is established that mitigation structures are required, the impacting pressure shall be evaluated and it should be verified that it does not exceed barrier resistance. In this paper, the author wants to focus on the definition and the evaluation of the impacting load of debris flows on protection structures: a critical review of main existing models and equations treated in scientific literature is here presented. Although most of these equations are based on solid physical basis, they are always affected by an empirical nature due to the presence of coefficients for fitting the numerical results with laboratory and, less frequently, field data. The predicting capability of these equations, namely the capability of fitting experimental/field data, is analysed and evaluated using ten different datasets available in scientific literature. The purpose of this paper is to provide a comprehensive analysis of the existing debris flow impact models, highlighting their strong points and limits. Moreover, this paper could have a practical aspect by helping engineers in the choice of the best technical solution and the safe design of debris flow protection structures. Existing design guidelines for debris flow protection barrier have been analysed. Finally, starting from the analysis of the hydro-static model response to fit field data and introducing some practical assumptions, an empirical formula is proposed for taking into account the dynamic effects of the phenomenon

Analyzing Dynamic Code: A Sound Abstract Interpreter for Evil Eval

Dynamic languages, such as JavaScript, employ string-to-code primitives to turn dynamically generated text into executable code at run-time. These features make standard static analysis extremely hard if not impossible, because its essential data structures, i.e., the control-flow graph and the system of recursive equations associated with the program to analyze, are themselves dynamically mutating objects. Nevertheless, assembling code at run-time by manipulating strings, such as by eval in JavaScript, has been always strongly discouraged, since it is often recognized that "eval is evil,"leading static analyzers to not consider such statements or ignoring their effects. Unfortunately, the lack of formal approaches to analyze string-to-code statements pose a perfect habitat for malicious code, that is surely evil and do not respect good practice rules, allowing them to hide malicious intents as strings to be converted to code and making static analyses blind to the real malicious aim of the code. Hence, the need to handle string-to-code statements approximating what they can execute, and therefore allowing the analysis to continue (even in the presence of dynamically generated program statements) with an acceptable degree of precision, should be clear. To reach this goal, we propose a static analysis allowing us to collect string values and to soundly over-approximate and analyze the code potentially executed by a string-to-code statement