Efficient Set Sharing Using ZBDDs

Set sharing is an abstract domain in which each concrete object is represented by the set of local variables from which it might be reachable. It is a useful abstraction to detect parallelism opportunities, since it contains definite information about which variables do not share in memory, i.e., about when the memory regions reachable from those variables are disjoint. Set sharing is a more precise alternative to pair sharing, in which each domain element is a set of all pairs of local variables from which a common object may be reachable. However, the exponential complexity of some set sharing operations has limited its wider application. This work introduces an efficient implementation of the set sharing domain using Zero-suppressed Binary Decision Diagrams (ZBDDs). Because ZBDDs were designed to represent sets of combinations (i.e., sets of sets), they naturally represent elements of the set sharing domain. We show how to synthesize the operations needed in the set sharing transfer functions from basic ZBDD operations. For some of the operations, we devise custom ZBDD algorithms that perform better in practice. We also compare our implementation of the abstract domain with an efficient, compact, bit set-based alternative, and show that the ZBDD version scales better in terms of both memory usage and running time

The Julia Static Analyzer for Java

The Julia static analyzer applies abstract interpretation to the analysis and verification of Java bytecode. It is the result of 13 years of engineering effort based on theoretical research on denotational and constraint-based static analysis through abstract interpretation. Julia is a library for static analysis, over which many checkers have been built , that verify the absence of a large set of typical errors of software: among them are null-pointer accesses, non-termination, wrong synchronization and injection threats to security. This article recaps the history of Julia, describes the technology under the hood of the tool, reports lessons learned from the market, current limitations and future work

Nullness Analysis in Boolean Form

Attempts to dereference nil result in anexception or a segmentation fault. Hence itis importantto know those program points where this might occur and provethe others (or the entire program) safe.Nullness analysis of computer programs checks or infers non-nil annotationsfor variables and object fields. Most nullnessanalyses currently use run-time checks or are incorrect or only verifymanual annotations. We use here abstract interpretationto build and prove correct a static nullness analysis for Javabytecode which infers non-nil annotations. It isbased on Boolean formulas, implemented with binary decisiondiagrams. Our experiments show it faster and more precise than the correctnullness analysis by Hubert, Jensen and Pichardie.We deal with static fields and exceptions, which isnot the case of most other analyses. We claim that the result istheoretically clean and the implementation strong and scalable

Magic-sets for localised analysis of Java bytecode

Static analyses based on denotational semantics can naturally modelfunctional behaviours of the code in a compositionaland completely context and flow sensitive way. But theyonly model the functional, ie., input/output behaviour of a program P,not enough if one needs P's internal behaviours,ie., from the input to some internal program points.This is, however, a frequent requirement for a useful staticanalysis. In this paper, weovercome this limitation, for the case of mono-threaded Java bytecode,with a technique used up to nowfor logic programs only. Namely, we define a programtransformation that adds new "magic" blocks of code to theprogram P, whose functional behaviours are the internal behaviours of P.We prove the transformation correct wrt. an operationalsemantics and define an equivalent denotational semantics, devised forabstract interpretation, whosedenotations for the magic blocks are hence the internal behavioursof P. We implement our transformationand instantiate it with abstract domains modellingsharing of two variables, non-cyclicity of variables,nullness of variables, class initialisation informationand size of the values bound to program variables.We get a static analyser for full mono-threaded Java bytecode that is faster andscales better than another operational pair-sharing analyser.It has the same speed but is more precisethan a constraint-based nullness analyser. It makes a polyhedralsize analysis of Java bytecode scale up to 1300 methods in a coupleof minutes and a zone-based size analysis scale to still largerapplications

A Termination Analyzer for Java Bytecode based on Path-Length

It is important to prove that supposedly terminating programs actuallyterminate, particularly if those programs must berun on critical systems or downloaded into a client such as a mobile phone.Although termination of computer programs is generally undecidable,it is possible and useful to provetermination of a large, non-trivial subset of the terminating programs.In this paper we present our termination analyser for sequential Java bytecode,based on a program property called path-length. We describe theanalyses which are needed before the path-length can be computed, such assharing, cyclicity and aliasing. Then weformally define the path-length analysis and prove it correct wrt areference denotational semantics of the bytecode. We show that a constraintlogic program P_CLPcan be built from the result of the path-length analysisof a Java bytecode program P andformally prove that if P_CLP terminates then also P terminates.Hence a termination prover for constraint logic programs can be appliedto prove the termination of P. We conclude with some discussion of thepossibilities and limitations of our approach.Ours is the first existing termination analyser for Java bytecodedealing with any kind of data structures dynamically allocated on the heapand which does not require any help or annotation on the part of the user

Magic-Sets Transformation for the Analysis of Java Bytecode

Denotational static analysis of Java bytecode has anice and clean compositional definition and an efficientimplementation with binary decision diagrams.But it models only the functionalie input/output behaviour of a program P,not enough if one needs P's internal behavioursie from the input to some internal program points.We overcome this limitation with a technique used up to nowfor logic programs only. It adds new magic blocks of codeto P, whose functional behaviours are the internal behaviours of P.We prove this transformation correct with an operationalsemantics. We define an equivalent denotational semantics, whosedenotations for the magic blocks are hence the internal behavioursof P. We implement our transformationand instantiate it with abstract domains modelling sharingof two variables and non-cyclicity of variables.We get a static analyser for full Java bytecode that is faster andscales better than another operational pair-sharing analyserand a constraint-based pointer analyser

A General Framework for Constraint-Based Static Analyses of Java Bytecode Programs

Questa tesi introduce un generico e parametrizzato framework per analisi statica dei programmi Java bytecode, basato sulla generazione e soluzione dei vincoli. All'interno del framework \ue8 possibile gestire sia i flussi di eccezione all'interno di programmi analizzati, sia i side-effect indotti dalle esecuzioni dei metodi che possono modificare la memoria. Questo framework \ue8 generico nel senso che diverse istanziazioni dei suoi parametri risultano in diverse analisi statiche capaci di catturare varie propriet\ue0 relative alla memoria delle variabili del programma ad ogni punto del programma. Le analisi statiche definite dal framework sono basate su interpretazione astratta, e quindi le propriet\ue0 d'interesse sono rappresentate da dei domini astratti. Il framework pu\uf2 essere usato per la definizione sia delle analisi statiche che producono le approssimazioni del tipo "possible" oppure "may", che quelle del tipo "definite" oppure "must". Nel primo caso, il risultato di tali analisi \ue8 una sovra-approssimazione di quello che potrebbe essere vero ad un certo punto del programma, mentre nel secondo caso il risultato rappresenta una sotto-approssimazione della situazione reale. Questa tesi fornisce un insieme di condizioni che diverse istanziazioni dei parametri del framework devono soddisfare affinch\ue9 le analisi statiche definite all'interno del framework siano "sound" (corrette). Quando i parametri istanziati soddisfano tali condizioni, il framework garantisce la correttezza dell'analisi corrispondente all'istanziazione in questione. Il vantaggio di questo approccio \ue8 che il designer di una nuova analisi statica deve soltanto mostrare che i parametri da lui istanziati soddisfano i criteri specificati dal framework.In questo modo la dimostrazione di correttezza dell'analisi completa \ue8 semplificata. Questa \ue8 una caratteristica molto importante del presente lavoro. La tesi introduce due nuove analisi statiche relatve alle propriet\ue0 della memoria: la Possible Reachability Analysis Between Program Variables e la Definite Expression Aliasing Analysis. La prima rappresenta un esempio delle analisi "possible" e determina, per ogni punto p del programma, quali sono le coppie ordinate delle variabili disponibili a tale punto, tali che v potrebbe raggiungere w al punto p, ovvero, che a partire dalla variabile v \ue8 possibile seguire un insieme di locazioni di memoria che portano all'oggetto legato alla variabile w. La seconda analisi \ue8 un esempio delle analisi "definite" e determina, per ogni punto p del programma ed ogni variabile v disponibile a tale punto, un insieme di espressioni il cui valore \ue8 sempre uguale al valore che la variabile v pu\uf2 avere al punto p, per ogni possibile esecuzione. Entrambe le analisi sono state formalizzate e dimostrate corrette grazie ai risultati teorici del framework introdotto in questa tesi. In pi\uf9, entrambe le analisi sono state implementate all'interno dell'analizzatore statico per Java e Android chiamato Julia (www.juliasoft.com). Gli esperimenti eseguiti sui programmi reali mostrano che la precisione dei principali tool di Julia (nullness e termination tool) \ue8 migliorata rispetto alle versioni precedenti di Julia nelle quali le nuove analisi non erano presenti.The present thesis introduces a generic parameterized framework for static analysis of Java bytecode programs, based on constraint generation and solving. This framework is able to deal with the exceptional flows inside the program and the side-effects induced by calls to non-pure methods. It is generic in the sense that different instantiations of its parameters give rise to different static analyses which might capture complex memory-related properties at each program point. Different properties of interest are represented as abstract domains, and therefore the static analyses defined inside the framework are abstract interpretation-based. The framework can be used to generate possible or may approximations of the property of interest, as well as definite or must approximations of that property. In the former case, the result of the static analysis is an over-approximation of what might be true at a given program point; in the latter, it is an under-approximation. This thesis provides a set of conditions that different instantiations of framework's parameters must satisfy in order to have a sound static analysis. When these conditions are satisfied by a parameter's instantiation, the framework guarantees that the corresponding static analysis is sound. It means that the designer of a novel static analysis should only show that the parameters he or she instantiated actually satisfy the conditions provided by the framework. This way the framework simplifies the proofs of soundness of the static analysis: instead of showing that the overall analysis is sound, it is enough to show that the provided instantiation describing the actual static analyses satisfies the conditions mentioned above. This a very important feature of the present approach. Then the thesis introduces two novel static analyses dealing with memory-related properties: the Possible Reachability Analysis Between Program Variables and the Definite Expression Aliasing Analysis. The former analysis is an example of a possible analysis which determines, for each program point p, which are the ordered pairs of variables available at p, such that v might reach w at p, i.e., such that starting from v it is possible to follow a path of memory locations that leads to the object bound to w. The latter analysis is an example of a definite analysis, and it determines, for each program point p and each variable v available at that point, a set of expressions which are always aliased to v at p. Both analyses have been formalized and proved sound by using the theoretical results of the framework. These analyses have been also implemented inside the Julia tool (www.juliasoft.com), which is a static analyzer for Java and Android. Experimental evaluation of these analyses on real-life benchmarks shows how the precision of Julia's principal checkers (nullness and termination checkers) increased compared to the previous version of Julia where these two analyses were not implemented. Moreover, this experimental evaluation showed that the presence of the reachability analysis actually decreased the total run-time of Julia. On the other hand, the aliasing analysis takes more time, but the number of possible warnings produced by the principal checkers drastically decreased