Symbol-Specific Sparsification of Interprocedural Distributive Environment Problems
Previous work has shown that one can often greatly speed up static analysis
by computing data flows not for every edge in the program's control-flow graph
but instead only along definition-use chains. This yields a so-called sparse
static analysis. Recent work on SparseDroid has shown that specifically taint
analysis can be "sparsified" with extraordinary effectiveness because the taint
state of one variable does not depend on those of others. This allows one to
soundly omit more flow-function computations than in the general case.
In this work, we now assess whether this result carries over to the more
generic setting of so-called Interprocedural Distributive Environment (IDE)
problems. Opposed to taint analysis, IDE comprises distributive problems with
large or even infinitely broad domains, such as typestate analysis or linear
constant propagation. Specifically, this paper presents Sparse IDE, a framework
that realizes sparsification for any static analysis that fits the IDE
framework.
We implement Sparse IDE in SparseHeros, as an extension to the popular Heros
IDE solver, and evaluate its performance on real-world Java libraries by
comparing it to the baseline IDE algorithm. To this end, we design, implement
and evaluate a linear constant propagation analysis client on top of
SparseHeros. Our experiments show that, although IDE analyses can only be
sparsified with respect to symbols and not (numeric) values, Sparse IDE can
nonetheless yield significantly lower runtimes and often also memory
consumptions compared to the original IDE.
Comment: To be published in ICSE 202
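The abstract's example client, linear constant propagation, is a classic IDE instance: edge functions have the form v -> a*v + b, and composing two such functions yields another linear function, which is what lets IDE summarize whole paths compactly. The sketch below illustrates this closure property in plain Java; the class and method names are illustrative and are not the Heros/SparseHeros API.

```java
// Minimal sketch of linear edge functions as used in IDE-style linear
// constant propagation. Representation and names are illustrative only.
final class LinearEdgeFunction {
    final long a, b; // represents the function v -> a*v + b

    LinearEdgeFunction(long a, long b) { this.a = a; this.b = b; }

    long apply(long v) { return a * v + b; }

    // Composition stays linear:
    // g(f(v)) = a2*(a1*v + b1) + b2 = (a2*a1)*v + (a2*b1 + b2).
    // This closure property is why IDE can summarize whole interprocedural
    // paths with a single edge function instead of re-running flow functions.
    LinearEdgeFunction compose(LinearEdgeFunction then) {
        return new LinearEdgeFunction(then.a * this.a, then.a * this.b + then.b);
    }

    public static void main(String[] args) {
        LinearEdgeFunction f = new LinearEdgeFunction(2, 3); // v -> 2v + 3
        LinearEdgeFunction g = new LinearEdgeFunction(5, 1); // v -> 5v + 1
        LinearEdgeFunction h = f.compose(g);                 // v -> 10v + 16
        System.out.println(h.apply(4)); // 56
    }
}
```

Note that a real IDE domain would also include top and bottom elements for "unknown" and "non-constant" values, which are omitted here for brevity.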
A comparison and contrast of APKTool and Soot for injecting blockchain calls into Android applications
The injection of blockchain calls into an Android application is an emerging and important tool for Android application developers. Blockchain technology provides a way of securely storing sensitive data and distributing that data while providing immutability. This paper compares two compiler-based tools, APKTool and the Soot framework, and how each can inject blockchain calls into Android applications. A major contribution of this paper is its comparison of APKTool and the Soot framework for injecting blockchain calls, including the difficulties each tool introduces when implementing such an injection. To the best of our knowledge, neither the Soot framework nor APKTool has previously been used to inject blockchain calls. The reason is the complexity of configuring blockchain calls in Android applications. Part of the difficulty stems from the constant changes to API calls in the Android framework. This presents a challenge because the Soot and APKTool compilers have to be modified to adapt to changes in the Android API.
Modular Abstract Definitional Interpreters for WebAssembly
Even though static analyses can improve performance and secure programs against vulnerabilities, no static whole-program analyses exist for WebAssembly (Wasm) to date. Part of the reason is that Wasm has many complex language features, and it is not obvious how to adapt existing analysis frameworks to them. This paper explores how abstract definitional interpretation can be used to develop sophisticated analyses for Wasm and other complex languages efficiently. In particular, we show that the semantics of Wasm can be decomposed into 19 language-independent components that abstract different aspects of Wasm. We have written a highly configurable definitional interpreter for full Wasm 1.0 in 1628 LOC against these components. Analysis developers can instantiate this interpreter with different value and effect abstractions to obtain abstract definitional interpreters that compute inter-procedural control- and data-flow information. This way, we develop the first whole-program dead code, constant propagation, and taint analyses for Wasm, each in less than 210 LOC. We evaluate our analyses on 1458 Wasm binaries collected by others in the wild. Our implementation is based on a novel framework for definitional abstract interpretation in Scala that eliminates scalability issues of prior work.
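The core idea of abstract definitional interpretation, as the abstract describes it, is that one interpreter parameterized over a value domain serves as both a concrete interpreter and a static analysis. The toy below shows that pattern for a two-instruction stack machine; it is a heavily simplified illustration in Java, not the paper's Scala framework, and every name in it is invented for this sketch.

```java
// Hedged sketch of abstract definitional interpretation: one interpreter,
// parameterized by a value domain. Instantiating it with a concrete domain
// gives an ordinary interpreter; swapping in an abstract domain (e.g. a
// constant-propagation lattice with a TOP element) turns the same code
// into a static analysis. All names here are illustrative.
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

interface Domain<V> {
    V constant(int c); // inject a literal into the domain
    V add(V x, V y);   // abstract addition
}

final class Interp<V> {
    private final Domain<V> dom;
    Interp(Domain<V> dom) { this.dom = dom; }

    // Programs are lists of instructions: "const n" or "add".
    V run(List<String> program) {
        Deque<V> stack = new ArrayDeque<>();
        for (String insn : program) {
            if (insn.startsWith("const ")) {
                stack.push(dom.constant(Integer.parseInt(insn.substring(6))));
            } else if (insn.equals("add")) {
                V y = stack.pop(), x = stack.pop();
                stack.push(dom.add(x, y));
            }
        }
        return stack.pop();
    }
}

final class ConcreteDomain implements Domain<Integer> {
    public Integer constant(int c) { return c; }
    public Integer add(Integer x, Integer y) { return x + y; }

    public static void main(String[] args) {
        Interp<Integer> interp = new Interp<>(new ConcreteDomain());
        System.out.println(interp.run(List.of("const 2", "const 3", "add"))); // 5
    }
}
```

The paper's contribution is doing this decomposition at the scale of full Wasm 1.0, with effect abstractions in addition to value abstractions.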
Flow- and context-sensitive points-to analysis using generalized points-to graphs
© Springer-Verlag GmbH Germany 2016. Bottom-up interprocedural methods of program analysis construct summary flow functions for procedures to capture the effect of their calls, and have been used effectively for many analyses. However, these methods seem computationally expensive for flow- and context-sensitive points-to analysis (FCPA), which requires modelling unknown locations accessed indirectly through pointers. Such accesses are commonly handled by using placeholders to explicate unknown locations or by using multiple call-specific summary flow functions. We generalize the concept of points-to relations by using the counts of indirection levels, leaving the unknown locations implicit. This allows us to create summary flow functions in the form of generalized points-to graphs (GPGs) without the need for placeholders. By design, GPGs represent both memory (in terms of classical points-to facts) and memory transformers (in terms of generalized points-to facts). We perform FCPA by progressively reducing generalized points-to facts to classical points-to facts. GPGs distinguish between may and must pointer updates, thereby facilitating strong updates within calling contexts. The size of GPGs is linearly bounded by the number of variables and is independent of the number of statements. Empirical measurements on SPEC benchmarks show that GPGs are indeed compact in spite of large procedure sizes. This allows us to scale FCPA to 158 kLoC using GPGs (compared to 35 kLoC reported by liveness-based FCPA). Thus GPGs hold a promise of efficiency and scalability for FCPA without compromising precision.
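The key move in the abstract, recording indirection counts instead of placeholders and then reducing generalized facts to classical ones, can be made concrete with a tiny example. The sketch below encodes a generalized edge (lhs, i, rhs, j) and one simplified reduction step; it is a loose illustration of the idea, not the paper's full edge-composition calculus, and it omits the may/must distinction entirely.

```java
// Hedged sketch of GPG-style generalized points-to facts. An edge
// (lhs, i, rhs, j) carries indirection counts; indlev (1,0) is a classical
// points-to fact "lhs points to rhs". For example, the statement x = y
// would be encoded as (x, 1, y, 1). Names and the reduction rule are a
// simplified illustration of the paper's edge composition.
record GenEdge(String lhs, int i, String rhs, int j) {
    boolean isClassical() { return i == 1 && j == 0; }

    // Reduce this edge using a classical fact about its rhs:
    // (x, i, y, j) with (y, 1, z, 0) becomes (x, i, z, j - 1),
    // since one level of indirection through y is now resolved to z.
    GenEdge reduceWith(GenEdge classical) {
        if (classical.isClassical() && rhs.equals(classical.lhs) && j >= 1) {
            return new GenEdge(lhs, i, classical.rhs, j - 1);
        }
        return this;
    }
}
```

For instance, the generalized fact (x, 1, y, 1) from `x = y`, reduced with the classical fact (y, 1, z, 0), yields (x, 1, z, 0): x points to z, with no placeholder ever introduced for y's unknown pointee.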
Fault localisation for WS-BPEL programs based on predicate switching and program slicing
Service-Oriented Architecture (SOA) enables the coordination of multiple loosely coupled services. This allows users to choose any service provided by the SOA without knowing implementation details, thus making coding easier and more flexible. Web services are the basic units of SOA. However, the functionality of a single Web service is limited and usually cannot completely satisfy actual demand. Hence, it is necessary to coordinate multiple independent Web services to achieve complex business processes. Business Process Execution Language for Web Services (WS-BPEL) makes this coordination possible by helping to integrate multiple Web services and providing an interface for users to invoke. When coordinating these services, however, illegal or faulty operations may be encountered, and current tools are not yet powerful enough to support the localisation and removal of these problems. In this paper, we propose a fault localisation technique for WS-BPEL programs based on predicate switching and program slicing, allowing developers to more precisely locate suspicious faulty code. Case studies were conducted to investigate the effectiveness of the proposed technique, which was compared with predicate switching only, slicing only, and an existing fault localisation technique, namely Tarantula. The experimental results show that the proposed technique achieves higher fault localisation effectiveness and precision than the baseline techniques.
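Predicate switching, one of the two ingredients of the abstract's technique, works by forcibly flipping a branch outcome during a failing run: if the run then passes, the flipped ("critical") predicate points at suspicious code. The demo below shows the mechanism in Java rather than WS-BPEL, with a deliberately buggy predicate; all names are invented for this illustration.

```java
// Hedged illustration of predicate switching (in Java, not WS-BPEL).
// A global switch flips the outcome of one instrumented predicate; when
// flipping a predicate turns a failing run into a passing one, that
// predicate is "critical" and localizes the search for the fault.
final class PredicateSwitchDemo {
    static int switchedPredicate = -1; // id of the predicate to flip, -1 = none

    static boolean pred(int id, boolean actual) {
        return id == switchedPredicate ? !actual : actual;
    }

    // Buggy: should return the maximum, but predicate 0 tests the wrong way.
    static int buggyMax(int a, int b) {
        if (pred(0, a < b)) { // bug: correct code would test a > b
            return a;
        }
        return b;
    }

    public static void main(String[] args) {
        System.out.println(buggyMax(7, 3)); // failing run: prints 3, expected 7
        switchedPredicate = 0;              // flip predicate 0 and re-run
        System.out.println(buggyMax(7, 3)); // now prints 7: predicate 0 is critical
    }
}
```

Program slicing then narrows attention further, to the statements that can influence the critical predicate or the faulty output.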
Ernst Denert Award for Software Engineering 2019
This open access book provides an overview of the dissertations of the five nominees for the Ernst Denert Award for Software Engineering in 2019. The prize, kindly sponsored by the Gerlind & Ernst Denert Stiftung, is awarded for excellent work within the discipline of Software Engineering, which includes methods, tools and procedures for better and efficient development of high quality software. An essential requirement for the nominated work is its applicability and usability in industrial practice. The book contains five papers describing the works by Sebastian Baltes (U Trier) on Software Developers' Work Habits and Expertise, Timo Greifenberg's thesis on Artefaktbasierte Analyse modellgetriebener Softwareentwicklungsprojekte, Marco Konersmann's (U Duisburg-Essen) work on Explicitly Integrated Architecture, Marija Selakovic's (TU Darmstadt) research about Actionable Program Analyses for Improving Software Performance, and Johannes Späth's (Paderborn U) thesis on Synchronized Pushdown Systems for Pointer and Data-Flow Analysis, which actually won the award. The chapters describe key findings of the respective works, show their relevance and applicability to practice and industrial software engineering projects, and provide additional information and findings that have only been discovered afterwards, e.g. when applying the results in industry. This way, the book is not only interesting to other researchers, but also to industrial software professionals who would like to learn about the application of state-of-the-art methods in their daily work.
Actionable Program Analyses for Improving Software Performance
Nowadays, we have greater expectations of software than ever before. This is accompanied by constant pressure to run the same program on smaller and cheaper machines. To meet this demand, the application's performance has become an essential concern in software development. Unfortunately, many applications still suffer from performance issues: coding or design errors that lead to performance degradation. However, finding performance issues is a challenging task: there is limited knowledge on how performance issues are discovered and fixed in practice, and current performance profilers report only where resources are spent, but not where resources are wasted. The goal of this dissertation is to investigate actionable performance analyses that help developers optimize their software by applying relatively simple code changes. To understand causes and fixes of performance issues in real-world software, we first present an empirical study of 98 issues in popular JavaScript projects. The study illustrates the prevalence of simple and recurring optimization patterns that lead to significant performance improvements. Then, to help developers optimize their code, we propose two actionable performance analyses that suggest optimizations based on reordering opportunities and method inlining. In this work, we focus on optimizations with four key properties. First, the optimizations are effective, that is, the changes suggested by the analysis lead to statistically significant performance improvements. Second, the optimizations are exploitable, that is, they are easy to understand and apply. Third, the optimizations are recurring, that is, they are applicable across multiple projects. Fourth, the optimizations are out-of-reach for compilers, that is, compilers cannot guarantee that a code transformation preserves the original semantics. To reliably detect optimization opportunities and measure their performance benefits, the code must be executed with sufficient test inputs. The last contribution complements state-of-the-art test generation techniques by proposing a novel automated approach for generating effective tests for higher-order functions. We implement our techniques in practical tools and evaluate their effectiveness on a set of popular software systems. The empirical evaluation demonstrates the potential of actionable analyses in improving software performance through relatively simple optimization opportunities.
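One of the "simple and recurring" patterns the abstract mentions, reordering opportunities, can be illustrated concretely: in a short-circuit conjunction, putting the cheap, frequently-false test first avoids most evaluations of the expensive one without changing the result. The example below is an illustrative Java analogue (the dissertation's study targets JavaScript); all names are invented for this sketch.

```java
// Hedged example of a reordering optimization: swap the operands of a
// short-circuit && so the cheap check runs first. Semantics are preserved
// because && evaluates left to right, but the costly regex now runs only
// for strings that pass the cheap length test.
import java.util.List;

final class ReorderingExample {
    static boolean expensiveCheck(String s) {
        return s.matches("[a-z]+@[a-z]+\\.[a-z]+"); // regex: comparatively costly
    }

    // Before: the regex runs even for strings the length test would reject.
    static long countBefore(List<String> xs) {
        return xs.stream().filter(s -> expensiveCheck(s) && s.length() > 5).count();
    }

    // After: the cheap test short-circuits most regex evaluations.
    static long countAfter(List<String> xs) {
        return xs.stream().filter(s -> s.length() > 5 && expensiveCheck(s)).count();
    }
}
```

This is also a case of the fourth property above: a compiler cannot perform this reordering automatically, because it cannot in general prove the two operand expressions are side-effect-free and thus that swapping them preserves semantics.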
MockDetector: Detecting and tracking mock objects in unit tests
Unit testing is a widely used tool in modern software development processes. A well-known
issue in writing tests is handling dependencies: creating usable objects for dependencies
is often complicated. Developers must therefore often introduce mock objects to
stand in for dependencies during testing.
Test suites are an increasingly important component of the source code of a software
system. We believe that the static analysis of test suites, alongside the systems under
test, can enable developers to better characterize the behaviours of existing test suites,
thus guiding further test suite analysis and manipulation. However, because mock objects
are created using reflection, they confound existing static analysis techniques. At present,
it is impossible to statically distinguish methods invoked on mock objects from methods
invoked on real objects. Static analysis tools therefore currently cannot determine which
dependencies' methods are actually tested, versus mock methods being called.
In this thesis, we introduce MockDetector, a technique to identify mock objects and
track method invocations on mock objects. We first built a Soot-based imperative dataflow
analysis implementation of MockDetector. Then, to quickly prototype new analysis features
and to explore declarative program analysis, we created a Doop-based declarative
analysis, added features to it, and ported them back to the Soot-based analysis. Both
analyses handle common Java mock libraries' APIs for creating mock objects and propagate
the mock objects information through test cases. Following our observations of
tests in the wild, we have added special-case support for arrays and collections holding
mock objects. On our suite of 8 open-source benchmarks, our imperative dataflow analysis
approach reported 2,095 invocations on mock objects intraprocedurally, whereas our
declarative dataflow approach reported 2,130 invocations on mock objects (under context-insensitive base analyses in intraprocedural mode), out of a total number of 63,017 method
invocations in test suites; across benchmarks, mock invocations accounted for a range from
0.086% to 16.4% of the total invocations. Removing confounding mock invocations from
consideration as focal methods can improve the precision of focal method analysis, a key
prerequisite to further analysis of test cases.
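The dataflow the thesis describes, marking variables created by a mock() call, propagating the mock bit through copies, and flagging invocations on mock variables, can be sketched over a toy statement format. The real analyses work on Soot's Jimple IR (or Doop relations) and handle library APIs, arrays, and collections; the three-statement language below is invented purely for illustration.

```java
// Hedged, much-simplified sketch of MockDetector's intraprocedural
// dataflow. Statements: "x = mock" (mock creation), "x = y" (copy),
// "call x" (method invocation on x). The mock bit propagates through
// copies; assigning a non-mock value performs a strong update.
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

final class MockBitAnalysis {
    static List<String> mockInvocations(List<String> stmts) {
        Set<String> mocks = new HashSet<>();
        List<String> flagged = new ArrayList<>();
        for (String s : stmts) {
            String[] t = s.split(" ");
            if (t.length == 3 && t[1].equals("=")) {
                if (t[2].equals("mock") || mocks.contains(t[2])) {
                    mocks.add(t[0]);      // creation or copy of a mock
                } else {
                    mocks.remove(t[0]);   // strong update: overwritten by non-mock
                }
            } else if (t[0].equals("call") && mocks.contains(t[1])) {
                flagged.add(s);           // invocation on a mock object
            }
        }
        return flagged;
    }
}
```

On the statement list ["a = mock", "b = a", "c = real", "call b", "call c"], only "call b" is flagged: the mock bit flows from a into b through the copy, while c holds a real object. Filtering such calls out is exactly what removes confounding mock invocations from focal-method candidates.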