LambdaTransformer : uma solução para o tratamento de Expressões Lambda no JimpleFramework

Trabalho de conclusão de curso (graduação)—Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Ciência da Computação, 2021.Análise de fluxo de dados é um tipo de análise estática que permite a coleta de informações sobre o comportamento dos dados de um programa em tempo de execução sem que esse código seja executado. Isso é feito com o uso de ferramentas como Grafos de Controle de Fluxo, CFG, uma representação de programa que facilita a visualização do comportamento do código e o desenvolvimento de análises. Códigos Java possuem bytecode baseado em pilha o que torna a criação de CFGs mais difícil. Frameworks como o Soot utilizam Representações Intermediárias, RIs, com estruturas mais amigáveis a criação do CFGs e escrita de análises para analisar códi- gos Java. O Jimple Framework implementa sua própria versão de Jimple, a principal RI de Soot, utilizando a linguagem de meta-programação Rascal com o intuito de tornar a escrita de análises menos verbosas em comparação ao Soot. A descompilação de bytecode Java da origem a código Jimple que pode passar por refinamentos com o intuito de tornar o código mais legível ou simplificar a realização de alguma análise. A partir de Java 8, expressões lambda foram introduzidas a linguagem, essas expressões são traduzidas em bytecodecomo instruções invoke- dynamic. Como todas as instruções presentes no bytecode Java, o Jimple Framework deve oferecer ferramentas que permitam a realização de análises estáticas, como análise de fluxo de dados, em códigos que possuam instruções esse tipo, porém esse tipo de instrução faz uso de ferramentas dentro da JVM que escondem o caminho dos dados, dessa forma impossibilitando a análise de fluxo e criação do CFG. O Jimple Framework deve refinar código Jimple para per- mitir análises de códigos com esse tipo de instruções. Este trabalho descreve o processo de desenvolvimento do LambdaTransformer um módulo do Jimple Framework capaz de transfor- mar instruções invokedynamic em invokestatic com o uso de funções de travessia de árvore e casamento de padrões.Dataflow analysis is a type of static analysis that allows gathering information about the behav- ior of a program’s data at runtime without executing the code. This is done using tools such as Control Flow Graphs, CFG, a program representation that facilitates the visualization of code behavior and the development of analysis. Java code has stack-based bytecode which makes CFG creation more difficult, sometimes impossible. Frameworks like Soot use Intermediate Representations, IRs, with more user-friendly structures for creating CFGs and writing analyzes to analyze Java code. Jimple Framework implements its own version of Jimple, Soot’s main IR, using the Rascal meta-programming language in order to make writing analysis less verbose compared to Soot. The decompilation of Java bytecode creates a Jimple code that can undergo refinements in order to make the code more readable or simplify performing some analysis. As of Java 8, lambda expressions were introduced to the language, these expressions are translated into bytecode as invokedynamic instructions. Like all instructions present in Java bytecode, Jim- ple Framework must offer tools that allow static analysis, such as data flow analysis, in codes that have instructions of this type, but this type of instruction makes use of tools within the JVM that hide the data flow, thus making flow analysis and CFG creation impossible. The Jim- ple Frameworkmust refine the Jimple code to allow code parsing with this type of instructions. This work describes the process of developing LambdaTransformer, a Jimple Framework mod- ule capable of transforming invokedynamic instructions into invokestatic instructions using tree traversal and pattern matching functions

User-centered tool design for data-flow analysis

In den letzten Jahrzehnten sind zunehmend statische Programmanalyse-Tools in der Industrie zum Einsatz gekommen. Allerdings sind sie für User-Experience-Probleme bekannt, wie die hohe Anzahl von Fehlalarmen, langsames Produzieren von Ergebnissen oder für unvollständige Problembeschreibungen. In dieser Arbeit adressieren wir diese Probleme mit Hilfe benutzerzentrierten Designs. Dazu untersuchen wir die Motivation der Nutzer zur Verwendung der Tools. Mit diesem Wissen extrahieren wir Designempfehlungen für die Entwicklung statischer Analysetools. Auf Basis dieser erstellen und bewerten wir im Anschluss neue Protoypen. Zu diesem Zweck konzentrieren wir uns auf zwei Nutzergruppen: die Analysenentwickler, die den Code einer statischen Analyse schreiben, und die Softwareentwickler, die den Code schreiben, welcher von einem Analysetool analysiert wird. Für beide Nutzergruppen berichten wir durch Umfragen über Motivationen und Strategien der Entwickler und präsentieren konkrete Designempfehlungen für statische Analysetools. Nach diesen Designempfehlungen erstellen wir Programmanalyse-Tools, die sich mit den wichtigsten User-Experience-Problemen befassen, die wir in den Umfragen identifizieren: VisuFlow zur Datenvisualisierung, Cheetah für schnellere Ergebnisse und Mudarri zur verbesserten Erklärbarkeit. Durch Nutzerstudien und empirische Auswertungen bewerten wir diese Analysetools und zeigen, dass es diese Tools den Entwicklern ermöglichen, ihre Aufgaben besser zu erfüllen als mit aktuellen Analysetools. Wir argumentieren daher für die Notwnedigkiet von benutzerzentrierteren Ansätzen, um die jahrzehntealten User-Experience-Probleme der statischen Analyse zu lösen. Dabei stellen wir den Benutzer ins Zentrum der Designmethodik, um Programmanalyse-Werkzeuge zu entwickeln, die den Bedürfnissen des Benutzers entsprechen.In the past decades, static analysis tools have been increasingly used in industry. However, they are also known for user-experience issues such as a high number of false positives, a lack of responsiveness, or the poor warning descriptions that they provide. To address user-experience issues in static analysis tools, we apply the user-centered design methodology. We first aim at understanding the users' motivations for using the tools, and derive design recommendations for building static analysis tools. Finally, we prototype and evaluate tools for static analysis following the recommendations. In this thesis, we focus on two groups of users: the analysis developers-who write the code of a static analysis, and the software developers-who write the code that is analyzed by an analysis tool. For both user groups, we report on developer motivations and strategies through surveys, and present concrete design recommendations for static analysis tools. We use those recommendations to build analysis tools, addressing the main user-experience issues we identify in the surveys: VisuFlow for data visualization, Cheetah for responsiveness, and Mudarri for explainability. We evaluated those tools through empirical evaluations and user studies, and showed that they allow developers to perform their tasks better than with current tools. Through this thesis, we motivate the need for more user-centered approaches for addressing decades-old user-experience issues in static analysis, putting the user at the center of the design process in order to create tools that suit their needs.Lisa Nguyen Quang Do ; Advisors: Prof. Dr. Eric Bodden, Prof. Dr. Karim AliTag der Verteidigung: 21.10.2019Universität Paderborn, Dissertation, 201