static analysis with demand driven value refinement
play

Static Analysis with Demand-Driven Value Refinement Benno Stein, - PowerPoint PPT Presentation

Sep 27, 2023 •232 likes •605 views

Static Analysis with Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang & Anders Mller Sound static analysis for JavaScript Static analysis for JavaScript is very challenging o[m]() 2 /17

  1. Static Analysis with 
 Demand-Driven Value Refinement Benno Stein, Benjamin Barslev Nielsen, Bor-Yuh Evan Chang & Anders Møller

  2. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() 2 /17

  3. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() Dynamic object structure 2 /17

  4. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() Dynamic object structure Dynamically computed property name 2 /17

  5. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() Dynamic dispatch Dynamic object structure Dynamically computed property name 2 /17

  6. Sound static analysis for JavaScript • Static analysis for JavaScript is very challenging o[m]() Dynamic dispatch Dynamic object structure Dynamically computed property name • Critical precision losses renders analysis useless • Too much spurious data-flow 2 /17

  7. State-of-the-art data-flow analyzers • Fail to analyze load of some very popular libraries • Critical precision losses occur • Common characteristics • Forwards whole program analysis • Tracks data-flow, e.g., strings, functions and other objects • Non-relational • Aims to mitigate critical precision losses by: Context sensitivity • Syntactic patterns and special-case techniques • 3 /17

  8. Critical code example Example program Analysis state func = o1[name] . . . o2[name] = func . . . o2.foo(…) 4 /17

  9. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . name = ⊤ str . . o2 = {} o2[name] = func . . . o2.foo(…) 4 /17

  10. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . name = ⊤ str . . o2 = {} func = f1|f2 o2[name] = func . . . o2.foo(…) 4 /17

  11. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . name = ⊤ str . . o2 = { ⊤ str : f1|f2} func = f1|f2 o2[name] = func . . . o2.foo(…) 4 /17

  12. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . name = ⊤ str . . o2 = { ⊤ str : f1|f2} func = f1|f2 o2[name] = func . Resolves both f1 and f2 . . o2.foo(…) 4 /17

  13. The Lodash library 5 /17

  14. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . . name = ⊤ str . o2 = {} func = f1|f2 o2[name] = func . . . o2.foo(…) 6 /17

  15. Critical code example Example program Analysis state func = o1[name] o1 = {foo: f1, bar: f2} . . name = ⊤ str . o2 = {} func = f1|f2 o2[name] = func . . . o2.foo(…) 6 /17

  16. Demand-driven value refinement Regain relational information through refinement queries Without modifying base analysis domain Refinement query: What is x, when y ↦ ̂ v ? What value can variable x have, given that y has value ̂ v ? 7 /17

  17. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . o2[name] = func . . . o2.foo(…) 8 /17

  18. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func . What is name, when func ↦ f2? . . o2.foo(…) 8 /17

  19. ̂ ̂ ̂ ̂ ̂ ̂ ̂ ̂ ̂ Backwards abstract interpreter for value refinement • Backwards goal-directed from the query location • Separation logic based abstract domain Intuitionistic - constraints hold for all extensions • Special symbolic variable RES represents value being refined • symbolic variables z , RES ∈ x , ̂ Var y , ̂ ::= ̂ h ∧ π | φ 1 ∨ φ 2 symbolic stores φ ∈ Store x 3 | ̂ h 1 * ̂ ::= true | unalloc ( ̂ heap constraints x ) | x ↦ ̂ x 1 [ ̂ x 2 ] ↦ ̂ x | h 2 h pure constraints ::= true | e | π 1 ∧ π 2 π symbolic expressions ::= ̂ x | ̂ e 1 ⊕ ̂ v | e 2 e ∈ Expr 9 /17

  20. Backwards abstract interpreter for value refinement • Based on refutation sound Hoare triples ⟨ φ ⟩ s ⟨ φ ′ � ⟩ • Refutation soundness: φ ′ � s For all concrete runs where holds after , the state s before must satisfy . φ • Encoding refinement queries: v ? ⇝ ⟨ x ↦ RES * y ↦ ̂ v ⟩ What is x, when y ↦ ̂ y ∧ ̂ y = ̂ 10 /17

  21. Critical code example func = o1[name] o2[name] = func 11 /17

  22. Critical code example Refinement query: What is name, when func ↦ f1? func = o1[name] o2[name] = func 11 /17

  23. ̂ ̂ Critical code example Refinement query: What is name, when func ↦ f1? func = o1[name] ⟨ name ↦ RES * func ↦ func = f1 ⟩ func ∧ o2[name] = func 11 /17

  24. ̂ ̂ ̂ ̂ ̂ ̂ Critical code example Refinement query: What is name, when func ↦ f1? ⟨ name ↦ RES * o1 ↦ func = f1 ⟩ o1 * o1 [ RES ] ↦ func ∧ func = o1[name] ⟨ name ↦ RES * func ↦ func = f1 ⟩ func ∧ o2[name] = func 11 /17

  25. ̂ ̂ ̂ ̂ Leveraging forwards analysis state Analysis state o1 = {foo: f1, bar: f2} ⟨ name ↦ RES * o1 ↦ func = f1 ⟩ o1 * o1 [ RES ] ↦ func ∧ Refinement result is the values of RES satisfying: o1 [ RES ] = f1 Refinement result: “foo” 12 /17

  26. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . o2[name] = func . . . o2.foo(…) 13 /17

  27. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func . . What is name, when func ↦ f2? . o2.foo(…) 13 /17

  28. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func “foo” . . What is name, when func ↦ f2? . “bar” o2.foo(…) 13 /17

  29. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {foo: f1, bar: f2} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func “foo” . . What is name, when func ↦ f2? . “bar” o2.foo(…) 13 /17

  30. Critical code example Analysis state Example program o1 = {foo: f1, bar: f2} func = o1[name] name = ⊤ str . o2 = {foo: f1, bar: f2} . func = f1|f2 . What is name, when func ↦ f1? o2[name] = func “foo” . Resolves only f1 . What is name, when func ↦ f2? . “bar” o2.foo(…) 13 /17

  31. Implementation for JavaScript • TAJS VR : TAJS extended with demand-driven value refinement • TAJS is a state-of-the-art analyzer for JavaScript • Implemented in Java • Active research since 2009 • VR JS : Backwards abstract interpreter for JavaScript for answering refinement queries • Implemented in Scala from scratch 14 /17

  32. Compared to state-of-the-art #tests TAJS CompAbs TAJS VR Underscore 1 182 0 % 0 % 95% (2.9s) Lodash3 1 176 0 % 0 % 98% (5.5s) Lodash4 1 306 0 % 0 % 87% (24.7s) Prototype 2 6 0 % 33% (23.1s) 83% (97.7s) Scriptaculous 2 1 0 % 100% (62.0s) 100% (236.9s) JQuery 3 71 7% (14.4s) 0 % 7% (17.2s) JSAI tests 4 29 86% (12.3s) 34% (32.4s) 86% (14.3s) “x% (y)” means succeeded x% of test cases with average time y 1 : Most popular functional utility libraries 2 : Wei et al. [2016] 3 : Andreasen and Møller [2014] 4 : Kashyap et al. [2014] & Dewey et al. [2015] 15 /17

  33. Compared to state-of-the-art #tests TAJS CompAbs TAJS VR Underscore 1 182 0 % 0 % 95% (2.9s) Lodash3 1 176 0 % 0 % 98% (5.5s) Lodash4 1 306 0 % 0 % 87% (24.7s) succeeds analyzing 92% of Underscore and Lodash Prototype 2 6 0 % 33% (23.1s) 83% (97.7s) tests, which all are unanalyzable by existing analyzers Scriptaculous 2 1 0 % 100% (62.0s) 100% (236.9s) JQuery 3 71 7% (14.4s) 0 % 7% (17.2s) TAJS R V JSAI tests 4 29 86% (12.3s) 34% (32.4s) 86% (14.3s) “x% (y)” means succeeded x% of test cases with average time y 1 : Most popular functional utility libraries 2 : Wei et al. [2016] 3 : Andreasen and Møller [2014] 4 : Kashyap et al. [2014] & Dewey et al. [2015] 15 /17

  34. Value refinement insights • Value refinement is triggered in few locations • In Lodash4, it is triggered in 7 locations in >17000 LoC • Almost all queries are solved successfully (>99%) • Queries are answered efficiently (Avg. ~10ms) • Answering a query requires visiting few locations • Typically below 40 • Many queries requires interprocedural reasoning 16 /17

  35. Conclusion • New technique: Demand-Driven Value Refinement Relational reasoning on top of non-relational analysis • Eliminates critical precision loss on-the-fly • Uses backwards analysis for gaining relational precision • Exploiting forwards analysis state allows efficient refinements • • Experimental evaluation First analysis capable of analyzing most popular JavaScript library • No significant overhead for incorporating backwards analyzer • Open-source: https://www.brics.dk/TAJS/VR/ • 17 /17

Recommend

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
WMSBF Event Business Solutions 1 Employer-Focused, Demand-Driven Demand Driven model was

WMSBF Event Business Solutions 1 Employer-Focused, Demand-Driven Demand Driven model was

WMSBF Event Business Solutions 1 Employer-Focused, Demand-Driven Demand Driven model was promoted by Workforce Investment Act of 1998 This approach is unique to Michigan and has been supported by the MEDC since 2006 Address

652 views • 14 slides
Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer

Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer

Data Flow Analysis Concurrent Programs Race-Free Programs Sync-CFG Analysis Analysis Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer Science and Automation Indian Institute of Science,

981 views • 47 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
Combinatorial Abstraction Refinement for Feasibility Analysis Martin Stigge Uppsala University,

Combinatorial Abstraction Refinement for Feasibility Analysis Martin Stigge Uppsala University,

Combinatorial Abstraction Refinement for Feasibility Analysis Martin Stigge Uppsala University, Sweden Joint work with Wang Yi Problem Overview Workload Model Scheduler Model Task A Task B EDF/Static Prio/... Task C Task A t Task B t

759 views • 51 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Accelerating Business Performance through Market-driven Demand Analytics and Supply Chain

Accelerating Business Performance through Market-driven Demand Analytics and Supply Chain

Accelerating Business Performance through Market-driven Demand Analytics and Supply Chain Optimization ToolsGroups Powerfully Simple software solutions deliver improved business outcomes in complex demand-driven environments. ToolsGroup

171 views • 4 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides
Effective Approaches to Abstraction Refinement for an Explicit Value Analysis Stefan Lwe

Effective Approaches to Abstraction Refinement for an Explicit Value Analysis Stefan Lwe

Effective Approaches to Abstraction Refinement for an Explicit Value Analysis Stefan Lwe SoSy-Lab Software Systems Outline of my Thesis Outline of my Talk Value Analysis by Example Value Analysis by Example Value Analysis by the Numbers

318 views • 27 slides
Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Static execution-time analysis CPU speed model Bounds on Static (Sub)program code exec time

Tid rum Static Execution Time Analysis Niklas Holsti Space Systems Finland Ltd (now) Tidorum Ltd(to be) Overview Area of interest Current state Work in progress What to do next 1 bo Akademi, ES lab, 2003-10-03 Tid rum

466 views • 12 slides
Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodk

Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodk

Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodk UC Berkeley PLDI 2006 1 What Does Refinement Buy You? Increased scalability: enable new clients Memory: orders of magnitude savings Time:

596 views • 18 slides
Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview

Outline Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation Overview TDDC90: Software Security Syntactic Analysis Ahmed Rezine Abstract Interpretation IDA, Linkpings Universitet Hsttermin 2014 Static Program

75 views • 7 slides
Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI

Introduction to Static Analysis for Assurance John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby Static Analysis for Assurance: 1 Overview What is static analysis? Examples of some techniques

732 views • 34 slides
Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design

Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design

CPSC-663: Real-Time Systems Clock-Driven Scheduling Clock-Driven Scheduling (in-depth) Pre-compute static schedule off-line (e.g. at design time): Task Scheduler: i := 0; k := 0; can afford expensive <set timer to expire at time t 0

266 views • 11 slides

More recommend