Abstract
This paper describes a general framework and its implementation in a tool called EXPLORER for statically answering a class of interprocedural control flow queries about Java programs. EXPLORER allows users to formulate queries about feasible callstack configurations using regular expressions, and it employs a precise, demand-driven algorithm for answering such queries. Specifically, EXPLORER constructs an automaton A that is iteratively refined until either the language accepted by A is empty (meaning that the query has been refuted) or until no further refinement is possible based on a precise, context-sensitive abstraction of the program. We evaluate EXPLORER by applying it to three different program analysis tasks, namely, (1) analysis of the observer design pattern in Java, (2) identification of a class of performance bugs, and (3) analysis of inter-component communication in Android applications. Our evaluation shows that EXPLORER is both efficient and precise.
EXPLORER : query- and demand-driven exploration of interprocedural control flow properties
OOPSLA 2015: Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications