Abstract
Reachability analysis is a fundamental program analysis with a wide variety of applications. We present FlowCFL, a type-based reachability analysis that accounts for mutable heap data. The underlying semantics of FlowCFL is Context-Free-Language (CFL)-reachability.
We make three contributions. First, we define a dynamic semantics that captures the notion of flow commonly used in reachability analysis. Second, we establish correctness of CFL-reachability over graphs with inverse edges (inverse edges are necessary for the handling of mutable heap data). Our approach combines CFL-reachability with reference immutability to avoid the addition of certain inverse edges, which results in graph reduction and precision improvement. The key contribution of our work is the formal account of correctness, which extends to the case when inverse edges are removed. Third, we present a type-based reachability analysis and establish equivalence between a certain CFL-reachability analysis and the type-based analysis, thus proving correctness of the type-based analysis.
Supplemental Material
- Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick D. McDaniel. 2014. FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, Edinburgh, United Kingdom-June 09-11, 2014. ACM, New York, NY, USA, 259-269. https://doi.org/10.1145/2594291.2594299 Google Scholar
Digital Library
- Joseph A. Bank, Andrew C. Myers, and Barbara Liskov. 1997. Parameterized Types for Java. In Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '97). ACM, New York, NY, USA, 132-145. https://doi.org/10.1145/263699.263714 Google Scholar
Digital Library
- Michael Carbin, Sasa Misailovic, and Martin C. Rinard. 2013a. Verifying quantitative reliability for programs that execute on unreliable hardware. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages & Applications, OOPSLA 2013, part of SPLASH 2013, Indianapolis, IN, USA, October 26-31, 2013. ACM, New York, NY, USA, 33-52. https://doi.org/10.1145/2509136.2509546 Google Scholar
Digital Library
- Michael Carbin, Sasa Misailovic, and Martin C. Rinard. 2013b. Verifying quantitative reliability for programs that execute on unreliable hardware (Appendix). http://groups.csail.mit.edu/pac/rely/rely13appendix.pdf.Google Scholar
- Krishnendu Chatterjee, Bhavya Choudhary, and Andreas Pavlogiannis. 2018. Optimal Dyck reachability for data-dependence and alias analysis. PACMPL 2, POPL ( 2018 ), 30 : 1-30 : 30. https://doi.org/10.1145/3158118 Google Scholar
Digital Library
- Werner Dietl, Michael D. Ernst, and Peter Müller. 2011. Tunable Static Inference for Generic Universe Types. In ECOOP 2011-Object-Oriented Programming-25th European Conference, Lancaster, UK, July 25-29, 2011 Proceedings (Lecture Notes in Computer Science), Mira Mezini (Ed.), Vol. 6813. Springer, Berlin, Heidelberg, 333-357. https://doi.org/10.1007/978-3-642-22655-7_16 Google Scholar
Cross Ref
- Julian Dolby, Christian Hammer, Daniel Marino, Frank Tip, Mandana Vaziri, and Jan Vitek. 2012. A data-centric approach to synchronization. ACM Transactions on Programming Languages and Systems 34, 1 (April 2012 ), 1-48. https://doi.org/ 10.1145/2160910.2160913 Google Scholar
Digital Library
- Yao Dong, Ana Milanova, and Julian Dolby. 2016. JCrypt: Towards Computation over Encrypted Data. In Proceedings of the 13th International Conference on Principles and Practices of Programming on the Java Platform: Virtual Machines, Languages, and Tools, Lugano, Switzerland, August 29-September 2, 2016. ACM, New York, NY, USA, 8 : 1-8 : 12. https: //doi.org/10.1145/2972206.2972209 Google Scholar
Digital Library
- Michael D. Ernst, René Just, Suzanne Millstein, Werner Dietl, Stuart Pernsteiner, Franziska Roesner, Karl Koscher, Paul o Barros, Ravi Bhoraskar, Seungyeop Han, Paul Vines, and Edward XueJun Wu. 2014. Collaborative Verification of Information Flow for a High-Assurance App Store. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014. ACM, New York, NY, USA, 1092-1104. https: //doi.org/10.1145/2660267.2660343 Google Scholar
Digital Library
- Manuel Fähndrich, Jakob Rehof, and Manuvir Das. 2000. Scalable Context-sensitive Flow Analysis Using Instantiation Constraints. In Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation (PLDI '00). ACM, New York, NY, USA, 253-263. https://doi.org/10.1145/349299.349332 Google Scholar
Digital Library
- Christian Fritz, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau, and Patrick McDaniel. 2013. Highly precise taint analysis for Android applications. EC SPRIDE Technical Report TUD-CS-2013-0113. http://www.bodden.de/pubs/TUD-CS-2013-0113.pdf.Google Scholar
- Robert Fuhrer, Frank Tip, Adam Kieżun, Julian Dolby, and Markus Keller. 2005. Eficiently Refactoring Java Applications to Use Generic Libraries. In Proceedings of the 19th European Conference on Object-Oriented Programming (ECOOP'05). Springer-Verlag, Berlin, Heidelberg, 71-96. https://doi.org/10.1007/11531142_4 Google Scholar
Digital Library
- Wei Huang, Werner Dietl, Ana Milanova, and Michael D. Ernst. 2012a. Inference and Checking of Object Ownership. In Proceedings of the 26th European Conference on Object-Oriented Programming (ECOOP'12). Springer-Verlag, Berlin, Heidelberg, 181-206. https://doi.org/10.1007/978-3-642-31057-7_9 Google Scholar
Digital Library
- Wei Huang, Yao Dong, and Ana Milanova. 2014. Type-Based Taint Analysis for Java Web Applications. In Fundamental Approaches to Software Engineering-17th International Conference, FASE 2014, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2014, Grenoble, France, April 5-13, 2014, Proceedings (Lecture Notes in Computer Science), Stefania Gnesi and Arend Rensink (Eds.), Vol. 8411. Springer, Berlin, Heidelberg, 140-154. https://doi.org/10. 1007/978-3-642-54804-8_10 Google Scholar
Digital Library
- Wei Huang, Yao Dong, Ana Milanova, and Julian Dolby. 2015. Scalable and Precise Taint Analysis for Android. In Proceedings of the 2015 International Symposium on Software Testing and Analysis (ISSTA 2015 ). ACM, New York, NY, USA, 106-117. https://doi.org/10.1145/2771783.2771803 Google Scholar
Digital Library
- Wei Huang, Ana Milanova, Werner Dietl, and Michael D. Ernst. 2012b. Reim & ReImInfer: Checking and Inference of Reference Immutability and Method Purity. In Proceedings of the ACM International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA '12). ACM, New York, NY, USA, 879-896. https://doi.org/10. 1145/2384616.2384680 Google Scholar
Digital Library
- Adam Kiezun, Michael D. Ernst, Frank Tip, and Robert M. Fuhrer. 2007. Refactoring for Parameterizing Java Classes. In Proceedings of the 29th International Conference on Software Engineering (ICSE '07). IEEE Computer Society, Washington, DC, USA, 437-446. https://doi.org/10.1109/ICSE. 2007.70 Google Scholar
Digital Library
- Yuanbo Li, Qirun Zhang, and Thomas W. Reps. 2020. Fast graph simplification for interleaved Dyck-reachability. In Proceedings of the 41st ACM SIGPLAN International Conference on Programming Language Design and Implementation, PLDI 2020, London, UK, June 15-20, 2020, Alastair F. Donaldson and Emina Torlak (Eds.). ACM, New York, NY, USA, 780-793. https://doi.org/10.1145/3385412.3386021 Google Scholar
Digital Library
- Jingbo Lu and Jingling Xue. 2019. Precision-preserving yet fast object-sensitive pointer analysis with partial context sensitivity. PACMPL 3, OOPSLA ( 2019 ), 148 : 1-148 : 29. https://doi.org/10.1145/3360574 Google Scholar
Digital Library
- Ana Milanova. 2018. Definite Reference Mutability. In 32nd European Conference on Object-Oriented Programming, ECOOP 2018, July 16-21, 2018, Amsterdam, The Netherlands (LIPIcs), Todd D. Millstein (Ed.), Vol. 109. Schloss Dagstuhl-LeibnizZentrum für Informatik, 25 : 1-25 : 30. https://doi.org/10.4230/LIPIcs.ECOOP. 2018.25 Google Scholar
Cross Ref
- Ana Milanova. 2020. FlowCFL: A Framework for Type-based Reachability Analysis in the Presence of Mutable Data. ( 2020 ). https://arxiv.org/abs/ 2005.06496Google Scholar
- Ana Milanova and Wei Huang. 2013. Composing polymorphic information flow systems with reference immutability. In Proceedings of the 15th Workshop on Formal Techniques for Java-like Programs, FTfJP 2013, Montpellier, France, July 1, 2013. ACM, New York, NY, USA, 5 : 1-5 :7. https://doi.org/10.1145/2489804.2489809 Google Scholar
Digital Library
- Ana Milanova, Wei Huang, and Yao Dong. 2014. CFL-reachability and context-sensitive integrity types. In 2014 International Conference on Principles and Practices of Programming on the Java Platform Virtual Machines, Languages and Tools, PPPJ '14, Cracow, Poland, September 23-26, 2014, Joanna Kolodziej and Bruce R. Childers (Eds.). ACM, New York, NY, USA, 99-109. https://doi.org/10.1145/2647508.2647522 Google Scholar
Digital Library
- Andrew C. Myers. 1999. JFlow: Practical Mostly-Static Information Flow Control. In POPL '99, Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, San Antonio, TX, USA, January 20-22, 1999. ACM, New York, NY, USA, 228-241. https://doi.org/10.1145/292540.292561 Google Scholar
Digital Library
- Jens Palsberg. 2001. Type-based analysis and applications. In Proceedings of the 2001 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis For Software Tools and Engineering, PASTE'01, Snowbird, Utah, USA, June 18-19, 2001, John Field and Gregor Snelting (Eds.). ACM, New York, NY, USA, 20-27. https://doi.org/10.1145/379605.379635 Google Scholar
Digital Library
- Jaime Quinonez, Matthew S. Tschantz, and Michael D. Ernst. 2008. Inference of Reference Immutability. In Proceedings of the 22Nd European Conference on Object-Oriented Programming (ECOOP '08). Springer-Verlag, Berlin, Heidelberg, 616-641. https://doi.org/10.1007/978-3-540-70592-5_26 Google Scholar
Digital Library
- Jakob Rehof and Manuel Fähndrich. 2001. Type-base Flow Analysis: From Polymorphic Subtyping to CFL-reachability. In Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '01). ACM, New York, NY, USA, 54-66. https://doi.org/10.1145/360204.360208 Google Scholar
Digital Library
- Thomas W. Reps. 1998. Program analysis via graph reachability. Inf. Softw. Technol. 40, 11-12 ( 1998 ), 701-726. https: //doi.org/10.1016/S0950-5849 ( 98 ) 00093-7 Google Scholar
- Thomas W. Reps. 2000. Undecidability of context-sensitive data-independence analysis. ACM Trans. Program. Lang. Syst. 22, 1 ( 2000 ), 162-186. https://doi.org/10.1145/345099.345137 Google Scholar
Digital Library
- Thomas W. Reps, Susan Horwitz, and Shmuel Sagiv. 1995. Precise Interprocedural Dataflow Analysis via Graph Reachability. In Conference Record of POPL'95: 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, San Francisco, California, USA, January 23-25, 1995. ACM, New York, NY, USA, 49-61. https://doi.org/10.1145/199448.199462 Google Scholar
Digital Library
- Adrian Sampson, Werner Dietl, Emily Fortuna, Danushen Gnanapragasam, Luis Ceze, and Dan Grossman. 2011. EnerJ: approximate data types for safe and general low-power computation. In Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2011, San Jose, CA, USA, June 4-8, 2011. ACM, New York, NY, USA, 164-174. https://doi.org/10.1145/1993498.1993518 Google Scholar
Digital Library
- Umesh Shankar, Kunal Talwar, Jefrey S. Foster, and David Wagner. 2001. Detecting Format String Vulnerabilities with Type Qualifiers. In Proceedings of the 10th Conference on USENIX Security Symposium-Volume 10 (SSYM'01). USENIX Association, Berkeley, CA, USA, 16-16. http://dl.acm.org/citation.cfm?id= 1267612. 1267628Google Scholar
Digital Library
- Johannes Späth, Karim Ali, and Eric Bodden. 2019. Context-, flow-, and field-sensitive data-flow analysis using synchronized Pushdown systems. PACMPL 3, POPL ( 2019 ), 48 : 1-48 : 29. https://doi.org/10.1145/3290361 Google Scholar
Digital Library
- Manu Sridharan and Rastislav Bodík. 2006. Refinement-based Context-sensitive Points-to Analysis for Java. In Proceedings of the 27th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI '06). ACM, New York, NY, USA, 387-400. https://doi.org/10.1145/1133981.1134027 Google Scholar
Digital Library
- Manu Sridharan, Denis Gopan, Lexin Shan, and Rastislav Bodík. 2005. Demand-driven points-to analysis for Java. In Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, OOPSLA 2005, October 16-20, 2005, San Diego, CA, USA. ACM, New York, NY, USA, 59-76. https://doi.org/ 10.1145/1094811.1094817 Google Scholar
Digital Library
- Frank Tip, Robert M. Fuhrer, Adam Kieżun, Michael D. Ernst, Ittai Balaban, and Bjorn De Sutter. 2011. Refactoring using type constraints. ACM Transactions on Programming Languages and Systems 33, 3 (April 2011 ), 1-47. https: //doi.org/10.1145/1961204.1961205 Google Scholar
Digital Library
- Matthew S. Tschantz and Michael D. Ernst. 2005. Javari: Adding Reference Immutability to Java. In Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, and Applications (OOPSLA '05). ACM, New York, NY, USA, 211-230. https://doi.org/10.1145/1094811.1094828 Google Scholar
Digital Library
- Mandana Vaziri, Frank Tip, Julian Dolby, Christian Hammer, and Jan Vitek. 2010. A Type System for Data-centric Synchronization. In Proceedings of the 24th European Conference on Object-oriented Programming (ECOOP'10). SpringerVerlag, Berlin, Heidelberg, 304-328. http://dl.acm.org/citation.cfm?id= 1883978. 1884000Google Scholar
Digital Library
- Dennis M. Volpano, Cynthia E. Irvine, and Geofrey Smith. 1996. A Sound Type System for Secure Flow Analysis. J. Comput. Secur. 4, 2 /3 ( 1996 ), 167-188. https://doi.org/10.3233/JCS-1996-42-304 Google Scholar
Cross Ref
- Guoqing Xu, Atanas Rountev, and Manu Sridharan. 2009. Scaling CFL-Reachability-Based Points-To Analysis Using ContextSensitive Must-Not-Alias Analysis. In Proceedings of the 23rd European Conference on ECOOP 2009-Object-Oriented Programming (Genoa). Springer-Verlag, Berlin, Heidelberg, 98-122. https://doi.org/10.1007/978-3-642-03013-0_6 Google Scholar
Digital Library
- Qirun Zhang and Zhendong Su. 2017. Context-sensitive Data-dependence Analysis via Linear Conjunctive Language Reachability. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL 2017 ). ACM, New York, NY, USA, 344-358. https://doi.org/10.1145/3009837.3009848 Google Scholar
Digital Library
Index Terms
FlowCFL: generalized type-based reachability analysis: graph reduction and equivalence of CFL-based and type-based reachability
Recommendations
Scaling CFL-Reachability-Based Points-To Analysis Using Context-Sensitive Must-Not-Alias Analysis
Genoa: Proceedings of the 23rd European Conference on ECOOP 2009 --- Object-Oriented ProgrammingPointer analyses derived from a Context-Free-Language (CFL) reachability formulation achieve very high precision, but they do not scale well to compute the points-to solution for an entire large program. Our goal is to increase significantly the ...
CFL-reachability and context-sensitive integrity types
PPPJ '14: Proceedings of the 2014 International Conference on Principles and Practices of Programming on the Java platform: Virtual machines, Languages, and ToolsIntegrity types can help detect information flow vulnerabilities in web applications and Android apps. We study DFlow, a context-sensitive integrity type system and we give an interpretation of DFlow in terms of CFL-reachability. We propose DFlowCFL, a ...
Precise and scalable context-sensitive pointer analysis via value flow graph
ISMM '13: Proceedings of the 2013 international symposium on memory managementIn this paper, we propose a novel method for context-sensitive pointer analysis using the value flow graph (VFG) formulation. We achieve context-sensitivity by simultaneously applying function cloning and computing context-free language reachability (...






Comments