Abstract
Several real-world libraries (e.g., reentrant locks, GUI frameworks, serialization libraries) require their clients to use the provided API in a manner that conforms to a context-free specification. Motivated by this observation, this paper describes a new technique for verifying the correct usage of context-free API protocols. The key idea underlying our technique is to over-approximate the program’s feasible API call sequences using a context-free grammar (CFG) and then check language inclusion between this grammar and the specification. However, since this inclusion check may fail due to imprecision in the program’s CFG abstraction, we propose a novel refinement technique to progressively improve the CFG. In particular, our method obtains counterexamples from CFG inclusion queries and uses them to introduce new non-terminals and productions to the grammar while still over-approximating the program’s relevant behavior.
We have implemented the proposed algorithm in a tool called CFPChecker and evaluate it on 10 popular Java applications that use at least one API with a context-free specification. Our evaluation shows that CFPChecker is able to verify correct usage of the API in clients that use it correctly and produces counterexamples for those that do not. We also compare our method against three relevant baselines and demonstrate that CFPChecker enables verification of safety properties that are beyond the reach of existing tools.
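The following is an added illustration (not code from the paper or from CFPChecker) of the abstraction-then-inclusion idea in the abstract, in a deliberately bounded form: a client's feasible API call sequences are given as a CFG over the calls `lock`/`unlock`, the specification is the context-free property that every `unlock` matches an earlier `lock` and all locks are released by the end (unbounded nesting, so no finite automaton can express it), and the check enumerates derivable sequences up to a length bound and reports the shortest one the specification rejects. The grammars, the length bound and the helper names are assumptions of this example; the paper's refinement loop is not modelled.

```python
# Added example: bounded CFG-vs-spec check for a reentrant-lock protocol.
LOCK, UNLOCK = "lock", "unlock"


def derivable_strings(grammar, start, max_len):
    """All terminal sequences of length <= max_len derivable from `start`.

    `grammar` maps each nonterminal to a list of productions; a production is a
    tuple of symbols and a symbol is a nonterminal iff it is a key of `grammar`.
    Expanding a nonterminal never removes terminals, so a sentential form with
    more than max_len terminals can be pruned safely."""
    results, seen, worklist = set(), set(), [(start,)]
    while worklist:
        form = worklist.pop()
        if form in seen:
            continue
        seen.add(form)
        if sum(1 for s in form if s not in grammar) > max_len:
            continue
        idx = next((i for i, s in enumerate(form) if s in grammar), None)
        if idx is None:            # no nonterminal left: a complete call sequence
            results.add(form)
            continue
        for rhs in grammar[form[idx]]:   # expand the leftmost nonterminal
            worklist.append(form[:idx] + rhs + form[idx + 1:])
    return results


def spec_balanced(seq):
    """Context-free spec: unlock never precedes its lock, and depth returns to 0."""
    depth = 0
    for call in seq:
        if call == LOCK:
            depth += 1
        elif call == UNLOCK:
            depth -= 1
        if depth < 0:
            return False
    return depth == 0


def bounded_inclusion(grammar, start, spec, max_len):
    """Shortest derivable sequence rejected by `spec`, or None if all sequences
    up to max_len are accepted (a bounded check, not a proof of inclusion)."""
    for seq in sorted(derivable_strings(grammar, start, max_len), key=lambda s: (len(s), s)):
        if not spec(seq):
            return seq
    return None


# Constructed client abstractions. GOOD: void f() { lock(); if (c) f(); unlock(); }
GOOD_CLIENT = {"F": [(LOCK, "F", UNLOCK), (LOCK, UNLOCK)]}
# BAD: the same method, but the non-recursive path returns without unlock().
BAD_CLIENT = {"F": [(LOCK, "F", UNLOCK), (LOCK,)]}
# LOOP: while (c) { lock(); unlock(); }  -- the empty production models zero iterations.
LOOP_CLIENT = {"L": [(), (LOCK, UNLOCK, "L")]}

if __name__ == "__main__":
    for name, g, s in [("good", GOOD_CLIENT, "F"), ("bad", BAD_CLIENT, "F"), ("loop", LOOP_CLIENT, "L")]:
        print(name, bounded_inclusion(g, s, spec_balanced, 8))
```

Running it reports `None` for the good and loop clients and the one-call sequence `('lock',)` for the bad client, which is exactly the kind of counterexample the abstract describes feeding back into refinement.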
Verifying correct usage of context-free API protocols