Selective control-flow abstraction via jumping

We present jumping, a form of selective control-flow abstraction useful for improving the scalability of goal-directed static analyses. Jumping is useful for analyzing programs with complex control-flow such as event-driven systems. In such systems, accounting for orderings between certain events is important for precision, yet analyzing the product graph of all possible event orderings is intractable. Jumping solves this problem by allowing the analysis to selectively abstract away control-flow between events irrelevant to a goal query while preserving information about the ordering of relevant events. We present a framework for designing sound jumping analyses and create an instantiation of the framework for performing precise inter-event analysis of Android applications. Our experimental evaluation showed that using jumping to augment a precise goal-directed analysis with inter-event reasoning enabled our analysis to prove 90–97% of dereferences safe across our benchmarks.
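The following is an added toy model of the idea in the abstract, not code from the paper or its framework: a constructed Android-style app with five callbacks, an assumed set of lifecycle ordering facts, and a goal query asking whether a field dereference in `onClick` is always non-null. With `jump=True` the check keeps only the callbacks that write the queried field (plus the query's own callback) and abstracts the others away, while still honouring the ordering facts among the callbacks it keeps; the returned count shows how many event orderings each mode has to explore.

```python
from itertools import permutations

# Constructed toy "app": each callback is a list of statements. ("write", field,
# value) stores value into a field (None is null); ("deref", field) marks the goal query.
APP = {
    "onCreate": [("write", "view", "obj"), ("write", "adapter", "obj")],
    "onResume": [("write", "adapter", "obj")],
    "onPause":  [("write", "adapter", None)],
    "onScroll": [("write", "scrollPos", 0)],
    "onClick":  [("deref", "view"), ("deref", "adapter")],
}

# Assumed lifecycle facts: (a, b) means callback a always runs before callback b.
MUST_PRECEDE = {("onCreate", "onResume"), ("onCreate", "onPause"),
                ("onCreate", "onClick"), ("onResume", "onPause")}

def consistent(order, must_precede):
    """True if the event sequence respects every ordering fact among its events."""
    pos = {e: i for i, e in enumerate(order)}
    return all(pos[a] < pos[b] for a, b in must_precede if a in pos and b in pos)

def value_at_query(order, app, field, query_event):
    """Value of `field` when `query_event` runs; fields start out null."""
    val = None
    for event in order:
        if event == query_event:
            break
        for stmt in app[event]:
            if stmt[0] == "write" and stmt[1] == field:
                val = stmt[2]
    return val

def deref_safe(app, must_precede, field, query_event, jump=True):
    """Is the dereference of `field` in `query_event` non-null in every ordering
    consistent with must_precede (each callback at most once)? jump=True keeps only
    callbacks that write `field` plus the query's own. Returns (safe, orderings explored)."""
    if jump:
        events = {e for e, stmts in app.items()
                  if any(s[0] == "write" and s[1] == field for s in stmts)}
        events.add(query_event)
    else:
        events = set(app)
    explored = 0
    for order in permutations(sorted(events)):
        if not consistent(order, must_precede):
            continue
        explored += 1
        if value_at_query(order, app, field, query_event) is None:
            return False, explored  # a consistent ordering reaches the deref with null
    return True, explored
```

For the `view` query the full product of orderings needs 15 consistent sequences while jumping needs 1 and proves the same result; for `adapter`, jumping still finds the `onCreate, onResume, onPause, onClick` ordering in which the field is null.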
