From CIL to Java bytecode: Semantics-based translation for static analysis leveraging

Abstract: A formal translation of CIL (i.e., .Net) bytecode into Java bytecode is introduced and proved sound with respect to the language semantics. The resulting code is then analyzed with Julia, an industrial static analyzer of Java bytecode. The overall process of translation and analysis is fast, scales to industrial programs, and introduces a negligible number of false alarms. The main contribution of this work is to leverage existing, mature, and sound analyzers for Java bytecode by applying them also to the wide range of .Net software systems. Experimental results show the actual effectiveness of this approach when applied to all the system libraries of the Microsoft .Net framework version 4.0.30319 (about 5 MLOCs).
