Thresher

Blackshear, Sam; Chang, Bor-Yuh Evan; Sridharan, Manu

doi:10.1145/2499370.2462186

Cited by 6 publications

(1 citation statement)

References 61 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Backward analysis Several works on backward analysis [2,3,4,7] check the validity of given queries. Their techniques keep applying transfer functions that infer preconditions backward from given post-conditions until they find any contradictory condition that refutes the queries.…”

Section: Related Workmentioning

confidence: 99%

Automatically Tracing Imprecision Causes in JavaScript Static Analysis

2019

View full text Add to dashboard Cite

Researchers have developed various techniques for static analysis of JavaScript to improve analysis precision. To develop such techniques, they first identify causes of the precision losses for unproven properties. While most of the existing work has diagnosed main causes of imprecision in static analysis by manual investigation, manually tracing the imprecision causes is challenging because it requires detailed knowledge of analyzer internals. Recently, several studies proposed to localize the analysis imprecision causes automatically, but these localization techniques work for only specific analysis techniques.In this paper, we present an automatic technique that can trace analysis imprecision causes of JavaScript applications starting from user-selected variables. Given a set of program variables, our technique stops an analysis when any of the variables gets imprecise analysis values. It then traces the imprecise analysis values using intermediate analysis results back to program points where the imprecision first started. Our technique shows the trace information with a new representation called tracing graphs, whose nodes and edges together represent traces from imprecise points to precise points. In order to detect major causes of analysis imprecision automatically, we present four node/edge patterns in tracing graphs for common imprecision causes. We formalized the technique of generating tracing graphs and identifying patterns, and implemented them on SAFE, a state-of-the-art JavaScript static analyzer with various analysis configurations, such as contextsensitivity, loop-sensitivity, and heap cloning. Our evaluation demonstrates that the technique can easily find 96 % of the major causes of the imprecision problems in 17 applications by only automatic detection in tracing graphs using the patterns, and selectively adopting various advanced techniques can eliminate the found causes of imprecision. ACM CCS 2012Software and its engineering → Software verification; Automated static analysis;

show abstract

Section: Related Workmentioning

confidence: 99%

Automatically Tracing Imprecision Causes in JavaScript Static Analysis

2019

View full text Add to dashboard Cite

show abstract

Refuting Heap Reachability

Chang

2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Precise heap reachability information is a prerequisite for many static verification clients. However, the typical scenario is that the available heap information, computed by say an up-front points-to analysis, is not precise enough for the client of interest. This imprecise heap information in turn leads to a deluge of false alarms for the tool user to triage. Our position is to approach the false alarm problem not just by improving the up-front analysis but by also employing after-the-fact, goal-directed refutation analyses that yield targeted precision improvements. We have investigated refutation analysis in the context of detecting statically a class of Android memory leaks. For this client, we have found the necessity for an overall analysis capable of path-sensitive reasoning interprocedurally and with strong updates-a level of precision difficult to achieve globally in an up-front manner. Instead, our approach uses a refutation analysis that mixes highly precise, goal-directed reasoning with facts derived from the up-front analysis to prove alarms false and thus enabling effective and sound filtering of the overall list of alarms.The depth and breadth of what static verification tools can do is really quite astounding. However, the unfortunate truth is that for a software developer to fully realize the benefits of static verification, she must go through the onerous task of triaging the warnings that such a tool produces to determine whether the warnings are true bugs or false alarms. Only then can bug fixes be brought to bear. The situation is particularly dramatic when we consider the verification of modern programs that make extensive use of heap allocation. Precise heap information is a prerequisite for effective reasoning about nearly any non-trivial property of such programs. While there is a large body of work on heap reasoning, including in broad areas like pointer analysis and shape analysis, the all-too-common situation is that the available heap information is not quite precise enough for the client of interest.Our position is to approach the false alarm problem not just by improving up-front precision but also with analyses for alarm triage that can wield after-the-fact, targeted precision improvements on demand. In this context, we investigate the combination of a scalable, off-the-shelf points-to analysis as an up-front analyzer with an ultra-precise, after-the-fact refutation analysis for heap reachability queries. The particular challenge that we examine is how to maximally leverage the combination of the up-front analysis and the after-the-fact refutation analysis.The development of our approach has been driven in part by building a tool for detecting a pernicious class of memory leaks in Android applications. In brief, such a leak occurs when an operating system object of type Activity is reachable from a static field after the end of its lifecycle. At this point, the Activity object is no Fig. 1. From verification to alarm triage to bug fixes. The traditional setup (left) r...

show abstract

Model and Proof Generation for Heap-Manipulating Programs

Brain

David

Kroening

et al. 2014

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. Existing heap analysis techniques lack the ability to supply counterexamples in case of property violations. This hinders diagnosis, prevents test-case generation and is a barrier to the use of these tools among non-experts. We present a verification technique for reasoning about aliasing and reachability in the heap which uses ACDCL (a combination of the well-known CDCL SAT algorithm and abstract interpretation) to perform interleaved proof generation and model construction. Abstraction provides us with a tractable way of reasoning about heaps; ACDCL adds the ability to search for a model in an efficient way. We present a prototype tool and demonstrate a number of examples for which we are able to obtain useful concrete counterexamples.

show abstract

Thresher

Cited by 6 publications

References 61 publications

Automatically Tracing Imprecision Causes in JavaScript Static Analysis

Automatically Tracing Imprecision Causes in JavaScript Static Analysis

Refuting Heap Reachability

Model and Proof Generation for Heap-Manipulating Programs

Contact Info

Product

Resources

About