State of the World - Statically Verifying API Usage Rule

Statically Verifying API Usage Rule using Tracematches Xavier Noumbissi, Patrick Lam University of Waterloo November 4, 2010 (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 1 / 26

Outline 1 Problem 2 Constraint language 3 Example 4 Analysis Overview 5 Related Work 6 Future Work 7 Conclusion (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 2 / 26

Problem Software relies on Libraries LIBRARY 1 APPLICATION LIBRARY 2 (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 3 / 26

Problem Plug-in / Wrapper-Library Abstraction Layer PLUGIN 1 LIBRARY 1 APPLICATION PLUGIN 2 LIBRARY 2 (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 4 / 26

Verification Properties Problem Expressing Properties Two types of properties: State Properties: Pre- and Post-Conditions Temporal Properties: Typestates, LTL, etc. (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 5 / 26

Constraint language Tracematches Tracematches: Unauthorized events sequence Example: Do not write to a file after closing it. Regular Expression: open write* close+ write write close open close write start q 0 q 1 q 2 q 3 (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 6 / 26

Example Example Configuration BookEditor BookHandler Java API (FileWriter) (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 7 / 26

Application & Plug-in Example The Code p u b l i c class BookHandler { F i l e W r i t e r l1 ; p u b l i c void openbook ( S t r i n g b){ l 1 = new F i l e W r i t e r ( b ) ; } p u b l i c void printchapter ( S t r i n g s ){ l 1. w r i t e ( s ) ; } p u b l i c void p r i n t S e c t i o n ( S t r i n g s ){ i f ( n u l l == s ) l 1. f l u s h ( ) ; else l 1. w r i t e ( s ) ; } public void addindex ( String [ ] t ){ f o r ( i n t k =0; k<t. l e n g t h ; ++k ) { l 1. w r i t e ( t [ k ] ) ; } F i l e W r i t e r l 3 = l 1 ; / / I l l u s t r a t e s l 3. close ( ) ; / / a l i a s i n g } p u b l i c class BookEditor { p u b l i c s t a t i c void main ( S t r i n g [ ] args ){ BookHandler b = new BookHandler ( ) ; S t r i n g [ ] index = {"book", "chapter"}; StringBuilder s t r = new StringBuilder ( ) ; b. openbook ( "book.txt" ) ; b. p r i n t C h a p t e r ( "A chapter" ) ; s t r. append ( "Not in abstract CFG" ) ; b. p r i n t S e c t i o n ( "A section" ) ; b. addindex ( index ) ; b. close ( ) ; } } ACFG } public void close (){ l 1. f l u s h ( ) ; l 1. close ( ) ; } (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 8 / 26

Example Usage Rule A Usage Rule for java.io.filewriter No write or flush on a FileWriter after a close. write, flush close close write, flush start q 0 q 1 q 2 (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 9 / 26

A Violation of the Rule Example A Rule Violation The developer expects: close: closes the book s stream addindex: does not close the book s stream But: addindex: closes the stream close: flushes the stream before closing it (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 10 / 26

Method summaries Example Plug-in summary Summary of BookHandler.addIndex k = 0 if (k < t.length) T l1.write(t[k]); ++k; F FileWriter l3=l1; l3.close(); l 1.close() q 0 q 2 l 1.write() q 1 Must-alias information at intraprocedural level: l1 and l3 must alias (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 11 / 26

Plug-in summary Example Plug-in summary Reusable as long as Plug-in code unchanged Represents all events sequences on FileWriter objects Storage of summaries improves scalability (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 12 / 26

Example Application code Abstracted CFG for BookEditor.main The code q 0 q 1 b.openbook(...) Here s a CFG which only includes the BookHandler calls. Statements on edges q 2 q 3 b.printchapter(...) b.printsection(...) b.addindex(...) q 6 (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 13 / 26 q 4 b.closebook(...)

Edge Substitution - 1 Example Application code Substitute method-call edges with NFA summaries: Summarizes application behavior with respect to tracematch events May-alias information at interprocedural level Unless FileWriter objects may not alias (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 14 / 26

Edge Substitution - 2 Example Application code l 1.write() c 2 l 1.close() l 1.flush() l 1.close() c 5 c 6 c 7 l 1.write() c 0 c 1 c 4 l 1.flush() c 3 l 1.write() c 8 (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 15 / 26

Example Application code Tracematch: Runtime Monitor (RM) Combined execution of application and RM: Synchronous Product Automaton (SPA): defines a transition for an event only if it occurs in both automatons Shared actions: tracematch events (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 16 / 26

Example Application code Synchronous Product Automaton - 1 l 1.flush() c 5 q 1 c 6 q 2 l 1.flush() c 3 q 0 l 1.close() l 1.write() c 0 q 0 c 1 q 0 l 1.write() c 2 q 0 c 4 q 0 l 1.write() c 8 q 0 (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 17 / 26

Example Application code Synchronous Product Automaton - 2 l 1.flush() c 5 q 1 c 6 q 2 l 1.flush() c 3 q 0 l 1.close() l 1.write() c 0 q 0 c 1 q 0 l 1.write() c 2 q 0 c 4 q 0 l 1.write() c 8 q 0 An accepting path represents a violation of the rules. (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 18 / 26

Analysis Overview Our approach: Four Phases Overview 1 Compute plug-in summaries (Preliminary phase) 2 Generate application Abstract CFGs 3 Integrate plug-in summaries to abstract CFGs 4 Build SPA and check for accepting paths (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 19 / 26

Implementation Analysis Overview Overview Uses the Soot Framework Interaction of inter- and intra-procedural analysis Intraprocedural analysis as a region-based analysis (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 20 / 26

Analysis Overview Overview Computing Plug-in Summaries Advantages of storing summaries: Effects of whole program analysis with partial code No need to have plug-in code Manual creation of plug-in summary Plug-in summary as a contract (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 21 / 26

Analysis Overview Library Object Accesses Overview Library objects may be accessible as: Member variables Local instantiated variables Others: out of scope (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 22 / 26

Related Work Related Work Static optimization of runtime monitors: static verification of tracematches at the intraprocedural level (Bodden et al.) Analysis of multiple interactive objects: Uses tracematches to verify correct interaction of several objects (Naeem et al.) Component Level data-flow Analysis (CLA): computes summaries and properties of software with partial information (source code or summaries) of its components. (Rountev et al.) (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 23 / 26

Future Work Future Work Complete implementation Test analysis on production software Use of constraint-solvers to remove false positives from summaries Try to improve scalability of other analyses on tracematches using summaries (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 24 / 26

Contributions Conclusion Check that abstraction layers do not introduce bugs Use of summaries as contracts Use of summaries for other analyses on tracematches (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 25 / 26

THANK YOU! Conclusion Comments & Questions (University of Waterloo) Statically Verifying API Usage Rule November 4, 2010 26 / 26