Abstract
Semantic static analysis allows sound verification of program properties, that is, to prove that a given property holds for all possible executions. However, modern object-oriented applications make heavy use of third-party frameworks. These provide various functionalities (like libraries), as well as an extension of the execution model of the program. Applying standard models to statically analyze software relying on such frameworks could be potentially unsound and imprecise.
In this paper we introduce SARL, a domain-specific language which allows one to specify the runtime behaviors of frameworks of object-oriented programs. Such specifications can be then applied to automatically generate annotations on program components of the application to model the framework runtime environment. In addition, SARL specifications document which aspects of a framework are supported by the static analyzer and how. We adopted SARL to model WindowsForms and ASP.NET, two of the most popular .NET frameworks in an existing industrial static analyzer (Julia). We then analyzed the three most popular GitHub repositories using these frameworks, comparing the results with and without SARL. Our experimental results show that the application of SARL sensibly improved the precision and soundness of the analysis without affecting its runtime performances.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
- 2.
The documentation of the available annotations is available at https://static.juliasoft.com/docs/2.7.0.3/annotations.html.
- 3.
References
Asp.net boilerplate. https://github.com/aspnetboilerplate/aspnetboilerplate
Asp.net signalr. https://github.com/SignalR/SignalR
Cefsharp. https://github.com/cefsharp/CefSharp
Shadowsocks for windows. https://github.com/shadowsocks/shadowsocks-windows
Sharex. https://github.com/ShareX/ShareX
Umbraco CMS. https://github.com/umbraco/Umbraco-CMS
Ali, K., Lhoták, O.: Averroes: whole-program analysis without the whole program. In: Castagna, G. (ed.) ECOOP 2013. LNCS, vol. 7920, pp. 378–400. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39038-8_16
Arzt, S., Bodden, E.: Stubdroid: automatic inference of precise data-flow summaries for the android framework. In: Proceedings of ICSE 2016. IEEE (2016)
ASP.NET (2018). https://www.asp.net/
Ball, T., Rajamani, S.: Slic: a specification language for interface checking (of c). Technical report. MSR-TR-2001-21, January 2002
Centonze, P., Naumovich, G., Fink, S.J., Pistoia, M.: Role-based access control consistency validation. In: ISSTA (2006)
Ernst, M.D., Lovato, A., Macedonio, D., Spiridon, C., Spoto, F.: Boolean formulas for the static identification of injection attacks in Java. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds.) LPAR 2015. LNCS, vol. 9450, pp. 130–145. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48899-7_10
Ferrara, P., Cortesi, A., Spoto, F.: Cil to Java-bytecode translation for static analysis leveraging. In: Proceedings of FormaliSE 2018. Springer (2018)
Forms, W.: (2018). https://docs.microsoft.com/it-it/dotnet/framework/winforms/
Hovemeyer, D., Pugh, W.: Finding bugs is easy. SIGPLAN Not. 39, 12 (2004)
Toman, J., Grossman, D.: Concerto: a framework for combined concrete and abstract interpretation. In: Proceedings of the ACM on Programming Languages, vol. 3 (2019)
Leavens, G.T., Baker, A.L., Ruby, C.: JML: a Java modeling language. In: Formal Underpinnings of Java Workshop 1998 (1998)
Lombok (2018). https://projectlombok.org/
Palsberg, J., Schwartzbach, M.I.: Object-oriented type inference. In: Proceedings of OOPSLA 1991. ACM Press (1991)
Spoto, F.: Nullness analysis in Boolean form. In: Proceedings of SEFM 2008. IEEE (2008)
Spoto, F., Mesnard, F., Payet, E.: A termination analyzer for java bytecode based on path-length. ACM Trans. Program. Lang. Syst. (TOPLAS) 32(3), 1–70 (2010)
Sridharan, M., Artzi, S., Pistoia, M., Guarnieri, S., Tripp, O., Berg, R.: F4f: taint analysis of framework-based web applications. In: Proceedings of the 2011 ACM International conference on Object-Oriented Programming, Systems, Languages, Languages, and Applications, vol. 16, pp. 1053–1068 (2011)
Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: TAJ: effective taint analysis of web application. In: PLDI. ACM (2009)
Unity (2018). https://unity3d.com/
Wikipedia: Software framework. https://en.wikipedia.org/wiki/Software_framework
Xamarin (2018). https://visualstudio.microsoft.com/xamarin/
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Ferrara, P., Negrini, L. (2020). SARL: OO Framework Specification for Static Analysis. In: Christakis, M., Polikarpova, N., Duggirala, P.S., Schrammel, P. (eds) Software Verification. NSV VSTTE 2020 2020. Lecture Notes in Computer Science(), vol 12549. Springer, Cham. https://doi.org/10.1007/978-3-030-63618-0_1
Download citation
DOI: https://doi.org/10.1007/978-3-030-63618-0_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63617-3
Online ISBN: 978-3-030-63618-0
eBook Packages: Computer ScienceComputer Science (R0)