Fausto Spoto

A termination analyzer for Java bytecode based on path-length

It is important to prove that supposedly terminating programs actually terminate, particularly if those programs must be run on critical systems or downloaded into a client such as a mobile phone. Although termination of computer programs is generally undecidable, it is possible and useful to prove termination of a large, nontrivial subset of the terminating programs. In this article, we present our termination analyzer for sequential Java bytecode, based on a program property called path-length. We describe the analyses which are needed before the path-length can be computed such as sharing, cyclicity, and aliasing. Then we formally define the path-length analysis and prove it correct with respect to a reference denotational semantics of the bytecode. We show that a constraint logic program PCLP can be built from the result of the path-length analysis of a Java bytecode program P and formally prove that if PCLP terminates, then P also terminates. Hence a termination prover for constraint logic programs can be applied to prove the termination of P. We conclude with some discussion of the possibilities and limitations of our approach. Ours is the first existing termination analyzer for Java bytecode dealing with any kind of data structures dynamically allocated on the heap and which does not require any help or annotation on the part of the user.

Information flow analysis for java bytecode

We present a flow and context sensitive compositional information flow analysis for full (mono-threaded) Java bytecode. We base our analysis on the transformation of the Java bytecode into a control-flow graph of basic blocks of code which makes explicit the complex features of the Java bytecode. We represent information flows through Boolean functions and hence implement an accurate and efficient information flow analysis through binary decision diagrams. To the best of our knowledge, it is the first one for full Java bytecode.

Pair-sharing analysis of object-oriented programs

Pair-sharing analysis of object-oriented programs determines those pairs of program variables bound at run-time to overlapping data structures. This information is useful for program parallelisation and analysis. We follow a similar construction for logic programming and formalise the property, or abstract domain, Sh of pair-sharing. We prove that Sh induces a Galois insertion w.r.t the concrete domain of program states. We define a compositional abstract semantics for the static analysis over Sh, and prove it correct.

Class analyses as abstract interpretations of trace semantics

We use abstract interpretation to abstract a compositional trace semantics for a simple imperative object-oriented language into its projection over a set of program points called watchpoints. We say that the resulting watchpoint semantics is focused on the watchpoints. Every abstraction of the computational domain of this semantics induces an abstract, still compositional, and focused watchpoint semantics. This establishes a basis for developing static analyses obtaining information pertaining only to the watchpoints. As an example, we consider three domains for class analysis of object-oriented programs derived from three techniques present in the literature, namely, rapid type analysis, a simple dataflow analysis, and a constraint-based analysis. We obtain three static analyses which are provably correct and whose abstract operations are provably optimal. Moreover, we prove that our formalization of the constraint-based analysis is more precise than that of the other two analyses. We have implemented our watchpoint semantics and our three domains for class analysis. This implementation shows that the time and space costs of the analysis are actually proportional to the number of watchpoints, as a consequence of the focused nature of the watchpoint semantics.

Detecting non-cyclicity by abstract compilation into boolean functions

Programming languages such as C, C++ and Java bind variables to dynamically-allocated data-structures held in memory. This lets programs build cyclical data at run-time, which complicates termination analysis and garbage collection. It is hence desirable to spot those variables which are only bound to non-cyclical data at run-time. We solve this problem by using abstract interpretation to define the abstract domain NC representing those variables. We relate NC through a Galois insertion to the concrete domain of program states. Hence NC is not redundant. We define a correct abstract denotational semantics over NC, which uses preliminary sharing information between variables to get more precise results. We apply it to a simple example of analysis. We use a Boolean representation for the abstract denotations over NC, which leads to an efficient implementation in terms of binary decision diagrams and to the elegant and efficient use of abstract compilation.

Precise null-pointer analysis

In Java, C or C++, attempts to dereference the null value result in an exception or a segmentation fault. Hence, it is important to identify those program points where this undesired behaviour might occur or prove the other program points (and possibly the entire program) safe. To that purpose, null-pointer analysis of computer programs checks or infers non-null annotations for variables and object fields. With few notable exceptions, null-pointer analyses currently use run-time checks or are incorrect or only verify manually provided annotations. In this paper, we use abstract interpretation to build and prove correct a first, flow and context-sensitive static null-pointer analysis for Java bytecode (and hence Java) which infers non-null annotations. It is based on Boolean formulas, implemented with binary decision diagrams. For better precision, it identifies instance or static fields that remain always non-null after being initialised. Our experiments show this analysis faster and more precise than the correct null-pointer analysis by Hubert, Jensen and Pichardie. Moreover, our analysis deals with exceptions, which is not the case of most others; its formulation is theoretically clean and its implementation strong and scalable. We subsequently improve that analysis by using local reasoning about fields that are not always non-null, but happen to hold a non-null value when they are accessed. This is a frequent situation, since programmers typically check a field for non-nullness before its access. We conclude with an example of use of our analyses to infer null-pointer annotations which are more precise than those that other inference tools can achieve.

Static analysis of Android programs

Android is a programming language based on Java and an operating system for mobile or embedded devices. It features an extended event-based library and dynamic inflation of graphical views from declarative XML layout files. A static analyzer for Android programs must consider such features, for correctness and precision. This article is a description of how we extended the Julia system, based on abstract interpretation, to run formally correct analyses of Android programs. We have analyzed with Julia the Android sample applications by Google and a few larger open-source programs. Julia has found, automatically, bugs and flaws both in the Google samples and in the open-source programs.

An operational semantics for android activities

We define an operational semantics for a large part of the Android platform, encompassing the Dalvik bytecode but also, and more importantly, the inter-component communication mechanism used inside Android applications. This semantics is intended to provide a formal basis for the development of static analyses that consider the complex flow of information exposed by the cooperating components of Android applications.

Nullness Analysis in Boolean Form

Attempts to dereference null result in an exception or a segmentation fault. Hence it is important to know those program points where this might occur and prove the others (or the entire program) safe. Nullness analysis of computer programs checks or infers non-null annotations for variables and object fields. Most nullness analyses currently use run-time checks or are incorrect or only verify manual annotations. We use here abstract interpretation to build and prove correct a static nullness analysis for Java byte code which infers non-null annotations. It is based on Boolean formulas, implemented with binary decision diagrams. Our experiments show it faster and more precise than the correct nullness analysis by Hubert, Jensen and Pichardie. We deal with static fields and exceptions, which is not the case of most other analyses. We claim that the result is theoretically clean and the implementation strong and scalable.

Operational and goal-independent denotational semantics for Prolog with cut

Abstract In this paper we propose an operational and a denotational semantics for Prolog. We deal with the control rules of Prolog and the cut operator. Our denotational semantics provides a goal-independent semantics. This means that the behaviour of a goal in a program is defined as the evaluation of the goal in the denotation (semantics) of the program. We show how our denotational semantics can be specialised into a computed answer semantics and into a call pattern semantics. Our work provides a basis for a precise abstract interpretation of Prolog programs.