Results 1  10
of
55
Precise analysis of string expressions
 In Proc. 10th International Static Analysis Symposium, SAS ’03, volume 2694 of LNCS
, 2003
"... We perform static analysis of Java programs to answer a simple question: which values may occur as results of string expressions? The answers are summarized for each expression by a regular language that is guaranteed to contain all possible values. We present several applications of this analysis, ..."
Abstract

Cited by 157 (15 self)
 Add to MetaCart
We perform static analysis of Java programs to answer a simple question: which values may occur as results of string expressions? The answers are summarized for each expression by a regular language that is guaranteed to contain all possible values. We present several applications of this analysis, including statically checking the syntax of dynamically generated expressions, such as SQL queries. Our analysis constructs flow graphs from class files and generates a contextfree grammar with a nonterminal for each string expression. The language of this grammar is then widened into a regular language through a variant of an algorithm previously used for speech recognition. The collection of resulting regular languages is compactly represented as a special kind of multilevel automaton from which individual answers may be extracted. If a program error is detected, examples of invalid strings are automatically produced. We present extensive benchmarks demonstrating that the analysis is e#cient and produces results of useful precision.
Tree Automata With One Memory, Set Constraints and Cryptographic Protocols
"... We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME. ..."
Abstract

Cited by 71 (4 self)
 Add to MetaCart
We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME.
Type inference against races
 In SAS
, 2004
"... Abstract. The race condition checker rccjava uses a formal type system to statically identify potential race conditions in concurrent Java programs, but it requires programmersupplied type annotations. This paper describes a type inference algorithm for rccjava. Due to the interaction of parameteri ..."
Abstract

Cited by 42 (4 self)
 Add to MetaCart
Abstract. The race condition checker rccjava uses a formal type system to statically identify potential race conditions in concurrent Java programs, but it requires programmersupplied type annotations. This paper describes a type inference algorithm for rccjava. Due to the interaction of parameterized classes and dependent types, this type inference problem is NPcomplete. This complexity result motivates our new approach to type inference, which is via reduction to propositional satisfiability. This paper describes our type inference algorithm and its performance on programs of up to 30,000 lines of code. 1
Type Inference For Atomicity
, 2005
"... Atomicity is a fundamental correctness property in multithreaded programs. This paper presents an algorithm for verifying atomicity via type inference. The underlying type system supports guarded, writeguarded, and unguarded fields, as well as threadlocal data, parameterized classes and methods, a ..."
Abstract

Cited by 40 (3 self)
 Add to MetaCart
Atomicity is a fundamental correctness property in multithreaded programs. This paper presents an algorithm for verifying atomicity via type inference. The underlying type system supports guarded, writeguarded, and unguarded fields, as well as threadlocal data, parameterized classes and methods, and protected locks. We describe an implementation of this algorithm for Java and discuss its performance and usability on benchmarks totaling sixty thousand lines of code.
TypeIndexed Rows
, 2001
"... Record calculi use labels to distinguish between the elements of products and sums. This paper presents a novel variation, typeindexed rows, in which labels are discarded and the types of the elements themselves serve as indices. The calculus, TIR , can express tuples, recursive datatypes, monom ..."
Abstract

Cited by 34 (7 self)
 Add to MetaCart
Record calculi use labels to distinguish between the elements of products and sums. This paper presents a novel variation, typeindexed rows, in which labels are discarded and the types of the elements themselves serve as indices. The calculus, TIR , can express tuples, recursive datatypes, monomophic records, polymorphic extensible records, and closedworld style typebased overloading. Our key application of TIR , however, is to encode the \choice" types of XML, and the \unordered sequence" types of SGML. Indeed, TIR is the kernel of the language XM, a lazy functional language extending XML with polymorphism and higherorder functions. The system is built from rows, equality constraints, membership constraints and constrained parametric polymorphism. The constraint domain enjoys decidable entailment and satisfaction (in EXP). We present a type checking algorithm, and show how TIR may be implemented by a typedirected translation which replaces typeindexing by conven...
Transparent proxies for java futures
 In Proceedings of the nineteenth annual
, 2004
"... A proxy object is a surrogate or placeholder that controls access to another target object. Proxies can be used to support distributed programming, lazy or parallel evaluation, access control, and other simple forms of behavioral reflection. However, wrapper proxies (like futures or suspensions for ..."
Abstract

Cited by 34 (2 self)
 Add to MetaCart
A proxy object is a surrogate or placeholder that controls access to another target object. Proxies can be used to support distributed programming, lazy or parallel evaluation, access control, and other simple forms of behavioral reflection. However, wrapper proxies (like futures or suspensions for yettobecomputed results) can require significant code changes to be used in staticallytyped languages, while proxies more generally can inadvertently violate assumptions of transparency, resulting in subtle bugs. To solve these problems, we have designed and implemented a simple framework for proxy programming that employs a static analysis based on qualifier inference, but with additional novelties. Code for using wrapper proxies is automatically introduced via a classfiletoclassfile transformation, and potential violations of transparency are signaled to the programmer. We have formalized our analysis and proven it sound. Our framework has a variety of applications, including support for asynchronous method calls returning futures. Experimental results demonstrate the benefits of our framework: programmers are relieved of managing and/or checking proxy usage, analysis times are reasonably fast, overheads introduced by added dynamic checks are negligible, and performance improvements can be significant. For example, changing two lines in a simple RMIbased peertopeer application and then using our framework resulted in a large performance gain. 1
ControlFlow Analysis in Cubic Time
 ELECTRONIC NOTES OF THEORETICAL COMPUTER SCIENCE
, 2001
"... The spicalculus is a variant of the polyadic sscalculus that admits symmetric cryptography and that admits expressing communication protocols in a precise though still abstract way. This paper shows that contextindependent control flow analysis can be calculated in cubic time despite the fact th ..."
Abstract

Cited by 32 (11 self)
 Add to MetaCart
The spicalculus is a variant of the polyadic sscalculus that admits symmetric cryptography and that admits expressing communication protocols in a precise though still abstract way. This paper shows that contextindependent control flow analysis can be calculated in cubic time despite the fact that the spicalculus operates over an infinite universe of values. Our approach is based on Horn Clauses with Sharing and we develop transformations to pass from the infinite to the finite and to deal with the polyadic nature of input and output. We prove that this suffices for obtaining a cubic time implementation without sacrificing precision and without making simplifying assumptions on the nature of keys.
From Datalog rules to efficient programs with time and space guarantees
 In PPDP ’03: Proceedings of the 5th ACM SIGPLAN International Conference on Principles and Practice of Declarative Programming
, 2003
"... This paper describes a method for transforming any given set of Datalog rules into an efficient specialized implementation with guaranteed worstcase time and space complexities, and for computing the complexities from the rules. The running time is optimal in the sense that only useful combinations ..."
Abstract

Cited by 30 (12 self)
 Add to MetaCart
This paper describes a method for transforming any given set of Datalog rules into an efficient specialized implementation with guaranteed worstcase time and space complexities, and for computing the complexities from the rules. The running time is optimal in the sense that only useful combinations of facts that lead to all hypotheses of a rule being simultaneously true are considered, and each such combination is considered exactly once. The associated space usage is optimal in that it is the minimum space needed for such consideration modulo scheduling optimizations that may eliminate some summands in the space usage formula. The transformation is based on a general method for algorithm design that exploits fixedpoint computation, incremental maintenance of invariants, and combinations of indexed and linked data structures. We apply the method to a number of analysis problems, some with improved algorithm complexities and all with greatly improved algorithm understanding and greatly simplified complexity analysis.
Efficient fieldsensitive pointer analysis for C
 IN PROCEEDINGS OF THE ACM WORKSHOP ON PROGRAM ANALYSIS FOR SOFTWARE TOOLS AND ENGINEERING (PASTE
"... The subject of this paper is flow and contextinsensitive pointer analysis. We present a novel approach for precisely modelling struct variables and indirect function calls. Our method emphasises efficiency and simplicity and is based on a simple language of set constraints. We obtain an O(v 4) bou ..."
Abstract

Cited by 27 (8 self)
 Add to MetaCart
The subject of this paper is flow and contextinsensitive pointer analysis. We present a novel approach for precisely modelling struct variables and indirect function calls. Our method emphasises efficiency and simplicity and is based on a simple language of set constraints. We obtain an O(v 4) bound on the time needed to solve a set of constraints from this language, where v is the number of constraint variables. This gives, for the first time, some insight into the hardness of performing fieldsensitive pointer analysis of C. Furthermore, we experimentally evaluate the time versus precision tradeoff for our method by comparing against the fieldinsensitive equivalent. Our benchmark suite consists of 11 common C programs ranging in size from 15,000 to 200,000 lines of code. Our results indicate the fieldsensitive analysis is more expensive to compute, but yields significantly better precision. In addition, our technique has been integrated into the latest release (version 4.1) of the GNU Compiler GCC. Finally, we identify several previously unknown issues with an alternative and less precise approach to modelling struct variables, known as
Parametric regular path queries
 In PLDI ’04: Proceedings of the ACM SIGPLAN 2004 conference on Programming Language Design and Implementation
, 2004
"... Regular path queries are a way of declaratively expressing queries on graphs as regularexpressionlike patterns that are matched against paths in the graph. There are two kinds of queries: existential queries, which specify properties about individual paths, and universal queries, which specify pro ..."
Abstract

Cited by 22 (4 self)
 Add to MetaCart
Regular path queries are a way of declaratively expressing queries on graphs as regularexpressionlike patterns that are matched against paths in the graph. There are two kinds of queries: existential queries, which specify properties about individual paths, and universal queries, which specify properties about all paths. They provide a simple and convenient framework for expressing program analyses as queries on graph representations of programs, for expressing verification (modelchecking) problems as queries on transition systems, for querying semistructured data, etc. Parametric regular path queries extend the patterns with variables, called parameters, which significantly increase the expressiveness by allowing additional information along single or multiple paths to be captured and related. This paper shows how a variety of program analysis and modelchecking problems can be expressed easily and succinctly using parametric regular path queries. The paper describes the specification, design, analysis, and implementation of algorithms and data structures for efficiently solving existential and universal parametric regular path queries. Major contributions include the first complete algorithms and data structures for directly and efficiently solving existential and universal parametric regular path queries, detailed complexity analysis of the algorithms, detailed analytical and experimental performance comparison of variations of the algorithms and data structures, and investigation of efficiency tradeoffs between different formulations of queries. Categories and Subject Descriptors D.2.4 [Software Engineering]: Software/Program verification—model