7 Conclusion and Future Work - Fundamental Approaches to Software Engineering

We implemented CorC to support the Correctness-by-Construction process of program development. We created a textual and a graphical editor that can be used interchangeably to enable different styles of CbC-based program development. The program and its specification are written in one of the editors and can be verified using KeY. This reduces the proof complexity with respect to post-hoc verification. We extended the KeY ecosystem with CorC. CorC opens the possibility to utilize CbC in areas where post-hoc verification is used as pro- grammers could benefit from synergistic effects of both approaches. With tool support, CbC can be studied in experiments to determine the value of using CbC in industry.

For future work, we want to extend the tool support, and we want to evaluate empirically the benefits and drawbacks of CorC. To extend the expressiveness, we implement a rule for methods to use method calls in CorC. These methods have to be verified independently by CorC/KeY. We could investigate whether the method call rules of KeY can be used for our CbC approach. Another future work is the inference of conditions to reduce the manual effort. Postconditions can be generated automatically for known statements by using the strongest postcondition calculus. Invariants could be generated by incorporating external tools. As mentioned earlier, other host languages and other theorem provers can be integrated in our IDE.

The second work package for future work comprise the evaluation with a user study. We could compare the eﬀort of creating and verifying algorithms with post-hoc veriﬁcation and with our tool support. The feedback can be used to improve the usability of the tool.

References

1. Abrial, J.R.: The B-Book: Assigning Programs to Meanings. Cambridge University Press, Cambridge (2005)

2. Abrial, J.R.: Modeling in Event-B: System and Software Engineering. Cambridge University Press, Cambridge (2010)

3. Abrial, J.R., Butler, M., Hallerstede, S., Hoang, T.S., Mehta, F., Voisin, L.: Rodin:

an open toolset for modelling and reasoning in Event-B. Int. J. Softw. Tools Tech- nol. Transfer12(6), 447–466 (2010)

4. Ahrendt, W., Beckert, B., Bubel, R., H¨ahnle, R., Schmitt, P.H., Ulbrich, M.:

Deductive Software Veriﬁcation - The KeY Book: From Theory to Practice, vol.

10001. Springer, Heidelberg (2016).https://doi.org/10.1007/978-3-319-49812-6 5. Barnett, M., F¨ahndrich, M., Leino, K.R.M., M¨uller, P., Schulte, W., Venter, H.:

Speciﬁcation and veriﬁcation: the Spec# experience. Commun. ACM54(6), 81–91 (2011)

6. Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: an overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–69. Springer, Heidelberg (2005). https://

doi.org/10.1007/978-3-540-30569-9 3

7. Bertot, Y., Cast´eran, P.: Interactive Theorem Proving and Program Development:

Coq’Art: The Calculus of Inductive Constructions. Springer, Heidelberg (2013).

https://doi.org/10.1007/978-3-662-07964-5

8. Cohen, E., et al.: VCC: a practical system for verifying concurrent C. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp.

23–42. Springer, Heidelberg (2009).https://doi.org/10.1007/978-3-642-03359-9 2 9. Cok, D.R.: OpenJML: JML for Java 7 by extending OpenJDK. In: Bobaru, M.,

Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp.

472–479. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20398- 5 35

10. Conserva Filho, M., Oliveira, M.V.M.: Implementing tactics of reﬁnement inCRe- fine. In: Eleftherakis, G., Hinchey, M., Holcombe, M. (eds.) SEFM 2012. LNCS, vol. 7504, pp. 342–351. Springer, Heidelberg (2012).https://doi.org/10.1007/978- 3-642-33826-7 24

11. Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM18(8), 453–457 (1975)

12. Dijkstra, E.W.: A Discipline of Programming. Prentice Hall, Upper Saddle River (1976)

13. Gries, D.: The Science of Programming. Springer, Heidelberg (1987).https://doi.

org/10.1007/978-1-4612-5983-1

14. Hall, A., Chapman, R.: Correctness by construction: developing a commercial secure system. IEEE Softw.19(1), 18–25 (2002)

15. Hentschel, M.: Integrating symbolic execution, debugging and veriﬁcation. Ph.D.

thesis, Technische Universit¨at Darmstadt (2016)

16. Jacobs, B., Smans, J., Piessens, F.: A quick tour of the verifast program veriﬁer. In:

Ueda, K. (ed.) APLAS 2010. LNCS, vol. 6461, pp. 304–311. Springer, Heidelberg (2010).https://doi.org/10.1007/978-3-642-17164-2 21

17. Kapur, D., Nie, X., Musser, D.R.: An overview of the Tecton proof system. Theoret.

Comput. Sci.133(2), 307–339 (1994)

18. Khazeev, M., Rivera, V., Mazzara, M., Johard, L.: Initial steps towards assessing the usability of a veriﬁcation tool. In: Ciancarini, P., Litvinov, S., Messina, A., Sillitti, A., Succi, G. (eds.) SEDA 2016. AISC, vol. 717, pp. 31–40. Springer, Cham (2018).https://doi.org/10.1007/978-3-319-70578-1 4

19. Kourie, D.G., Watson, B.W.: The Correctness-by-Construction Approach to Programming. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642- 27919-5

20. Kramer, R.: iContract - the Java design by contract tool. In: Proceedings, Technol- ogy of Object-Oriented Languages. TOOLS 26 (Cat. No. 98EX176), pp. 295–307.

IEEE, August 1998

21. Meyer, B.: Eiﬀel: a language and environment for software engineering. J. Syst.

Softw.8(3), 199–246 (1988)

22. Meyer, B.: Applying “design by contract”. Computer25(10), 40–51 (1992) 23. Morgan, C.: Programming from Speciﬁcations, 2nd edn. Prentice Hall, Upper Sad-

dle River (1994)

24. Nipkow, T., Paulson, L.C., Wenzel, M. (eds.): Isabelle/HOL. LNCS, vol. 2283.

Springer, Heidelberg (2002).https://doi.org/10.1007/3-540-45949-9

25. Oliveira, M.V.M., Cavalcanti, A., Woodcock, J.: ArcAngel: a tactic language for reﬁnement. Formal Aspects Comput.15(1), 28–47 (2003)

26. Oliveira, M.V.M., Gurgel, A.C., Castro, C.G.: CReﬁne: support for the circus reﬁnement calculus. In: 2008 Sixth IEEE International Conference on Software Engineering and Formal Methods, pp. 281–290. IEEE, November 2008

27. Plosch, R.: Tool support for design by contract. In: Proceedings, Technology of Object-Oriented Languages. TOOLS 26 (Cat. No. 98EX176), pp. 282–294. IEEE, August 1998

28. Tschannen, J., Furia, C.A., Nordio, M., Polikarpova, N.: AutoProof: auto-active functional veriﬁcation of object-oriented programs. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 566–580. Springer, Heidelberg (2015).https://

doi.org/10.1007/978-3-662-46681-0 53

29. Watson, B.W., Kourie, D.G., Schaefer, I., Cleophas, L.: Correctness-by- construction and post-hoc veriﬁcation: a marriage of convenience? In: Margaria, T., Steﬀen, B. (eds.) ISoLA 2016. LNCS, vol. 9952, pp. 730–748. Springer, Cham (2016).https://doi.org/10.1007/978-3-319-47166-2 52

30. Wohlin, C., Runeson, P., H¨ost, M., Ohlsson, M.C., Regnell, B., Wessl´en, A.: Exper- imentation in Software Engineering. Springer, Heidelberg (2012).https://doi.org/

10.1007/978-3-642-29044-2

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

for JavaScript Static Analysis

Joonyoung Park^1,2(B⁾ , Alexander Jordan¹⁽B⁾ , and Sukyoung Ryu²⁽B⁾

1 Oracle Labs Australia, Brisbane, Australia {joonyoung.p.park,alexander.jordan}@oracle.com

2 KAIST, Daejeon, Republic of Korea {sryu.cs,gmb55}@kaist.ac.kr

Abstract. Static program analysis often encounters problems in analyzing library code. Most real-world programs use library functions inten- sively, and library functions are usually written in diﬀerent languages.

For example, static analysis of JavaScript programs requires analysis of the standard built-in library implemented in host environments. A com- mon approach to analyze suchopaque code is for analysis developers to build models that provide the semantics of the code. Models can be built either manually, which is time consuming and error prone, or automatically, which may limit application to diﬀerent languages or analyzers. In this paper, we present a novel mechanism to support automatic modeling of opaque code, which is applicable to various languages and analyzers.

For a given static analysis, our approach automatically computes analysis results of opaque code via dynamic testing during static analysis.

By using testing techniques, the mechanism does not guarantee sound over-approximation of program behaviors in general. However, it is fully automatic, is scalable in terms of the size of opaque code, and provides more precise results than conventional over-approximation approaches.

Our evaluation shows that although not all functionalities in opaque code can (or should) be modeled automatically using our technique, a large number of JavaScript built-in functions are approximated soundly yet more precisely than existing manual models.

Keywords: Automatic modeling

·

Static analysis

·

Opaque code

·

JavaScript

1 Introduction

Static analysis is widely used to optimize programs and to find bugs in them, but it often faces difficulties in analyzing library code. Since most real-world programs use various libraries usually written in different programming languages, analysis developers should provide analysis results for libraries as well. For example, static analysis of JavaScript apps involves analysis of the builtin functions implemented in host environments like the V8 runtime system written in C++.

c The Author(s) 2019

R. H¨ahnle and W. van der Aalst (Eds.): FASE 2019, LNCS 11424, pp. 43–60, 2019.

https://doi.org/10.1007/978-3-030-16722-6_3

A conventional approach to analyze such opaque code is for analysis developers to create models that provide the analysis results of the opaque code.

Models approximate the behaviors of opaque code, they are often tightly integrated with speciﬁc static analyzers to support precise abstract semantics that are compatible with the analyzers’ internals.

Developers can create models either manually or automatically. Manual modeling is complex, time consuming, and error prone because developers need to consider all the possible behaviors of the code they model. In the case of JavaScript, the number of APIs to be modeled is large and ever-growing as the language evolves. Thus, various approaches have been proposed to model opaque code automatically. They create models either from specifications of the code’s behaviors [2,26] or using dynamic information during execution of the code [8,9,22]. The former approach heavily depends on the quality and format of available specifications, and the latter approach is limited to the capability of instrumentation or specific analyzers.

In this paper, we propose a novel mechanism to model the behaviors of opaque code to be used by static analysis. While existing approaches aim to create general models for the opaque code’s behaviors, which can produce analysis results for all possible inputs, our approach computes specific results of opaque code during static analysis. This on-demand modeling is specific to the abstract states of a program being analyzed, and it consists of three steps: sampling, run, and abstraction. When static analysis encounters opaque code with some abstract state, our approach generates samples that are a subset of all possible inputs of the opaque code by concretizing the abstract state. After evaluating the code using the concretized values, it abstracts the results and uses it during analysis. Since the sampling generally covers only a small subset of infinitely many possible inputs to opaque code, our approach does not guarantee the soundness of the modeling results just like other automatic modeling techniques.

The sampling strategy should select well-distributed samples to explore the opaque code’s behaviors as much as possible and to avoid redundant ones. Gen- erating too few samples may miss too much behaviors, while redundant samples can cause the performance overhead. As a simple yet eﬀective way to control the number of samples, we propose to usecombinatorial testing [11].

We implemented the proposed automatic modeling as an extension of SAFE, a JavaScript static analyzer [13,17]. For opaque code encountered during analysis, the extension generates concrete inputs from abstract states, and executes the code dynamically using the concrete inputs via a JavaScript engine (Node.js in our implementation). Then, it abstracts the execution results using the oper- ations provided by SAFE such as lattice-join and our over-approximation, and resumes the analysis.

Our paper makes the following contributions:

– We present a novel way to handle opaque code during static analysis by computing a precise on-demand model of the code using (1) input samples that represent analysis states, (2) dynamic execution, and (3) abstraction.

– We propose a combinatorial sampling strategy to eﬃciently generate well- distributed input samples.

– We evaluate our tool against hand-written models for large parts of JavaScript’s builtin functions in terms of precision, soundness, and performance.

– Our tool revealed implementation errors in existing hand-written models, demonstrating that it can be used for automatic testing of static analyzers.

In the remainder of this paper, we present our Sample-Run-Abstract approach to model opaque code for static analysis (Sect.2) and describe the sampling strategy (Sect.3) we use. We then discuss our implementation and experiences of applying it to JavaScript analysis (Sect.4), evaluate the implementation using ECMAScript 5.1 builtin functions as benchmarks (Sect.5), discuss related work (Sect.6), and conclude (Sect.7).

Dalam dokumen Fundamental Approaches to Software Engineering (Halaman 50-56)