Higher-Order and Symbolic Computation, Volume 23, Issue 1, pp 29–86

Magic-sets for localised analysis of Java bytecode

  • Fausto Spoto
  • Étienne Payet


Static analyses based on denotational semantics can naturally model functional behaviours of the code in a compositional and completely context- and flow-sensitive way. But they only model the functional, i.e., input/output, behaviour of a program P, which is not enough if one needs P’s internal behaviours, i.e., from the input to some internal program points. This is, however, a frequent requirement for a useful static analysis. In this paper, we overcome this limitation, for the case of mono-threaded Java bytecode, with a technique used up to now for logic programs only. Namely, we define a program transformation that adds new magic blocks of code to the program P, whose functional behaviours are the internal behaviours of P. We prove the transformation correct w.r.t. an operational semantics and define an equivalent denotational semantics, devised for abstract interpretation, whose denotations for the magic blocks are hence the internal behaviours of P. We implement our transformation and instantiate it with abstract domains modelling sharing of two variables, non-cyclicity of variables, nullness of variables, class initialisation information and size of the values bound to program variables. We get a static analyser for full mono-threaded Java bytecode that is faster and scales better than another operational pair-sharing analyser. It has the same speed but is more precise than a constraint-based nullness analyser. It makes a polyhedral size analysis of Java bytecode scale up to 1300 methods in a couple of minutes and a zone-based size analysis scale to still larger applications.


Keywords: Magic-sets, Abstract interpretation, Static analysis, Denotational semantics





Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  1. Dipartimento di Informatica, Università di Verona, Verona, Italy
  2. IREMIA, Université de la Réunion, Réunion, France
