Static Analysis of String Values
Giulia Costantini¹, Pietro Ferrara², Agostino Cortesi¹
¹ Università Ca’ Foscari, Venice, Italy
² ETH Zurich, Switzerland
ICFEM 2011, Durham, England
G. Costantini, P. Ferrara, and A. Cortesi: “Static Analysis of String Values”, ICFEM, Durham, England
Strings
• Strings are everywhere:
  > SQL queries
  > Reflection
• Wrong use could have catastrophic effects
Sound static analysis
• Prove properties
  > at compile time (static)
  > respected by all executions (sound)
• Abstract interpretation
  > Cousot & Cousot 77/79
  > Mathematical framework to
    • Define the semantics
    • Soundly approximate it
  > Ideal goal: fast and precise abstraction
Bases of abstract interpretation
[Figure: concrete sets ({1, 5, 8}, {…, -1, 0, 1, …}, {1, 2, …}, ∅) on the left and the sign lattice (⊤ above +, 0, -, above ⊥) on the right; arrows labelled Abstraction go from concrete to abstract, arrows labelled Concretization from abstract to concrete]
Semantics
[Figure: the concrete x++ maps {1, 5, 8} to {2, 6, 9}; the abstract x++ maps the sign + to +, on the same concrete sets and sign lattice as before]
Upper bound
[Figure: for if(…) x=0; else x=1; the concrete values {0} and {1} are joined into {0, 1}; in the sign lattice the abstract values 0 and + are joined into ⊤]
Numerical analyses
• Common interface for several analyses
• Semantics of +, -, *, /, constants, …
[Figure: x++ on three domains: the sign lattice (⊤; +, 0, -; ⊥), the parity lattice (⊤; Odd, Even; ⊥), and intervals, where x++ maps [0..3] to [1..4]]
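Added example, not part of the slides: the sign domain of the preceding slides in Python, with the abstraction of a concrete set, the abstract x++ of the Semantics slide, the join used for the if of the Upper bound slide, and a concretization-based soundness check for x++ (all function names are my own).

```python
# Added example, not from the slides: the sign domain of these slides with
# abstraction, the abstract x++ and the join used at the end of an if, plus
# a concretization-based soundness check for x++.
BOT, NEG, ZERO, POS, TOP = "⊥", "-", "0", "+", "⊤"

def sign(v):
    """Sign of a single integer."""
    return NEG if v < 0 else ZERO if v == 0 else POS

def alpha(values):
    """Abstraction: the best sign for a concrete set of integers."""
    signs = {sign(v) for v in values}
    if not signs:
        return BOT                      # the empty set abstracts to ⊥
    return signs.pop() if len(signs) == 1 else TOP

def join(a, b):
    """Upper bound in the sign lattice; merges the branches of an if."""
    if a == BOT:
        return b
    if b == BOT:
        return a
    return a if a == b else TOP

def incr(a):
    """Abstract semantics of x++: a negative value may become 0, so - goes to ⊤."""
    return {BOT: BOT, NEG: TOP, ZERO: POS, POS: POS, TOP: TOP}[a]

def gamma_contains(a, v):
    """Concretization test: does the abstract sign a represent the integer v?"""
    return a == TOP or (a != BOT and sign(v) == a)

def sound_incr(values):
    """Soundness: every concrete x++ result is covered by incr(alpha(values))."""
    abstract_result = incr(alpha(values))
    return all(gamma_contains(abstract_result, v + 1) for v in values)

# Semantics slide: {1, 5, 8} --x++--> {2, 6, 9}, abstractly + --x++--> +
assert alpha({1, 5, 8}) == POS and incr(POS) == POS == alpha({2, 6, 9})
# Upper bound slide: if(…) x=0; else x=1;  {0} ⊔ {1} = {0, 1}, abstractly 0 ⊔ + = ⊤
assert join(alpha({0}), alpha({1})) == TOP
```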
Outline
1. Introduction
2. Generic framework for string analysis
3. String domains
   a) Character inclusion
   b) Prefix and suffix
   c) Bricks
   d) String graphs
4. Conclusion
String operators
• Set of standard operators on strings:
  > new String(“str”), or “str”
  > concat(s1, s2), or s1+s2
  > readLine()
  > substring(b, e, s)
  > contains(c, s)
• Each domain has a lattice structure
Running example
string x = "a";
while(…)
  x = "0" + x + "1";
return x;
[The loop condition is unknown, because of approximation, user input, …]
Character inclusion
• Strings approximated through
  > C: characters surely contained
  > MC: characters possibly contained
[Figure: concrete sets of strings and their abstraction as a pair (C, MC) of sets of characters; example concrete sets: { a }, { 0 }, { 1 }, { 0a1 }, { 0a1, a }, { a, 0 }, { 0, 1 }, { a0, 0a1, 0ab, … }, { 0a, aa, … }; both C and MC range over the lattice of subsets of Chars, from ∅ up to Chars]
Character inclusion – Running example
string x = "a";
while(…)
  x = "0" + x + "1";
return x;
[Figure: the abstract pair (C, MC) at each program point; the concretization of the result is { a, a0, 000a1, 0101a010, … }]
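Added example, not part of the slides: a Python implementation of the character-inclusion domain (abstraction of constants, concat, join, the abstract contains operator and a concretization test), run to a fixpoint on the running example; class and method names are my own.

```python
# Added example, not from the slides: the character-inclusion domain.  An
# abstract value is a pair (C, MC), C = characters surely contained and
# MC = characters possibly contained, with C ⊆ MC.
from dataclasses import dataclass

@dataclass(frozen=True)
class CharInc:
    C: frozenset   # characters surely contained
    MC: frozenset  # characters possibly contained

    @staticmethod
    def const(s):
        """Abstraction of a string constant: C = MC = its characters."""
        return CharInc(frozenset(s), frozenset(s))

    def concat(self, other):
        """s1 + s2 surely contains both C sets and possibly both MC sets."""
        return CharInc(self.C | other.C, self.MC | other.MC)

    def join(self, other):
        """Upper bound: intersect the sure sets, unite the possible sets."""
        return CharInc(self.C & other.C, self.MC | other.MC)

    def contains(self, c):
        """Abstract contains(c, s): True/False when definite, None when unknown."""
        if c in self.C:
            return True
        if c not in self.MC:
            return False
        return None

    def in_gamma(self, s):
        """Concretization test: is the concrete string s represented?"""
        return self.C <= set(s) <= self.MC

def running_example():
    """string x = "a"; while(…) x = "0" + x + "1"; return x;"""
    x = CharInc.const("a")
    while True:                  # the lattice is finite, so no widening is needed
        body = CharInc.const("0").concat(x).concat(CharInc.const("1"))
        nxt = x.join(body)       # loop head: entry value ⊔ value after one more iteration
        if nxt == x:
            return x
        x = nxt
```

The result has C = {a} and MC = {a, 0, 1}, so its concretization contains "000a1" and "0101a010" but also "a0", which the program can never produce: the domain forgets the order of characters.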
Prefix & Suffix
• Strings approximated through
  > PR: prefix of the string
  > SU: suffix of the string
[Figure: concrete sets of strings and their abstraction as a pair (PR, SU); example concrete sets: { a1 }, { 0 }, { 1 }, { a10 }, { a10, a1 }, { a1, 0 }, { 0, 1 }, { a1, a10, a1zf, … }, { 1a, a1a, fds1a, … }; each of PR and SU ranges over a lattice with ⊥ at the bottom and the empty string ϵ at the top]
Prefix & Suffix – Running example
string x = "a";
while(…)
  x = "0" + x + "1";
return x;
[Figure: the abstract pair (PR, SU) at each program point; the concretization of the result is Strings, the set of all strings]
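Added example, not part of the slides: the prefix-and-suffix domain in Python (constants, concat, join by longest common prefix and suffix, and a concretization test), run to a fixpoint on the running example; function names and the tuple encoding are my own.

```python
# Added example, not from the slides: the prefix-and-suffix domain on the
# running example.  An abstract value is a pair (PR, SU); None stands for ⊥,
# and an empty prefix (suffix) carries no information, so ("", "") is ⊤.

def lcp(a, b):
    """Longest common prefix of two strings."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]

def lcs(a, b):
    """Longest common suffix, via the lcp of the reversed strings."""
    return lcp(a[::-1], b[::-1])[::-1]

def const(s):
    """Abstraction of a string constant: it is its own prefix and suffix."""
    return (s, s)

def concat(x, y):
    """The prefix of s1+s2 is the prefix of s1, its suffix the suffix of s2."""
    if x is None or y is None:
        return None
    return (x[0], y[1])

def join(x, y):
    """Upper bound: longest common prefix and longest common suffix."""
    if x is None:
        return y
    if y is None:
        return x
    return (lcp(x[0], y[0]), lcs(x[1], y[1]))

def in_gamma(x, s):
    """Concretization test: s starts with PR and ends with SU."""
    return x is not None and s.startswith(x[0]) and s.endswith(x[1])

def running_example():
    """string x = "a"; while(…) x = "0" + x + "1"; return x;"""
    x = const("a")
    while True:          # PR and SU only shrink under join, so this terminates
        body = concat(concat(const("0"), x), const("1"))
        nxt = join(x, body)
        if nxt == x:
            return x
        x = nxt
```

After one iteration the body yields ("0", "1"), whose join with ("a", "a") is ("", ""): the result is ⊤ and its concretization is every string, as the slide shows.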
Bricks
• Sequence of bricks
[Figure: concrete sets of strings ({ a }, { 0 }, { ϵ }, { 0a1 }, { 0a1, a }, { a, 0 }, { 0, ϵ }, { a, 0, ϵ }) and their abstraction; the abstract lattice has ⊥ at the bottom and ⊤ at the top]
Bricks – Running example
string x = "a";
while(…)
  x = "0" + x + "1";
return x;
[Figure: the abstract value at each program point, starting from the single brick [a]1,1 for x = "a"; after the loop iterations the analysis applies widening (Widening!); the concretization of the result is shown on the right]
String graphs
• Adaptation of type graphs (tree automata)
  > Rely on their normalization and widening
[Figure: concrete sets of strings ({ a }, { 0 }, { ϵ }, { 0a1 }, { 0a1, a }, { a, 0 }, { 0, ϵ }, { a, 0, ϵ }) and the string graphs abstracting them, built from the leaves a, 0, 1 and ⊥, with a max node]
String graphs – Running example
string x = "a";
while(…)
  x = "0" + x + "1";
return x;
[Figure, over four slides: the string graph for x = "a" is the single leaf a; "0" + x + "1" is a concat node with children 0, a, 1; at the loop head the join ⊔ of the graph for a and the graph for 0a1 is computed, then normalized (Normalization), then widened (Widening!); the last slide shows the concretization of the widened graph]
Conclusion
[Table comparing the four domains by Characters, Order and Complexity; rows: Character inclusion, Prefix and suffix, Bricks, String graphs]