Runtime Instrumentation for Precise Flow-Sensitive Type Analysis

We describe a combination of runtime information and static analysis for checking properties of complex and configurable systems. The basic idea of our approach is to 1) let the program execute and thereby read the important dynamic configuration data, then 2) invoke static analysis from this runtime state to detect possible errors that can happen in the continued execution. This approach improves analysis precision, particularly with respect to types of global variables and nested data structures. It also enables the resolution of modules that are loaded based on dynamically computed information. We describe an implementation of this approach in a tool that statically computes possible types of variables in PHP applications, including detailed types of nested maps (arrays). PHP is a dynamically typed language; PHP programs extensively use nested value maps, as well as ’include’ directives whose arguments are dynamically computed file names. We have applied our analysis tool to over 50’000 lines of PHP code, including the popular DokuWiki software, which has a plug-in architecture. The analysis identified 200 problems in the code and in the type hints of the original source code base. Some of these problems can cause exploits, infinite loops, and crashes. Our experiments show that dynamic information simplifies the development of the analysis and decreases the number of false alarms compared to a purely static analysis approach.

Editors:
Barringer, Howard
Falcone, Yliès
Finkbeiner, Bernd
Havelund, Klaus
Lee, Insup
Pace, Gordon J.
Rosu, Grigore
Sokolsky, Oleg
Tillmann, Nikolai
Published in:
Runtime Verification - First International Conference, RV 2010, St. Julians, Malta, November 1-4, 2010. Proceedings, 6418, 300-314
Presented at:
1st International Conference on Runtime Verification, St. Julians, Malta, November 1-4, 2010

 Record created 2010-12-01, last modified 2020-04-20
