research-article

Judge: identifying, understanding, and evaluating sources of unsoundness in call graphs

Authors:
Michael Reif

TU Darmstadt, Germany

TU Darmstadt, Germany
View Profile

,
Florian Kübler

TU Darmstadt, Germany

TU Darmstadt, Germany
View Profile

,
Michael Eichberg

TU Darmstadt, Germany

TU Darmstadt, Germany
View Profile

,
Dominik Helm

TU Darmstadt, Germany

TU Darmstadt, Germany
View Profile

,
Mira Mezini

TU Darmstadt, Germany

TU Darmstadt, Germany
View Profile

ISSTA 2019: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and AnalysisJuly 2019Pages 251–261https://doi.org/10.1145/3293882.3330555

Published:10 July 2019Publication History

ISSTA 2019: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis

Pages 251–261

ABSTRACT

Call graphs are widely used; in particular for advanced control- and data-flow analyses. Even though many call graph algorithms with different precision and scalability properties have been proposed, a comprehensive understanding of sources of unsoundness, their relevance, and the capabilities of existing call graph algorithms in this respect is missing. To address this problem, we propose Judge, a toolchain that helps with understanding sources of unsoundness and improving the soundness of call graphs. In several experiments, we use Judge and an extensive test suite related to sources of unsoundness to (a) compute capability profiles for call graph implementations of Soot, WALA, DOOP, and OPAL, (b) to determine the prevalence of language features and APIs that affect soundness in modern Java Bytecode, (c) to compare the call graphs of Soot, WALA, DOOP, and OPAL – highlighting important differences in their implementations, and (d) to evaluate the necessary effort to achieve project-specific reasonable sound call graphs. We show that soundness-relevant features/APIs are frequently used and that support for them differs vastly, up to the point where comparing call graphs computed by the same base algorithms (e.g., RTA) but different frameworks is bogus. We also show that Judge can support users in establishing the soundness of call graphs with reasonable effort.

References

{Online; accessed 20-January-2019}. Doop’s commit id: cdc59ce71d6510198da396cf6a7d20d73c6466d9.Google Scholar
{Online; accessed 20-January-2019}. OPAL’s commit id: 3107c45c8a00de0e132691a6275d39b5a4aa415b.Google Scholar
Karim Ali and Ondřej Lhoták. 2012. Application-only call graph construction. In European Conference on Object-Oriented Programming. Springer, 688–712. Google ScholarDigital Library
Karim Ali and Ondřej Lhoták. 2013. Averroes: Whole-program analysis without the whole program. In European Conference on Object-Oriented Programming. Springer, 378–400. Google ScholarDigital Library
Karim Ali, Marianna Rapoport, Ondřej Lhoták, Julian Dolby, and Frank Tip. 2014. Constructing call graphs of Scala programs. In European Conference on Object-Oriented Programming. Springer, 54–79. Google ScholarDigital Library
Karim Ali, Marianna Rapoport, Ondřej Lhoták, Julian Dolby, and Frank Tip. 2015. Type-Based Call Graph Construction Algorithms for Scala. ACM Trans. Softw. Eng. Methodol. 25, 1, Article 9 (Dec. 2015), 43 pages. Google ScholarDigital Library
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014.Google ScholarDigital Library
Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. Acm Sigplan Notices 49, 6 (2014), 259–269. Google ScholarDigital Library
David F Bacon and Peter F Sweeney. 1996. Fast static analysis of C++ virtual function calls. ACM Sigplan Notices 31, 10 (1996), 324–341. Google ScholarDigital Library
Paulo Barros, René Just, Suzanne Millstein, Paul Vines, Werner Dietl, Michael D Ernst, et al. 2015. Static analysis of implicit control flow: Resolving Java reflection and Android intents (T). In Automated Software Engineering (ASE), 2015 30th IEEE/ACM International Conference on. IEEE, 669–679. Google ScholarDigital Library
Stephen M Blackburn, Robin Garner, Chris Hoffmann, Asjad M Khang, Kathryn S McKinley, Rotem Bentzur, Amer Diwan, Daniel Feinberg, Daniel Frampton, Samuel Z Guyer, et al. 2006. The DaCapo benchmarks: Java benchmarking development and analysis. In ACM Sigplan Notices, Vol. 41. ACM, 169–190. Google ScholarDigital Library
Eric Bodden, Andreas Sewe, Jan Sinschek, Hela Oueslati, and Mira Mezin. 2011. Taming reflection. In Proceeding of the 33rd international conference on Software engineering - ICSE ’11. ACM Press, New York, New York, USA, 241. Google ScholarDigital Library
Jeffrey Dean, David Grove, and Craig Chambers. 1995. Optimization of objectoriented programs using static class hierarchy analysis. In European Conference on Object-Oriented Programming. Springer, 77–101. Google ScholarDigital Library
JB Dietrich, Henrik Schole, Li Sui, and Ewan Tempero. 2017. XCorpus–An executable Corpus of Java Programs. (2017).Google Scholar
Lisa Nguyen Quang Do, Michael Eichberg, and Eric Bodden. 2016. Toward an automated benchmark management system. In Proceedings of the 5th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis. ACM, 13–17. Google ScholarDigital Library
Michael Eichberg, F Kübler, D Helm, M Reif, G Salvaneschi, and M Mezini. 2018. Lattice Based Modularization of Static Analyses. In ISSTA Companion/ECOOP Companion. ACM. Google ScholarDigital Library
Kotlin Foundation. {Online; accessed 24-August-2018}. Kotlin Language. https: //kotlinlang.org/.Google Scholar
George Fourtounis, George Kastrinis, and Yannis Smaragdakis. 2018. Static Analysis of Java Dynamic Proxies. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2018). ACM, New York, NY, USA, 209–220. Google ScholarDigital Library
J Gosling, B Joy, G Steele, G Bracha, A Buckely, and D Smith. 2018. The Java Virtual Machine Specification, 2018. Oracle Ameria.Google Scholar
David Grove and Craig Chambers. 2001. A framework for call graph construction algorithms. ACM Transactions on Programming Languages and Systems (TOPLAS) 23, 6 (2001), 685–746. Google ScholarDigital Library
Rich Hickey. {Online; accessed 24-August-2018}. Clojure Language.Google Scholar
IBM. {Online; accessed 19-April-2018}. WALA - Static Analysis Framework for Java. http://wala.sourceforge.net/.Google Scholar
Artima Inc. {Online; accessed 24-August-2018}. ScalaTest. http://www.scalatest. org/.Google Scholar
Xiaoni Lai, Zhaoyi Luo, Karim Ali, Ondřej Lhoták, Julian Dolby, and Frank Tip. 2015. Evaluating Call Graph Construction for JVM-hosted Language Implementations. Technical Report CS-2015-03. University of Waterloo, David R. Cheriton School of Computer Science.Google Scholar
École Polytechnique Fédérale Lausanne. {Online; accessed 24-August-2018}. Scala Language. https://www.scala-lang.org/.Google Scholar
Ondvrej Lhoták. 2007. Comparing call graphs. In Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering - PASTE ’07. ACM Press, New York, New York, USA, 37–42. Google ScholarDigital Library
Ondřej Lhoták and Laurie Hendren. 2003. Scaling Java points-to analysis using S park. In International Conference on Compiler Construction. Springer, 153–169. Google ScholarDigital Library
B. Livshits. {Online; accessed -August-2018}. SecuriBench Micro. https://suif. stanford.edu/~livshits/work/securibench-micro/.Google Scholar
Benjamin Livshits, Manu Sridharan, Yannis Smaragdakis, Ondřej Lhoták, J Nelson Amaral, Bor-Yuh Evan Chang, Samuel Z Guyer, Uday P Khedker, Anders Møller, and Dimitrios Vardoulakis. 2015. In defense of soundiness: a manifesto. Commun. ACM 58, 2 (2015), 44–46. Google ScholarDigital Library
Luis Mastrangelo, Luca Ponzanelli, Andrea Mocci, Michele Lanza, Matthias Hauswirth, and Nathaniel Nystrom. 2015. Use at Your Own Risk: The Java Unsafe API in the Wild. In Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA 2015). ACM, New York, NY, USA, 695–710. Google ScholarDigital Library
Gail C Murphy, David Notkin, William G Griswold, and Erica S Lan. 1998. An empirical study of static call graph extractors. ACM Transactions on Software Engineering and Methodology (TOSEM) 7, 2 (1998), 158–191. Google ScholarDigital Library
MvnRepository. {Online; accessed 15-July-2018}. Maven - Popular Projects.a. https://mvnrepository.com/popular.Google Scholar
The Apache Groovy project. {Online; accessed 24-August-2018}. Groovy Language. http://groovy-lang.org/.Google Scholar
Michael Reif, Michael Eichberg, Ben Hermann, Johannes Lerch, and Mira Mezini. 2016. Call graph construction for java libraries. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. ACM, 474–486. Google ScholarDigital Library
Michael Reif, Michael Eichberg, Ben Hermann, and Mira Mezini. 2017. Hermes: assessment and creation of effective test corpora. In Proceedings of the 6th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis. ACM, 43–48. Google ScholarDigital Library
Michael Reif, Florian Kübler, Michael Eichberg, and Mira Mezini. 2018. Systematic evaluation of the unsoundness of call graph construction algorithms for Java. In Companion Proceedings for the ISSTA/ECOOP 2018 Workshops. ACM, 107–112. Google ScholarDigital Library
Olin Shivers. 1988. Control flow analysis in scheme. In ACM SIGPLAN Notices, Vol. 23. ACM, 164–174. Google ScholarDigital Library
Yannis Smaragdakis. {Online; accessed 23-August-2018}. DOOP - Framework for Java Pointer and Taint Analysis. https://bitbucket.org/yanniss/doop/.Google Scholar
Yannis Smaragdakis. {Online; accessed 23-August-2018}. DOOP Benchmarks. https://bitbucket.org/yanniss/doop-benchmarks/.Google Scholar
Yannis Smaragdakis, George Balatsouras, George Kastrinis, and Martin Bravenboer. 2015. More sound static handling of Java reflection. In Asian Symposium on Programming Languages and Systems. Springer, 485–503.Google ScholarCross Ref
Johannes Späth, Lisa Nguyen Quang Do, Karim Ali, and Eric Bodden. 2016. Boomerang: Demand-Driven Flow- and Context-Sensitive Pointer Analysis for Java. In 30th European Conference on Object-Oriented Programming (ECOOP 2016) (Leibniz International Proceedings in Informatics (LIPIcs)), Shriram Krishnamurthi and Benjamin S. Lerner (Eds.), Vol. 56. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 22:1–22:26.Google Scholar
Li Sui, Jens Dietrich, Michael Emery, Shawn Rasheed, and Amjed Tahir. 2018. On the Soundness of Call Graph Construction in the Presence of Dynamic Language Features-A Benchmark and Tool Evaluation. In Asian Symposium on Programming Languages and Systems. Springer, 69–88.Google Scholar
Vijay Sundaresan, Laurie Hendren, Chrislain Razafimahefa, Raja Vallée-Rai, Patrick Lam, Etienne Gagnon, and Charles Godin. 2000. Practical virtual method call resolution for Java. Vol. 35. ACM. Google ScholarDigital Library
Ewan Tempero, Craig Anslow, Jens Dietrich, Ted Han, Jing Li, Markus Lumpe, Hayden Melton, and James Noble. 2010. The Qualitas Corpus: A curated collection of Java code for empirical studies. In Software Engineering Conference (APSEC), 2010 17th Asia Pacific. IEEE, 336–345. Google ScholarDigital Library
Ricardo Terra, Luis Fernando Miranda, Marco Tulio Valente, and Roberto S Bigonha. 2013. Qualitas. class Corpus: A compiled version of the Qualitas Corpus. ACM SIGSOFT Software Engineering Notes 38, 5 (2013), 1–4. Google ScholarDigital Library
Frank Tip and Jens Palsberg. 2000. Scalable propagation-based call graph construction algorithms. Vol. 35. ACM. Google ScholarDigital Library

Index Terms

Judge: identifying, understanding, and evaluating sources of unsoundness in call graphs
1. General and reference
  1. Cross-computing tools and techniques
    1. Evaluation
2. Software and its engineering
  1. Software notations and tools
    1. General programming languages
      1. Language features
        Polymorphism

Recommendations

Systematic evaluation of the unsoundness of call graph construction algorithms for Java
ISSTA '18: Companion Proceedings for the ISSTA/ECOOP 2018 Workshops

Call graphs are at the core of many static analyses ranging from the detection of unused methods to advanced control-and data-flow analyses. Therefore, a comprehensive understanding of the precision and recall of the respective graphs is crucial to ...
Read More
On the unsoundness of static analysis for Android GUIs
SOAP 2016: Proceedings of the 5th ACM SIGPLAN International Workshop on State Of the Art in Program Analysis

Android software presents exciting new challenges for the static analysis community. However, static analyses for Android are typically unsound. This is due to the lack of specification of the Android framework, the continuous evolution of framework ...
Read More
Evaluating the benefits of context-sensitive points-to analysis using a BDD-based implementation

We present Paddle, a framework of BDD-based context-sensitive points-to and call graph analyses for Java, as well as client analyses that use their results. Paddle supports several variations of context-sensitive analyses, including call site strings ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ISSTA 2019: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2019
451 pages
ISBN:9781450362245
DOI:10.1145/3293882
General Chair:
Dongmei Zhang
Microsoft Research, China
,
Program Chair:
Anders Møller
Aarhus University, Denmark
Copyright © 2019 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 10 July 2019
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
call graph construction
soundness
static analysis
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate58of213submissions,27%
Upcoming Conference
ISSTA '24

Sponsor:

sigsoft

33rd ACM SIGSOFT International Symposium on Software Testing and Analysis

September 16 - 20, 2024

Vienna , Austria
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 25
  Total Citations
  View Citations
- 578
  Total Downloads
- Downloads (Last 12 months)144
- Downloads (Last 6 weeks)15
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Judge: identifying, understanding, and evaluating sources of unsoundness in call graphs

ISSTA 2019: Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis

ABSTRACT

References

Cited By

Index Terms

Recommendations

Systematic evaluation of the unsoundness of call graph construction algorithms for Java

On the unsoundness of static analysis for Android GUIs

Evaluating the benefits of context-sensitive points-to analysis using a BDD-based implementation