Historia: Refuting Callback Reachability with Message-History Logics

IF 2.2 Q2 COMPUTER SCIENCE, SOFTWARE ENGINEERING
Meier, Shawn, Mover, Sergio, Kaki, Gowtham, Chang, Bor-Yuh Evan
DOI: 10.1145/3622865 (https://doi.org/10.1145/3622865)
Journal: Proceedings of the ACM on Programming Languages
Publication date: 2023-10-16 (Journal Article)
Citations: 0

Abstract

This paper considers the callback reachability problem --- determining if a callback can be called by an event-driven framework in an unexpected state. Event-driven programming frameworks are pervasive for creating user-interactive applications (apps) on just about every modern platform. Control flow between callbacks is determined by the framework and largely opaque to the programmer. This opacity of the callback control flow not only causes difficulty for the programmer but is also difficult for those developing static analysis. Previous static analysis techniques address this opacity either by assuming an arbitrary framework implementation or attempting to eagerly specify all possible callback control flow, but this is either too coarse to prove properties requiring callback-ordering constraints or too burdensome and tricky to get right. Instead, we present a middle way where the callback control flow can be gradually refined in a targeted manner to prove assertions of interest. The key insight to get this middle way is by reasoning about the history of method invocations at the boundary between app and framework code --- enabling a decoupling of the specification of callback control flow from the analysis of app code. We call the sequence of such boundary-method invocations message histories and develop message-history logics to do this reasoning. In particular, we define the notion of an application-only transition system with boundary transitions, a message-history program logic for programs with such transitions, and a temporal specification logic for capturing callback control flow in a targeted and compositional manner. Then to utilize the logics in a goal-directed verifier, we define a way to combine after-the-fact an assertion about message histories with a specification of callback control flow. We implemented a prototype message history-based verifier called Historia and provide evidence that our approach is uniquely capable of distinguishing between buggy and fixed versions on challenging examples drawn from real-world issues and that our targeted specification approach enables proving the absence of multi-callback bug patterns in real-world open-source Android apps.
Source journal: Proceedings of the ACM on Programming Languages (Engineering - Safety, Risk, Reliability and Quality)
CiteScore: 5.20
Self-citation rate: 22.20%
Articles published: 192