research-article

Lightweight verification of array indexing

Authors:
Martin Kellogg

University of Washington, USA

University of Washington, USA
View Profile

,
Vlastimil Dort

Charles University in Prague, Czechia

Charles University in Prague, Czechia
View Profile

,
Suzanne Millstein

University of Washington, USA

University of Washington, USA
View Profile

,
Michael D. Ernst

University of Washington, USA

University of Washington, USA
View Profile

ISSTA 2018: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and AnalysisJuly 2018Pages 3–14https://doi.org/10.1145/3213846.3213849

Published:12 July 2018Publication History

Related Artifact: Replication package for Lightweight Verification of Array Indexing July 2018 software https://doi.org/10.1145/3234989

ISSTA 2018: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis

Pages 3–14

ABSTRACT

In languages like C, out-of-bounds array accesses lead to security vulnerabilities and crashes. Even in managed languages like Java, which check array bounds at run time, out-of-bounds accesses cause exceptions that terminate the program.

We present a lightweight type system that certifies, at compile time, that array accesses in the program are in-bounds. The type system consists of several cooperating hierarchies of dependent types, specialized to the domain of array bounds-checking. Programmers write type annotations at procedure boundaries, allowing modular verification at a cost that scales linearly with program size.

We implemented our type system for Java in a tool called the Index Checker. We evaluated the Index Checker on over 100,000 lines of open-source code and discovered array access errors even in well-tested, industrial projects such as Google Guava.

References

2002. PLDI 2002: Proceedings of the ACM SIGPLAN 2002 Conference on Programming Language Design and Implementation. Berlin, Germany.Google Scholar
Wolfgang Ahrendt, Bernhard Beckert, Daniel Bruns, Richard Bubel, Christoph Gladisch, Sarah Grebing, Reiner Hähnle, Martin Hentschel, Mihai Herda, Vladimir Klebanov, Wojciech Mostowski, Christoph Scheben, Peter H. Schmitt, and Mattias Ulbrich. 2014. The KeY platform for verification and analysis of Java programs. In VSTTE 2014: 6th Working Conference on Verified Software: Theories, Tools, Experiments. Vienna, Austria, 55–71.Google ScholarCross Ref
Nathaniel Ayewah, David Hovemeyer, J. David Morgenthaler, John Penix, and William Pugh. 2008. Using Static Analysis to Find Bugs. IEEE Software 25, 5 (2008), 22–29. Google ScholarDigital Library
Mike Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K Rustan M Leino. 2005. Boogie: A modular reusable verifier for object-oriented programs. In International Symposium on Formal Methods for Components and Objects. Springer, 364–387. Google ScholarDigital Library
Paulo Barros, René Just, Suzanne Millstein, Paul Vines, Werner Dietl, Marcelo d’Amorim, and Michael D. Ernst. 2015. Static analysis of implicit control flow: Resolving Java reflection and Android intents. In ASE 2015: Proceedings of the 30th Annual International Conference on Automated Software Engineering. Lincoln, NE, USA, 669–679.Google Scholar
Al Bessey, Ken Block, Benjamin Chelf, Andy Chou, Bryan Fulton, Seth Hallem, Charles Henri-Gros, Asya Kamsky, Scott McPeak, and Dawson R. Engler. 2010. A few billion lines of code later: Using static analysis to find bugs in the real world. Commun. ACM 53, 2 (2010), 66–75. Google ScholarDigital Library
Rastislav Bodík, Rajiv Gupta, and Vivek Sarkar. 2000. ABCD: Eliminating Array Bounds Checks on Demand. In PLDI 2000: Proceedings of the ACM SIGPLAN 2000 Conference on Programming Language Design and Implementation. Vancouver, BC, Canada, 321–333. Google ScholarDigital Library
Dan Brotherston, Werner Dietl, and Ondřej Lhoták. 2017. Granullar: gradual nullable types for Java. In CC 2017: 26th International Conference on Compiler Construction. Austin, TX, USA, 87–97. Google ScholarDigital Library
Lilian Burdy, Yoonsik Cheon, David Cok, Michael D. Ernst, Joe Kiniry, Gary T. Leavens, K. Rustan M. Leino, and Erik Poll. 2005. An overview of JML tools and applications. Software Tools for Technology Transfer 7, 3 (June 2005), 212–232.Google ScholarCross Ref
Jeremy Condit, Matthew Harren, Zachary Anderson, David Gay, and George C. Necula. 2007. Dependent types for low-level programming. In ESOP 2007: 16th European Symposium on Programming. Braga, Portugal, 520–535. Google ScholarDigital Library
Patrick Cousot. 1997. Types as abstract interpretations. In POPL ’97: Proceedings of the 24th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. Paris, France, 316–331. Google ScholarDigital Library
Al Danial. Accessed June 7, 2018. cloc. http://cloc.sourceforge.net/.Google Scholar
Oege De Moor, Damien Sereni, Mathieu Verbaere, Elnar Hajiyev, Pavel Avgustinov, Torbjörn Ekman, Neil Ongkingco, and Julian Tibble. 2007.. ql: Objectoriented queries made easy. In International Summer School on Generative and Transformational Techniques in Software Engineering. Springer, Braga, Portugal, 78–133.Google Scholar
Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In TACAS 2008: Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Budapest, Hungary, 337–340. Google ScholarDigital Library
David L. Detlefs, K. Rustan M. Leino, Greg Nelson, and James B. Saxe. 1998. Extended Static Checking. SRC Research Report 159. Compaq Systems Research Center.Google Scholar
Archibald Samuel Elliott, Andrew Ruef, Michael Hicks, and David Tarditi. {n. d.}. Checked C: Making C safe by extension.Google Scholar
Michael Ernst. Accessed June 7, 2018. plume-lib. https://github.com/mernst/ plume-lib.Google Scholar
Michael D. Ernst. 2003. Static and dynamic analysis: Synergy and duality. In WODA 2003: Workshop on Dynamic Analysis. Portland, OR, USA, 24–27.Google Scholar
David Evans. 1996. Static detection of dynamic memory errors. In PLDI ’96: Proceedings of the SIGPLAN ’96 Conference on Programming Language Design and Implementation. Philadelphia, PA, USA, 44–53. Google ScholarDigital Library
Manuel Fähndrich, Michael Barnett, and Francesco Logozzo. 2010. Embedded contract languages. In SAC 2010: Proceedings of the 2010 ACM Symposium on Applied Computing. Sierre, Switzerland, 2103–2110. Google ScholarDigital Library
Manuel Fähndrich and Francesco Logozzo. 2010. Static contract checking with abstract interpretation. In International Conference on Formal Verification of Object-Oriented Software. Paris, France, 10–30. Google ScholarDigital Library
James Finkle and Supriya Kurane. 2014. U.S. hospital breach biggest yet to exploit Heartbleed bug: expert. https://www.reuters.com/article/ us-community-health-cybersecurity-idUSKBN0GK0H420140820.Google Scholar
Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, and Raymie Stata. 2002. Extended static checking for Java, See { 1 }, 234–245. Google ScholarDigital Library
Jeffrey S. Foster, Tachio Terauchi, and Alex Aiken. 2002. Flow-sensitive type qualifiers, See { 1 }, 1–12. Google ScholarDigital Library
David Gilbert. Accessed June 7, 2018. JFreeChart. https://github.com/jfree/ jfreechart.Google Scholar
Alberto Goffi, Alessandra Gorla, Andrea Mattavelli, Mauro Pezzè, and Paolo Tonella. 2014. Search-based synthesis of equivalent method sequences. In FSE 2014: Proceedings of the ACM SIGSOFT 22nd Symposium on the Foundations of Software Engineering. Hong Kong, 366–376. Google ScholarDigital Library
Google Inc. Accessed June 7, 2018. Google Guava. https://github.com/google/ guava.Google Scholar
Brian Hackett, Manuvir Das, Daniel Wang, and Zhe Yang. 2006. Modular checking for buffer overflows in the large. In ICSE 2006, Proceedings of the 28th International Conference on Software Engineering. Shanghai, China, 232–241. Google ScholarDigital Library
Reed Hastings and Bob Joyce. 1992. Purify: A tool for detecting memory leaks and access errors in C and C++ programs. In USENIX: Proceedings of the Winter 1992 USENIX Conference. San Francisco, CA, USA, 125–138.Google Scholar
Chris Hawblitzel, Jon Howell, Manos Kapritsos, Jacob R. Lorch, Bryan Parno, Michael L. Roberts, Srinath Setty, and Brian Zill. 2015. IronFleet: proving practical distributed systems correct. In SOSP 2015, Proceedings of the 23rd ACM Symposium on Operating Systems Principles. Monterey, CA, USA, 1–17. Google ScholarDigital Library
Trevor Jim, J. Greg Morrisett, Dan Grossman, Michael W. Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A safe dialect of C. In USENIX 2002: Proceedings of the 2002 USENIX Annual Technical Conference. Monterey, CA, USA, 275–288. Google ScholarDigital Library
Cliff B. Jones. 1983. Tentative steps toward a development method for interfering programs. ACM Transactions on Programming Languages and Systems (TOPLAS) 5, 4 (1983), 596–619. Google ScholarDigital Library
Vincent Laviron and Francesco Logozzo. 2011. SubPolyhedra: a family of numerical abstract domains for the (more) scalable inference of linear inequalities. Software Tools for Technology Transfer 13, 6 (2011), 585–601. Google ScholarDigital Library
Gary T. Leavens, Erik Poll, Curtis Clifton, Yoonsik Cheon, Clyde Ruby, David Cok, Peter Müller, Joseph Kiniry, Patrice Chalin, Daniel M. Zimmerman, and Werner Dietl. 2013. JML Reference Manual.Google Scholar
K. Rustan M. Leino. 2010. Dafny: An automatic program verifier for functional correctness. In LPAR 2010: Proceedings of the 16th International Conference on Logic for Programming, Artificial Intelligence, and Reasoning. Dakar, Senegal, 348–370. Google ScholarDigital Library
K. Rustan M. Leino and Greg Nelson. 1998. An extended static checker for Modula-3. In CC ’98: Compiler Construction: 7th International Conference. Lisbon, Portugal, 302–305. Google ScholarDigital Library
K. Rustan M. Leino and Clément Pit-Claudel. 2016. Trigger selection strategies to stabilize program verifiers. In CAV 2016: 28th International Conference on Computer Aided Verification. Toronto, Canada, 361–381.Google Scholar
Francesco Logozzo and Manuel Fähndrich. 2008. Pentagons: A weakly relational abstract domain for the efficient validation of array accesses. In SAC 2008: Proceedings of the 2008 ACM Symposium on Applied Computing. Fortaleza, Ceará, Brazil, 184–188. Google ScholarDigital Library
Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. 2015. Everything you want to know about pointer-based checking. In SNAPL 2015: the Inaugural Summit oN Advances in Programming Languages. Asilomar, CA, USA, 190–208.Google Scholar
George C. Necula, Jeremy Condit, Matthew Harren, Scott McPeak, and Westley Weimer. 2005. CCured: type-safe retrofitting of legacy software. ACM Trans. Program. Lang. Syst. 27, 3 (2005), 477–526. Google ScholarDigital Library
Nicholas Nethercote and Julian Seward. 2007. Valgrind: A Framework for Heavyweight Dynamic Binary Insrumentation. In PLDI 2007: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation. San Diego, CA, USA, 89–100. Google ScholarDigital Library
Serkan Özkan. 2018. CVE Details. https://www.cvedetails.com/ vulnerabilities-by-types.php. Summary of http://cve.mitre.org/.Google Scholar
Matthew M. Papi, Mahmood Ali, Telmo Luis Correa Jr., Jeff H. Perkins, and Michael D. Ernst. 2008. Practical pluggable types for Java. In ISSTA 2008, Proceedings of the 2008 International Symposium on Software Testing and Analysis. Seattle, WA, USA, 201–212. Google ScholarDigital Library
Frank Pfenning. 1992. Dependent types in logic programming. In Types in Logic Programming, Frank Pfenning (Ed.). MIT Press, Cambridge, MA, Chapter 10, 285–311.Google Scholar
William Pugh. 1991. The Omega test: a fast and practical integer programming algorithm for dependence analysis. In Proceedings, Supercomputing ’91. Albuquerque, New Mexico, 4–13. Google ScholarDigital Library
Feng Qian, Laurie Hendren, and Clark Verbrugge. 2002. A comprehensive approach to array bounds check elimination for Java. In CC 2002: Compiler Construction: 11th International Conference. Grenoble, France, 325–341. Google ScholarDigital Library
Patrick M. Rondon, Ming Kawaguchi, and Ranjit Jhala. 2008. Liquid types. In PLDI 2008: Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation. Tucson, AZ, USA, 159–169. Google ScholarDigital Library
Joseph Santino. 2016. Enforcing correct array indexes with a type system. In FSE 2016: Proceedings of the ACM SIGSOFT 24th Symposium on the Foundations of Software Engineering. Seattle, WA, USA, 1142–1144. Google ScholarDigital Library
Norihisa Suzuki and Kiyoshi Ishihata. 1977. Implementation of an array bound checker. In POPL ’77: Proceedings of the Fourth Annual ACM Symposium on Principles of Programming Languages. Los Angeles, CA, 132–143. Google ScholarDigital Library
David Tarditi. 2016. Extending C with bounds safety. https://github.com/ Microsoft/checkedc/releases/download/v0.6-final/checkedc-v0.6.pdf. Accessed: 2017-05-11. ISSTA’18, July 16–21, 2018, Amsterdam, Netherlands Martin Kellogg, Vlastimil Dort, Suzanne Millstein, and Michael D. ErnstGoogle Scholar
Shiyi Wei, Piotr Mardziel, Andrew Ruef, Jeffrey S. Foster, and Michael Hicks. 2018. Evaluating design tradeoffs in numeric static analysis for Java. In ESOP 2018: 27th European Symposium on Programming. Thessaloniki, Greece.Google ScholarCross Ref
Hongwei Xi and Frank Pfenning. 1998. Eliminating array bound checking through dependent types. ACM SIGPLAN Notices 33, 5 (1998), 249–257. Google ScholarDigital Library

Index Terms

Lightweight verification of array indexing
1. Software and its engineering
  1. Software notations and tools
    1. General programming languages
      1. Language features
        Data types and structures
  2. Software organization and properties
    1. Software functional properties
      1. Formal methods
        Automated static analysis
        Software verification

Recommendations

Scalability and precision by combining expressive type systems and deductive verification

Type systems and modern type checkers can be used very successfully to obtain formal correctness guarantees with little specification overhead. However, type systems in practical scenarios have to trade precision for decidability and scalability. Tools ...
Read More
JavaCOP: Declarative pluggable types for java

Pluggable types enable users to enforce multiple type systems in one programming language. We have developed a suite of tools, called the JavaCOP framework, that allows developers to create pluggable type systems for Java. JavaCOP provides a simple ...
Read More
Building and using pluggable type systems
FSE '10: Proceedings of the eighteenth ACM SIGSOFT international symposium on Foundations of software engineering

Are you a practitioner who is tired of null pointer exceptions, unintended side effects, SQL injections, concurrency errors, mistaken equality tests, and other run-time errors that appear during testing or in the field? A pluggable type system can ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
ISSTA 2018: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2018
379 pages
ISBN:9781450356992
DOI:10.1145/3213846
General Chair:
Frank Tip
Northeastern University, USA
,
Program Chair:
Eric Bodden
University of Paderborn, Germany / Fraunhofer IEM, Germany
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 12 July 2018
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Badges
- Artifacts Available
- Artifacts Evaluated & Functional
Author Tags
Checker Framework
Index Checker
Pluggable type systems
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate58of213submissions,27%
Upcoming Conference
ISSTA '24

Sponsor:

sigsoft

33rd ACM SIGSOFT International Symposium on Software Testing and Analysis

September 16 - 20, 2024

Vienna , Austria
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 3
  Total Citations
  View Citations
- 262
  Total Downloads
- Downloads (Last 12 months)10
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Lightweight verification of array indexing

ISSTA 2018: Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis

ABSTRACT

References

Cited By

Index Terms

Recommendations

Scalability and precision by combining expressive type systems and deductive verification

JavaCOP: Declarative pluggable types for java

Building and using pluggable type systems