RefaFlex: Safer Refactorings for Reflective Java Programs

Eric | April 26, 2012

Andreas Thies and I have just had accepted a paper for publication at this year’s ISSTA. I have just put our camera-ready copy online. We describe an approach to ensuring the correctness of refactorings for Java programs that use reflection:

If programs access types and members through reflection, refactoring tools cannot guarantee that refactorings on those programs are behavior preserving. Refactoring approaches for highly reflective languages like Smalltalk therefore check behavior preservation using regression testing.

In this paper we propose RefaFlex, a novel and more de- fensive approach towards the refactoring of reflective (Java) programs. RefaFlex uses a dynamic program analysis to log reflective calls during test runs and then uses this in- formation to proactively prevent the programmer from exe- cuting refactorings that could otherwise alter the program’s behavior. This makes re-running test cases obsolete: when a refactoring is permitted, tests passing originally are guar- anteed to pass for the refactored program as well. In some cases, we further re-write reflective calls, permitting refac- torings that would otherwise have to be rejected.

We have implemented RefaFlex as an open source Eclipse plugin and offer extensions for six Eclipse refactor- ing tools addressing naming, typing, and accessibility issues. Our evaluation with 21,524 refactoring runs on three open source programs shows that our tool successfully prevents 1,358 non-behaviour-preserving refactorings which the plain Eclipse refactorings would have incorrectly permitted. 

Download the paper here – Browse our project website here

Comments Off on RefaFlex: Safer Refactorings for Reflective Java Programs

Position Paper: Static Flow-Sensitive & Context-Sensitive Information-flow Analysis for Software Product Lines

Eric | April 22, 2012

In our recent paper accepted at the SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), we demonstrate how inter-procedural information-flow analyses for regular programs can be transparently lifted to software product lines (SPLs), so that they can deal with conditional-compilation constructs such as #ifdef. Out approach is based on the IFDS/IDE framework by Reps, Horwitz and Sagiv. Currently, our approach is constrained to direct information flow, but we are already considering an extension to indirect flow as well.

Read the full abstract and paper here:

A software product line encodes a potentially large variety of software products as variants of some common code base, e.g., through the use of #ifdef statements or other forms of conditional compilation. Traditional information-flow analyses cannot cope with such constructs. Hence, to check for possibly insecure information flow in a product line, one currently has to analyze each resulting product separately, of which there may be thousands, making this task intractable.

We report about ongoing work that will instead enable users to check the security of information flows in entire software product lines in one single pass, without having to generate individual products from the product line. Executing the analysis on the product line promises to be orders of magnitude more faster than analyzing products individually.

We discuss the design of our information-flow analysis and our ongoing implementation using the IFDS/IDE framework by Reps, Horwitz and Sagiv.

Download the paper here

Comments Off on Position Paper: Static Flow-Sensitive & Context-Sensitive Information-flow Analysis for Software Product Lines

RV 2012 – Call for Papers

Eric | April 15, 2012

3rd International Conference on Runtime Verification (RV 2012)
September 25 – September 28, 2012

Runtime verification is concerned with monitoring and analysis of software and hardware system executions. Runtime verification techniques are crucial for system correctness and reliability; they are significantly more powerful and versatile than conventional testing, and more practical than exhaustive formal verification. Runtime verification can be used prior to deployment, for verification and debugging purposes, and after deployment for ensuring reliability, safety and security, and for providing fault containment and recovery. Topics of interest to the conference include:

  • specification languages and formalisms for traces
  • specification mining
  • program instrumentation
  • monitor construction techniques
  • logging, recording, and replay
  • fault detection, localization, recovery and repair
  • program steering and adaptation
  • metrics and statistical information gathering
  • combination of static and dynamic analyses
  • program execution visualization

Abstract submissions are due on May 27th. Read more here.

Comments Off on RV 2012 – Call for Papers