DOI: 10.1145/3385412.3386026

Static analysis of Java enterprise applications: frameworks and caches, the elephants in the room

Published: 11 June 2020

Abstract

Enterprise applications are a major success domain of Java, and Java is the default setting for much modern static analysis research. It would stand to reason that high-quality static analysis of Java enterprise applications would be commonplace, but this is far from true. Major analysis frameworks feature virtually no support for enterprise applications and offer analyses that are woefully incomplete and vastly imprecise, when at all scalable.
In this work, we present two techniques for drastically enhancing the completeness and precision of static analysis for Java enterprise applications. The first technique identifies domain-specific concepts underlying all enterprise application frameworks, captures them in an extensible, declarative form, and achieves modeling of components and entry points in a largely framework-independent way. The second technique offers precision and scalability via a sound-modulo-analysis modeling of standard data structures.
In realistic enterprise applications (an order of magnitude larger than prior benchmarks in the literature) our techniques achieve high degrees of completeness (on average more than 4x higher than conventional techniques) and speedups of about 6x compared to the most precise conventional analysis, with higher precision on multiple metrics. The result is JackEE, an enterprise analysis framework that can offer precise, high-completeness static modeling of realistic enterprise applications.

Authors: A. Antoniadis, N. Filippakis, P. Krishnan, R. Ramesh, N. Allen, and Y. Smaragdakis

Venue: PLDI ’20, June 15–20, 2020, London, UK


Published In

PLDI 2020: Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2020
1174 pages
ISBN:9781450376136
DOI:10.1145/3385412
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Java EE
  2. points-to analysis
  3. static analysis

Qualifiers

  • Research-article

Funding Sources

  • ERC (European Research Council)

Conference

PLDI '20

Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Article Metrics

  • Downloads (Last 12 months)131
  • Downloads (Last 6 weeks)17
Reflects downloads up to 14 Jan 2025

Cited By

  • (2024) EXCHAIN. Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation, 2047–2062. DOI 10.5555/3691825.3691937. Online publication date: 16-Apr-2024
  • (2024) DAInfer: Inferring API Aliasing Specifications from Library Documentation via Neurosymbolic Optimization. Proceedings of the ACM on Software Engineering 1:FSE, 2469–2492. DOI 10.1145/3660816. Online publication date: 12-Jul-2024
  • (2024) Scaling Type-Based Points-to Analysis with Saturation. Proceedings of the ACM on Programming Languages 8:PLDI, 990–1013. DOI 10.1145/3656417. Online publication date: 20-Jun-2024
  • (2024) Data Lineage Analysis for Enterprise Applications by Manta: The Story of Java and C# Scanners. Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice, 25–35. DOI 10.1145/3639477.3639739. Online publication date: 14-Apr-2024
  • (2024) MicroFuzz: An Efficient Fuzzing Framework for Microservices. Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice, 216–227. DOI 10.1145/3639477.3639723. Online publication date: 14-Apr-2024
  • (2024) WeBridge: Synthesizing Stored Procedures for Large-Scale Real-World Web Applications. Proceedings of the ACM on Management of Data 2:1, 1–29. DOI 10.1145/3639319. Online publication date: 26-Mar-2024
  • (2024) Efficiently Trimming the Fat: Streamlining Software Dependencies with Java Reflection and Dependency Analysis. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1–12. DOI 10.1145/3597503.3639123. Online publication date: 20-May-2024
  • (2024) Cross-Language Taint Analysis: Generating Caller-Sensitive Native Code Specification for Java. IEEE Transactions on Software Engineering 50:6, 1518–1533. DOI 10.1109/TSE.2024.3392254. Online publication date: 27-May-2024
  • (2024) Generic Sensitivity: Generics-Guided Context Sensitivity for Pointer Analysis. IEEE Transactions on Software Engineering 50:5, 1144–1162. DOI 10.1109/TSE.2024.3377645. Online publication date: 12-Apr-2024
  • (2024) AutoWeb: Automatically Inferring Web Framework Semantics via Configuration Mutation. Engineering of Complex Computer Systems, 369–389. DOI 10.1007/978-3-031-66456-4_20. Online publication date: 29-Sep-2024
