Francesco Logozzo

Francesco Logozzo
Microsoft

About

70
Publications
3,924
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
1,512
Citations

Publications

Publications (70)
Article
Key lessons for designing static analyses tools deployed to find bugs in hundreds of millions of lines of code.
Conference Paper
We want to prove that a static analysis of a given program is complete, namely, no imprecision arises when asking some query on the program behavior in the concrete (ie, for its concrete semantics) or in the abstract (ie, for its abstract interpretation). Completeness proofs are therefore useful to assign confidence to alarms raised by static analy...
Article
We want to prove that a static analysis of a given program is complete, namely, no imprecision arises when asking some query on the program behavior in the concrete (i.e., for its concrete semantics) or in the abstract (i.e., for its abstract interpretation). Completeness proofs are therefore useful to assign confidence to alarms raised by static a...
Article
We provide a formal model of tracing JIT compilation of programs using abstract interpretation. Hot path detection corresponds to an abstraction of the trace semantics of the program. The optimization phase corresponds to a transform of the original program that preserves its trace semantics up to an observation modeled by some abstraction. We prov...
Article
SAS2013 Artifact Submission Experience Report is presented by experts. The submitted artifacts would be used by the program committee as a secondary evaluation criteria whose sole purpose is to find additional positive arguments for the paper's acceptance. The motivation to submit artifacts as complete VMs was to provide flexibility to the authors...
Article
We introduce Verification Modulo Versions (VMV), a new static analysis technique for reducing the number of alarms reported by static verifiers while providing sound semantic guarantees. First, VMV extracts semantic environment conditions from a base program P. Environmental conditions can either be sufficient conditions (implying the safety of P)...
Article
We introduce Verification Modulo Versions (VMV), a new static analysis technique for reducing the number of alarms reported by static verifiers while providing sound semantic guarantees. First, VMV extracts semantic environment conditions from a base program P. Environmental conditions can either be sufficient conditions (implying the safety of P)...
Article
Tracing just-in-time compilation is a popular compilation schema for the efficient implementation of dynamic languages, which is commonly used for JavaScript, Python, and PHP. It relies on two key ideas. First, it monitors the execution of the program to detect so-called hot paths, i.e., the most frequently executed paths. Then, it uses some store...
Conference Paper
Tracing just-in-time compilation is a popular compilation schema for the efficient implementation of dynamic languages, which is commonly used for JavaScript, Python, and PHP. It relies on two key ideas. First, it monitors the execution of the program to detect so-called hot paths, i.e., the most frequently executed paths. Then, it uses some store...
Conference Paper
Contracts are a simple yet very powerful form of specification. They consists of method preconditions and post-conditions, of object invariants, and of assertions and loop invariants. Ideally, the programmer will annotate all of her code with contracts which are mechanically checked by some static analysis tool. In practice, programmers only write...
Conference Paper
In this tutorial I will introduce CodeContracts, the .NET solution for contract specifications. CodeContracts consist of a language and compiler-agnostic API to express contracts, and of a set of tools to automatically generate the documentation and to perform dynamic and static verification. The CodeContracts API is part of .NET since v4, the tool...
Article
Full-text available
We consider the problem of synthesizing provably non-overflowing integer arithmetic expressions or Boolean relations among integer arithmetic expressions. First we use a numerical abstract domain to infer numerical properties among program variables. Then we check if those properties guarantee that a given expression does not overflow. If this is n...
Patent
Full-text available
In one embodiment, a computer system identifies a portion of software code that is to be verified using invariants. The computer system infers invariants from the software code portion at a join point. The linear inequalities of the invariants include a first abstract domain that includes linear equalities among variables, and a second, different a...
Book
We describe our ongoing effort of moving a desktop static analyzer, Clousot, into a cloud-based one, Cloudot. A cloud-based static analyzer runs as a service. Clients issue analysis requests through the local network or over the internet. The analysis takes advantage of the large computation resources offered by the cloud: the underlying infrastruc...
Conference Paper
Full-text available
We consider the problem of automatic precondition inference. We argue that the common notion of sufficient precondition inference (i.e., under which precondition is the program correct?) imposes too large a burden on callers, and hence it is unfit for automatic program analysis. Therefore, we define the problem of necessary precondition inference (...
Conference Paper
We present a new static analysis to infer necessary field conditions for object-oriented programs. A necessary field condition is a property that should hold on the fields of a given object, for otherwise there exists a calling context leading to a failure due to bad object state. Our analysis also infers the provenance of the necessary condition,...
Article
Full-text available
We motivate, define and design a simple static analysis to check that comparisons of floating point values use compatible bit widths and thus compatible precision ranges. Precision mismatches arise due to the difference in bit widths of processor internal floating point registers (typically 80 or 64 bits) and their corresponding widths when stored...
Article
Full-text available
We present SIDE, a Semantic Integrated Development Environment. SIDE uses static analysis to enrich existing IDE features and also adds new features. It augments the way existing compilers find syntactic errors - in real time, as the programmer is writing code without execution - by also finding semantic errors, e.g., arithmetic expressions that ma...
Conference Paper
We study the problem of suggesting code repairs at design time, based on the warnings issued by modular program verifiers. We introduce the concept of a verified repair, a change to a program's source that removes bad execution traces while increasing the number of good traces, where the bad/good traces form a partition of all the traces of a progr...
Article
Full-text available
Method extraction is a common refactoring feature provided by most modern IDEs. It replaces a user-selected piece of code with a call to an automatically generated method. We address the problem of automatically inferring contracts (precondition, postcondition) for the extracted method. We require the inferred contract: (a) to be valid for the extr...
Article
Full-text available
Integrating tools and extensions into existing languages, compilers, debuggers, and IDEs can be difficult, work-intensive, and often results in a one-off integration. In this paper, we report on our experience of building and integrating the CodeContract tool set into an existing programming environment. The CodeContract tools enable 1) authoring o...
Conference Paper
In this tutorial I will report our experience with CodeContracts [5], and in particular with its static checker (cccheck/clousot) [6]. CodeContracts are a language-agnostic solution to the specification problem. Preconditions, postconditions and object invariants are with opportune method calls acting as specification markers [4]. The CodeContracts...
Article
We introduce SubPolyhedra (SubPoly), a new family of numerical abstract domains to infer and propagate linear inequalities. The key insight is that the reduced product of linear equalities and intervals produces powerful yet scalable analyses. Abstract domains in SubPoly are as expressive as Polyhedra, but they drop some of the deductive power to a...
Conference Paper
Full-text available
We introduce FunArray, a parametric segmentation abstract domain functor for the fully automatic and scalable analysis of array content properties. The functor enables a natural, painless and efficient lifting of existing abstract domains for scalar variables to the analysis of uniform compound data-structures such as arrays and collections. The an...
Conference Paper
CodeContracts provide a language agnostic way to specify and check preconditions, postconditions and object invariants (collectively called contracts [17]). Specifications take the form of calls to static methods of a Contract library [7]. The authoring library is available out-of-the-box to all .NET programmers from υ4.
Conference Paper
Full-text available
Programmers often insert assertions in their code to be optionally checked at runtime, at least during the debugging phase. In the context of design by contracts, these assertions would better be given as a precondition of the method/procedure which can detect that a caller has violated the procedure’s contract in a way which definitely leads to an...
Article
Full-text available
In the context of program design by contracts, programmers often insert assertions in their code to be optionally checked at runtime, at least during the debugging phase. These assertions would better be given as a precondition of the method/procedure in which they appear. Potential errors would be discovered earlier and, more importantly, the prec...
Article
Tracing just-in-time compilers (TJITs) determine frequently executed traces (hot paths and loops) in running programs and focus their optimization effort by emitting optimized machine code specialized to these traces. Prior work has established this strategy to be especially beneficial for dynamic languages such as JavaScript, where the TJIT interf...
Conference Paper
Full-text available
Tracing just-in-time compilers (TJITs) determine frequently executed traces (hot paths and loops) in running programs and focus their optimization effort by emitting optimized machine code specialized to these traces. Prior work has established this strategy to be especially beneficial for dy- namic languages such as JavaScript, where the TJIT inte...
Article
We introduce Pentagons (Pntg), a weakly relational numerical abstract domain useful for the validation of array accesses in byte-code and intermediate languages (IL). This abstract domain captures properties of the form of x∈[a,b]∧x<y. It is more precise than the well known Interval domain, but it is less precise than the Octagon domain.The goal of...
Conference Paper
We introduce RATA, a static analysis based on abstract in- terpretation for the rapid inference of atomic types in JavaScript pro- grams. RATA enables aggressive type specialization optimizations in dy- namic languages. RATA is a combination of an interval analysis (to de- termine the range of variables), a kind analysis (to determine if a variable...
Conference Paper
Full-text available
Specifying application interfaces (APIs) with information that goes beyond method argument and return types is a long-standing quest of programming language researchers and practitioners. The number of type system extensions or specification languages is a testament to that. Unfortunately, the number of such systems is also roughly equal to the num...
Conference Paper
Full-text available
We present an overview of Clousot, our current tool to statically check CodeContracts. CodeContracts enable a compiler and language-independent specification of Contracts (precondition, postconditions and object invariants). Clousot checks every method in isolation using an assume/guarantee reasoning: For each method under analysis Clousot assumes...
Conference Paper
We focus our attention on the loss of precision induced by abstract domain operations. We introduce a new technique, hints, which allows us to systematically rene the operations dened over elements of an abstract domain. We formally dene hints in the abstract inter- pretation theory, we prove their soundness, and we characterize two families of hin...
Conference Paper
In SCOPE, a SQL style cloud-level data-mining scripting language, table processing capabilities are often provided by user defined .NET methods. The SCOPE compiler can optimize a query plan if it knows certain dataflow relations between the input and output tables, such as column independence, column equality, or that a column’s values are non-null...
Article
We present a generic framework for the automatic and modular inference of sound class invariants for class-based object-oriented languages. We define a trace-based semantics for classes which considers all possible orderings, with all possible arguments, of invocations of all the methods of a class. We prove a correspondence theorem between such a...
Conference Paper
We introduce Subpolyhedra (SubPoly) a new numerical abstract domain to infer and propagate linear inequalities. Subpoly is as expressive as Polyhedra, but it drops some of the deductive power to achieve scalability. Subpoly is based on the insight that the reduced product of linear equalities and intervals produces powerful yet scalable analyses. P...
Conference Paper
Full-text available
This demonstration presents two tools, Code Con-tracts and Pex, that utilize specification constructs for advanced testing, runtime checking, and static checking of object-oriented .NET programs.
Article
We aim to extend the notion of distance of sets to partially ordered sets (posets). We discuss several possible definitions, and we propose a relaxed definition of distance between elements of a domain. We apply it in the abstract interpretation theory, and we show in some preliminary examples how it seems well suited to formally quantify the relat...
Article
Full-text available
A generic semantic-based framework is presented for the definition and manipulation of class hierarchies for object-oriented languages. The framework is based on the notion of observable of a class, i.e. an abstrac-tion of its semantics when focussing on a behavioral property of interest. By exploiting such a notion, we define the semantic subclass...
Conference Paper
Full-text available
The .NET intermediate language (MSIL) allows expressing both statically verifiable memory and type safe code (typically called managed), as well as unsafe code using direct pointer manipulations. Unsafe code can be expressed in C# by marking regions of code as unsafe. Writing unsafe code can be useful where the rules of managed code are too strict....
Conference Paper
Full-text available
We discuss the challenges faced by bytecode analyzers designed for code verification compared to similar analyzers for source code. While a bytecode-level analysis brings many simplifications, e.g., fewer cases, independence from source syntax, name resolution, etc., it also introduces precision loss that must be recovered either via preprocessing,...
Conference Paper
Full-text available
We introduce Pentagons (Pentagons ), a weakly relational numerical abstract domain useful for the validation of array accesses in byte-code and intermediate languages (IL). This abstract domain captures properties of the form of x in [a, b] && x < y. It is more precise than the well known Interval domain, but it is less precise than the Octagon dom...
Conference Paper
Formal techniques can help analyze programs, precisely describe program behavior, and verify program properties. Newer languages such as Java and C# provide good platforms to bridge the gap between formal techniques and practical program development, because of their reasonably clear semantics and standardized libraries. Moreover, these languages a...
Article
Full-text available
Formal techniques can help analyze programs, precisely describe program behavior, and verify program properties. Newer languages such as Java and C# provide good platforms to bridge the gap between formal techniques and practical program development, because of their reasonably clear semantics and standardized libraries. Moreover, these languages a...
Conference Paper
Full-text available
Software security has become more important than ever. Unfortunately, still now, the security of a software system is almost always retrofitted to an afterthought. When security problems arise, understanding and correcting them can be very challenging. On the one hand, the program analysis research community has created numerous static and dynamic...
Article
Full-text available
This volume contains the proceedings of the Bytecode 2007 workshop, the Second Workshop on Bytecode Semantics, Verification, Analysis and Transformation, held in Braga, Portugal, on the 31st of March 2007 as part of ETAPS 2007. Bytecode, such as produced by e.g. Java and .NET compilers, has become an important topic of interest, both for industry a...
Conference Paper
We introduce Cibai a generic static analyzer based on ab-stract interpretation for the modular analysis and verification of Java classes. We present the abstract semantics and the underlying abstract domain, a combination of an aliasing analysis and octagons. We discuss some implementation issues, and we compare Cibai with similar tools, showing ho...
Article
Full-text available
We extend an existing points-to analysis for Java in two ways. First, we fully support .NET which has structs and parameter passing by reference. Second, we increase the precision for calls to non- analyzable methods. A method is non-analyzable when its code is not available either because it is abstract (an interface method or an abstract class me...
Article
Software security has become more important than ever. Un- fortunately, still now, the security of a software system is almost always retrofitted to an afterthought. When security problems arise, understand- ing and correcting them can be very challenging. On the one hand, the program analysis research community has created numerous static and dyna...
Conference Paper
Full-text available
A semantics-based framework is presented for the definition and manipulation of class hierarchies for object-oriented languages. The framework is based on the notion of observable of a class, i.e., an abstrac- tion of its semantics when focusing on a behavioral property of interest. We define a semantic subclass relation, capturing the fact that a...
Conference Paper
This paper describes a sound technique that combines the precision of theorem proving with the loop-invariant inference of abstract interpretation. The loop-invariant computations are invoked on demand when the need for a stronger loop invariant arises, which allows a gradual increase in the level of precision used by the abstract interpreter. The...
Article
Full-text available
The aim of this position paper is to draw a quick overview of the main contributions in abstract interpretation of object-oriented programs, and to draw possible lines of research in this field.
Conference Paper
Full-text available
This chapter investigates a formal approach to the verification of non-functional software requirements that are crucial in Service-oriented Systems, like portability, time and space efficiency, and dependability/robustness. The key-idea is the notion of observable, i.e., an abstraction of the concrete semantics when focusing on a behavioral proper...
Article
Full-text available
In mainstream object oriented languages the subclass relation is defined in terms of subtyping, i.e. a class A is a subclass of B if the type of A is a subtype of B. In this paper this notion is extended to consider arbitrary class properties obtained by a modular static analysis of the class. In such a setting, the subclass relation boils down to...
Article
The University of Pennsylvania Working Papers in Linguistics (PWPL) is an occasional series published by the Penn Linguistics Club. The series has included volumes of previously unpublished work, or work in progress, by linguists with an ongoing affiliation with the Department, as well as volumes of papers from NWAV and the Penn Linguistics Colloqu...
Article
We presented a framework for the modular analysis of object-oriented languages. We defined a liberal and generic trace semantics for class-bases object-oriented languages and we proved it sound and complete w.r.t. a trace semantics for object-oriented programs. We derived systematically the equations characterizing class invariants as an abstractio...
Conference Paper
We present a separate compositional analysis for objectoriented languages. We show how a generic static analysis of a context that uses an object can be split into two separate semantic functions involving respectively only the context and the object. The fundamental idea is to use a regular expressions for approximating the interactions between th...
Article
Dans la thèse nous présentons un cadre pour l'analyse statique de langages orientés objets qui tient compte des propriétés de modularité de ces langages. Il y a plusieurs défis à relever pour obtenir une analyse statique efficace de langages orientés objet. Tout d'abord, elle doit gérer les particularités de ces langages telles que l'héritage, le p...
Conference Paper
We present a generic framework for the automatic and modular inference of sound class invariants for class-based object oriented languages. The idea is to derive a sound class invariant as a conservative abstraction of the class semantics. In particular we show how a class invariant can be characterized as the solution of a set of equations extract...
Article
In this paper we present a generic constraint domain for symbolic modular analysis. The idea is that the semantics of a module can be approximated by a set of relations symbolically linking the input, output and local variables. We show how this result is correct w.r.t. a trace semantics, and how it can be used to perform an (incremental) modular a...
Conference Paper
In this paper we address the problem of performing a class static analysis in a modular fashion, i.e. by just analyzing the class code and not the full program. In particular we show two things: the first one is how starting from a class C we can derive an approximation Ca to be used either as a class documentation or as a tester for a client using...
Article
In this paper we address the problem of performing a class static analysis in a modular fashion, i.e. by just analyzing the class code and not the full program. In particular we show two things: the first one is how starting from a class C we can derive an approximation C to be used either as a class documentation or as a tester for a client using...
Article
In this paper we propose a fully semantic-based framework for performance evaluation. This framework is intended to be used in early stages of system design, as a tool for taking decision. More exactly, the idea is to sketch the system in a prototyping language, as pi-calculus and then to use our framework to derive its performance, parameterized b...
Article
This paper presents anew technique forcombining theinference power of abstractinterpretation withthe precision and flexibilityofan automatic satisfiability- modulo-theories theorem prover.

Projects

Project (1)
Project
I worked on detecting problematic data flows in PHP/Hack and Python that could lead to security or privacy issues.