Sam Blackshear's research while affiliated with Meta and other places

Publications (15)

Preprint
Full-text available
The Move language provides abstractions for programming with digital assets via a mix of value semantics and reference semantics. Ensuring memory safety in programs with references that access a shared, mutable global ledger is difficult, yet essential for the use-cases targeted by Move. The language meets this challenge with a novel memory model a...
Preprint
Full-text available
A program that maintains key safety properties even when interacting with arbitrary untrusted code is said to enjoy \emph{robust safety}. Proving that a program written in a mainstream language is robustly safe is typically challenging because it requires static verification tools that work precisely even in the presence of language features like d...
Chapter
Full-text available
The Libra blockchain is designed to store billions of dollars in assets, so the security of code that executes transactions is important. The Libra blockchain has a new language for implementing transactions, called “Move.” This paper describes the Move Prover, an automatic formal verification system for Move. We overview the unique features of the...
Preprint
Smart contracts are programs that implement transactions on modern blockchain platforms. In this rapidly evolving environment, smart-contract programming languages must allow users to write programs that flexibly manage and transfer assets, while providing strong protection against sophisticated attacks. Addressing this need, we present flexible an...
Article
Full-text available
Automatic static detection of data races is one of the most basic problems in reasoning about concurrency. We present RacerD—a static program analysis for detecting data races in Java programs which is fast, can scale to large code, and has proven effective in an industrial software engineering scenario. To our knowledge, RacerD is the first inter-...
Article
We present jumping, a form of selective control-flow abstraction useful for improving the scalability of goal-directed static analyses. Jumping is useful for analyzing programs with complex control-flow such as event-driven systems. In such systems, accounting for orderings between certain events is important for precision, yet analyzing the produc...
Conference Paper
We present an approach and tool for general-purpose modeling of Android for static analysis. Our approach is to explicate the reflective bridge between the Android framework and an application to make the framework source amenable to static analysis. Our Droidel tool does this by automatically generating application-specific stubs that summarize th...
Article
We introduce Verification Modulo Versions (VMV), a new static analysis technique for reducing the number of alarms reported by static verifiers while providing sound semantic guarantees. First, VMV extracts semantic environment conditions from a base program P. Environmental conditions can either be sufficient conditions (implying the safety of P)...
Article
The increasingly larger selection of mobile apps has made it difficult for users to understand what a particular app does and how it differs from the others. A user typically learns about an app from the app's public information (while deciding whether to install it), from the app's UI (while exploring the UI), and from the app's actual behaviors (...
Conference Paper
Modular assertion checkers are plagued with false alarms due to the need for precise environment specifications (preconditions and callee postconditions). Even the fully precise checkers report assertion failures under the most demonic environments allowed by unconstrained or partial specifications. The inability to preclude overly adversarial envi...
Article
We present a precise, path-sensitive static analysis for reasoning about heap reachability, that is, whether an object can be reached from another variable or object via pointer dereferences. Precise reachability information is useful for a number of clients, including static detection of a class of Android memory leaks. For this client, we found t...
Conference Paper
Full-text available
We present techniques for determining the precision gap between Andersen's points-to analysis and precise flow-insensitive points-to analysis in practice. While previous work has shown that such a gap may exist, no efficient algorithm for precise flow-insensitive analysis is known, making measurement of the gap on real-world programs difficult. We...

Citations

... Data races form a popular category of bugs in shared-memory systems (including Go) and have been the focus of many proposals to detect them in the last three decades [1,30]. Two techniques for data race detection are popular: static analysis [28,41,42,61,71,84] and dynamic analysis [27,39,43,44,48,57,58,66,69,74,76,77,80]. Google's Go distribution ships with a built-in dynamic data race detector [10] based on ThreadSanitizer [79], which integrates lock-set [76] and happens-before [44,66] algorithms to report races. ...
... In a literature review of static analysis tools for Android apps [20], the authors looked at multiple tools and their precision. One of their findings is that path sensitivity was often overlooked, with only 5 out of the 30 surveyed tools providing it: Woodpecker [16], Apparecium [32], Anadroid [21], THRESHER [5] and ContentScope [36]. ...
... EdgeMiner [11] and Scandal [29] model the registration of callbacks. Droidel [9] also captures callback registration by modeling the reflection calls inside the Android framework code. Similarly, Pasket [25] automatically learns implementations of framework classes that behave according to particular design patterns. ...
... The result showed that most tools support a few of the five sensitivities, and the number of sensitivities supported by these tools varies. Hopper [4] and Thresher [3] are the only two tools that support all five sensitivities, but they integrate sensitivity into the algorithm designed for concrete analysis tasks, which makes them difficult to extend. ...
... There has been work on equivalence checking of sequential executions across program versions using uninterpreted function abstraction and program verifiers [11,16]. Verification Modulo Versions [17,18] compares two sequential programs w.r.t. a set of assertions. Differential symbolic execution [21] summarizes differences in summaries of two procedures, and Marinescu et al. [20] use symbolic execution for generating tests over program differences. ...
... The drastic consequences of small program changes on verification tools are sometimes recognized as verification's "butterfly effect" [Leino and Pit-Claudel 2016]. Many program analysis techniques exhibit brittle behaviors [Karpenkov et al. 2016; Logozzo et al. 2014]. This may be in line with the inherent hardness; for instance, the class of programs for which an abstract interpreter is complete is undecidable [Giacobazzi et al. 2015]. ...
... We note that there are many other approaches interested in detecting anti-patterns at the code level, as introduced by Morales et al. (2016) and Alharbi et al. (2014). However, it has been noted that anti-pattern detection at the design level reduces many code anti-patterns and is more general. ...
... Memory leaks impact a considerable number of real Android apps, as has been shown in the recent work by Toffalini et al. [14], and therefore a number of solutions to detect them have been proposed in the literature. Since memory leaks are usually due to bad programming practices that negatively impact the app's memory usage, several source code static analysis approaches have been proposed in the literature to detect possible root causes of Android memory leaks [15], [19]–[22]. A key limitation of these approaches is that they focus only on subsets of bad practices. ...
... More recently, other kinds of program features have been used to statistically classify analysis alarms [39,11,34,77]. Further out, there is a large body of work on using statistical techniques for mining likely specifications and reporting anomalies as bugs (e.g., [60,52,43,72]) and for improving the performance of static analyzers (e.g., [32,33,17]). ...
... Inclusion-based points-to analysis [5] is more precise than equality-based analysis. A study by Blackshear et al. [9] shows that "The precision gap between Andersen's and precise flow-insensitive analysis is non-existent in practice." An inclusion-based points-to analysis collects a set of inclusion constraints from the input program and constructs a constraint graph. ...