Abstract: A novel system, computer program product, and method are disclosed for transforming a program to facilitate points-to analysis. The method begins with accessing at least a portion of program code, such as JavaScript. In one example, a method with at least one dynamic property correlation is identified for extraction. When a method m is identified for extraction with the dynamic property correlation, a body of the loop l in the method m is extracted. A new method mp is created to include the body of the loop l with the variable i as a parameter. The loop l is substituted in the program code of the method m with the new method mp to create a transformed program code.

Abstract: Systems and methods are provided for creating a data structure associated with a software application that is based on at least one framework. According to the method, at least one Java Server Page file associated with the software application is analyzed. The Java Server Page (JSP) file includes at least one call to at least one library tag, and at least one Expression Language (EL) expression. A set of tag library usage information for the JSP file is generated based. The set of tag library usage information includes at least one variable, and a value of the at least one variable created by the at least one call. The EL expression is evaluated based on the variable and the value of the variable. A data structure is created for a static analysis engine based on EL expression. The data structure includes at least one Java expression representing the EL expression.

Abstract: Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

Abstract: Disclosed is a novel computer implemented system, on demand service, computer program product and a method that provides a set of lock usages that improves concurrency resulting in execution performance of the software application by reducing lock contention through refactoring. More specifically, disclosed is a method to refactor a software application. The method starts with accessing at least a portion of a software application that can execute in an operating environment where there are more two or more threads of execution. Next, a determination is made if there is at least one lock used in the software application to enforce limits on accessing a resource. In response to determining that there is a lock with a first type of construct with a given set of features, the software application is refactored with the lock to preserve behavior of the software application.

Abstract: A method includes determining selected global variables in a program for which flow of the selected global variables through the program is to be tracked. The selected global variables are less than all the global variables in the program. The method includes using a static analysis performed on the program, tracking flow through the program for the selected global variables. In response to one or more of the selected global variables being used in security-sensitive operations in the flow, use is analyzed of each one of the selected global variables in a corresponding security-sensitive operation. In response to a determination the use may be a potential security violation, the potential security violation is reported. Apparatus and computer program products are also disclosed.

Abstract: Systems, methods are program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.

Abstract: Systems and methods are provided for statically analyzing a software application that is based on at least one framework. According to the method, source code of the software application and a specification associated with the software application are analyzed. The specification includes a list of synthetic methods that model framework-related behavior of the software application, and a list of entry points indicating the synthetic methods and/or application methods of the software application that can be invoked by the framework. Based on the source code and the specification, intermediate representations for the source code and the synthetic methods are generated. Based on the intermediate representations and the specification, call graphs are generated to model which application methods of the software application invoke synthetic methods or other application methods of the software application.

Abstract: Systems and methods are provided for creating a data structure associated with a software application that is based on at least one framework. According to the method, source code and at least one configuration file of the software application is analyzed by at least one framework-specific processor so as to determine entry point information indicating entry points in the source code, request attribute access information indicating where attributes attached to a request data structure are read and written, and forward information indicating forwards performed by the software application. A data structure for a static analysis engine is created based on this information. The data structure includes a list of synthetic methods that model framework-related behavior of the software application, and a list of entry points indicating the synthetic methods and/or application methods of the software application that can be invoked by the framework.

Abstract: Automated refactorings as implemented in modern IDEs for Java usually make no special provisions for concurrent code. Thus, refactored programs may exhibit unexpected new concurrent behaviors. We analyze the types of such behavioral changes caused by current refactoring engines and develop techniques to make them behavior-preserving, ranging from simple techniques to deal with concurrency-related language constructs to a framework that computes and tracks synchronization dependencies. By basing our development directly on the Java Memory Model we can state and prove precise correctness results about refactoring concurrent programs. We show that a broad range of refactorings are not influenced by concurrency at all, whereas other important refactorings can be made behavior-preserving for correctly synchronized programs by using our framework. Experience with a prototype implementation shows that our techniques are easy to implement and require only minimal changes to existing refactoring engines.

Abstract: A technique for feedback-directed call graph expansion includes performing symbolic analysis on an interprocedural control flow graph representation of software code, skipping over a virtual method call in the control flow graph, using information obtained from the symbolic analysis as feedback to identify a target of the virtual method call, and iterating the symbolic analysis on a modified version of the control flow graph that associates the target with the virtual method.

Abstract: A method of detecting a datarace between first and second memory accesses within a program, including: determining whether the first and second memory accesses are to the same memory location; determining whether the first and second memory accesses are executed by different threads in the program; determining whether the first and second memory accesses are guarded by a common synchronization object; and determining whether there is an execution ordering enforced between the first and second memory accesses.

Abstract: A method of detecting a datarace between first and second memory accesses within a program, including: determining whether the first and second memory accesses are to the same memory location; determining whether the first and second memory accesses are executed by different threads in the program; determining whether the first and second memory accesses are guarded by a common synchronization object; and determining whether there is an execution ordering enforced between the first and second memory accesses.

Abstract: A method of detecting a datarace between first and second memory accesses within a program, including: determining whether the first and second memory accesses are to the same memory location; determining whether the first and second memory accesses are executed by different threads in the program; determining whether the first and second memory accesses are guarded by a common synchronization object; and determining whether there is an execution ordering enforced between the first and second memory accesses.