Published July 15, 2023 | Version 2
Software Open

Historia: Refuting Callback Reachability with Message-History Logics (Artifact)

  • 1. University of Colorado Boulder
  • 2. LIX, École Polytechnique, CNRS, Institut Polytechnique de Paris

Description

This is the artifact for the paper Historia: Refuting Callback Reachability with Message-History Logics and contains the implementation and open source Android applications used for evaluation. Please see README.pdf in the archive for instructions.


This paper considers the callback reachability problem — determining if a callback can be called by an event-driven framework in an unexpected state. Event-driven programming frameworks are pervasive for creating user-interactive applications (apps) on just about every modern platform. Control flow between callbacks is determined by the framework and largely opaque to the programmer. This opacity of the callback control flow not only causes difficulty for the programmer but is also difficult for those developing static analysis. Previous static analysis techniques address this opacity either by assuming an arbitrary framework implementation or attempting to eagerly specify all possible callback control flow, but this is either too coarse to prove properties requiring callback-ordering constraints or too burdensome and tricky to get right. Instead, we present a middle way where the callback control flow can be gradually refined in a targeted manner to prove assertions of interest. The key insight to get this middle way is by reasoning about the history of method invocations at the boundary between app and framework code — enabling a decoupling of the specification of callback control flow from the analysis of app code. We call the sequence of such boundary-method invocations message histories and develop message-history logics to do this reasoning. In particular, we define the notion of an application-only transition system with boundary transitions, a message-history program logic for programs with such transitions, and a temporal specification logic for capturing callback control flow in a targeted and compositional manner. Then to utilize the logics in a goal-directed verifier, we define a way to combine after-the-fact an assertion about message histories with a specification of callback control flow. We implemented a prototype message history-based verifier called Historia and provide evidence that our approach is uniquely capable of distinguishing between buggy and fixed versions on challenging examples drawn from real-world issues and that our targeted specification approach enables proving the absence of multi-callback bug patterns in real-world open-source Android apps.

Files

One archive, 6.7 GB, md5:673d5f2a647da15cee7843fd32a437f6

Additional details

Related works

Is cited by
Conference paper: 10.1145/3622865 (DOI)