243793 – dflow pointcut

Bug 243793 - dflow pointcut

Summary: dflow pointcut

Status:	NEW

Alias:	None

Product:	AspectJ
Classification:	Tools
Component:	Runtime (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P3 enhancement (vote)
Target Milestone:	---
Assignee:	aspectj inbox
QA Contact:

URL:	www.graco.c.u-tokyo.ac.jp/~masuhara/p...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2008-08-11 13:43 EDT by Rohit Sethi
Modified:	2008-08-11 18:58 EDT (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rohit Sethi

2008-08-11 13:43:04 EDT

The dflow pointcut, as specified by Hidehiko Masuhara and Kazunori Kawauchi in the  follwoing paper: www.graco.c.u-tokyo.ac.jp/~masuhara/papers/aplas2003.pdf

Essentially this pointcut tracks where data originates from. I believe the paper authors made a reference implementation for another language, so perhaps you could contact them and use that as a starting point.

Implementing this would have significant impact in securing Java EE applications, since we could develop standard libraries that track data from source to sink. Just before reaching the sink point, we could apply appropriate encoding and/or validation prior to data being consumed. In addition, the compiler could eventually provide optimization on what might otherwise be an expensive pointcut.

Comment 1 Eric Bodden

2008-08-11 15:28:08 EDT

Does anybody know if a performance evaluation of this feature has been done in the meantime? If I remember correctly then the evaluation of the pointcut could potentially be very expensive without (whole-program?) optimizations.

Comment 2 Rohit Sethi

2008-08-11 16:50:38 EDT

I haven't seen any performance evaluations - admittedly I've only done simple google searching. My guess is that you're correct and performance impact is very high; would clearly documenting (e.g. in the programmers guide) the potential performance impact be an adequate compensating control for this?

Comment 3 Eric Bodden

2008-08-11 16:58:29 EDT

(In reply to comment #2)
> would clearly documenting (e.g. in the programmers guide) the
> potential performance impact be an adequate compensating control for this?


I guess that depends on how high the overhead really is. If it is prohibitively high then I wonder whether it's worth the effort at all. We should maybe ask Hidehiko for his opinion.

Comment 4 Rohit Sethi

2008-08-11 18:58:48 EDT

(In reply to comment #3)
> (In reply to comment #2)
> > would clearly documenting (e.g. in the programmers guide) the
> > potential performance impact be an adequate compensating control for this?
> 
> 
> I guess that depends on how high the overhead really is. If it is prohibitively
> high then I wonder whether it's worth the effort at all. We should maybe ask
> Hidehiko for his opinion.
> 

I tried to contact Hidehiko earlier about implementing the dflow pointcut in AspectJ and didn't get any response. Perhaps you guys will be more successful given that you are developers for AspectJ.