Issue No.04 - April (2013 vol.39)
pp: 516-536
Xiaoyin Wang, Peking University, Beijing
Lu Zhang, Peking University, Beijing
Tao Xie, North Carolina State University, Raleigh
Hong Mei, Peking University, Beijing
Jiasu Sun, Peking University, Beijing
ABSTRACT
Nowadays, a software product usually faces a global market. To meet the requirements of different local users, the software product must be internationalized. In an internationalized software product, user-visible hard-coded constant strings are externalized to resource files so that local versions can be generated by translating the resource files. In many cases, a software product is not internationalized at the beginning of the software development process. To internationalize an existing product, the developers must locate the user-visible constant strings that should be externalized. This locating process is tedious and error-prone due to 1) the large number of both user-visible and non-user-visible constant strings and 2) the complex data flows from constant strings to the Graphical User Interface (GUI). In this paper, we propose an automatic approach to locating need-to-externalize constant strings in the source code of a software product. Given a list of precollected API methods that output values of their string argument variables to the GUI and the source code of the software product under analysis, our approach traces from the invocation sites (within the source code) of these methods back to the need-to-externalize constant strings using generalized string-taint analysis. In our empirical evaluation, we used our approach to locate need-to-externalize constant strings in the uninternationalized versions of seven real-world open source software products. The results of our evaluation demonstrate that our approach is able to effectively locate need-to-externalize constant strings in uninternationalized software products. Furthermore, to help developers understand why a constant string requires translation and properly translate the need-to-externalize strings, we provide visual representation of the string dependencies related to the need-to-externalize strings.
INDEX TERMS
Software, Graphical user interfaces, Prototypes, Java, Libraries, Production, Globalization, string-taint analysis, Software internationalization, need-to-externalize constant strings
CITATION
Xiaoyin Wang, Lu Zhang, Tao Xie, Hong Mei, Jiasu Sun, "Locating Need-to-Externalize Constant Strings for Software Internationalization with Generalized String-Taint Analysis", IEEE Transactions on Software Engineering, vol.39, no. 4, pp. 516-536, April 2013, doi:10.1109/TSE.2012.40