Showing papers presented at "Static Analysis Symposium in 2004"
26 Aug 2004
TL;DR: By some efficient simplifications and approximations to the quantifier elimination procedure, not only does the method scale to higher dimensions, but also enjoys performance advantages for some larger examples.
Abstract: Linear-relations analysis of transition systems discovers linear invariant relationships among the variables of the system. These relationships help establish important safety and liveness properties. Efficient techniques for the analysis of systems using polyhedra have been explored, leading to the development of successful tools like HyTech. However, existing techniques rely on the use of approximations such as widening and extrapolation in order to ensure termination. In an earlier paper, we demonstrated the use of Farkas Lemma to provide a translation from the linear-relations analysis problem into a system of constraints on the unknown coefficients of a candidate invariant. However, since the constraints in question are non-linear, a naive application of the method does not scale. In this paper, we show that by some efficient simplifications and approximations to the quantifier elimination procedure, not only does the method scale to higher dimensions, but also enjoys performance advantages for some larger examples.
123 citations
26 Aug 2004
TL;DR: This work specifies an information flow analysis for a simple imperative language, using a Hoare-like logic that facilitates static checking of a larger class of programs than can be checked by extant type-based approaches.
Abstract: We specify an information flow analysis for a simple imperative language, using a Hoare-like logic. The logic facilitates static checking of a larger class of programs than can be checked by extant type-based approaches in which a program is deemed insecure when it contains an insecure subprogram. The logic is based on an abstract interpretation of program traces that makes independence between program variables explicit. Unlike other, more precise, approaches based on a Hoare-like logic, our approach does not require a theorem prover to generate invariants. We demonstrate the modularity of our approach by showing that a frame rule holds in our logic. Moreover, given an insecure but terminating program, we show how strongest postconditions can be employed to statically generate failure explanations.
122 citations
26 Aug 2004
TL;DR: Having observed the problems that procedural side effects cause, a bottom-up phase is developed that constructs concise procedure summaries in a manner that permits their subsequent removal, resulting in an efficient two-phase pointer analysis in the style of Andersen that is simultaneously bottom- up and top-down context-sensitive.
Abstract: This paper addresses scalability and accuracy of summary-based context-sensitive pointer analysis formulated as a two-phase computation. The first phase, or bottom-up phase, propagates procedure summaries from callees to callers. Then, the second phase, or top-down phase, computes the actual pointer information. These two phases can be independently context-sensitive. Having observed the problems that procedural side effects cause, we developed a bottom-up phase that constructs concise procedure summaries in a manner that permits their subsequent removal. This transformation results in an efficient two-phase pointer analysis in the style of Andersen [1] that is simultaneously bottom-up and top-down context-sensitive. Context sensitivity becomes inherent to even a context-insensitive analysis allowing for an accurate and efficient top-down phase. The implemented context-sensitive analysis exhibits scalability comparable to that of its context-insensitive counterpart. For instance, to analyze 176.gcc, the largest C benchmark in SPEC 2000, our analysis takes 190 seconds as opposed to 44 seconds for the context-insensitive analysis. Given the common practice of treating recursive subgraphs context-insensitively, its accuracy is equivalent to an analysis which completely inlines all procedure calls.
90 citations
26 Aug 2004
TL;DR: This paper presents the Blast specification language, a two-level specification language used to break down a verification task into several independent calls of the model-checking engine and provides a means for structuring and maintaining specifications.
Abstract: Blast is an automatic verification tool for checking temporal safety properties of C programs. Blast is based on lazy predicate abstraction driven by interpolation-based predicate discovery. In this paper, we present the Blast specification language. The language specifies program properties at two levels of precision. At the lower level, monitor automata are used to specify temporal safety properties of program executions (traces). At the higher level, relational reachability queries over program locations are used to combine lower-level trace properties. The two-level specification language can be used to break down a verification task into several independent calls of the model-checking engine. In this way, each call to the model checker may have to analyze only part of the program, or part of the specification, and may thus succeed in a reduction of the number of predicates needed for the analysis. In addition, the two-level specification language provides a means for structuring and maintaining specifications.
88 citations
26 Aug 2004
TL;DR: A new numeric abstract domain called octahedron that represents constraints of the form (± x j ± ... ± x k ≥ c), where x i are numerical variables such that x i ≥ 0.
Abstract: An interesting area in static analysis is the study of numeric properties. Complex properties can be analyzed using abstract interpretation, provided that an adequate abstract domain is defined. Each domain can represent and manipulate a family of properties, providing a different trade-off between the precision and complexity of the analysis. The contribution of this paper is a new numeric abstract domain called octahedron that represents constraints of the form (± x j ± ... ± x k ≥ c), where x i are numerical variables such that x i ≥ 0. The implementation of octahedra is based on a new kind of decision diagrams called Octahedron Decision Diagrams (OhDD).
83 citations
26 Aug 2004
TL;DR: A method for generating polynomial invariants of imperative programs is presented using the abstract interpretation framework and it is shown that for programs withPolynomial assignments, an invariant consisting of a conjunction of polynomials can be automatically generated for each program point.
Abstract: A method for generating polynomial invariants of imperative programs is presented using the abstract interpretation framework. It is shown that for programs with polynomial assignments, an invariant consisting of a conjunction of polynomial equalities can be automatically generated for each program point. The proposed approach takes into account tests in conditional statements as well as in loops, insofar as they can be abstracted to be polynomial equalities and disequalities. The semantics of each statement is given as a transformation on polynomial ideals. Merging of paths in a program is defined as the intersection of the polynomial ideals associated with each path. For a loop junction, a widening operator based on selecting polynomials up to a certain degree is proposed. The algorithm for finding invariants using this widening operator is shown to terminate in finitely many steps. The proposed approach has been implemented and successfully tried on many programs. A table providing details about the programs is given.
76 citations
26 Aug 2004
TL;DR: This paper addresses the verification of properties of imperative programs with recursive procedure calls, heap-allocated storage, and destructive updating of pointer-valued fields – i.e., interprocedural shape analysis.
Abstract: This paper addresses the verification of properties of imperative programs with recursive procedure calls, heap-allocated storage, and destructive updating of pointer-valued fields – i.e., interprocedural shape analysis. It presents a way to harness some previously known approaches to interprocedural dataflow analysis – which in past work have been applied only to much less rich settings – for interprocedural shape analysis.
56 citations
26 Aug 2004
TL;DR: One of the continuing challenges in abstract interpretation is the creation of abstractions that yield analyses that are both tractable and precise enough to prove interesting properties about real-world programs.
Abstract: One of the continuing challenges in abstract interpretation is the creation of abstractions that yield analyses that are both tractable and precise enough to prove interesting properties about real-world programs. One source of difficulty is the need to handle programs with different behaviors along different execution paths. Disjunctive (powerset) abstractions capture such distinctions in a natural way. However, in general, powerset abstractions increase space and time costs by an exponential factor. Thus, powerset abstractions are generally perceived as very costly.
55 citations
26 Aug 2004
TL;DR: A type inference algorithm for rccjava that reduces the complexity of the type inference problem via reduction to propositional satisfiability and its performance on programs of up to 30,000 lines of code.
Abstract: The race condition checker rccjava uses a formal type system to statically identify potential race conditions in concurrent Java programs, but it requires programmer-supplied type annotations. This paper describes a type inference algorithm for rccjava. Due to the interaction of parameterized classes and dependent types, this type inference problem is NP-complete. This complexity result motivates our new approach to type inference, which is via reduction to propositional satisfiability. This paper describes our type inference algorithm and its performance on programs of up to 30,000 lines of code.
55 citations
26 Aug 2004
TL;DR: A polynomial-time algorithm for global value numbering, which is the problem of discovering equivalences among program sub-expressions, is described and it is shown that there are programs for which the set of all equivalences contains terms whose value graph representation requires exponential size.
Abstract: We describe a polynomial-time algorithm for global value numbering, which is the problem of discovering equivalences among program sub-expressions. We treat all conditionals as non-deterministic and all program operators as uninterpreted. We show that there are programs for which the set of all equivalences contains terms whose value graph representation requires exponential size. Our algorithm discovers all equivalences among terms of size at most s in time that grows linearly with s. For global value numbering, it suffices to choose s to be the size of the program. Earlier deterministic algorithms for the same problem are either incomplete or take exponential time.
48 citations
26 Aug 2004
TL;DR: In this article, the authors present a static analysis that computes quantitative information for recursive heap structures in programs with destructive updates, which is able to extract quantitative information about the height and the balancing of such structures and verify the correctness of rebalancing operations after AVL tree insertions.
Abstract: This paper presents a static analysis that computes quantitative information for recursive heap structures in programs with destructive updates. The algorithm targets tree structures and is able to extract quantitative information about the height and the balancing of such structures. We formulate the algorithm as a dataflow analysis. We use a heap abstraction that captures both shape invariants and quantities of heap structures. Then, we give a precise specification of the transfer functions that describe how each statement updates this abstraction. The algorithm is able to verify the correctness of re-balancing operations after AVL tree insertions.
26 Aug 2004
TL;DR: This paper addresses the problem of checking programs written in an object-oriented language to ensure that they satisfy the information flow policies, confidentiality and integrity by presenting an algorithm that infers such security types in a modular manner.
Abstract: This paper addresses the problem of checking programs written in an object-oriented language to ensure that they satisfy the information flow policies, confidentiality and integrity. Policy is specified using security types. An algorithm that infers such security types in a modular manner is presented. The specification of the algorithm involves inference for libraries. Library classes and methods maybe parameterized by security levels. It is shown how modular inference is achieved in the presence of method inheritance and override. Soundness and completeness theorems for the inference algorithm are given.
26 Aug 2004
TL;DR: This work presents a static analysis for capturing the spatial structure of biological systems and illustrates it on a few examples.
Abstract: Programming language technology can contribute to the development and understanding of Systems Biology by providing formal calculi for specifying and analysing the dynamic behaviour of biological systems. Our focus is on BioAmbients, a variation of the ambient calculi developed for modelling mobility in computer systems. We present a static analysis for capturing the spatial structure of biological systems and we illustrate it on a few examples.
26 Aug 2004
TL;DR: Array-Range Analysis computes at compile time the range of possible index values for each array-index expression in a program, which can be used to detect potential out-of-bounds array accesses and to identify non-aliasing arrayAccesses.
Abstract: Array-Range Analysis computes at compile time the range of possible index values for each array-index expression in a program This information can be used to detect potential out-of-bounds array accesses and to identify non-aliasing array accesses In a language like C, where arrays can be accessed indirectly via pointers, and where pointer arithmetic is allowed, range analysis must be extended to compute the range of possible values for each pointer dereference
26 Aug 2004
TL;DR: This work presents a novel static analysis for approximating the algebraic relational semantics of imperative programs by based on abstract interpretation in the lattice of polynomial pseudo ideals of bounded degree – finite-dimensional vector spaces ofPolynomials of boundeddegree which are closed under bounded degree products.
Abstract: We present a novel static analysis for approximating the algebraic relational semantics of imperative programs. Our method is based on abstract interpretation in the lattice of polynomial pseudo ideals of bounded degree – finite-dimensional vector spaces of polynomials of bounded degree which are closed under bounded degree products. For a fixed bound, the space complexity of our approach and the iterations required to converge on fixed points are bounded by a polynomial in the number of program variables. Nevertheless, for several programs taken from the literature on non-linear polynomial invariant generation, our analysis produces results that are as precise as those produced by more heavy-weight Grobner basis methods.
26 Aug 2004
TL;DR: A scalable pointer analysis for embedded applications that is able to distinguish between instances of recursively defined data structures and elements of arrays and brings experimental evidence that this approach is tractable and precise for real-size embedded applications.
Abstract: In this paper we present a scalable pointer analysis for embedded applications that is able to distinguish between instances of recursively defined data structures and elements of arrays. The main contribution consists of an efficient yet precise algorithm that can handle multithreaded programs. We first perform an inexpensive flow-sensitive analysis of each function in the program that generates semantic equations describing the effect of the function on the memory graph. These equations bear numerical constraints that describe nonuniform points-to relationships. We then iteratively solve these equations in order to obtain an abstract storage graph that describes the shape of data structures at every point of the program for all possible thread interleavings. We bring experimental evidence that this approach is tractable and precise for real-size embedded applications.
26 Aug 2004
TL;DR: The two logics presented in this paper can be seen as extreme values in a framework which attempts to reconcile the naturally oposite goals of expressiveness and decidability.
Abstract: In this paper we investigate the existence of a deductive verification method based on a logic that describes pointer aliasing. The main idea of such a method is that the user has to annotate the program with loop invariants, pre- and post-conditions. The annotations are then automatically checked for validity by propagating weakest preconditions and verifying a number of induced implications. Such a method requires an underlying logic which is decidable and has a sound and complete weakest precondition calculus. We start by presenting a powerful logic (wAL) which can describe the shapes of most recursively defined data structures (lists, trees, etc.) has a complete weakest precondition calculus but is undecidable. Next, we identify a decidable subset (pAL) for which we show closure under the weakest precondition operators. In the latter logic one loses the ability of describing unbounded heap structures, yet bounded structures can be characterized up to isomorphism. For this logic two sound and complete proof systems are given, one based on natural deduction, and another based on the effective method of analytic tableaux. The two logics presented in this paper can be seen as extreme values in a framework which attempts to reconcile the naturally oposite goals of expressiveness and decidability.
26 Aug 2004
TL;DR: This work redevelops and extends Dams’s results on over- and under-approximation with higher-order Galois connections and extends the range of acceptable values for these values.
Abstract: We redevelop and extend Dams’s results on over- and under-approximation with higher-order Galois connections:
26 Aug 2004
TL;DR: Role logic is a notation for describing properties of relational structures in shape analysis, databases and knowledge bases as mentioned in this paper, which is decidable and can be expressed as a two-variable logic with counting.
Abstract: Role logic is a notation for describing properties of relational structures in shape analysis, databases and knowledge bases. A natural fragment of role logic corresponds to two-variable logic with counting and is therefore decidable.
26 Aug 2004
TL;DR: Free conditional expression diagrams (FCEDs), which extend binary decision diagrams with internal nodes corresponding to linear arithmetic operators or uninterpreted functions, are introduced, which can represent values of expressions in a program involving conditionals and linear arithmetic.
Abstract: We describe data structures and algorithms for performing a path-sensitive program analysis to discover equivalences of expressions involving linear arithmetic or uninterpreted functions. We assume that conditionals are abstracted as boolean variables, which may be repeated to reflect equivalent conditionals. We introduce free conditional expression diagrams (FCEDs), which extend binary decision diagrams (BDDs) with internal nodes corresponding to linear arithmetic operators or uninterpreted functions. FCEDs can represent values of expressions in a program involving conditionals and linear arithmetic (or uninterpreted functions). We show how to construct them easily from a program, and give a randomized linear time algorithm (or quadratic time for uninterpreted functions) for comparing FCEDs for equality. FCEDs are compact due to maximal representation sharing for portions of the program with independent conditionals. They inherit from BDDs the precise reasoning about boolean expressions needed to handle dependent conditionals.
26 Aug 2004
TL;DR: This article rephrase the previous logic programming approach into a more abstract setting, which leads to a criterion expressed in a logical way and simpler proofs, as expected, and proves that in some sense, it already had the best syntactic criterion for logic programming.
Abstract: Termination has been a subject of intensive research in the logic programming community for the last two decades. Most works deal with proving universal left termination of a given class of queries, i.e. finiteness of all the possible derivations produced by a Prolog engine from any query in that class. In contrast, the study of the dual problem: non-termination w.r.t. the left selection rule i.e the existence of one query in a given class of queries which admits an infinite left derivation, has given rise to only a few papers. In this article, we study non-termination in the more general constraint logic programming framework. We rephrase our previous logic programming approach into this more abstract setting, which leads to a criterion expressed in a logical way and simpler proofs, as expected. Also, by reconsidering our previous work, we now prove that in some sense, we already had the best syntactic criterion for logic programming. Last but not least, we offer a set of correct algorithms for inferring non-termination for CLP.
26 Aug 2004
TL;DR: A technique is presented that allows general gate-level combinational asynchronous circuits with uncertain delay characteristics to be reasoned about and is particularly suited to the simulation and model checking of circuits where the identification of possible glitch states is required.
Abstract: A technique, based upon abstract interpretation, is presented that allows general gate-level combinational asynchronous circuits with uncertain delay characteristics to be reasoned about Our approach is particularly suited to the simulation and model checking of circuits where the identification of possible glitch states (static and dynamic hazards) is required A hierarchy of alternative abstractions linked by Galois connections is presented, each offering varying tradeoffs between accuracy and complexity Many of these abstract domains resemble extended, multi-value logics: transitional logics that include extra values representing transitions as well as steady states, and static/clean logics that include the values S and C representing 'unknown but fixed for all time' and 'can never glitch' respectively
Proceedings Article•
01 Jan 2004
TL;DR: A static analysis that computes quantitative information for recursive heap structures in programs with destructive updates and is able to verify the correctness of re-balancing operations after AVL tree insertions.
26 Aug 2004
TL;DR: This paper presents the first example of a static analysis of the gated data dependence graph developed using the methodology of abstract interpretation, and is shown to be sound with respect to a concrete semantics for the representation.
Abstract: Several authors have advocated the use of the gated data dependence graph as a compiler intermediate representation. If this representation is to gain acceptance, it is important to show that we may construct static analyses which operate directly on it. In this paper we present the first example of such an analysis, developed using the methodology of abstract interpretation. The analysis is shown to be sound with respect to a concrete semantics for the representation. Experimental results are presented which indicate that the analysis performs well in comparison to conventional techniques.
26 Aug 2004
TL;DR: This talk briefly overviews the ongoing work to develop a declarative language for describing Web services on theSemantic Web, contrasting it with emerging industrial Web service and Semantic Web standards.
Abstract: Two trends are emerging in the World Wide Web (WWW). The first is the proliferation of Web Services – self-contained, Web-accessible software applications and associated distributed systems architectures. The second is the emergence of the “Semantic Web,” the vision for a next-generation WWW that is computer interpretable. Today’s Web was designed primarily for human use. To enable reliable, large-scale automated interoperation of Web services, their properties and capabilities must be understandable to a computer program. In this talk we briefly overview our ongoing work to develop a declarative language for describing Web services on the Semantic Web, contrasting it with emerging industrial Web service and Semantic Web standards. Our declarative representation of Web services enables automation of a wide variety of tasks including discovery, invocation, interoperation, composition, simulation, verification and monitoring.
Proceedings Article•
02 Oct 2004
26 Aug 2004
TL;DR: The potential impact and research value of program generation is discussed, examples of research in the area are given, and a future work direction is outlined that is considered most interesting.
Abstract: Program generation is among the most promising techniques in the effort to increase the automation of programming tasks. In this talk, we discuss the potential impact and research value of program generation, we give examples of our research in the area, and we outline a future work direction that we consider most interesting.
26 Aug 2004
TL;DR: It is proved how standard completeness refinement in abstract interpretation provides a systematic way for refining abstract symbolic trajectory evaluation in order to gain completeness for the properties of interest.
Abstract: In this paper we study the relation between the lack of completeness in abstract symbolic trajectory evaluation and the structure of the counterexamples that can be derived in case of property failure. We characterize the presence of false negatives as a loss of completeness of the underlying abstraction. We prove how standard completeness refinement in abstract interpretation provides a systematic way for refining abstract symbolic trajectory evaluation in order to gain completeness for the properties of interest.
26 Aug 2004
TL;DR: This talk reviews this new research direction and reports on preliminary steps carried out in the lab towards realizing its vision, which is to create molecular devices equipped with the medical knowledge to perform disease diagnosis and therapy inside the living body.
Abstract: Although electronic computers are the only “computer species” we are accustomed to, the mathematical notion of a programmable computer has nothing to do with wires and logic gates. In fact, Alan Turing’s notional computer, which marked in 1936 the birth of modern computer science and still stands at its heart, has greater similarity to natural biomolecular machines such as the ribosome and polymerases than to electronic computers. Recently, a new “computer species” made of biological molecules has emerged. These simple molecular computers inspired by the Turing machine, of which a trillion can fit into a microliter, do not compete with electronic computers in solving complex computational problems; their potential lies elsewhere. Their molecular scale and their ability to interact directly with the biochemical environment in which they operate suggest that in the future they may be the basis of a new kind of “smart drugs”: molecular devices equipped with the medical knowledge to perform disease diagnosis and therapy inside the living body. They would detect and diagnose molecular disease symptoms and, when necessary, administer the requisite drug molecules to the cell, tissue or organ in which they operate. In the talk we review this new research direction and report on preliminary steps carried out in our lab towards realizing its vision.