Showing papers presented at "Static Analysis Symposium in 2013"
20 Jun 2013
TL;DR: This work shows how to simulate existing abstract domains in this way, without having to directly implement program analyses or make certain heuristic choices, such as the terms and predicates that form the parameters of the abstract domain.
Abstract: Program proving can be viewed as solving for unknown relations (such as loop invariants, procedure summaries and so on) that occur in the logical verification conditions of a program, such that the verification conditions are valid. Generic logical tools exist that can solve such problems modulo certain background theories, and therefore can be used for program analysis. Here, we extend these techniques to solve for quantified relations. This makes it possible to guide the solver by constraining the form of the proof, allowing it to converge when it otherwise would not. We show how to simulate existing abstract domains in this way, without having to directly implement program analyses or make certain heuristic choices, such as the terms and predicates that form the parameters of the abstract domain. Moreover, the approach gives the flexibility to go beyond these domains and experiment quickly with various invariant forms.
127 citations
20 Jun 2013
TL;DR: It is shown that invariants in program verification can be regarded as geometric concepts in machine learning, and the learning algorithm is extended to obtain a sound procedure that can generate proofs containing invariants that are arbitrary boolean combinations of polynomial inequalities.
Abstract: We formalize the problem of program verification as a learning problem, showing that invariants in program verification can be regarded as geometric concepts in machine learning. Safety properties define bad states: states a program should not reach. Program verification explains why a program’s set of reachable states is disjoint from the set of bad states. In Hoare Logic, these explanations are predicates that form inductive assertions. Using samples for reachable and bad states and by applying well known machine learning algorithms for classification, we are able to generate inductive assertions. By relaxing the search for an exact proof to classifiers, we obtain complexity theoretic improvements. Further, we extend the learning algorithm to obtain a sound procedure that can generate proofs containing invariants that are arbitrary boolean combinations of polynomial inequalities. We have evaluated our approach on a number of challenging benchmarks and the results are promising.
97 citations
20 Jun 2013
TL;DR: An approach to verify safety properties of Erlang-style, higher-order concurrent programs automatically and formalise an abstract model of λ Actor programs called Actor Communicating System (ACS), which has a natural interpretation as a vector addition system.
Abstract: This paper presents an approach to verify safety properties of Erlang-style, higher-order concurrent programs automatically. Inspired by Core Erlang, we introduce λ Actor, a prototypical functional language with pattern-matching algebraic data types, augmented with process creation and asynchronous message-passing primitives. We formalise an abstract model of λ Actor programs called Actor Communicating System (ACS) which has a natural interpretation as a vector addition system, for which some verification problems are decidable. We give a parametric abstract interpretation framework for λ Actor and use it to build a polytime computable, flow-based, abstract semantics of λ Actor programs, which we then use to bootstrap the ACS construction, thus deriving a more accurate abstract model of the input program.
63 citations
20 Jun 2013
TL;DR: A parameterized abstract domain is presented for proving program termination by abstract interpretation that automatically synthesizes piecewise-defined ranking functions and infers sufficient conditions for program termination.
Abstract: We present a parameterized abstract domain for proving program termination by abstract interpretation. The domain automatically synthesizes piecewise-defined ranking functions and infers sufficient conditions for program termination. The analysis uses over-approximations but we prove its soundness, meaning that all program executions respecting these sufficient conditions are indeed terminating.
60 citations
20 Jun 2013
TL;DR: This work addresses the problem of computing semantic differences between a program and a patched version of the program and obtains a precise characterization of the difference between program versions.
Abstract: We address the problem of computing semantic differences between a program and a patched version of the program. Our goal is to obtain a precise characterization of the difference between program versions, or establish their equivalence when no difference exists.
47 citations
20 Jun 2013
TL;DR: A novel approach for predicate abstraction of programs running on relaxed memory models is presented and two steps are presented for this approach, which consists of two steps.
Abstract: We present a novel approach for predicate abstraction of programs running on relaxed memory models. Our approach consists of two steps.
46 citations
20 Jun 2013
TL;DR: The approach is based on a new representation of sets of heaps, which is to some degree inspired by works on separation logic with higher-order list predicates, but it is graph-based and uses a more fine-grained (byte-precise) memory model in order to support the various low-level memory operations.
Abstract: We propose a new approach to shape analysis of programs with linked lists that use low-level memory operations. Such operations include pointer arithmetic, safe usage of invalid pointers, block operations with memory, reinterpretation of the memory contents, address alignment, etc. Our approach is based on a new representation of sets of heaps, which is to some degree inspired by works on separation logic with higher-order list predicates, but it is graph-based and uses a more fine-grained (byte-precise) memory model in order to support the various low-level memory operations. The approach was implemented in the Predator tool and successfully validated on multiple non-trivial case studies that are beyond the capabilities of other current fully automated shape analysis tools.
39 citations
20 Jun 2013
TL;DR: This paper shows that witness generators can be implemented quite easily for a number of standard compiler optimizations; this exercise shows that stuttering simulation is a sound and complete witness format.
Abstract: We study two closely related problems: (a) showing that a program transformation is correct and (b) propagating an invariant through a program transformation. The second problem is motivated by an application which utilizes program invariants to improve the quality of compiler optimizations. We show that both problems can be addressed by augmenting a transformation with an auxiliary witness generation procedure. For every application of the transformation, the witness generator constructs a relation which guarantees the correctness of that instance. We show that stuttering simulation is a sound and complete witness format. Completeness means that, under mild conditions, every correct transformation induces a stuttering simulation witness which is strong enough to prove that the transformation is correct. A witness is self-contained, in that its correctness is independent of the optimization procedure which generates it. Any invariant of a source program can be turned into an invariant of the target of a transformation by suitably composing it with its witness. Stuttering simulations readily compose, forming a single witness for a sequence of transformations. Witness generation is simpler than a formal proof of correctness, and it is comprehensive, unlike the heuristics used for translation validation. We define witnesses for a number of standard compiler optimizations; this exercise shows that witness generators can be implemented quite easily.
34 citations
20 Jun 2013
TL;DR: In this paper, a posteriori verification of the abstract domain of polyhedra is proposed to lower the overhead of certification of the polyhedral domain of programs using abstract interpretation, and a single-representation, constraints-based implementation is presented.
Abstract: Polyhedra form an established abstract domain for inferring runtime properties of programs using abstract interpretation. Computations on them need to be certified for the whole static analysis results to be trusted. In this work, we look at how far we can get down the road of a posteriori verification to lower the overhead of certification of the abstract domain of polyhedra. We demonstrate methods for making the cost of inclusion certificate generation negligible. From a performance point of view, our single-representation, constraints-based implementation compares with state-of-the-art implementations.
34 citations
20 Jun 2013
TL;DR: This work extends Abstract Conflict Driven Clause Learning (acdcl) solvers with proof generation and interpolation, leading to the first interpolation procedure for floating-point logic and subsequently, theFirst interpolation-based verifiers for programs with floating- point variables.
Abstract: One approach for smt solvers to improve efficiency is to delegate reasoning to abstract domains. Solvers using abstract domains do not support interpolation and cannot be used for interpolation-based verification. We extend Abstract Conflict Driven Clause Learning (acdcl) solvers with proof generation and interpolation. Our results lead to the first interpolation procedure for floating-point logic and subsequently, the first interpolation-based verifiers for programs with floating-point variables. We demonstrate the potential of this approach by verifying a number of programs which are challenging for current verification tools.
32 citations
20 Jun 2013
TL;DR: This paper presents a meta-analysis of static analyzers based on abstract interpretation that shows how the design and implementation of static analysis techniques on real languages is still error-prone.
Abstract: Static analyzers based on abstract interpretation are complex pieces of software implementing delicate algorithms. Even if static analysis techniques are well understood, their implementation on real languages is still error-prone.
20 Jun 2013
TL;DR: Two strategies which may be easily applied to standard abstract interpretation-based static analyzers are shown, restricting the scope of widening, and intertwining the computation of ascending and descending chains.
Abstract: We show two strategies which may be easily applied to standard abstract interpretation-based static analyzers. They consist in 1) restricting the scope of widening, and 2) intertwining the computation of ascending and descending chains. Using these optimizations it is possible to improve the precision of the analysis, without any change to the abstract domains.
20 Jun 2013
TL;DR: This invited lecture is a survey of the authors' work over the last 12 years or so, dealing with the precise analysis of numerical programs, essentially control programs such as the ones found in the aerospace, nuclear and automotive industry.
Abstract: This invited lecture is a survey of our work over the last 12 years or so, dealing with the precise analysis of numerical programs, essentially control programs such as the ones found in the aerospace, nuclear and automotive industry
20 Jun 2013
TL;DR: The lack of domain structure has negative consequences, both for the precision of program analysis and for the termination of standard Kleene iteration.
Abstract: The classical theoretical framework for static analysis of programs is abstract interpretation. Much of the power and elegance of that framework rests on the assumption that an abstract domain is a lattice. Nonetheless, and for good reason, the literature on program analysis provides many examples of non-lattice domains, including non-convex numeric domains. The lack of domain structure, however, has negative consequences, both for the precision of program analysis and for the termination of standard Kleene iteration. In this paper we explore these consequences and present general remedies.
20 Jun 2013
TL;DR: Many parallel programs are meant to be deterministic: for the same input, the program must produce the same output, regardless of scheduling choices, but due to complex parallel interaction, programmers make subtle mistakes that lead to violations of determinism.
Abstract: Many parallel programs are meant to be deterministic: for the same input, the program must produce the same output, regardless of scheduling choices. Unfortunately, due to complex parallel interaction, programmers make subtle mistakes that lead to violations of determinism.
20 Jun 2013
TL;DR: The main idea is to represent partial temporal specifications as symbolic automata – automata where transitions may be labeled by variables, and a variable can be substituted by a letter, a word, or a regular language.
Abstract: We present a formal framework for static specification mining. The main idea is to represent partial temporal specifications as symbolic automata – automata where transitions may be labeled by variables, and a variable can be substituted by a letter, a word, or a regular language. Using symbolic automata, we construct an abstract domain for static specification mining, capturing both the partialness of a specification and the precision of a specification. We show interesting relationships between lattice operations of this domain and common operators for manipulating partial temporal specifications, such as building a more informative specification by consolidating two partial specifications.
20 Jun 2013
TL;DR: These diagrams are, not surprisingly, used as a basic tool to introduce heap manipulations in introductory programming courses.
Abstract: Data-structure manipulation is not just a perplexing ordeal for newbies, but also a tedious errand for seasoned programmers. Even after a programmer gets the "hang of things", programming complex pointer manipulations (like reversing a linked list) still makes one reach for a notebook to draw some box-and-arrow diagrams to work out the low-level pointer jugglery. These diagrams are, not surprisingly, used as a basic tool to introduce heap manipulations in introductory programming courses.
20 Jun 2013
TL;DR: A shape analysis for programs that manipulate overlaid data structures which share sets of objects is presented, able to reason in a modular manner about non-overlaid data Structures and compose information only at a few program points, e.g., procedure returns.
Abstract: We present a shape analysis for programs that manipulate overlaid data structures which share sets of objects. The abstract domain contains Separation Logic formulas that (1) combine a per-object separating conjunction with a per-field separating conjunction and (2) constrain a set of variables interpreted as sets of objects. The definition of the abstract domain operators is based on a notion of homomorphism between formulas, viewed as graphs, used recently to define optimal decision procedures for fragments of the Separation Logic. Based on a Frame Rule that supports the two versions of the separating conjunction, the analysis is able to reason in a modular manner about non-overlaid data structures and then, compose information only at a few program points, e.g., procedure returns. We have implemented this analysis in a prototype tool and applied it on several interesting case studies that manipulate overlaid and nested linked lists.
20 Jun 2013
TL;DR: This work studies the problem of provenance tracking in concurrent programs, in which several principals execute concurrent processes and exchange messages over unbounded but unordered channels.
Abstract: Provenance information records the source and ownership history of an object. We study the problem of provenance tracking in concurrent programs, in which several principals execute concurrent processes and exchange messages over unbounded but unordered channels. The provenance of a message, roughly, is a function of the sequence of principals that have transmitted the message in the past. The provenance verification problem is to statically decide, given a message passing program and a set of allowed provenances, whether the provenance of all messages in all possible program executions, belongs to the allowed set.
20 Jun 2013
TL;DR: This work shows that in presence of contextual locking, control-point reachability becomes PSPACE-hard, already if the number of processes is increased to three, and considers the problem of regular reachability, i.e., whether a configuration within a given regular set can be reached.
Abstract: Contextual locking is a scheme for synchronizing between possibly recursive processes that has been proposed by Chadha et al. recently. Contextual locking allows for arbitrary usage of locks within the same procedure call and Chadha et al. show that control-point reachability for two processes adhering to contextual locking is decidable in polynomial time. Here, we complement these results. We show that in presence of contextual locking, control-point reachability becomes PSPACE-hard, already if the number of processes is increased to three. On the other hand, we show that PSPACE is both necessary and sufficient for deciding control-point reachability of k processes for k > 2, and that this upper bound remains valid even if dynamic spawning of new processes is allowed. Furthermore, we consider the problem of regular reachability, i.e., whether a configuration within a given regular set can be reached. Here, we show that this problem is decidable for recursive processes with dynamic thread creation and contextual locking. Finally, we generalize this result to processes that additionally use a form of join operations.
20 Jun 2013
TL;DR: Abstract parsing is a static-analysis technique for a program that, given a reference LR(k) context-free grammar, statically checks whether or not every dynamically generated string output by the program conforms to the grammar.
Abstract: parsing is a static-analysis technique for a program that, given a reference LR(k) context-free grammar, statically checks whether or not every dynamically generated string output by the program conforms to the grammar. The technique operates by applying an LR(k) parser for the reference language to data-flow equations extracted from the program, immediately parsing all the possible string outputs to validate their syntactic well-formedness.
20 Jun 2013
TL;DR: This work proposes a new approach to heap analysis through an abstract domain of automata, called automatic shapes, that allows to define universally quantified properties of programs manipulating acyclic heaps with a single pointer field, including data-structures such singly-linked lists.
Abstract: We propose a new approach to heap analysis through an abstract domain of automata, called automatic shapes. Automatic shapes are modeled after a particular version of quantified data automata on skinny trees (QSDAs), that allows to define universally quantified properties of programs manipulating acyclic heaps with a single pointer field, including data-structures such singly-linked lists. To ensure convergence of the abstract fixed-point computation, we introduce a subclass of QSDAs called elastic QSDAs, which forms an abstract domain. We evaluate our approach on several list manipulating programs and we show that the proposed domain is powerful enough to prove a large class of these programs correct.
20 Jun 2013
TL;DR: A new approach for producing precise constrained slices of programs in a language such as C that incorporates abstract interpretation into term-rewriting, resulting in a novel technique for slicing loops whose precision is linked to the power of the given abstract lattice
Abstract: We propose a new approach for producing precise constrained slices of programs in a language such as C. We build upon a previous approach for this problem, which is based on term-rewriting, which primarily targets loop-free fragments and is fully precise in this setting. We incorporate abstract interpretation into term-rewriting, using a given arbitrary abstract lattice, resulting in a novel technique for slicing loops whose precision is linked to the power of the given abstract lattice. We address pointers in a first-class manner, including when they are used within loops to traverse and update recursive data structures. Finally, we illustrate the comparative precision of our slices over those of previous approaches using representative examples.
20 Jun 2013
TL;DR: This presentation explains the development of OpenMP, a pragma-based extension to C to support parallelism in a richer way than languages such as Cilk.
Abstract: OpenMP is a pragma-based extension to C to support parallelism. The OpenMP standard recently added support for task-based parallelism but in a richer way than languages such as Cilk. Naive implementations give each task its own stack for task-local memory, which is very inefficient.
20 Jun 2013
TL;DR: This talk examines static analysis techniques for continuous-time dynamical systems, and explores parallels between commonly used static analysis approaches and a variety of approaches to prove/disprove reachability and stability properties.
Abstract: In this talk, we examine static analysis techniques for continuous-time dynamical systems. Continuous time systems arise in many domains including engineered control systems, physical and biological systems. They are increasingly of interest to the static analysis community, due to the focus on hybrid (cyber-physical) systems that capture discrete programs interacting with a continuous external environment. We examine two types of properties that are typically verified: reachability and stability, and explore parallels between commonly used static analysis approaches and a variety of approaches to prove/disprove reachability and stability properties.