Abstract
We present a new, precise technique for fully path- and context-sensitive program analysis. Our technique exploits two observations. First, using quantified, recursive formulas, path- and context-sensitive conditions for many program properties can be expressed exactly. To compute a closed-form solution to such recursive constraints, we differentiate between observable and unobservable variables, the latter of which are existentially quantified in our approach. Second, unobservable variables can be eliminated outside a certain scope; using this insight, our technique computes satisfiability- and validity-preserving closed-form solutions to the original recursive constraints. We prove the solution is as precise as the original system for answering may and must queries, and it is small in practice, allowing our technique to scale to the entire Linux kernel, a program with over 6 million lines of code.
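The elimination step the abstract describes, as an added example that is not code from the paper or from the Saturn project: an unobservable boolean variable is removed from an exact path condition by existential quantification (giving the strongest necessary condition, which answers may queries) and by universal quantification (giving the weakest sufficient condition, which answers must queries). The C fragment, the variable names `flag` and `found`, and the helper functions are constructed for this illustration. The brute-force check at the end verifies on this instance the property the abstract claims, namely that eliminating the unobservable variable loses no precision for either kind of query; the paper's conditions are program-scale, recursive formulas, and this example covers only the elimination step over a finite boolean domain.

```python
from itertools import product

# Added example, not code from the PLDI '08 paper. Formulas are Python
# predicates over an assignment dict; the program fragment, the variable
# names 'flag' and 'found', and the helper names are constructed here.

def exists(formula, var):
    """Existential elimination by Shannon expansion:
    (exists var. f) == f[var:=True] or f[var:=False].
    Satisfiability-preserving, so it is the strongest necessary condition
    over the remaining variables and answers "may" queries exactly."""
    return lambda env: formula({**env, var: True}) or formula({**env, var: False})

def forall(formula, var):
    """Universal elimination: (forall var. f) == f[var:=True] and f[var:=False].
    Validity-preserving, so it is the weakest sufficient condition and
    answers "must" queries exactly."""
    return lambda env: formula({**env, var: True}) and formula({**env, var: False})

def eliminate(formula, unobservable):
    """Drop every unobservable variable, returning (may, must) conditions
    that mention only the observable ones."""
    may, must = formula, formula
    for v in unobservable:
        may, must = exists(may, v), forall(must, v)
    return may, must

# Constructed fragment.  The callee's NULL return depends on 'found', the
# result of cache_has(key): it exists at the call site but the caller cannot
# observe it, so it is existentially quantified once lookup() returns.
#
#   char *lookup(int key) {                          /* callee             */
#       if (cache_has(key)) return cache_get(key);   /* found == true      */
#       return NULL;                                 /* found == false     */
#   }
#   void use_a(int flag, int key) {
#       char *p = flag ? lookup(key) : buf;          /* buf is a local array */
#       *p = 0;                                      /* query: NULL deref? */
#   }
#   void use_b(int flag, int key) {
#       char *p = flag ? NULL : lookup(key);
#       *p = 0;
#   }

OBSERVABLE = ["flag"]
UNOBSERVABLE = ["found"]

def deref_null_a(env):
    """Exact path condition for *p dereferencing NULL in use_a."""
    return env["flag"] and not env["found"]

def deref_null_b(env):
    """Exact path condition for *p dereferencing NULL in use_b."""
    return env["flag"] or not env["found"]

def query_results():
    """Answer may/must queries about each fragment using only 'flag'."""
    may_a, must_a = eliminate(deref_null_a, UNOBSERVABLE)
    may_b, must_b = eliminate(deref_null_b, UNOBSERVABLE)
    return {
        # use_a: a NULL deref is possible when flag is set (may) but not
        # guaranteed (must), since the cache may hold the key.
        "a_may_when_flag": may_a({"flag": True}),
        "a_must_when_flag": must_a({"flag": True}),
        "a_may_when_not_flag": may_a({"flag": False}),
        # use_b: when flag is set p is NULL on every path, so the deref is
        # a must-bug; when flag is clear it is only a may-bug.
        "b_must_when_flag": must_b({"flag": True}),
        "b_must_when_not_flag": must_b({"flag": False}),
        "b_may_when_not_flag": may_b({"flag": False}),
    }

def check_precision(formula, observable, unobservable):
    """Brute-force check of the precision claim on one formula: for each
    assignment of the observable variables, 'may' holds iff the original
    formula is satisfiable over the unobservable ones, and 'must' holds iff
    the original is valid over them.  Exponential in the number of
    variables; fine for a demonstration, not for a kernel."""
    may, must = eliminate(formula, unobservable)
    for obs in product([False, True], repeat=len(observable)):
        env = dict(zip(observable, obs))
        outcomes = [
            formula({**env, **dict(zip(unobservable, un))})
            for un in product([False, True], repeat=len(unobservable))
        ]
        if may(env) != any(outcomes) or must(env) != all(outcomes):
            return False
    return True

if __name__ == "__main__":
    for name, value in query_results().items():
        print(f"{name}: {value}")
    print("precision preserved:",
          check_precision(deref_null_a, OBSERVABLE, UNOBSERVABLE)
          and check_precision(deref_null_b, OBSERVABLE, UNOBSERVABLE))
```

The two fragments differ only in which branch yields NULL, yet the answers differ in kind: in `use_a` the tool can report only that a NULL dereference may happen when `flag` is set, whereas in `use_b` it can report that one must happen, which is the distinction between a warning worth triaging and a definite bug.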
Sound, complete and scalable path-sensitive analysis
PLDI '08: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation