Sound, complete and scalable path-sensitive analysis

Published: 07 June 2008

Abstract

We present a new, precise technique for fully path- and context-sensitive program analysis. Our technique exploits two observations. First, using quantified, recursive formulas, path- and context-sensitive conditions for many program properties can be expressed exactly. To compute a closed-form solution to such recursive constraints, we differentiate between observable and unobservable variables, the latter of which are existentially quantified in our approach. Second, using the insight that unobservable variables can be eliminated outside a certain scope, our technique computes satisfiability- and validity-preserving closed-form solutions to the original recursive constraints. We prove the solution is as precise as the original system for answering may and must queries, as well as being small in practice, allowing our technique to scale to the entire Linux kernel, a program with over 6 million lines of code.
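The abstract's distinction between observable and unobservable variables, and between satisfiability-preserving (may) and validity-preserving (must) closed forms, is easiest to see on a propositional path condition. The following is an added illustration, not code from the paper or the SATURN project: it eliminates an unobservable Boolean variable by Shannon expansion (existential elimination keeps every assignment of the observables under which some value of the eliminated variable satisfies the condition; universal elimination keeps only those under which every value does). The paper's quantified recursive constraints are richer than this, so treat the program, the variable names `flag` and `r`, and the formula representation as constructed for this example.

```python
from itertools import product

# Constructed propositional formula representation (not the paper's):
#   True / False                 constants
#   ('var', name)                propositional variable
#   ('not', f)                   negation
#   ('and', f, g) / ('or', f, g) conjunction / disjunction
# Constructors simplify constants so eliminated variables vanish from the closed form.

def var(name):
    return ('var', name)

def Not(f):
    if f is True:
        return False
    if f is False:
        return True
    if f[0] == 'not':
        return f[1]
    return ('not', f)

def And(f, g):
    if f is False or g is False:
        return False
    if f is True:
        return g
    if g is True:
        return f
    return f if f == g else ('and', f, g)

def Or(f, g):
    if f is True or g is True:
        return True
    if f is False:
        return g
    if g is False:
        return f
    return f if f == g else ('or', f, g)

def substitute(f, name, value):
    """Replace variable `name` by the constant `value`, simplifying on the way up."""
    if isinstance(f, bool):
        return f
    tag = f[0]
    if tag == 'var':
        return value if f[1] == name else f
    if tag == 'not':
        return Not(substitute(f[1], name, value))
    a, b = substitute(f[1], name, value), substitute(f[2], name, value)
    return And(a, b) if tag == 'and' else Or(a, b)

def exists(name, f):
    """Satisfiability-preserving elimination (strongest necessary condition):
    exists name. f  ==  f[name:=True] or f[name:=False]."""
    return Or(substitute(f, name, True), substitute(f, name, False))

def forall(name, f):
    """Validity-preserving elimination (weakest sufficient condition):
    forall name. f  ==  f[name:=True] and f[name:=False]."""
    return And(substitute(f, name, True), substitute(f, name, False))

def free_vars(f):
    if isinstance(f, bool):
        return set()
    if f[0] == 'var':
        return {f[1]}
    return set().union(*(free_vars(x) for x in f[1:]))

def evaluate(f, env):
    if isinstance(f, bool):
        return f
    tag = f[0]
    if tag == 'var':
        return env[f[1]]
    if tag == 'not':
        return not evaluate(f[1], env)
    a, b = evaluate(f[1], env), evaluate(f[2], env)
    return (a and b) if tag == 'and' else (a or b)

def preserves(f, name):
    """Check by enumeration that the closed forms agree with the original over
    every assignment of the remaining (observable) variables."""
    names = sorted(free_vars(f) - {name})
    e, a = exists(name, f), forall(name, f)
    for bits in product([False, True], repeat=len(names)):
        env = dict(zip(names, bits))
        vals = [evaluate(f, {**env, name: b}) for b in (False, True)]
        if evaluate(e, env) != any(vals) or evaluate(a, env) != all(vals):
            return False
    return True

# Constructed program being analysed for a null dereference:
#   void f(int flag) {
#       char *p = malloc(N);          // r := (p == NULL); unobservable to callers of f
#       if (flag && p == NULL) return;
#       *p = 0;                       // query: can this dereference NULL?
#   }
# `flag` is a parameter (observable at call sites); `r` is the malloc outcome.
flag, r = var('flag'), var('r')
null_deref = And(r, Not(And(flag, r)))   # p is NULL and the early return did not fire

def may_condition():
    """Condition on callers under which the dereference MAY be of NULL."""
    return exists('r', null_deref)        # -> ('not', ('var', 'flag'))

def must_condition():
    """Condition on callers under which the dereference MUST be of NULL."""
    return forall('r', null_deref)        # -> False

if __name__ == '__main__':
    print('may :', may_condition())
    print('must:', must_condition())
    print('closed forms agree with original:', preserves(null_deref, 'r'))
```

The may condition `not flag` is exactly what a caller-side check needs: call sites that pass `flag == 0` can reach the unguarded dereference, while the must condition `False` says no call site is guaranteed to, so the report is a possible bug rather than a certain one. Only the observable `flag` survives in either closed form, which is the "small in practice" property the abstract refers to.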

