Abstract
Numerical abstract domains are an important ingredient of modern static analyzers used for verifying critical program properties (e.g., absence of buffer overflow or memory safety). Among the many numerical domains introduced over the years, Polyhedra is the most expressive one, but also the most expensive: it has worst-case exponential space and time complexity. As a consequence, static analysis with the Polyhedra domain is thought to be impractical when applied to large-scale, real-world programs.
In this paper, we present a new approach and a complete implementation for speeding up Polyhedra domain analysis. Our approach does not lose precision, and for many practical cases, is orders of magnitude faster than state-of-the-art solutions. The key insight underlying our work is that polyhedra arising during analysis can usually be kept decomposed, thus considerably reducing the overall complexity.
We first present the theory underlying our approach, which identifies the interaction between partitions of variables and domain operators. Based on the theory we develop new algorithms for these operators that work with decomposed polyhedra. We implemented these algorithms using the same interface as existing libraries, thus enabling static analyzers to use our implementation with little effort. In our evaluation, we analyze large benchmarks from the popular software verification competition, including Linux device drivers with over 50K lines of code. Our experimental results demonstrate massive gains in both space and time: we show end-to-end speedups of two to five orders of magnitude compared to state-of-the-art Polyhedra implementations as well as significant memory gains, on all larger benchmarks. In fact, in many cases our analysis terminates in seconds where prior code runs out of memory or times out after 4 hours.
We believe this work is an important step in making the Polyhedra abstract domain both feasible and practically usable for handling large, real-world programs.
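The key insight of the abstract, that a polyhedron can be kept as independent factors over blocks of a variable partition and that combining two decomposed polyhedra only merges the blocks that must merge, as an added Python illustration; this is not ELINA's code, and the constraint sets, partitions and the 2**n hypercube size bound are constructed for the illustration:

```python
# Added illustration of keeping a polyhedron decomposed by a variable partition
# (the idea the abstract describes); not ELINA's code. A constraint is a dict
# {var: coeff} holding the coefficients of one linear constraint (constant omitted).

def finest_partition(variables, constraints):
    """Finest partition of `variables` such that each constraint only mentions
    variables from one block (union-find over the constraints' supports)."""
    parent = {v: v for v in variables}

    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]  # path halving
            v = parent[v]
        return v

    for c in constraints:
        support = [v for v, k in c.items() if k != 0]
        for a, b in zip(support, support[1:]):
            parent[find(a)] = find(b)
    blocks = {}
    for v in variables:
        blocks.setdefault(find(v), set()).add(v)
    return frozenset(frozenset(b) for b in blocks.values())

def common_coarsening(p1, p2):
    """Finest partition coarser than both p1 and p2: when two decomposed
    polyhedra are combined (join/meet), the result stays decomposed with
    respect to this partition, so blocks only grow as far as they must."""
    variables = set().union(*p1, *p2)
    # Treat each block as a pseudo-constraint linking its variables.
    pseudo = [{v: 1 for v in b} for b in list(p1) + list(p2)]
    return finest_partition(variables, pseudo)

def worst_case_generators(partition):
    """Illustrative size bound: a block of n variables can need 2**n generators
    (the hypercube case), so the decomposed representation costs the sum over
    blocks, whereas a monolithic polyhedron costs 2**(total variables)."""
    decomposed = sum(2 ** len(b) for b in partition)
    monolithic = 2 ** sum(len(b) for b in partition)
    return decomposed, monolithic

if __name__ == "__main__":
    vars_ = {"a", "b", "c", "d", "e", "f"}
    # Constructed constraints: a - b >= 0, c + d >= 10, e >= 0, f >= 0
    cons = [{"a": 1, "b": -1}, {"c": 1, "d": 1}, {"e": 1}, {"f": 1}]
    p1 = finest_partition(vars_, cons)          # {a,b} {c,d} {e} {f}
    p2 = finest_partition(vars_, [{"b": 1, "c": -1}, {"e": 1, "f": 1}])
    merged = common_coarsening(p1, p2)          # {a,b,c,d} {e,f}
    print(sorted(sorted(b) for b in merged), worst_case_generators(merged))
```

For the constructed input, the merged partition keeps two blocks of four and two variables, a worst-case bound of 20 generators instead of 64 for the monolithic six-variable polyhedron.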
Fast polyhedra abstract domain. POPL '17: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages.