A Fresh Look at Zones and Octagons

Published: 03 September 2021

Abstract

Zones and Octagons are popular abstract domains for static program analysis. They enable the automated discovery of simple numerical relations that hold between pairs of program variables. Both domains are well understood mathematically but the detailed implementation of static analyses based on these domains poses many interesting algorithmic challenges. In this article, we study the two abstract domains, their implementation and use. Utilizing improved data structures and algorithms for the manipulation of graphs that represent difference-bound constraints, we present fast implementations of both abstract domains, built around a common infrastructure. We compare the performance of these implementations against alternative approaches offering the same precision. We quantify the differences in performance by measuring their speed and precision on standard benchmarks. We also assess, in the context of software verification, the extent to which the improved precision translates to better verification outcomes. Experiments demonstrate that our new implementations improve the state of the art for both Zones and Octagons significantly.
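To make concrete what the abstract means by "graphs that represent difference-bound constraints", here is a minimal Zone domain as an added example. It is not code from the article or from its authors' implementation; it is the textbook construction (Miné's difference-bound matrices with Floyd-Warshall closure), and the variable names, the `Zone` class and the three `*_demo` functions are this example's own assumptions. It shows the three operations a static analyser needs from the domain: conjoining a constraint, closing the matrix so that implied bounds become explicit, detecting infeasibility as a negative cycle, and joining two states at a control-flow merge.

```python
# Added example (not from the paper): a Zone domain as a difference-bound matrix.
# Variables are graph nodes; entry m[i][j] = c is the edge encoding v_i - v_j <= c.
# A distinguished node "0" (the constant zero) lets unary bounds use the same encoding.
import math
from itertools import product

INF = math.inf  # "no constraint known" between this pair


class Zone:
    def __init__(self, names):
        self.names = ["0"] + list(names)
        self.idx = {n: i for i, n in enumerate(self.names)}
        n = len(self.names)
        self.m = [[INF] * n for _ in range(n)]
        for i in range(n):
            self.m[i][i] = 0  # v_i - v_i <= 0 always holds

    def add(self, a, b, c):
        """Conjoin a - b <= c; only ever tighten an existing bound."""
        i, j = self.idx[a], self.idx[b]
        self.m[i][j] = min(self.m[i][j], c)
        return self

    def upper(self, v, c):
        """v <= c is v - 0 <= c."""
        return self.add(v, "0", c)

    def lower(self, v, c):
        """v >= c is 0 - v <= -c."""
        return self.add("0", v, -c)

    def close(self):
        """Floyd-Warshall closure: every entry becomes the shortest-path weight,
        i.e. the tightest bound implied by the whole constraint system."""
        n = len(self.names)
        for k, i, j in product(range(n), repeat=3):  # k is the outermost loop
            via = self.m[i][k] + self.m[k][j]
            if via < self.m[i][j]:
                self.m[i][j] = via
        return self

    def is_bottom(self):
        """A negative diagonal entry after closure is a negative cycle: unsatisfiable."""
        return any(self.m[i][i] < 0 for i in range(len(self.names)))

    def bound(self, a, b):
        """Tightest known c with a - b <= c (INF if unconstrained)."""
        return self.m[self.idx[a]][self.idx[b]]

    def join(self, other):
        """Least upper bound of two closed zones: pointwise max, a sound
        over-approximation of the union of the two states."""
        out = Zone(self.names[1:])
        for i, j in product(range(len(self.names)), repeat=2):
            out.m[i][j] = max(self.m[i][j], other.m[i][j])
        return out


def implied_bound_demo():
    """Constructed input: x <= 5 and y - x <= 2; closure derives y <= 7."""
    z = Zone(["x", "y"]).upper("x", 5).add("y", "x", 2).close()
    return z.bound("y", "0")


def contradiction_demo():
    """Constructed input: x - y <= -1 and y - x <= 0 form a negative cycle."""
    z = Zone(["x", "y"]).add("x", "y", -1).add("y", "x", 0).close()
    return z.is_bottom()


def join_demo():
    """Constructed input: one branch has x in [0, 2], the other x in [5, 8];
    the join keeps the hull [0, 8], losing the gap between the branches."""
    a = Zone(["x"]).lower("x", 0).upper("x", 2).close()
    b = Zone(["x"]).lower("x", 5).upper("x", 8).close()
    j = a.join(b)
    return (-j.bound("0", "x"), j.bound("x", "0"))


if __name__ == "__main__":
    print("implied y <= ", implied_bound_demo())
    print("contradiction detected:", contradiction_demo())
    print("joined interval for x:", join_demo())
```

The cubic closure loop is the cost the article's sparse data structures are designed to avoid: a dense matrix pays the full O(n^3) on every closure even when most entries are INF. The same matrix encoding extends to Octagons by giving each variable a positive and a negative node, so that sums such as x + y <= c become differences between those nodes; a plain Zone as above cannot express a sum constraint at all.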

