Abstract
Zones and Octagons are popular abstract domains for static program analysis. They enable the automated discovery of simple numerical relations that hold between pairs of program variables. Both domains are well understood mathematically but the detailed implementation of static analyses based on these domains poses many interesting algorithmic challenges. In this article, we study the two abstract domains, their implementation and use. Utilizing improved data structures and algorithms for the manipulation of graphs that represent difference-bound constraints, we present fast implementations of both abstract domains, built around a common infrastructure. We compare the performance of these implementations against alternative approaches offering the same precision. We quantify the differences in performance by measuring their speed and precision on standard benchmarks. We also assess, in the context of software verification, the extent to which the improved precision translates to better verification outcomes. Experiments demonstrate that our new implementations improve the state of the art for both Zones and Octagons significantly.
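The abstract refers to "graphs that represent difference-bound constraints". The following is an added, self-contained Python example (not code from the article or from the Crab/Clam projects it evaluates) showing the basic machinery a Zone analysis runs on: a difference-bound matrix (DBM) over a constant node plus program variables, Floyd-Warshall closure, entailment of a bound, and detection of an inconsistent (infeasible) state via a negative cycle. The encoding convention (`m[i][j]` bounds `x_j - x_i`), the variable names `I` and `N`, and both scenarios are constructed for this illustration; the second scenario is the kind of check a verifier uses to prove an array index stays in range.

```python
from typing import List, Tuple

INF = float("inf")

# Node 0 is the constant "zero" variable, so x_j - x_0 <= c encodes x_j <= c
# and x_0 - x_j <= c encodes x_j >= -c. Variables are numbered from 1.
ZERO, I, N = 0, 1, 2


def empty_dbm(n_vars: int) -> List[List[float]]:
    """Fresh DBM over n_vars program variables plus the constant node 0.
    m[i][j] is the tightest known c with x_j - x_i <= c (INF = no bound)."""
    n = n_vars + 1
    m = [[INF] * n for _ in range(n)]
    for k in range(n):
        m[k][k] = 0.0  # x_k - x_k <= 0 always holds
    return m


def add_constraint(m: List[List[float]], j: int, i: int, c: float) -> None:
    """Record x_j - x_i <= c, only ever tightening an existing bound."""
    m[i][j] = min(m[i][j], c)


def close(m: List[List[float]]) -> Tuple[List[List[float]], bool]:
    """Floyd-Warshall closure: derive every implied difference bound.
    Returns (closed matrix, consistent). A negative diagonal entry means a
    negative cycle, i.e. the constraint set is unsatisfiable."""
    n = len(m)
    d = [row[:] for row in m]
    for k in range(n):
        for i in range(n):
            if d[i][k] == INF:
                continue
            for j in range(n):
                via = d[i][k] + d[k][j]  # x_j - x_i <= (x_k - x_i) + (x_j - x_k)
                if via < d[i][j]:
                    d[i][j] = via
    consistent = all(d[k][k] >= 0 for k in range(n))
    return d, consistent


def entails(d: List[List[float]], j: int, i: int, c: float) -> bool:
    """Does the closed zone imply x_j - x_i <= c?"""
    return d[i][j] <= c


def index_bound_scenario() -> Tuple[bool, bool, bool]:
    """Constructed state: 0 <= i, i < n, n <= 64 (e.g. i indexes a 64-entry
    buffer of length n). Closure must derive i <= 63 but not i <= 62."""
    m = empty_dbm(2)
    add_constraint(m, ZERO, I, 0)    # x_0 - i <= 0   i.e. i >= 0
    add_constraint(m, I, N, -1)      # i - n <= -1    i.e. i < n
    add_constraint(m, N, ZERO, 64)   # n - x_0 <= 64  i.e. n <= 64
    d, ok = close(m)
    return ok, entails(d, I, ZERO, 63), entails(d, I, ZERO, 62)


def infeasible_branch_scenario() -> bool:
    """Constructed state: i < n together with i >= n. The two edges form a
    cycle of weight -1, so closure reports the state as inconsistent (the
    analyser can treat this program point as unreachable)."""
    m = empty_dbm(2)
    add_constraint(m, I, N, -1)      # i - n <= -1
    add_constraint(m, N, I, 0)       # n - i <= 0    i.e. i >= n
    _, ok = close(m)
    return ok


if __name__ == "__main__":
    print("index bound:", index_bound_scenario())        # (True, True, False)
    print("infeasible branch consistent:", infeasible_branch_scenario())  # False
```

The cubic closure shown here is the textbook baseline; the article's contribution is precisely to avoid paying that cost on every operation by exploiting sparsity in the constraint graph, while returning the same closed result.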
A Fresh Look at Zones and Octagons