Exploiting Domain and Program Structure to Synthesize Efficient and Precise Data Flow Analyses (T)

A key challenge in implementing an efficient and precise data flow analysis is determining how to abstract the domain of values that a program variable can take on, and how to update abstracted values to reflect program semantics. Such updates are performed by a transfer function, and recent work by Thakur, Elder and Reps defined the bilateral algorithm for computing the most precise transfer function for a given abstract domain. In this paper, we identify and exploit the special case where abstract domains are composed of disjoint subsets. For such domains, transfer functions computed using a customized algorithm can improve performance and, in combination with symbolic modeling of block-level transfer functions, improve precision as well. We implemented these algorithms in Soot and used them to perform data flow analysis on more than 100 non-trivial Java methods drawn from open source projects. Our experimental data are promising: they demonstrate that a 25-fold reduction in analysis time can be achieved and that precision can be increased relative to existing methods.
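The following is an added example, not code from the paper or from Soot, that makes the two ideas in the abstract concrete on a toy domain: a disjoint-subset (partition) abstract domain, the most precise transfer function over it, and the precision gained by abstracting a whole block symbolically instead of one statement at a time. The block names NEG/ZERO/POS, the finite concrete range, and the two sample statements are constructed for the example; the paper itself works over Java bytecode with an SMT solver rather than by enumerating a bounded integer range.

```python
"""Most precise transfer functions over a disjoint-subset (partition) abstract
domain.  Added example, not the paper's implementation: the concrete domain is
a small finite range of integers so the best transformer can be computed by
plain enumeration instead of SMT queries."""
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Iterator

AbsVal = FrozenSet[str]        # a join of named, pairwise-disjoint blocks
AbsState = Dict[str, AbsVal]   # non-relational: one abstract value per variable
ConcState = Dict[str, int]

# Finite concrete domain (constructed): enumeration is exact only over this range.
CONCRETE = range(-8, 9)

# The abstract domain: a partition of the integers into disjoint blocks.
BLOCKS: Dict[str, Callable[[int], bool]] = {
    "NEG": lambda v: v < 0,
    "ZERO": lambda v: v == 0,
    "POS": lambda v: v > 0,
}
TOP: AbsVal = frozenset(BLOCKS)


def alpha(values: Iterable[int]) -> AbsVal:
    """Abstraction: the set of blocks containing at least one of the values."""
    vals = list(values)  # materialise: we iterate once per block
    return frozenset(name for name, member in BLOCKS.items()
                     if any(member(v) for v in vals))


def gamma(abs_val: AbsVal) -> list:
    """Concretisation, restricted to the finite CONCRETE range."""
    return [v for v in CONCRETE if any(BLOCKS[name](v) for name in abs_val)]


def concretize(state: AbsState) -> Iterator[ConcState]:
    names = list(state)
    for vals in product(*(gamma(state[n]) for n in names)):
        yield dict(zip(names, vals))


def join(a: AbsState, b: AbsState) -> AbsState:
    return {n: a[n] | b[n] for n in a}


def best_transfer(block: Callable[[ConcState], ConcState], state: AbsState) -> AbsState:
    """The most precise transfer function alpha . block . gamma, by brute force.
    Exact here because CONCRETE is finite."""
    outs = [block(cs) for cs in concretize(state)]
    return {n: alpha(o[n] for o in outs) for n in state}


def cells(state: AbsState) -> Iterator[AbsState]:
    """Split a state into cells assigning exactly one block to every variable.
    Because the blocks are disjoint, the cells partition gamma(state)."""
    names = list(state)
    for combo in product(*(sorted(state[n]) for n in names)):
        yield {n: frozenset({b}) for n, b in zip(names, combo)}


def best_transfer_by_cells(block, state: AbsState, memo=None) -> AbsState:
    """Same result as best_transfer, assembled from one query per cell.  On a
    disjoint-subset domain the best transformer distributes over cells, so each
    cell's answer is computed once and reused (memo) across the analysis."""
    memo = {} if memo is None else memo
    acc: AbsState = {n: frozenset() for n in state}
    for cell in cells(state):
        key = (block.__name__,) + tuple(sorted((n, next(iter(v))) for n, v in cell.items()))
        if key not in memo:
            memo[key] = best_transfer(block, cell)
        acc = join(acc, memo[key])
    return acc


# Two constructed statements and the block formed by running them in sequence.
def stmt_y_is_neg_x(cs: ConcState) -> ConcState:
    return {**cs, "y": -cs["x"]}


def stmt_z_is_x_plus_y(cs: ConcState) -> ConcState:
    return {**cs, "z": cs["x"] + cs["y"]}


def block_y_then_z(cs: ConcState) -> ConcState:
    return stmt_z_is_x_plus_y(stmt_y_is_neg_x(cs))


def statementwise(state: AbsState) -> AbsState:
    """Best transfer per statement, composed: the relation y == -x is lost."""
    return best_transfer(stmt_z_is_x_plus_y, best_transfer(stmt_y_is_neg_x, state))


def blocklevel(state: AbsState) -> AbsState:
    """Best transfer of the whole block: the relation survives and z == 0 is proved."""
    return best_transfer(block_y_then_z, state)


START: AbsState = {"x": frozenset({"NEG"}), "y": TOP, "z": TOP}

if __name__ == "__main__":
    print("statement-wise z:", sorted(statementwise(START)["z"]))  # ['NEG', 'POS', 'ZERO']
    print("block-level z:   ", sorted(blocklevel(START)["z"]))     # ['ZERO']
```

Two things are worth noticing. `best_transfer_by_cells` is the performance argument in miniature: because each variable's abstract value is a union of disjoint blocks, the best transformer of any state is the join of the transformers of its cells, so a single per-cell query table answers every state the analysis will ever ask about. `statementwise` versus `blocklevel` is the precision argument: composing the best transformer of `y = -x` with the best transformer of `z = x + y` forgets that `y` equals `-x` and yields the full domain for `z`, whereas abstracting the block as one symbolic function returns exactly ZERO.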

[1] Nikolaj Bjørner et al. Z3: An Efficient SMT Solver. TACAS, 2008.

[2] Alex Groce et al. Modular verification of software components in C. ICSE, 2003.

[3] Laurie Hendren et al. Soot: a Java bytecode optimization framework. CASCON, 2010.

[4] Todd Millstein et al. Automatic predicate abstraction of C programs. PLDI, 2001.

[5] Daniel Kroening et al. Predicate Abstraction of ANSI-C Programs Using SAT. Formal Methods in System Design, 2004.

[6] Thomas A. Henzinger et al. Lazy abstraction. POPL, 2002.

[7] Albert Oliveras et al. SMT Techniques for Fast Predicate Abstraction. CAV, 2006.

[8] Cormac Flanagan et al. Predicate abstraction for software verification. POPL, 2002.

[9] Patrick Cousot et al. Systematic design of program analysis frameworks. POPL, 1979.

[10] Matthew B. Dwyer et al. Green: reducing, reusing and recycling constraints in program analysis. SIGSOFT FSE, 2012.

[11] Hridesh Rajan et al. Boa: A language and infrastructure for analyzing ultra-large-scale software repositories. ICSE, 2013.

[12] Gary A. Kildall et al. A unified approach to global program optimization. POPL, 1973.

[13] Thomas W. Reps et al. TSL: A System for Generating Abstract Interpreters and its Application to Machine-Code Analysis. TOPL, 2013.

[14] Yannick Moy et al. A Software Analysis Perspective. 2012.

[15] Lori A. Clarke et al. A flexible architecture for building data flow analyzers. ICSE, 1995.

[16] Michael Stepp et al. An empirical study of Java bytecode programs. Software: Practice and Experience, 2007.

[17] Ji Wang et al. Interval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships. SAS, 2009.

[18] David Monniaux et al. Modular Abstractions of Reactive Nodes Using Disjunctive Invariants. APLAS, 2011.

[19] Sagar Chaki et al. Efficient Predicate Abstraction of Program Summaries. NASA Formal Methods, 2011.

[20] Thomas W. Reps et al. Bilateral Algorithms for Symbolic Abstraction. SAS, 2012.

[21] Nikolai Kosmatov et al. Frama-C - A Software Analysis Perspective. SEFM, 2012.

[22] Hassen Saïdi et al. Construction of Abstract State Graphs with PVS. CAV, 1997.

[23] Thomas W. Reps et al. Symbolic Implementation of the Best Transformer. VMCAI, 2004.

[24] Steven W. K. Tjiang et al. Sharlit—a tool for building optimizers. PLDI, 1992.

[25] Patrick Cousot et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. POPL, 1977.

[26] Natarajan Shankar et al. Abstract and Model Check While You Prove. CAV, 1999.

[27] Simon Peyton Jones et al. Hoopl: a modular, reusable library for dataflow analysis and transformation. 2010.

[28] Roberto Bagnara et al. The Parma Polyhedra Library: Toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems. Science of Computer Programming, 2006.