Widening as Abstract Domain

Verification by static analysis often hinges on precise numeric invariants. Numeric domains of infinite height can infer such invariants, but they require widening and narrowing, which complicate the fixpoint computation and are often too imprecise. Consequently, several strategies have been proposed to avoid the precision loss of widening or to narrow more cleverly. Most of these strategies are difficult to retrofit into an existing analysis, since they require a pre-analysis, an on-the-fly modification of the CFG, or changes to the fixpoint algorithm. We propose to encode widening, and its various refinements from the literature, as cofibered abstract domains that wrap standard numeric domains. This provides a modular way to add numeric analysis to any static analysis without modifying the fixpoint engine. Since these domains cannot make any assumptions about the structure of the program, the approach is suitable for analyzing executables, where the (potentially irreducible) CFG is reconstructed on the fly. Moreover, our domain-based approach not only matches the precision of more intrusive approaches from the literature but also needs fewer iterations to reach a fixpoint of loops than many heuristics that aim only for precision.
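The following Python sketch is an added illustration of the idea in the abstract and is not the paper's code, nor its cofibered construction: a plain interval domain is wrapped by a domain whose `join` decides, from its own iteration counter, when to act as widening. The generic Kleene engine only calls `join` and `leq`, so it is never told where or when to widen. Delayed widening and widening with thresholds are included as constructed stand-ins for the refinements the abstract refers to; the loop `while (x < 10) x = x + 1`, the delay of one iteration and the threshold set `{10}` are all assumed inputs chosen for the example.

```python
"""Widening hidden inside a wrapper abstract domain (added example).

The fixpoint engine only knows `join`, `leq` and the loop body's transfer
function.  Widening, its delay and its thresholds live in the wrapper's
`join`, so the engine is unchanged whether or not widening is in play.
"""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Interval:
    """Interval domain over the integers; lo > hi encodes bottom."""
    lo: float
    hi: float

    def is_bottom(self):
        return self.lo > self.hi

    def join(self, o):
        if self.is_bottom():
            return o
        if o.is_bottom():
            return self
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def leq(self, o):
        return self.is_bottom() or (not o.is_bottom() and o.lo <= self.lo and self.hi <= o.hi)

    def widen(self, o, thresholds=()):
        """A bound that grew is pushed to the next threshold beyond it, or to infinity."""
        if self.is_bottom():
            return o
        lo = self.lo if o.lo >= self.lo else max([t for t in thresholds if t <= o.lo], default=-inf)
        hi = self.hi if o.hi <= self.hi else min([t for t in thresholds if t >= o.hi], default=inf)
        return Interval(lo, hi)

    def meet_lt(self, c):  # abstract effect of the guard x < c
        return Interval(self.lo, min(self.hi, c - 1))

    def add(self, k):      # abstract effect of x = x + k
        return self if self.is_bottom() else Interval(self.lo + k, self.hi + k)


@dataclass(frozen=True)
class Widened:
    """Wrapper domain: a numeric element plus the state that drives widening.

    `delay` joins are performed normally before `join` starts widening; the
    `thresholds` are assumed to be supplied by the analysis (constructed here).
    """
    value: Interval
    count: int = 0
    delay: int = 1
    thresholds: tuple = ()

    def join(self, o):
        joined = self.value.join(o.value)
        if joined.leq(self.value):               # nothing new: already stable
            return self
        if self.count < self.delay:              # delayed widening: plain join first
            return Widened(joined, self.count + 1, self.delay, self.thresholds)
        return Widened(self.value.widen(joined, self.thresholds),
                       self.count + 1, self.delay, self.thresholds)

    def leq(self, o):
        return self.value.leq(o.value)

    def map(self, f):                            # lift a transfer function through the wrapper
        return Widened(f(self.value), self.count, self.delay, self.thresholds)


def fixpoint(entry, body, max_iter=1000):
    """Generic Kleene iteration; unaware of whether `join` widens."""
    state = entry
    for n in range(1, max_iter + 1):
        new = state.join(body(state))
        if new.leq(state):
            return state, n
        state = new
    raise RuntimeError("no fixpoint within max_iter")


def loop_body(v):
    """Constructed loop:  while (x < 10) x = x + 1"""
    return v.meet_lt(10).add(1)


def run_plain():
    return fixpoint(Interval(0, 0), loop_body)


def run_widened(delay=1, thresholds=()):
    entry = Widened(Interval(0, 0), delay=delay, thresholds=thresholds)
    return fixpoint(entry, lambda s: s.map(loop_body))


def narrow_once(entry, state, body):
    """One decreasing iteration: re-run the body from the widened invariant
    and join with the entry state, without widening."""
    return entry.value.join(body(state).value)


if __name__ == "__main__":
    print("plain intervals      :", run_plain())                   # [0,10] after 11 iterations
    print("widened, threshold 10:", run_widened(thresholds=(10,)))  # [0,10] after 3 iterations
    st, n = run_widened()
    print("widened, no threshold:", st.value, n,                    # [0,inf] after 3 iterations
          "-> narrowed:", narrow_once(Widened(Interval(0, 0)), st, lambda s: s.map(loop_body)))
```

Plain intervals creep up one step per iteration and need eleven rounds to settle on `[0, 10]`; the wrapper reaches the same invariant in three rounds when the guard constant is available as a threshold, and without thresholds it overshoots to `[0, +inf]` in three rounds, after which a single decreasing iteration recovers `[0, 10]`. Only the wrapper changed between the runs; `fixpoint` is identical.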
