A parametric segmentation functor for fully automatic and scalable array content analysis

We introduce FunArray, a parametric segmentation abstract domain functor for the fully automatic and scalable analysis of array content properties. The functor enables a natural, painless and efficient lifting of existing abstract domains for scalar variables to the analysis of uniform compound data-structures such as arrays and collections. The analysis automatically and semantically divides arrays into consecutive non-overlapping possibly empty segments. Segments are delimited by sets of bound expressions and abstracted uniformly. All symbolic expressions appearing in a bound set are equal in the concrete. The FunArray can be naturally combined via reduced product with any existing analysis for scalar variables. The analysis is presented as a general framework parameterized by the choices of bound expressions, segment abstractions and the reduction operator. Once the functor has been instantiated with fixed parameters, the analysis is fully automatic. We first prototyped FunArray in Arrayal to adjust and experiment with the abstractions and the algorithms to obtain the appropriate precision/ratio cost. Then we implemented it into Clousot, an abstract interpretation-based static contract checker for .NET. We empirically validated the precision and the performance of the analysis by running it on the main libraries of .NET and on its own code. We were able to infer thousands of non-trivial invariants and verify the implementation with a modest overhead (circa 1%). To the best of our knowledge this is the first analysis of this kind applied to such a large code base, and proven to scale.

[1]  Nicolas Halbwachs,et al.  Discovering properties about arrays in simple programs , 2008, PLDI '08.

[2]  Bertrand Meyer,et al.  Eiffel: The Language , 1991 .

[3]  Andreas Podelski,et al.  Abstraction Refinement for Quantified Array Assertions , 2009, SAS.

[4]  Thomas A. Henzinger,et al.  Path invariants , 2007, PLDI '07.

[5]  Ranjit Jhala,et al.  Array Abstractions from Proofs , 2007, CAV.

[6]  Kenneth L. McMillan,et al.  Quantified Invariant Generation Using an Interpolating Saturation Prover , 2008, TACAS.

[7]  Antoine Miné,et al.  The octagon abstract domain , 2001, High. Order Symb. Comput..

[8]  Gary A. Kildall,et al.  A unified approach to global program optimization , 1973, POPL.

[9]  Patrick Cousot,et al.  Combination of Abstractions in the ASTRÉE Static Analyzer , 2006, ASIAN.

[10]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[11]  Patrick Cousot,et al.  Verification by Abstract Interpretation , 2003, Verification: Theory and Practice.

[12]  Manuel Fähndrich,et al.  On the Relative Completeness of Bytecode Analysis Versus Source Code Analysis , 2008, CC.

[13]  Isil Dillig,et al.  Fluid Updates: Beyond Strong vs. Weak Updates , 2010, ESOP.

[14]  David L. Dill,et al.  Timing Assumptions and Verification of Finite-State Concurrent Systems , 1989, Automatic Verification Methods for Finite State Systems.

[15]  Francesco Logozzo,et al.  Class-Level Modular Analysis for Object Oriented Languages , 2003, SAS.

[16]  Gary T. Leavens,et al.  Beyond Assertions: Advanced Specification and Verification with JML and ESC/Java2 , 2005, FMCO.

[17]  Thomas W. Reps,et al.  A framework for numeric analysis of array operations , 2005, POPL '05.

[18]  Francesco Logozzo,et al.  SubPolyhedra: A (More) Scalable Approach to Infer Linear Inequalities , 2009, VMCAI.

[19]  Michael Karr,et al.  Affine relationships among variables of a program , 1976, Acta Informatica.

[20]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[21]  Manuel Fähndrich,et al.  Pentagons: a weakly relational abstract domain for the efficient validation of array accesses , 2008, SAC '08.

[22]  Sumit Gulwani,et al.  Lifting abstract interpreters to quantified logical domains , 2008, POPL '08.

[23]  Manuel Fähndrich,et al.  Static Contract Checking with Abstract Interpretation , 2010, FoVeOOS.

[24]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[25]  Peter W. O'Hearn,et al.  Scalable Shape Analysis for Systems Code , 2008, CAV.

[26]  Robert E. Shostak,et al.  Deciding Linear Inequalities by Computing Loop Residues , 1981, JACM.

[27]  Dong-Ho Cho,et al.  Packet-scheduling algorithm based on priority of separate buffers for unicast and multicast services , 2003 .

[28]  Nikolaj Bjørner,et al.  Z3: An Efficient SMT Solver , 2008, TACAS.

[29]  Cormac Flanagan,et al.  Predicate abstraction for software verification , 2002, POPL '02.

[30]  Deepak Kapur,et al.  Heap analysis in the presence of collection libraries , 2007, PASTE '07.

[31]  Andrei Voronkov,et al.  Finding Loop Invariants for Programs over Arrays Using a Theorem Prover , 2009, FASE.

[32]  V. Pratt Two Easy Theories Whose Combination is Hard , 2002 .

[33]  Manuel Fähndrich,et al.  Embedded contract languages , 2010, SAC '10.

[34]  Bor-Yuh Evan Chang,et al.  Boogie: A Modular Reusable Verifier for Object-Oriented Programs , 2005, FMCO.

[35]  Isil Dillig,et al.  Precise reasoning for programs using containers , 2011, POPL '11.