Inferring Disjunctive Postconditions

Polyhedral analysis [9] is an abstract interpretation used for the automatic discovery of invariant linear inequalities among the numerical variables of a program. The convexity of this abstract domain allows efficient analysis, but it also loses precision through the convex-hull and widening operators. To selectively recover this loss of precision, sets of polyhedra (disjunctive elements) may be used to capture more precise invariants. However, a balance must be struck between precision and cost. We introduce the notion of affinity to characterize how closely related a pair of polyhedra is. Finding related elements in the polyhedron (base) domain allows the formulation of precise hull and widening operators lifted to the disjunctive (powerset extension of the) polyhedron domain. We have implemented a modular static analyzer based on disjunctive polyhedral analysis, in which the relational domain and the proposed operators can progressively enhance precision at a reasonable cost.
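The abstract describes three ideas at once: the precision lost by a single convex hull, the use of a bounded set of disjuncts to avoid that loss, and an affinity measure that decides which disjuncts to merge or widen together. The following is an added example, not code from the paper or its analyzer. It simplifies polyhedra to intervals over one integer variable (an interval [lo, hi] is the polyhedron {x >= lo, x <= hi}) so that hull and widening are one-liners, and it uses its own assumed affinity measure: the fraction of the hull's integer points that are covered by the two operands, so that an affinity of 1.0 means the hull is exact. The maximum number of disjuncts, the affinity threshold for widening, and all sample intervals are constructed for the example.

```python
"""Bounded disjunctive (powerset) interval domain with an affinity-guided
join and a widening lifted from the base domain.  Intervals stand in for
polyhedra; the affinity measure is this example's own assumption."""
from typing import List, Tuple

INF = float("inf")
Interval = Tuple[float, float]   # (lo, hi); -INF / INF mark unbounded sides
Disj = List[Interval]            # a disjunctive element: a set of intervals


def size(i: Interval) -> float:
    """Number of integer points in the interval (INF when unbounded)."""
    return i[1] - i[0] + 1


def hull(a: Interval, b: Interval) -> Interval:
    """Convex hull: the smallest single interval containing both operands."""
    return (min(a[0], b[0]), max(a[1], b[1]))


def affinity(a: Interval, b: Interval) -> float:
    """Assumed measure: share of hull(a, b) that lies in a or in b.
    1.0 means hull(a, b) == a ∪ b, so merging loses nothing; a small value
    means the hull would admit many states neither operand contains."""
    h = hull(a, b)
    overlap = max(0.0, min(a[1], b[1]) - max(a[0], b[0]) + 1)
    if size(h) == INF:
        # Unbounded hull: only an overlapping or touching pair counts as exact.
        return 1.0 if a[0] <= b[1] + 1 and b[0] <= a[1] + 1 else 0.0
    return (size(a) + size(b) - overlap) / size(h)


def normalize(d: Disj, max_disjuncts: int) -> Disj:
    """Merge exact pairs (affinity 1.0) unconditionally; then, while the
    element still has more than max_disjuncts intervals, merge the pair
    whose hull is least imprecise, i.e. the most affine pair."""
    d = sorted(set(d))
    while len(d) > 1:
        aff, i, j = max((affinity(a, b), i, j) for i, a in enumerate(d)
                        for j, b in enumerate(d) if i < j)
        if aff < 1.0 and len(d) <= max_disjuncts:
            break
        merged = hull(d[i], d[j])
        d = sorted([x for k, x in enumerate(d) if k not in (i, j)] + [merged])
    return d


def join(d1: Disj, d2: Disj, max_disjuncts: int) -> Disj:
    """Disjunctive join: keep both sides' disjuncts and let affinity decide
    which ones to collapse, instead of taking one hull over everything."""
    return normalize(d1 + d2, max_disjuncts)


def widen_interval(old: Interval, new: Interval) -> Interval:
    """Base-domain widening: a bound that moved is pushed to infinity."""
    lo = old[0] if new[0] >= old[0] else -INF
    hi = old[1] if new[1] <= old[1] else INF
    return (lo, hi)


def widen(old: Disj, new: Disj, max_disjuncts: int,
          threshold: float = 0.5) -> Disj:
    """Widening lifted to the powerset: each new disjunct is widened against
    the most affine old disjunct when one is affine enough (assumed
    threshold), rather than widening hull(old) against hull(new)."""
    result = list(old)
    for n in new:
        if old:
            aff, o = max((affinity(o, n), o) for o in old)
            if aff >= threshold:
                result.append(widen_interval(o, n))
                continue
        result.append(n)
    return normalize(result, max_disjuncts)


if __name__ == "__main__":
    # Constructed sample: two branches leave x in [0,2] or in [10,12].
    print(hull((0, 2), (10, 12)))                      # convex: (0, 12)
    print(join([(0, 2)], [(10, 12)], 2))               # disjunctive: both kept
    # A third disjunct with a budget of 2: affinity picks the cheapest merge.
    print(join([(0, 2), (10, 12)], [(20, 30)], 2))     # [(0, 2), (10, 30)]
    # Lifted widening keeps the gap between the two disjuncts.
    print(widen([(-5, -3), (0, 2)], [(-5, -3), (0, 3)], 2))
```

The last call shows the point of widening against the most affine base element: the growing disjunct [0,2] → [0,3] is widened to [0,+inf) while [-5,-3] is left alone, whereas widening the two hulls [-5,2] and [-5,3] would yield [-5,+inf) and lose the fact that x is never in [-2,-1].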

[1] Xavier Rival et al. Trace Partitioning in Abstract Interpretation Based Static Analyzers. ESOP, 2005.

[2] Rajeev Alur et al. A Temporal Logic of Nested Calls and Returns. TACAS, 2004.

[3] Wei-Ngan Chin et al. Deriving Pre-Conditions for Array Bound Check Elimination. APLAS, 2001.

[4] Shuvendu K. Lahiri et al. Indexed Predicate Discovery for Unbounded System Verification. CAV, 2004.

[5] Nicolas Halbwachs et al. Détermination automatique de relations linéaires vérifiées par les variables d'un programme. 1979.

[6] William Pugh et al. The Omega test: A fast and practical integer programming algorithm for dependence analysis. Proceedings of the 1991 ACM/IEEE Conference on Supercomputing (Supercomputing '91), 1991.

[7] William Pugh et al. A practical algorithm for exact array dependence analysis. CACM, 1992.

[8] Patrick Cousot et al. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. POPL, 1977.

[9] Patrick Cousot et al. Semantic foundations of program analysis. 1981.

[10] Patrick Cousot et al. A static analyzer for large safety-critical software. PLDI, 2003.

[11] Patrick Cousot et al. Systematic design of program analysis frameworks. POPL, 1979.

[12] Neil D. Jones et al. Program Flow Analysis: Theory and Application. 1981.

[13] Peter Lee et al. Trace-based program analysis. POPL '96, 1996.

[14] Norihisa Suzuki et al. Implementation of an array bound checker. POPL, 1977.

[15] Jack J. Dongarra et al. The LINPACK Benchmark: past, present and future. Concurrency and Computation: Practice and Experience, 2003.

[16] Harald Ganzinger et al. Programs as Data Objects. Lecture Notes in Computer Science, 1986.

[17] Antoine Miné et al. A New Numerical Abstract Domain Based on Difference-Bound Matrices. PADO, 2001.

[18] Patrick Cousot et al. Static determination of dynamic properties of programs. 1976.

[19] Roberto Bagnara et al. Widening operators for powerset domains. International Journal on Software Tools for Technology Transfer, 2005.

[20] K. Rustan M. Leino et al. Loop Invariants on Demand. APLAS, 2005.

[21] Kousha Etessami et al. Analysis of Recursive Game Graphs Using Data Flow Equations. VMCAI, 2004.

[22] Cormac Flanagan et al. Predicate abstraction for software verification. POPL '02, 2002.

[23] Nicolas Halbwachs et al. Automatic discovery of linear restraints among variables of a program. POPL, 1978.

[24] Sriram K. Rajamani et al. Counterexample Driven Refinement for Abstract Interpretation. TACAS, 2006.

[25] Josef Svenningsson et al. Constraint Abstractions. PADO, 2001.

[26] Roberto Giacobazzi et al. Optimal Domains for Disjunctive Abstract Interpretation. Science of Computer Programming, 1998.

[27] Sriram Sankaranarayanan et al. Static Analysis in Disjunctive Numerical Domains. SAS, 2006.