Refining the control structure of loops using static analysis

We present a simple yet useful technique for refining the control structure of loops that occur in imperative programs. Loops containing complex control flow are common in synchronous embedded controllers derived from modeling languages such as Lustre, Esterel, and Simulink/Stateflow. Our approach uses a set of labels to distinguish the different control paths inside a given loop. The iterations of the loop are abstracted as a finite state automaton over these labels. Subsequently, we use static analysis techniques to identify infeasible iteration sequences and subtract such forbidden sequences from the initial language to obtain a refinement. In practice, refining the language of control flow sequences often simplifies the control flow patterns in the loop. We have applied the refinement technique to improve the precision of abstract interpretation in the presence of widening. Our experiments on a set of complex reactive loop benchmarks clearly show the utility of our refinement technique. Abstract interpretation with our refinement technique verified all the properties for 10 out of the 13 benchmarks, while abstract interpretation without refinement verified them for only four. Other potentially useful applications include termination analysis and reverse engineering models from source code.
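The pipeline the abstract describes, carried through on a small loop as an added worked example (constructed for this page; it is not the authors' implementation): each control path through one iteration gets a label, an interval analysis with widening and narrowing is run on the unrefined loop and loses every bound on the counter, infeasible label sequences are then identified using that coarse invariant and subtracted from the label language, and the same analysis on the refined loop structure proves the bound. The up/down counter, the labels a1, a2, b1, b2, the restriction of "forbidden sequences" to pairs of consecutive labels, and the `refine` step that only handles a refined automaton shaped as a cycle of self-looping phases are all assumptions of this example, not claims about the paper's algorithm.

```python
from functools import reduce
from itertools import product
from math import inf

BOT = None  # bottom element: no reachable state

# --- interval domain: abstract state = {var: (lo, hi)} -----------------------
def join(s, t):
    if s is BOT or t is BOT: return t if s is BOT else s
    return {v: (min(s[v][0], t[v][0]), max(s[v][1], t[v][1])) for v in s}

def widen(s, t):  # a bound that moved outward is pushed to infinity
    if s is BOT or t is BOT: return t if s is BOT else s
    return {v: (s[v][0] if t[v][0] >= s[v][0] else -inf,
                s[v][1] if t[v][1] <= s[v][1] else inf) for v in s}

def narrow(s, t):  # only the infinite bounds of s are tightened to those of t
    if s is BOT or t is BOT: return BOT
    return {v: (t[v][0] if s[v][0] == -inf else s[v][0],
                t[v][1] if s[v][1] == inf else s[v][1]) for v in s}

def leq(s, t):
    if s is BOT or t is BOT: return s is BOT
    return all(t[v][0] <= s[v][0] and s[v][1] <= t[v][1] for v in s)

# statements: ("add", v, c) is v += c; ("set", v, c) is v = c; ("assume", v, op, c) keeps
# only the integer values of v with v op c (op in ==, <, <=, >, >=).
def post(stmt, s):
    if s is BOT: return BOT
    s, (lo, hi) = dict(s), s[stmt[1]]
    if stmt[0] == "add": lo, hi = lo + stmt[2], hi + stmt[2]
    elif stmt[0] == "set": lo = hi = stmt[2]
    else:
        op, c = stmt[2], stmt[3]
        if op == "==": lo, hi = max(lo, c), min(hi, c)
        elif op in ("<", "<="): hi = min(hi, c - (op == "<"))
        else: lo = max(lo, c + (op == ">"))
    if lo > hi: return BOT
    s[stmt[1]] = (lo, hi)
    return s

def run(stmts, s):
    return reduce(lambda st, stmt: post(stmt, st), stmts, s)

# --- loop under analysis (constructed up/down counter), one label per control path:
# while (1) { if (d == 1) { x++; if (x >= 10) d = 0; } else { x--; if (x <= 0) d = 1; } }
PATHS = {
    "a1": [("assume", "d", "==", 1), ("add", "x", 1), ("assume", "x", "<", 10)],
    "a2": [("assume", "d", "==", 1), ("add", "x", 1), ("assume", "x", ">=", 10), ("set", "d", 0)],
    "b1": [("assume", "d", "==", 0), ("add", "x", -1), ("assume", "x", ">", 0)],
    "b2": [("assume", "d", "==", 0), ("add", "x", -1), ("assume", "x", "<=", 0), ("set", "d", 1)],
}
ENTRY = {"x": (0, 0), "d": (1, 1)}
FLAT = [("loop", [("choice", [("path", l) for l in PATHS])])]  # unrefined: (a1|a2|b1|b2)*

def analyze(nodes, s, heads):
    """Interpret a node sequence from state s; every loop head reached goes into heads."""
    for node in nodes:
        if node[0] == "path":
            s = run(PATHS[node[1]], s)
        elif node[0] == "choice":
            s = reduce(join, (analyze([n], s, heads) for n in node[1]), BOT)
        else:  # ("loop", body): widen up to a post-fixpoint, then a few decreasing steps
            head = s
            while True:
                nxt = widen(head, join(s, analyze(node[1], head, [])))
                if leq(nxt, head): break
                head = nxt
            for _ in range(3): head = narrow(head, join(s, analyze(node[1], head, [])))
            heads.append(head)
            analyze(node[1], head, heads)  # record inner loop heads at the final value
            s = head                       # the loop may stop after any iteration
    return s

def loop_invariant(structure):  # join of all loop heads = what holds when an iteration starts
    heads = []
    analyze(structure, ENTRY, heads)
    return reduce(join, heads, BOT)

def feasible_successors(labels, inv):
    """Keep pair l1 l2 unless l2's guards are unsatisfiable after running l1 from inv."""
    succ = {l: [] for l in labels}
    for l1, l2 in product(labels, repeat=2):
        if run(PATHS[l2], run(PATHS[l1], inv)) is not BOT:
            succ[l1].append(l2)
    return succ

def refine(succ):
    """Rebuild a successor graph that is one cycle of (optionally self-looping) labels
    as nested loops (l1* l2 ... ln*)*; other automaton shapes are not handled here."""
    start = l = next(l for l in PATHS if run(PATHS[l], ENTRY) is not BOT)
    body = []
    while True:
        body.append(("loop", [("path", l)]) if l in succ[l] else ("path", l))
        (l,) = [m for m in succ[l] if m != l]  # exactly one way out of this phase
        if l == start:
            return [("loop", body)]

if __name__ == "__main__":
    refined = refine(feasible_successors(list(PATHS), loop_invariant(FLAT)))
    print(refined, loop_invariant(refined))  # refined heads give 0 <= x <= 10
```

On the flat loop the single head widens `x` to (-inf, inf), because increments and decrements are joined at one point and no guard bounds `x` on its own. The pair check run from that coarse invariant still rules out, for instance, a down-step directly after an up-step, and the surviving pairs form the cycle a1* a2 b1* b2. Analysing that structure with the same intervals and the same widening gives `x` in [0, 9] at the up phase and [1, 10] at the down phase, hence 0 <= x <= 10 overall, which is the precision gain in the presence of widening that the abstract reports.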
