Improving static analyses of C programs with conditional predicates

Static code analysis is increasingly used to guarantee the absence of undesirable behaviors in industrial programs. Designing sound analyses is a continuing trade-off between precision and complexity. Notably, dataflow analyses often perform overly wide approximations when two control-flow paths meet, by merging the states from each path. This paper presents a generic abstract-interpretation-based framework to enhance the precision of such analyses at join points. It relies on predicated domains, which preserve and reuse information that is valid only inside some branches of the code. Our predicates are derived from conditional statements, and postpone the loss of information. The work has been integrated into Frama-C, a C source code analysis platform. Experiments on real generated code show that our approach scales, and significantly improves the precision of the existing analyses of Frama-C.

We automatically extend existing abstract domains. The new information reflects the structure of the conditionals of the program. This approach keeps path-sensitive information. Our transfer functions have been designed to scale on real programs. Our technique has been successfully applied to complex generated programs.
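To make the join-point problem and the predicated-domain idea concrete, here is an added example that is not code from the paper or from Frama-C. It is a toy interval analysis over a tiny constructed program model (constant-interval assignments, `if` on comparisons with a constant, no loops, so no widening is needed). Run once with a plain interval domain, the analysis merges `y` to `[-1, 1]` after the first conditional and never recovers; run with a predicated domain that records, for each branch condition `c` and its negation, the state that held under `c`, the second test of the same condition re-establishes `y == 1` and `y == -1` in its branches. Assigning to `x` drops every predicate that mentions `x`, so the third test correctly falls back to the merged value. All names (`PState`, `analyze`, the statement tuples, the variables `x`, `y`, `z`) are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# ---- interval lattice; a state is {var: (lo, hi)}, None means unreachable (bottom)
def join_state(s1, s2):
    if s1 is None: return s2
    if s2 is None: return s1
    return {v: (min(s1[v][0], s2[v][0]), max(s1[v][1], s2[v][1]))
            for v in s1 if v in s2}          # a variable known on one side only is unconstrained

def meet_state(s1, s2):
    if s1 is None or s2 is None: return None
    out = dict(s1)
    for v, (lo, hi) in s2.items():
        if v in out:
            lo, hi = max(out[v][0], lo), min(out[v][1], hi)
            if lo > hi: return None           # contradictory facts: this path is infeasible
        out[v] = (lo, hi)
    return out

# ---- conditions are (var, op, const) with op in {">", "<="}; constructed syntax
def negate(c):
    v, op, k = c
    return (v, "<=" if op == ">" else ">", k)

def filter_state(s, c):
    """Refine s by assuming condition c holds (None if that is impossible)."""
    if s is None: return None
    v, op, k = c
    if v not in s: return s                   # nothing known about v: no refinement, still sound
    lo, hi = s[v]
    lo, hi = (max(lo, k + 1), hi) if op == ">" else (lo, min(hi, k))
    return None if lo > hi else {**s, v: (lo, hi)}

# ---- predicated state: the merged state plus "condition -> state valid under it"
@dataclass
class PState:
    base: dict | None
    preds: dict                               # maps a condition to the state known under it

def assign(ps, var, iv):
    upd = lambda s: None if s is None else {**s, var: iv}
    # predicates whose condition tests the overwritten variable are no longer meaningful
    return PState(upd(ps.base), {c: upd(s) for c, s in ps.preds.items() if c[0] != var})

def join_ps(p1, p2):
    preds = {}
    for c in set(p1.preds) | set(p2.preds):
        # a side without a predicate for c only knows its own state restricted to c
        preds[c] = join_state(p1.preds.get(c, filter_state(p1.base, c)),
                              p2.preds.get(c, filter_state(p2.base, c)))
    return PState(join_state(p1.base, p2.base), preds)

def run(stmts, ps, use_preds, labels):
    for st in stmts:
        if st[0] == "assign":
            ps = assign(ps, st[1], st[2])
        elif st[0] == "label":
            labels[st[1]] = ps.base            # record the merged state at this program point
        elif st[0] == "if":
            c, then_b, else_b = st[1:]
            branches = []
            for cond, body in ((c, then_b), (negate(c), else_b)):
                entry = filter_state(ps.base, cond)
                if use_preds and cond in ps.preds:
                    # reuse what an earlier test of the same condition established
                    entry = meet_state(entry, ps.preds[cond])
                inner_preds = ({k: filter_state(s, cond) for k, s in ps.preds.items()}
                               if use_preds else {})
                out = run(body, PState(entry, inner_preds), use_preds, labels)
                if use_preds:
                    out.preds[cond] = out.base  # new predicate derived from this conditional
                branches.append(out)
            ps = join_ps(*branches)
    return ps

# constructed program: x is an unknown input; y is set by the first conditional
PROGRAM = [
    ("assign", "x", (-10, 10)),
    ("if", ("x", ">", 0), [("assign", "y", (1, 1))], [("assign", "y", (-1, -1))]),
    ("assign", "z", (0, 0)),                   # unrelated write: predicates on x survive it
    ("if", ("x", ">", 0), [("label", "then2")], [("label", "else2")]),
    ("assign", "x", (-10, 10)),                # x overwritten: predicates on x are dropped
    ("if", ("x", ">", 0), [("label", "then3")], []),
]

def analyze(program, use_preds):
    """Return {label: interval state} for every labelled point of the program."""
    labels = {}
    run(program, PState({}, {}), use_preds, labels)
    return labels

if __name__ == "__main__":
    for mode in (False, True):
        print("predicated" if mode else "plain", analyze(PROGRAM, mode))
```

The plain run reports `y` in `[-1, 1]` at `then2`, while the predicated run reports `[1, 1]` at `then2` and `[-1, -1]` at `else2`; at `then3`, after `x` has been reassigned, both runs agree on `[-1, 1]`. The join rule is the part to study: a side that carries no predicate for `c` contributes its own base state filtered by `c`, which is bottom for the branch where `c` was false, so the branch-specific facts survive the merge without any disjunction of whole states.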
