Guided Static Analysis

In static analysis, the semantics of the program is expressed as a set of equations. The equations are solved iteratively over some abstract domain. If the abstract domain is distributive and satisfies the ascending-chain condition, an iterative technique yields the most precise solution for the equations. However, if the above properties are not satisfied, the solution obtained is typically imprecise. Moreover, due to the properties of widening operators, the precision loss is sensitive to the order in which the state-space is explored. In this paper, we introduce guided static analysis, a framework for controlling the exploration of the state-space of a program. The framework guides the statespace exploration by applying standard static-analysis techniques to a sequence of modified versions of the analyzed program. As such, the framework does not require any modifications to existing analysis techniques, and thus can be easily integrated into existing static-analysis tools. We present two instantiations of the framework, which improve the precision of widening in (i) loops with multiple phases and (ii) loops in which the transformation performed on each iteration is chosen non-deterministically.

[1]  Nicolas Halbwachs,et al.  Verification of Real-Time Systems using Linear Relation Analysis , 1997, Formal Methods Syst. Des..

[2]  Eric Goubault,et al.  A Policy Iteration Algorithm for Computing Fixed Points in Static Analysis of Programs , 2005, CAV.

[3]  François Bourdoncle,et al.  Efficient chaotic iteration strategies with widenings , 1993, Formal Methods in Programming and Their Applications.

[4]  Xavier Rival,et al.  Trace Partitioning in Abstract Interpretation Based Static Analyzers , 2005, ESOP.

[5]  Thomas W. Reps,et al.  Lookahead Widening , 2006, CAV.

[6]  Ankur Taly,et al.  Static Analysis by Policy Iteration on Relational Domains , 2007, ESOP.

[7]  Shmuel Sagiv,et al.  TVLA: A System for Implementing Static Analyses , 2000, SAS.

[8]  Koushik Sen DART: Directed Automated Random Testing , 2009, Haifa Verification Conference.

[9]  Kousha Etessami,et al.  Analysis of Recursive Game Graphs Using Data Flow Equations , 2004, VMCAI.

[10]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[11]  Ofer Strichman,et al.  Proof-guided underapproximation-widening for multi-process systems , 2005, POPL '05.

[12]  Nicolas Halbwachs,et al.  Combining Widening and Acceleration in Linear Relation Analysis , 2006, SAS.

[13]  Brian Campbell,et al.  Amortised Memory Analysis Using the Depth of Data Structures , 2009, ESOP.

[14]  Roberto Bagnara,et al.  Possibly Not Closed Convex Polyhedra and the Parma Polyhedra Library , 2002, SAS.

[15]  Sorin Lerner,et al.  ESP: path-sensitive program verification in polynomial time , 2002, PLDI '02.

[16]  P. Hill,et al.  Widening operators for powerset domains , 2006 .

[17]  Sriram Sankaranarayanan,et al.  Static Analysis in Disjunctive Numerical Domains , 2006, SAS.

[18]  Thomas Reps,et al.  WPDS++: A C++ library for weighted pushdown systems , 2005 .

[19]  Patrick Cousot,et al.  Design and Implementation of a Special-Purpose Static Program Analyzer for Safety-Critical Real-Time Embedded Software , 2002, The Essence of Computation.

[20]  Thomas A. Henzinger,et al.  Lazy abstraction , 2002, POPL '02.