Computing partially path-sensitive MFP solutions in data flow analyses

Data flow analysis traverses paths in a control flow graph (CFG) representation of programs to compute useful information. Many of these paths are infeasible, i.e., they cannot arise in any possible execution. The information computed along these paths adds imprecision to the conventional Maximal Fixed Point (MFP) solution of a data flow analysis. Existing approaches for removing this imprecision are either specific to a data flow problem or involve control flow graph restructuring, which has exponential complexity. We introduce partial path-sensitivity to the MFP solution by identifying clusters of minimal infeasible path segments to distinguish between the data flowing along feasible and infeasible control flow paths. This allows us to lift any data flow analysis to an analysis over k+1 tuples, where k is the number of clusters. Our flow function for a k+1 tuple shifts the values of the underlying analysis from an element in the tuple to other element(s) at the start and end of a cluster as appropriate. This allows us to maintain the distinctions where they are beneficial. Since k is linear in the number of conditional edges in the CFG, the effort is multiplied by a factor that is linear in the number of conditional edges (and is not exponential, unlike conventional approaches of achieving path sensitivity). We have implemented our method of computing partially path-sensitive MFP for reaching definitions analysis and value range analysis of variables. Our measurements on benchmark programs show up to 9% reduction in the number of reaching definitions and up to 14% of cases where the value range of a variable is smaller.
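The lifting described above, worked through for reaching definitions with a single cluster (k = 1), as an added example that is not the authors' code. The CFG, the edge sets `START`/`INNER`/`END`, the use of `None` for a component that no path reaches, and the exact shifting rules in `edge_flow` are assumptions made for this sketch; the abstract only states that values move between tuple elements at the start and end of a cluster.

```python
# Constructed CFG (not from the paper); assumes p is not modified between the two tests.
#  1: a = 0 (d1)   2: if p   3: a = 5 (d2)   4: join   5: if not p   6: use a   7: exit
EDGES = [(1, 2), (2, 3), (2, 4), (3, 4), (4, 5), (5, 6), (5, 7), (6, 7)]
GEN = {1: {"d1"}, 3: {"d2"}}          # both definitions write `a`
KILL = {1: {"d2"}, 3: {"d1"}}
# One cluster (k = 1): taking 2->3 (p true) and later 5->6 (p false) is infeasible.
START, INNER, END = {(2, 3)}, {(3, 4), (4, 5)}, {(5, 6)}

def join(x, y):
    """Union of two definition sets; None means 'no path carries data here'."""
    if x is None:
        return y
    if y is None:
        return x
    return x | y

def node_flow(n, d):
    """Reaching-definitions transfer; an unreachable component stays unreachable."""
    return None if d is None else (d - KILL.get(n, set())) | GEN.get(n, set())

def edge_flow(e, pair, lifted):
    """Shift values between the plain component d0 and the cluster component d1."""
    d0, d1 = pair
    if not lifted or e in INNER: return (d0, d1)   # keep the distinction
    if e in START: return (None, join(d0, d1))     # data enters the cluster
    if e in END: return (d0, None)                 # blocked: infeasible here
    return (join(d0, d1), None)                    # left the cluster: merge back

def solve(lifted):
    """Round-robin fixed point over pairs; returns the definitions reaching each node."""
    nodes = sorted({n for e in EDGES for n in e})
    IN = {n: (None, None) for n in nodes}
    IN[1] = (frozenset(), None)                    # boundary value at entry
    changed = True
    while changed:
        changed = False
        for n in nodes[1:]:
            new = (None, None)
            for (u, v) in EDGES:
                if v == n:
                    out = tuple(node_flow(u, d) for d in IN[u])
                    new = tuple(map(join, new, edge_flow((u, v), out, lifted)))
            if new != IN[n]:
                IN[n], changed = new, True
    return {n: set(join(*IN[n]) or ()) for n in nodes}
```

With `lifted=False` this is the conventional MFP and both definitions reach node 6; with `lifted=True` only `d1` does, while node 7, which is reachable along feasible paths through node 3, still sees both.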
