Automatically Testing Implementations of Numerical Abstract Domains

Static program analyses are routinely applied as the basis of code optimizations and to detect safety and security issues in software systems. For their results to be reliable, static analyses should be sound (i.e., should not produce false negatives) and precise (i.e., should report a low number of false positives). Even though it is possible to prove properties of the design of a static analysis, ensuring soundness and precision for its implementation is challenging. Complex algorithms and sophisticated optimizations make static analyzers difficult to implement and test. In this paper, we present an automatic technique to test, among other properties, the soundness and precision of abstract domains, the core of all static analyzers based on abstract interpretation. In order to cover a wide range of test data and input states, we construct inputs by applying sequences of abstract-domain operations to representative domain elements, and vary the operations through gray-box fuzzing. We use mathematical properties of abstract domains as test oracles. Our experimental evaluation demonstrates the effectiveness of our approach. We detected several previously unknown soundness and precision errors in widely-used abstract domains. Our experiments also show that our approach is more effective than dynamic symbolic execution and than fuzzing the test inputs directly.

[1]  Dawson R. Engler,et al.  KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs , 2008, OSDI.

[2]  Koen Claessen,et al.  QuickCheck: a lightweight tool for random testing of Haskell programs , 2000, ICFP.

[3]  Xuejun Yang,et al.  Testing Static Analyzers with Randomly Generated Programs , 2012, NASA Formal Methods.

[4]  Valentin Wüstholz,et al.  Bounded Abstract Interpretation , 2016, SAS.

[5]  David Monniaux,et al.  PAGAI: A Path Sensitive Static Analyser , 2012, Electron. Notes Theor. Comput. Sci..

[6]  H. Le Verge,et al.  A Note on Chernikova's algorithm , 1992 .

[7]  Manuel Fähndrich,et al.  Static Contract Checking with Abstract Interpretation , 2010, FoVeOOS.

[8]  Bertrand Jeannet,et al.  Apron: A Library of Numerical Abstract Domains for Static Analysis , 2009, CAV.

[9]  Dawson R. Engler,et al.  Execution Generated Test Cases: How to Make Systems Code Crash Itself , 2005, SPIN.

[10]  Anders Møller,et al.  QuickChecking static analysis properties , 2017, Softw. Test. Verification Reliab..

[11]  Zhendong Su,et al.  Finding and Analyzing Compiler Warning Defects , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[12]  Markus Püschel,et al.  A practical construction for decomposing numerical abstract domains , 2017, Proc. ACM Program. Lang..

[13]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[14]  Anders Møller,et al.  Systematic approaches for increasing soundness and precision of static analyzers , 2017, SOAP@PLDI.

[15]  Catherine Dubois Proving ML Type Soundness Within Coq , 2000, TPHOLs.

[16]  Eric Goubault,et al.  The Zonotope Abstract Domain Taylor1+ , 2009, CAV.

[17]  Cristian Cadar,et al.  Automatic testing of symbolic execution engines via program generation and differential testing , 2017, 2017 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE).

[18]  Patrick Cousot,et al.  Static determination of dynamic properties of programs , 1976 .

[19]  Ondrej Lhoták,et al.  Safe and sound program analysis with Flix , 2018, ISSTA.

[20]  Zhong Shao,et al.  A type system for certi .ed binaries , 2002, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[21]  Markus Püschel,et al.  Making numerical program analysis fast , 2015, PLDI.

[22]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[23]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[24]  Patrick Cousot,et al.  A static analyzer for large safety-critical software , 2003, PLDI.

[25]  Koushik Sen,et al.  DART: directed automated random testing , 2005, PLDI '05.

[26]  Mark Harman,et al.  The Oracle Problem in Software Testing: A Survey , 2015, IEEE Transactions on Software Engineering.

[27]  Thomas W. Reps,et al.  Symbolic Implementation of the Best Transformer , 2004, VMCAI.

[28]  Patrick Cousot,et al.  Comparing the Galois Connection and Widening/Narrowing Approaches to Abstract Interpretation , 1992, PLILP.

[29]  Antoine Miné,et al.  The octagon abstract domain , 2001, Proceedings Eighth Working Conference on Reverse Engineering.

[30]  Peter Müller,et al.  An Experimental Evaluation of Deliberate Unsoundness in a Static Program Analyzer , 2015, VMCAI.

[31]  Dirk Beyer,et al.  CPAchecker: A Tool for Configurable Software Verification , 2009, CAV.

[32]  Thomas A. Henzinger,et al.  Conditional model checking: a technique to pass information between verifiers , 2012, SIGSOFT FSE.

[33]  Nicolas Halbwachs,et al.  Automatic discovery of linear restraints among variables of a program , 1978, POPL.

[34]  Peter Müller,et al.  Collaborative Verification and Testing with Explicit Assumptions , 2012, FM.

[35]  Michael D. Ernst,et al.  Feedback-Directed Random Test Generation , 2007, 29th International Conference on Software Engineering (ICSE'07).

[36]  Manuel Fähndrich,et al.  Pentagons: a weakly relational abstract domain for the efficient validation of array accesses , 2008, SAC '08.

[37]  Markus Püschel,et al.  Fast polyhedra abstract domain , 2017, POPL.

[38]  Xavier Leroy,et al.  A Formally-Verified C Static Analyzer , 2015, POPL.

[39]  Andrew Ruef,et al.  Evaluating Design Tradeoffs in Numeric Static Analysis for Java , 2018, ESOP.

[40]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[41]  Zhendong Su,et al.  Compiler validation via equivalence modulo inputs , 2014, PLDI.

[42]  Eric Goubault,et al.  Static Analysis of Numerical Algorithms , 2006, SAS.

[43]  Zhendong Su,et al.  Finding deep compiler bugs via guided stochastic program mutation , 2015, OOPSLA.

[44]  Ondrej Lhoták,et al.  In defense of soundiness , 2015, Commun. ACM.