Synthesizing Predicates from Abstract Domain Losses

Numeric abstract domains are key to many verification problems. Their ability to scale hinges on using convex approximations of the possible variable valuations. In some cases, this approximation is too coarse to verify certain verification conditions, namely those that require disjunctive invariants. A common approach to infer disjunctive invariants is to track a set of states. However, this easily leads to scalability problems. In this work, we propose to augment a numeric analysis with an abstract domain of predicates. Predicates are synthesized whenever an abstract domain loses precision due to convexity. The predicate domain is able to recover this loss at a later stage by re-applying the synthesized predicates on the numeric abstract domain. This symbiosis combines the ability of numeric domains to compactly summarize states with the ability of predicate abstraction to express disjunctive invariants and non-convex spaces. We further show how predicates can be used as a tool for communication between several numeric domains.
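To make the synthesize-and-recover mechanism concrete, the following is an added example that is not part of the paper and not the authors' implementation. It is a minimal Python model in which an interval domain detects a convexity loss at a control-flow join, records the join operands as a disjunctive predicate, and re-applies that predicate later, both to discharge an assertion the convex state alone cannot and to sharpen the state after a branch guard. The `Interval` class, the `PredicateDomain` class, the `join_loses_precision` test and the program fragment in `analyze_branch_and_rejoin` are all constructed for illustration; intervals stand in for the general predicates the paper synthesizes.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Interval:
    """Integer interval [lo, hi]; lo > hi encodes the empty (bottom) element."""
    lo: int
    hi: int

    def is_bottom(self) -> bool:
        return self.lo > self.hi

    def join(self, other: "Interval") -> "Interval":
        # Convex hull: the only join an interval domain can express.
        if self.is_bottom():
            return other
        if other.is_bottom():
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def meet(self, other: "Interval") -> "Interval":
        return Interval(max(self.lo, other.lo), min(self.hi, other.hi))

    def contains(self, v: int) -> bool:
        return self.lo <= v <= self.hi


def join_loses_precision(a: Interval, b: Interval) -> bool:
    """True when the convex hull of a and b contains integers that belong to
    neither operand, i.e. the operands leave a gap the interval domain cannot keep."""
    if a.is_bottom() or b.is_bottom():
        return False
    return max(a.lo, b.lo) > min(a.hi, b.hi) + 1


class PredicateDomain:
    """Hypothetical predicate domain (constructed for this example): each
    predicate is the disjunction of the two operands of a join that lost
    precision, stored as intervals in place of general predicates."""

    def __init__(self) -> None:
        self.predicates: List[List[Interval]] = []

    def join(self, a: Interval, b: Interval) -> Interval:
        """Numeric join that synthesizes a predicate whenever convexity loses information."""
        if join_loses_precision(a, b):
            self.predicates.append([a, b])
        return a.join(b)

    def refine(self, x: Interval) -> List[Interval]:
        """Re-apply every synthesized predicate to the numeric state x and return
        the non-empty disjuncts that survive; their union is at least as precise as x."""
        pieces = [x]
        for disjunction in self.predicates:
            pieces = [p.meet(d) for p in pieces for d in disjunction
                      if not p.meet(d).is_bottom()]
        return pieces

    def can_equal(self, x: Interval, v: int) -> bool:
        """Can the variable take value v in state x once predicates are re-applied?"""
        return any(piece.contains(v) for piece in self.refine(x))


def analyze_branch_and_rejoin() -> Tuple[Interval, bool, List[Interval]]:
    """Constructed program fragment analysed by the model above:
        if (c) x = 0; else x = 10;   // the join loses the gap 1..9
        assert(x != 5);              // needs the disjunctive invariant x==0 || x==10
        if (x > 5) { ... }           // later guard: the predicate recovers x == 10
    """
    pd = PredicateDomain()
    x_then, x_else = Interval(0, 0), Interval(10, 10)
    x_joined = pd.join(x_then, x_else)              # Interval(0, 10) in the numeric domain
    assertion_holds = not pd.can_equal(x_joined, 5)  # True only thanks to the predicate
    x_guarded = x_joined.meet(Interval(6, 10**9))   # assume the guard x > 5
    x_recovered = pd.refine(x_guarded)              # [Interval(10, 10)]
    return x_joined, assertion_holds, x_recovered


if __name__ == "__main__":
    print(analyze_branch_and_rejoin())
```

The numeric domain alone reports `x` in `[0, 10]` after the join and cannot rule out `x == 5`; the predicate recorded at the join is what lets the assertion be discharged, and after the guard `x > 5` the same predicate collapses the state to exactly `x == 10`. Joins that lose nothing (overlapping or adjacent intervals) synthesize no predicate, so the predicate set only grows where convexity actually cost information.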
