Efficiently intertwining widening and narrowing

Non-trivial analysis problems require posets with infinite ascending and descending chains. In order to compute reasonably precise post-fixpoints of the resulting systems of equations, Cousot and Cousot have suggested accelerated fixpoint iteration by means of widening and narrowing. The strict separation into phases, however, may unnecessarily give up precision that cannot be recovered later, as over-approximated interim results have to be fully propagated through the equation system. Additionally, the classical two-phased approach is not suitable for equation systems with infinitely many unknowns, where demand-driven solving must be used. Constructing an intertwined approach requires being able to answer when it is safe to apply narrowing, or when widening must be applied. In general, this is a difficult problem. In case the right-hand sides of equations are monotonic, however, we can always apply narrowing whenever we have reached a post-fixpoint for an equation. The assumption of monotonicity, though, is not met in the presence of widening. It is also not met by equation systems corresponding to context-sensitive inter-procedural analysis, possibly combining context-sensitive analysis of local information with flow-insensitive analysis of globals. As a remedy, we present a novel operator that combines a given widening operator with a given narrowing operator. We present adapted versions of round-robin as well as worklist iteration, and of local and side-effecting solving algorithms, for the combined operator, and prove that the resulting solvers always return sound results and are guaranteed to terminate for monotonic systems whenever only finitely many unknowns (constraint variables) are encountered. Practical remedies are proposed for termination in the non-monotonic case.
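The following is an added illustration, not code from the paper: a round-robin solver over an interval domain that applies a combined operator at every update, narrowing an unknown as soon as its equation has reached a post-fixpoint (the new value is below the current one) and widening otherwise. The interval domain, the precise definition of `combine`, and the constructed three-unknown equation system for a counting loop are my assumptions, chosen to show narrowing of one unknown starting while another is still being widened.

```python
from math import inf
# Interval domain: an interval is a (lo, hi) tuple; BOT (None) is the empty set.
BOT = None

def leq(a, b):
    return a is BOT or (b is not BOT and b[0] <= a[0] and a[1] <= b[1])

def join(a, b):
    if a is BOT or b is BOT: return b if a is BOT else a
    return (min(a[0], b[0]), max(a[1], b[1]))

def meet(a, b):
    if a is BOT or b is BOT: return BOT
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else BOT

def widen(a, b):  # standard interval widening: an unstable bound jumps to infinity
    if a is BOT or b is BOT: return b if a is BOT else a
    return (a[0] if a[0] <= b[0] else -inf, a[1] if a[1] >= b[1] else inf)

def narrow(a, b):  # standard interval narrowing: only infinite bounds get refined
    if a is BOT or b is BOT: return BOT
    return (b[0] if a[0] == -inf else a[0], b[1] if a[1] == inf else a[1])

def inc(a): return BOT if a is BOT else (a[0] + 1, a[1] + 1)

def combine(x, y):
    # Combined operator (assumed definition): narrow when the new value y is already
    # below the current x (x is a post-fixpoint of this equation), widen otherwise.
    return narrow(x, y) if leq(y, x) else widen(x, y)

def solve_round_robin(rhs):
    # Round-robin iteration with the combined operator at every update (no phases).
    x = [BOT] * len(rhs)
    changed = True
    while changed:
        changed = False
        for i, f in enumerate(rhs):
            new = combine(x[i], f(x))
            if new != x[i]:
                x[i], changed = new, True
    return x

# Constructed equation system for:  i = 0; while (i < 100) i = i + 1;
# x[0] = loop head, x[1] = after the body, x[2] = loop exit.
COUNTER_LOOP = [
    lambda x: join((0, 0), x[1]),
    lambda x: inc(meet(x[0], (-inf, 99))),
    lambda x: meet(x[0], (100, inf)),
]
```

Calling `solve_round_robin(COUNTER_LOOP)` yields `[(0, 100), (1, 100), (100, 100)]`: the loop head is widened to `(0, inf)` in the second round, and the body unknown is already narrowed back to `(1, 100)` in the third round while the head is still at its widened value.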
