Modular Analysis of Executables Using On-Demand Heyting Completion

A function-modular analysis is presented that computes precise function summaries in the presence of pointers and indirect calls. Our approach computes several summaries for a function, each specialized to a particular input property. A call site combines the effect of several summaries, based on what properties hold. The key novelty is that the properties are tailored to the function being analyzed. Moreover, they are represented in a domain-agnostic way by using Herbrand terms with variables. Callers instantiate these variables, based on their state. For each variable instantiation, a new summary is computed. Since the computed summaries are exact with respect to the property, our fixpoint computation resembles the process of Heyting completion where a domain is iteratively refined to be complete wrt. the intersection with a property. Our approach combines the advantages of a modular analysis, such as scalability and context-sensitivity, with the ability to compute meaningful summaries for functions that call other functions via pointers that were passed as arguments. We illustrate our framework in the context of inferring indirect callees in x86 executables.

[1]  Sarita V. Adve,et al.  Shared Memory Consistency Models: A Tutorial , 1996, Computer.

[2]  Pierre Wolper,et al.  The Complementation Problem for Büchi Automata with Appplications to Temporal Logic , 1987, Theor. Comput. Sci..

[3]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[4]  Amir Pnueli,et al.  On the learnability of infinitary regular sets , 1991, COLT '91.

[5]  Moshe Y. Vardi The Büchi Complementation Saga , 2007, STACS.

[6]  Sven Schewe,et al.  Tight Bounds for the Determinisation and Complementation of Generalised Büchi Automata , 2012, ATVA.

[7]  D. M. Hutton,et al.  The Art of Multiprocessor Programming , 2008 .

[8]  Orna Kupferman,et al.  Weak alternating automata are not that weak , 2001, TOCL.

[9]  Shuvendu K. Lahiri,et al.  Angelic Verification: Precise Verification Modulo Unknowns , 2015, CAV.

[10]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[11]  Axel Simon Deriving a complete type inference for Hindley-Milner and vector sizes using expansion , 2014, Sci. Comput. Program..

[12]  Hans-Juergen Boehm,et al.  Foundations of the C++ concurrency memory model , 2008, PLDI '08.

[13]  Mark R. Tuttle,et al.  Protocol verification using flows: An industrial experience , 2009, 2009 Formal Methods in Computer-Aided Design.

[14]  Roberto Giacobazzi,et al.  Making abstract domains condensing , 2002, TOCL.

[15]  Jorge A. Navas,et al.  The SeaHorn Verification Framework , 2015, CAV.

[16]  Ludwig Staiger,et al.  On Syntactic Congruences for Omega-Languages , 1993, Theor. Comput. Sci..

[17]  Kalmer Apinis,et al.  Efficiently intertwining widening and narrowing , 2015, Sci. Comput. Program..

[18]  Günter Grünsteidl,et al.  TTP - A Protocol for Fault-Tolerant Real-Time Systems , 1994, Computer.

[19]  Umesh V. Vazirani,et al.  An Introduction to Computational Learning Theory , 1994 .

[20]  Roberto Palmieri,et al.  Making Fast Consensus Generally Faster , 2016, 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[21]  Shaked Flur,et al.  Simplifying ARM concurrency: multicopy-atomic axiomatic and operational models for ARMv8 , 2017, Proc. ACM Program. Lang..

[22]  John Derrick,et al.  Verifying Linearisability , 2015, ACM Comput. Surv..

[23]  Jade Alglave,et al.  Understanding POWER multiprocessors , 2011, PLDI '11.

[24]  Helmut Seidl,et al.  Precise interprocedural analysis through linear algebra , 2004, POPL.

[25]  Patrick Lincoln,et al.  A formally verified algorithm for interactive consistency under a hybrid fault model , 1993, FTCS-23 The Twenty-Third International Symposium on Fault-Tolerant Computing.

[26]  Adam Chlipala,et al.  Chapar: certified causally consistent distributed key-value stores , 2016, POPL.

[27]  Orna Kupferman,et al.  On Complementing Nondeterministic Büchi Automata , 2003, CHARME.

[28]  Kenneth L. McMillan,et al.  Verification of Infinite State Systems by Compositional Model Checking , 1999, CHARME.

[29]  Patrick Cousot,et al.  A static analyzer for large safety-critical software , 2003, PLDI '03.

[30]  Tatsuhiro Tsuchiya,et al.  Verification of consensus algorithms using satisfiability solving , 2011, Distributed Computing.

[31]  Helmut Veith,et al.  On the completeness of bounded model checking for threshold-based distributed algorithms: Reachability , 2014, Inf. Comput..

[32]  Kim Marriott,et al.  Precise and efficient groundness analysis for logic programs , 1993, LOPL.

[33]  John Derrick,et al.  Linearizability and Causality , 2016, SEFM.

[34]  Robert McNaughton,et al.  Testing and Generating Infinite Sequences by a Finite Automaton , 1966, Inf. Control..

[35]  Roberto Giacobazzi,et al.  A logical model for relational abstract domains , 1998, TOPL.

[36]  Yih-Kuen Tsay,et al.  GOAL for Games, Omega-Automata, and Logics , 2013, CAV.

[37]  Arnaud Venet,et al.  Abstract Cofibered Domains: Application to the Alias Analysis of Untyped Programs , 1996, SAS.

[38]  Nikolaj Bjørner,et al.  Cardinalities and universal quantifiers for verifying parameterized systems , 2016, PLDI.

[39]  Patrick Cousot,et al.  Modular Static Program Analysis , 2002, CC.

[40]  Leslie Lamport,et al.  Reaching Agreement in the Presence of Faults , 1980, JACM.

[41]  Yih-Kuen Tsay,et al.  State of Büchi Complementation , 2010, CIAA.

[42]  Jörg Brauer,et al.  Automatic Abstraction for Intervals Using Boolean Formulae , 2010, SAS.

[43]  Xinyu Feng,et al.  Characterizing Progress Properties of Concurrent Objects via Contextual Refinements , 2013, CONCUR.

[44]  Peter Sewell,et al.  Mathematizing C++ concurrency , 2011, POPL '11.

[45]  John Derrick,et al.  Verifying Linearizability on TSO Architectures , 2014, IFM.

[46]  Sven Schewe,et al.  Tight Bounds for Complementing Parity Automata , 2014, MFCS.

[47]  Barton P. Miller,et al.  Typestate Checking of Machine Code , 2001, ESOP.

[48]  Peter W. O'Hearn,et al.  Abstraction for concurrent objects , 2009, Theor. Comput. Sci..

[49]  Ramakrishna Kotla,et al.  Zyzzyva , 2007, SOSP.

[50]  Nir Shavit Data structures in the multicore age , 2011, CACM.

[51]  Ichiro Suzuki,et al.  Proving Properties of a Ring of Finite-State Machines , 1988, Inf. Process. Lett..

[52]  Howard Barringer,et al.  Learning to divide and conquer: applying the L* algorithm to automate assume-guarantee reasoning , 2008, Formal Methods Syst. Des..

[53]  David G. Andersen,et al.  There is more consensus in Egalitarian parliaments , 2013, SOSP.

[54]  Brijesh Dongol,et al.  Contextual Trace Refinement for Concurrent Objects: Safety and Progress , 2016, ICFEM.

[55]  Lijun Zhang,et al.  Leveraging Weighted Automata in Compositional Reasoning about Concurrent Probabilistic Systems , 2015, POPL.

[56]  Mihalis Yannakakis,et al.  Black Box Checking , 1999, FORTE.

[57]  Olin Shivers,et al.  Control-flow analysis of higher-order languages of taming lambda , 1991 .

[58]  Sava Krstić Parametrized System Verification with Guard Strengthening and Parameter Abstraction , 2005 .

[59]  Xinyu Feng,et al.  Deny-Guarantee Reasoning , 2009, ESOP.

[60]  Axel Simon,et al.  GDSL: A Universal Toolkit for Giving Semantics to Machine Language , 2013, APLAS.

[61]  A Pnueli,et al.  Two Approaches to Interprocedural Data Flow Analysis , 2018 .

[62]  John Derrick,et al.  An Observational Approach to Defining Linearizability on Weak Memory Models , 2017, FORTE.

[63]  Jeremy Manson,et al.  The Java memory model , 2005, POPL '05.

[64]  Thomas W. Reps,et al.  A Method for Symbolic Computation of Abstract Operations , 2012, CAV.

[65]  David E. Muller,et al.  Infinite sequences and finite machines , 1963, SWCT.

[66]  Alexey Gotsman,et al.  Library abstraction for C/C++ concurrency , 2013, POPL.

[67]  John Derrick,et al.  Defining Correctness Conditions for Concurrent Objects in Multicore Architectures , 2015, ECOOP.

[68]  Jaroslav Sevcík,et al.  Program transformations in weak memory models , 2009 .

[69]  Sebastian Burckhardt,et al.  Concurrent Library Correctness on the TSO Memory Model , 2012, ESOP.

[70]  Jean-Pierre Pécuchet On the Complementation of Büchi Automata , 1986, Theor. Comput. Sci..

[71]  Axel Simon,et al.  Structure-Preserving Compilation: Efficient Integration of Functional DSLs into Legacy Systems , 2014, PPDP '14.

[72]  Ronald L. Rivest,et al.  Inference of finite automata using homing sequences , 1989, STOC '89.

[73]  Robert P. Kurshan,et al.  Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach , 2014 .

[74]  Patrick Cousot,et al.  Automatic Inference of Necessary Preconditions , 2013, VMCAI.

[75]  Yih-Kuen Tsay,et al.  Büchi Store: An Open Repository of Büchi Automata , 2011, TACAS.

[76]  Radha Jagadeesan,et al.  Quarantining Weakness - Compositional Reasoning under Relaxed Memory Models (Extended Abstract) , 2013, ESOP.

[77]  Sarita V. Adve,et al.  Memory models: a case for rethinking parallel languages and hardware , 2009, PODC '09.

[78]  Amir Pnueli,et al.  Liveness with (0, 1, infty)-Counter Abstraction , 2002, CAV.

[79]  Lijun Zhang,et al.  A Novel Learning Algorithm for Büchi Automata Based on Family of DFAs and Classification Trees , 2016, TACAS.

[80]  S. Safra,et al.  On the complexity of omega -automata , 1988, [Proceedings 1988] 29th Annual Symposium on Foundations of Computer Science.

[81]  Axel Simon,et al.  FESA: Fold- and Expand-Based Shape Analysis , 2013, CC.

[82]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[83]  Kenneth L. McMillan,et al.  Parameterized Verification of the FLASH Cache Coherence Protocol by Compositional Model Checking , 2001, CHARME.

[84]  Hongseok Yang,et al.  Liveness-Preserving Atomicity Abstraction , 2011, ICALP.

[85]  Maria Sorea,et al.  Model checking a fault-tolerant startup algorithm: from design exploration to exhaustive fault simulation , 2004, International Conference on Dependable Systems and Networks, 2004.

[86]  Leslie Lamport,et al.  How to Make a Correct Multiprocess Program Execute Correctly on a Multiprocessor , 1997, IEEE Trans. Computers.

[87]  Michael D. Ernst,et al.  Planning for change in a formal verification of the raft consensus protocol , 2016, CPP.

[88]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.