Bounded Abstract Interpretation

In practice, software engineers are only able to spend a limited amount of resources on statically analyzing their code. Such resources may refer to their available time or their tolerance for imprecision, and usually depend on when in their workflow a static analysis is run. To serve these different needs, we propose a technique that enables engineers to interactively bound a static analysis based on the available resources. When all resources are exhausted, our technique soundly records the achieved verification results with a program instrumentation. Consequently, as more resources become available, any static analysis may continue from where the previous analysis left off. Our technique is applicable to any abstract interpreter, and we have implemented it for the .NET static analyzer Clousot. Our experiments show that bounded abstract interpretation can significantly increase the performance of the analysis (by up to 8x) while also increasing the quality of the reported warnings (more definite warnings that detect genuine bugs).
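The following Python example is added here to make the bounding and resumption idea concrete; it is not the paper's code and not Clousot's implementation. It runs an interval analysis over one constructed loop (`i = 0; while i < N: i = i + 1; assert i == N`) with a bound on the number of fixpoint iterations. When the bound is exhausted, the last loop-head iterate is recorded in a checkpoint (standing in for the paper's program instrumentation), and a later run resumes from it: because the iterates are an increasing chain from the entry state, continuing from a recorded iterate reaches the same fixpoint as starting over, so the partial result is sound to reuse. The example also shows why an unconverged iterate must not be used to discharge the assertion: the exit condition filters the partial state to bottom, which would vacuously "verify" the assertion. The `Checkpoint` and `Result` shapes, the verdict strings and the program analysed are all assumptions made for this example.

```python
"""Bounded interval analysis of one loop with a resumable checkpoint.

Illustrative example only (not Clousot's implementation). The analysed
program is fixed and constructed for the example:
    i = 0
    while i < N:
        i = i + 1
    assert i == N
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    @property
    def is_bottom(self) -> bool:
        return self.lo > self.hi

    def join(self, other: "Interval") -> "Interval":
        if self.is_bottom:
            return other
        if other.is_bottom:
            return self
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def meet_lt(self, c: int) -> "Interval":   # refine by the guard i < c
        return Interval(self.lo, min(self.hi, c - 1))

    def meet_ge(self, c: int) -> "Interval":   # refine by the guard i >= c
        return Interval(max(self.lo, c), self.hi)

    def add(self, k: int) -> "Interval":       # transfer function for i = i + k
        return self if self.is_bottom else Interval(self.lo + k, self.hi + k)

    def leq(self, other: "Interval") -> bool:  # lattice order (bottom is least)
        return self.is_bottom or (other.lo <= self.lo and self.hi <= other.hi)


@dataclass
class Checkpoint:
    """Assumed record format: what the instrumentation keeps when the bound runs out."""
    loop_head: Interval   # last iterate computed at the loop head (not a fixpoint)
    iterations: int       # iterations spent so far, across all runs


@dataclass
class Result:
    converged: bool
    iterations_used: int
    loop_head: Interval
    assertion: str        # "verified" | "warning" | "unverified (bound exhausted)"
    checkpoint: Optional[Checkpoint]


def analyze(n: int, budget: int, resume: Optional[Checkpoint] = None) -> Result:
    """Run at most `budget` Kleene iterations, optionally resuming from a checkpoint."""
    entry = Interval(0, 0)                      # state after i = 0
    state = resume.loop_head if resume else entry
    spent_before = resume.iterations if resume else 0
    used = 0
    converged = False
    while used < budget:
        used += 1
        body_out = state.meet_lt(n).add(1)      # one pass through the loop body
        nxt = entry.join(body_out)              # merge entry edge and back edge
        if nxt.leq(state):                      # chain is increasing, so this is equality
            converged = True
            break
        state = nxt
    if not converged:
        # Soundly record what was achieved: the assertion stays unverified, and the
        # partial iterate is handed to the next run instead of being treated as an invariant.
        return Result(False, used, state, "unverified (bound exhausted)",
                      Checkpoint(state, spent_before + used))
    exit_state = state.meet_ge(n)               # loop exits only when i >= n
    verdict = "verified" if exit_state.leq(Interval(n, n)) else "warning"
    return Result(True, used, state, verdict, None)


def naive_verdict(partial_loop_head: Interval, n: int) -> str:
    """The unsound shortcut: checking the assertion against an unconverged iterate.
    The exit guard filters the partial state to bottom, so the check passes vacuously."""
    return "verified" if partial_loop_head.meet_ge(n).leq(Interval(n, n)) else "warning"


if __name__ == "__main__":
    first = analyze(10, budget=3)               # resources run out after 3 iterations
    second = analyze(10, budget=10, resume=first.checkpoint)
    print(first)
    print(second)
    print("naive verdict on partial state:", naive_verdict(first.loop_head, 10))
```

With N = 10 the first run stops at loop-head state [0, 3] and reports the assertion as unverified; resuming from that checkpoint, the second run converges to [0, 10] after eight more iterations, the same total of eleven that an unbounded run needs, and verifies the assertion. `naive_verdict` on the partial state wrongly returns "verified", which is the unsoundness the checkpoint design avoids.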
