Some Experience on the Software Engineering of Abstract Interpretation Tools

The "right" way of writing and structuring compilers is well known. The situation is a bit less clear for static analysis tools. It seems to us that a static analysis tool is ideally decomposed into three building blocks: (1) a front-end, which parses programs, generates semantic equations, and supervises the analysis process; (2) a fixpoint equation solver, which takes equations and solves them; and (3) an abstract domain, on which equations are interpreted. The expected advantages of such a modular structure are the ability to share development effort between analyzers for different languages, using common solvers and abstract domains. However, putting such ideal concepts into practice is not so easy, and some static analyzers merge, for instance, blocks (1) and (2). We show how we instantiated these principles with three different static analyzers (addressing respectively imperative sequential programs, imperative concurrent programs, and synchronous dataflow programs), a generic fixpoint solver (Fixpoint), and two different abstract domains. We discuss our experience of the advantages and the limits of this approach compared to related work.
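The three-block decomposition described above, as an added example that is not code from the paper, from Fixpoint, or from any of the analyzers it describes: a tiny front-end turns a counting loop into semantic equations, a generic chaotic-iteration solver (widening at loop heads, then a bounded decreasing phase) solves them, and an interval domain is plugged in as the abstract domain. The solver touches the domain only through `bottom`, `leq`, `join` and `widen`, which is the interface that lets one solver serve several domains. All names, the equation variables `X0`..`X4` and the example program are assumptions made for this illustration.

```python
"""Added example: front-end / fixpoint solver / abstract domain split.
None of this is code from the paper or the projects it describes."""
import math
from typing import Callable, Dict, Optional, Set, Tuple

# ---- Block (3): the abstract domain (intervals over one integer variable) --
Interval = Optional[Tuple[float, float]]   # None is bottom (unreachable)

class IntervalDomain:
    bottom: Interval = None

    @staticmethod
    def const(c: int) -> Interval:
        return (c, c)

    @staticmethod
    def leq(a: Interval, b: Interval) -> bool:
        if a is None:
            return True
        if b is None:
            return False
        return b[0] <= a[0] and a[1] <= b[1]

    @staticmethod
    def join(a: Interval, b: Interval) -> Interval:
        if a is None:
            return b
        if b is None:
            return a
        return (min(a[0], b[0]), max(a[1], b[1]))

    @staticmethod
    def widen(old: Interval, new: Interval) -> Interval:
        # Classic interval widening: any bound that is still moving jumps to infinity.
        if old is None:
            return new
        if new is None:
            return old
        lo = old[0] if new[0] >= old[0] else -math.inf
        hi = old[1] if new[1] <= old[1] else math.inf
        return (lo, hi)

    @staticmethod
    def add_const(a: Interval, c: int) -> Interval:
        return None if a is None else (a[0] + c, a[1] + c)

    @staticmethod
    def guard_lt(a: Interval, c: int) -> Interval:
        # Abstract test "i < c": keep only the part of the interval below c.
        if a is None or a[0] >= c:
            return None
        return (a[0], min(a[1], c - 1))

    @staticmethod
    def guard_ge(a: Interval, c: int) -> Interval:
        if a is None or a[1] < c:
            return None
        return (max(a[0], c), a[1])

# ---- Block (2): the generic fixpoint solver ---------------------------------
Env = Dict[str, object]
Equations = Dict[str, Callable[[Env], object]]

def solve(eqs: Equations, dom, widen_at: Set[str], max_descending: int = 3) -> Env:
    """Chaotic iteration over an equation system; domain-independent."""
    env: Env = {x: dom.bottom for x in eqs}
    changed = True
    while changed:                       # ascending phase, widening at loop heads
        changed = False
        for x, f in eqs.items():
            new = f(env)
            if x in widen_at:
                new = dom.widen(env[x], new)
            if not dom.leq(new, env[x]):  # value grew
                env[x] = new
                changed = True
    for _ in range(max_descending):      # bounded decreasing phase (no widening)
        changed = False
        for x, f in eqs.items():
            new = f(env)
            if not dom.leq(env[x], new):  # value shrank: precision recovered
                env[x] = new
                changed = True
        if not changed:
            break
    return env

# ---- Block (1): the front-end ----------------------------------------------
def front_end_counting_loop(dom, bound: int):
    """Equations for:  i = 0; while (i < bound) { i = i + 1; }
    X0: after init, X1: loop head, X2: body entry, X3: after i+1, X4: loop exit."""
    eqs: Equations = {
        "X0": lambda e: dom.const(0),
        "X1": lambda e: dom.join(e["X0"], e["X3"]),
        "X2": lambda e: dom.guard_lt(e["X1"], bound),
        "X3": lambda e: dom.add_const(e["X2"], 1),
        "X4": lambda e: dom.guard_ge(e["X1"], bound),
    }
    return eqs, {"X1"}                   # X1 is the only widening point

def analyze_counting_loop(bound: int = 10) -> Env:
    eqs, heads = front_end_counting_loop(IntervalDomain, bound)
    return solve(eqs, IntervalDomain, heads)

if __name__ == "__main__":
    for var, val in analyze_counting_loop().items():
        print(var, val)
```

Running the loop analysis with the bound 10 widens `X1` to `(0, inf)` in the ascending phase, and the decreasing phase then tightens it to `(0, 10)` and the exit invariant `X4` to `(10, 10)`; swapping in another domain only requires an object exposing the same five operations the solver and front-end call.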
