283 research outputs found
Relational interprocedural analysis of concurrent programs
We extend the relational approach to interprocedural analysis of sequential programs to concurrent programs composed of a fixed number of threads. In the relational approach, a sequential program is analyzed by computing summaries of procedures, and by propagating reachability information using these summaries. We generalize this approach to concurrent programs by computing for each thread procedure summaries that takes into account the parallel execution of the other threads. Technically, we define our analysis method by instrumenting the operational semantics of programs, then by abstracting the call-stacks of the concurrent threads, and last by abstracting the program environments in order to lead to an effective analysis that always terminates. This method allows to extend to concurrent programs existing relational interprocedural analysis (e.g., numerical variables analysis, shape analysis). We implemented it for programs with scalar variables, and we experiment several classical synchronisation protocols in order to illustrate the precision of our technique, but also to analyze the approximations it performs
An empirical investigation into branch coverage for C programs using CUTE and AUSTIN
Automated test data generation has remained a topic of considerable interest for several decades because it lies at the heart of attempts to automate the process of Software Testing. This paper reports the results of an empirical study using the dynamic symbolic-execution tool. CUTE, and a search based tool, AUSTIN on five non-trivial open source applications. The aim is to provide practitioners with an assessment of what can be achieved by existing techniques with little or no specialist knowledge and to provide researchers with baseline data against which to measure subsequent work. To achieve this, each tool is applied 'as is', with neither additional tuning nor supporting harnesses and with no adjustments applied to the subject programs under test. The mere fact that these tools can be applied 'out of the box' in this manner reflects the growing maturity of Automated test data generation. However, as might be expected, the study reveals opportunities for improvement and suggests ways to hybridize these two approaches that have hitherto been developed entirely independently. (C) 2010 Elsevier Inc. All rights reserved
On Role Logic
We present role logic, a notation for describing properties of relational
structures in shape analysis, databases, and knowledge bases. We construct role
logic using the ideas of de Bruijn's notation for lambda calculus, an encoding
of first-order logic in lambda calculus, and a simple rule for implicit
arguments of unary and binary predicates. The unrestricted version of role
logic has the expressive power of first-order logic with transitive closure.
Using a syntactic restriction on role logic formulas, we identify a natural
fragment RL^2 of role logic. We show that the RL^2 fragment has the same
expressive power as two-variable logic with counting C^2 and is therefore
decidable. We present a translation of an imperative language into the
decidable fragment RL^2, which allows compositional verification of programs
that manipulate relational structures. In addition, we show how RL^2 encodes
boolean shape analysis constraints and an expressive description logic.Comment: 20 pages. Our later SAS 2004 result builds on this wor
Evaluating Design Tradeoffs in Numeric Static Analysis for Java
Numeric static analysis for Java has a broad range of potentially useful
applications, including array bounds checking and resource usage estimation.
However, designing a scalable numeric static analysis for real-world Java
programs presents a multitude of design choices, each of which may interact
with others. For example, an analysis could handle method calls via either a
top-down or bottom-up interprocedural analysis. Moreover, this choice could
interact with how we choose to represent aliasing in the heap and/or whether we
use a relational numeric domain, e.g., convex polyhedra. In this paper, we
present a family of abstract interpretation-based numeric static analyses for
Java and systematically evaluate the impact of 162 analysis configurations on
the DaCapo benchmark suite. Our experiment considered the precision and
performance of the analyses for discharging array bounds checks. We found that
top-down analysis is generally a better choice than bottom-up analysis, and
that using access paths to describe heap objects is better than using summary
objects corresponding to points-to analysis locations. Moreover, these two
choices are the most significant, while choices about the numeric domain,
representation of abstract objects, and context-sensitivity make much less
difference to the precision/performance tradeoff
Infrared: A Meta Bug Detector
The recent breakthroughs in deep learning methods have sparked a wave of
interest in learning-based bug detectors. Compared to the traditional static
analysis tools, these bug detectors are directly learned from data, thus,
easier to create. On the other hand, they are difficult to train, requiring a
large amount of data which is not readily available. In this paper, we propose
a new approach, called meta bug detection, which offers three crucial
advantages over existing learning-based bug detectors: bug-type generic (i.e.,
capable of catching the types of bugs that are totally unobserved during
training), self-explainable (i.e., capable of explaining its own prediction
without any external interpretability methods) and sample efficient (i.e.,
requiring substantially less training data than standard bug detectors). Our
extensive evaluation shows our meta bug detector (MBD) is effective in catching
a variety of bugs including null pointer dereference, array index out-of-bound,
file handle leak, and even data races in concurrent programs; in the process
MBD also significantly outperforms several noteworthy baselines including
Facebook Infer, a prominent static analysis tool, and FICS, the latest anomaly
detection method
- …