A Database Interface for Complex Objects

We describe a formal design for a logical query language using psi-terms as data structures to interact effectively and efficiently with a relational database. The structure of psi-terms provides an adequate representation for so-called complex objects. They generalize conventional terms used in logic programming: they are typed attributed structures, ordered thanks to a subtype ordering. Unification of psi-terms is an effective means for integrating multiple inheritance and partial information into a deduction process. We define a compact database representation for psi-terms, representing part of the subtyping relation in the database as well. We describe a retrieval algorithm based on an abstract interpretation of the psi-term unification process and prove its formal correctness. This algorithm is efficient in that it incrementally retrieves only additional facts that are actually needed by a query, and never retrieves the same fact twice

Modular Construction of Shape-Numeric Analyzers

The aim of static analysis is to infer invariants about programs that are precise enough to establish semantic properties, such as the absence of run-time errors. Broadly speaking, there are two major branches of static analysis for imperative programs. Pointer and shape analyses focus on inferring properties of pointers, dynamically-allocated memory, and recursive data structures, while numeric analyses seek to derive invariants on numeric values. Although simultaneous inference of shape-numeric invariants is often needed, this case is especially challenging and is not particularly well explored. Notably, simultaneous shape-numeric inference raises complex issues in the design of the static analyzer itself. In this paper, we study the construction of such shape-numeric, static analyzers. We set up an abstract interpretation framework that allows us to reason about simultaneous shape-numeric properties by combining shape and numeric abstractions into a modular, expressive abstract domain. Such a modular structure is highly desirable to make its formalization and implementation easier to do and get correct. To achieve this, we choose a concrete semantics that can be abstracted step-by-step, while preserving a high level of expressiveness. The structure of abstract operations (i.e., transfer, join, and comparison) follows the structure of this semantics. The advantage of this construction is to divide the analyzer in modules and functors that implement abstractions of distinct features.Comment: In Proceedings Festschrift for Dave Schmidt, arXiv:1309.455

How Fitting is Your Abstract Domain?

Abstract interpretation offers sound and decidable approxi- mations for undecidable queries related to program behavior. The effec- tiveness of an abstract domain is entirely reliant on the abstract domain itself, and the worst-case scenario is when the abstract interpreter pro- vides a response of “don’t know”, indicating that anything could happen during runtime. Conversely, a desirable outcome is when the abstract in- terpreter provides information that exceeds a specified level of precision, resulting in a more precise answer. The concept of completeness relates to the level of precision that is forfeited when performing computations within the abstract domain. Our focus is on the domain’s ability to ex- press program behaviour, which we refer to as adequacy. In this paper, we present a domain refinement strategy towards adequacy and a sim- ple sound proof system for adequacy, designed to determine whether an abstract domain is capable of providing satisfactory responses to spec- ified program queries. Notably, this proof system is both language and domain agnostic, and can be readily incorporated to support static pro- gram analysis

Sharing Ghost Variables in a Collection of Abstract Domains

International audienceWe propose a framework in which we share ghost variables across a collection of abstract domains allowing precise proofs of complex properties. In abstract interpretation, it is often necessary to be able to express complex properties while doing a precise analysis. A way to achieve that is to combine a collection of domains, each handling some kind of properties, using a reduced product. Separating domains allows an easier and more modular implementation, and eases soundness and termination proofs. This way, we can add a domain for any kind of property that is interesting. The reduced product, or an approximation of it, is in charge of refining abstract states, making the analysis precise. In program verification, ghost variables can be used to ease proofs of properties by storing intermediate values that do not appear directly in the execution. We propose a reduced product of abstract domains that allows domains to use ghost variables to ease the representation of their internal state. Domains must be totally agnostic with respect to other existing domains. In particular the handling of ghost variables must be entirely decentralized while still ensuring soundness and termination of the analysis

Interprocedural Shape Analysis Using Separation Logic-based Transformer Summaries

International audienceShape analyses aim at inferring semantic invariants related to the data-structures that programs manipulate. To achieve that, they typically abstract the set of reachable states. By contrast, abstractions for transformation relations between input states and output states not only provide a finer description of program executions but also enable the composition of the effect of program fragments so as to make the analysis modular. However, few logics can efficiently capture such transformation relations. In this paper, we propose to use connectors inspired by separation logic to describe memory state transformations and to represent procedure summaries. Based on this abstraction, we design a top-down interprocedural analysis using shape transformation relations as procedure summaries. Finally, we report on implementation and evaluation

Analyse statique de valeurs par interprétation abstraite de programmes fonctionnels manipulant des types algébriques récursifs

National audienceAfin de prévenir les erreurs de programmation, des analyseurs statiques ont été développés pour de nombreux langages ; cependant, aucun analyseur mature ne cible l'analyse de valeurs pour un langage fonctionnel à la ML. Des outils de vérification pour ces langages existent, tels les systèmes de types classiques ou les méthodes déductives, mais le raisonnement automatique sur des programmes numériques a jusqu'alors été peu exploré. Cet article décrit un analyseur statique de valeurs par interprétation abstraite pour un langage fonctionnel typé du premier ordre, approche sûre et automatique pour garantir l'absence d'erreurs à l'exécution. En se basant sur des domaines abstraits relationnels et en réalisant des résumés des champs récursifs des types algébriques, cette approche permet d'analyser des fonctions récursives manipulant des types algébriques récursifs et d'inférer dans un domaine abstrait leur relation entrée-sortie. Une implémentation est en cours sur la plateforme d'analyse multilangage MOPSA et analyse avec succès de courts programmes de quelques lignes. Ce travail ouvre ainsi la voie vers une analyse de valeurs précise et relationnelle basée sur l'interprétation abstraite pour les langages fonctionnels d'ordre supérieur à la ML

A Theoretical Foundation of Sensitivity in an Abstract Interpretation Framework

International audienceProgram analyses often utilize various forms of sensitivity such as context sensitivity, call-site sensitivity, and object sensitivity. These techniques all allow for more precise program analyses, that are able to compute more precise program invariants, and to verify stronger properties. Despite the fact that sensitivity techniques are now part of the standard toolkit of static analyses designers and implementers, no comprehensive frameworks allow the description of all common forms of sensitivity. As a consequence, the soundness proofs of static analysis tools involving sensitivity often rely on ad hoc formalization, which are not always carried out in an abstract interpretation framework. Moreover, this also means that opportunities to identify similarities between analysis techniques to better improve abstractions or to tune static analysis tools can easily be missed. In this paper, we present and formalize a framework for the description of sensitivity in static analysis. Our framework is based on a powerful abstract domain construction, and utilizes reduced cardinal power to tie basic abstract predicates to the properties analyses are sensitive to. We formalize this abstraction, and the main abstract operations that are needed to turn it into a generic abstract domain construction. We demonstrate that our approach can allow for a more precise description of program states, and that it can also describe a large set of sensitivity techniques, both when sensitivity criteria are static (known before the analysis) or dynamic (inferred as part of the analysis), and sensitive analysis tuning parameters. Last, we show that sensitivity techniques used in state of the art static analysis tools can be described in our framework

Programmanalyse des XRTL Zwischencodes

In dieser Arbeit stellen wir das Analysetool xGCC vor. Dieses Tool analysiert den XRTL Zwischencode, um Sicherheitseigenschaften, z.B. Speicherüberlauf, die Division durch Null und die Verwendung von uninitialisierten Variablen oder Speicherstücken, zu verifizieren. XRTL ist eine von uns entwickelte Erweiterung der Register Transfer Language (RTL). Dieser sprachunabh ängige Zwischencode wird von Frontends der GNU Compiler Collection (GCC) für verschiedene Programmiersprachen, wie z.B. C, C++, Java und Fortran 77, erzeugt. xGCC unterstützt diese Programmiersprachen, da sich unsere Compilermodifikationen auf den sprachunabhängigen Teil des Compilers beschränken. Für die Analyse von XRTL setzen wir die abstrakte Interpretation ein. Wir verwenden Listen von gültigen Intervallen, um Mengen von benötigten Registern und Speicherstücken darzustellen. Gültige Intervalle sind Intervalle für die zusätzlichen Bedingungen gelten, um die Implementierung der XRTL Operationen zu erleichtern. Die Präzision der Approximation ist durch die Listenlänge einstellbar. Wir zeigen, wie einfache und parallele XRTL Anweisungen abgearbeitet werden.Wir leiten Constraints aus der Bedingung von Verzweigungen ab, um den Suchraum einzuschränken. Wir verwenden das Widening/Narrowing, um die Fixpunktberechnung für XRTL Scheifen zu beschleunigen. Wir stellen die Implementierung von xGCC vor und erläutern die getroffenen Designentscheidungen. Mit Hilfe ausgewählter Beispiele demonstrieren wir verschiedene Klassen von Fehlern, die das Analysetool xGCC entdeckt. Wir untersuchen das Laufzeitverhalten der Analyse mit Beispielen aus den Numerical Recipes in C und stellen verschiedene Optimierungen vor.We present the xGCC analysis tool for the verification of safety properties of the XRTL intermediate code. These properties include the absence of buffer overow, division by zero and the use of uninitialized variables and memory. XRTL is our extension of the Register Transfer Language (RTL). This language independent intermediate code is generated by frontends of the GNU Compiler Collection (GCC) for the programming languages C, C++, Java and Fortran 77. These programming languages are supported by xGCC since we have modified only the language independent part of the compiler. We apply abstract interpretation for the analysis of XRTL. Lists of valid intervals are used for the abstraction of sets of registers and memory blocks. Valid intervals are intervals with additional contraints that simplify the implementation of the XRTL operations. The precision of the abstraction is parameterized by the list length. We describe the interpretation of sequential and parallel XRTL instructions.We take branching conditions into account for restricting the search space, and apply the Widening/Narrowing techniques to speed up the fixpoint computation for XRTL loops. We present the implementation of xGCC and explain the tool design.We demonstrate xGCC analysis tool on a collection of examples.We analyse the tool performance on examples from the Numerical Recipes in C, and introduce several optimizations