Analyzing program analyses
We want to prove that a static analysis of a given program is complete, namely, that no imprecision arises when asking some query on the program behavior in the concrete (i.e., for its concrete semantics) or in the abstract (i.e., for its abstract interpretation). Completeness proofs are therefore useful to assign confidence to alarms raised by static analyses. We introduce the completeness class of an abstraction as the set of all programs for which the abstraction is complete. Our first result shows that for any nontrivial abstraction, its completeness class is not recursively enumerable. We then introduce a stratified deductive system a2A to prove the completeness of program analyses over an abstract domain A. We prove the soundness of the deductive system. We observe that the only sources of incompleteness are assignments and Boolean tests: unlike a common belief in static analysis, joins do not induce incompleteness. The first layer of this proof system is generic, abstraction-agnostic, and it deals with the standard constructs for program composition, that is, sequential composition, branching and guarded iteration. The second layer is instead abstraction-specific: the designer of an abstract domain A provides conditions for completeness in A of assignments and Boolean tests, which have to be checked by a suitable static analysis or assumed in the completeness proof as hypotheses. We instantiate the second layer of this proof system first with a generic nonrelational abstraction in order to provide a sound rule for the completeness of assignments. Orthogonally, we instantiate it to the numerical abstract domains of Intervals and Octagons, providing necessary and sufficient conditions for the completeness of their Boolean tests and of assignments for Octagons.
A true positives theorem for a static race detector
RacerD is a static race detector that has been proven to be effective in engineering practice: it has seen thousands of data races fixed by developers before reaching production, and has supported the migration of Facebook's Android app rendering infrastructure from a single-threaded to a multi-threaded architecture. We prove a True Positives Theorem stating that, under certain assumptions, an idealized theoretical version of the analysis never reports a false positive. We also provide an empirical evaluation of an implementation of this analysis, versus the original RacerD.
The theorem was motivated in the first case by the desire to understand the observation from production that RacerD was providing remarkably accurate signal to developers, and then the theorem guided further analyzer design decisions. Technically, our result can be seen as saying that the analysis computes an under-approximation of an over-approximation, which is the reverse of the more usual (over of under) situation in static analysis. Until now, static analyzers that are effective in practice but unsound have often been regarded as ad hoc; in contrast, we suggest that, in the future, theorems of this variety might be generally useful in understanding, justifying and designing effective static analyses for bug catching.
Inductive Reachability Witnesses
In this work, we consider the fundamental problem of reachability analysis over imperative programs with real variables. The reachability property requires that a program can reach certain target states during its execution. Previous works that tackle reachability analysis are either unable to handle programs consisting of general loops (e.g. symbolic execution), or lack completeness guarantees (e.g. abstract interpretation), or are not automated (e.g. incorrectness logic/reverse Hoare logic). In contrast, we propose a novel approach for reachability analysis that can handle general programs, is (semi-)complete, and can be entirely automated for a wide family of programs. Our approach extends techniques from both invariant generation and ranking-function synthesis to reachability analysis through the notion of (Universal) Inductive Reachability Witnesses (IRWs/UIRWs). While traditional invariant generation uses over-approximations of reachable states, we consider the natural dual problem of under-approximating the set of program states that can reach a target state. We then apply an argument similar to ranking functions to ensure that all states in our under-approximation can indeed reach the target set in finitely many steps.
A True Positives Theorem for a Static Race Detector - Extended Version
RacerD is a static race detector that has been proven to be effective in engineering practice: it has seen thousands of data races fixed by developers before reaching production, and has supported the migration of Facebook's Android app rendering infrastructure from a single-threaded to a multi-threaded architecture. We prove a True Positives Theorem stating that, under certain assumptions, an idealized theoretical version of the analysis never reports a false positive. We also provide an empirical evaluation of an implementation of this analysis, versus the original RacerD. The theorem was motivated in the first case by the desire to understand the observation from production that RacerD was providing remarkably accurate signal to developers, and then the theorem guided further analyzer design decisions. Technically, our result can be seen as saying that the analysis computes an under-approximation of an over-approximation, which is the reverse of the more usual (over of under) situation in static analysis. Until now, static analyzers that are effective in practice but unsound have often been regarded as ad hoc; in contrast, we suggest that, in the future, theorems of this variety might be generally useful in understanding, justifying and designing effective static analyses for bug catching.
On the Use of Quasiorders in Formal Language Theory
In this thesis we use quasiorders on words to offer a new perspective on two well-studied problems from Formal Language Theory: deciding language inclusion and manipulating the finite automata representations of regular languages. First, we present a generic quasiorder-based framework that, when instantiated with different quasiorders, yields different algorithms (some of them new) for deciding language inclusion. We then instantiate this framework to devise an efficient algorithm for searching with regular expressions on grammar-compressed text. Finally, we define a framework of quasiorder-based automata constructions to offer a new perspective on residual automata.
Comment: PhD thesis
Complete Abstractions Everywhere
Abstract. While soundness captures an essential requirement of the intrinsic approximation of any static analysis, completeness encodes approximations that are as precise as possible. Although a static analysis of some undecidable program property cannot be complete relative to its reference semantics, it may well happen that it is complete relative to an approximated and decidable reference semantics. In this paper, we argue for the ubiquity of completeness properties in static analysis and we discuss the beneficial role that completeness can play as a tool for designing and fine-tuning static analyses by reasoning on the completeness properties of their underlying abstract domains.