16 research outputs found
LNCS
This paper presents Aligators, a tool for the generation of universally quantified array invariants. Aligators leverages recurrence solving and algebraic techniques to carry out inductive reasoning over array content. The Aligators’ loop extraction module allows treatment of multi-path loops by exploiting their commutativity and serializability properties. Our experience in applying Aligators on a collection of loops from open source software projects indicates the applicability of recurrence and algebraic solving techniques for reasoning about arrays
A Simple and Scalable Static Analysis for Bound Analysis and Amortized Complexity Analysis
We present the first scalable bound analysis that achieves amortized
complexity analysis. In contrast to earlier work, our bound analysis is not
based on general purpose reasoners such as abstract interpreters, software
model checkers or computer algebra tools. Rather, we derive bounds directly
from abstract program models, which we obtain from programs by comparatively
simple invariant generation and symbolic execution techniques. As a result, we
obtain an analysis that is more predictable and more scalable than earlier
approaches. Our experiments demonstrate that our analysis is fast and at the
same time able to compute bounds for challenging loops in a large real-world
benchmark. Technically, our approach is based on lossy vector addition systems
(VASS). Our bound analysis first computes a lexicographic ranking function that
proves the termination of a VASS, and then derives a bound from this ranking
function. Our methodology achieves amortized analysis based on a new insight
how lexicographic ranking functions can be used for bound analysis
Unrestricted Termination and Non-Termination Arguments for Bit-Vector Programs
Proving program termination is typically done by finding a well-founded
ranking function for the program states. Existing termination provers typically
find ranking functions using either linear algebra or templates. As such they
are often restricted to finding linear ranking functions over mathematical
integers. This class of functions is insufficient for proving termination of
many terminating programs, and furthermore a termination argument for a program
operating on mathematical integers does not always lead to a termination
argument for the same program operating on fixed-width machine integers. We
propose a termination analysis able to generate nonlinear, lexicographic
ranking functions and nonlinear recurrence sets that are correct for
fixed-width machine arithmetic and floating-point arithmetic Our technique is
based on a reduction from program \emph{termination} to second-order
\emph{satisfaction}. We provide formulations for termination and
non-termination in a fragment of second-order logic with restricted
quantification which is decidable over finite domains. The resulted technique
is a sound and complete analysis for the termination of finite-state programs
with fixed-width integers and IEEE floating-point arithmetic
Evaluating Design Tradeoffs in Numeric Static Analysis for Java
Numeric static analysis for Java has a broad range of potentially useful
applications, including array bounds checking and resource usage estimation.
However, designing a scalable numeric static analysis for real-world Java
programs presents a multitude of design choices, each of which may interact
with others. For example, an analysis could handle method calls via either a
top-down or bottom-up interprocedural analysis. Moreover, this choice could
interact with how we choose to represent aliasing in the heap and/or whether we
use a relational numeric domain, e.g., convex polyhedra. In this paper, we
present a family of abstract interpretation-based numeric static analyses for
Java and systematically evaluate the impact of 162 analysis configurations on
the DaCapo benchmark suite. Our experiment considered the precision and
performance of the analyses for discharging array bounds checks. We found that
top-down analysis is generally a better choice than bottom-up analysis, and
that using access paths to describe heap objects is better than using summary
objects corresponding to points-to analysis locations. Moreover, these two
choices are the most significant, while choices about the numeric domain,
representation of abstract objects, and context-sensitivity make much less
difference to the precision/performance tradeoff