123 research outputs found
Analyzing Conflict Freedom For Multi-threaded Programs With Time Annotations
Avoiding access conflicts is a major challenge in the design of
multi-threaded programs. In the context of real-time systems, the absence of
conflicts can be guaranteed by ensuring that no two potentially conflicting
accesses are ever scheduled concurrently.In this paper, we analyze programs
that carry time annotations specifying the time for executing each statement.
We propose a technique for verifying that a multi-threaded program with time
annotations is free of access conflicts. In particular, we generate constraints
that reflect the possible schedules for executing the program and the required
properties. We then invoke an SMT solver in order to verify that no execution
gives rise to concurrent conflicting accesses. Otherwise, we obtain a trace
that exhibits the access conflict.Comment: http://journal.ub.tu-berlin.de/eceasst/article/view/97
Inductive Program Synthesis via Iterative Forward-Backward Abstract Interpretation
A key challenge in example-based program synthesis is the gigantic search
space of programs. To address this challenge, various work proposed to use
abstract interpretation to prune the search space. However, most of existing
approaches have focused only on forward abstract interpretation, and thus
cannot fully exploit the power of abstract interpretation. In this paper, we
propose a novel approach to inductive program synthesis via iterative
forward-backward abstract interpretation. The forward abstract interpretation
computes possible outputs of a program given inputs, while the backward
abstract interpretation computes possible inputs of a program given outputs. By
iteratively performing the two abstract interpretations in an alternating
fashion, we can effectively determine if any completion of each partial program
as a candidate can satisfy the input-output examples. We apply our approach to
a standard formulation, syntax-guided synthesis (SyGuS), thereby supporting a
wide range of inductive synthesis tasks. We have implemented our approach and
evaluated it on a set of benchmarks from the prior work. The experimental
results show that our approach significantly outperforms the state-of-the-art
approaches thanks to the sophisticated abstract interpretation techniques
Automatic Verification of Message-Based Device Drivers
We develop a practical solution to the problem of automatic verification of
the interface between device drivers and the OS. Our solution relies on a
combination of improved driver architecture and verification tools. It supports
drivers written in C and can be implemented in any existing OS, which sets it
apart from previous proposals for verification-friendly drivers. Our
Linux-based evaluation shows that this methodology amplifies the power of
existing verification tools in detecting driver bugs, making it possible to
verify properties beyond the reach of traditional techniques.Comment: In Proceedings SSV 2012, arXiv:1211.587
Scalability-First Pointer Analysis with Self-Tuning Context-Sensitivity
Context-sensitivity is important in pointer analysis to ensure high
precision, but existing techniques suffer from unpredictable scala-
bility. Many variants of context-sensitivity exist, and it is difficult
to choose one that leads to reasonable analysis time and obtains
high precision, without running the analysis multiple times.
We present the Scaler framework that addresses this problem.
Scaler efficiently estimates the amount of points-to information
that would be needed to analyze each method with different variants
of context-sensitivity. It then selects an appropriate variant for
each method so that the total amount of points-to information is
bounded, while utilizing the available space to maximize precision.
Our experimental results demonstrate that Scaler achieves pre-
dictable scalability for all the evaluated programs (e.g., speedups
can reach 10x for 2-object-sensitivity), while providing a precision
that matches or even exceeds that of the best alternative techniques
Pluggable abstract domains for analyzing embedded software
ManuscriptMany abstract value domains such as intervals, bitwise, constants, and value-sets have been developed to support dataflow analysis. Different domains offer alternative tradeoffs between analysis speed and precision. Furthermore, some domains are a better match for certain kinds of code than others. This paper presents the design and implementation of cXprop, an analysis and transformation tool for C that implements "conditional X propagation," a generalization of the well-known conditional constant propagation algorithm where X is an abstract value domain supplied by the user. cXprop is interprocedural, context-insensitive, and achieves reasonable precision on pointer-rich codes. We have applied cXprop to sensor network programs running on TinyOS, in order to reduce code size through interprocedural dead code elimination, and to find limited-bitwidth global variables. Our analysis of global variables is supported by a novel concurrency model for interruptdriven software. cXprop reduces TinyOS application code size by an average of 9.2% and predicts an average data size reduction of 8.2% through RAM compression
Efficient Reflection String Analysis via Graph Coloring
Static analyses for reflection and other dynamic language features have recently increased in number and advanced in sophistication. Most such analyses rely on a whole-program model of the flow of strings, through the stack and heap. We show that this global modeling of strings remains a major bottleneck of static analyses and propose a compact encoding, in order to battle unnecessary complexity. In our encoding, strings are maximally merged if they can never serve to differentiate class members in reflection operations. We formulate the problem as an instance of graph coloring and propose a fast polynomial-time algorithm that exploits the unique features of the setting (esp. large cliques, leading to hundreds of colors for realistic programs). The encoding is applied to two different frameworks for string-guided Java reflection analysis from past literature and leads to significant optimization (e.g., a ~2x reduction in the number of string-flow inferences), for a whole-program points-to analysis that uses strings
Precision-guided context sensitivity for pointer analysis
Context sensitivity is an essential technique for ensuring high precision in Java pointer analyses. It has been
observed that applying context sensitivity partially, only on a select subset of the methods, can improve the
balance between analysis precision and speed. However, existing techniques are based on heuristics that
do not provide much insight into what characterizes this method subset. In this work, we present a more
principled approach for identifying precision-critical methods, based on general patterns of value flows that
explain where most of the imprecision arises in context-insensitive pointer analysis. Accordingly, we provide
an efficient algorithm to recognize these flow patterns in a given program and exploit them to yield good
tradeoffs between analysis precision and speed.
Our experimental results on standard benchmark and real-world programs show that a pointer analysis that
applies context sensitivity partially, only on the identified precision-critical methods, preserves effectively all
(98.8%) of the precision of a highly-precise conventional context-sensitive pointer analysis (2-object-sensitive
with a context-sensitive heap), with a substantial speedup (on average 3.4X, and up to 9.2X)
Predictive Monitoring against Pattern Regular Languages
In this paper, we focus on the problem of dynamically analysing concurrent
software against high-level temporal specifications. Existing techniques for
runtime monitoring against such specifications are primarily designed for
sequential software and remain inadequate in the presence of concurrency --
violations may be observed only in intricate thread interleavings, requiring
many re-runs of the underlying software. Towards this, we study the problem of
predictive runtime monitoring, inspired by the analogous problem of predictive
data race detection studied extensively recently. The predictive runtime
monitoring question asks, given an execution , if it can be soundly
reordered to expose violations of a specification.
In this paper, we focus on specifications that are given in regular
languages. Our notion of reorderings is trace equivalence, where an execution
is considered a reordering of another if it can be obtained from the latter by
successively commuting adjacent independent actions. We first show that the
problem of predictive admits a super-linear lower bound of , where
is the number of events in the execution, and is a parameter
describing the degree of commutativity. As a result, predictive runtime
monitoring even in this setting is unlikely to be efficiently solvable.
Towards this, we identify a sub-class of regular languages, called pattern
languages (and their extension generalized pattern languages). Pattern
languages can naturally express specific ordering of some number of (labelled)
events, and have been inspired by popular empirical hypotheses, the `small bug
depth' hypothesis. More importantly, we show that for pattern (and generalized
pattern) languages, the predictive monitoring problem can be solved using a
constant-space streaming linear-time algorithm
- …