25,420 research outputs found
Gradual Program Analysis
Dataflow analysis and gradual typing are both well-studied methods to gain information about computer programs in a finite amount of time. The gradual program analysis project seeks to combine those two techniques in order to gain the benefits of both. This thesis explores the background information necessary to understand gradual program analysis, and then briefly discusses the research itself, with reference to publication of work done so far. The background topics include essential aspects of programming language theory, such as syntax, semantics, and static typing; dataflow analysis concepts, such as abstract interpretation, semilattices, and fixpoint computations; and gradual typing theory, such as the concept of an unknown type, liftings of predicates, and liftings of functions
Program analysis for documentation
A program analysis for documentation (PAD) written in FORTRAN has three steps: listing the variables, describing the structure and writing the program specifications. Technical notes on editing criteria for reviewing program documentation, technical notes for PAD, and FORTRAN program analyzer for documentation are appended
Integer polyhedra for program analysis
Polyhedra are widely used in model checking and abstract interpretation. Polyhedral analysis is effective when the relationships between variables are linear, but suffers from imprecision when it is necessary to take into account the integrality of the represented space. Imprecision also arises when non-linear constraints occur. Moreover, in terms of tractability, even a space defined by linear constraints can become unmanageable owing to the excessive number of inequalities. Thus it is useful to identify those inequalities whose omission has least impact on the represented space. This paper shows how these issues can be addressed in a novel way by growing the integer hull of the space and approximating the number of integral points within a bounded polyhedron
Using Program Synthesis for Program Analysis
In this paper, we identify a fragment of second-order logic with restricted
quantification that is expressive enough to capture numerous static analysis
problems (e.g. safety proving, bug finding, termination and non-termination
proving, superoptimisation). We call this fragment the {\it synthesis
fragment}. Satisfiability of a formula in the synthesis fragment is decidable
over finite domains; specifically the decision problem is NEXPTIME-complete. If
a formula in this fragment is satisfiable, a solution consists of a satisfying
assignment from the second order variables to \emph{functions over finite
domains}. To concretely find these solutions, we synthesise \emph{programs}
that compute the functions. Our program synthesis algorithm is complete for
finite state programs, i.e. every \emph{function} over finite domains is
computed by some \emph{program} that we can synthesise. We can therefore use
our synthesiser as a decision procedure for the synthesis fragment of
second-order logic, which in turn allows us to use it as a powerful backend for
many program analysis tasks. To show the tractability of our approach, we
evaluate the program synthesiser on several static analysis problems.Comment: 19 pages, to appear in LPAR 2015. arXiv admin note: text overlap with
arXiv:1409.492
An Algebraic Framework for Compositional Program Analysis
The purpose of a program analysis is to compute an abstract meaning for a
program which approximates its dynamic behaviour. A compositional program
analysis accomplishes this task with a divide-and-conquer strategy: the meaning
of a program is computed by dividing it into sub-programs, computing their
meaning, and then combining the results. Compositional program analyses are
desirable because they can yield scalable (and easily parallelizable) program
analyses.
This paper presents algebraic framework for designing, implementing, and
proving the correctness of compositional program analyses. A program analysis
in our framework defined by an algebraic structure equipped with sequencing,
choice, and iteration operations. From the analysis design perspective, a
particularly interesting consequence of this is that the meaning of a loop is
computed by applying the iteration operator to the loop body. This style of
compositional loop analysis can yield interesting ways of computing loop
invariants that cannot be defined iteratively. We identify a class of
algorithms, the so-called path-expression algorithms [Tarjan1981,Scholz2007],
which can be used to efficiently implement analyses in our framework. Lastly,
we develop a theory for proving the correctness of an analysis by establishing
an approximation relationship between an algebra defining a concrete semantics
and an algebra defining an analysis.Comment: 15 page
Towards Vulnerability Discovery Using Staged Program Analysis
Eliminating vulnerabilities from low-level code is vital for securing
software. Static analysis is a promising approach for discovering
vulnerabilities since it can provide developers early feedback on the code they
write. But, it presents multiple challenges not the least of which is
understanding what makes a bug exploitable and conveying this information to
the developer. In this paper, we present the design and implementation of a
practical vulnerability assessment framework, called Melange. Melange performs
data and control flow analysis to diagnose potential security bugs, and outputs
well-formatted bug reports that help developers understand and fix security
bugs. Based on the intuition that real-world vulnerabilities manifest
themselves across multiple parts of a program, Melange performs both local and
global analyses. To scale up to large programs, global analysis is
demand-driven. Our prototype detects multiple vulnerability classes in C and
C++ code including type confusion, and garbage memory reads. We have evaluated
Melange extensively. Our case studies show that Melange scales up to large
codebases such as Chromium, is easy-to-use, and most importantly, capable of
discovering vulnerabilities in real-world code. Our findings indicate that
static analysis is a viable reinforcement to the software testing tool set.Comment: A revised version to appear in the proceedings of the 13th conference
on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA),
July 201
- …