108 research outputs found
Sharper and Simpler Nonlinear Interpolants for Program Verification
Interpolation of jointly infeasible predicates plays important roles in
various program verification techniques such as invariant synthesis and CEGAR.
Intrigued by the recent result by Dai et al.\ that combines real algebraic
geometry and SDP optimization in synthesis of polynomial interpolants, the
current paper contributes its enhancement that yields sharper and simpler
interpolants. The enhancement is made possible by: theoretical observations in
real algebraic geometry; and our continued fraction-based algorithm that rounds
off (potentially erroneous) numerical solutions of SDP solvers. Experiment
results support our tool's effectiveness; we also demonstrate the benefit of
sharp and simple interpolants in program verification examples
Efficient Reflection String Analysis via Graph Coloring
Static analyses for reflection and other dynamic language features have recently increased in number and advanced in sophistication. Most such analyses rely on a whole-program model of the flow of strings, through the stack and heap. We show that this global modeling of strings remains a major bottleneck of static analyses and propose a compact encoding, in order to battle unnecessary complexity. In our encoding, strings are maximally merged if they can never serve to differentiate class members in reflection operations. We formulate the problem as an instance of graph coloring and propose a fast polynomial-time algorithm that exploits the unique features of the setting (esp. large cliques, leading to hundreds of colors for realistic programs). The encoding is applied to two different frameworks for string-guided Java reflection analysis from past literature and leads to significant optimization (e.g., a ~2x reduction in the number of string-flow inferences), for a whole-program points-to analysis that uses strings
Static Analysis Symposium - 22nd International Symposium, SAS 2015, Saint-Malo, France, September 9-11, 2015. Proceedings
International audienc
Scalability-First Pointer Analysis with Self-Tuning Context-Sensitivity
Context-sensitivity is important in pointer analysis to ensure high
precision, but existing techniques suffer from unpredictable scala-
bility. Many variants of context-sensitivity exist, and it is difficult
to choose one that leads to reasonable analysis time and obtains
high precision, without running the analysis multiple times.
We present the Scaler framework that addresses this problem.
Scaler efficiently estimates the amount of points-to information
that would be needed to analyze each method with different variants
of context-sensitivity. It then selects an appropriate variant for
each method so that the total amount of points-to information is
bounded, while utilizing the available space to maximize precision.
Our experimental results demonstrate that Scaler achieves pre-
dictable scalability for all the evaluated programs (e.g., speedups
can reach 10x for 2-object-sensitivity), while providing a precision
that matches or even exceeds that of the best alternative techniques
A Sums-of-Squares Extension of Policy Iterations
In order to address the imprecision often introduced by widening operators in
static analysis, policy iteration based on min-computations amounts to
considering the characterization of reachable value set of a program as an
iterative computation of policies, starting from a post-fixpoint. Computing
each policy and the associated invariant relies on a sequence of numerical
optimizations. While the early research efforts relied on linear programming
(LP) to address linear properties of linear programs, the current state of the
art is still limited to the analysis of linear programs with at most quadratic
invariants, relying on semidefinite programming (SDP) solvers to compute
policies, and LP solvers to refine invariants.
We propose here to extend the class of programs considered through the use of
Sums-of-Squares (SOS) based optimization. Our approach enables the precise
analysis of switched systems with polynomial updates and guards. The analysis
presented has been implemented in Matlab and applied on existing programs
coming from the system control literature, improving both the range of
analyzable systems and the precision of previously handled ones.Comment: 29 pages, 4 figure
Generalized Property-Directed Reachability for Hybrid Systems
Generalized property-directed reachability (GPDR) belongs to the family of
the model-checking techniques called IC3/PDR. It has been successfully applied
to software verification; for example, it is the core of Spacer, a
state-of-the-art Horn-clause solver bundled with Z3. However, it has yet to be
applied to hybrid systems, which involve a continuous evolution of values over
time. As the first step towards GPDR- based model checking for hybrid systems,
this paper formalizes HGPDR, an adaptation of GPDR to hybrid systems, and
proves its soundness. We also implemented a semi-automated proof-of-concept
verifier, which allows a user to provide hints to guide verification steps.Comment: To appear in VMCAI 202
- …