21 research outputs found
Stratified Static Analysis Based on Variable Dependencies
In static analysis by abstract interpretation, one often uses widening
operators in order to enforce convergence within finite time to an inductive
invariant. Certain widening operators, including the classical one over finite
polyhedra, exhibit an unintuitive behavior: analyzing the program over a subset
of its variables may lead a more precise result than analyzing the original
program! In this article, we present simple workarounds for such behavior
A minimalistic look at widening operators
We consider the problem of formalizing the familiar notion of widening in
abstract interpretation in higher-order logic. It turns out that many axioms of
widening (e.g. widening sequences are ascending) are not useful for proving
correctness. After keeping only useful axioms, we give an equivalent
characterization of widening as a lazily constructed well-founded tree. In type
systems supporting dependent products and sums, this tree can be made to
reflect the condition of correct termination of the widening sequence
PAGAI: a path sensitive static analyzer
We describe the design and the implementation of PAGAI, a new static analyzer
working over the LLVM compiler infrastructure, which computes inductive
invariants on the numerical variables of the analyzed program. PAGAI implements
various state-of-the-art algorithms combining abstract interpretation and
decision procedures (SMT-solving), focusing on distinction of paths inside the
control flow graph while avoiding systematic exponential enumerations. It is
parametric in the abstract domain in use, the iteration algorithm, and the
decision procedure. We compared the time and precision of various combinations
of analysis algorithms and abstract domains, with extensive experiments both on
personal benchmarks and widely available GNU programs.Comment: Tools for Automatic Program AnalysiS (TAPAS 2012), Deauville : France
(2012
Polyhedral Approximation of Multivariate Polynomials using Handelman's Theorem
International audienceConvex polyhedra are commonly used in the static analysis of programs to represent over-approximations of sets of reachable states of numerical program variables. When the analyzed programs contain nonlinear instructions, they do not directly map to standard polyhedral operations: some kind of linearization is needed. Convex polyhe-dra are also used in satisfiability modulo theory solvers which combine a propositional satisfiability solver with a fast emptiness check for polyhedra. Existing decision procedures become expensive when nonlinear constraints are involved: a fast procedure to ensure emptiness of systems of nonlinear constraints is needed. We present a new linearization algorithm based on Handelman's representation of positive polynomials. Given a polyhedron and a polynomial (in)equality, we compute a polyhedron enclosing their intersection as the solution of a parametric linear programming problem. To get a scalable algorithm, we provide several heuristics that guide the construction of the Handelman's representation. To ensure the correctness of our polyhedral approximation , our Ocaml implementation generates certificates verified by a checker certified in Coq
Automated Random Testing of Numerical Constrained Types
International audienceWe propose an automated testing framework based on constraint programming techniques. Our framework allows the developer to attach a numerical constraint to a type that restricts its set of possible values. We use this constraint as a partial specification of the program, our goal being to derive property-based tests on such annotated programs. To achieve this, we rely on the user-provided constraints on the types of a program: for each function f present in the program, that returns a constrained type, we generate a test. The tests consists of generating uniformly pseudo-random inputs and checking whether f 's output satisfies the constraint. We are able to automate this process by providing a set of generators for primitive types and generator combinators for composite types. To derive generators for constrained types, we present in this paper a technique that characterizes their inhabitants as the solution set of a numerical CSP. This is done by combining abstract interpretation and constraint solving techniques that allow us to efficiently and uniformly generate solutions of numerical CSP. We validated our approach by implementing it as a syntax extension for the OCaml language
Invariant Generation through Strategy Iteration in Succinctly Represented Control Flow Graphs
We consider the problem of computing numerical invariants of programs, for
instance bounds on the values of numerical program variables. More
specifically, we study the problem of performing static analysis by abstract
interpretation using template linear constraint domains. Such invariants can be
obtained by Kleene iterations that are, in order to guarantee termination,
accelerated by widening operators. In many cases, however, applying this form
of extrapolation leads to invariants that are weaker than the strongest
inductive invariant that can be expressed within the abstract domain in use.
Another well-known source of imprecision of traditional abstract interpretation
techniques stems from their use of join operators at merge nodes in the control
flow graph. The mentioned weaknesses may prevent these methods from proving
safety properties. The technique we develop in this article addresses both of
these issues: contrary to Kleene iterations accelerated by widening operators,
it is guaranteed to yield the strongest inductive invariant that can be
expressed within the template linear constraint domain in use. It also eschews
join operators by distinguishing all paths of loop-free code segments. Formally
speaking, our technique computes the least fixpoint within a given template
linear constraint domain of a transition relation that is succinctly expressed
as an existentially quantified linear real arithmetic formula. In contrast to
previously published techniques that rely on quantifier elimination, our
algorithm is proved to have optimal complexity: we prove that the decision
problem associated with our fixpoint problem is in the second level of the
polynomial-time hierarchy.Comment: 35 pages, conference version published at ESOP 2011, this version is
a CoRR version of our submission to Logical Methods in Computer Scienc
Efficient Generation of Correctness Certificates for the Abstract Domain of Polyhedra
Polyhedra form an established abstract domain for inferring runtime
properties of programs using abstract interpretation. Computations on them need
to be certified for the whole static analysis results to be trusted. In this
work, we look at how far we can get down the road of a posteriori verification
to lower the overhead of certification of the abstract domain of polyhedra. We
demonstrate methods for making the cost of inclusion certificate generation
negligible. From a performance point of view, our single-representation,
constraints-based implementation compares with state-of-the-art
implementations
Inferring sufficient conditions with backward polyhedral under-approximations
International audienceIn this article, we discuss the automatic inference of sufficient pre-conditions by abstract interpretation and sketch the construction of an under-approximating backward analysis. We focus on numeric domains and propose transfer functions, including a lower widening, for polyhedra, without resorting to disjunctive completion nor complementation, while soundly handling non-determinism. Applications include the derivation of sufficient conditions for a program to never step outside an envelope of safe states, or dually to force it to eventually fail. Our construction is preliminary and essentially untried, but we hope to convince that this avenue of research is worth considering