
    Improving Strategies via SMT Solving

    We consider the problem of computing numerical invariants of programs by abstract interpretation. Our method eschews two traditional sources of imprecision: (i) the use of widening operators for enforcing convergence within a finite number of iterations, and (ii) the use of merge operations (often, convex hulls) at the merge points of the control flow graph. It instead computes the least inductive invariant expressible in the domain at a restricted set of program points, and analyzes the rest of the code en bloc. We emphasize that we compute this inductive invariant precisely. For that we extend the strategy improvement algorithm of [Gawlitza and Seidl, 2007]. If we applied their method directly, we would have to solve an exponentially sized system of abstract semantic equations, resulting in memory exhaustion. Instead, we keep the system implicit and discover strategy improvements using SAT modulo real linear arithmetic (SMT). For evaluating strategies we use linear programming. Our algorithm has low polynomial space complexity and, on contrived examples, performs exponentially many strategy improvement steps in the worst case; this is unsurprising, since we show that the associated abstract reachability problem is Π^p_2-complete.

    Logico-numerical max-strategy iteration

    Strategy iteration methods are used for solving fixed point equations. It has been shown that they improve precision in static analysis based on abstract interpretation and template abstract domains, e.g. intervals, octagons or template polyhedra. However, they are limited to numerical programs. In this paper, we propose a method for applying max-strategy iteration to logico-numerical programs, i.e. programs with numerical and Boolean variables, without explicitly enumerating the Boolean state space. The method is optimal in the sense that it computes the least fixed point w.r.t. the abstract domain; in particular, it does not resort to widening. Moreover, we give experimental evidence of the efficiency and precision of the approach.
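    The two abstracts above contrast max-strategy iteration with widening but, being abstracts, show neither. The following is an added illustration written for this page, not code from either paper. It models the interval domain as "bound variables" (the upper bound of x and the upper bound of -x at a loop head) and expresses the abstract semantics of a constructed loop as a system of max-equations whose arguments are min-plus terms. The strategy-iteration solver starts from the bottom strategy, switches a variable to a strictly better argument, and re-solves the chosen conjunctive system; it solves each such system for its greatest solution with Bellman-Ford shortest paths (a min-plus system is a set of difference constraints), which is an assumption of this example standing in for the linear-programming step the papers use. Emptiness of guarded branches is not tracked, a simplification that keeps the result a sound over-approximation. The class names, `loop_counter_system` and `analyze` are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

INF = float("inf")


@dataclass(frozen=True)
class Const:
    value: float            # a constant bound


@dataclass(frozen=True)
class Var:
    index: int              # the bound variable x_index ...
    offset: float           # ... shifted by a constant: x_index + offset


Atom = Union[Const, Var]
Term = List[Atom]           # a term is the MIN over its atoms (a min-plus expression)
System = List[List[Term]]   # equation i reads  x_i = MAX over its terms


def eval_term(term: Term, rho: List[float]) -> float:
    return min(a.value if isinstance(a, Const) else rho[a.index] + a.offset for a in term)


def eval_system(system: System, rho: List[float]) -> List[float]:
    return [max(eval_term(t, rho) for t in terms) for terms in system]


def greatest_solution(strategy: List[Term]) -> List[float]:
    """Greatest solution of the conjunctive system x_i = min(atoms of strategy[i]).

    A min-plus system is a set of difference constraints, so its greatest solution
    is a shortest-path distance: nodes are the variables plus a source s; Const(d)
    is an edge s->i of weight d, Var(j, c) an edge j->i of weight c. Bellman-Ford
    yields +inf for unreachable nodes and -inf on negative cycles. (Assumption of
    this example: it replaces the LP step used in the papers.)
    """
    n = len(strategy)
    edges: List[Tuple[int, int, float]] = []
    for i, term in enumerate(strategy):
        for a in term:
            edges.append((n, i, a.value) if isinstance(a, Const) else (a.index, i, a.offset))
    dist: List[float] = [INF] * n + [0]
    for _ in range(n):                      # n+1 nodes: n relaxation rounds suffice
        for u, v, w in edges:
            if dist[u] + w < dist[v]:
                dist[v] = dist[u] + w
    for _ in range(n + 1):                  # still improving => on or after a negative cycle
        for u, v, w in edges:
            if dist[u] + w < dist[v]:
                dist[v] = -INF
    return dist[:n]


def max_strategy_iteration(system: System) -> Tuple[List[float], int]:
    """Start from the bottom strategy; switch a variable to its best term whenever
    that term is strictly larger under the current solution; re-solve; repeat."""
    n = len(system)
    strategy: List[Term] = [[Const(-INF)] for _ in range(n)]
    rho: List[float] = [-INF] * n
    steps = 0
    while True:
        improved = False
        for i, terms in enumerate(system):
            best = max(terms, key=lambda t: eval_term(t, rho))
            if eval_term(best, rho) > rho[i]:
                strategy[i] = best
                improved = True
        if not improved:
            return rho, steps
        rho = greatest_solution(strategy)
        steps += 1


def kleene_with_widening(system: System) -> List[float]:
    """Classical alternative: ascending Kleene iteration with widening (any increase
    of a finite bound jumps to +inf), then a narrowing pass that only refines
    bounds that are still +inf."""
    rho = [-INF] * len(system)
    while True:
        new = eval_system(system, rho)
        widened = [nv if old == -INF else (INF if nv > old else old) for old, nv in zip(rho, new)]
        if widened == rho:
            break
        rho = widened
    while True:
        new = eval_system(system, rho)
        narrowed = [nv if old == INF else old for old, nv in zip(rho, new)]
        if narrowed == rho:
            return rho
        rho = narrowed


def loop_counter_system(bound: int) -> System:
    """Bound equations (constructed example) at the loop head of
        x = 0; while True: if x < bound: x = x + 1      # else x is left unchanged
    Variable 0 is the upper bound of x, variable 1 the upper bound of -x, so the
    interval is [-rho[1], rho[0]]. Infeasible guards are not detected (simplification)."""
    U, L = 0, 1
    return [
        [[Const(0)],                       # entry: x = 0
         [Var(U, 1), Const(bound)],        # then: x < bound, then x + 1  =>  min(u + 1, bound)
         [Var(U, 0)]],                     # else: x unchanged
        [[Const(0)],                       # entry: -x <= 0
         [Var(L, -1)],                     # then: -(x + 1) = -x - 1
         [Var(L, 0), Const(-bound)]],      # else: x >= bound  =>  -x <= -bound
    ]


def analyze(bound: int) -> Dict[str, object]:
    system = loop_counter_system(bound)
    exact, steps = max_strategy_iteration(system)
    return {"strategy": exact, "strategy_steps": steps, "widening": kleene_with_widening(system)}


if __name__ == "__main__":
    for n in (10, 10 ** 6):
        r = analyze(n)
        print(f"bound={n}: strategy iteration gives x in [{-r['strategy'][1]}, {r['strategy'][0]}] "
              f"after {r['strategy_steps']} strategy steps; widening+narrowing gives "
              f"x in [{-r['widening'][1]}, {r['widening'][0]}]")
```

    On this loop, widening jumps the upper bound to +inf and narrowing cannot bring it back, because the else branch passes the widened value through unchanged; plain Kleene iteration would need `bound` steps. Strategy iteration reaches the least solution in the interval domain, x in [0, bound], after two strategy improvements regardless of `bound`, which is the "no widening, still the least fixed point" property both abstracts claim.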

    Reachability for dynamic parametric processes

    In a dynamic parametric process every subprocess may spawn arbitrarily many identical child processes, which may communicate either over global variables or over local variables that are shared with their parent. We show that reachability for dynamic parametric processes is decidable under mild assumptions. These assumptions are met, e.g., if individual processes are realized by pushdown systems, or even higher-order pushdown systems. We also provide algorithms for subclasses of pushdown dynamic parametric processes, with complexity ranging between NP and DEXPTIME.

    CARET analysis of multithreaded programs

    Dynamic Pushdown Networks (DPNs) are a natural model for multithreaded programs with (recursive) procedure calls and thread creation. On the other hand, CARET is a temporal logic that allows writing linear temporal formulas while taking into account the matching between calls and returns. We consider in this paper the model-checking problem of DPNs against CARET formulas. We show that this problem can be effectively solved by a reduction to the emptiness problem of Büchi Dynamic Pushdown Systems. We then show that CARET model checking is also decidable for DPNs communicating with locks. Our results can, in particular, be used for the detection of concurrent malware. (Pre-proceedings paper presented at the 27th International Symposium on Logic-Based Program Synthesis and Transformation (LOPSTR 2017), Namur, Belgium, 10-12 October 2017; arXiv:1708.07854)

    Succinct Representations for Abstract Interpretation

    Abstract interpretation techniques can be made more precise by distinguishing paths inside loops, at the expense of possibly exponential complexity. SMT-solving techniques and sparse representations of paths and sets of paths avoid this pitfall. We improve previously proposed techniques for guided static analysis and the generation of disjunctive invariants by combining them with techniques for succinct representations of paths and symbolic representations of transitions based on static single assignment. Because of the non-monotonicity of the results of abstract interpretation with widening operators, it is difficult to conclude that some abstraction is more precise than another based on theoretical local precision results. We thus conducted extensive comparisons between our new techniques and previous ones, on a variety of open-source packages. (Static Analysis Symposium (SAS), Deauville, France, 2012)

    A hard x ray split and delay unit for the HED experiment at the European XFEL

    For the High Energy Density (HED) experiment [1] at the European XFEL [2] an x-ray split and delay unit (SDU) is built covering photon energies from 5 keV up to 20 keV [3]. This SDU will enable time-resolved x-ray pump / x-ray probe experiments [4,5] as well as sequential diffractive imaging [6] on a femtosecond to picosecond time scale. Further, direct measurements of the temporal coherence properties will be possible by making use of a linear autocorrelation [7,8]. The setup is based on geometric wavefront beam splitting, which has successfully been implemented at an autocorrelator at FLASH [9]. The x-ray FEL pulses are split by a sharp edge of a silicon mirror coated with multilayers. Both partial beams will then pass variable delay lines. For different photon energies the angle of incidence onto the multilayer mirrors will be adjusted in order to match the Bragg condition. For a photon energy of hν = 20 keV a grazing angle of θ = 0.57° has to be set, which results in a footprint of the beam (6σ) on the mirror of l = 98 mm. At this photon energy the reflectance of a Mo/B4C multilayer coating with a multilayer period of d = 3.2 nm and N = 200 layers amounts to R = 0.92. In order to enhance the maximum transmission for photon energies of hν = 8 keV and below, a Ni/B4C multilayer coating can be applied beside the Mo/B4C coating for this spectral region. Because of the different incidence angles, the path lengths of the beams will differ as a function of wavelength. Hence, maximum delays between 2.5 ps at hν = 20 keV and up to 23 ps at hν = 5 keV will be possible.

    Using Bounded Model Checking to Focus Fixpoint Iterations

    Two classical sources of imprecision in static analysis by abstract interpretation are widening and merge operations. Merge operations can be done away with by distinguishing paths, as in trace partitioning, at the expense of enumerating an exponential number of paths. In this article, we describe how to avoid such systematic exploration by focusing on a single path at a time, designated by SMT-solving. Our method combines well with acceleration techniques, thus doing away with widenings as well in some cases. We illustrate it over the well-known domain of convex polyhedra.

    Lock Removal for Concurrent Trace Programs

    We propose a trace-based concurrent program analysis to soundly remove redundant synchronizations such as locks while preserving the behaviors of the concurrent computation. Our new method is computationally efficient in that it involves only thread-local computation and therefore avoids interleaving explosion, which is known as the main hurdle for scalable concurrency analysis. Our method builds on partial-order theory and a unified analysis framework; therefore, it is more generally applicable than existing methods based on simple syntactic rules and ad hoc heuristics. We have implemented and evaluated the proposed method in the context of runtime verification of multithreaded Java and C programs. Our experimental results show that lock removal can significantly speed up symbolic predictive analysis for detecting concurrency bugs. Besides runtime verification, our new method will also be useful in applications such as debugging, performance optimization, program understanding, and maintenance.

    Fluorescent Molecularly Imprinted Polymer Layers against Sialic Acid on Silica-Coated Polystyrene Cores-Assessment of the Binding Behavior to Cancer Cells

    Simple Summary: Cancer cells often have aberrant sialic acid expression. We used molecularly imprinted polymers in this study as novel tools for analyzing sialic acid expression as a biomarker on cancer cells. The sialic acid imprinted polymer shell was synthesized on a polystyrene core, providing low-density support for improving the suspension stability and scattering properties of the molecularly imprinted particles compared to previous core-shell formats. Our results show that these particles have an increased ability to bind to cancer cells. The binding of these particles may be inhibited by two different pentavalent sialic acid conjugates, pointing to the specificity of the sialic acid imprinted particles. Sialic acid (SA) is a monosaccharide usually linked to the terminus of glycan chains on the cell surface. It plays a crucial role in many biological processes, and hypersialylation is a common feature in cancer. Lectins are widely used to analyze the cell surface expression of SA. However, these protein molecules are usually expensive and easily denatured, which calls for the development of alternative glycan-specific receptors and cell imaging technologies. In this study, SA-imprinted fluorescent core-shell molecularly imprinted polymer particles (SA-MIPs) were employed to recognize SA on the cell surface of cancer cell lines. The SA-MIPs had improved suspension stability and scattering properties compared with previously used core-shell SA-MIPs. Although SA-imprinting was performed using SA without preference for the alpha 2,3- and alpha 2,6-SA forms, we screened the analyzed cancer cell lines using the lectins Maackia Amurensis Lectin I (MAL I, alpha 2,3-SA) and Sambucus Nigra Lectin (SNA, alpha 2,6-SA). Our results show that the selected cancer cell lines in this study presented varied binding behavior with the SA-MIPs. The binding pattern of the lectins was also demonstrated. Moreover, two different pentavalent SA conjugates were used to inhibit the binding of the SA-MIPs to breast, skin, and lung cancer cell lines, demonstrating the specificity of the SA-MIPs in both flow cytometry and confocal fluorescence microscopy. We concluded that the synthesized SA-MIPs might be a powerful future tool in the diagnostic analysis of various cancer cells.

    Constrained Dynamic Tree Networks

    We generalise Constrained Dynamic Pushdown Networks, introduced by Bouajjani et al., to Constrained Dynamic Tree Networks. In this model, we have trees of processes which may monitor their children. We allow the processes to be defined by any computation model for which the alternating reachability problem is decidable. We address the problem of symbolic reachability analysis for this model. More precisely, we consider the problem of computing an effective representation of their reachability sets using finite state automata. We show that backwards reachability sets starting from regular sets of configurations are always regular. We provide an algorithm for computing backwards reachability sets using tree automata.