Scaling Bounded Model Checking By Transforming Programs With Arrays
Bounded Model Checking is one of the most successful techniques for finding bugs in programs. However, model checkers are resource hungry and are often unable to verify programs with loops iterating over large arrays. We present a transformation that enables bounded model checkers to verify a certain class of array properties. Our technique transforms an array-manipulating (ANSI-C) program into an array-free and loop-free (ANSI-C) program, thereby reducing the resource requirements of a model checker significantly. Model checking the transformed program with an off-the-shelf bounded model checker simulates the loop iterations efficiently. The transformed program is a sound abstraction of the original program and is also precise in a large number of cases; we formally characterize the class of programs for which it is guaranteed to be precise. We demonstrate the applicability and usefulness of our technique on both industry code and academic benchmarks.
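An added illustration of the kind of transformation the abstract describes, written here by the editor and not taken from the paper or its tool. The original program loops over an array of N elements; the transformed program keeps a single scalar standing for the cell a[k] at one witness index k and runs each loop body once with i == k, so it contains neither an array nor a loop. The enumeration of k in transformed_property_holds_all stands in for the nondeterministic choice a bounded model checker would leave open. The names, the bound N, and the property (every a[i] must remain a valid index into a buffer of 2*N entries, a typical bounds check) are constructed for this example; the exact shape of the published transformation and the class of loops for which it is precise are as characterized in the paper, not here.

```c
#include <stdbool.h>
#include <stdio.h>

#define N 1000            /* array length; constructed for this example */
#define BUF_LEN (2 * N)   /* a[i] is later used to index a buffer of this size */

/* Original program: one loop fills the array, a second loop checks that every
 * element is a valid index into a BUF_LEN-entry buffer. A bounded model
 * checker has to unroll 2*N iterations and keep N array cells in its formula. */
bool original_property_holds(int base)
{
    int a[N];
    for (int i = 0; i < N; i++)
        a[i] = base + 2 * i;
    for (int i = 0; i < N; i++)
        if (!(a[i] < BUF_LEN))      /* property checked in every iteration */
            return false;
    return true;
}

/* Transformed program for one witness index k: the array is replaced by a
 * single scalar standing for a[k], and each loop is replaced by its body
 * executed once with i == k. No loop and no array remain. This is a sound
 * abstraction here because iteration i of the original touches only a[i],
 * so no other cell can influence the value of a[k]. */
bool transformed_property_holds(int base, int k)
{
    int a_k = base + 2 * k;    /* body of loop 1 at i == k */
    return a_k < BUF_LEN;      /* body of loop 2 at i == k */
}

/* A bounded model checker would leave k nondeterministic and search for a
 * violating value; exhaustive enumeration plays that role in this example. */
bool transformed_property_holds_all(int base)
{
    for (int k = 0; k < N; k++)
        if (!transformed_property_holds(base, k))
            return false;
    return true;
}

/* Smallest witness index at which the transformed program fails, or -1. */
int transformed_first_violation(int base)
{
    for (int k = 0; k < N; k++)
        if (!transformed_property_holds(base, k))
            return k;
    return -1;
}

int main(void)
{
    printf("base 0: original %d, transformed %d\n",
           original_property_holds(0), transformed_property_holds_all(0));
    printf("base 2: original %d, transformed %d, first violating k = %d\n",
           original_property_holds(2), transformed_property_holds_all(2),
           transformed_first_violation(2));
    return 0;
}
```

With base 0 both versions accept; with base 2 both reject, and the transformed version points at the single witness index k = N - 1 where a[k] reaches BUF_LEN. The example stays precise because each iteration reads and writes only its own cell; a loop body that also reads a[i - 1] would force the scalar encoding to over-approximate that neighbouring cell, which is the kind of case the abstract's precision characterization is about.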
Verifying Heap-Manipulating Programs with Unknown Procedure Calls
DOI 10.1007/978-3-642-16901-4_13. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6447 LNCS, pp. 171-18
Succinct Representations for Abstract Interpretation
Abstract interpretation techniques can be made more precise by distinguishing paths inside loops, at the expense of possibly exponential complexity. SMT-solving techniques and sparse representations of paths and sets of paths avoid this pitfall. We improve previously proposed techniques for guided static analysis and for the generation of disjunctive invariants by combining them with succinct representations of paths and symbolic representations of transitions based on static single assignment. Because the results of abstract interpretation with widening operators are non-monotonic, it is difficult to conclude that one abstraction is more precise than another from theoretical local precision results alone. We therefore conducted extensive comparisons between our new techniques and previous ones on a variety of open-source packages. Comment: Static Analysis Symposium (SAS), Deauville, France (2012).
Structurally Defined Conditional Data-Flow Static Analysis
Data flow analysis (DFA) is an important verification technique that computes the effect of data values propagating over program paths. While more precise than flow-insensitive analyses, such an analysis is time-consuming. This paper investigates the acceleration of DFA by structural decomposition of the underlying control flow graph. Specifically, we explore the cost and effectiveness of dividing program paths into subsets by partitioning path suffixes at conditional statements, applying a DFA to each subset, and then combining the resulting invariants. This yields a family of independent DFA problems that are solved in parallel and whose partial results each represent safe program invariants. Empirical evaluations reveal that, depending on the DFA type and its conditional implementation, the invariants for a large fraction of program points can be computed in less time than with traditional DFA. This work suggests a strategy for an "anytime DFA" algorithm: computing safe program invariants as the analysis proceeds.
Using Bounded Model Checking to Focus Fixpoint Iterations
Two classical sources of imprecision in static analysis by abstract interpretation are widening and merge operations. Merge operations can be done away with by distinguishing paths, as in trace partitioning, at the expense of enumerating an exponential number of paths. In this article, we describe how to avoid such systematic exploration by focusing on a single path at a time, designated by SMT-solving. Our method combines well with acceleration techniques, thus doing away with widenings as well in some cases. We illustrate it over the well-known domain of convex polyhedra.
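An added example, written by the editor and not taken from the article, of the two imprecision sources named above. It uses the interval domain rather than convex polyhedra so that the whole analyser fits in a few lines. The two analysed programs are constructed for this example: `if (c) x = 0; else x = 10; y = x + 1;` with the question whether y can equal 6, where the merge loses the answer and keeping the two paths apart recovers it, and `i = 0; while (i < 100) i++;`, where plain fixpoint iteration needs about a hundred rounds, widening reaches a fixpoint in two rounds but only proves i in [0, +inf], and one narrowing pass recovers [0, 100]. The widening and narrowing operators are the standard interval ones; function names are the editor's.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Interval abstract domain. lo > hi encodes bottom (unreachable). */
typedef struct { long lo, hi; } interval;
#define NEG_INF (LONG_MIN / 4)   /* headroom so +-1 never overflows */
#define POS_INF (LONG_MAX / 4)
static const interval BOTTOM = { 1, 0 };

static bool is_bottom(interval a) { return a.lo > a.hi; }
static bool same(interval a, interval b) { return a.lo == b.lo && a.hi == b.hi; }

static interval join(interval a, interval b)            /* least upper bound */
{
    if (is_bottom(a)) return b;
    if (is_bottom(b)) return a;
    interval r = { a.lo < b.lo ? a.lo : b.lo, a.hi > b.hi ? a.hi : b.hi };
    return r;
}
static interval meet(interval a, interval b)            /* greatest lower bound */
{
    interval r = { a.lo > b.lo ? a.lo : b.lo, a.hi < b.hi ? a.hi : b.hi };
    return r;
}
static interval add_const(interval a, long c)
{
    if (is_bottom(a)) return a;
    interval r = { a.lo + c, a.hi + c };
    return r;
}
/* Standard interval widening: a bound that moved is pushed to infinity. */
static interval widen(interval prev, interval cur)
{
    if (is_bottom(prev)) return cur;
    interval r = { cur.lo < prev.lo ? NEG_INF : prev.lo,
                   cur.hi > prev.hi ? POS_INF : prev.hi };
    return r;
}

/* Imprecision source 1, merge. Program: if (c) x = 0; else x = 10; y = x + 1;
 * Joining the branches gives x in [0,10], y in [1,11], which contains 6, so
 * the merged analysis cannot rule y == 6 out; keeping the paths apart can. */
bool merged_analysis_proves_y_not_6(void)
{
    interval x = join((interval){ 0, 0 }, (interval){ 10, 10 });
    interval y = add_const(x, 1);
    return !(y.lo <= 6 && 6 <= y.hi);
}
bool partitioned_analysis_proves_y_not_6(void)
{
    interval paths[2] = { { 0, 0 }, { 10, 10 } };   /* one disjunct per path */
    for (int p = 0; p < 2; p++) {
        interval y = add_const(paths[p], 1);
        if (y.lo <= 6 && 6 <= y.hi) return false;
    }
    return true;
}

/* Imprecision source 2, widening. Program: i = 0; while (i < 100) i++;
 * One step of the loop-head equation: the entry value joined with the back
 * edge (guard i < 100, then i + 1). */
static interval step(interval head)
{
    interval body = meet(head, (interval){ NEG_INF, 99 });
    return join((interval){ 0, 0 }, add_const(body, 1));
}

/* Loop-head invariant for i. Without widening the iterates climb [0,0], [0,1],
 * ... and stabilise after about 100 rounds. With widening the second round
 * jumps to [0,+inf]; an optional narrowing pass then descends to [0,100]. */
interval loop_head_invariant(bool use_widening, bool narrow, int *rounds)
{
    interval head = BOTTOM;
    int n = 0;
    for (;;) {
        interval next = step(head);
        if (use_widening) next = widen(head, next);
        n++;
        if (same(next, head)) break;
        head = next;
    }
    if (narrow) {
        for (;;) {
            interval next = meet(head, step(head));
            n++;
            if (same(next, head)) break;
            head = next;
        }
    }
    *rounds = n;
    return head;
}

int main(void)
{
    int r;
    interval inv = loop_head_invariant(true, true, &r);
    printf("merged proves y != 6: %d, partitioned: %d\n",
           merged_analysis_proves_y_not_6(), partitioned_analysis_proves_y_not_6());
    printf("loop head: i in [%ld,%ld] after %d rounds\n", inv.lo, inv.hi, r);
    return 0;
}
```

The partitioned analysis is exactly the exponential trade-off the abstract mentions: two paths here, but 2^n disjuncts for n independent conditionals, which is why the article selects one path at a time with an SMT solver instead of enumerating them.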
Multivariant Assertion-based Guidance in Abstract Interpretation
Approximations during program analysis are a necessary evil: they ensure essential properties such as soundness and termination of the analysis, but they also mean that useful results are not always produced. Automatic techniques have been studied to prevent precision loss, typically at the expense of larger resource consumption. In both cases (i.e., when the analysis produces inaccurate results and when resource consumption is too high), users need some means of providing information that guides the analysis and thus improves precision and/or performance. We present techniques for supporting, within an abstract interpretation framework, a rich set of assertions that can deal with multivariance/context-sensitivity and can handle different run-time semantics for those assertions that cannot be discharged at compile time. We show how the proposed approach can be applied both to improving precision and to accelerating analysis. We also provide some formal results on the effects of such assertions on the analysis results. Comment: Pre-proceedings paper presented at the 28th International Symposium on Logic-Based Program Synthesis and Transformation (LOPSTR 2018), Frankfurt am Main, Germany, 4-6 September 2018 (arXiv:1808.03326).
Logico-numerical max-strategy iteration
Strategy iteration methods are used for solving fixed point equations. They have been shown to improve precision in static analysis based on abstract interpretation with template abstract domains, e.g. intervals, octagons or template polyhedra. However, they are limited to numerical programs. In this paper, we propose a method for applying max-strategy iteration to logico-numerical programs, i.e. programs with both numerical and Boolean variables, without explicitly enumerating the Boolean state space. The method is optimal in the sense that it computes the least fixed point w.r.t. the abstract domain; in particular, it does not resort to widening. Moreover, we give experimental evidence of the efficiency and precision of the approach.
Relational Thread-Modular Abstract Interpretation Under Relaxed Memory Models
We address the verification of numeric properties in many-threaded concurrent programs under weakly consistent memory models, especially TSO. We build on previous work that proposed an abstract interpretation method for analysing these programs with relational domains. That method could not analyse more than two threads in a reasonable time. Our contribution here is to rely on a rely-guarantee framework with automatic inference of thread interferences to design a thread-modular analysis, and to describe relational abstractions of both thread states and interferences. We show how to adapt the usual procedure for computing interferences to the additional issues raised by weakly consistent memories. We demonstrate the precision and performance of our method on a few examples, using a prototype analyser that verifies safety properties such as mutual exclusion. We discuss how weak memory models affect the scalability results compared to a sequentially consistent setting.