An Abstract Interpretation-based Model of Tracing Just-In-Time Compilation

Tracing just-in-time compilation is a popular compilation technique for the efficient implementation of dynamic languages, which is commonly used for JavaScript, Python and PHP. We provide a formal model of tracing JIT compilation of programs using abstract interpretation. Hot path detection corresponds to an abstraction of the trace semantics of the program. The optimization phase corresponds to a transform of the original program that preserves its trace semantics up to an observation modeled by some abstraction. We provide a generic framework to express dynamic optimizations and prove them correct. We instantiate it to prove the correctness of dynamic type specialization and constant variable folding. We show that our framework is more general than the model of tracing compilation introduced by Guo and Palsberg [2011] based on operational bisimulations.Comment: To appear in ACM Transactions on Programming Languages and System

Clousot: Static Contract Checking with Abstract Interpretation

We present an overview of Clousot, our current tool to statically check CodeContracts. CodeContracts enable a compiler and language-independent specification of Contracts (precondition, postconditions and object invariants). Clousot checks every method in isolation using an assume/guarantee reasoning: For each method under analysis Clousot assumes its precondition and asserts the postcondition. For each invoked method, Clousot asserts its precondition and assumes the postcondition. Clousot also checks the absence of common runtime errors, such as null-pointer errors, buffer or array overruns, divisions by zero, as well as less common ones such as checked integer overflows or floating point precision mismatches in comparisons. At the core of Clousot there is an abstract interpretation engine which infers program facts. Facts are used to discharge the assertions. The use of abstract interpretation (vs usual weakest precondition-based checkers) has two main advantages: (i) the checker automatically infers loop invariants letting the user focus only on boundary specifications; (ii) the checker is deterministic in its behavior (which abstractly mimics the flow of the program) and it can be tuned for precision and cost. Clousot embodies other techniques, such as iterative domain refinement, goal-directed backward propagation, precondition and postcondition inference, and message prioritization

Precondition Inference from Intermittent Assertions and Application to Contracts on Collections

International audienceIn the context of program design by contracts, programmers often insert assertions in their code to be optionally checked at runtime, at least during the debugging phase. These assertions would better be given as a precondition of the method/procedure in which they appear. Potential errors would be discovered earlier and, more importantly, the precondition could be used in the context of separate static program analysis as part of the abstract semantics of the code. However in the case of collections (data structures such as arrays, lists, etc) checking both the precondition and the assertions at runtime appears superfluous and costly. So the precondition is often omitted since it is checked anyway at runtime by the assertions. It follows that the static analysis can be much less precise, a fact that can be difficult to understand since ''the precondition and assertions are equivalent'' (i.e. at runtime, up to the time at which warnings are produced, but not statically) e.g. for separate static analysis. We define precisely and formally the contract inference problem from intermittent assertions on scalar variables and elements of collections inserted in the code by the programmer. Our definition excludes no good run even when a non-deterministic choice (e.g. an interactive input) could lead to a bad one. We then introduce new abstract interpretation-based methods to automatically infer both the static contract precondition of a method/procedure and the code to check it at runtime on scalar and collection variables

Verification modulo versions: Towards usable verification

Abstract We introduce Verification Modulo Versions (VMV), a new static analysis technique for reducing the number of alarms reported by static verifiers while providing sound semantic guarantees. First, VMV extracts semantic environment conditions from a base program P. Environmental conditions can either be sufficient conditions (implying the safety of P) or necessary conditions (implied by the safety of P). Then, VMV instruments a new version of the program, P , with the inferred conditions. We prove that we can use (i) sufficient conditions to identify abstract regressions of P w.r.t. P; and (ii) necessary conditions to prove the relative correctness of P w.r.t. P. We show that the extraction of environmental conditions can be performed at a hierarchy of abstraction levels (history, state, or call conditions) with each subsequent level requiring a less sophisticated matching of the syntactic changes between P and P. Call conditions are particularly useful because they only require the syntactic matching of entry points and callee names across program versions. We have implemented VMV in a widely used static analysis and verification tool. We report our experience on two large code bases and demonstrate a substantial reduction in alarms while additionally providing relative correctness guarantees

Approximating Module Semantics with Constraints

In this paper we present a generic constraint domain for symbolic modular analysis. The idea is that the semantics of a module can be approximated by a set of relations symbolically linking the input, output and local variables. We show how this result is correct w.r.t. a trace semantics, and how it can be used to perform an (incremental) modular analysis. We claim that our construction generalizes existing modular analyses by showing how well-known modular analyses can be instantiated in our framework

Analyse statique modulaire des langages à objet.

We presented a framework for the modular analysis of object-oriented languages. We defined a liberal and generic trace semantics for class-bases object-oriented languages and we proved it sound and complete w.r.t. a trace semantics for object-oriented programs. We derived systematically the equations characterizing class invariants as an abstraction of the class concrete semantics. We dealt with the three main features of object-oriented languages: – inheritance, by considering the analysis of subclasses without accessing the parent's class source; – polymorphism, by studying an effective notion of behavioral subtyping; – encapsulation, by abstracting the interactions between an object and its context using regular expressions. The framework is very flexible and in particular we can distinguish three orthogonal axes for the analysis: – abstract domain: a class can be analyzed using either a generic abstract domain (Chapters 6 and 5) or a symbolic relational domain (Chapter 7) to obtain a more efficient analysis; – inheritance: a subclass can be analyzed either directly, by expanding the subclass relation, or indirectly, by using the parent's invariant (Chapters 8 and 9); – context: a class can be analyzed either aside from the instantiation context, so to obtain a result valid for all the contexts, or using an approximation of the context itself (Chapter 10). The future work will include the implementation and the study of the practical aspects of our results. In particular the interest will be the exploration of the orthogonal axes of the analysis. Furthermore, we plan to extend the results in order to cope with aspect-oriented languages [38], with concurrency and with temporal properties of objects.Dans la thèse nous présentons un cadre pour l'analyse statique de langages orientés objets qui tient compte des propriétés de modularité de ces langages. Il y a plusieurs défis à relever pour obtenir une analyse statique efficace de langages orientés objet. Tout d'abord, elle doit gérer les particularités de ces langages telles que l'héritage, le polymorphisme et la résolution de méthodes virtuelles. Deuxièmement, elle doit être modulaire. En fait, les programmes orientés objet typiques sont fait de plusieurs milliers de classes et une analyse monolithique du programmes complet peut être trop coûteuse pour être pratiquée. Troisièmement, la technologie orientée objet favorise la programmation par composants, en cela qu'un composant (une classe) est développée une fois pour toute et utilisée dans de nombreux contextes différents. Aussi, une analyse statique efficace doit pouvoir inférée des propriétés des composants valides pour toutes les instantiations possibles de contextes. Dans cette thèse, nous présentons une analyse qui relève les défis esquissés ci-dessus. En particulier, nous nous concentrons sur une analyse qui peut inférer des invariants de classe. Un invariant de classe est une propriété d'une classe valide pour chaque instanciation, avant et après l'exécution de n'importe quelle méthode de la classe. Notre analyse a plusieurs avantages. Elle est indépendante du langage, elle exploite la structure modulaire des langages orientés objet et elle gère les principales fonctionnalités de ces langages, à savoir l'héritage, le polymorphisme et l'encapsulation. Le cadre présenté dans cette thèse est très flexible. En particulier, il permet de régler finement l'analyse selon les trois axes orthogonaux suivants: - Domaine abstrait sous-jacent: une classe peut être analysée en utilisant soit un domaine abstrait générique soit un domaine abstrait symbolique de façon à obtenir une analyse plus efficace mais moins précise. - Gestion de l'héritage: une sous-classe peut être analysée soit directement, en expansant syntaxiquement la relation de sous-classe, soit indirectement, en utilisant l'invariant du parent afin d'éviter une explosion quadratique de la complexité. -Traitement des contextes d'instantiation: une classe peut être utilisée soit indépendamment du contexte, afin d'obtenir un résultat valable dans tous les contextes, soit en utilisant une approximation du contexte afin d'obtenir un résultat plus précis mais moins général

Class invariants as abstract interpretation of trace semantics

We present a generic framework for the automatic and modular inference of sound class invariants for class-based object-oriented languages. We define a trace-based semantics for classes which considers all possible orderings, with all possible arguments, of invocations of all the methods of a class. We prove a correspondence theorem between such a semantics and a generic, trace-based, semantics for complete object-oriented programs. We express state-based class invariants in a fixpoint form by considering an abstraction of the class semantics, and we show how class invariants can be automatically inferred exploiting a static analysis of the methods. Furthermore, we address the problem of inferring a subclass invariant without accessing to the parent code, but just to its invariant. © 2005 Published by Elsevier Ltd