Journal Staff

UPMAR

Scalable Logic Defined Static Analysis

Logic languages such as Datalog have been proposed as a method for specifying flexible and customisable static analysers. Using Datalog, various classes of static analyses can be expressed precisely and succinctly, requiring fewer lines of code than hand-crafted analysers. In this paradigm, a static analysis specification is encoded by a set of declarative logic rules and an o -the-shelf solver is used to compute the result of the static analysis. Unfortunately, when large-scale analyses are employed, Datalog-based tools currently fail to scale in comparison to hand-crafted static analysers. As a result, Datalog-based analysers have largely remained an academic curiosity, rather than industrially respectful tools. This thesis outlines our e orts in understanding the sources of performance limitations in Datalog-based tools. We propose a novel evaluation technique that is predicated on the fact that in the case of static analysis, the logical specification is a design time artefact and hence does not change during evaluation. Thus, instead of directly evaluating Datalog rules, our approach leverages partial evaluation to synthesise a specialised static analyser from these rules. This approach enables a novel indexing optimisations that automatically selects an optimal set of indexes to speedup and minimise memory usage in the Datalog computation. Lastly, we explore the case of more expressive logics, namely, constrained Horn clause and their use in proving the correctness of programs. We identify a bottleneck in various symbolic evaluation algorithms that centre around Craig interpolation. We propose a method of improving these evaluation algorithms by a proposing a method of guiding theorem provers to discover relevant interpolants with respect to the input logic specification. The culmination of our work is implemented in a general-purpose and highperformance tool called Souffl´e. We describe Souffl´e and evaluate its performance experimentally, showing significant improvement over alternative techniques and its scalability in real-world industrial use cases

Uniform Analysis for Communicating Timed Systems (Extended Technical Report)

Languages based on the theory of timed automata are a well established approach for modelling and analysing real-time systems, with many applications both in an industrial and academic context. Model checking for timed automata has been studied extensively during the last two decades; however, even now industrial-grade model checkers are available only for few timed automata dialects (in particular UPPAAL timed automata), exhibit limited scalability for systems with large discrete state space, and cannot handle parametrised systems, or systems with unboundedly many processes. Leveraging recent advances of general-purpose fixed-point engines, we present a flexible method for translating networks of timed automata to Horn constraints, which can then be solved via of-the-shelf solvers. The resulting analysis method is fully symbolic and applicable to systems with large or infinite discrete state space, can be extended to include various language features, for instance UPPAAL-style communication/broadcast channels and BIP-style interactions, and can analyse systems with infinite parallelism. Experiments with timed automata models demonstrate the feasibility of the method

Abstract Interpretation of Unstructured Imperative Languages on Unbounded Domains

In this thesis we present a novel program analysis technique that applies abstract interpretation to low-level intermediate languages with unbounded abstract domains. Unbounded abstract domains in program analysis occur in applications such as finding ranges of variables and its applications include elimination of assertions in programs, automatically deducing numerical stability, and array bounds checking. Unbounded abstract domains impose a major challenge in program analysis because it is difficult to ensure the termination of the analysis in the presence of program cycles. State-of-the-art methods propose a technique that relies on a structured composition of programs, e.g., they permit abstract interpretation with unbounded abstract domains for program languages that have while and if statements but do not have goto statements. This work demonstrates that unbounded abstract domains can be employed in program analysis for low-level intermediate languages commonly used in program language tools including compilers, integrated-development environments, and bug-checkers, where loops are implicit within the control flow graph. Our work combines methods of elimination-based data flow analysis with abstract interpretation. We have implemented the proposed framework in the LLVM compiler framework as a program analysis pass and have conducted experiments with a suite of test programs to show the feasibility of our approach

Applying Elimination-Based Algorithms to Abstract Interpretation

Unbounded abstract domains are used in static program analysis frameworks for representing ranges of variables, and their applications include elimination of assertions in programs, automatically deducing numerical stability, and eliminating array bounds checking. Unbounded abstract domains impose a major challenge in static program analysis because the termination of the analysis may not be guaranteed in the presence of program loops. To overcome the problem of termination, extrapolation techniques are applied to programs loops. State-of-the-art work proposes the use of cumbersome techniques to mark loop headers or relies on structurally composed programs, e.g., programs that consists of while and if statements but do not have goto statements. In this thesis we present a novel program analysis technique that applies abstract interpretation to low-level intermediate languages with unbounded abstract domains. Our work adapts methods of elimination-based data flow analysis to abstract interpretation. The proposed technique has several advantages over the state-of-the-art, most importantly, its ability to detect strongly connected components automatically. We have implemented a prototype of our proposed framework in the LLVM compiler infrastructure and have conducted experiments with a suite of test programs to show the viability of our approach

Abstract Interpretation of Unstructured Imperative Languages on Unbounded Domains

In this thesis we present a novel program analysis technique that applies abstract interpretation to low-level intermediate languages with unbounded abstract domains. Unbounded abstract domains in program analysis occur in applications such as finding ranges of variables and its applications include elimination of assertions in programs, automatically deducing numerical stability, and array bounds checking. Unbounded abstract domains impose a major challenge in program analysis because it is difficult to ensure the termination of the analysis in the presence of program cycles. State-of-the-art methods propose a technique that relies on a structured composition of programs, e.g., they permit abstract interpretation with unbounded abstract domains for program languages that have while and if statements but do not have goto statements. This work demonstrates that unbounded abstract domains can be employed in program analysis for low-level intermediate languages commonly used in program language tools including compilers, integrated-development environments, and bug-checkers, where loops are implicit within the control flow graph. Our work combines methods of elimination-based data flow analysis with abstract interpretation. We have implemented the proposed framework in the LLVM compiler framework as a program analysis pass and have conducted experiments with a suite of test programs to show the feasibility of our approach

Abstract Interpretation of Unstructured Imperative Languages on Unbounded Domains

In this thesis we present a novel program analysis technique that applies abstract interpretation to low-level intermediate languages with unbounded abstract domains. Unbounded abstract domains in program analysis occur in applications such as finding ranges of variables and its applications include elimination of assertions in programs, automatically deducing numerical stability, and array bounds checking. Unbounded abstract domains impose a major challenge in program analysis because it is difficult to ensure the termination of the analysis in the presence of program cycles. State-of-the-art methods propose a technique that relies on a structured composition of programs, e.g., they permit abstract interpretation with unbounded abstract domains for program languages that have while and if statements but do not have goto statements. This work demonstrates that unbounded abstract domains can be employed in program analysis for low-level intermediate languages commonly used in program language tools including compilers, integrated-development environments, and bug-checkers, where loops are implicit within the control flow graph. Our work combines methods of elimination-based data flow analysis with abstract interpretation. We have implemented the proposed framework in the LLVM compiler framework as a program analysis pass and have conducted experiments with a suite of test programs to show the feasibility of our approach

Guiding Craig interpolation with domain-specific abstractions

Craig interpolation is a standard method to construct and refine abstractions in model checking. To obtain abstractions that are suitable for the verification of software programs or hardware designs, model checkers rely on theorem provers to find the right interpolants, or interpolants containing the right predicates, in a generally infinite lattice of interpolants for any given interpolation problem. We present a semantic and solver-independent framework for systematically exploring interpolant lattices, based on the notion of interpolation abstraction. We discuss how interpolation abstractions can be constructed for a variety of logics, and how they can be applied in the context of software model checking.UPMAR