    Correctness Witness Validation by Abstract Interpretation

    Witnesses record automated program analysis results and make them exchangeable. To validate correctness witnesses through abstract interpretation, we introduce a novel abstract operation unassume. This operator incorporates witness invariants into the abstract program state. Given suitable invariants, the unassume operation can accelerate fixpoint convergence and yield more precise results. We demonstrate the feasibility of this approach by augmenting an abstract interpreter with unassume operators and evaluating the impact of incorporating witnesses on performance and precision. Using manually crafted witnesses, we can confirm verification results for multi-threaded programs with a reduction in effort ranging from 7% to 47% in CPU time. More intriguingly, we discover that using witnesses from model checkers can guide our analyzer to verify program properties that it could not verify on its own.

    Comment: 29 pages, 4 figures, 2 tables, extended version of the paper which is to appear at VMCAI 202

    Static Data Race Analysis of C Programs Manipulating Dynamic Memory

    Modern computer architectures are capable of carrying out many computations at the same time. Writing and testing programs for such systems is notoriously difficult because the interaction between concurrently executing threads is unpredictable. A particularly elusive flaw in shared-memory concurrent systems is the data race, a situation where multiple threads may simultaneously attempt to update the same memory location. This may result in data corruption and ultimately system malfunction.

    Static program analysis is an automated formal method, which computes an over-approximation of all possible run-time behaviours of a program by solving a system of data flow equations. This dissertation contends that static analysis can be used to verify the absence of data races in real-world systems, especially operating system modules like Linux device drivers. The challenge in developing static analyses for such code is that both data structures and the locks protecting the data are created at run-time. To face this problem, three novel techniques were developed: an abstract domain for equalities between address expressions, a region-based heap abstraction, and a shape domain suitable for low-level programs. We have implemented these techniques in the Goblint analyzer and used it to experimentally validate the contention that verification of race-freedom in real-world systems is possible by means of static analysis.