A static analyzer for large safety-critical software

Blanchet, Bruno; Cousot, Patrick; Cousot, Radhia; Feret, Jérôme; Mauborgne, Laurent; Miné, Antoine; Monniaux, David; Rival, Xavier

doi:10.1145/780822.781153

Cited by 219 publications

(212 citation statements)

References 35 publications

Supporting

Mentioning

208

Contrasting

Unclassified

Order By: Relevance

“…This technique, called "widening up to" in [40,41] and "widening with thresholds" in [12], consists in precomputing a set U of constraints that are likely to be invariants in a widening location (e.g., the negation of the exit condition of a "for" loop), and in keeping in P 1 ∇P 2 all the constraints in U which are satisfied by both P 1 and P 2 . In [40], the set U is computed, at a given widening point, as the set of all conditions that permit to come back to this control point, by propagating the exiting condition on the global loops.…”

Section: Limited Wideningmentioning

confidence: 99%

See 1 more Smart Citation

Abstract acceleration in linear relation analysis

Gonnord

Schrammel

2014

Science of Computer Programming

View full text Add to dashboard Cite

Linear Relation Analysis [28,39] is now a classical abstract interpretation based on an approximation of reachable numerical states of a program by convex polyhedra. Since it works with a lattice of infinite depth, it makes use of a widening operator to enforce the convergence of fixpoint computations. This paper takes place in the many attempts to improve the precision of the results reached using such a widening. It will first present an extended survey of the existing approaches in that direction. Then it will investigate the cases where the exact (abstract) effect of a loop can be computed. This technique is fully compatible with the use of widening, and whenever it applies, it generally improves both the precision and the performances of the analysis.

show abstract

Section: Limited Wideningmentioning

confidence: 99%

“…This delaying strategy was proposed in [40,12]. A variant is the loop unrolling technique used in [37,52].…”

Section: Widening Strategies 351 Delaying the Application Of The Wimentioning

confidence: 99%

Abstract acceleration in linear relation analysis

Gonnord

Schrammel

2014

Science of Computer Programming

View full text Add to dashboard Cite

show abstract

“…Moreover, narrowing alone is often not enough to obtain precise xpoints which has been illustrated in many papers that present improved widenings/narrowings [10,11,12,15,17]. All of these approaches require disruptive changes to the xpoint engine, for instance, tracking several abstract states [10,12], temporarily disabling parts of the CFG [11], performing a preanalysis with di erent semantics [13,15], collecting \landmarks" [17] or referring to user-supplied thresholds [5]. This paper shows that widening and its various re nements can be implemented without modifying an existing xpoint engine, thereby making numeric domains available to analyses that are oblivious to the…”

mentioning

confidence: 99%

“…The key idea of our approach is to implement abstract domains as co bered domains [18], an approach sometimes called \functor domains" [5]. Here, each domain h has a child g that it controls.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Widening as Abstract Domain

Mihaila

Sepp

Simon

2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Veri cation using static analysis often hinges on precise numeric invariants. Numeric domains of in nite height can infer these invariants, but require widening/narrowing which complicates the xpoint computation and is often too imprecise. As a consequence, several strategies have been proposed to prevent a precision loss during widening or to narrow in a smarter way. Most of these strategies are di cult to retro t into an existing analysis as they either require a pre-analysis, an on-they modi cation of the CFG, or modi cations to the xpoint algorithm. We propose to encode widening and its various re nements from the literature as co bered abstract domains that wrap standard numeric domains, thereby providing a modular way to add numeric analysis to any static analysis, that is, without modifying the xpoint engine. Since these domains cannot make any assumptions about the structure of the program, our approach is suitable to the analysis of executables, where the (potentially irreducible) CFG is re-constructed on-the-y. Moreover, our domain-based approach not only mirrors the precision of more intrusive approaches in the literature but also requires fewer iterations to nd a xpoint of loops than many heuristics that merely aim for precision.Adding numeric domains of in nite height to a static analysis requires that widening and/or narrowing is applied within each loop of the program to ensure termination [7]. Commonly, this is implemented by modifying the xpoint algorithm to perform upward and downward iterations while a pre-analysis determines necessary widening points. Firstly, downward iterations can be problematic since a widened state can induce a precision loss in other domains that cannot be reverted with the narrowed numeric state [17]. Secondly, determining a minimal set of widening points requires non-trivial algorithms for irreducible control ow graphs (CFGs) [6]. Worse, these algorithms cannot be applied in the context of analyzing machine code, as the CFG is re-constructed on-the-y while computing the xpoint [3]. Moreover, narrowing alone is often not enough to obtain precise xpoints which has been illustrated in many papers that present improved widenings/narrowings [10,11,12,15,17]. All of these approaches require disruptive changes to the xpoint engine, for instance, tracking several abstract states [10,12], temporarily disabling parts of the CFG [11], performing a preanalysis with di erent semantics [13,15], collecting \landmarks" [17] or referring to user-supplied thresholds [5]. This paper shows that widening and its various re nements can be implemented without modifying an existing xpoint engine, thereby making numeric domains available to analyses that are oblivious to the

show abstract

Exploiting array manipulation habits to optimize garbage collection and type flow analysis

Colnet

Sonntag

2014

Softw Pract Exp

View full text Add to dashboard Cite

A widespread practice to implement a flexible array is to consider the storage area into two parts: the used area, which is already available for read/write operations, and the supply area, which is used in case of enlargement of the array. The main purpose of the supply area is to avoid as much as possible the reallocation of the whole storage area in case of enlargement. As the supply area is not used by the application, the main idea of the paper is to convey the information to the garbage collector, making it possible to avoid completely the marking of the supply area. We also present a simple method to analyze the types of objects, which are stored in an array as well as the possible presence of NULL values within the array. This allows us to better specialize the work of the garbage collector when marking the used area, and also, by transitivity, to improve overall results for type analysis of all expressions of the source code. After introducing several abstract data types, which represent the main arrays concerned by our technique (i.e., zero or variable indexing, circular arrays and hash maps), we measure its impact during the bootstrap of two compilers whose libraries are equipped with these abstract data types. We then measure, on various software products we have not written, the frequency of certain habits of manipulation of arrays, to assess the validity of our approach. Copyright EXPLOITING ARRAY MANIPULATION HABITS 1641 Create(cap) The creation operation to be used in order to prepare a new empty array with a given capacity cap: assert (cap >= 0); capacity = cap; size = 0; storage = malloc(cap); Extend(obj) To extend by one the array on its right, writing obj in the new slot. In case of reallocation (i.e. when the supply area is empty), the capacity is increased twofold:if ( size >= capacity ) { capacity = capacity * 2; storage = realloc(storage, capacity); } storage[size] = obj; size = size + 1; Read(ind)This function returns the object stored at index ind assuming that the index is correct, that is, a valid index in the used area:Write(ind, obj) Change the value at index ind using obj for the replacement, assuming that the ind is a valid index in the used area: assert ((0 <= ind) && (ind < size)); storage[ind] = obj; order of statements. For instance, using all the reachable assignments in a variable, we compute all the possible types for that variable. The analysis is flow insensitive, that is, the order of reachable assignments does not matter. We consider on the whole the set of reachable assignments.Concerning instance variables, we do not discriminate between the different instances from the same class (Figure 2); the type information is identical for all instances of a given class. For a formal method argument, we use the set of reachable effective arguments, that is, all reachable calls. Classically, to obtain the set of dynamic types of a given method call, we consider all the methods EXPLOITING ARRAY MANIPULATION HABITS 1645 Note that it is not necessary to reset with NULL the cell that...

show abstract

A static analyzer for large safety-critical software

Cited by 219 publications

References 35 publications

Abstract acceleration in linear relation analysis

Abstract acceleration in linear relation analysis

Widening as Abstract Domain

Exploiting array manipulation habits to optimize garbage collection and type flow analysis

Contact Info

Product

Resources

About