Pushdown control-flow analysis for free

Gilray, Thomas; Lyde, Steven; Adams, Michael D.; Might, Matthew; Horn, David Van

doi:10.1145/2914770.2837631

Cited by 11 publications

(24 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our formulation of a pushdown abstract interpreter computes an abstraction similar to the many existing variants of pushdown flow analysis (Earl et al 2010;Earl et al 2012;Gilray et al 2016;Vardoulakis 2012;Vardoulakis and Shivers 2011).…”

Section: Figure 13: Address Collection and Propagationmentioning

confidence: 99%

Abstracting definitional interpreters (functional pearl)

Darais

Labich

Nguyen

et al. 2017

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

In this functional pearl, we examine the use of definitional interpreters as a basis for abstract interpretation of higher-order programming languages. As it turns out, definitional interpreters, especially those written in monadic style, can provide a nice basis for a wide variety of collecting semantics, abstract interpretations, symbolic executions, and their intermixings.But the real insight of this story is a replaying of an insight from Reynold's landmark paper, Definitional Interpreters for Higher-Order Programming Languages, in which he observes definitional interpreters enable the defined-language to inherit properties of the defining-language. We show the same holds true for definitional abstract interpreters. Remarkably, we observe that abstract definitional interpreters can inherit the so-called "pushdown control flow" property, wherein function calls and returns are precisely matched in the abstract semantics, simply by virtue of the function call mechanism of the defining-language.The first approaches to achieve this property for higher-order languages appeared within the last ten years, and have since been the subject of many papers. These approaches start from a state-machine semantics and uniformly involve significant technical engineering to recover the precision of pushdown control flow. In contrast, starting from a definitional interpreter, the pushdown control flow property is inherent in the metalanguage and requires no further technical mechanism to achieve.

show abstract

Section: Figure 13: Address Collection and Propagationmentioning

confidence: 99%

Abstracting definitional interpreters (functional pearl)

Darais

Labich

Nguyen

et al. 2017

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

show abstract

“…We also transform the evaluation contexts into explicit continuations, and store-allocate continuations at function boundaries and permit two continuations to become conflated at a single continuation address; this redefines each continuation to be a sequence of intraprocedural frames paired with a continuation address for the current invocation. Although the continuation allocator may also be adjusted arbitrarily, recent work has shown that in order to achieve precise call-and-return matching at no asymptotic cost to analysis complexity, the choice of continuation address should be fixed as (e, ρ) where e and ρ are the call target's control and environment respectively [Gilray et al 2016b]. The property we desire for path-sensitive contract verification is that the analysis should only approximate values at different iterations of the same loop, and provide exact execution otherwise.…”

Section: From Symbolic Execution To Verificationmentioning

confidence: 99%

Soft contract verification for higher-order stateful programs

Nguyen

Gilray

Tobin-Hochstadt

et al. 2017

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

Software contracts allow programmers to state rich program properties using the full expressive power of an object language. However, since they are enforced at runtime, monitoring contracts imposes significant overhead and delays error discovery. Soft contract verification aims to guarantee all or most of these properties ahead of time, enabling valuable optimizations and yielding a more general assurance of correctness. Existing methods for static contract verification satisfy the needs of more restricted target languages, but fail to address the challenges unique to those conjoining untyped, dynamic programming, higher-order functions, modularity, and statefulness. Our approach tackles all these features at once, in the context of the full Racket system-a mature environment for stateful, higher-order, multi-paradigm programming with or without types. Evaluating our method using a set of both pure and stateful benchmarks, we are able to verify 99.94% of checks statically (all but 28 of 49, 861).Stateful, higher-order functions pose significant challenges for static contract verification in particular. In the presence of these features, a modular analysis must permit code from the current module to escape permanently to an opaque context (unspecified code from outside the current module) that may be stateful and therefore store a reference to the escaped closure. Also, contracts themselves, being predicates written in unrestricted Racket, may exhibit stateful behavior; a sound approach must be robust to contracts which are arbitrarily expressive and interwoven with the code they monitor. In this paper, we present and evaluate our solution based on higher-order symbolic execution, explain the techniques we used to address such thorny issues, formalize a notion of behavioral approximation, and use it to provide a mechanized proof of soundness.

show abstract

“…What seems to be needed are increasingly nuanced, introspective, and adaptive forms of polyvariance which better suit their targets and the proper-ties we may wish to prove or discover for them. For example, a recent development shows that the polyvariance of continuations can be adapted in a way which guarantees perfect stack precision (i.e., perfect return flows [11,12,24,58]) at no asymptotic complexity overhead [16], a quite ideal trade-off between complexity and precision obtained through a subtle refinement of the polyvariance used. The direction of research in this area and the challenges of precisely modeling dynamic higher-order programming languages suggests an important development would be an easy way to adjust the polyvariance of a flow analysis (in theory and in practical implementations) that is both always safe and fully general.…”

Section: Allocator Instrumentationmentioning

confidence: 99%

Allocation characterizes polyvariance: a unified methodology for polyvariant control-flow analysis

Gilray

Adams

Might

2016

Proceedings of the 21st ACM SIGPLAN International Conference on Functional Programming

Self Cite

View full text Add to dashboard Cite

The polyvariance of a static analysis is the degree to which it structurally differentiates approximations of program values. Polyvariant techniques come in a number of different flavors that represent alternative heuristics for managing the trade-off an analysis strikes between precision and complexity. For example, call sensitivity supposes that values will tend to correlate with recent call sites, object sensitivity supposes that values will correlate with the allocation points of related objects, the Cartesian product algorithm supposes correlations between the values of arguments to the same function, and so forth. In this paper, we describe a unified methodology for implementing and understanding polyvariance in a higher-order setting (i.e., for control-flow analyses). We do this by extending the method of abstracting abstract machines (AAM), a systematic approach to producing an abstract interpretation of abstract-machine semantics. AAM eliminates recursion within a language's semantics by passing around an explicit store, and thus places importance on the strategy an analysis uses for allocating abstract addresses within the abstract heap or store. We build on AAM by showing that the design space of possible abstract allocators exactly and uniquely corresponds to the design space of polyvariant strategies. This allows us to both unify and generalize polyvariance as tunings of a single function. Changes to the behavior of this function easily recapitulate classic styles of analysis and produce novel variations, combinations of techniques, and fundamentally new techniques.

show abstract

Pushdown control-flow analysis for free

Cited by 11 publications

References 13 publications

Abstracting definitional interpreters (functional pearl)

Abstracting definitional interpreters (functional pearl)

Soft contract verification for higher-order stateful programs

Allocation characterizes polyvariance: a unified methodology for polyvariant control-flow analysis

Contact Info

Product

Resources

About