Algebraic Program Analysis
|
|
- Ambrose Allen
- 5 years ago
- Views:
Transcription
1 Introduction to Algebraic Program Analysis Zachary Kincaid 1 Thomas Reps 2,3 1 Princeton University 2 University of Wisconsin-Madison 3 GrammaTech, Inc. January 8,
2 Program analysis Design algorithms to answer questions about the dynamic behavior of software Correctness Is a program correct w.r.t. some specification? Security Can a program over-read a buffer? Performance How much memory will a program consume? 2
3 Algebraic program analysis A framework for designing program analyses based on algebra. Semantic algebra = space of program properties + composition operators Sequencing: Choice: Iteration: 3
4 Why algebraic program analysis? Compositional Incremental analysis Easy to parallelize Opens the door for new ways to compute loop invariants Abstractions of loops are computed from abstractions of loop bodies 4
5 Why algebraic program analysis? Compositional Incremental analysis Easy to parallelize Opens the door for new ways to compute loop invariants Abstractions of loops are computed from abstractions of loop bodies Why not algebraic program analysis? Loss of contextual information 4
6 Outline Background Iterative program analysis Abstract interpretation Intraprocedural analysis Overview Path expressions Compositional Recurrence Analysis Proving soundness Interprocedural analysis Functional approach Newtonian program analysis Newtonian program analysis via tensor product Newtonian program analysis and Gauss-Jordan elimination 5
7 Outline Background Iterative program analysis Abstract interpretation Intraprocedural analysis Overview Path expressions Compositional Recurrence Analysis Proving soundness break Interprocedural analysis Functional approach Newtonian program analysis Newtonian program analysis via tensor product Newtonian program analysis and Gauss-Jordan elimination 5
8 x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2
9 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 x
10 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 Error states x
11 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 x Reachable states
12 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 x Computable invariant
13 y x = 2; y = 1 while(y!= 0): y = rand() mod x x = x + 2 x False alarm
14 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Initial states 7
15 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Initial states 7 (May) reach in 1 step
16 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Initial states 7 (May) reach in 2 steps
17 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Initial states 7 (May) reach in k steps
18 Iterative program analysis Repeatedly evaluate the program under an abstract semantics until convergence upon a property that over-approximates all reachable states. SLAM, Astrée,... Error states Initial states buffer overflow null pointer deref divide by zero... 7
19 Program model Control flow graph G = Loc, Edge, root Loc: set of control locations Edge: set of instruction-labeled edges root: root (entry location) while(n 1){ if(n % 2 == 0) n := n/2; else n := 3*n+1; i := i+1; } [n = 1] [n 1] [n % 2 = 0] [n % 2 0] i := i + 1 n := n/2 n := 3*n + 1 8
20 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 [i n] i := i + 1 [i < n] 9
21 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i [, ] n [, ] i := 0 n := 100 [i n] i := i + 1 [i < n] 9
22 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i [0, 0] n [, ] i := 0 n := 100 [i n] i := i + 1 [i < n] 9
23 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 i [0, 0] n [100, 100] n := 100 [i n] i := i + 1 [i < n] 9
24 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 i [0, 0] n [100, 100] n := 100 [i n] i := i + 1 i [0, 0] n [100, 100] [i < n] 9
25 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 i [0, 0] n [100, 100] n := 100 [i n] i [1, 1] n [100, 100] i := i + 1 [i < n] 9
26 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 1] n [100, 100] [i n] i := i + 1 [i < n] 9
27 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 2] n [100, 100] [i n] i := i + 1 [i < n] 9
28 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 100] n [100, 100] [i n] i := i + 1 [i < n] 9
29 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 100] n [100, 100] [i n] i := i + 1 i [0, 99] n [100, 100] [i < n] 9
30 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 100] n [100, 100] i [1, 100] n [100, 100] i := i + 1 [i n] [i < n] 9
31 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 n := 100 i [0, 100] n [100, 100] [i n] i := i + 1 [i < n] 9
32 Example: interval analysis Interval {}}{ Property Var (Z { }) (Z { }) }{{} Interval store i := 0 i [100, n := 100] 100 n [100, 100] [i n] i := i + 1 [i < n] 9
33 Approximating a loop Ascending sequence of properties {}}{ p 1 p 2 p 2... Approximate limit w/ a widening operator ˆp 1 = p 1 ˆp i+1 = p i p i+1 10
34 Designing an iterative analysis 1 Define: Abstract domain L = L,,,, L: space of program properties L L: approximation order : L L L: join (least upper bound) operator : L L L widening (extrapolation) operator Property transformer: L : Edge (L L) maps each command to a monotone function on L 11
35 Designing an iterative analysis 1 Define: Abstract domain L = L,,,, L: space of program properties L L: approximation order : L L L: join (least upper bound) operator : L L L widening (extrapolation) operator Property transformer: L : Edge (L L) maps each command to a monotone function on L 2 Apply: chaotic iteration algorithm Computes a map inv : Loc L that is closed under the abstract semantics: (u, v) Edge.L (u, v) (inv(u)) inv(v) 11
36 Outline Background Iterative program analysis Abstract interpretation Intraprocedural analysis Overview Path expressions Compositional Recurrence Analysis Proving soundness Interprocedural analysis Functional approach Newtonian program analysis Newtonian program analysis via tensor product Newtonian program analysis and Gauss-Jordan elimination 12
37 Proving soundness [Cousot & Cousot 77] 1 Define: Concrete semantics C 2 Store,,,, C e (S) {s : s S.s e s } Concretization function γ : L 2 Store maps properties to set of stores that satisfy it { } [x 0; y 2], [x 0; y 3], γ([x [0, 1]; y [2, 3]]) = [x 1; y 2], [x 1; y 3]
38 Proving soundness [Cousot & Cousot 77] 1 Define: Concrete semantics C 2 Store,,,, C e (S) {s : s S.s e s } Concretization function γ : L 2 Store maps properties to set of stores that satisfy it { [x 0; y 2], [x 0; y 3], γ([x [0, 1]; y [2, 3]]) = [x 1; y 2], [x 1; y 3] } 2 Prove transformer simulation: for all properties p, edges e: C e (γ(p)) γ(l e (p))
39 Proving soundness [Cousot & Cousot 77] 1 Define: Concrete semantics C 2 Store,,,, C e (S) {s : s S.s e s } Concretization function γ : L 2 Store maps properties to set of stores that satisfy it { [x 0; y 2], [x 0; y 3], γ([x [0, 1]; y [2, 3]]) = [x 1; y 2], [x 1; y 3] } 2 Prove transformer simulation: for all properties p, edges e: C e (γ(p)) γ(l e (p)) 3 Apply fixpoint transfer: Chaotic iteration algorithm computes a map inv : Loc L such that Stores reachable at v γ(inv(v))
Sendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationLecture 6. Abstract Interpretation
Lecture 6. Abstract Interpretation Wei Le 2014.10 Outline Motivation History What it is: an intuitive understanding An example Steps of abstract interpretation Galois connection Narrowing and Widening
More informationA Gentle Introduction to Program Analysis
A Gentle Introduction to Program Analysis Işıl Dillig University of Texas, Austin January 21, 2014 Programming Languages Mentoring Workshop 1 / 24 What is Program Analysis? Very broad topic, but generally
More informationStatic Analysis by A. I. of Embedded Critical Software
Static Analysis by Abstract Interpretation of Embedded Critical Software Julien Bertrane ENS, Julien.bertrane@ens.fr Patrick Cousot ENS & CIMS, Patrick.Cousot@ens.fr Radhia Cousot CNRS & ENS, Radhia.Cousot@ens.fr
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationStatic Analysis. Systems and Internet Infrastructure Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Trent
More informationStructuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C
Structuring an Abstract Interpreter through Value and State Abstractions: EVA, an Evolved Value Analysis for Frama C David Bühler CEA LIST, Software Safety Lab Frama-C & SPARK Day 2017 May 30th, 2017 David
More informationThe Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS
The Apron Library Bertrand Jeannet and Antoine Miné INRIA, CNRS/ENS CAV 09 conference 02/07/2009 Context : Static Analysis What is it about? Discover properties of a program statically and automatically.
More informationCertified Memory Usage Analysis
Certified Memory Usage Analysis David Cachera, Thomas Jensen, David Pichardie, Gerardo Schneider IRISA, ENS Cachan Bretagne, France Context Embedded devices (smart cards, mobile phones) memory is limited
More informationProgram Analysis and Verification
Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 12: Interprocedural Analysis + Numerical Analysis Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav 1 Procedural program void main()
More informationFlow Analysis. Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program
More informationInterval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships
Interval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships Liqian Chen 1,2 Antoine Miné 3,2 Ji Wang 1 Patrick Cousot 2,4 1 National Lab. for Parallel and Distributed Processing, Changsha,
More informationBuilding a specialized static analyzer
Building a specialized static analyzer The Astrée experience Antoine Miné CNRS, École Normale Supérieure Security and Reliability of Software Systems 12 December 2008 Antoine Miné Building a specialized
More informationStatic Program Analysis CS701
Static Program Analysis CS701 Thomas Reps [Based on notes taken by Aditya Venkataraman on Oct 6th, 2015] Abstract This lecture introduces the area of static program analysis. We introduce the topics to
More informationVerification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control
Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control Zachary Kincaid Azadeh Farzan University of Toronto January 18, 2013 Z. Kincaid (U. Toronto) Modular Reasoning
More informationDuet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationA New Abstraction Framework for Affine Transformers
A New Abstraction Framework for Affine Transformers Tushar Sharma and Thomas Reps SAS 17 Motivations Prove Program Assertions Function and loop summaries Sound with respect to bitvectors A NEW ABSTRACTION
More informationRelational Abstract Domains for the Detection of Floating-Point Run-Time Errors
ESOP 2004 Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors Antoine Miné École Normale Supérieure Paris FRANCE This work was partially supported by the ASTRÉE RNTL project
More informationWidening Operator. Fixpoint Approximation with Widening. A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (y) v (x y)
EXPERIENCE AN INTRODUCTION WITH THE DESIGN TOF A SPECIAL PURPOSE STATIC ANALYZER ABSTRACT INTERPRETATION P. Cousot Patrick.Cousot@ens.fr http://www.di.ens.fr/~cousot Biarritz IFIP-WG 2.3 2.4 meeting (1)
More informationStatic Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security
Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2014 Outline Overview Syntactic Analysis Abstract
More informationVerasco: a Formally Verified C Static Analyzer
Verasco: a Formally Verified C Static Analyzer Jacques-Henri Jourdan Joint work with: Vincent Laporte, Sandrine Blazy, Xavier Leroy, David Pichardie,... June 13, 2017, Montpellier GdR GPL thesis prize
More informationIterative Program Analysis Abstract Interpretation
Iterative Program Analysis Abstract Interpretation Summary by Ben Riva & Ofri Ziv Soundness Theorem Theorem: If a computation fixed-point is sound, then its least-fixed-point is sound. More precisely,
More informationAbstract Interpretation of Floating-Point. Computations. Interaction, CEA-LIST/X/CNRS. February 20, Presentation at the University of Verona
1 Laboratory for ModElling and Analysis of Systems in Interaction, Laboratory for ModElling and Analysis of Systems in Interaction, Presentation at the University of Verona February 20, 2007 2 Outline
More informationApplications of Program analysis in Model-Based Design
Applications of Program analysis in Model-Based Design Prahlad Sampath (Prahlad.Sampath@mathworks.com) 2018 by The MathWorks, Inc., MATLAB, Simulink, Stateflow, are registered trademarks of The MathWorks,
More informationCS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014
CS 6110 S14 Lecture 38 Abstract Interpretation 30 April 2014 1 Introduction to Abstract Interpretation At this point in the course, we have looked at several aspects of programming languages: operational
More informationThe Apron Library. Antoine Miné. CEA Seminar December the 10th, CNRS, École normale supérieure
Antoine Miné CNRS, École normale supérieure CEA Seminar December the 10th, 2007 CEA December the 10th, 2007 Antoine Miné p. 1 / 64 Outline Introduction Introduction Main goals Theoretical background The
More informationAn Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland
An Introduction to Heap Analysis Pietro Ferrara Chair of Programming Methodology ETH Zurich, Switzerland Analisi e Verifica di Programmi Universita Ca Foscari, Venice, Italy Outline 1. Recall of numerical
More informationSelective Context-Sensitivity Guided by Impact Pre-Analysis
Selective Context-Sensitivity Guided by Impact Pre-Analysis Hakjoo Oh 1 Wonchan Lee 1 Kihong Heo 1 Hongseok Yang 2 Kwangkeun Yi 1 Seoul National University 1, University of Oxford 2 Abstract We present
More informationProgram Static Analysis. Overview
Program Static Analysis Overview Program static analysis Abstract interpretation Data flow analysis Intra-procedural Inter-procedural 2 1 What is static analysis? The analysis to understand computer software
More informationStatic Analysis and Verification of Aerospace Software by Abstract Interpretation
Static Analysis and Verification of Aerospace Software by Abstract Interpretation Julien Bertrane École normale supérieure, Paris Patrick Cousot, Courant Institute of Mathematical Sciences, NYU, New York
More informationEmbedded Software Verification Challenges and Solutions. Static Program Analysis
Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang chaowang@nec-labs.com NEC Labs America Princeton, NJ ICCAD Tutorial November 11, 2008 www.nec-labs.com 1 Outline
More information4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?
Overview Program Static Analysis Program static analysis Abstract interpretation Static analysis techniques 2 What is static analysis? The analysis to understand computer software without executing programs
More informationState of Practice. Automatic Verification of Embedded Control Software with ASTRÉE and beyond
Automatic Verification of Embedded Control Software with ASTRÉE and beyond Patrick Cousot Jerome C. Hunsaker Visiting Professor Department of Aeronautics and Astronautics, MIT cousot mit edu www.mit.edu/~cousot
More informationAbstract Interpretation of Floating-Point Computations
Abstract Interpretation of Floating-Point Computations Sylvie Putot Laboratory for ModElling and Analysis of Systems in Interaction, CEA-LIST/X/CNRS Session: Static Analysis for Safety and Performance
More informationTVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*
TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS* Tal Lev-Ami, Roman Manevich, and Mooly Sagiv Tel Aviv University {tla@trivnet.com, {rumster,msagiv}@post.tau.ac.il} Abstract TVLA (Three-Valued-Logic
More informationTowards an industrial use of FLUCTUAT on safety-critical avionics software
Towards an industrial use of FLUCTUAT on safety-critical avionics software David Delmas 1, Eric Goubault 2, Sylvie Putot 2, Jean Souyris 1, Karim Tekkal 3 and Franck Védrine 2 1. Airbus Operations S.A.S.,
More informationC Source Code Analysis for Memory Safety
C Source Code Analysis for Memory Safety Sound Static Analysis for Security Workshop NIST, June 26-27 Henny Sipma Kestrel Technology Kestrel Technology Founded: Location: Core activity: Languages supported:
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ws-1617/spa/ Schedule of Lectures Jan 17/19: Interprocedural DFA
More informationStatic Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU
Static Analysis methods and tools An industrial study Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU Outline Why static analysis What is it Underlying technology Some tools (Coverity, KlocWork,
More informationSimplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University
Simplifying Loop Invariant Generation Using Splitter Predicates Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Loops and Loop Invariants Loop Head x = 0; while( x
More informationFormal Systems II: Applications
Formal Systems II: Applications Functional Verification of Java Programs: Java Dynamic Logic Bernhard Beckert Mattias Ulbrich SS 2017 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State
More informationLoop Bound Analysis based on a Combination of Program Slicing, Abstract Interpretation, and Invariant Analysis
Loop Bound Analysis based on a Combination of Program Slicing, Abstract Interpretation, and Invariant Analysis Andreas Ermedahl, Christer Sandberg, Jan Gustafsson, Stefan Bygde, and Björn Lisper Department
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationResource Usage Analysis and its Application to Resource Certification (Part I)
Resource Usage Analysis and its Application to Resource Certification (Part I) Germán Puebla 1 joint work with Elvira Albert 2, Puri Arenas 2, Samir Genaim 2, and Damiano Zanardini 1 1 Technical University
More informationWhy does ASTRÉE scale up?
Form Methods Syst Des (2009) 35: 229 264 DOI 10.1007/s10703-009-0089-6 Why does ASTRÉE scale up? Patrick Cousot Radhia Cousot Jérôme Feret Laurent Mauborgne Antoine Miné Xavier Rival Published online:
More informationNumerical static analysis with Soot
Numerical static analysis with Soot Gianluca Amato Università G. d Annunzio di Chieti Pescara ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis SOAP 2013 (joint work with
More informationBackward Analysis via Over-Approximate Abstraction and Under-Approximate Subtraction
Backward Analysis via Over-Approximate Abstraction and Under-Approximate Subtraction Alexey Bakhirkin 1 Josh Berdine 2 Nir Piterman 1 1 University of Leicester, Department of Computer Science 2 Microsoft
More informationTime Stamps for Fixed-Point Approximation
URL: http://www.elsevier.nl/locate/entcs/volume45.html 12 pages Time Stamps for Fixed-Point Approximation Daniel Damian BRICS 1 Department of Computer Science, University of Aarhus Building 540, Ny Munkegade,
More informationFast Algorithms for Octagon Abstract Domain
Research Collection Master Thesis Fast Algorithms for Octagon Abstract Domain Author(s): Singh, Gagandeep Publication Date: 2014 Permanent Link: https://doi.org/10.3929/ethz-a-010154448 Rights / License:
More informationSelectively Sensitive Static Analysis by Impact Pre-analysis and Machine Learning 2017 년 8 월 허기홍
공학박사학위논문 예비분석과기계학습을이용하여선별적으로정확하게정적분석을하는방법 Selectively Sensitive Static Analysis by Impact Pre-analysis and Machine Learning 2017 년 8 월 서울대학교대학원 컴퓨터공학부 허기홍 예비분석과 기계학습을 이용하여 선별적으로 정확하게 정적분석을 하는 방법 지도교수 이
More informationChapter 1 Introduction
Chapter 1 Course INF5906 / autum 2017 Chapter 1 Learning Targets of Chapter. Apart from a motivational introduction, the chapter gives a high-level overview over larger topics covered in the lecture. They
More informationPierce Ch. 3, 8, 11, 15. Type Systems
Pierce Ch. 3, 8, 11, 15 Type Systems Goals Define the simple language of expressions A small subset of Lisp, with minor modifications Define the type system of this language Mathematical definition using
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-18/spa/ Preliminaries Outline of Lecture 1 Preliminaries Introduction
More informationAbstract Semantic Differencing for Numerical Programs
Abstract Semantic Differencing for Numerical Programs Nimrod Partush Eran Yahav Technion, Israel Semantic differencing Characterize semantic difference between similar programs 2 Motivating example 1.
More informationSymbolic Methods to Enhance the Precision of Numerical Abstract Domains
Symbolic Methods to Enhance the Precision of Numerical Abstract Domains Antoine Miné École Normale Supérieure, Paris, France, mine@di.ens.fr, http://www.di.ens.fr/ mine Abstract We present lightweight
More informationPrinciples of Program Analysis. Lecture 1 Harry Xu Spring 2013
Principles of Program Analysis Lecture 1 Harry Xu Spring 2013 An Imperfect World Software has bugs The northeast blackout of 2003, affected 10 million people in Ontario and 45 million in eight U.S. states
More informationInterprocedurally Analysing Linear Inequality Relations
Interprocedurally Analysing Linear Inequality Relations Helmut Seidl, Andrea Flexeder and Michael Petter Technische Universität München, Boltzmannstrasse 3, 85748 Garching, Germany, {seidl, flexeder, petter}@cs.tum.edu,
More informationModular and Verified Automatic Program Repairs
Modular and Verified Automatic Program Repairs from Francesco Logozzo and Thomas Ball at Microsoft Research, Redmond presenter name(s) removed for FERPA considerations Introduction Your programs will have
More informationStatic Program Analysis
Static Program Analysis Lecture 1: Introduction to Program Analysis Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de http://moves.rwth-aachen.de/teaching/ws-1415/spa/
More informationFunctor abstract domain by example
A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Scalability Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco Logozzo, MSR Precision // here:
More informationThe Verification Grand Challenge and Abstract Interpretation
The Verification Grand Challenge and Abstract Interpretation Patrick Cousot École normale supérieure, 45 rue d Ulm 75230 Paris cedex 05, France Patrick.Cousot ens fr Visiting the Aeronautics and Astronautics
More informationCS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012
CS-XXX: Graduate Programming Languages Lecture 9 Simply Typed Lambda Calculus Dan Grossman 2012 Types Major new topic worthy of several lectures: Type systems Continue to use (CBV) Lambda Caluclus as our
More informationToday s class. Roots of equation Finish up incremental search Open methods. Numerical Methods, Fall 2011 Lecture 5. Prof. Jinbo Bi CSE, UConn
Today s class Roots of equation Finish up incremental search Open methods 1 False Position Method Although the interval [a,b] where the root becomes iteratively closer with the false position method, unlike
More informationChange- and Precision-sensitive Widening for BDD-based Integer Sets
Bachelor hesis elix Lublow Change- and Precision-sensitive Widening for BDD-based Integer Sets October 06, 2016 supervised by: Prof. Dr. Sibylle Schupp Sven Mattsen Hamburg University of echnology (UHH)
More informationThe ASTRÉE Analyzer Patrick Cousot 2, Radhia Cousot 1,3, Jerôme Feret 2, Laurent Mauborgne 2, Antoine Miné 2, David Monniaux 1,2, and Xavier Rival 2 1 CNRS 2 École Normale Supérieure, Paris, France Firstname.Lastname@ens.fr
More informationHierarchical Shape Abstraction of Dynamic Structures in Static Blocks
Hierarchical Shape Abstraction of Dynamic Structures in Static Blocks Pascal Sotin and Xavier Rival INRIA 4 novembre 2013 P. Sotin, X. Rival (INRIA) Hierarchical Shape Abstraction 4 novembre 2013 1 / 29
More informationA Note on Karr s Algorithm
A Note on Karr s Algorithm Markus Müller-Olm ½ and Helmut Seidl ¾ ½ FernUniversität Hagen, FB Informatik, LG PI 5, Universitätsstr. 1, 58097 Hagen, Germany mmo@ls5.informatik.uni-dortmund.de ¾ TU München,
More informationait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS
ait: WORST-CASE EXECUTION TIME PREDICTION BY STATIC PROGRAM ANALYSIS Christian Ferdinand and Reinhold Heckmann AbsInt Angewandte Informatik GmbH, Stuhlsatzenhausweg 69, D-66123 Saarbrucken, Germany info@absint.com
More informationStatic and dynamic analysis: synergy and duality
Static and dynamic analysis: synergy and duality Michael Ernst MIT Computer Science & Artificial Intelligence Lab http://pag.csail.mit.edu/~mernst/ PASTE June 7, 2004 Michael Ernst, page 1 Goals Theme:
More informationCompiler Construction 2010/2011 Loop Optimizations
Compiler Construction 2010/2011 Loop Optimizations Peter Thiemann January 25, 2011 Outline 1 Loop Optimizations 2 Dominators 3 Loop-Invariant Computations 4 Induction Variables 5 Array-Bounds Checks 6
More informationStatic Analysis of List-Manipulating Programs via Bit-Vectors and Numerical Abstractions
Static Analysis of List-Manipulating Programs via Bit-Vectors and Numerical Abstractions Liqian Chen 1,2 Renjian Li 1 Xueguang Wu 1 Ji Wang 1 1 National University of Defense Technology, Changsha, China
More informationReference Counting. Reference counting: a way to know whether a record has other users
Garbage Collection Today: various garbage collection strategies; basic ideas: Allocate until we run out of space; then try to free stuff Invariant: only the PL implementation (runtime system) knows about
More information6. The Bounded Re-transmission Protocol. Jean-Raymond Abrial
6. The Bounded Re-transmission Protocol Jean-Raymond Abrial 2009 Purpose of this Lecture 1 - The Bounded Re-transmission Protocol is a file transfer protocol - This is a problem dealing with fault tolerance
More informationCompiler Construction 2009/2010 SSA Static Single Assignment Form
Compiler Construction 2009/2010 SSA Static Single Assignment Form Peter Thiemann March 15, 2010 Outline 1 Static Single-Assignment Form 2 Converting to SSA Form 3 Optimization Algorithms Using SSA 4 Dependencies
More informationVerifying the Safety of Security-Critical Applications
Verifying the Safety of Security-Critical Applications Thomas Dillig Stanford University Thomas Dillig 1 of 31 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig
More informationSemantics and Validation Lecture 1. Informal Introduction
Semantics and Validation Lecture 1. Informal Introduction Laboratoire Modélisation et Analyse de Systèmes en Interaction, CEA-LIST and Ecole Polytechnique Eric Goubault and Sylvie Putot November 26, 2013
More informationA classic tool: slicing. CSE503: Software Engineering. Slicing, dicing, chopping. Basic ideas. Weiser s approach. Example
A classic tool: slicing CSE503: Software Engineering David Notkin University of Washington Computer Science & Engineering Spring 2006 Of interest by itself And for the underlying representations Originally,
More informationA Formally-Verified C Static Analyzer
A Formally-Verified C Static Analyzer Jacques-Henri Jourdan Inria Paris-Rocquencourt jacques-henri.jourdan@inria.fr Vincent Laporte IRISA and U. Rennes 1 vincent.laporte@irisa.fr Sandrine Blazy IRISA and
More informationDay06 A. Young W. Lim Mon. Young W. Lim Day06 A Mon 1 / 16
Day06 A Young W. Lim 2017-09-18 Mon Young W. Lim Day06 A 2017-09-18 Mon 1 / 16 Outline 1 Based on 2 Introduction C Program Control Young W. Lim Day06 A 2017-09-18 Mon 2 / 16 Based on "C How to Program",
More informationStatic Analysis Basics II
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Basics
More informationFormal verification of a static analyzer based on abstract interpretation
Formal verification of a static analyzer based on abstract interpretation Sandrine Blazy joint work with J.-H. Jourdan, V. Laporte, A. Maroneze, X. Leroy, D. Pichardie IFIP WG 1.9/2.15, 2014-07-14 1 Background:
More informationImproving Pushdown System Model Checking
Improving Pushdown System Model Checking Akash Lal and Thomas Reps University of Wisconsin, Madison, Wisconsin 53706 {akash, reps}@cs.wisc.edu Abstract. In this paper, we reduce pushdown system (PDS) model
More informationFormal Semantics of Programming Languages
Formal Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html Benefits of formal
More informationA Static Analyzer for Large Safety-Critical Software
A Static Analyzer for Large Safety-Critical Software (Extended Abstract) Bruno Blanchet Patrick Cousot Radhia Cousot Jérôme Feret Laurent Mauborgne Antoine Miné David Monniaux Xavier Rival ABSTRACT We
More informationStatic Analysis with Goanna
Static Analysis with Goanna Model checking for large code bases Ansgar Fehnker About Us R&D spin-out redlizards.com 5 years technology research Funded and backed by NICTA 1 Mistakes are made Even good
More informationInterprocedural Analysis. CS252r Fall 2015
Interprocedural Analysis CS252r Fall 2015 Procedures So far looked at intraprocedural analysis: analyzing a single procedure Interprocedural analysis uses calling relationships among procedures Enables
More informationStatic Program Analysis Part 9 pointer analysis. Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University
Static Program Analysis Part 9 pointer analysis Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Agenda Introduction to points-to analysis Andersen s analysis Steensgaards s
More informationData-Flow Based Detection of Loop Bounds
Data-Flow Based Detection of Loop Bounds Christoph Cullmann and Florian Martin AbsInt Angewandte Informatik GmbH Science Park 1, D-66123 Saarbrücken, Germany cullmann,florian@absint.com, http://www.absint.com
More informationStatic Analysis and Dataflow Analysis
Static Analysis and Dataflow Analysis Static Analysis Static analyses consider all possible behaviors of a program without running it. 2 Static Analysis Static analyses consider all possible behaviors
More informationLoopy Belief Propagation
Loopy Belief Propagation Research Exam Kristin Branson September 29, 2003 Loopy Belief Propagation p.1/73 Problem Formalization Reasoning about any real-world problem requires assumptions about the structure
More informationType Checking. Outline. General properties of type systems. Types in programming languages. Notation for type rules.
Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Refers to the compile-time
More informationSMT-Style Program Analysis with Value-based Refinements
SMT-Style Program Analysis with Value-based Refinements Vijay D Silva Leopold Haller Daniel Kröning NSV-3 July 15, 2010 Outline Imprecision and Refinement in Abstract Interpretation SAT Style Abstract
More informationCSE Winter 2015 Quiz 1 Solutions
CSE 101 - Winter 2015 Quiz 1 Solutions January 12, 2015 1. What is the maximum possible number of vertices in a binary tree of height h? The height of a binary tree is the length of the longest path from
More informationType checking. Jianguo Lu. November 27, slides adapted from Sean Treichler and Alex Aiken s. Jianguo Lu November 27, / 39
Type checking Jianguo Lu November 27, 2014 slides adapted from Sean Treichler and Alex Aiken s Jianguo Lu November 27, 2014 1 / 39 Outline 1 Language translation 2 Type checking 3 optimization Jianguo
More informationOutline. General properties of type systems. Types in programming languages. Notation for type rules. Common type rules. Logical rules of inference
Type Checking Outline General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Refers to the compile-time
More informationInformation Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE. The University of Tokyo
Information Flow Analysis and Type Systems for Secure C Language (VITC Project) Jun FURUSE The University of Tokyo furuse@yl.is.s.u-tokyo.ac.jp e-society MEXT project toward secure and reliable software
More informationABSTRACT INTERPRETATION
Master of Science in Engineering ABSTRACT INTERPRETATION Pascal Roman Artho, partho@hsr.ch Seminar Program Analysis and Transformation Rapperswil, January 7, 2015 Agenda Informal Example What is the idea
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationProgram analysis parameterized by the semantics in Maude
Program analysis parameterized by the semantics in Maude A. Riesco (joint work with I. M. Asăvoae and M. Asăvoae) Universidad Complutense de Madrid, Madrid, Spain Workshop on Logic, Algebra and Category
More informationXQ: An XML Query Language Language Reference Manual
XQ: An XML Query Language Language Reference Manual Kin Ng kn2006@columbia.edu 1. Introduction XQ is a query language for XML documents. This language enables programmers to express queries in a few simple
More information