Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Springer Nature Link
Log in

Static Analysis in Disjunctive Numerical Domains

  • Conference paper
Static Analysis (SAS 2006)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 4134))

Included in the following conference series:

Abstract

The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powerset extensions can remedy this shortcoming by considering disjunctions of predicates. Unfortunately, analysis using powerset domains can be exponentially more expensive as compared to analysis on the base domain. In this paper, we prove structural properties of fixed points computed in commonly used powerset extensions. We show that a fixed point computed on a powerset extension is also a fixed point in the base domain computed on an “elaboration” of the program’s CFG structure. Using this insight, we build analysis algorithms that approach path sensitive static analysis algorithms by performing the fixed point computation on the base domain while discovering an “elaboration” on the fly. Using restrictions on the nature of the elaborations, we design algorithms that scale polynomially in terms of the number of disjuncts. We have implemented a light-weight static analyzer for C programs with encouraging initial results.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Abramsky, S., Jung, A.: Domain theory. In: Handbook of Logic in Computer Science, ch. 1, vol. 3, pp. 1–168. Clarendon Press, UK (1994)

    Google Scholar 

  2. Bagnara, R., Hill, P.M., Zaffanella, E.: Widening operators for powerset domains. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 135–148. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  3. Bagnara, R., Ricci, E., Zaffanella, E., Hill, P.M.: Possibly Not Closed Convex Polyhedra and the Parma Polyhedra Library. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 213–229. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  4. Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A static analyzer for large safety-critical software. In: ACM SIGPLAN PLDI 2003, vol. 548030, pp. 196–207. ACM Press, New York (2003)

    Google Scholar 

  5. Clarisó, R., Cortadella, J.: The octahedron abstract domain. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 312–327. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  6. Cousot, P., Cousot, R.: Static determination of dynamic properties of programs. In: Proc. Intl. Symp. on Programming, Dunod, pp. 106–130 (1976)

    Google Scholar 

  7. Cousot, P., Cousot, R.: Abstract Interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: ACM Principles of Programming Languages, pp. 238–252 (1977)

    Google Scholar 

  8. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Symposium on Principles of Programming Languages (POPL 1979), pp. 269–282. ACM Press, New York (1979)

    Chapter  Google Scholar 

  9. Cousot, P., Cousot, R.: Comparing the Galois connection and widening/narrowing approaches to Abstract interpretation, invited paper. In: Bruynooghe, M., Wirsing, M. (eds.) PLILP 1992. LNCS, vol. 631, pp. 269–295. Springer, Heidelberg (1992)

    Chapter  Google Scholar 

  10. Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among the variables of a program. In: ACM POPL, pp. 84–97 (January 1978)

    Google Scholar 

  11. Das, M., Lerner, S., Seigle, M.: ESP: Path-sensitive program verification in polynomial time. In: Proceedings of Programming Language Design and Implementation (PLDI 2002), pp. 57–68. ACM Press, New York (2002)

    Chapter  Google Scholar 

  12. Dor, N., Rodeh, M., Sagiv, M.: CSSV: Towards a realistic tool for statically detecting all buffer overflows in C. In: Proc. PLDI 2003. ACM Press, New York (2003)

    Google Scholar 

  13. Floyd, R.W.: Assigning meanings to programs. Proc. Symposia in Applied Mathematics 19, 19–32 (1967)

    MathSciNet  Google Scholar 

  14. Giacobazzi, R., Ranzato, F.: Optimal domains for disjunctive abstract intepretation. Sci. Comput. Program 32(1-3), 177–210 (1998)

    Article  MathSciNet  MATH  Google Scholar 

  15. Halbwachs, N., Proy, Y., Roumanoff, P.: Verification of real-time systems using linear relation analysis. Formal Methods in System Design 11, 157–185 (1997)

    Article  Google Scholar 

  16. Handjieva, M., Tzolovski, S.: Refining static analyses by trace-based partitioning using control flow. In: Levi, G. (ed.) SAS 1998. LNCS, vol. 1503, pp. 200–214. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

  17. Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580 (1969)

    Article  MATH  Google Scholar 

  18. Ivančić, F., Gupta, A., Ganai, M.K., Kahlon, V., Wang, C., Yang, Z.: Model checking C programs using F-Soft. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 301–306. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  19. Karr, M.: Affine relationships among variables of a program. Acta Inf. 6, 133–151 (1976)

    Article  MathSciNet  MATH  Google Scholar 

  20. Manevich, R., Sagiv, M., Ramalingam, G., Field, J.: Partially disjunctive heap abstraction. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 265–279. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  21. Mauborgne, L., Rival, X.: Trace partitioning in abstract interpretation based static analyzers. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 5–20. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  22. Rugina, R., Rinard, M.: Symbolic bounds analysis of pointers, array indices, and accessed memory regions. In: Proc. PLDI. ACM Press, New York (2000)

    Google Scholar 

  23. Sankaranarayanan, S., Colón, M.A., Sipma, H.B., Manna, Z.: Efficient strongly relational polyhedral analysis. In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 111–125. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  24. Sankaranarayanan, S., Sipma, H.B., Manna, Z.: Scalable analysis of linear systems using mathematical programming. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 25–41. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  25. Simon, A., King, A., Howe, J.M.: Two variables per linear inequality as an abstract domain. In: Leuschel, M.A. (ed.) LOPSTR 2002. LNCS, vol. 2664. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  26. Wagner, D., Foster, J., Brewer, E., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Proc. NDSS 2000, pp. 3–17. ACM Press, New York (2000)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. NEC Laboratories America, 4 Independence Way, Princeton, NJ

    Sriram Sankaranarayanan, Franjo Ivančić, Ilya Shlyakhter & Aarti Gupta

Authors
  1. Sriram Sankaranarayanan
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Franjo Ivančić
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ilya Shlyakhter
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Aarti Gupta
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Seoul National University, P.O. Box, Korea

    Kwangkeun Yi

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sankaranarayanan, S., Ivančić, F., Shlyakhter, I., Gupta, A. (2006). Static Analysis in Disjunctive Numerical Domains. In: Yi, K. (eds) Static Analysis. SAS 2006. Lecture Notes in Computer Science, vol 4134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11823230_2

Download citation

  • DOI: https://doi.org/10.1007/11823230_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-37756-6

  • Online ISBN: 978-3-540-37758-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation