DOI: 10.1145/2950290.2950340
Research article (Public Access)

Proteus: computing disjunctive loop summary via path dependency analysis

Published: 01 November 2016

Abstract

Loops are challenging structures for program analysis, especially when a loop contains multiple paths whose executions interleave in complex ways. In this paper, we first propose a classification of multi-path loops, based on how the variables in the loop conditions are updated and on the execution order of the loop paths, to characterize the complexity of the loop execution. Secondly, we propose a loop analysis framework, named Proteus, which takes a loop program and a set of variables of interest as inputs and summarizes the path-sensitive effects of the loop on those variables. The key contribution is to use a path dependency automaton (PDA) to capture the execution dependency between the paths. A DFS-based algorithm traverses the PDA to summarize the effect of all feasible executions of the loop. The experimental results show that Proteus is effective in three applications: it can 1) compute a more precise bound than existing loop bound analysis techniques; 2) significantly outperform state-of-the-art tools for loop verification; and 3) generate test cases for deep loops within one second, where KLEE and Pex either need much more time or fail.
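The abstract describes two ingredients: summarizing what one loop path does when it runs repeatedly, and a path dependency automaton that records which path may run after which. The following Python is an added illustration of those two ideas on the restricted class of loops whose paths are constant-increment updates guarded by linear inequalities; it is not the Proteus tool or code from the paper. Each path is accelerated in closed form (how many consecutive executions before one of its guards fails), and a walk over the PDA decides which path may come next, so the path pattern, the final state and the exact iteration count are obtained without executing the loop. Both loops, the variable layout, the `Lin`/`Path`/`Loop` classes and the PDA edges are constructed for this example; Proteus derives the PDA automatically and reasons over symbolic states, whereas this walk starts from a concrete entry state, so the paper's DFS collapses to a single branch and the disjuncts of a summary show up as the distinct patterns obtained from different entry states (empty, `A^m`, `A^m B^n`, `B^n`, or a pattern ending in a path that repeats forever).

```python
"""Closed-form loop summaries: accelerate each path, then walk a path dependency
automaton (PDA).  Constructed illustration, not the Proteus implementation."""
from dataclasses import dataclass

INF = None  # path count meaning "this path can repeat forever"


@dataclass(frozen=True)
class Lin:
    """Guard  sum(a[j] * v[j]) + b >= 0  over the positional state vector v."""
    a: tuple
    b: int

    def value(self, v):
        return sum(c * x for c, x in zip(self.a, v)) + self.b

    def slope(self, d):  # change of the guard value per update v := v + d
        return self.value(d) - self.b


@dataclass(frozen=True)
class Path:
    guards: tuple  # Lin constraints selecting this path inside the body
    delta: tuple   # constant increments applied by the path: v := v + delta


@dataclass
class Loop:
    cond: Lin    # loop condition, conjoined with every path guard
    paths: dict  # name -> Path; path guards are mutually exclusive
    pda: dict    # name -> set of path names allowed to run right after it


def accelerate(loop, path, v):
    """Largest m with `path` enabled on v, v+d, ..., v+(m-1)d: 0 if it is not
    enabled now, INF if no constraint can ever switch it off."""
    best = INF
    for g in (loop.cond,) + path.guards:
        g0 = g.value(v)
        if g0 < 0:
            return 0
        s = g.slope(path.delta)
        if s >= 0:
            continue  # guard value never decreases along this path
        m = g0 // (-s) + 1  # execution j (0-based) needs g0 + j*s >= 0
        best = m if best is INF else min(best, m)
    return best


def summarize(loop, v):
    """Effect of `loop` from entry state v without iterating it.  Returns
    (pattern, final_state, iterations), pattern being ((path, count), ...);
    a count of INF flags non-termination and the other two become None."""
    v, pattern, iters, allowed = tuple(v), [], 0, set(loop.paths)
    while True:
        step = None
        for name in sorted(allowed):  # the PDA limits the candidates
            m = accelerate(loop, loop.paths[name], v)
            if m is INF or m > 0:
                step = (name, m)
                break
        if step is None:  # no allowed path enabled: the loop has exited
            return tuple(pattern), v, iters
        name, m = step
        pattern.append((name, m))
        if m is INF:
            return tuple(pattern), None, None
        v = tuple(x + m * dx for x, dx in zip(v, loop.paths[name].delta))
        iters += m
        allowed = loop.pda[name]


def execute(loop, v, fuel=10_000):
    """Reference interpreter used to cross-check summarize()."""
    v, iters = tuple(v), 0
    while loop.cond.value(v) >= 0:
        for p in loop.paths.values():
            if all(g.value(v) >= 0 for g in p.guards):
                v = tuple(x + dx for x, dx in zip(v, p.delta))
                break
        else:
            raise ValueError("no path enabled: loop body is not total")
        iters += 1
        if iters > fuel:
            raise RuntimeError("fuel exhausted: loop did not terminate")
    return v, iters


# Constructed loop 1 over (i, s, n, k):
#   while (i < n) { if (i < k) { s += 1; i += 1; } else { s += 2; i += 1; } }
LOOP1 = Loop(
    cond=Lin((-1, 0, 1, 0), -1),  # n - i - 1 >= 0  <=>  i < n
    paths={"A": Path((Lin((-1, 0, 0, 1), -1),), (1, 1, 0, 0)),   # i < k
           "B": Path((Lin((1, 0, 0, -1), 0),), (1, 2, 0, 0))},   # i >= k
    pda={"A": {"A", "B"}, "B": {"B"}},  # i only grows, so B never hands back to A
)

# Constructed loop 2 over (x, i, n); it diverges once x <= 0 while i < n:
#   while (i < n) { if (x > 0) { x -= 1; } else { i -= 1; } }
LOOP2 = Loop(
    cond=Lin((0, -1, 1), -1),
    paths={"A": Path((Lin((1, 0, 0), -1),), (-1, 0, 0)),   # x > 0
           "B": Path((Lin((-1, 0, 0), 0),), (0, -1, 0))},   # x <= 0
    pda={"A": {"A", "B"}, "B": {"B"}},  # x never increases again after A stops
)
```

`summarize(LOOP1, (0, 0, 10, 3))` returns the pattern `(("A", 3), ("B", 7))`, the final state `(10, 17, 10, 3)` and an iteration count of 10, which is exactly what `execute` produces by stepping the loop; a single-path bound analysis that ignores the order dependency would only know that each path is bounded by `n - i`. On `LOOP2` from `(2, 0, 5)` the walk reports `(("A", 2), ("B", None))`: after two `A` steps every guard of `B` has non-negative slope, so `B` can never be switched off and the summarizer flags non-termination instead of spinning like the interpreter does.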

Published In

FSE 2016: Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering
November 2016
1156 pages
ISBN:9781450342186
DOI:10.1145/2950290
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Disjunctive Summary
  2. Loop Summarization

Qualifiers

  • Research-article

Conference

FSE'16

Acceptance Rates

Overall Acceptance Rate 17 of 128 submissions, 13%

Bibliometrics

Article Metrics

  • Downloads (last 12 months): 255
  • Downloads (last 6 weeks): 42
Reflects downloads up to 11 Feb 2025

Cited By

  • (2025) On Extending Incorrectness Logic with Backwards Reasoning. Proceedings of the ACM on Programming Languages 9(POPL), 391-415. DOI: 10.1145/3704850. Published 9 Jan 2025.
  • (2025) State Merging for Concolic Testing of Event-driven Applications. Science of Computer Programming, article 103264. DOI: 10.1016/j.scico.2025.103264. Published Jan 2025.
  • (2025) Affine Disjunctive Invariant Generation with Farkas' Lemma. Verification, Model Checking, and Abstract Interpretation, 187-213. DOI: 10.1007/978-3-031-82700-6_9. Published 20 Jan 2025.
  • (2024) Automatically reasoning about how systems code uses the CPU cache. Proceedings of the 18th USENIX Conference on Operating Systems Design and Implementation, 581-598. DOI: 10.5555/3691938.3691969. Published 10 Jul 2024.
  • (2024) Analyzing and Discovering Spatial Algorithm Complexity Vulnerabilities in Recursion. Applied Sciences 14(5), article 1855. DOI: 10.3390/app14051855. Published 23 Feb 2024.
  • (2024) Blocking Tracking JavaScript at the Function Granularity. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, 2177-2191. DOI: 10.1145/3658644.3670329. Published 2 Dec 2024.
  • (2024) A Survey of Software Dynamic Analysis Methods. Programming and Computing Software 50(1), 90-114. DOI: 10.1134/S0361768824010079. Published 1 Feb 2024.
  • (2024) Constraint Based Invariant Generation with Modular Operations. Dependable Software Engineering. Theories, Tools, and Applications, 64-84. DOI: 10.1007/978-981-96-0602-3_4. Published 26 Nov 2024.
  • (2023) Extracting protocol format as state machine via controlled static loop analysis. Proceedings of the 32nd USENIX Conference on Security Symposium, 7019-7036. DOI: 10.5555/3620237.3620630. Published 9 Aug 2023.
  • (2023) Lifting Network Protocol Implementation to Precise Format Specification with Security Applications. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 1287-1301. DOI: 10.1145/3576915.3616614. Published 15 Nov 2023.
