Static Analysis in Disjunctive Numerical Domains
Authors
Abstract
The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powerset extensions can remedy this shortcoming by considering disjunctions of predicates. Unfortunately, analysis using powerset domains can be exponentially more expensive than analysis on the base domain. In this paper, we prove structural properties of fixed points computed in commonly used powerset extensions. We show that a fixed point computed on a powerset extension is also a fixed point in the base domain computed on an “elaboration” of the program’s CFG structure. Using this insight, we build analysis algorithms that approach path-sensitive static analysis algorithms by performing the fixed point computation on the base domain while discovering an “elaboration” on the fly. Using restrictions on the nature of the elaborations, we design algorithms that scale polynomially in the number of disjuncts. We have implemented a lightweight static analyzer as a part of the F-Soft project with encouraging initial results.
Similar references
SMT-Based and Disjunctive Relational Abstract Domains for Static Analysis
Abstract Interpretation is a theory of sound approximation of program semantics. In recent decades, it has been widely and successfully applied to the static analysis of computer programs. In this thesis, we will work on abstract domains, one of the key concepts in abstract interpretation, which aim at automatically collecting information about the set of all possible values of the program vari...
Three dimensional static and dynamic analysis of thick plates by the meshless local Petrov-Galerkin (MLPG) method under different loading conditions
In this paper, three dimensional (3D) static and dynamic analysis of thick plates based on the Meshless Local Petrov-Galerkin (MLPG) is presented. Using the kinematics of a three-dimensional continuum, the local weak form of the equilibrium equations is derived. A weak formulation for the set of governing equations is transformed into local integral equations on local sub-domains by using a uni...
CS-R9633 (1996)
In this paper we propose a simple framework based on first-order logic for the design and decomposition of abstract domains for static analysis. An assertion language is chosen that specifies the properties of interest, and abstract domains are defined to be suitably chosen sets of assertions. Composition and decomposition of abstract domains is facilitated by their logical specification in first-ord...
Inferring Disjunctive Postconditions
Polyhedral analysis [9] is an abstract interpretation used for automatic discovery of invariant linear inequalities among numerical variables of a program. Convexity of this abstract domain allows efficient analysis but also loses precision via convex-hull and widening operators. To selectively recover the loss of precision, sets of polyhedra (disjunctive elements) may be used to capture more p...
Seminar: Current Topics in Programming Theory, Numerical Domains. A Practical Construction for Decomposing Numerical Abstract Domains
Gagandeep Singh, Markus Püschel, Martin Vechev. Numerical abstract domains such as Polyhedra, Octahedron, Octagon, Interval, and others are an essential component of static program analysis. The choice of domain offers a performance/precision tradeoff ranging from cheap and imprecise (Interval) to expensive and precise (Polyhedra). Recently, significant speedups were achieved for Octagon...