Loopfrog - loop summarization for static analysis

Loopfrog is a scalable static analyzer for ANSI-C programs, that combines the precision of model checking and the performance of abstract interpretation. In contrast to traditional static analyzers, it does not calculate the abstract fix-point of a program by iterative application of an abstract transformer. Instead, it calculates symbolic abstract transformers for program fragments (e.g., loops) using a loop summarization algorithm presented in [2]. Loopfrog computes abstract transformers starting from the inner-most loops, which results in linear (in the number of the looping constructs) run-time of the summarization procedure and which is often considerably smaller than the traditional saturation procedure of abstract interpetation. It also provides “leaping” counterexamples to aid in the diagnosis of errors. An example for a very coarse over-approximation is the following: replace the loop by a piece of code that “havocs” the program state by setting all variables written by the loop to non-deterministic values. A way to obtain better summaries for loops is by strengthening them with loop invariants. Loopfrog does not aim at invariant discovery itself; we draw the loop invariants from a library of abstract domains. The concretization γ(ŝ) of any abstract state ŝ corresponds to a predicate over concrete states, and is a candidate for some loop invariant. We heuristically traverse the lattice of abstract states in search of invariants that are preserved by the loop; the set of these abstract states then serves as the summary. Candidate states ŝ are checked as follows: as we start from an innermost loop, the body of the loop is itself loop-free. It is thus straight-forward to build the transition relation of the loop body by transforming the code fragment into a static single assignment (SSA) form. Let φb denote the resulting expression, which is a precise predicate transformer of the loop body. We then form the conjunction of the concretization of ŝ in the pre-state, the loop guard φg, the loop body φb, and the negation of the concretization in the post-state (denoted by the prime): γ(ŝ) ∧ φg ∧ φb ∧ ¬γ(ŝ′). If the loop body has any post-states that do not obey the constraints, the decision procedure will find this formula to be satisfiable. If the formula is unsatisfiable, the constraints are indeed an invariant. We consequently add γ(ŝ) → (¬φg ∧ γ(ŝ′)) to the loop summary. The overall result of a loop summarization is a symbolic expression over preand post-states that encodes (in an over-approximating manner) those invariants preserved by the loop that can be expressed by the abstract domain. Our experimental results show that execution times of the decision procedure are usually very small, even if complex abstract domains are used, owing to the relative shortness of the program fragments.