Path-Sensitive Dataflow Analysis with Iterative Refinement
Authors
Abstract
In this paper, we present a new method for supporting abstraction refinement in path-sensitive dataflow analysis. We show how an adjustable merge criterion can be used as an interface to control the degree of abstraction. In particular, we partition the merge criterion with two sets of predicates — one related to the dataflow facts being propagated and the other related to path feasibility. These tracked predicates are then used to guide join operations and path feasibility analysis, so that expensive computations are performed only at the right places. Refinement amounts to lazily growing the path predicate set to recover lost precision. We have implemented our refinement technique in ESP, a software validation tool for C/C++ programs. We apply ESP to validate a future version of Windows against critical security properties. Our experience suggests that applying iterative refinement to path-sensitive dataflow analysis is both effective in cutting down spurious errors and scalable enough for solving real world problems.
Similar references
Datapath Allocation
The datapath allocation is one of the basic operations executed in the process of high-level synthesis. The other operations are partitioning and scheduling. The datapath allocation problem consists of two important tasks: unit selection and unit assignment. Unit selection determines the number and types of RT components to be used in the design. Unit assignment involves the mapping of the vari...
Towards a Flow- and Path-Sensitive Information Flow Analysis: Technical Report
This paper investigates a flow- and path-sensitive static information flow analysis. Compared with security type systems with fixed labels, it has been shown that flow-sensitive type systems accept more secure programs. We show that an information flow analysis with fixed labels can be both flow- and path-sensitive. The novel analysis has two major components: 1) a general-purpose program transform...
Path-Sensitive Analysis Using Edge Strings
Path sensitivity improves the quality of static analysis by avoiding approximative merging of dataflow facts collected along distinct program paths. Because full path sensitivity has prohibitive cost, it is worthwhile to consider hybrid approaches that provide path sensitivity on selected subsets of paths. In this paper, we consider such a technique based on an edge string, a compact abstractio...
Call-Site Heuristics for Scalable Context-Sensitive Interprocedural Analysis
When analyzing a program via an abstract interpretation (dataflow analysis) framework we would like to examine the program in a context-sensitive interprocedural manner. Analyzing the entire program in a manner that precisely considers interprocedural flow can lead to much more accurate results than local or context-insensitive analyses (particularly for heap-based analyses such as shape analys...
Propagation Path Properties in Iterative Longest-Edge Refinement
In this work we investigate the refinement propagation process in longest-edge based local refinement algorithms for unstructured meshes of triangles. The conformity neighborhood of a triangle, the set of additional triangles that must be refined to ensure mesh conformity, is introduced to define the propagation path. We prove that asymptotically the propagation path extends on average t...