DOI: 10.1145/1007512.1007515
Article

Software validation via scalable path-sensitive value flow analysis

Published: 01 July 2004

Abstract

In this paper, we present a new algorithm for tracking the flow of values through a program. Our algorithm represents a substantial improvement over the state of the art. Previously described value flow analyses that are control-flow sensitive do not scale well, nor do they eliminate value flow information from infeasible execution paths (i.e., they are path-insensitive). Our algorithm scales to large programs, and it is path-sensitive.

The efficiency of our algorithm arises from three insights: the value flow problem can be "bit-vectorized" by tracking the flow of one value at a time; dataflow facts from different execution paths with the same value flow information can be merged; and information about complex aliasing that affects value flow can be plugged in from a different analysis.

We have incorporated our analysis in ESP, a software validation tool. We have used ESP to validate the Windows operating system kernel (a million lines of code) against an important security property. This experience suggests that our algorithm scales to large programs, and is accurate enough to trace the flow of values in real code.
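The following is an added illustration of the first two insights, written for this page; it is not ESP's code and not taken from the paper. It tracks one value at a time (the value created at a single allocation site), keeps a separate dataflow fact per execution path only as long as the paths differ in which variables hold that value, and merges paths whose value-alias sets agree. The tiny IR (alloc/copy/kill/flag statements, guarded CFG edges), the sample program, the tracked site and the merge rule for branch facts are all assumptions made for the example; there is no heap aliasing in this model, which is exactly the part the paper delegates to a separate alias analysis. Running the same program with path sensitivity switched off shows the precision lost at the second `if (flag)`.

```python
from collections import deque, namedtuple

# Constructed IR for this example. A block is a list of statements and a list of
# (successor, guard) edges; guard is None or (flag_name, required_bool).
#   ("alloc", x)         x := fresh value created here (the site we track, or a kill)
#   ("copy", x, y)       x := y
#   ("kill", x)          x := something unrelated
#   ("setflag", f, b)    f := constant bool b
#   ("unknownflag", f)   f := unknown bool (e.g. read from input)
Block = namedtuple("Block", ["stmts", "succs"])


def transfer(stmt, aliases, flags, site, pc):
    """Apply one statement to (value-alias set, known flag values)."""
    kind = stmt[0]
    if kind == "alloc":
        x = stmt[1]
        aliases = (aliases | {x}) if pc == site else (aliases - {x})
    elif kind == "copy":
        x, y = stmt[1], stmt[2]
        aliases = (aliases | {x}) if y in aliases else (aliases - {x})
    elif kind == "kill":
        aliases = aliases - {stmt[1]}
    elif kind == "setflag":
        flags = dict(flags)
        flags[stmt[1]] = stmt[2]
    elif kind == "unknownflag":
        flags = {k: v for k, v in flags.items() if k != stmt[1]}
    else:
        raise ValueError("unknown statement %r" % (stmt,))
    return frozenset(aliases), flags


def merge(entry, aliases, flags):
    """Add a state to a block entry. States with the same alias set are merged
    by keeping only the flag facts they agree on. Returns True on change."""
    if aliases not in entry:
        entry[aliases] = flags
        return True
    old = entry[aliases]
    joined = {k: v for k, v in old.items() if flags.get(k) == v}
    if joined == old:
        return False
    entry[aliases] = joined
    return True


def analyze(cfg, entry, site, path_sensitive=True):
    """Track the single value created at site=(block, stmt_index).
    Returns {block: {alias_set: flags}} for the states reaching each block."""
    states = {b: {} for b in cfg}
    states[entry][frozenset()] = {}
    work = deque([entry])
    while work:
        b = work.popleft()
        for start_aliases, start_flags in list(states[b].items()):
            aliases, flags = start_aliases, start_flags
            for i, stmt in enumerate(cfg[b].stmts):
                aliases, flags = transfer(stmt, aliases, flags, site, (b, i))
            for target, guard in cfg[b].succs:
                out_flags = flags
                if guard is not None and path_sensitive:
                    f, val = guard
                    if flags.get(f, val) != val:
                        continue  # edge infeasible on this path: drop the fact
                    out_flags = dict(flags)
                    out_flags[f] = val  # remember the branch outcome
                if merge(states[target], aliases, out_flags):
                    work.append(target)
    return states


def must_hold(states, block, var):
    return bool(states[block]) and all(var in a for a in states[block])


def may_hold(states, block, var):
    return any(var in a for a in states[block])


# Constructed sample: `if (flag) p = alloc(); ... if (flag) q = p;`
PROGRAM = {
    "entry": Block([("unknownflag", "flag")],
                   [("alloc_p", ("flag", True)), ("join", ("flag", False))]),
    "alloc_p": Block([("alloc", "p")], [("join", None)]),
    "join": Block([], [("use_p", ("flag", True)), ("exit", ("flag", False))]),
    "use_p": Block([("copy", "q", "p")], [("exit", None)]),
    "exit": Block([], []),
}
SITE = ("alloc_p", 0)

if __name__ == "__main__":
    sens = analyze(PROGRAM, "entry", SITE)
    insens = analyze(PROGRAM, "entry", SITE, path_sensitive=False)
    print("path-sensitive:   p must hold at use_p:", must_hold(sens, "use_p", "p"))
    print("path-insensitive: p must hold at use_p:", must_hold(insens, "use_p", "p"))
```

At `join` the two incoming paths carry different alias sets ({p} with flag=true, {} with flag=false), so they are kept apart; the second `if (flag)` then prunes the flag=false state from the `use_p` edge and the analysis reports that `p` holds the value on every feasible path into `use_p`. With guards ignored, both states reach `use_p` and only a "may" answer survives. Merging by alias set rather than by full path keeps the number of states per block bounded by the number of distinct alias sets, which is the scalability argument of the abstract in miniature.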



Reviews

James M. Perry

A new simulation algorithm for inter-procedural, context-sensitive, and path-sensitive value flow analysis is described in this paper. Value flow analysis investigates which memory locations hold a given value; it is used in software validation tools. The challenge for these tools is the development of practical algorithms for large programs. The authors apply known results for memory aliasing and path merging, with implicit representation of value sets, to produce a practical algorithm, which they demonstrate using a software validation tool, ESP. The topic of the paper is largely formal, but the authors do a good job of giving examples, and providing insight, appropriate repetition, and explanation. The formal part of the paper consists of a pointer assignment language, definitions of value alias sets and transfer functions, and pseudocode for computing the transfer function to obtain the value alias set for a variable created at a given point in a program. The transfer function is defined in terms of "must" and "may" sets. By varying the definition of these sets, the function calculation can trade off between accuracy and scalability: a larger "must" set corresponds to more accuracy, and a smaller "may" set, to scalability. No formal definition of the transfer function's action on states was provided, except indirectly in the pseudocode. The authors briefly summarize related work, and provide references. Results of applying the algorithm to the Windows kernel are given, but comparisons with alternatives are not provided. The paper is of interest to software engineers working on software validation tools and program analysis.


Published In

ISSTA '04: Proceedings of the 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis
July 2004, 294 pages
ISBN: 1581138202
DOI: 10.1145/1007512

Also appears in ACM SIGSOFT Software Engineering Notes, Volume 29, Issue 4, July 2004, 284 pages
ISSN: 0163-5948
DOI: 10.1145/1013886
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. alias analysis
  2. path-sensitive analysis
  3. value flow

Qualifiers

  • Article

Conference

ISSTA04

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%
