research-article

Sound, complete and scalable path-sensitive analysis

Authors:

Alex AikenAuthors Info & Claims

PLDI '08: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation

Pages 270 - 280

https://doi.org/10.1145/1375581.1375615

Published: 07 June 2008 Publication History

Abstract

We present a new, precise technique for fully path- and context-sensitive program analysis. Our technique exploits two observations: First, using quantified, recursive formulas, path- and context-sensitive conditions for many program properties can be expressed exactly. To compute a closed form solution to such recursive constraints, we differentiate between observable and unobservable variables, the latter of which are existentially quantified in our approach. Using the insight that unobservable variables can be eliminated outside a certain scope, our technique computes satisfiability- and validity-preserving closed-form solutions to the original recursive constraints. We prove the solution is as precise as the original system for answering may and must queries as well as being small in practice, allowing our technique to scale to the entire Linux kernel, a program with over 6 million lines of code.

References

[1]

A. Aiken, S. Bugrara, I. Dillig, T. Dillig, B. Hackett, and P. Hawkins. An overview od the SATURN project. In Proc. Workshop on Program Analysis for Software Tools and Engineering, pages 43--48, 2007.]]

Digital Library

[2]

A. Aiken, E.L. Wimmers, and J. Palsberg. Optimal Representations of Polymorphic Types with Subtyping. Higher-Order and Symbolic Computation, 12(3):237--282, 1999.]]

Digital Library

[3]

T. Ball and S. Rajamani. Bebop: A symbolic model checker for boolean programs. In Proceedings of the 7th International SPIN Workshop on SPIN Model Checking and Software Verification, pages 113--130, London, UK, 2000. Springer-Verlag.]]

Digital Library

[4]

T. Ball and S. Rajamani. Automatically validating temporal safety properties of interfaces. LNCS, 2057:103--122, 2001.]]

Digital Library

[5]

T. Ball and S. Rajamani. Bebop: a path-sensitive interprocedural dataflow engine. In PASTE '01: Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, pages 97--103, New York, NY, USA, 2001. ACM.]]

Digital Library

[6]

R. Bloem, I. Moon, K. Ravi, and F. Somenzi. Approximations for fixpoint computations in symbolic model checking.]]

[7]

G. Boole. An Investigation of the Laws of Thought. Dover Publications, Incorporated, 1858.]]

Digital Library

[8]

S. Bugrara and A. Aiken. Verifying the safety of user pointer dereferences. In IEEE Symposium on Security and Privacy, 2008.]]

Digital Library

[9]

J. Burch, E. Clarke, K. McMillan, D. Dill, and L. Hwang. Symbolic model checking: $10^20$ states and beyond. In Proc. Symposium on Logic in Computer Science, June 1990.]]

Digital Library

[10]

D. Dill and H. Wong-Toi. Verification of real-time systems by successive over and under approximation. In Proc. International Conference On Computer Aided Verification, volume 939, pages 409--422, 1995.]]

Digital Library

[11]

M. Das, S. Lerner, and M. Seigle. ESP: Path-sensitive program verification in polynomial time. In Proc. Conference on Programming Language Design and Implementation, pages 57--68, 2002.]]

Digital Library

[12]

I. Dillig, T. Dillig, and A. Aiken. Static error detection using semantic inconsistency inference. In Proc. Conference on Programming Language Design and Implementation, pages 335--345, 2007.]]

Digital Library

[13]

J. Esparaza and S. Schwoon. A bdd-based model checker for recursive programs. Lecture Notes in Computer Science, 2102/2001:324--336, 2001.]]

Digital Library

[14]

B. Hackett and A. Aiken. How is aliasing used in systems software? In Proc. International Symposium on Foundations of Software Engineering, pages 69--80, 2006.]]

Digital Library

[15]

F. Henglein. Type inference and semi-unification. In Proc. Conference on LISP and Functional Programming, pages 184--197, 1988.]]

Digital Library

[16]

T. Henzinger, R. Jhala, R. Majumdar, and K. McMillan. Abstractions from proofs. In Proc. 31st Symposium on Principles of Programming Languages, pages 232--244, 2004.]]

Digital Library

[17]

F. Ivancic, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar. F-soft:software verification platform. Lecture Notes in Computer Science, 3576/2005:301--306, 2005.]]

Digital Library

[18]

F. Lin. On strongest necessary and weakest sufficient conditions. In Proc. International Conference on Principles of Knowledge Representation and Reasoning, pages 143--159, April 2000.]]

[19]

A. Mycroft. Polymorphic type schemes and recursive definitions. In Proc. Colloquium on International Symposium on Programming, pages 217--228, 1984.]]

Digital Library

[20]

T. Reps, S. Horwitz, and M. Sagiv. Precise interprocedural dataflow analysis via graph reachability. In POPL '95: Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 49--61, New York, NY, USA, 1995. ACM.]]

Digital Library

[21]

D. Schmidt. A calculus of logical relations for over- and underapproximating static analyses. Science of Computer Programming, 64(1):29--53, 2007.]]

Digital Library

[22]

M. Sharir and A. Pnueli. Two approaches to interprocedural data flow analysis. Program Flow Analysis: Theory and Applications, pages 189--234, 1981.]]

[23]

Y. Xie and A. Aiken. Scalable error detection using boolean satisfiability. SIGPLAN Not., 40(1):351--363, 2005.]]

Digital Library

Cited By

Guo YYao PZhang CChristakis MPradel M(2024)Precise Compositional Buffer Overflow Detection via Heap DisjointnessProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3652110(63-75)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3652110
Cheng XRen JSui Y(2024)Fast Graph Simplification for Path-Sensitive Typestate Analysis through Tempo-Spatial Multi-Point SlicingProceedings of the ACM on Software Engineering10.1145/36437491:FSE(494-516)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643749
Sun YWang CFan GShi QZhang X(2024)Fast and Precise Static Null Exception Analysis With Synergistic PreprocessingIEEE Transactions on Software Engineering10.1109/TSE.2024.346655150:11(3022-3036)Online publication date: 1-Nov-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3466551
Show More Cited By

Index Terms

Sound, complete and scalable path-sensitive analysis
1. General and reference
  1. Cross-computing tools and techniques
    1. Reliability
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Formal software verification
  2. Software organization and properties
    1. Extra-functional properties
      1. Software reliability
    2. Software functional properties
      1. Formal methods

Recommendations

Sound, complete and scalable path-sensitive analysis
PLDI '08

We present a new, precise technique for fully path- and context-sensitive program analysis. Our technique exploits two observations: First, using quantified, recursive formulas, path- and context-sensitive conditions for many program properties can be ...
Context-, flow-, and field-sensitive data-flow analysis using synchronized Pushdown systems

Precise static analyses are context-, field- and flow-sensitive. Context- and field-sensitivity are both expressible as context-free language (CFL) reachability problems. Solving both CFL problems along the same data-flow path is undecidable, which is ...
Demand-driven memory leak detection based on flow- and context-sensitive pointer analysis

We present a demand-driven approach to memory leak detection algorithm based on flow- and context-sensitive pointer analysis. The detection algorithm firstly assumes the presence of a memory leak at some program point and then runs a backward analysis to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

PLDI '08: Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation

June 2008

396 pages

ISBN:9781595938602

DOI:10.1145/1375581

General Chair:
Rajiv Gupta
University of California, Riverside, USA
,
Program Chair:
Saman Amarasinghe
Massachusetts Institute of Technology, USA

ACM SIGPLAN Notices Volume 43, Issue 6
PLDI '08
June 2008
382 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/1379022
Issue’s Table of Contents

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 June 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

PLDI '08

Sponsor:

PLDI '08: ACM SIGPLAN Conference on Programming Language Design and Implementation

June 7 - 13, 2008

AZ, Tucson, USA

Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

116
Total Citations
View Citations
1,130
Total Downloads

Downloads (Last 12 months)67
Downloads (Last 6 weeks)13

Reflects downloads up to 18 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Guo YYao PZhang CChristakis MPradel M(2024)Precise Compositional Buffer Overflow Detection via Heap DisjointnessProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3652110(63-75)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3652110
Cheng XRen JSui Y(2024)Fast Graph Simplification for Path-Sensitive Typestate Analysis through Tempo-Spatial Multi-Point SlicingProceedings of the ACM on Software Engineering10.1145/36437491:FSE(494-516)Online publication date: 12-Jul-2024
https://dl.acm.org/doi/10.1145/3643749
Sun YWang CFan GShi QZhang X(2024)Fast and Precise Static Null Exception Analysis With Synergistic PreprocessingIEEE Transactions on Software Engineering10.1109/TSE.2024.346655150:11(3022-3036)Online publication date: 1-Nov-2024
https://dl.acm.org/doi/10.1109/TSE.2024.3466551
Liu XYang CLi DZhou YLi SChen JChen Z(2023)Adonis: Practical and Efficient Control Flow Recovery through OS-level TracesACM Transactions on Software Engineering and Methodology10.1145/360718733:1(1-27)Online publication date: 4-Jul-2023
https://dl.acm.org/doi/10.1145/3607187
Ko YOh HGrundy JPollock LPenta M(2023)Learning to Boost Disjunctive Static Bug-FindersProceedings of the 45th International Conference on Software Engineering10.1109/ICSE48619.2023.00099(1097-1109)Online publication date: 14-May-2023
https://dl.acm.org/doi/10.1109/ICSE48619.2023.00099
Wang THe HLiu XLi SJia ZJiang YLiao QLi W(2023)ConfTainter: Static Taint Analysis For Configuration Options2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)10.1109/ASE56229.2023.00067(1640-1651)Online publication date: 11-Sep-2023
https://doi.org/10.1109/ASE56229.2023.00067
Yu YLiu J(2022)TAPInspector: Safety and Liveness Verification of Concurrent Trigger-Action IoT SystemsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2022.321408417(3773-3788)Online publication date: 2022
https://doi.org/10.1109/TIFS.2022.3214084
Zhang HChen WHao YLi GZhai YZou XQian ZKim YKim JVigna GShi E(2021)Statically Discovering High-Order Taint Style Vulnerabilities in OS KernelsProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security10.1145/3460120.3484798(811-824)Online publication date: 12-Nov-2021
https://dl.acm.org/doi/10.1145/3460120.3484798
Shi QYao PWu RZhang CFreund SYahav E(2021)Path-sensitive sparse analysis without path conditionsProceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation10.1145/3453483.3454086(930-943)Online publication date: 19-Jun-2021
https://dl.acm.org/doi/10.1145/3453483.3454086
Zuo ZZhang YPan QLu SLi YWang LLi XXu GFreund SYahav E(2021)Chianina: an evolving graph system for flow- and context-sensitive analyses of million lines of C codeProceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation10.1145/3453483.3454085(914-929)Online publication date: 19-Jun-2021
https://dl.acm.org/doi/10.1145/3453483.3454085
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents