Abstract
Interprocedural analysis by means of partial tabulation of summary functions may not terminate when the same procedure is analyzed for infinitely many abstract calling contexts or when the abstract domain has infinite strictly ascending chains. As a remedy, we present a novel local solver for general abstract equation systems, be they monotonic or not, and prove that this solver fails to terminate only when infinitely many variables are encountered. We clarify in which sense the computed results are sound. Moreover, we show that interprocedural analysis performed by this novel local solver, is guaranteed to terminate for all non-recursive programs — irrespective of whether the complete lattice is infinite or has infinite strictly ascending or descending chains.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
References
Alt, M., Martin, F.: Generation of efficient interprocedural analyzers with PAG. In: Mycroft, A. (ed.) SAS 1995. LNCS, vol. 983, pp. 33–50. Springer, Heidelberg (1995)
Amato, G., Scozzari, F., Seidl, H., Apinis, K., Vojdani, V.: Efficiently intertwining widening and narrowing. Sci. Comput. Program. 120, 1–24 (2016)
Apinis, K., Seidl, H., Vojdani, V.: Side-effecting constraint systems: a swiss army knife for program analysis. In: Igarashi, A., Jhala, R. (eds.) APLAS 2012. LNCS, vol. 7705, pp. 157–172. Springer, Heidelberg (2012)
Apinis, K., Seidl, H., Vojdani, V.: How to combine widening and narrowing for non-monotonic systems of equations. In: 34th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pp. 377–386. ACM (2013)
Apinis, K., Seidl, H., Vojdani, V.: Enhancing top-down solving with widening and narrowing. In: Probst, C.W., Hankin, C., Hansen, R.R. (eds.) Nielsons’ Festschrift. LNCS, vol. 9560, pp. 272–288. Springer, Heidelberg (2016). doi:10.1007/978-3-319-27810-0_14
Bagnara, R., Hill, P.M., Ricci, E., Zaffanella, E.: Precise widening operators for convex polyhedra. Sci. Comput. Program. 58(1–2), 28–56 (2005)
Bourdoncle, F.: Efficient chaotic iteration strategies with widenings. In: Bjørner, D., Broy, M., Pottosin, I.V. (eds.) Formal Methods in Programming and Their Applications. LNCS, vol. 735, pp. 128–141. Springer, Heidelberg (1993)
Chen, L., Miné, A., Wang, J., Cousot, P.: An abstract domain to discover interval linear equalities. In: Barthe, G., Hermenegildo, M. (eds.) VMCAI 2010. LNCS, vol. 5944, pp. 112–128. Springer, Heidelberg (2010)
Cousot, P.: Abstracting induction by extrapolation and interpolation. In: D’Souza, D., Lal, A., Larsen, K.G. (eds.) VMCAI 2015. LNCS, vol. 8931, pp. 19–42. Springer, Heidelberg (2015)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysisof programs by construction or approximation of fixpoints. In: Fourth ACM Symposium on Principles of Programming Languages (POPL), pp. 238–252. ACM (1977)
Cousot, P., Cousot, R.: Static determination of dynamic properties of generalized type unions. In: ACM Conference on Language Design for Reliable Software (LDRS), pp. 77–94. ACM (1977)
Cousot, P., Cousot, R.: Static determination of dynamic properties of recursive procedures. In: IFIP Conference on Formal Description of Programming Concepts, pp. 237–277, North-Holland (1977)
Cousot, P., Cousot, R.: Abstract interpretation frameworks. J. Log. Comput. 2(4), 511–547 (1992)
Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Rival, X.: Why does Astrée scale up? Formal Methods Syst. Design 35(3), 229–264 (2009)
Fecht, C., Seidl, H.: An even faster solver for general systems of equations. In: Cousot, R., Schmidt, D.A. (eds.) SAS 1996. LNCS, vol. 1145. Springer, Heidelberg (1996)
Gonnord, L., Halbwachs, N.: Combining widening and acceleration in linear relation analysis. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 144–160. Springer, Heidelberg (2006)
Hermenegildo, M.V., Bueno, F., Carro, M., López-García, P., Mera, E., Morales, J.F., Puebla, G.: An overview of Ciao and its design philosophy. Theor. Pract. Log. Program. 12(1–2), 219–252 (2012)
Hermenegildo, M.V., Puebla, G., Bueno, F., López-García, P.: Integrated program debugging, verification, and optimization using abstract interpretation (and the Ciao system preprocessor). Sci. Comput. Program. 58(1–2), 115–140 (2005)
Hofmann, M., Karbyshev, A., Seidl, H.: Verifying a local generic solver in Coq. In: Cousot, R., Martel, M. (eds.) SAS 2010. LNCS, vol. 6337, pp. 340–355. Springer, Heidelberg (2010)
Hofmann, M., Karbyshev, A., Seidl, H.: What is a pure functional? In: Gavoille, C., Kirchner, C., Meyer auf der Heide, F., Spirakis, P.G., Abramsky, S. (eds.) ICALP 2010. LNCS, vol. 6199, pp. 199–210. Springer, Heidelberg (2010)
Karbyshev, A.: Monadic Parametricity of Second-Order Functionals. Ph.D. thesis, Institut für Informatik, Technische Universität München, September 2013
MacNeille, H.M.: Partially ordered sets. Trans. Amer. Math. Soc. 42(3), 416–460 (1937)
Muthukumar, K., Hermenegildo, M.V.: Deriving a fixpoint computation algorithm for top-down abstract interpretation of logic programs. Technical report ACT-DC-153-90, Microelectronics and Computer Technology Corporation (MCC), Austin, TX 78759, April 1990
Schulze Frielinghaus, S., Seidl, H., Vogler, R.: Enforcing termination of interprocedural analysis. arXiv e-prints (2016). http://arxiv.org/abs/1606.07687
Seidl, H., Fecht, C.: Interprocedural analyses: a comparison. J. Logic Program. 43(2), 123–156 (2000)
Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis.In: Muchnick, S., Jones, N. (eds.) Program Flow Analysis: Theory and Application, pp. 189–233. Prentice-Hall (1981)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Experimental Evaluation
A Experimental Evaluation
We implemented the solvers TSTP and TSMP presented in Sects. 6 and 7 within the analysis framework Goblint Footnote 1. For that, these solvers have been extended to deal with side-effects (see [3] for a detailed discussion of this mechanism) to jointly deal with flow- and context-sensitive and flow-insensitive analyses. In order to perform a fair comparison of the new solvers with warrowing-based local solving as proposed in [2, 4], we provided a simplified version of TSMP. This simplified solver performs priority based iteration in the same way as TSMP but uses the warrowing operator instead of selecting operators according to extra flags. These three solvers were evaluated on the SPECint benchmark suiteFootnote 2 consisting of not too small real-world C programs (1,600 to 34,000 LOC). Furthermore, the following C programs where analyzed: entFootnote 3, figletFootnote 4, maradnsFootnote 5, wgetFootnote 6, and some programs from the coreutilsFootnote 7 package. The analyzed program wget is the largest one with around 77,000 LOC.
The analyses which we performed are put on top of a basic analysis of pointers, strings and enums. For enum variables, sets of possibles values are maintained. The benchmark programs were analyzed with full context-sensitivity of local data while globals were treated flow-insensitively.
The experimental setting is a fully context-sensitive interval analysis of int variables. Therefore, program 482.sphinx had to be excluded from the benchmark suite since it uses procedures which recurse on int arguments. Interestingly, the warrowing solver behaves exactly the same as TSMP on all of our benchmark programs. We interpret this by the fact that for the given analysis the right-hand sides are effectively monotonic. Accordingly, Fig. 7 only reports the relative precision of TSTP compared to TSMP.
Efficiency of TSMP vs. TSTP. (Color figure online)
Figure 6 compares the solvers TSMP and TSTP in terms of space and time. For a reasonable metric for space we choose the total number of variables (i.e., occurring pairs of program points and contexts) and for time the total number of evaluations of right-hand sides of a corresponding variable. The table indicates that the solver TSMP requires only around half of the variables of the solver TSTP. Interestingly, the percentage of evaluations of right-hand sides in a run of TSMP is still around 60 to 70 % of the solver TSTP.
Precision of TSMP vs. TSTP.
In the second experiment, as depicted by Fig. 7, we compare the precision of the two solvers. For a reasonable metric we only compare the values of variables which occur in both solver runs. As a result, between 80 and 95 % of the variables receive the same value. It is remarkable that the mixed phase solver is not necessarily more precise. In many cases, an increase in precision is observed, yes — there are, however, also input programs where the two-phase solver excels.
Rights and permissions
Copyright information
© 2016 Springer-Verlag GmbH Germany
About this paper
Cite this paper
Schulze Frielinghaus, S., Seidl, H., Vogler, R. (2016). Enforcing Termination of Interprocedural Analysis. In: Rival, X. (eds) Static Analysis. SAS 2016. Lecture Notes in Computer Science(), vol 9837. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53413-7_22
Download citation
DOI: https://doi.org/10.1007/978-3-662-53413-7_22
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53412-0
Online ISBN: 978-3-662-53413-7
eBook Packages: Computer ScienceComputer Science (R0)