Results 1 - 10 of 11
ESP: Path-Sensitive Program Verification in Polynomial Time
, 2002
Cited by 224 (3 self)
Abstract: In this paper, we present a new algorithm for partial program verification that runs in polynomial time and space. We are interested in checking that a program satisfies a given temporal safety property. Our insight is that by accurately modeling only those branches in a program for which the property-related behavior differs along the arms of the branch, we can design an algorithm that is accurate enough to verify the program with respect to the given property, without paying the potentially exponential cost of full path-sensitive analysis. We have implemented this "property simulation" algorithm as part of a partial verification tool called ESP. We present the results of applying ESP to the problem of verifying the file I/O behavior of a version of the GNU C compiler (gcc, 140,000 LOC). We are able to prove that all of the 646 calls to fprintf in the source code of gcc are guaranteed to print to valid, open files. Our results show that property simulation scales to large programs and is accurate enough to verify meaningful properties.
Synchronization Transformations for Parallel Computing
- In Proceedings of the 24th Annual ACM Symposium on the Principles of Programming Languages
, 1997
Cited by 24 (8 self)
Abstract: ion Transformations Since the synchronization transformations deal primarily with the movement and manipulation of synchronization nodes, it is appropriate for the compiler to use an abstract, simplified representation of the actual computation in the ICFG. The compiler can therefore apply several transformations that replace concrete representations of computation with more abstract representations. The end result is a simpler and smaller ICFG, which improves the performance and functionality of the synchronization optimization algorithms. The transformations are as follows:
- Node Abstraction: A connected set of assignment, conditional nodes or summary nodes with a single incoming edge and a single outgoing edge is replaced by a single summary node. Figure 2 presents this transformation.
- Procedure Abstraction: The invocation of a procedure that consists only of assignment, conditional nodes or summary nodes is replaced with a single node summarizing the execution of t...
Characterization and Automatic Identification of Type Infeasible Call Chains
, 2003
Cited by 7 (0 self)
Abstract: Many software engineering applications utilize static program analyses to gain information about programs. Some applications perform static analysis over the whole program's call graph, while others are more interested in specific call chains within a program's call graph. A particular static call chain for an object-oriented program may in fact be impossible to execute, or infeasible, such that there is no input for which the chain will be taken. Identifying infeasible static call chains can save time and resources with respect to the targeted software development tool. This paper examines type infeasibility of call chains, which may be caused by inherently polymorphic call sites and are sometimes due to imprecision in call graphs. The problem of determining whether a call chain is type infeasible is defined and exemplified, and a key property characterizing type infeasible call chains is described. An empirical study was performed on a set of Java programs, and results from examining the call graphs of these programs are presented. Finally, an algorithm that automatically determines the type infeasibility of a call chain due to object parameters is presented.
Context Inference for Static Analysis of Java Card Object Sharing
- Smart Card Programming and Security, volume 2140 of Lect. Notes in Comp. Sci
, 2001
Cited by 7 (0 self)
Abstract: This article presents an analysis to statically check the Java Card sharing policy. From the program text, both the violation and the guarantee of correctness can be detected in certain cases, avoiding runtime exceptions.
A Demand-Driven Approach for Efficient Interprocedural Data Flow Analysis
- IBM RESEARCH
, 1996
Asynchronous Sequential Processes
, 2003
Cited by 6 (2 self)
Abstract: This document presents an object language that allows one to program parallel and distributed applications that behave in a deterministic manner, even if they are distributed over local or wide area networks. An object
Solving Regular Tree Grammar Based Constraints
- In Proceedings of the 8th International Static Analysis Symposium
, 2000
Cited by 5 (4 self)
Abstract: This paper describes the precise specification, design, analysis, implementation, and measurements of an efficient algorithm for solving regular tree grammar based constraints. The particular constraints are for dead-code elimination on recursive data, but the method used for the algorithm design and complexity analysis is general and applies to other program analysis problems as well. The method is centered around Paige's finite differencing, i.e., computing expensive set expressions incrementally, and allows the algorithm to be derived and analyzed formally and implemented easily. We study higher-level transformations that make the derived algorithm concise and allow its complexity to be analyzed accurately. Although a rough analysis shows that the worst-case time complexity is cubic in program size, an accurate analysis shows that it is linear in the number of live program points and in other parameters, including mainly the arity of data constructors and the number of selector applications into whose arguments the value constructed at a program point might flow. These parameters explain the performance of the analysis in practice. Our implementation also runs two to ten times as fast as a previous implementation of an informally designed algorithm.
Generating Analyzers with PAG
, 1995
Cited by 2 (1 self)
Abstract: To produce high quality code, modern compilers use global optimization algorithms based on abstract interpretation. These algorithms are rather complex; their implementation is therefore a non-trivial task and error-prone. However, since they are based on a common theory, they have large similar parts. We conclude that analyzer writing should better be replaced with analyzer generation. We present the tool PAG that has a high level functional input language to specify data flow analyses. It offers the specification of even recursive data structures and is therefore not limited to bit vector problems. PAG generates efficient analyzers which can be easily integrated in existing compilers. The analyzers are interprocedural; they can handle recursive procedures with local variables and higher order functions. PAG has successfully been tested by generating several analyzers (e.g. alias analysis, constant propagation, interval analysis) for an industrial quality ANSI-C and Fortran90 comp...
Synchronization Transformations for Parallel Computing
, 1997
Abstract: As parallel machines become part of the mainstream computing environment, compilers will need to apply synchronization optimizations to deliver efficient parallel software. This paper describes a new framework for synchronization optimizations and a new set of transformations for programs that implement critical sections using mutual exclusion locks. These transformations allow the compiler to move constructs that acquire and release locks both within and between procedures and to eliminate acquire and release constructs.
Thomas Ball and Sriram K. Rajamani
, 2000
Abstract: We present the design, implementation and empirical evaluation of Bebop, a symbolic model checker for boolean programs. Bebop represents control flow explicitly, and sets of states implicitly using BDDs. By harnessing the inherent modularity in procedural abstraction and exploiting the locality of variable scoping, Bebop is able to model check boolean programs with several thousand lines of code, hundreds of procedures, and several thousand variables in a few minutes. 1 Introduction Boolean programs are programs with the usual control-flow constructs of an imperative language such as C but in which all variables have boolean type. Boolean programs contain procedures with call-by-value parameter passing and recursion, and a restricted form of control nondeterminism. Boolean programs are an interesting subject of study for a number of reasons. First, because the amount of storage a boolean program can access at any point is finite, questions of reachability and termination (whic...