Path-Sensitive Analysis Using Edge Strings (June 2010)
Path sensitivity improves the quality of static analysis by avoiding approximative merging of dataflow facts collected along distinct program paths. Because full path sensitivity has prohibitive cost, it is worthwhile to consider hybrid approaches that provide path sensitivity on selected subsets of paths. In this paper, we consider such a technique based on an edge string, a compact abstraction of a set of static program paths. The edge string es = [e1, e2, ..., ek], where each ei is an edge label found in a program's control-flow graph, is used to disambiguate dataflow facts that manifest only on paths in which es occurs as a subsequence. The length of es dictates the tradeoff between precision and analysis cost. Loosely speaking, edge strings are a path-sensitive analog to the notion of call-strings exploited by context-sensitive analyses. We present a formalization of edge strings and discuss optimizations that incorporate additional relevance measures, based on the structure of the control-flow graph, to avoid exploring edge-string paths if no added precision accrues. We also provide a detailed implementation study in the context of the functional SSA intermediate representation used by MLton, a whole-program optimizing compiler for Standard ML. Our results indicate that small edge strings provide the necessary precision to identify infeasible paths for functional programs that leverage complex control and dataflow.
Scalable Path-Sensitive Program Analysis via Dynamic Programming
Path-sensitivity improves program analysis by excluding infeasible paths and avoiding the merging of paths into a single abstraction if they exhibit different behavior. The main challenge, however, is that path-sensitive analysis is not scalable. In this paper, we present a symbolic execution-based framework which uses dynamic programming (DP) in order to reuse analyses arising from symbolic execution already performed. A straightforward implementation of DP, however, will allow little reuse. This is because symbolic execution repeatedly considers similar subtrees with different contexts. The first of our contributions is to use a method of interpolation in order to generalize the result of symbolic execution so that it can be reused in another context. This has the effect of pruning the symbolic execution space, and is the basis of making our analysis scalable. However, interpolation introduces inaccuracy because some of the paths pruned may in fact be infeasible. We therefore introduce a technique to ensure precision by introducing a notion of witness paths that concretely demonstrate a particular analysis, and we require that pruned paths satisfy the witness criterion. In the end, we show that, in a sense defined by traditional abstract interpretation, our framework loses no accuracy beyond the abstraction that is required to close loops via their invariants. We finally demonstrate the practicality of our framework by instantiating it with a driving application: static backward slicing analysis. We show that our approach can produce slices significantly smaller than a path-insensitive version, scaling up to tens of thousands of lines of C code.
Unbounded Symbolic Execution for Program Verification
Symbolic execution with interpolation is emerging as an alternative to CEGAR for software verification. The performance of both methods relies critically on interpolation in order to obtain the most general abstraction of the current symbolic or abstract state which can be shown to remain error-free. CEGAR naturally handles unbounded loops because it is based on abstract interpretation. In contrast, symbolic execution requires a special extension for such loops. In this paper, we present such an extension. Its main characteristic is that it performs eager subsumption, that is, it always attempts to perform abstraction in order to avoid exploring other symbolic states. It balances this primary desire for more abstraction with the secondary desire to maintain the strongest loop invariant, for earlier detection of infeasible paths, which entails less abstraction. Occasionally certain abstractions are not permitted because of the reachability of error states; this is the underlying mechanism which then causes selective unrolling, that is, the unrolling of a loop along relevant paths only.
Maximal and Compositional Pattern-Based Loop Invariants
We present a novel approach for the automatic generation of inductive loop invariants over loops manipulating arrays. Unlike most existing approaches, it generates invariants containing disjunctions and quantifiers, which are rich enough for proving functional properties over programs which manipulate arrays. Our approach does not require the user to provide initial assertions or postconditions. It proceeds by recognizing through static analysis simple code patterns that respect stability properties on accessed locations, on an intermediate representation of parallel assignments. We associate with each pattern a formula that we prove to be a so-called local invariant, and we give conditions for local invariants to compose an inductive invariant of the complete loop. We also give conditions over invariants to be locally maximal, and we show that some of our pattern invariants are indeed maximal.