Results 1 - 10 of 85
Automatic predicate abstraction of C programs
In Proc. ACM PLDI, 2001
Cited by 348 (25 self)
Model checking has been widely successful in validating and debugging designs in the hardware and protocol domains. However, state-space explosion limits the applicability of model checking tools, so model checkers typically operate on abstractions of systems. Recently, there has been significant interest in applying model checking to software. For infinite-state systems like software, abstraction is even more critical. Techniques for abstracting software are a prerequisite to making software model checking a reality. We present the first algorithm to automatically construct a predicate abstraction of programs written in an industrial programming language such as C, and its implementation in a tool, C2bp. The C2bp tool is part of the SLAM toolkit, which uses a combination of predicate abstraction, model checking, symbolic reasoning, and iterative refinement to statically check temporal safety properties of programs. Predicate abstraction of software has many applications, including detecting program errors, synthesizing program invariants, and improving the precision of program analyses through predicate sensitivity. We discuss our experience applying the C2bp predicate abstraction tool to a variety of problems, ranging from checking that list-manipulating code preserves heap invariants to finding errors in Windows NT device drivers.
Compiling polymorphism using intensional type analysis
In Symposium on Principles of Programming Languages, 1995
Cited by 252 (18 self)
Scalable propagation-based call graph construction algorithms
In Conference on Object-Oriented Programming Systems, Languages, and Applications, 2000
Componential set-based analysis
ACM Transactions on Programming Languages and Systems, 1997
Cited by 108 (12 self)
Set-based analysis (SBA) produces good predictions about the behavior of functional and object-oriented programs. The analysis proceeds by inferring constraints that characterize the data flow relationships of the analyzed program. Experiences with MrSpidey, a static debugger based on SBA, indicate that SBA can adequately deal with programs of up to a couple of thousand lines of code. SBA fails, however, to cope with larger programs because it generates systems of constraints that are at least linear, and possibly quadratic, in the size of the analyzed program. This article presents theoretical and practical results concerning methods for reducing the size of constraint systems. The theoretical results include a proof-theoretic characterization of the observable behavior of constraint systems for program components, and a complete algorithm for deciding the observable equivalence of constraint systems. In the course of this development we establish a close connection between the observable equivalence of constraint systems and the equivalence of regular-tree grammars. We then exploit this connection to adapt a variety of algorithms for simplifying grammars to the problem of simplifying constraint systems. Based on the resulting algorithms, we have developed componential set-based analysis, a modular and polymorphic variant of SBA. Experimental results verify the effectiveness of the simplification
Ultra-fast aliasing analysis using CLA: a million lines of C code in a second
2001
Cited by 104 (0 self)
We describe the design and implementation of a system for very fast points-to analysis. On code bases of about a million lines of unpreprocessed C code, our system performs field-based Andersen-style points-to analysis in less than a second and uses less than 10MB of memory. Our two main contributions are a database-centric analysis architecture called compile-link-analyze (CLA), and a new algorithm for implementing dynamic transitive closure. Our points-to analysis system is built into a forward data-dependence analysis tool that is deployed within Lucent to help with consistent type modifications to large legacy C code bases.
A Type System Equivalent to Flow Analysis
ACM Transactions on Programming Languages and Systems, 1995
Cited by 84 (16 self)
Flow-based safety analysis of higher-order languages has been studied by Shivers, and Palsberg and Schwartzbach. Open until now is the problem of finding a type system that accepts exactly the same programs as safety analysis. In this paper we prove that Amadio and Cardelli's type system with subtyping and recursive types accepts the same programs as a certain safety analysis. The proof involves mappings from types to flow information and back. As a result, we obtain an inference algorithm for the type system, thereby solving an open problem.
1 Introduction
1.1 Background
Many program analyses for higher-order languages are based on flow analysis, also known as closure analysis. Examples include various analyses in the Standard ML of New Jersey compiler [3], and the binding-time analyses for Scheme in the partial evaluators Schism [5] and Similix [4]. Such analyses have the advantage that they can be applied to untyped languages. This is in contrast to more traditional abstract inter...
A Unified Treatment of Flow Analysis in Higher-Order Languages
In Conf. Rec. 22nd Ann. ACM Symp. Princ. of Prog. Langs, 1995
Cited by 71 (4 self)
We describe a framework for flow analysis in higher-order languages. It is both a synthesis and extension of earlier work in this area, most notably [20, 22]. The framework makes explicit use of flow graphs for modeling control and data flow properties of untyped higher-order programs. The framework is parameterized, and can express a hierarchy of analyses with different cost/accuracy tradeoffs. The framework is also amenable to a direct, efficient implementation. We develop several instantiations of the framework, and prove their running-time complexity. In addition, we use the simplest instantiation to demonstrate the equivalence of a 0CFA style analysis [20] and the set-based analysis of [8].
1 Introduction
The flow analysis problem for higher-order programming languages such as Scheme [4] or ML [13] is concerned with tracking data and control flow in the presence of first-class (anonymous) procedures, rich data abstractions (e.g., lists, records, tuples, etc), and references. In th...
Fast Interprocedural Class Analysis
In Symposium on Principles of Programming Languages, 1998
Cited by 65 (4 self)
Previous algorithms for interprocedural control flow analysis of higher-order and/or object-oriented languages have been described that perform propagation or constraint satisfaction and take O(N³) time (such as Shivers's 0-CFA and Heintze's set-based analysis), or unification and take O(N α(N,N)) time (such as Steensgaard's pointer analysis), or optimistic reachability analysis and take O(N) time (such as Bacon and Sweeney's Rapid Type Analysis). We describe a general parameterized analysis framework that integrates propagation-based and unification-based analysis primitives and optimistic reachability analysis, whose instances mimic these existing algorithms as well as several new algorithms taking O(N), O(N α(N,N)), O(N²), and O(N² α(N,N)) time; our O(N) and O(N α(N,N)) algorithms produce more precise results than the previous algorithms with these complexities. We implemented our algorithm framework in the Vortex optimizing compiler, and we measured the cost and benefit of t...
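The CLA abstract above (Andersen-style points-to analysis solved as dynamic transitive closure) and this one (propagation-based O(N³) versus unification-based O(N α(N,N)) analyses) describe the two classic points-to solving strategies. The following is an added example, written for this page and not code from either paper, CLA or Vortex: a worklist Andersen solver and a union-find Steensgaard solver over the same constraint set, so the precision gap can be seen directly. The constraint encoding (`addr`, `copy`, `load`, `store` triples) and the example program are constructed here.

```python
from collections import defaultdict

# Constraint kinds (constructed encoding for this example):
#   ('addr', a, b)  : a = &b   -> b in pts(a)
#   ('copy', a, b)  : a = b    -> pts(b) subset of pts(a)
#   ('load', a, b)  : a = *b   -> for every v in pts(b): pts(v) subset of pts(a)
#   ('store', a, b) : *a = b   -> for every v in pts(a): pts(b) subset of pts(v)

def andersen(constraints):
    """Inclusion-based points-to analysis as dynamic transitive closure: a worklist
    propagates points-to sets along copy edges; load/store constraints add new
    copy edges whenever the set they depend on grows."""
    pts = defaultdict(set)      # variable -> variables it may point to
    succ = defaultdict(set)     # copy edges: pts(src) subset of pts(dst) for dst in succ[src]
    loads = defaultdict(set)    # loads[p] = {a}: a = *p
    stores = defaultdict(set)   # stores[p] = {b}: *p = b
    worklist = []
    for kind, lhs, rhs in constraints:
        if kind == 'addr':
            pts[lhs].add(rhs)
            worklist.append(lhs)
        elif kind == 'copy':
            succ[rhs].add(lhs)
        elif kind == 'load':
            loads[rhs].add(lhs)
        elif kind == 'store':
            stores[lhs].add(rhs)

    def propagate(src, dst):
        if pts[src] - pts[dst]:
            pts[dst] |= pts[src]
            worklist.append(dst)    # dst grew, so its successors must be revisited

    def add_edge(src, dst):
        if dst not in succ[src]:
            succ[src].add(dst)
            propagate(src, dst)

    while worklist:
        n = worklist.pop()
        for v in list(pts[n]):
            for a in loads[n]:      # a = *n, n may point to v: pts(v) flows into a
                add_edge(v, a)
            for b in stores[n]:     # *n = b, n may point to v: pts(b) flows into v
                add_edge(b, v)
        for s in list(succ[n]):
            propagate(n, s)
    return {v: frozenset(s) for v, s in pts.items() if s}

def steensgaard(constraints):
    """Unification-based points-to analysis: every equivalence class of variables has
    one abstract pointee class, and each constraint unifies classes (union-find),
    so solving is near-linear but distinct targets get merged."""
    parent, target = {}, {}     # union-find parent; rep -> rep of its pointee class

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra == rb:
            return ra
        parent[rb] = ra
        ta, tb = target.pop(ra, None), target.pop(rb, None)
        t = union(ta, tb) if ta is not None and tb is not None else (ta if ta is not None else tb)
        if t is not None:
            target[find(ra)] = find(t)   # merged class points to the merged pointee class
        return find(ra)

    def pointee(x):
        rx = find(x)
        if rx not in target:
            target[rx] = find(('loc', x))   # fresh abstract location for a class with no known pointee
        return find(target[rx])

    for kind, lhs, rhs in constraints:
        if kind == 'addr':
            union(pointee(lhs), rhs)
        elif kind == 'copy':
            union(pointee(lhs), pointee(rhs))
        elif kind == 'load':
            union(pointee(lhs), pointee(pointee(rhs)))
        elif kind == 'store':
            union(pointee(pointee(lhs)), pointee(rhs))
    variables = {v for _, l, r in constraints for v in (l, r)}
    result = {}
    for v in variables:
        if find(v) in target:
            t = find(target[find(v)])
            s = frozenset(w for w in variables if find(w) == t)
            if s:
                result[v] = s
    return result

# Constructed example: p = &a; q = &b; r = p; r = q; a = &x; t = &y; *p = t; s = *r; u = *q
EXAMPLE = [('addr', 'p', 'a'), ('addr', 'q', 'b'), ('copy', 'r', 'p'), ('copy', 'r', 'q'),
           ('addr', 'a', 'x'), ('addr', 't', 'y'), ('store', 'p', 't'),
           ('load', 's', 'r'), ('load', 'u', 'q')]

def spurious_targets(constraints):
    """Points-to facts that unification reports but inclusion does not."""
    a, s = andersen(constraints), steensgaard(constraints)
    return {v: s[v] - a.get(v, frozenset()) for v in s if s[v] - a.get(v, frozenset())}

if __name__ == '__main__':
    for name, solve in (('Andersen', andersen), ('Steensgaard', steensgaard)):
        print(name, {v: sorted(t) for v, t in sorted(solve(EXAMPLE).items())})
    print('spurious under unification:', spurious_targets(EXAMPLE))
```

On this input Andersen keeps `p -> {a}` and `q -> {b}` apart and finds that `u = *q` reads nothing (b is never assigned), whereas Steensgaard merges a and b the moment both flow into r, and from then on `u`, `b` and `t` all appear to reach `{x, y}`. For security uses such as taint or use-after-free tracking, that is the trade: unification scales to the million-line code bases the CLA abstract mentions, inclusion keeps the alias sets small enough that a reported flow is worth a human's time.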
Catching Bugs in the Web of Program Invariants
In ACM SIGPLAN Conference on Programming Language Design and Implementation, 1996
Cited by 64 (20 self)
MrSpidey is a user-friendly, interactive static debugger for Scheme. A static debugger supplements the standard debugger by analyzing the program and pinpointing those program operations that may cause run-time errors such as dereferencing the null pointer or applying non-functions. The program analysis of MrSpidey computes value set descriptions for each term in the program and constructs a value flow graph connecting the set descriptions. Using the set descriptions, MrSpidey can identify and highlight potentially erroneous program operations, whose cause the programmer can then explore by selectively exposing portions of the value flow graph.
1 Introduction
A reliable program does not mis-apply program operations. Addition always operates on numbers, not strings. Concatenation works with strings, not numbers. To avoid the abuse of program operations, most languages impose a restrictive type system, which forbids the (syntactic) formation of certain faulty program phrases. However, ...
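The MrSpidey abstract above, and the flow-analysis entries before it, all rest on the same mechanism: a set-based (0-CFA) analysis that attaches a value set to every term and then flags operations whose operator set contains a non-function. As an added example, not MrSpidey's code and not from any of the listed papers, here is a minimal 0-CFA over a constructed lambda-calculus-with-numbers and the "may apply a non-function" check built on it. The term encoding, labels and both sample programs are assumptions made for this illustration.

```python
from collections import defaultdict
from itertools import count

# Constructed term syntax: ('num', n) | ('var', x) | ('lam', x, body) | ('app', fn, arg)

def label_term(term, counter=None):
    """Give every subterm a fresh integer label (preorder) so the analysis can attach
    a value set to each program point. Labeled nodes carry the label in position 0."""
    counter = counter if counter is not None else count()
    lbl, kind = next(counter), term[0]
    if kind in ('num', 'var'):
        return (lbl, kind, term[1])
    if kind == 'lam':
        return (lbl, 'lam', term[1], label_term(term[2], counter))
    if kind == 'app':
        return (lbl, 'app', label_term(term[1], counter), label_term(term[2], counter))
    raise ValueError(kind)

def subterms(node):
    yield node
    if node[1] == 'lam':
        yield from subterms(node[3])
    elif node[1] == 'app':
        yield from subterms(node[2])
        yield from subterms(node[3])

def zero_cfa(root):
    """0-CFA / set-based analysis. C[l] is the set of abstract values term l may evaluate
    to; r[x] the set a variable x may be bound to. Abstract values are 'num' (any number)
    or ('lam', l) naming a lambda by its label. One r[x] per variable regardless of call
    site: this is what makes the analysis context-insensitive (monovariant)."""
    nodes = list(subterms(root))
    C = {n[0]: set() for n in nodes}
    r = defaultdict(set)
    lams = {n[0]: n for n in nodes if n[1] == 'lam'}
    for n in nodes:
        if n[1] == 'num':
            C[n[0]].add('num')
        elif n[1] == 'lam':
            C[n[0]].add(('lam', n[0]))
    changed = True

    def flow(src, dst):              # dst := dst union src, noting whether anything moved
        nonlocal changed
        if src - dst:
            dst |= src
            changed = True

    while changed:                   # iterate the inclusion constraints to a fixpoint
        changed = False
        for n in nodes:
            if n[1] == 'var':
                flow(r[n[2]], C[n[0]])
            elif n[1] == 'app':
                fn, arg = n[2], n[3]
                for v in list(C[fn[0]]):
                    if v == 'num':   # not a function: nothing flows, the checker reports it
                        continue
                    lam = lams[v[1]]
                    flow(C[arg[0]], r[lam[2]])   # argument flows into the parameter
                    flow(C[lam[3][0]], C[n[0]])  # body's result flows into the call's result
    return C, dict(r)

def check_applications(root, C):
    """MrSpidey-style check: labels of call sites whose operator may be a non-function."""
    return [n[0] for n in subterms(root) if n[1] == 'app' and 'num' in C[n[2][0]]]

def analyse(program):
    root = label_term(program)
    C, r = zero_cfa(root)
    return C, r, check_applications(root, C)

# Constructed sample 1: ((lambda f. (f 1)) 2)  -- a genuine error, 2 is applied
BAD_PROGRAM = ('app', ('lam', 'f', ('app', ('var', 'f'), ('num', 1))), ('num', 2))

# Constructed sample 2: ((lambda id. ((id (lambda w. w)) (id 1))) (lambda z. z))
# Runs fine, but 0-CFA merges both uses of id, so z may be 1 or a lambda and the
# outer application is reported: the imprecision that motivates k-CFA and
# polymorphic splitting.
PROGRAM = ('app',
           ('lam', 'id', ('app', ('app', ('var', 'id'), ('lam', 'w', ('var', 'w'))),
                                 ('app', ('var', 'id'), ('num', 1)))),
           ('lam', 'z', ('var', 'z')))

if __name__ == '__main__':
    for name, prog in (('BAD_PROGRAM', BAD_PROGRAM), ('PROGRAM', PROGRAM)):
        C, r, flagged = analyse(prog)
        print(name, 'suspicious call sites:', flagged, 'r(z) =', r.get('z'))
```

Labels are assigned in preorder, so label 2 is the inner application in both samples. The first report is a true positive; the second is the false positive a static debugger user would explore through the value flow graph, following `z` back to the two call sites of `id`.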
Infinitary Control Flow Analysis: a Collecting Semantics for Closure Analysis
1997
Cited by 59 (8 self)
Defining the collecting semantics is usually the first crucial step in adapting the general methodology of abstract interpretation to the semantic framework or programming language at hand. In this paper we show how to define a collecting semantics for control flow analysis; due to the generality of the formulation we need to appeal to coinduction (or greatest fixed points) in order to define the analysis. We then prove the semantic soundness of the collecting semantics and that all totally deterministic instantiations have a least solution; this incorporates k-CFA, polymorphic splitting and a new class of uniform-k-CFA analyses.
1 Introduction
Control flow analysis [16, 17] is known by many names: closure analysis [13, 15], set-based analysis [9] (touching upon other constraint-based analyses [1]), and flow analysis [6]. Although the fine formulational details differ they are all variations over a theme, producing analyses of different precision: 0-CFA [16], k-CFA [16, 10], poly-k-CF...

