Symbolic Methods to Enhance the Precision of Numerical Abstract Domains
In: VMCAI'06, volume 3855 of LNCS, 2006
Cited by 15 (4 self)
We present lightweight and generic symbolic methods to improve the precision of numerical static analyses based on Abstract Interpretation. The main idea
Algebra of Normal Function Tables
1997
Cited by 1 (0 self)
In contrast to classical algebra and analysis the functions encountered in computer science are usually piecewise continuous functions or functions whose evaluation rules change dramatically depending on a subset of the input values. Because of the pervasiveness of the if-then-else construction in programming, we have to extend classical mathematical methods to handle this kind of object. We approach this class of functions using tabular expressions. In this paper we define a function algebra, over a many sorted algebra, which is closed under composition. Then, this function algebra is extended to tables. This enables us to define the composition of tables. We show that this algebra of tables is closed under composition. We give two algorithms to compute the composition of tables. 1 Introduction In literature we find several different approaches to define easily readable but mathematically precise notations for piecewise functions and functions changing definition depending on parame...
Automatically Closing Open Reactive Programs
In: Proceedings of the 1998 ACM SIGPLAN Conference on Programming Language Design and Implementation, 1998
We study in this paper the problem of analyzing implementations of open systems --- systems in which only some of the components are present. We present an algorithm for automatically closing an open concurrent reactive system with its most general environment, i.e., the environment that can provide any input at any time to the system. The result is a nondeterministic closed (i.e., self-executable) system which can exhibit all the possible reactive behaviors of the original open system. These behaviors can then be analyzed using VeriSoft, an existing tool for systematically exploring the state spaces of closed systems composed of multiple (possibly nondeterministic) processes executing arbitrary code. We have implemented the techniques introduced in this paper in a prototype tool for automatically closing open programs written in the C programming language. We discuss preliminary experimental results obtained with a large telephone-switching software application developed at Lucent Tec...
Symbolic Safety Analysis of Memory Accesses Within Loops
1997
One of the biggest challenges in operating systems, distributed systems, and mobile code is how to ensure safety of untrusted code. Two recent proposals are Software Fault Isolation (SFI) and Proof-Carrying Code (PCC). A difficult challenge is how to deal with memory accesses within loops. SFI generates run-time bounds checks at every access, which incurs non-negligible overhead in tight loops, while PCC currently requires that the loop be pre-annotated with invariants that specify these bounds. I present a static analysis for automatically determining the bounds of the memory accesses within a loop. Given a loop in either source code (e.g., C) or executable binary, the analysis attempts to generate a symbolic expression for each memory access in the loop that describes its range in terms of the context (e.g., values of variables) before the loop. An operating system can use the results of the analysis in one of two ways: [1] to prove statically that the surrounding context guarantees ...