Results 1  10
of
84
The Omega Test: a fast and practical integer programming algorithm for dependence analysis
 Communications of the ACM
, 1992
"... The Omega testi s ani nteger programmi ng algori thm that can determi ne whether a dependence exi sts between two array references, and i so, under what condi7: ns. Conventi nalwi[A m holds thati nteger programmiB techni:36 are far too expensi e to be used for dependence analysi6 except as a method ..."
Abstract

Cited by 521 (15 self)
 Add to MetaCart
(Show Context)
The Omega testi s ani nteger programmi ng algori thm that can determi ne whether a dependence exi sts between two array references, and i so, under what condi7: ns. Conventi nalwi[A m holds thati nteger programmiB techni:36 are far too expensi e to be used for dependence analysi6 except as a method of last resort for si:8 ti ns that cannot be deci:A by si[976 methods. We present evi[77B that suggests thiwi sdomi s wrong, and that the Omega testi s competi ti ve wi th approxi mate algori thms usedi n practi ce and sui table for usei n producti on compi lers. Experi ments suggest that, for almost all programs, the average ti me requi red by the Omega test to determi ne the di recti on vectors for an array pai ri s less than 500 secs on a 12 MIPS workstati on. The Omega testi based on an extensi n of Four i0Motzki var i ble eli937 ti n (aliB: r programmiA method) toi nteger programmi ng, and has worstcase exponenti al ti me complexi ty. However, we show that for manysiB7 ti ns i whi h ...
A First Step towards Automated Detection of Buffer Overrun Vulnerabilities
 IN NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM
, 2000
"... We describe a new technique for finding potential buffer overrun vulnerabilities in securitycritical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can ..."
Abstract

Cited by 396 (9 self)
 Add to MetaCart
(Show Context)
We describe a new technique for finding potential buffer overrun vulnerabilities in securitycritical C code. The key to success is to use static analysis: we formulate detection of buffer overruns as an integer range analysis problem. One major advantage of static analysis is that security bugs can be eliminated before code is deployed. We have implemented our design and used our prototype to find new remotelyexploitable vulnerabilities in a large, widely deployed software package. An earlier hand audit missed these bugs.
The Octagon Abstract Domain
"... ... domain for static analysis by abstract interpretation. It extends a former numerical abstract domain based on DifferenceBound Matrices and allows us to represent invariants of the form (±x ± y ≤ c), where x and y are program variables and c is a real constant. We focus on giving an efficient re ..."
Abstract

Cited by 327 (24 self)
 Add to MetaCart
... domain for static analysis by abstract interpretation. It extends a former numerical abstract domain based on DifferenceBound Matrices and allows us to represent invariants of the form (±x ± y ≤ c), where x and y are program variables and c is a real constant. We focus on giving an efficient representation based on DifferenceBound Matrices—O(n²) memory cost, where n is the number of variables—and graphbased algorithms for all common abstract operators—O(n³) time cost. This includes a normal form algorithm to test equivalence of representation and a widening operator to compute least fixpoint approximations.
The Design and Implementation of a Certifying Compiler
, 1998
"... This paper presents the design and implementation of a compiler that translates programs written in a typesafe subset of the C programming language into highly optimized DEC Alpha assembly language programs, and a certifier that automatically checks the type safety and memory safety of any assembl ..."
Abstract

Cited by 288 (10 self)
 Add to MetaCart
(Show Context)
This paper presents the design and implementation of a compiler that translates programs written in a typesafe subset of the C programming language into highly optimized DEC Alpha assembly language programs, and a certifier that automatically checks the type safety and memory safety of any assembly language program produced by the compiler. The result of the certifier is either a formal proof of type safety or a counterexample pointing to a potential violation of the type system by the target program. The ensemble of the compiler and the certifier is called a certifying compiler. Several advantages of certifying compilation over previous approaches can be claimed. The notion of a certifying compiler is significantly easier to employ than a formal compiler verification, in part because it is generally easier to verify the correctness of the result of a computation than to prove the correctness of the computation itself. Also, the approach can be applied even to highly optimizing compilers, as demonstrated by the fact that our compiler generates target code, for a range of realistic C programs, which is competitive with both the cc and gee compilers with all optimizations enabled. The certifier also drastically improves the effectiveness of compiler testing because, for each test case, it statically signals compilation errors that might otherwise require many executions to detect. Finally, this approach is a practical way to produce the safety proofs for a ProofCarrying Code system, and thus may be useful in a system for safe mobile code.
Practical Dependence Testing
, 1991
"... Precise and efficient dependence tests are essential to the effectiveness of a parallelizing compiler. This paper proposes a dependence testing scheme based on classifying pairs of subscripted variable references. Exact yet fast dependence tests are presented for certain classes of array references, ..."
Abstract

Cited by 148 (16 self)
 Add to MetaCart
(Show Context)
Precise and efficient dependence tests are essential to the effectiveness of a parallelizing compiler. This paper proposes a dependence testing scheme based on classifying pairs of subscripted variable references. Exact yet fast dependence tests are presented for certain classes of array references, as well as empirical results showing that these references dominate scientific Fortran codes. These dependence tests are being implemented at Rice University in both PFC, a parallelizing compiler, and ParaScope, a parallel programming environment.
ABCD: Eliminating Array Bounds Checks on Demand
, 2000
"... To guarantee execution, Java and other strongly typed languages require bounds checking of array accesses. Because bounds checks may raise exceptions, they block code motion of instructions with side effects, thus preventing many useful code optimizations, such as partial redundancy elimination or i ..."
Abstract

Cited by 148 (7 self)
 Add to MetaCart
To guarantee execution, Java and other strongly typed languages require bounds checking of array accesses. Because bounds checks may raise exceptions, they block code motion of instructions with side effects, thus preventing many useful code optimizations, such as partial redundancy elimination or instruction scheduling of memory operations. Furthermore, because it is not expressible at level, the elimination of bounds checks can only be performed at run time, after the program is loaded. Using existing powerful boundscheck optimizers at run time is not feasible, however, because they are too heavyweight for the dynamic compilation setting. ABCD is a lightweight algorithm for elimination of &ray Checks on Demand. Its design emphasizes simplicity and efficiency. In essence, ABCD works by adding a few edges to the SSA value graph and performing a simple traversal of the graph. Despite its simplicity, ABCD is surprisingly powerful. On our benchmarks, ABCD removes on average 45 % of dynamic bound check instructions, sometimes achieving nearideal optimization. The efficiency of ABCD stems from two factors. First, ABCD works on a representation. As a result, it requires on average fewer than 10 simple analysis steps per bounds check. Second, ABCD is demanddriven. It can be applied to a set of frequently executed (hot) bounds checks, which makes it suitable for the dynamiccompilation setting, in which compiletime cost is constrained but hot statements are known.
Integrating decision procedures into heuristic theorem provers: A case study of linear arithmetic
 Machine Intelligence
, 1988
"... We discuss the problem of incorporating into a heuristic theorem prover a decision procedure for a fragment of the logic. An obvious goal when incorporating such a procedure is to reduce the search space explored by the heuristic component of the system, as would be achieved by eliminating from the ..."
Abstract

Cited by 118 (10 self)
 Add to MetaCart
(Show Context)
We discuss the problem of incorporating into a heuristic theorem prover a decision procedure for a fragment of the logic. An obvious goal when incorporating such a procedure is to reduce the search space explored by the heuristic component of the system, as would be achieved by eliminating from the system’s data base some explicitly stated axioms. For example, if a decision procedure for linear inequalities is added, one would hope to eliminate the explicit consideration of the transitivity axioms. However, the decision procedure must then be used in all the ways the eliminated axioms might have been. The difficulty of achieving this degree of integration is more dependent upon the complexity of the heuristic component than upon that of the decision procedure. The view of the decision procedure as a &quot;black box &quot; is frequently destroyed by the need pass large amounts of search strategic information back and forth between the two components. Finally, the efficiency of the decision procedure may be virtually irrelevant; the efficiency of the final system may depend most heavily on how easy it is to communicate between the two components. This paper is a case study of how we integrated a linear arithmetic procedure into a heuristic theorem prover. By linear arithmetic here we mean the decidable subset of number theory dealing with universally quantified formulas composed of the logical connectives, the identity relation, the Peano &quot;less than &quot; relation, the Peano addition and subtraction functions, Peano constants,
Lazy theorem proving for bounded model checking over infinite domains
, 2002
"... Abstract. We investigate the combination of propositional SAT checkers with domainspecific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ' with domainspecific constraints over pr ..."
Abstract

Cited by 90 (11 self)
 Add to MetaCart
Abstract. We investigate the combination of propositional SAT checkers with domainspecific theorem provers as a foundation for bounded model checking over infinite domains. Given a program M over an infinite state type, a linear temporal logic formula ' with domainspecific constraints over program states, and an upper bound k, our procedure determines if there is a falsifying path of length k to the hypothesis that M satisfies the specification '. This problem can be reduced to the satisfiability of Boolean constraint formulas. Our verification engine for these kinds of formulas is lazy in that propositional abstractions of Boolean constraint formulas are incrementally refined by generating lemmas on demand from an automated analysis of spurious counterexamples using theorem proving. We exemplify bounded model checking for timed automata and for RTL level descriptions, and investigate the lazy integration of SAT solving and theorem proving. 1 Introduction Model checking decides the problem of whether a system satisfies a temporal logic property by exploring the underlying state space. It applies primarily to finitestate systems but also to certain infinitestate systems, and the state space can be represented in symbolic or explicit form. Symbolic model checking has traditionally employed a boolean representation of state sets using binary decision diagrams (BDD) [4] as a way of checking temporal properties, whereas explicitstate model checkers enumerate the set of reachable states of the system.
An Efficient Data Dependence Analysis for Parallelizing Compilers
, 1990
"... this paper, we extend the existing numerical methods to overcome these difficulties. A geometrical analysis reveals that we can take advantage of the regular shape of the convex sets derived from multidimensional arrays in a data dependence test. The general methods proposed before assume very gene ..."
Abstract

Cited by 61 (2 self)
 Add to MetaCart
this paper, we extend the existing numerical methods to overcome these difficulties. A geometrical analysis reveals that we can take advantage of the regular shape of the convex sets derived from multidimensional arrays in a data dependence test. The general methods proposed before assume very general convex sets; this assumption causes their inefficiency. We have implemented a new algorithm called the ltest and performed some measurements. Results were quite encouraging (see Section 4). As in earlier numerical methods, the proposed scheme uses Diophantine equations and bounds of real functions. The major difference lies in the way multiple dimensions are treated. In earlier numerical methods, data areas accessed by two array references are examined dimension by dimension. If the examination of any dimension shows that the two areas representing the subscript expressions are disjoint, there is no data dependence between the two references. However, if each pair of areas appears to overlap in each individual dimension, it is unclear whether there is an overlapped area  3  when all dimensions are considered simultaneously. In this case, a data dependence has to be assumed. Our algorithm treats all dimensions simultaneously. Based on the subscripts, it selects a few suitable "viewing angles" so that it gets an exact view of the data areas. Selection of the viewing angles is rather straightforward and only a few angles are needed in most cases. We present the rest of our paper as follows. In Section 2, we give some examples to illustrate the difficulties in data dependence analysis on multidimensional array references. Some measurement results on a large set of real programs are presented to show the actual frequency of such difficult cases. In Section 3, we describe...
Beyond Finite Domains
, 1994
"... Introduction A finite domain constraint system can be viewed as an linear integer constraint system in which each variable has an upper and lower bound. Finite domains have been used successfully in Constraint Logic Programming (CLP) languages, for example CHIP [4], to attack combinatorial problems ..."
Abstract

Cited by 41 (3 self)
 Add to MetaCart
(Show Context)
Introduction A finite domain constraint system can be viewed as an linear integer constraint system in which each variable has an upper and lower bound. Finite domains have been used successfully in Constraint Logic Programming (CLP) languages, for example CHIP [4], to attack combinatorial problems such as resource allocation, digital circuit verification, etc. In these problems, finite domains allow a natural expression of the problem constraints because bounds on the problem variables are explicit in the problem. In other problems however, for example in temporal reasoning and some scheduling problems, there may not be natural bounds. For these problems, a standard approach has been to use ad hoc bounds, giving rise to a twofold problem. If a bound is too tight, then important solutions could be lost. If a bound is too loose, then significant inefficiency may result. This is because the algorithms used in finite domains work by propagating bounds on variables 1<F12.