Results 1 - 10 of 15
Automatic predicate abstraction of C programs
- In Proc. ACM PLDI, 2001
Cited by 348 (25 self)
Model checking has been widely successful in validating and debugging designs in the hardware and protocol domains. However, state-space explosion limits the applicability of model checking tools, so model checkers typically operate on abstractions of systems. Recently, there has been significant interest in applying model checking to software. For infinite-state systems like software, abstraction is even more critical. Techniques for abstracting software are a prerequisite to making software model checking a reality. We present the first algorithm to automatically construct a predicate abstraction of programs written in an industrial programming language such as C, and its implementation in a tool, C2bp. The C2bp tool is part of the SLAM toolkit, which uses a combination of predicate abstraction, model checking, symbolic reasoning, and iterative refinement to statically check temporal safety properties of programs. Predicate abstraction of software has many applications, including detecting program errors, synthesizing program invariants, and improving the precision of program analyses through predicate sensitivity. We discuss our experience applying the C2bp predicate abstraction tool to a variety of problems, ranging from checking that list-manipulating code preserves heap invariants to finding errors in Windows NT device drivers.
Call Graph Construction in Object-Oriented Languages
- 1997
Cited by 100 (5 self)
Interprocedural analyses enable optimizing compilers to more precisely model the effects of non-inlined procedure calls, potentially resulting in substantial increases in application performance. Applying interprocedural analysis to programs written in object-oriented or functional languages is complicated by the difficulty of constructing an accurate program call graph. This paper presents a parameterized algorithmic framework for call graph construction in the presence of message sends and/or first-class functions. We use this framework to describe and to implement a number of well-known and new algorithms. We then empirically assess these algorithms by applying them to a suite of medium-sized programs written in Cecil and Java, reporting on the relative cost of the analyses, the relative precision of the constructed call graphs, and the impact of this precision on the effectiveness of a number of interprocedural optimizations.
1 Introduction
Interprocedural analysis can enable subs...
Type-Based Alias Analysis
- 1998
Cited by 88 (5 self)
This paper evaluates three alias analyses based on programming language types. The first analysis uses type compatibility to determine aliases. The second extends the first by using additional high-level information such as field names. The third extends the second with a flow-insensitive analysis. Although other researchers suggest using types to disambiguate memory references, none evaluates its effectiveness. We perform both static and dynamic evaluations of type-based alias analyses for Modula-3, a statically-typed type-safe language. The static analysis reveals that type compatibility alone yields a very imprecise alias analysis, but the other two analyses significantly improve alias precision. We use redundant load elimination (RLE) to demonstrate the effectiveness of the three alias algorithms in terms of the opportunities for optimization, the impact on simulated execution times, and to compute an upper bound on what a perfect alias analysis would yield. We show modest dynamic...
Unified Analysis of Array and Object References in Strongly Typed Languages
- In Seventh International Static Analysis Symposium, 2000
Cited by 23 (6 self)
We present a simple, unified approach for the analysis and optimization of object field and array element accesses in strongly typed languages, that works in the presence of object references/pointers. This approach builds on Array SSA form [14], a uniform representation for capturing control and data flow properties at the level of array elements. The techniques presented here extend previous analyses at the array element level [15] to handle both array element and object field accesses uniformly. In the first part of this paper, we show how SSA-based program analyses developed for scalars and arrays can be extended to operate on object references in a strongly typed language like Java. The extension uses Array SSA form as its foundation by modeling object references as indices into hypothetical heap arrays. In the second part of this paper, we present two new sparse analysis algorithms using the heap array representation; one identifies redundant loads, and the other ...
Comparing Flow and Context Sensitivity on the Modification-side-effects Problem
- 1998
Cited by 17 (1 self)
Precision and scalability are two desirable, yet often conflicting, features of data-flow analyses. This paper reports on a case study of the modification-side-effects problem for C in the presence of pointers from the perspective of contrasting the flow and context sensitivity of the solution procedure with respect to precision and scalability. The results show that the cost of precision of flow- and context-sensitive analysis is not always prohibitive, and that the precision of flow- and context-insensitive analysis is substantially better than worst-case estimates and can be sufficient for certain applications. Program characteristics that affect the performance of dataflow analysis are identified.
Keywords: Interprocedural data-flow analysis, modification side effects, flow sensitivity, context sensitivity, empirical study, pointer aliasing.
1 INTRODUCTION
Accurate compile-time calculation of possible interprocedural side effects is crucial for aggressive compiler optimization, ...
A Generic Architecture for Data Flow Analysis to Support Reverse Engineering
- Theory and Practice of Algebraic Specifications; ASF+SDF'97, Electronic Workshops in Computing, 1997
Cited by 9 (1 self)
Data flow analysis is a process for collecting run-time information about data in programs without actually executing them. In this paper, we focus on the use of data flow analysis to support program understanding and reverse engineering. Data flow analysis is beneficial for these applications since the information obtained can be used to compute relationships between data objects in programs. These relations play a key role, for example, in the determination of the logical components of a system and their interaction. The general support of program understanding and reverse engineering requires the ability to analyse a variety of source languages and the ability to combine the results of analysing multiple languages. We present a flexible and generic software architecture for describing and performing language-independent data flow analysis which allows such transparent multi-language analysis. All components of this architecture were formally specified.
1 Introduction
Data flow anal...
Understanding and Improving the Performance of Modern Programming Languages
- 1997
Cited by 7 (3 self)
Features of modern programming languages such as objects, method invocations, and automatic memory management have important software engineering benefits. Unfortunately, each of these features also has a performance overhead, and thus programs written in modern languages typically run slower than those written in traditional languages. This dissertation describes and evaluates fast techniques for reducing the overhead of two features of modern programming languages: objects and method invocations. To address the overhead of objects, and more specifically linked structures, we have designed a new alias analysis, type-based alias analysis (TBAA), which uses types to disambiguate memory references in Modula-3 programs. TBA...
Data Flow Analysis for Reverse Engineering
- 1996
Cited by 5 (1 self)
ion Language
4.1 Data types
4.2 Language structure
4.2.1 Procedures
4.3 Language features
4.3.1 Elementary constructs
4.3.2 Control constructs
4.4 Language definitions
4.4.1 Dhal
4.4.2 sDhal
4.4.3 pDhal
5 Control Flow Normalization
5.1 Motivation ...
Identifying DEF/USE Information of Statements that Construct and Traverse Dynamic Recursive Data Structures
- In Proceedings of the 10th International Workshop on Languages and Compilers for Parallel Computing, 1997
Cited by 4 (1 self)
Pointer analysis is essential for optimizing and parallelizing compilers. It examines pointer assignment statements and estimates pointer-induced aliases among pointer variables or possible shapes of dynamic recursive data structures. However, previously proposed techniques perform pointer analysis without the knowledge of traversal patterns of dynamic recursive data structures to be constructed. This paper presents an algorithm to identify the traversal patterns of recursive data structures and propagate this information back to those statements that define the data structures. This approach recognizes the DEF/USE relationships between the statements that define and traverse dynamic recursive data structures. The outcome of this technique will be useful for pointer analysis and parallelization. Algorithms to perform pointer analysis and dependence test using the knowledge of traversal patterns will also be presented.
1 Introduction
Pointer analysis is essential for optimizing and p...

