Results 1-10 of 140
Analysis of Recursive State Machines
In Proceedings of CAV 2001, 2001
Cited by 140 (29 self)
Recursive state machines (RSMs) enhance the power of ordinary state machines by allowing vertices to correspond either to ordinary states or to potentially recursive invocations of other state machines. RSMs can model the control flow in sequential imperative programs containing recursive procedure calls. They can be viewed as a visual notation extending Statecharts-like hierarchical state machines, where concurrency is disallowed but recursion is allowed. They are also related to various models of pushdown systems studied in the verification and program analysis communities. After introducing RSMs, we focus on whether state-space analysis can be performed efficiently for RSMs. We consider the two central problems for algorithmic analysis and model checking, namely, reachability (is a target state reachable from initial states) and cycle detection (is there a reachable cycle containing an accepting state). We show that both these problems can be solved in time $O(n\theta^{2})$ and space $O(n\theta)$, where $n$ is the size of the recursive machine and $\theta$ is the maximum, over all component state machines, of the minimum of the number of entries and the number of exits of each component. We also study the precise relationship between RSMs and closely related models.
A Generic Approach to the Static Analysis of Concurrent Programs with Procedures
2003
Cited by 95 (19 self)
We present a generic approach to the static analysis of concurrent programs with procedures. We model programs as communicating pushdown systems. It is known that typical dataflow problems for this model are undecidable, because the emptiness problem for the intersection of context-free languages, which is undecidable, can be reduced to them. In this paper we propose an algebraic framework for defining abstractions (upper approximations) of context-free languages. We consider two classes of abstractions: finite-chain abstractions, which are abstractions whose domains do not contain any infinite chains, and commutative abstractions corresponding to classes of languages that contain a word if and only if they contain all its permutations. We show how to compute such approximations by combining automata-theoretic techniques with algorithms for solving systems of polynomial inequations in Kleene algebras.
WYSINWYX: What You See Is Not What You eXecute
2009
Cited by 91 (12 self)
Over the last seven years, we have developed static-analysis methods to recover a good approximation to the variables and dynamically-allocated memory objects of a stripped executable, and to track the flow of values through them. The paper presents the algorithms that we developed, explains how they are used to recover intermediate representations (IRs) from executables that are similar to the IRs that would be available if one started from source code, and describes their application in the context of program understanding and automated bug hunting. Unlike algorithms for analyzing executables that existed prior to our work, the ones presented in this paper provide useful information about memory accesses, even in the absence of debugging information. The ideas described in the paper are incorporated in a tool for analyzing Intel x86 executables, called CodeSurfer/x86. CodeSurfer/x86 builds a system dependence graph for the program, and provides a GUI for exploring the graph by (i) navigating its edges, and (ii) invoking operations, such as forward slicing, backward slicing, and chopping, to discover how parts of the program can impact other parts. To assess the usefulness of the IRs recovered by CodeSurfer/x86 in the context of automated bug hunting, we built a tool on top of CodeSurfer/x86, called Device-Driver Analyzer for x86
Precise Interprocedural Analysis through Linear Algebra
2004
Cited by 81 (12 self)
We apply linear algebra techniques to precise interprocedural dataflow analysis. Specifically, we describe analyses that determine for each program point identities that are valid among the program variables whenever control reaches that program point. Our analyses fully interpret assignment statements with affine expressions on the right hand side while considering other assignments as nondeterministic and ignoring conditions at branches. Under this abstraction, the analysis computes the set of all affine relations and, more generally, all polynomial relations of bounded degree precisely. The running time of our algorithms is linear in the program size and polynomial in the number of occurring variables. We also show how to deal with affine preconditions and local variables and indicate how to handle parameters and return values of procedures.
Reducing Concurrent Analysis Under a Context Bound to Sequential Analysis
Cited by 72 (11 self)
This paper addresses the analysis of concurrent programs with shared memory. Such an analysis is undecidable in the presence of multiple procedures. One approach used in recent work obtains decidability by providing only a partial guarantee of correctness: the approach bounds the number of context switches allowed in the concurrent program, and aims to prove safety, or find bugs, under the given bound. In this paper, we show how to obtain simple and efficient algorithms for the analysis of concurrent programs with a context bound. We give a general reduction from a concurrent program $P$, and a given context bound $K$, to a slightly larger sequential program $P_s^K$ such that the analysis of $P_s^K$ can be used to prove properties about $P$. The reduction introduces symbolic constants and assume statements in $P_s^K$. Thus, any sequential analysis that can deal with these two additions can be extended to handle concurrent programs as well, under the context bound. We give instances of the reduction for common program models used in model checking, such as Boolean programs, pushdown systems (PDSs), and symbolic PDSs.
A relational approach to interprocedural shape analysis
In 11th SAS, 2004
Cited by 57 (17 self)
Abstract. This paper addresses the verification of properties of imperative programs with recursive procedure calls, heap-allocated storage, and destructive updating of pointer-valued fields, i.e., interprocedural shape analysis. It presents a way to harness some previously known approaches to interprocedural dataflow analysis, which in past work have been applied only to much less rich settings, for interprocedural shape analysis.
1 Introduction
This paper concerns techniques for static analysis of recursive programs that manipulate heap-allocated storage and perform destructive updating of pointer-valued fields. The goal is to recover shape descriptors that provide information about the characteristics of the data structures that a program's pointer variables can point to. Such information can be used to help programmers understand certain aspects of the program's behavior, to verify properties of the program, and to optimize or parallelize the program.
Verifying concurrent message-passing C programs with recursive calls.
2005
Cited by 41 (16 self)
Abstract. We consider the model-checking problem for C programs with (1) data ranging over very large domains, (2) (recursive) procedure calls, and (3) concurrent parallel components that communicate via synchronizing actions. We model such programs using communicating pushdown systems, and reduce the reachability problem for this model to deciding the emptiness of the intersection of two context-free languages $L_1$ and $L_2$. We tackle this undecidable problem using a CounterExample Guided Abstraction Refinement (CEGAR) scheme. We implemented our technique in the model checker MAGIC and found a previously unknown bug in a version of a Windows NT Bluetooth driver.
Interprocedural analysis of concurrent programs under a context bound
In TACAS, 2007
Cited by 40 (6 self)
Abstract. Analysis of recursive programs in the presence of concurrency and shared memory is undecidable. In previous work, Qadeer and Rehof [23] showed that context-bounded analysis is decidable for recursive programs under a finite-state abstraction of program data. In this paper, we show that context-bounded analysis is decidable for certain families of infinite-state abstractions, and also provide a new symbolic algorithm for the finite-state case.
Extended weighted pushdown systems
In CAV, 2005
Cited by 34 (23 self)
Abstract. Recent work on weighted-pushdown systems shows how to generalize interprocedural-dataflow analysis to answer “stack-qualified queries”, which answer the question “what dataflow values hold at a program node for a particular set of calling contexts?” The generalization, however, does not account for precise handling of local variables. Extended-weighted-pushdown systems address this issue, and provide answers to stack-qualified queries in the presence of local variables as well.