Results 1  10
of
93
A Generic Approach to the Static Analysis of Concurrent Programs with Procedures
, 2003
"... We present a generic aproach to the static analysis of concurrent programs with procedures. We model programs as communicating pushdown systems. It is known that typical dataow problems for this model are undecidable, because the emptiness problem for the intersection of contextfree languages, w ..."
Abstract

Cited by 77 (16 self)
 Add to MetaCart
We present a generic aproach to the static analysis of concurrent programs with procedures. We model programs as communicating pushdown systems. It is known that typical dataow problems for this model are undecidable, because the emptiness problem for the intersection of contextfree languages, which is undecidable, can be reduced to them. In this paper we propose an algebraic framework for de ning abstractions (upper approximations) of contextfree languages. We consider two classes of abstractions: nitechain abstractions, which are abstractions whose domains do not contain any in nite chains, and commutative abstractions corresponding to classes of languages that contain a word if and only if they contain all its permutations. We show how to compute such approximations by combining automata theoretic techniques with algorithms for solving systems of polynomial inequations in Kleene algebras.
Precise Interprocedural Analysis through Linear Algebra
, 2004
"... We apply linear algebra techniques to precise interprocedural dataflow analysis. Specifically, we describe analyses that determine for each program point identities that are valid among the program variables whenever control reaches that program point. Our analyses fully interpret assignment stateme ..."
Abstract

Cited by 62 (10 self)
 Add to MetaCart
We apply linear algebra techniques to precise interprocedural dataflow analysis. Specifically, we describe analyses that determine for each program point identities that are valid among the program variables whenever control reaches that program point. Our analyses fully interpret assignment statements with affine expressions on the right hand side while considering other assignments as nondeterministic and ignoring conditions at branches. Under this abstraction, the analysis computes the set of all affine relations and, more generally, all polynomial relations of bounded degree precisely. The running time of our algorithms is linear in the program size and polynomial in the number of occurring variables. We also show how to deal with affine preconditions and local variables and indicate how to handle parameters and return values of procedures.
WYSINWYX: What You See Is Not What You eXecute
, 2009
"... Over the last seven years, we have developed staticanalysis methods to recover a good approximation to the variables and dynamicallyallocated memory objects of a stripped executable, and to track the flow of values through them. The paper presents the algorithms that we developed, explains how the ..."
Abstract

Cited by 52 (10 self)
 Add to MetaCart
Over the last seven years, we have developed staticanalysis methods to recover a good approximation to the variables and dynamicallyallocated memory objects of a stripped executable, and to track the flow of values through them. The paper presents the algorithms that we developed, explains how they are used to recover intermediate representations (IRs) from executables that are similar to the IRs that would be available if one started from source code, and describes their application in the context of program understanding and automated bug hunting. Unlike algorithms for analyzing executables that existed prior to our work, the ones presented in this paper provide useful information about memory accesses, even in the absence of debugging information. The ideas described in the paper are incorporated in a tool for analyzing Intel x86 executables, called CodeSurfer/x86. CodeSurfer/x86 builds a system dependence graph for the program, and provides a GUI for exploring the graph by (i) navigating its edges, and (ii) invoking operations, such as forward slicing, backward slicing, and chopping, to discover how parts of the program can impact other parts. To assess the usefulness of the IRs recovered by CodeSurfer/x86 in the context of automated bug hunting, we built a tool on top of CodeSurfer/x86, called DeviceDriver Analyzer for x86
Reducing Concurrent Analysis Under a Context Bound to Sequential Analysis
"... Abstract. This paper addresses the analysis of concurrent programs with shared memory. Such an analysis is undecidable in the presence of multiple procedures. One approach used in recent work obtains decidability by providing only a partial guarantee of correctness: the approach bounds the number of ..."
Abstract

Cited by 49 (11 self)
 Add to MetaCart
Abstract. This paper addresses the analysis of concurrent programs with shared memory. Such an analysis is undecidable in the presence of multiple procedures. One approach used in recent work obtains decidability by providing only a partial guarantee of correctness: the approach bounds the number of context switches allowed in the concurrent program, and aims to prove safety, or find bugs, under the given bound. In this paper, we show how to obtain simple and efficient algorithms for the analysis of concurrent programs with a context bound. We give a general reduction from a concurrent program P, and a given context bound K, to a slightly larger sequential program P K s such that the analysis of P K s can be used to prove properties about P. The reduction introduces symbolic constants and assume statements in P K s. Thus, any sequential analysis that can deal with these two additions can be extended to handle concurrent programs as well, under the context bound. We give instances of the reduction for common program models used in model checking, such as Boolean programs, pushdown systems (PDSs), and symbolic PDSs. 1
A relational approach to interprocedural shape analysis
 In 11th SAS
, 2004
"... Abstract. This paper addresses the verification of properties of imperative programs withrecursive procedure calls, heapallocated storage, and destructive updating of pointervalued fieldsi.e., interprocedural shape analysis. It presents a way to harness some previouslyknown approaches to interpr ..."
Abstract

Cited by 45 (11 self)
 Add to MetaCart
Abstract. This paper addresses the verification of properties of imperative programs withrecursive procedure calls, heapallocated storage, and destructive updating of pointervalued fieldsi.e., interprocedural shape analysis. It presents a way to harness some previouslyknown approaches to interprocedural dataflow analysiswhich in past work have been applied only to much less rich settingsfor interprocedural shape analysis. 1 Introduction This paper concerns techniques for static analysis of recursive programs that manipulateheapallocated storage and perform destructive updating of pointervalued fields. The goal is to recover shape descriptors that provide information about the characteristicsof the data structures that a program's pointer variables can point to. Such information can be used to help programmers understand certain aspects of the program's behavior,to verify properties of the program, and to optimize or parallelize the program.
Extended weighted pushdown systems
 In CAV
, 2005
"... Abstract. Recent work on weightedpushdown systems shows how to generalize interproceduraldataflow analysis to answer “stackqualified queries”, which answer the question “what dataflow values hold at a program node for a particular set of calling contexts?” The generalization, however, does not ac ..."
Abstract

Cited by 33 (25 self)
 Add to MetaCart
Abstract. Recent work on weightedpushdown systems shows how to generalize interproceduraldataflow analysis to answer “stackqualified queries”, which answer the question “what dataflow values hold at a program node for a particular set of calling contexts?” The generalization, however, does not account for precise handling of local variables. Extendedweightedpushdown systems address this issue, and provide answers to stackqualified queries in the presence of local variables as well. 1
Verifying concurrent messagepassing C programs with recursive calls
 In TACAS
, 2006
"... Abstract. We consider the modelchecking problem for C programs with (1) data ranging over very large domains, (2) (recursive) procedure calls, and (3) concurrent parallel components that communicate via synchronizing actions. We model such programs using communicating pushdown systems, and reduce t ..."
Abstract

Cited by 32 (15 self)
 Add to MetaCart
Abstract. We consider the modelchecking problem for C programs with (1) data ranging over very large domains, (2) (recursive) procedure calls, and (3) concurrent parallel components that communicate via synchronizing actions. We model such programs using communicating pushdown systems, and reduce the reachability problem for this model to deciding the emptiness of the intersection of two contextfree languages L1 and L2. We tackle this undecidable problem using a CounterExample Guided Abstraction Refinement (CEGAR) scheme. We implemented our technique in the model checker MAGIC and found a previously unknown bug in a version of a Windows NT Bluetooth driver. 1
Interprocedural analysis of concurrent programs under a context bound
 In TACAS
, 2007
"... Abstract. Analysis of recursive programs in the presence of concurrency and shared memory is undecidable. In previous work, Qadeer and Rehof [23] showed that contextbounded analysis is decidable for recursive programs under a finitestate abstraction of program data. In this paper, we show that con ..."
Abstract

Cited by 29 (7 self)
 Add to MetaCart
Abstract. Analysis of recursive programs in the presence of concurrency and shared memory is undecidable. In previous work, Qadeer and Rehof [23] showed that contextbounded analysis is decidable for recursive programs under a finitestate abstraction of program data. In this paper, we show that contextbounded analysis is decidable for certain families of infinitestate abstractions, and also provide a new symbolic algorithm for the finitestate case. 1
Stack size analysis for interruptdriven programs
 In Proceedings of the 10th International Symposium on Static Analysis, volume LNCS 2694
, 2003
"... Abstract. We study the problem of determining stack boundedness and the exact maximum stack size for three classes of interruptdriven programs. Interruptdriven programs are used in many realtime applications that require responsive interrupt handling. In order to ensure responsiveness, programmer ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
Abstract. We study the problem of determining stack boundedness and the exact maximum stack size for three classes of interruptdriven programs. Interruptdriven programs are used in many realtime applications that require responsive interrupt handling. In order to ensure responsiveness, programmers often enable interrupt processing in the body of lowerpriority interrupt handlers. In such programs a programming error can allow interrupt handlers to be interrupted in cyclic fashion to lead to an unbounded stack, causing the system to crash. For a restricted class of interruptdriven programs, we show that there is a polynomialtime procedure to check stack boundedness, while determining the exact maximum stack size is PSPACEcomplete. For a larger class of programs, the two problems are both PSPACEcomplete, and for the largest class of programs we consider, the two problems are PSPACEhard and can be solved in exponential time. 1