## Symbolic Analysis of Imperative Programming Languages (2006)

### Cached

### Download Links

- [www.it.usyd.edu.au]
- [sydney.edu.au]
- [www.auto.tuwien.ac.at]
- [www.auto.tuwien.ac.at]
- DBLP

### Other Repositories/Bibliography

Venue: | In Proceedings of the 7th Joint Modular Languages Conference, Springer LNCS |

Citations: | 1 - 1 self |

### BibTeX

@INPROCEEDINGS{Burgstaller06symbolicanalysis,

author = {Bernd Burgstaller and Bernhard Scholz and Johann Blieberger},

title = {Symbolic Analysis of Imperative Programming Languages},

booktitle = {In Proceedings of the 7th Joint Modular Languages Conference, Springer LNCS},

year = {2006},

pages = {172--194}

}

### OpenURL

### Abstract

Abstract. We present a generic symbolic analysis framework for imperative programming languages. Our framework is capable of computing all valid variable bindings of a program at given program points. This information is invaluable for domain-specific static program analyses such as memory leak detection, program parallelisation, and the detection of superfluous bound checks, variable aliases and task deadlocks. We employ path expression algebra to model the control flow information of programs. A homomorphism maps path expressions into the symbolic domain. At the center of the symbolic domain is a compact algebraic structure called supercontext. A supercontext contains the complete control and data flow analysis information valid at a given program point. Our approach to compute supercontexts is based purely on algebra and is fully automated. This novel representation of program semantics closes the gap between program analysis and computer algebra systems, which makes supercontexts an ideal intermediate representation for all domainspecific static program analyses. Our approach is more general than existing methods because it can derive solutions for arbitrary (even intra-loop) nodes of reducible and irreducible control flow graphs. We prove the correctness of our symbolic analysis method. Our experimental results show that the problem sizes arising from real-world applications such as the SPEC95 benchmark suite are tractable for our symbolic analysis framework. 1

### Citations

3825 |
Introduction to Automata Theory, Languages, and Computation
- Hopcroft, UlIman
- 1979
(Show Context)
Citation Context ...ssion over E such that every string in L(P ) is a program path from node v to node w. Standard algorithms such as Gaussian elimination can be applied to compute path expressions from a CFG (cf. e.g., =-=[25, 34]-=-). The following notational convention is used throughout the paper: to distinguish between corresponding entities from the standard semantic and symbolic domain, we subscript the first with the lette... |

938 |
Term Rewriting and All That
- Baader, Nipkow
- 1999
(Show Context)
Citation Context ...simplification a purely mechanical step in our symbolic analysis method. 6 Experiments The prototype implementation of our symbolic analysis framework constitutes a term rewrite system based on OBJ3 (=-=[3, 20]-=-) and Mathematica [38]. Together with the analysis results of Flow sample programs, we have made it available at [14]. Since the practicality of our symbolic analysis method critically depends on the ... |

448 | The omega test: a fast and practical integer programming algorithm for dependence analysis
- Pugh
- 1993
(Show Context)
Citation Context ... a system of symbolic constraints that describe the lower and upper bounds of pointers, array indices, and accessed memory regions. This system of constraints is then solved using ILP. The Omega test =-=[28]-=- developed by W. Pugh is an integer programming method that operates on a system of linear inequalities to determine whether a dependence between variables exists. It has been extended to nonlinear te... |

425 | Supercompilers for Parallel and Vector Computers - Zima, Chapman - 1990 |

277 |
Flow Analysis of Computer Programs
- Hecht
- 1977
(Show Context)
Citation Context ... a supercontext consists of an arbitrary (even infinite) number of contexts, it can represent the result of symbolic execution along an arbitrary (even infinite) number of program paths. According to =-=[24]-=- the meet over all paths (MOP) solution for a given CFG node n is the maximum information, relevant to the problem at hand, which can be derived from every possible execution path from the entry node ... |

250 |
Algorithms for Computer Algebra
- Geddes, Czapor, et al.
- 1992
(Show Context)
Citation Context ...iate polynomials from the ring Z[x], with indeterminates x = (x1, . . . , xν) ∈ V ν , are integer-valued expressions. To support division, the ring Z[x] is extended to the quotient field Q(Z[x]) (cf. =-=[18]-=-). By means of the rounding operation Rnd we can “wrap” a rational function x/y to obtain an integer-valued expression Rnd(x/y) 3 . Hence we 3 Simplifications of expressions involving operation Rnd ha... |

230 |
The Mathematica Book
- Wolfram
- 1996
(Show Context)
Citation Context ...dy of literature on this topic, e.g., [21, 26, 37, 36, 22, 19]. These methods are directly applicable to the recurrence system sets of our symbolic analysis framework. Modern CASs such as Mathematica =-=[38]-=- provide an ideal platform for the implementation of these methods. Due to space limitations we refer to [11] for the details involved with the construction of recurrence system sets for nested loops.... |

121 | Introducing OBJ
- Goguen, Winkler, et al.
- 2000
(Show Context)
Citation Context ...simplification a purely mechanical step in our symbolic analysis method. 6 Experiments The prototype implementation of our symbolic analysis framework constitutes a term rewrite system based on OBJ3 (=-=[3, 20]-=-) and Mathematica [38]. Together with the analysis results of Flow sample programs, we have made it available at [14]. Since the practicality of our symbolic analysis method critically depends on the ... |

111 | Symbolic bounds analysis of pointers, array indices, and accessed memory regions
- Rugina, Rinard
- 2000
(Show Context)
Citation Context ...echnique. It has been successfully applied to memory leak detection [32], compilation of parallel programs [17, 22, 37, 10], detection of superfluous bound checks, variable aliases and task deadlocks =-=[31, 13, 6, 7]-=-, and to worst-case execution time analysis [4, 8]. The results gained using symbolic analysis provide invaluable information for optimising compilers, code generators, program verification, testing a... |

105 | Symbolic analysis for parallelizing compilers
- Haghighat
- 1996
(Show Context)
Citation Context ...f programs without executing them. Symbolic analysis is an advanced static program analysis technique. It has been successfully applied to memory leak detection [32], compilation of parallel programs =-=[17, 22, 37, 10]-=-, detection of superfluous bound checks, variable aliases and task deadlocks [31, 13, 6, 7], and to worst-case execution time analysis [4, 8]. The results gained using symbolic analysis provide invalu... |

102 | Beyond induction variables: Detecting and classifying sequences using a demand-driven SSA form
- Gerlek, Stoltz, et al.
- 1995
(Show Context)
Citation Context ...rrence system set can be simplified if we are able to derive closed forms for the recurrence relations of the involved induction variables. There exists a vast body of literature on this topic, e.g., =-=[21, 26, 37, 36, 22, 19]-=-. These methods are directly applicable to the recurrence system sets of our symbolic analysis framework. Modern CASs such as Mathematica [38] provide an ideal platform for the implementation of these... |

83 | Counting solutions to Presburger formulas: how and why
- Pugh
- 1994
(Show Context)
Citation Context ... Techniques for Embedded Systems” under Contract DP 0560190 and the ARC Discovery Project Grant “Distributed Data Processing for Wireless Sensor Networks” under Contract DP 0664782.sSymbolic analysis =-=[17, 29, 23]-=- uses symbolic expressions to describe computations as algebraic formulæ over a program’s problem space. Symbolic analysis consists of two steps: (1) the computation of symbolic expressions that descr... |

75 | Constraint-based array dependence analysis
- Pugh, Wonnacott
- 1998
(Show Context)
Citation Context ...ped by W. Pugh is an integer programming method that operates on a system of linear inequalities to determine whether a dependence between variables exists. It has been extended to nonlinear tests in =-=[30, 29]-=-. 8 Conclusions and Future Work In this paper we have presented a generic symbolic analysis framework for imperative programming languages. At the center of our framework is a comprehensive and compac... |

69 |
A unified approach to path problems
- Tarjan
- 1981
(Show Context)
Citation Context ... a functional description of the input program in the symbolic domain. With our approach the control flow information of the input program is modelled by means of path expressions first introduced in =-=[34]-=-. A path expression is a regular expression whose language is the set of paths emanating from the start node of a control flow graph to a given node. We provide a natural homomorphism that maps the re... |

60 |
Mathematics for the analysis of algorithms. Birkhauser
- Greene, Knuth
- 1982
(Show Context)
Citation Context ...rrence system set can be simplified if we are able to derive closed forms for the recurrence relations of the involved induction variables. There exists a vast body of literature on this topic, e.g., =-=[21, 26, 37, 36, 22, 19]-=-. These methods are directly applicable to the recurrence system sets of our symbolic analysis framework. Modern CASs such as Mathematica [38] provide an ideal platform for the implementation of these... |

48 | Interprocedural Symbolic Analysis
- Havlak
- 1994
(Show Context)
Citation Context ... Techniques for Embedded Systems” under Contract DP 0560190 and the ARC Discovery Project Grant “Distributed Data Processing for Wireless Sensor Networks” under Contract DP 0664782.sSymbolic analysis =-=[17, 29, 23]-=- uses symbolic expressions to describe computations as algebraic formulæ over a program’s problem space. Symbolic analysis consists of two steps: (1) the computation of symbolic expressions that descr... |

35 | Chains of recurrences - a method to expedite the evaluation of closed-form functions
- Bachmann, Wang, et al.
- 1994
(Show Context)
Citation Context ...aintain predicates to guard the values of variables and it is restricted to reducible CFGs. No correctness proof of the used algorithms is given. Van Engelen et al. [37, 36] use chains of recurrences =-=[39, 2]-=- to model symbolic expressions. Analysis is carried out directly on the CFG, with loops being analysed in two phases. In the first phase recurrence relations are collected, whereas in the second phase... |

27 | Simplification and optimization transformation of chains of recurrences
- Zima
- 1995
(Show Context)
Citation Context ...aintain predicates to guard the values of variables and it is restricted to reducible CFGs. No correctness proof of the used algorithms is given. Van Engelen et al. [37, 36] use chains of recurrences =-=[39, 2]-=- to model symbolic expressions. Analysis is carried out directly on the CFG, with loops being analysed in two phases. In the first phase recurrence relations are collected, whereas in the second phase... |

24 |
editors. Symbolic evaluation methods for program analysis
- Clarke, Richardson
- 1981
(Show Context)
Citation Context ...fe for Msc(e), and fπ for Msc(π). Let P �= ∅ be a path expression of type (v, w). For all x ∈ SC, we define a mapping φ as follows. φ(Λ) = ι, (13) φ(e) = Msc(e) = fe, (14) φ(P1 + P2) = φ(P1) ∪ φ(P2), =-=(15)-=- φ(P1 · P2) = φ(P2) ◦ φ(P1), (16) φ(P ∗ 1 ) = φ(P1) ∗ . (17) Lemma 1. Let P �= ∅ be a path expression of type (v, w). Then for all x ∈ SC, � φ(P )(x) = � � fπ(x) . π∈L(P ) Proof in [11]. Based on Lemm... |

23 |
Abstract intrepretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints
- Cousot, Cousot
- 1977
(Show Context)
Citation Context ...cedures are indeed very small. Due to space limitations we refer to [12] for a description of the whole range of experiments carried out on the SPEC95 benchmark suite. 7 Related Work P. and R. Cousot =-=[16]-=- pioneered abstract interpretation as a theory of semantic approximation for semantic data and control flow analysis. The main differences between abstract interpretation and our symbolic analysis are... |

21 | Nonlinear and symbolic data dependence testing
- Blume, Eigenmann
- 1998
(Show Context)
Citation Context ...f programs without executing them. Symbolic analysis is an advanced static program analysis technique. It has been successfully applied to memory leak detection [32], compilation of parallel programs =-=[17, 22, 37, 10]-=-, detection of superfluous bound checks, variable aliases and task deadlocks [31, 13, 6, 7], and to worst-case execution time analysis [4, 8]. The results gained using symbolic analysis provide invalu... |

21 | A unified framework for nonlinear dependence testing and symbolic analysis
- Engelen
- 2004
(Show Context)
Citation Context ...f programs without executing them. Symbolic analysis is an advanced static program analysis technique. It has been successfully applied to memory leak detection [32], compilation of parallel programs =-=[17, 22, 37, 10]-=-, detection of superfluous bound checks, variable aliases and task deadlocks [31, 13, 6, 7], and to worst-case execution time analysis [4, 8]. The results gained using symbolic analysis provide invalu... |

15 | Discrete loops and worst case performance
- Blieberger
- 1994
(Show Context)
Citation Context ... specify a recurrence relation yields a symbolic expression). 6 Computing a symbolic upper bound for the number of loop iterations is beyond the scope of this paper. It is discussed, among others, in =-=[17, 5]-=-. 7 This contrasts the notion of range expressions in contemporary programming languages, where range L..U denotes the interval [L, U] .sDefinition 7. A range expression is a symbolic expression of th... |

13 | Some Techniques for Solving Recurrences
- Lueker
- 1980
(Show Context)
Citation Context ...from class Fsc.sfor the result of symbolic evaluation of the CFG cycle corresponding to path expression P1. This finite representation is an extension of a context by a system of symbolic recurrences =-=[26]-=- and is called a closure context. As will be pointed out below, a system of symbolic recurrences makes a closure context an exact representation of the infinite set of contexts that is due to a CFG cy... |

12 | Data-flow frameworks for worst-case execution time analysis
- Blieberger
- 2002
(Show Context)
Citation Context ...detection [32], compilation of parallel programs [17, 22, 37, 10], detection of superfluous bound checks, variable aliases and task deadlocks [31, 13, 6, 7], and to worst-case execution time analysis =-=[4, 8]-=-. The results gained using symbolic analysis provide invaluable information for optimising compilers, code generators, program verification, testing and debugging. ⋆ This work has been partially suppo... |

11 | Symbolic data flow analysis for detecting dealocks in Ada tasking programs
- Blieberger, Burgstaller, et al.
(Show Context)
Citation Context ...echnique. It has been successfully applied to memory leak detection [32], compilation of parallel programs [17, 22, 37, 10], detection of superfluous bound checks, variable aliases and task deadlocks =-=[31, 13, 6, 7]-=-, and to worst-case execution time analysis [4, 8]. The results gained using symbolic analysis provide invaluable information for optimising compilers, code generators, program verification, testing a... |

7 | Symbolic cache analysis for real-time systems
- Blieberger, Fahringer, et al.
(Show Context)
Citation Context ...detection [32], compilation of parallel programs [17, 22, 37, 10], detection of superfluous bound checks, variable aliases and task deadlocks [31, 13, 6, 7], and to worst-case execution time analysis =-=[4, 8]-=-. The results gained using symbolic analysis provide invaluable information for optimising compilers, code generators, program verification, testing and debugging. ⋆ This work has been partially suppo... |

6 | Interprocedural Symbolic Evaluation of Ada Programs with Aliases
- Blieberger, Burgstaller, et al.
- 1999
(Show Context)
Citation Context ...echnique. It has been successfully applied to memory leak detection [32], compilation of parallel programs [17, 22, 37, 10], detection of superfluous bound checks, variable aliases and task deadlocks =-=[31, 13, 6, 7]-=-, and to worst-case execution time analysis [4, 8]. The results gained using symbolic analysis provide invaluable information for optimising compilers, code generators, program verification, testing a... |

4 | Symbolic pointer analysis for detecting memory leaks
- Scholz, Blieberger, et al.
- 1999
(Show Context)
Citation Context ... that determine the dynamic behaviour of programs without executing them. Symbolic analysis is an advanced static program analysis technique. It has been successfully applied to memory leak detection =-=[32]-=-, compilation of parallel programs [17, 22, 37, 10], detection of superfluous bound checks, variable aliases and task deadlocks [31, 13, 6, 7], and to worst-case execution time analysis [4, 8]. The re... |

4 | The CR# algebra and its application in loop analysis and optimization
- Engelen
- 2004
(Show Context)
Citation Context ...rrence system set can be simplified if we are able to derive closed forms for the recurrence relations of the involved induction variables. There exists a vast body of literature on this topic, e.g., =-=[21, 26, 37, 36, 22, 19]-=-. These methods are directly applicable to the recurrence system sets of our symbolic analysis framework. Modern CASs such as Mathematica [38] provide an ideal platform for the implementation of these... |

2 | Static Detection of Access Anomalies in Ada95
- Burgstaller, Blieberger, et al.
- 2006
(Show Context)
Citation Context ...our prototype implementation showed that the problem sizes of real-world programs such as those from the SPEC95 benchmark suite are tractable for our symbolic analysis framework. It has been shown in =-=[9]-=- that symbolic analysis has a vast improvement potential in the area of contemporary data-flow based analyses of sequential and concurrent programs. We are therefore facing two research tiers that we ... |

2 |
Symbolic Evaluation of Imperative Programming Languages
- Burgstaller
- 2005
(Show Context)
Citation Context ...SPEC95 benchmark suite. Section 7 surveys related work. Finally, in Sect. 8 we draw our conclusions and outline future work. The proofs of the theorems stated in the paper have been made available in =-=[11]-=-. 2 Background and Notation We use N to denote the natural numbers, Z to denote the integers, and B = {true, false} to denote the truth values from Boolean algebra. The finite set of program variables... |

2 |
Tour de Spec — A Collection of Spec95 Program Paths and Associated Costs for Symbolic Evaluation
- Burgstaller, Scholz, et al.
- 2004
(Show Context)
Citation Context ...om the SPEC95 benchmark suite constitute no problem at all for symbolic analysis, and that the ancc values for 90 percent of all procedures are indeed very small. Due to space limitations we refer to =-=[12]-=- for a description of the whole range of experiments carried out on the SPEC95 benchmark suite. 7 Related Work P. and R. Cousot [16] pioneered abstract interpretation as a theory of semantic approxima... |

2 |
Advanced Symbolic Analysis for Compilers, volume 2628
- Fahringer, Scholz
- 2003
(Show Context)
Citation Context |

1 |
Eliminating Redundant Range Checks in GNAT Using Symbolic Evaluation
- Blieberger, Burgstaller
- 2003
(Show Context)
Citation Context |

1 |
Gated SAA-Based Demand-Driven Symbolic Analysis for Parallelizing Compilers
- Tu, Padua
- 1995
(Show Context)
Citation Context ...uations describing the solutions at the respective CFG nodes. In [17] a symbolic representation for contexts is introduced. Closure contexts are an extension of this algebraic structure. Tu and Padua =-=[35]-=- developed a system for computing symbolic values of expressions using a demand-driven backward analysis based on G-SSA form. Their analysis can be more efficient than our approach if local analysis i... |