## Static Program Analysis via 3-Valued Logic (2004)

Citations: 19 (3 self)

### BibTeX

```bibtex
@MISC{Reps04staticprogram,
  author = {Thomas Reps and Mooly Sagiv and Reinhard Wilhelm},
  title = {Static Program Analysis via 3-Valued Logic},
  year = {2004}
}
```

### Abstract

This paper reviews the principles behind the paradigm of "abstract interpretation via 3-valued logic," discusses recent work to extend the approach, and summarizes ongoing research aimed at overcoming remaining limitations on the ability to create program-analysis algorithms fully automatically.

### Citations

- Cousot, Cousot (1977). Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. (cited by 1876)

- Cousot, Cousot (1979). Systematic design of program analysis frameworks by abstract interpretation. (cited by 630)
  Context: "...which demonstrates that the abstract domain is capable of representing a more precise abstract semantics than the transformation illustrated in Fig. 2. In [24], it is shown that for a Galois connection defined by abstraction function α and concretization function γ, the best abstract transformer for a concrete transformer τ, denoted by τ♯, can be..."

- Clarke, Grumberg, et al. (1994). Model checking and abstraction. (cited by 621)
  Context: "...abstracted via canonical abstraction, using red as the only abstraction predicate. Existential abstraction. Canonical abstraction is also related to the notion of existential abstraction used in [43, 42]. However, canonical abstraction yields 3-valued predicates and distinguishes summary nodes from non-summary nodes, whereas existential abstraction yields 2-valued predicates and does not distinguis..."

- Graf, Saïdi (1997). Construction of abstract state graphs with PVS. (cited by 597)
  Context: "...transformer can be expressed as α∘τ∘γ. This defines the limit of precision obtainable using a given abstract domain, but does not provide an algorithm for finding or applying τ♯. Graf and Saïdi [33] showed that decision procedures can be used to generate best abstract transformers for abstract domains that are finite Cartesian products of Boolean values. (The use of such domains is known as pr..."

- Clarke, Grumberg, et al. Counterexample-Guided Abstraction Refinement. (cited by 597)
  Context: "...is strictly more general than predicate abstraction. [Fig. 4. (a) Transition diagram for a stoplight; (b) transition diagram abstracted via the method of [42] when green and yellow are mapped to go; (c) transition diagram abstracted via canonical abstraction, using red as the only abstraction predicate.] Existential abstraction. Canonical abstraction..."

- Corbett, Dwyer, et al. (2000). Bandera: Extracting Finite-state Models from Java Source Code. (cited by 565)
  Context: "...logic plus transitive closure—see footnote 7), but they are really properties shared by any verification method that is based on abstract interpretation, and hence are consequences of point (3). Points (4) and (5) may be equally surprising—even to many experts in the field of static analysis—but are key aspects of this approach: Point (4) has a fundamental effect on precision. In particular, our appr..."

- Sagiv, Reps, et al. Parametric shape analysis via 3-valued logic. (cited by 538)
  Context: "...such entities has no fixed upper bound. Moreover, the nature of the relationships that need to be tracked depends on both the program being analyzed and the queries to be answered. The aim of our work [17] has been to create a parametric framework for program analysis that addresses these issues. A parametric framework is one that can be instantiated in different ways to create different program-analys..."

- Steensgaard (1996). Points-to analysis in almost linear time. (cited by 517)

- Henzinger, Jhala, et al. (2002). Lazy abstraction. (cited by 445)
  Context: "...number of allocated objects and threads [38]. 4 Related Work. Predicate abstraction. Canonical abstraction is sometimes confused with predicate abstraction, which has been used in a variety of systems [33, 39, 6, 40]. At one level, predicate abstraction and canonical abstraction use essentially the same mechanism: Predicate abstraction can be used to abstract a possibly-infinite transition system to a finite on..."

- Engler, Chelf, et al. (2000). Checking system rules using system-specific, programmer-written compiler extensions. (cited by 338)
  Context: "...first-order logic plus transitive closure—see footnote 7), but they are really properties shared by any verification method that is based on abstract interpretation, and hence are consequences of point (3). Points (4) and (5) may be equally surprising—even to many experts in the field of static analysis—but are key aspects of this approach: Point (4) has a fundamental effect on precision. In particul..."

- Wagner, Foster, et al. (2000). A first step towards automated detection of buffer overrun vulnerabilities. (cited by 336)
  Context: "...heap-allocated data structures that the program manipulates. A prototype implementation that implements this approach has been created, called TVLA (Three-Valued-Logic Analyzer) [19, 20]. Points (1) and (2) may seem counterintuitive, given that we work with an undecidable logic (first-order logic plus transitive closure—see footnote 7), but they are really properties shared by any verification method th..."

- Havelund, Pressburger (2000). Model Checking Java Programs Using Java PathFinder. (cited by 314)
  Context: "...actual heap-allocated data structures that the program manipulates. A prototype implementation that implements this approach has been created, called TVLA (Three-Valued-Logic Analyzer) [19, 20]. Points (1) and (2) may seem counterintuitive, given that we work with an undecidable logic (first-order logic plus transitive closure—see footnote 7), but they are really properties shared by any verification m..."

- Bush, Pincus, et al. A static analyzer for finding dynamic programming errors. (cited by 265)
  Context: "...transitive closure—see footnote 7), but they are really properties shared by any verification method that is based on abstract interpretation, and hence are consequences of point (3). Points (4) and (5) may be equally surprising—even to many experts in the field of static analysis—but are key aspects of this approach: Point (4) has a fundamental effect on precision. In particular, our approach is..."

- Whaley, Lam. Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. (cited by 228)

- Dill (1989). Timing assumptions and verification of finite-state concurrent systems. (cited by 221)
  Context: "...coupled canonical abstraction with a variety of previously known numeric abstractions: intervals, congruences, polyhedra [29], and various restrictions on polyhedral domains (such as difference constraints [30, 31] and 2-variable constraints [32]). These overapproximate the states that can arise in a program using sets of points in a k-dimensional space. However, when canonical abstraction is used to create b..."

- Chen, Wagner (2002). MOPS: An infrastructure for examining security properties of software. (cited by 196)

- Das (2000). Unification-based pointer analysis with directional assignments. (cited by 191)

- Emerson, Sistla (1996). Symmetry and model checking. (cited by 166)
  Context: "...that hold for a given thread. The use of this naming scheme automatically discovers commonalities in the state space, but without relying on explicitly supplied symmetry properties, as in, for example, [28]. The analysis algorithm given in [27] builds and explores a 3-valued transition system on-the-fly. Unary core predicates are used to represent the program counter of each thread object; Focus is use..."

- Ball, Podelski, et al. Boolean and Cartesian Abstraction for Model Checking C Programs. (cited by 159)
  Context: "...machinery is developed to use 3-valued structures to define a parametric abstract domain for abstract interpretation. Predicate abstraction has also been used to define a parametric abstract domain [41]. Thus, an alternative comparison criterion is to consider the relationship between the two parametric abstract domains: Predicate abstraction yields a parametric abstract domain based on finite Car..."

- Ball, Rajamani. The SLAM Toolkit. (cited by 139)
  Context: "...number of allocated objects and threads [38]. 4 Related Work. Predicate abstraction. Canonical abstraction is sometimes confused with predicate abstraction, which has been used in a variety of systems [33, 39, 6, 40]. At one level, predicate abstraction and canonical abstraction use essentially the same mechanism: Predicate abstraction can be used to abstract a possibly-infinite transition system to a finite on..."

- Das, Dill, et al. (1999). Experience with predicate abstraction. (cited by 130)
  Context: "...number of allocated objects and threads [38]. 4 Related Work. Predicate abstraction. Canonical abstraction is sometimes confused with predicate abstraction, which has been used in a variety of systems [33, 39, 6, 40]. At one level, predicate abstraction and canonical abstraction use essentially the same mechanism: Predicate abstraction can be used to abstract a possibly-infinite transition system to a finite on..."

- Lev-Ami, Sagiv (2000). TVLA: A system for implementing static analyses. (cited by 112)
  Context: "...correctly model the actual heap-allocated data structures that the program manipulates. A prototype implementation that implements this approach has been created, called TVLA (Three-Valued-Logic Analyzer) [19, 20]. Points (1) and (2) may seem counterintuitive, given that we work with an undecidable logic (first-order logic plus transitive closure—see footnote 7), but they are really properties shared by any ve..."

- Cheng, Hwu (2000). Modular interprocedural pointer analysis using access paths: design, implementation, and evaluation. (cited by 93)

- Fähndrich, Rehof, et al. (2000). Scalable context-sensitive flow analysis using instantiation constraints. (cited by 85)

- Yahav (2001). Verifying safety properties of concurrent Java programs using 3-valued logic. (cited by 79)
  Context: "...for each procedure, and the summary transformer is used at each call site at which that procedure is called. ... Checking multithreaded systems. In [27], it is shown how to apply 3-valued logic to the problem of checking properties of multithreaded systems. In particular, [27] addresses the problem of state-space exploration for languages, such as J..."

- Lev-Ami, Reps, et al. (2000). Putting static analysis to work for verification: A case study. (cited by 79)
  Context: "...computing best transformers for applications that use canonical abstraction [34, 35]. Applications. Some of the problems to which the 3-valued-logic approach has been applied include the following: In [36], TVLA was used to establish the partial correctness of bubble-sort and insert-sort routines for sorting linked lists. The abstraction-refinement method of [23] was used to extend this work to address..."

- Foster, Fähndrich, et al. (2000). Polymorphic versus monomorphic flow-insensitive points-to analysis for C. (cited by 68)

- Das, Liblit, et al. (2001). Estimating the impact of scalable pointer analysis on optimization. (cited by 54)
  Context: "...use of a flow-insensitive algorithm exacerbates the problem. Consequently, most of the literature on points-to analysis leads to almost no useful information about the structure of the heap. One study [16] of the characteristics of the results obtained using one of the flow-insensitive points-to-analysis algorithms reports that 'Our experiments show that in every points-to graph, there is a single node...'"

- Yorsh, Reps, et al. (2004). Symbolically computing most-precise abstract operations for shape analysis. (cited by 51)
  Context: "...abstraction in use. In recent work, we have made a start towards this goal. In particular, we have defined two approaches to computing best transformers for applications that use canonical abstraction [34, 35]. Applications. Some of the problems to which the 3-valued-logic approach has been applied include the following: In [36], TVLA was used to establish the partial correctness of bubble-sort and insert..."

- Jeannet, Loginov, et al. (2004). A relational approach to interprocedural shape analysis. (cited by 45)
  Context: "...deallocated. 3 Applications and Extensions. Interprocedural analysis. The application of canonical abstraction to interprocedural analysis of programs with recursion has been studied in both [25] and [26]. In [25], the main idea is to expose the runtime stack as an explicit 'data structure' of the concrete semantics; that is, activation records are individuals, and suitable core predicates are introdu..."

- Reps, Sagiv, et al. (2004). Finite differencing of logical formulas for static analysis. Trans. on Prog. Lang. and Syst. (cited by 35)
  Context: "...An algorithm that uses the transformer and the predicate's defining formula to generate an appropriate incremental predicate-maintenance formula for that predicate is presented in [22]. The problem of automatically identifying appropriate instrumentation predicates, using a process of abstraction refinement, is addressed in [23]. In that paper, the input required to specify a pro..."

- Cousot, Halbwachs (1978). Automatic discovery of linear constraints among variables of a program. (cited by 35)
  Context: "...data items that are stored in the nodes of data structures. Recent work [21] has coupled canonical abstraction with a variety of previously known numeric abstractions: intervals, congruences, polyhedra [29], and various restrictions on polyhedral domains (such as difference constraints [30, 31] and 2-variable constraints [32]). These overapproximate the states that can arise in a program using sets of..."

- Simon, King, et al. (2002). Two Variables per Linear Inequality as an Abstract Domain. (cited by 35)
  Context: "...variety of previously known numeric abstractions: intervals, congruences, polyhedra [29], and various restrictions on polyhedral domains (such as difference constraints [30, 31] and 2-variable constraints [32]). These overapproximate the states that can arise in a program using sets of points in a k-dimensional space. However, when canonical abstraction is used to create bounded-size representations of me..."

- Ramalingam, Warshavsky, et al. (2002). Deriving specialized program analyses for certifying component-client conformance. (cited by 33)
  Context: "...collector operating on an arbitrary heap. In Java, once an iterator object is created for a collection, the iterator may be used only as long as the collection is not modified other than via that iterator; otherwise a 'concurrent modification exception' is thrown. In [37], TVLA was used to create a verification tool for establishing the absence of concurrent modification exceptions. In the area of multithreaded systems, the 3-valued-logic approach has been used to es..."

- Reps, Sagiv, et al. (2004). Symbolic implementation of the best transformer. (cited by 32)
  Context: "...abstraction in use. In recent work, we have made a start towards this goal. In particular, we have defined two approaches to computing best transformers for applications that use canonical abstraction [34, 35]. Applications. Some of the problems to which the 3-valued-logic approach has been applied include the following: In [36], TVLA was used to establish the partial correctness of bubble-sort and insert..."

- Zhu, Calman (2004). Symbolic pointer analysis revisited. (cited by 31)

- Andersen (1993). Binding-time analysis and the taming of C pointers. (cited by 29)

- Rinetzky, Sagiv (2001). Interprocedural shape analysis for recursive programs. (cited by 26)
  Context: "...cell being deallocated. 3 Applications and Extensions. Interprocedural analysis. The application of canonical abstraction to interprocedural analysis of programs with recursion has been studied in both [25] and [26]. In [25], the main idea is to expose the runtime stack as an explicit 'data structure' of the concrete semantics; that is, activation records are individuals, and suitable core predicates ar..."

- Miné. A few graph-based relational numerical abstract domains. (cited by 20)
  Context: "...coupled canonical abstraction with a variety of previously known numeric abstractions: intervals, congruences, polyhedra [29], and various restrictions on polyhedral domains (such as difference constraints [30, 31] and 2-variable constraints [32]). These overapproximate the states that can arise in a program using sets of points in a k-dimensional space. However, when canonical abstraction is used to create b..."

- Yahav, Sagiv. Automatically verifying concurrent queue algorithms. (cited by 14)
  Context: "...correctness of two concurrent queue algorithms; these results were obtained without imposing any a priori bound on the number of allocated objects and threads [38]. 4 Related Work. Predicate abstraction. Canonical abstraction is sometimes confused with predicate abstraction, which has been used in a variety of systems [33, 39, 6, 40]. At one level, predicate abs..."

- Loginov, Reps, et al. (2004). Abstraction refinement for 3-valued-logic analysis. (cited by 5)

- Gopan, DiMaio, et al. (2004). Numeric domains with summarized dimensions. In: Tools and Algs. for the Construct. and Anal. of Syst. (cited by 3)
  Context: "...order of two nodes' data values. Alternatively, numeric-valued entities can be handled by combining abstractions of logical structures with previously known techniques for creating numeric abstractions [21]." [The excerpt continues with a table of unary and binary predicates over individuals, which is not recoverable from the page.]

- Loginov, Reps, et al. (2004). Abstraction refinement for 3-valued-logic analysis. (cited by 2)
  Context: "...predicate-maintenance formula is presented in [22]. The problem of automatically identifying appropriate instrumentation predicates, using a process of abstraction refinement, is addressed in [23]. In that paper, the input required to specify a program analysis consists of (i) a program, (ii) a characterization of the inputs, and (iii) a query (i.e., a formula that characterizes the intended o..."