## The octagon abstract domain (2001)

### Download Links

- www.di.ens.fr
- www.cs.wm.edu
- DBLP

Venue: In AST 2001 in WCRE 2001, IEEE

Citations: 244 (23 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Miné01theoctagon,
  author = {Antoine Miné and École Normale Supérieure},
  title = {The octagon abstract domain},
  booktitle = {In AST 2001 in WCRE 2001, IEEE},
  year = {2001},
  pages = {310--319},
  publisher = {IEEE CS Press}
}
```

### Abstract

This article presents the octagon abstract domain, a relational numerical abstract domain for static analysis by abstract interpretation. It allows representing conjunctions of constraints of the form ±X ± Y ≤ c where X and Y range among program variables. Abstract elements are represented using modified Difference Bound Matrices, and we use a normalization algorithm loosely based on the shortest-path closure to compute canonical representations and construct best-precision abstract transfer functions. We achieve a quadratic memory cost per abstract element and a cubic worst-case time cost per abstract operation, with respect to the number of program variables. In terms of cost and precision, our domain lies between the well-known fast but imprecise interval domain and the costly polyhedron domain. We show that it is precise enough to treat interesting examples requiring relational invariants, and hence out of the reach of the interval domain. We also present a packing strategy that allows scaling our domain up to large programs by tuning the amount of relationality. The octagon domain was incorporated into the Astrée industrial-strength static analyzer and was key in proving the absence of run-time errors in large critical embedded flight control software for Airbus planes.
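
The representation the abstract describes, worked as an added example (my own code, not the paper's or the octagon library's): each variable gets a positive and a negative node, every constraint ±X ± Y ≤ c becomes a Difference Bound Matrix entry, and strong closure normalizes the matrix by a shortest-path closure followed by a strengthening step, which is the formulation valid for rational and real variables. The node numbering, the helper names and the three constraint sets are my own constructed choices.

```python
INF = float("inf")


class Octagon:
    """Octagon over n rational variables as a 2n x 2n DBM. Variable i has node 2i
    for +V_i and node 2i+1 for -V_i; m[a][b] = c encodes node_b - node_a <= c."""

    def __init__(self, n):
        self.m = [[0 if a == b else INF for b in range(2 * n)] for a in range(2 * n)]

    @staticmethod
    def node(s, i):
        return 2 * i + (0 if s > 0 else 1)  # node carrying s*V_i; a ^ 1 flips the sign

    def _set(self, a, b, c):
        # node_b - node_a <= c also reads node_(a^1) - node_(b^1) <= c, so both
        # cells are tightened together and the DBM stays coherent
        self.m[a][b] = min(self.m[a][b], c)
        self.m[b ^ 1][a ^ 1] = min(self.m[b ^ 1][a ^ 1], c)

    def add_constraint(self, si, i, sj, j, c):
        """si*V_i + sj*V_j <= c with si, sj in {+1, -1}, i.e. si*V_i - (-sj*V_j) <= c."""
        self._set(self.node(-sj, j), self.node(si, i), c)

    def add_bound(self, s, i, c):
        """s*V_i <= c, stored as the doubled constraint (s*V_i) - (-s*V_i) <= 2c."""
        self._set(self.node(-s, i), self.node(s, i), 2 * c)

    def bound(self, si, i, sj, j):  # tightest known c with si*V_i + sj*V_j <= c
        return self.m[self.node(-sj, j)][self.node(si, i)]

    def strong_closure(self):
        """Normalise in place; return False when the conjunction is unsatisfiable."""
        m, size = self.m, len(self.m)
        # 1. shortest-path closure (Floyd-Warshall) over the 2n nodes
        for k in range(size):
            for a in range(size):
                for b in range(size):
                    if m[a][k] + m[k][b] < m[a][b]:
                        m[a][b] = m[a][k] + m[k][b]
        # 2. a strictly negative cycle (Bellman) means no valuation satisfies it
        if any(m[a][a] < 0 for a in range(size)):
            return False
        for a in range(size):
            m[a][a] = 0
        # 3. strengthening: node_a >= -m[a][a^1]/2 and node_b <= m[b^1][b]/2
        #    together imply node_b - node_a <= their half-sum (rationals/reals only)
        for a in range(size):
            for b in range(size):
                m[a][b] = min(m[a][b], (m[a][a ^ 1] + m[b ^ 1][b]) / 2)
        return True


def demo():
    # constructed: x - y <= 1, y - z <= 2, x + z <= 10, z >= 0 (x, y, z are 0, 1, 2);
    # closure infers x - z <= 3 and, combined with x + z <= 10, the bound 2x <= 13
    o = Octagon(3)
    o.add_constraint(+1, 0, -1, 1, 1)
    o.add_constraint(+1, 1, -1, 2, 2)
    o.add_constraint(+1, 0, +1, 2, 10)
    o.add_bound(-1, 2, 0)
    sat1, x_minus_z, x_hi = o.strong_closure(), o.bound(+1, 0, -1, 2), o.m[1][0] / 2
    # constructed: x <= 2 and y >= 1; only the strengthening step yields x - y <= 1
    p = Octagon(2)
    p.add_bound(+1, 0, 2)
    p.add_bound(-1, 1, -1)
    sat2, x_minus_y = p.strong_closure(), p.bound(+1, 0, -1, 1)
    # constructed: x - y <= 1 and y - x <= -2 form a cycle of weight -1: empty octagon
    q = Octagon(2)
    q.add_constraint(+1, 0, -1, 1, 1)
    q.add_constraint(+1, 1, -1, 0, -2)
    return sat1, x_minus_z, x_hi, sat2, x_minus_y, q.strong_closure()
```

Integer variables need an additional tightening step after closure, which this rational version omits.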

### Citations

- Cormen, Leiserson, et al. (2001). Introduction to algorithms. [8828 citations]
- Cousot, Cousot (1977). Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. [1953 citations]
  Context: ...the full coverage of all program behaviors while relying on symbolic—as opposed to explicit—representations to achieve efficiency. In this paper, we will work in the Abstract Interpretation framework [18, 20] which is a general theory of the approximation of program semantics. It allows, among other applications, designing static analyzers that are able to automatically discover, at compile-time, properti...
- Moore (1966). Interval Analysis. [922 citations]
  Context: ...ct (m) where ⟦expr⟧Int(X♯) denotes the evaluation of the expression expr in the interval abstract domain, on the interval abstract environment X♯, as derived from regular interval arithmetics [48]. The low precision of this transfer function stems from two facts. Firstly, we do not infer any relational information of the form ±Vi ± Vj. Secondly, we do not use the existing relational information...
- Cousot, Cousot (1979). Systematic design of program analysis frameworks. [658 citations]
- Cousot, Halbwachs (1978). Automatic Discovery of Linear Restraints Among Variables of a Program. [588 citations]
  Context: ...d Cousot [17] that discovers variable bounds (∧i Xi ∈ [ai, bi]), Karr's domain [35] that discovers affine equalities between variables (∧j ∑i αij Xi = βj), Cousot and Halbwachs' polyhedron domain [22] for affine inequalities (∧j ∑i αij Xi ≤ βj), Granger's congruence domain [29] (∧i Xi ∈ ...
- Bellman (1958). On a routing problem. [347 citations]
  Context: ...satisfiability algorithms for conjunctions of inequalities of a restricted form. Consider, first, so-called potential constraints, that is, constraints of the form X − Y ≤ c. A core result by Bellman [7] is that the satisfiability of conjunctions of potential constraints in Z, Q, or R can be reduced to checking for the existence of a cycle with a strictly negative total weight in a weighted directed ...
- Cousot, Cousot (1992). Abstract interpretation and application to logic programs. [294 citations]
- Deutsch (1994). Interprocedural May-Alias analysis for pointers: Beyond k-limiting. [234 citations]
- Dill (1989). Timing assumptions and verification of finite-state concurrent systems. [225 citations]
  Context: ...works focus on satisfiability only and do not study the more complex problem of manipulating constraint conjunctions. From Bellman's result, people from the model checking community of timed automata [24, 54] and timed Petri nets [40] derived a structure called Difference Bound Matrix (or DBM) allowing the manipulation of conjunctions of potential constraints. They developed algorithms to compute a canoni...
- Lamport (1974). A new solution of Dijkstra's concurrent programming problem. [220 citations]
- Cousot (1997). Types as Abstract Interpretations. [201 citations]
  Context: ...yses by Deutsch [23] and Venet [53], a shape analysis by Rugina [50], a string cleanness analysis by Dor et al. [25], analyses of π-calculus by Feret [26], parametric predicate abstractions by Cousot [16], and even liveness analyses such as the termination analysis by Colón and Sipma [13]. There already exist several numerical abstract domains. Well-known examples include the interval domain by Cousot ...
- Cousot, Cousot. Static determination of dynamic properties of programs. [174 citations]
- Karr (1976). Affine relationships among variables of a program. [161 citations]
  Context: ...3]. There already exist several numerical abstract domains. Well-known examples include the interval domain by Cousot and Cousot [17] that discovers variable bounds (∧i Xi ∈ [ai, bi]), Karr's domain [35] that discovers affine equalities between variables (∧j ∑i αij Xi = βj), Cousot and Halbwachs' polyhedron domain [22] for affine inequalities (∧j ∑i αij Xi ≤ βj), Granger's congruence domain [29] ...
- Blanchet, Cousot, et al. (2002). Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software. [96 citations]
  Context: ... If an interval not containing 0 is not stable, they first try to see if 0 is a stable bound instead of deciding it should be set to ±∞. A further generalisation, presented in [21] and widely used in [8], is to design a widening parametrized by a finite set T ⊆ I of thresholds. Each bound is enlarged to the threshold immediately greater. We bail out to ±∞ only when we are out of thresholds. This adap...
- Bourdoncle (1993). Abstract Debugging of Higher-Order Imperative Languages. [94 citations]
  Context: ...forward and backward passes, as proposed by Cousot and Cousot in [19, §6]. Another one is to backtrack from a user-specified program behavior to its origin, such as in Bourdoncle's abstract debugging [11]. We did not experiment with backward assignments yet. However, for the sake of completeness, we provide a few abstractions of backward assignments so t...
- Cousot (1978). Méthodes itératives de construction et d'approximation de points fixes d'opérateurs monotones sur un treillis, analyse sémantique de programmes. Thèse d'État ès sciences mathématiques, Université scientifique et médicale de Grenoble. [90 citations]
- Balasundaram, Kennedy (1989). A Technique for Summarizing Data Access and Its Use in Parallelism Enhancing Transformations. [83 citations]
  Context: ...bstract domain, but extended to the richer set of constraints ±X ± Y ≤ c. A first set of algorithms for the manipulation of constraints of the form ±X ± Y ≤ c was proposed by Balasundaram and Kennedy [6] to represent data access patterns in arrays and perform automatic loop parallelization—such constraint sets were denoted there as "simple sections". Alas, the authors fail to propose a normal form, a...
- Shostak (1981). Deciding Linear Inequalities by Computing Loop Residues. [72 citations]
- Lions (1996). ARIANE 5: Flight 501 Failure, Report by the Inquiry. [68 citations]
  Context: ...n software, the consequences of a bug are more dramatic, causing great financial and even human losses. An extreme example is the overflow bug that caused the failure of the Ariane 5 launcher in 1996 [37]. Testing, one of the most widely used techniques to ensure the correctness of programs, is not sufficient. As only a few sample program behaviors can be observed, it misses bugs. Hence the need for f...
- Miné (2001). A new numerical abstract domain based on difference-bound matrices. [64 citations]
  Context: ...ent in the PhD work of Bagnara [4, Chap. 5] and Jeannet [34, §2.4.3]. It has been effectively carried out simultaneously in the work of Shaham, Kolodner, and Sagiv, in [51], and in our previous paper [43]. Some constructions in the present paper are reminiscent of this abstract domain, but extended to the richer set of constraints ±X ± Y ≤ c. A first set of algorithms for the manipulation of constrain...
- Mauborgne, Rival (2005). Trace partitioning in abstract interpretation based static analyzers. [63 citations]
  Context: ... abstract element representation nor the abstract transfer functions. Such techniques were successfully used within the Astrée analyzer. We will not develop further this topic and refer the reader to [39] for more information. Other works on partitioning techniques include that of Handjieva and Tzolovski [31], and that of Bourdoncle [10]. 4.2. Forget Operator. From now on and up to Sect. 4.6, included,...
- Larsson, Larsen, et al. (1997). Efficient Verification of Real-Time Systems: Compact Data Structures and State-Space Reduction. [59 citations]
- Cousot (1999). The calculational design of a generic abstract interpreter. [58 citations]
  Context: ...fer function in the interval domain: {| e ≤ 0 ? |}Oct nonrel (m) =def (Oct ∘ {| e ≤ 0 ? |}Int ∘ Int)(m) ∩Oct m, where {| e ≤ 0 ? |}Int is the classical test abstraction in the interval domain—see [15] on how to derive test abstractions for generic nonrelational domains. Because tests only filter out environments, it is safe to keep all the constraints of the argument DBM in the result, hence the i...
- Yovine. Model checking timed automata. [58 citations]
  Context: same passage as for Dill (1989) above.
- Feret (2004). Static analysis of digital filters. [54 citations]
  Context: ...alarms, some coming from code fragments semantically similar to those of Sect. 5. We will now focus solely on the influence of the octagon abstract domain in Astrée and refer the reader to the papers [8, 9, 38, 39, 27, 28] and the web-page [3] for more general information about Astrée and the other abstract domains it includes. Floating-Point Octagons. In order to soundly abstract floating-point computations, we rely ...
- Miné (2004). Relational abstract domains for the detection of floating-point run-time errors. [54 citations]
  Context: ...ar parts have been abstracted away into intervals. Finally, it is quite useful to account for rounding errors appearing when modeling floating-point expressions into real expressions, as performed in [45, 46]. All three techniques are used in the Astrée static analyzer [3, 9]. A class of expressions that appears frequently is that of linear expressions with interval constant coefficients: [a0, b0] + ∑k [...
- Granger (1989). Static analysis of arithmetical congruences. [49 citations]
  Context: ... [35] that discovers affine equalities between variables (∧j ∑i αij Xi = βj), Cousot and Halbwachs' polyhedron domain [22] for affine inequalities (∧j ∑i αij Xi ≤ βj), Granger's congruence domain [29] (∧i Xi ∈ ...
- Clarisó, Cortadella. The Octahedron Abstract Domain. [48 citations]
  Context: ...lready some research in this direction: the so-called Two Variables per Linear Inequality domain by Simon et al. [52] for invariants of the form αX + βY ≤ c and the octahedra domain by Clarisó et al. [12] for invariants of the form ∑i εi Xi ≤ c, εi ∈ {−1, 0, 1}. Finally, further work is pursued on the Astrée project at the ENS and the École Polytechnique to extend our analyzer to other program familie...
- Møller, Lichtenberg, et al. (1999). Difference Decision Diagrams. [42 citations]
  Context: ...dress these problems, several alternate data structures have been proposed, based on the concept of decision diagrams. Two examples are Clock Difference Diagrams [36] and Difference Decision Diagrams [47]. Despite the lack of a canonical form for both data structures, inclusion, equality, and emptiness testing algorithms are proposed. It might be interesting, from a theoretical point of view, to see i...
- Bagnara (1997). Data-Flow Analysis for Constraint Logic-Based Languages. [41 citations]
- Dor, Rodeh, et al. (2001). Cleanness checking of string manipulations in C programs via integer analysis. In Static Analysis. [41 citations]
- Jaffar, Maher, et al. (1994). Beyond Finite Domains. [39 citations]
  Context: ...an be reduced to checking for the existence of a cycle with a strictly negative total weight in a weighted directed graph. This result was then extended by Jaffar, Maher, Stuckey, Yap, and Harvey, in [33, 32], to integer constraints of the form ±X ± Y ≤ c. However, these works focus on satisfiability only and do not study the more complex problem of manipulating constraint conjunctions. From Bellman's res...
- Pratt (1977). Two easy theories whose combination is hard. [39 citations]
- Halbwachs (1979). Détermination automatique de relations linéaires vérifiées par les variables d'un programme. Thèse de 3ème cycle d'informatique, Université scientifique et médicale de ... [37 citations]
  Context: ... hence, it is a sound abstraction of F's least-fixpoint. In order to design a widening for octagons, we use the same idea as for the standard widening in the interval [17] and the polyhedron domains [30]: we remove unstable constraints. The resulting standard octagon widening ▽Oct std is defined point-wise on DBMs as follows: (m ▽Oct std n)ij =def mij if mij ≥ nij, +∞ otherwise. More generally, any...
- Miné (2004). Weakly Relational Numerical Abstract Domains. [37 citations]
  Context: ... 45 rue d'Ulm, F-75230 Paris Cedex 05, France. ∗ This paper is the journal version of an earlier conference paper [44] sharing this title. However, the present version, extracted from the author's PhD [46], is extended in many ways and enriched with new experimental results. † Partially supported by the exploratory project Astrée of the Réseau National de recherche et d'innovation en Technologies Logici...
- Bourdoncle (1992). Abstract Interpretation by dynamic partitioning. [35 citations]
  Context: .... We will not develop further this topic and refer the reader to [39] for more information. Other works on partitioning techniques include that of Handjieva and Tzolovski [31], and that of Bourdoncle [10]. 4.2. Forget Operator. From now on and up to Sect. 4.6, included, all the operators and transfer functions presented on octagons will abstract strict concrete ones. To simplify our presentation, we wi...
- Harvey, Stuckey (1997). A unit two variable per inequality integer constraint solver for constraint logic programming. [25 citations]
  Context: same passage as for Jaffar, Maher, et al. (1994) above.
- Rugina (2004). Quantitative Shape Analysis. [25 citations]
  Context: ...oduce numerical quantities, and hence, are parametrized by numerical abstract domains. Well-known examples include pointer aliasing analyses by Deutsch [23] and Venet [53], a shape analysis by Rugina [50], a string cleanness analysis by Dor et al. [25], analyses of π-calculus by Feret [26], parametric predicate abstractions by Cousot [16], and even liveness analyses such as the termination analysis by...
- Larsen, Weise, et al. (1999). Clock difference diagrams. [21 citations]
  Context: ...f two representations is costly. To address these problems, several alternate data structures have been proposed, based on the concept of decision diagrams. Two examples are Clock Difference Diagrams [36] and Difference Decision Diagrams [47]. Despite the lack of a canonical form for both data structures, inclusion, equality, and emptiness testing algorithms are proposed. It might be interesting, from...
- Venet (2002). Nonuniform alias analysis of recursive data structures and arrays. [20 citations]
  Context: ... instrumented semantics that introduce numerical quantities, and hence, are parametrized by numerical abstract domains. Well-known examples include pointer aliasing analyses by Deutsch [23] and Venet [53], a shape analysis by Rugina [50], a string cleanness analysis by Dor et al. [25], analyses of π-calculus by Feret [26], parametric predicate abstractions by Cousot [16], and even liveness analyses su...
- Feret (2005). The arithmetic-geometric progression abstract domain. [13 citations]
  Context: same passage as for Feret (2004) above.
- Mauborgne (2004). Astrée: Verification of absence of run-time error. [13 citations]
  Context: same passage as for Feret (2004) above.
- Menasche, Berthomieu (1983). Time Petri nets for analyzing and verifying time dependent communication protocols. [11 citations]
  Context: ...only and do not study the more complex problem of manipulating constraint conjunctions. From Bellman's result, people from the model checking community of timed automata [24, 54] and timed Petri nets [40] derived a structure called Difference Bound Matrix (or DBM) allowing the manipulation of conjunctions of potential constraints. They developed algorithms to compute a canonical representation of DBMs...
- Jeannet (2000). Partitionnement Dynamique dans l'Analyse de Relations Linéaires et Application à la Vérification de Programmes Synchrones. Thèse de doctorat, Grenoble INP. [7 citations]
- Cousot, Cousot (1976). Static Determination of Dynamic ... [6 citations]
  Context: ...liveness analyses such as the termination analysis by Colón and Sipma [13]. There already exist several numerical abstract domains. Well-known examples include the interval domain by Cousot and Cousot [17] that discovers variable bounds (∧i Xi ∈ [ai, bi]), Karr's domain [35] that discovers affine equalities between variables (∧j ∑i αij Xi = βj), Cousot and Halbwachs' polyhedron domain [22] for affi...
- Feret (2005). Abstract interpretation of mobile systems. [5 citations]
  Context: ... Well-known examples include pointer aliasing analyses by Deutsch [23] and Venet [53], a shape analysis by Rugina [50], a string cleanness analysis by Dor et al. [25], analyses of π-calculus by Feret [26], parametric predicate abstractions by Cousot [16], and even liveness analyses such as the termination analysis by Colón and Sipma [13]. There already exist several numerical abstract domains. Well-kn...
- Miné. The Octagon abstract domain library. http://www.di.ens.fr/~mine/oct [5 citations]
  Context: ...6. Application to the Astrée Analyzer. The octagon abstract domain presented in this paper has been implemented as a freely available general-purpose library [41]. A simple academic analyzer using this library is included in the distribution and also available on-line [42]. More importantly, the library was incorporated into the Astrée static analyzer [8, 9, 3...
- Miné (2000). Representation of two-variable difference or sum constraint set and application to automatic program analysis. [4 citations]
- Bagnara, Mazzi, Zaffanella (2005). Widening operators for weakly-relational numeric abstractions. [3 citations]
  Context: ... and we can use the following faster algorithm to compute n•: (footnote 1: During the final writing of the present paper, a simpler—yet still cubic—strong closure algorithm has been proposed by Bagnara et al. [5].) StrongClosure (DBM m of size 2n × 2n): for k = 1 to n { for i = 1 to 2n, for j = 1 to 2n: mij ← min(mij, mi(2k−1) + m(2k−1)j, mi(2k) + m(2k)j, ...
- Dor, Rodeh, et al. (2001). Cleanness Checking of String ... [3 citations]
  Context: ...etrized by numerical abstract domains. Well-known examples include pointer aliasing analyses by Deutsch [23] and Venet [53], a shape analysis by Rugina [50], a string cleanness analysis by Dor et al. [25], analyses of π-calculus by Feret [26], parametric predicate abstractions by Cousot [16], and even liveness analyses such as the termination analysis by Colón and Sipma [13]. There already exist sever...