Pentagons: A weakly relational abstract domain for the efficient validation of array accesses
In SAC'08
Abstract

Cited by 26 (10 self)
We introduce Pentagons (Pntg), a weakly relational numerical abstract domain useful for the validation of array accesses in bytecode and intermediate languages (IL). This abstract domain captures properties of the form of x ∈ [a, b] ∧ x < y. It is more precise than the well known Interval domain, but it is less precise than the Octagon domain. The goal of Pntg is to be a lightweight numerical domain useful for adaptive static analysis, where Pntg is used to quickly prove the safety of most array accesses, restricting the use of more precise (but also more expensive) domains to only a small fraction of the code. We implemented the Pntg abstract domain in Clousot, a generic abstract interpreter for .NET assemblies. Using it, we were able to validate 83% of array accesses in the core runtime library mscorlib.dll in a little bit more than 3 minutes.
An Abstract Domain to Discover Interval Linear Equalities
Abstract

Cited by 9 (1 self)
We introduce a new abstract domain, namely the domain of Interval Linear Equalities (itvLinEqs), which generalizes the affine equality domain with interval coefficients by leveraging results from interval linear algebra. The representation of itvLinEqs is based on a row echelon system of interval linear equalities, which natively allows expressing classical linear relations as well as certain topologically nonconvex (even unconnected or nonclosed) properties. The row echelon form limits the expressiveness of the domain but yields polynomial-time domain operations. Interval coefficients enable a sound adaptation of itvLinEqs to floating-point arithmetic. itvLinEqs can be used to infer and propagate interval linear constraints, especially for programs involving uncertain or inexact data. The preliminary experimental results are encouraging: itvLinEqs can find a larger range of invariants than the affine equality domain. Moreover, itvLinEqs provides an efficient alternative to polyhedra-like domains.
Refining the control structure of loops using static analysis
In EMSOFT, 2009
Abstract

Cited by 8 (0 self)
We present a simple yet useful technique for refining the control structure of loops that occur in imperative programs. Loops containing complex control flow are common in synchronous embedded controllers derived from modeling languages such as Lustre, Esterel, and Simulink/Stateflow. Our approach uses a set of labels to distinguish different control paths inside a given loop. The iterations of the loop are abstracted as a finite state automaton over these labels. Subsequently, we use static analysis techniques to identify infeasible iteration sequences and subtract such forbidden sequences from the initial language to obtain a refinement. In practice, the refinement of control flow sequences often simplifies the control flow patterns in the loop. We have applied the refinement technique to improve the precision of abstract interpretation in the presence of widening. Our experiments on a set of complex reactive loop benchmarks clearly show the utility of our refinement techniques. Abstract interpretation with our refinement technique was able to verify all the properties for 10 out of the 13 benchmarks, while abstract interpretation without refinement was able to verify only four. Other potentially useful applications include termination analysis and reverse engineering models from source code.
Abstract interpretation meets convex optimization. Submitted to Journal of Symbolic Computation
Abstract

Cited by 8 (3 self)
Numerical static program analyses by abstract interpretation, e.g., the problem of inferring bounds for the values of numerical program variables, are faced with the problem that the abstract domains often contain infinite ascending chains. In order to nevertheless enforce termination one traditionally applies a widening/narrowing approach that buys the guarantee for termination for loss of precision. However, recently, several interesting alternative approaches for computing numerical invariants by abstract interpretation were developed that aim at higher precision. One interesting research direction in this context is the study of strategy improvement algorithms. Such algorithms are successfully applied for solving two-player zero-sum games. In the present paper we discuss and compare max-strategy and min-strategy improvement algorithms that in particular can be utilized for computing numerical invariants by abstract interpretation. Our goal is to provide the intuitions behind these approaches by focussing on a particular application, namely template-based numerical analysis.
A policy iteration technique for time elapse over template polyhedra
In HSCC, volume 4981 of LNCS, 2008
Abstract

Cited by 7 (4 self)
We present a technique to compute overapproximations of the time trajectories of an affine hybrid system using template polyhedra. Such polyhedra are obtained by conjoining a set of inequality templates with varying constant coefficients. Given a set of template expressions, we show the existence of a smallest template polyhedron that is a positive invariant w.r.t. the dynamics of the continuous variables, and hence, an overapproximation of the time trajectories. However, the least invariant is hard to compute efficiently. Therefore, we propose a policy iteration technique that iterates over the space of invariant certificates to converge onto a solution that is close to the least solution. We incorporate our ideas in our prototype tool TimePass for safety verification of affine hybrid systems, with promising results on benchmarks.
Generalizing the Template Polyhedral Domain
Abstract

Cited by 4 (0 self)
Template polyhedra generalize weakly relational domains by specifying arbitrary fixed linear expressions on the left-hand sides of inequalities and undetermined constants on the right. The domain operations required for analysis over template polyhedra can be computed in polynomial time using linear programming. In this paper, we introduce the generalized template polyhedral domain that extends template polyhedra using fixed left-hand side expressions with bilinear forms involving program variables and unknown parameters to the right. We prove that the domain operations over generalized templates can be defined as the “best possible abstractions” of the corresponding polyhedral domain operations. The resulting analysis can straddle the entire space of linear relation analysis starting from the template domain to the full polyhedral domain. We show that analysis in the generalized template domain can be performed by dualizing the join, postcondition and widening operations. We also investigate the special case of template polyhedra wherein each bilinear form has at most two parameters. For this domain, we use the special properties of two dimensional polyhedra and techniques from fractional linear programming to derive domain operations that can be implemented in polynomial time over the number of variables in the program and the size of the polyhedra. We present applications of generalized template polyhedra to strengthen previously obtained invariants by converting them into templates. We describe an experimental evaluation of an implementation over several benchmark systems.
Policy iteration within logico-numerical abstract domains
In Proceedings of ATVA'11, 9th International Symposium on Automated Technology for Verification and Analysis, volume 6996 of Lecture Notes in Computer Science, 2011
Abstract

Cited by 4 (1 self)
Policy Iteration is an algorithm for the exact solving of optimization and game theory problems, formulated as equations on min-max affine expressions. It has been shown that the problem of finding the least fixpoint of semantic equations on some abstract domains can be reduced to such optimization problems. This enables the use of Policy Iteration to solve such equations, instead of the traditional Kleene iteration that performs approximations to ensure convergence. We first show in this paper that under some conditions the concept of Policy Iteration can be integrated into numerical abstract domains in a generic way. This considerably widens their applicability in static analysis. We consider here the verification of programs manipulating Boolean and numerical variables, and we provide an efficient method to integrate the concept of policy in a logico-numerical abstract domain that mixes Boolean and numerical properties. Our experiments show the benefit of our approach compared to a naive application of Policy Iteration to such programs.