### Citations

2303 |
Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs by Construction or Approximation of Fixpoints. In:
- Cousot, Cousot
- 1977
(Show Context)
Citation Context ...ut whether errors can still happen in the future. More precisely, we present the following contributions: 1. We present a combination of forward and backward analysis based on abstract interpretation =-=[7]-=- of an intermediary language obtained from Java bytecode. This analysis allows us to state whether a program can still run into errors in its future. 2. We describe the implementation of the rddsa ext... |

723 | Automatic discovery of linear restraints among variables of a program.
- Cousot, Halbwachs
- 1978
(Show Context)
Citation Context ...P = ∧ m∑ Φ(i) ∑ aj,k · xj.fk ≤ ci 0≤i≤n j=1 k=1 The use of polyhedra to discover relations among variables is almost as old as abstract interpretation, it was first introduced by Cousot and Halbwachs =-=[8]-=-. Much research has been going on to provide efficient libraries [4] and more lightweight abstractions like Octagons [13]. In this chapter we will look at polyhedra from a very high level, leaving out... |

318 | The octagon abstract domain.
- Miné
- 2006
(Show Context)
Citation Context ...old as abstract interpretation, it was first introduced by Cousot and Halbwachs [8]. Much research has been going on to provide efficient libraries [4] and more lightweight abstractions like Octagons =-=[13]-=-. In this chapter we will look at polyhedra from a very high level, leaving out many of the messy details involved in obtaining a fast analysis. 457.1 Adapting the backward analysis to polyhedra Repr... |

76 | Combining unit-level symbolic execution and system-level concrete execution for testing nasa software.
- Pasareanu, Mehlitz, et al.
- 2008
(Show Context)
Citation Context ...are involved. The idea of combining concrete execution with forward symbolic execution was also used in a model checking context (also using Java PathFinder) to generate test cases by Pǎsǎreanu et al =-=[14]-=-. 9.2 Relation to dynamically deployed analysis I already used current program state together with a heap structure analysis based on rules associated with bytecode instructions. This led to the speci... |

57 | Safety checking of machine code
- Xu, Miller, et al.
(Show Context)
Citation Context ...c to come up with a loop error condition that is general enough so that every loop iteration implies it. For this, we turn to the inductioniteration method. The method was used by Xu, Miller and Reps =-=[20]-=- to find loop invariants in machine code, which is very close to the use we have in mind here. It was first introduced by Suzuki and Ishihata [17] for array bounds checking. The notation for error con... |

51 | CrystalBall: Predicting and preventing inconsistencies in deployed distributed systems.
- Yabandeh, Kneževic, et al.
- 2008
(Show Context)
Citation Context ...ed Static Analysis in Java [9], which provided many of the questions that this thesis answers. While working on heap structure, I could not reuse results of the analysis for later checks. CrystalBall =-=[21]-=- uses dynamically obtained state of a distributed system together with state exploration to predict future errors. Because distributed system allow for multiple legal executions, this information is t... |

48 | Jimple: Simplifying Java Bytecode for Analyses and Transformations.
- Vallee-Rai, Hendren
- 1998
(Show Context)
Citation Context ...not very suitable for translation, as many of these instructions are only different in what type of arguments they take. So our starting point is not Java bytecode, but the Jimple intermediate format =-=[19]-=-, which we obtain by using the Soot [18] framework on the class files that need translation. The whole translation process is outlined in figure 4-2. After a translation to Jimple, we are left with fa... |

44 |
Vijay Sundaresan. Soot - a java bytecode optimization framework
- Vallée-Rai, Co, et al.
- 1999
(Show Context)
Citation Context ...ny of these instructions are only different in what type of arguments they take. So our starting point is not Java bytecode, but the Jimple intermediate format [19], which we obtain by using the Soot =-=[18]-=- framework on the class files that need translation. The whole translation process is outlined in figure 4-2. After a translation to Jimple, we are left with far fewer cases to handle: Jimple has less... |

32 |
Rupak Majumdar, Andrey Rybalchenko, and Ru-Gang Xu. Proving non-termination
- Gupta, Henzinger
- 2008
(Show Context)
Citation Context ...ple heap structure, we did not have to resort to modeling field accesses specially. Normally, this can be done by using uninterpreted functions. The paper on Invariant synthesis for combined theories =-=[5]-=- explores how to find such invariants if uninterpreted functions are involved. The idea of combining concrete execution with forward symbolic execution was also used in a model checking context (also ... |

30 |
Pointer-induced aliasing: A problem taxonomy
- Landi, Ryder
- 1991
(Show Context)
Citation Context ...o take all these cases into account, then our program becomes far more difficult. The scenario where multiple variables may point to the same object is called 37the Aliasing problem. Landi and Ryder =-=[11]-=- present a good overview of the problem. There are various ways to reduce the number of choices we have for assignment[9], but this is not the section to talk about such matters. The analysis we perfo... |

22 | Constraint-based invariant inference over predicate abstraction. In
- Gulwani, Srivastava, et al.
- 2009
(Show Context)
Citation Context ...que to infer formulas for loops in programs given as machine code. To infer weakest preconditions, more work can be offloaded to the theorem prover than we do here. Gulwani, Srivastava and Venkatesan =-=[10]-=- encode the formulas at different program cut-points and solve for the weakest liberal precondition at method entry. With their Snugglebug tool, Chandra, Fink and Sridharan [6] presented techniques fo... |

19 |
and Kiyoshi Ishihata. Implementation of an array bound checker
- Suzuki
- 1977
(Show Context)
Citation Context ...on method. The method was used by Xu, Miller and Reps [20] to find loop invariants in machine code, which is very close to the use we have in mind here. It was first introduced by Suzuki and Ishihata =-=[17]-=- for array bounds checking. The notation for error conditions is quite different, however. The first thing we must give up to find a loop error condition is termination. Even if the error condition is... |

15 |
Enea Zaffanella. “The Parma Polyhedra Library: Toward a Complete Set of Numerical Abstractions for the Analysis and
- Bagnara, Hill
(Show Context)
Citation Context ... to discover relations among variables is almost as old as abstract interpretation, it was first introduced by Cousot and Halbwachs [8]. Much research has been going on to provide efficient libraries =-=[4]-=- and more lightweight abstractions like Octagons [13]. In this chapter we will look at polyhedra from a very high level, leaving out many of the messy details involved in obtaining a fast analysis. 45... |

9 |
Enea Zaffanella. Precise widening operators for convex polyhedra
- Bagnara, Hill, et al.
- 2005
(Show Context)
Citation Context ..... This condition assures that if we apply the widening after the convex hull when dealing with loops that we will arrive at a loop error condition after a finite number of iterations. Bagnara et al. =-=[3]-=- give a good overview of what widening techniques can be used with polyhedra. 7.3 Checking error conditions with current state Let’s suppose we obtain the program state the same way we did for formula... |

6 |
Manu Sridharan. Snugglebug: a powerful approach to weakest preconditions
- Chandra, Fink
- 2009
(Show Context)
Citation Context ...vastava and Venkatesan [10] encode the formulas at different program cut-points and solve for the weakest liberal precondition at method entry. With their Snugglebug tool, Chandra, Fink and Sridharan =-=[6]-=- presented techniques for efficient call graph generation by initially skipping over calls and then inserting method calls according to the constraints obtained. They also presented generalization 57... |

1 |
Dynamically deployed static analysis for java. Specialization project report
- Gfeller
- 2009
(Show Context)
Citation Context ...y point to the same object is called 37the Aliasing problem. Landi and Ryder [11] present a good overview of the problem. There are various ways to reduce the number of choices we have for assignment=-=[9]-=-, but this is not the section to talk about such matters. The analysis we perform will work well enough if we approximate field assignments by the sole instruction y := new(). 6.2 Constant propagation... |

1 |
Soot-scala interface
- Lhoták
- 2009
(Show Context)
Citation Context ...erent instructions. What we obtain from this transformation is a CFG containing Jimple instructions in the basic code blocks. These instructions are then further processed by the Soot Scala interface =-=[12]-=-. The transformation from a Jimple CFG to a CFG in our intermediate language takes multiple steps. Let’s outline these steps now. 4.2.1 Null pointers In Java, reference variables might also point to n... |

1 |
The javaTMvirtual machine specification. 13, 14 62 Vijay
- Sun
- 2000
(Show Context)
Citation Context ... Soot soot-scala Jimple CFG Translate to IR Assertions Implicit Jumps ... IR CFG Figure 4-2: Intermediate language translation schema 12Let’s now look at the steps required to get from Java bytecode =-=[15]-=- to a control flow graph of our intermediate language. Java bytecode consists of over 200 individual instructions operating on an operand stack. This is not very suitable for translation, as many of t... |