Checking Array Bounds by Abstract Interpretation and Symbolic Expressions

  • Étienne Payet
  • Fausto Spoto
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10900)


Array access out of bounds is a typical programming error. From the ’70s, static analysis has been used to identify where such errors actually occur at runtime, through abstract interpretation into linear constraints. However, feasibility and scalability to modern object-oriented code has not been established yet. This article builds on previous work on linear constraints and shows that the result does not scale, when polyhedra implement the linear constraints, while the more abstract zones scale to the analysis of medium-size applications. Moreover, this article formalises the inclusion of symbolic expressions in the constraints and shows that this improves its precision. Expressions are automatically selected on-demand. The resulting analysis applies to code with dynamic memory allocation and arrays held in expressions. It is sound, also in the presence of arbitrary side-effects. It is fully defined in the abstract interpretation framework and does not use any code instrumentation. Its proof of correctness, its implementation inside the commercial Julia analyzer and experiments on third-party code complete the work.


  1. 1.
    Albert, E., Arenas, P., Genaim, S., Puebla, G.: Field-sensitive value analysis by field-insensitive analysis. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 370–386. Springer, Heidelberg (2009). Scholar
  2. 2.
    Albert, E., Arenas, P., Genaim, S., Puebla, G., Ramírez Deantes, D.V.: From object fields to local variables: a practical approach to field-sensitive analysis. In: Cousot, R., Martel, M. (eds.) SAS 2010. LNCS, vol. 6337, pp. 100–116. Springer, Heidelberg (2010). Scholar
  3. 3.
    Bagnara, R., Hill, P.M., Zaffanella, E.: The Parma Polyhedra Library: toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems. Sci. Comput. Program. 72(1–2), 3–21 (2008)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Bagnara, R., Hill, P.M., Zaffanella, E.: Applications of polyhedral computations to the analysis and verification of hardware and software systems. Theoret. Comput. Sci. 410(46), 4672–4691 (2009)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Principles of Programming Languages (POPL), pp. 238–252 (1977)Google Scholar
  6. 6.
    Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: The Astrée analyzer. In: European Symposium on Programming (ESOP), pp. 21–30 (2005)CrossRefGoogle Scholar
  7. 7.
    Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Rival, X.: Why does Astrée scale up? Formal Methods Syst. Des. 35(3), 229–264 (2009)CrossRefGoogle Scholar
  8. 8.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Principles of Programming Languages (POPL), Tucson, Arizona, USA, pp. 84–96, January 1978Google Scholar
  9. 9.
    Lindholm, T., Yellin, F., Bracha, G., Buckley, A.: The Java\(^{TM}\) Virtual Machine Specification. Financial Times/Prentice Hall, Upper Saddle River (2013)Google Scholar
  10. 10.
    Miné, A.: Weakly relational numerical abstract domains. Ph.D. thesis, École Polytechnique, Paris, France (2004)Google Scholar
  11. 11.
    Miné, A.: Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics. In: Languages, Compilers, and Tools for Embedded Systems (LCTES), Ottawa, Ontario, Canada, pp. 54–63 (2006)Google Scholar
  12. 12.
    Miné, A.: The octagon abstract domain. High.-Order Symbolic Comput. 19(1), 31–100 (2006)CrossRefGoogle Scholar
  13. 13.
    Nikolic, D., Spoto, F.: Reachability analysis of program variables. Trans. Program. Lang. Syst. 35(4), 14:1–14:68 (2013)CrossRefGoogle Scholar
  14. 14.
    Payet, É., Spoto, F.: Index Checking Experiments (2017).
  15. 15.
    Santino, J.: Enforcing correct array indexes with a type system. In: Foundations of Software Engineering (FSE), pp. 1142–1144. ACM, Seattle (2016)Google Scholar
  16. 16.
    Secci, S., Spoto, F.: Pair-sharing analysis of object-oriented programs. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 320–335. Springer, Heidelberg (2005). Scholar
  17. 17.
    Spoto, F.: The Julia static analyzer for Java. In: Rival, X. (ed.) SAS 2016. LNCS, vol. 9837, pp. 39–57. Springer, Heidelberg (2016). Scholar
  18. 18.
    Spoto, F., Jensen, T.P.: Class analyses as abstract interpretations of trace semantics. Trans. Program. Lang. Syst. 25(5), 578–630 (2003)CrossRefGoogle Scholar
  19. 19.
    Spoto, F., Mesnard, F., Payet, É.: A termination analyzer for Java bytecode based on path-length. Trans. Program. Lang. Syst. 32(3), 8:1–8:70 (2010)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Laboratoire d’Informatique et de MathématiquesUniversité de la RéunionSaint-DenisFrance
  2. 2.Dipartimento di InformaticaUniversità di VeronaVeronaItaly

Personalised recommendations