Advertisement

Loop Summarization Using Abstract Transformers

  • Daniel Kroening
  • Natasha Sharygina
  • Stefano Tonetta
  • Aliaksei Tsitovich
  • Christoph M. Wintersteiger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5311)

Abstract

Existing program analysis tools that implement abstraction rely on saturating procedures to compute over-approximations of fixpoints. As an alternative, we propose a new algorithm to compute an over-approximation of the set of reachable states of a program by replacing loops in the control flow graph by their abstract transformer. Our technique is able to generate diagnostic information in case of property violations, which we call leaping counterexamples. We have implemented this technique and report experimental results on a set of large ANSI-C programs using abstract domains that focus on properties related to string-buffers.

Keywords

Abstract Interpretation Abstract Domain Loop Body Galois Connection Discrimination Rate 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252 (1977)Google Scholar
  2. 2.
    Cousot, P., Halbwachs, N.: Automatic Discovery of Linear Restraints Among Variables of a Program. In: POPL, pp. 84–96 (1978)Google Scholar
  3. 3.
    Cousot, P., Cousot, R.: Comparing the Galois connection and widening/narrowing approaches to abstract interpretation. In: Bruynooghe, M., Wirsing, M. (eds.) PLILP 1992. LNCS, vol. 631, pp. 269–295. Springer, Heidelberg (1992)CrossRefGoogle Scholar
  4. 4.
    Reps, T.W., Sagiv, S., Yorsh, G.: Symbolic Implementation of the Best Transformer. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 252–266. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Clarke, E.M., Kroening, D., Sharygina, N., Yorav, K.: Predicate abstraction of ANSI-C programs using SAT. FMSD 25, 105–127 (2004)zbMATHGoogle Scholar
  6. 6.
    Gopan, D., Reps, T.W.: Low-level library analysis and summarization. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 68–81. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis. In: Program Flow Analysis: theory and applications. Prentice-Hall, Englewood Cliffs (1981)Google Scholar
  8. 8.
    Aiken, A., Bugrara, S., Dillig, I., Dillig, T., Hackett, B., Hawkins, P.: An overview of the Saturn project. In: PASTE, pp. 43–48. ACM, New York (2007)CrossRefGoogle Scholar
  9. 9.
    Babic, D., Hu, A.J.: Calysto: scalable and precise extended static checking. In: ICSE, pp. 211–220. ACM, New York (2008)CrossRefGoogle Scholar
  10. 10.
    Jackson, D., Vaziri, M.: Finding bugs with a constraint solver. In: ISSTA, pp. 14–25 (2000)Google Scholar
  11. 11.
    Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  12. 12.
    Clarke, E., Grumberg, O., Peled, D.A.: Model checking. MIT Press, Cambridge (1999)Google Scholar
  13. 13.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: POPL, pp. 269–282 (1979)Google Scholar
  14. 14.
    Graf, S., Saïdi, H.: Construction of abstract state graphs with PVS. In: Grumberg, O. (ed.) CAV 1997. LNCS, vol. 1254, pp. 72–83. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  15. 15.
    Lahiri, S.K., Ball, T., Cook, B.: Predicate abstraction via symbolic decision procedures. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 24–38. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  16. 16.
    Kroening, D., Sharygina, N.: Approximating predicate images for bit-vector logic. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 242–256. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  17. 17.
    Lahiri, S.K., Nieuwenhuis, R., Oliveras, A.: SMT techniques for fast predicate abstraction. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 424–437. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  18. 18.
    Cavada, R., Cimatti, A., Franzén, A., Kalyanasundaram, K., Roveri, M., Shyamasundar, R.K.: Computing predicate abstractions by integrating BDDs and SMT solvers. In: FMCAD, pp. 69–76. IEEE, Los Alamitos (2007)Google Scholar
  19. 19.
    Tarjan, R.E.: Fast algorithms for solving path problems. J. ACM 28, 594–614 (1981)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Ashcroft, E., Manna, Z.: The translation of ’go to’ programs to ’while’ programs, pp. 49–61 (1979)Google Scholar
  21. 21.
    Dor, N., Rodeh, M., Sagiv, S.: CSSV: towards a realistic tool for statically detecting all buffer overflows in C. In: PLDI, pp. 155–167 (2003)Google Scholar
  22. 22.
    Zitser, M., Lippmann, R., Leek, T.: Testing static analysis tools using exploitable buffer overflows from open source code. In: SIGSOFT FSE, pp. 97–106 (2004)Google Scholar
  23. 23.
    Ku, K., Hart, T.E., Chechik, M., Lie, D.: A buffer overflow benchmark for software model checkers. In: ASE 2007, pp. 389–392. ACM Press, New York (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Daniel Kroening
    • 1
  • Natasha Sharygina
    • 2
    • 5
  • Stefano Tonetta
    • 3
  • Aliaksei Tsitovich
    • 2
  • Christoph M. Wintersteiger
    • 4
  1. 1.Computing LaboratoryOxford UniversityUK
  2. 2.University of LuganoSwitzerland
  3. 3.Fondazione Bruno KesslerTrentoItaly
  4. 4.Computer Systems InstituteETH ZurichSwitzerland
  5. 5.School of Computer ScienceCarnegie Mellon UniversityUSA

Personalised recommendations