Advertisement

Generalizing the Template Polyhedral Domain

  • Michael A. Colón
  • Sriram Sankaranarayanan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6602)

Abstract

Template polyhedra generalize weakly relational domains by specifying arbitrary fixed linear expressions on the left-hand sides of inequalities and undetermined constants on the right. The domain operations required for analysis over template polyhedra can be computed in polynomial time using linear programming. In this paper, we introduce the generalized template polyhedral domain that extends template polyhedra using fixed left-hand side expressions with bilinear forms involving program variables and unknown parameters to the right. We prove that the domain operations over generalized templates can be defined as the “best possible abstractions” of the corresponding polyhedral domain operations. The resulting analysis can straddle the entire space of linear relation analysis starting from the template domain to the full polyhedral domain.

We show that analysis in the generalized template domain can be performed by dualizing the join, post-condition and widening operations. We also investigate the special case of template polyhedra wherein each bilinear form has at most two parameters. For this domain, we use the special properties of two dimensional polyhedra and techniques from fractional linear programming to derive domain operations that can be implemented in polynomial time over the number of variables in the program and the size of the polyhedra. We present applications of generalized template polyhedra to strengthen previously obtained invariants by converting them into templates. We describe an experimental evaluation of an implementation over several benchmark systems.

Keywords

Bilinear Form Program Variable Linear Expression Abstract Domain Generalize Template 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Adjé, A., Gaubert, S., Goubault, E.: Coupling policy iteration with semi-definite relaxation to compute accurate numerical invariants in static analysis. In: Gordon, A.D. (ed.) ESOP 2010. LNCS, vol. 6012, pp. 23–42. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Bagnara, R., Ricci, E., Zaffanella, E., Hill, P.M.: Possibly not closed convex polyhedra and the Parma Polyhedra Library. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 213–229. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  3. 3.
    Bardin, S., Finkel, A., Leroux, J., Petrucci, L.: FAST: fast accelereation of symbolic transition systems. In: Hunt Jr., W.A., Somenzi, F. (eds.) CAV 2003. LNCS, vol. 2725, pp. 118–121. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: Design and implementation of a special-purpose static program analyzer for safety-critical real-time embedded software (invited chapter). In: Mogensen, T.Æ., Schmidt, D.A., Sudborough, I.H. (eds.) The Essence of Computation. LNCS, vol. 2566, pp. 85–108. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Boyd, S., Vandenberghe, S.: Convex Optimization. Cambridge University Press, Cambridge (2004), http://www.stanford.edu/~boyd/cvxbook.html CrossRefzbMATHGoogle Scholar
  6. 6.
    Chatterjee, S., Lahiri, S.K., Qadeer, S., Rakamaric, Z.: A reachability predicate for analyzing low-level software. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 19–33. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Clarisó, R., Cortadella, J.: The octahedron abstract domain. Science of Computer Programming 64(1), 115–139 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Colón, M.A.: Deductive Techniques for Program Analysis. PhD thesis, Stanford University (2003)Google Scholar
  9. 9.
    Corman, T., Leiserson, C.F., Rivest, R.: Introduction to Algorithms. McGraw Hill, New York (1990)Google Scholar
  10. 10.
    Cousot, P., Cousot, R.: Static determination of dynamic properties of programs. In: Proc. ISOP 1976, Dunod, Paris, France, pp. 106–130 (1976)Google Scholar
  11. 11.
    Cousot, P., Cousot, R.: Abstract Interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL, pp. 238–252 (1977)Google Scholar
  12. 12.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among the variables of a program. In: POPL 1978, pp. 84–97 (January 1978)Google Scholar
  13. 13.
    de Moura, L.M., Bjørner, N.: Z3: An efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    Ferrara, P., Logozzo, F., Fähndrich, M.: Safer unsafe code for .NET. In: OOPSLA, pp. 329–346. ACM, New York (2008)Google Scholar
  15. 15.
    Gaubert, S., Goubault, E., Taly, A., Zennou, S.: Static analysis by policy iteration on relational domains. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 237–252. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Gawlitza, T., Seidl, H.: Precise fixpoint computation through strategy iteration. In: De Nicola, R. (ed.) ESOP 2007. LNCS, vol. 4421, pp. 300–315. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  17. 17.
    Gupta, A., Rybalchenko, A.: InvGen: An efficient invariant generator. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 634–640. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Halbwachs, N., Proy, Y.-E., Roumanoff, P.: Verification of real-time systems using linear relation analysis. Formal Methods in System Design 11(2), 157–185 (1997)CrossRefGoogle Scholar
  19. 19.
    Henzinger, T.A., Ho, P.: HyTech: The Cornell hybrid technology tool. In: Antsaklis, P.J., Kohn, W., Nerode, A., Sastry, S.S. (eds.) HS 1994. LNCS, vol. 999, pp. 265–293. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  20. 20.
    Howe, J., King, A.: Logahedra: A new weakly relational domain. In: Liu, Z., Ravn, A.P. (eds.) ATVA 2009. LNCS, vol. 5799, pp. 306–320. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. 21.
    Ivančić, F., Sankaranarayanan, S., Shlyakhter, I., Gupta, A.: Buffer overflow analysis using environment refinement 2009. Draft (2009)Google Scholar
  22. 22.
    Ivančić, F., Shlyakhter, I., Gupta, A., Ganai, M.K.: Model checking C programs using F-SOFT. In: ICCD, pp. 297–308. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  23. 23.
    Jarvis, R.A.: On the identification of the convex hull of a finite set of points in the plane. Information Processing Letters 2(1), 18–21 (1973)CrossRefzbMATHGoogle Scholar
  24. 24.
    Jeannet, B., Miné, A.: Apron: A library of numerical abstract domains for static analysis. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 661–667. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  25. 25.
    Kanade, A., Alur, R., Ivančić, F., Ramesh, S., Sankaranarayanan, S., Sashidhar, K.: Generating and analyzing symbolic traces of Simulink/Stateflow models. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 430–445. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  26. 26.
    Logozzo, F., Fähndrich, M.: Pentagons: A weakly relational abstract domain for the efficient validation of array accesses. Sci. Comp. Prog. 75(9), 796–807 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Manna, Z., Pnueli, A.: Temporal Verification of Reactive Systems: Safety. Springer, New York (1995)CrossRefzbMATHGoogle Scholar
  28. 28.
    Miné, A.: A new numerical abstract domain based on difference-bound matrices. In: Danvy, O., Filinski, A. (eds.) PADO 2001. LNCS, vol. 2053, pp. 155–172. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  29. 29.
    Miné, A.: Symbolic methods to enhance the precision of numerical abstract domains. In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 348–363. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  30. 30.
    Monniaux, D.: Automatic modular abstractions for template numerical constraints. Logical Methods in Computer Science 6(3) (2010)Google Scholar
  31. 31.
    Motzkin, T.S., Raiffa, H., Thompson, G.L., Thrall, R.M.: The double description method. In: Contributions to the theory of games. Annals of Mathematics Studies, vol. 2, pp. 51–73. Princeton University Press, Princeton (1953)Google Scholar
  32. 32.
    Sankaranarayanan, S., Colón, M.A., Sipma, H., Manna, Z.: Efficient strongly relational polyhedral analysis. In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 111–125. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  33. 33.
    Sankaranarayanan, S., Ivančić, F., Gupta, A.: Program analysis using symbolic ranges. In: Riis Nielson, H., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 366–383. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  34. 34.
    Sankaranarayanan, S., Sipma, H.B., Manna, Z.: Scalable analysis of linear systems using mathematical programming. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 25–41. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  35. 35.
    Schrijver, A.: Theory of Linear and Integer Programming. Wiley, Chichester (1986)zbMATHGoogle Scholar
  36. 36.
    Simon, A.: Value-Range Analysis of C Programs: Towards Proving the Absence of Buffer Overflow Vulnerabilities. Springer, Heidelberg (2008)CrossRefzbMATHGoogle Scholar
  37. 37.
    Simon, A., King, A., Howe, J.M.: Two variables per linear inequality as an abstract domain. In: Leuschel, M. (ed.) LOPSTR 2002. LNCS, vol. 2664, pp. 71–89. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  38. 38.
    Srivastava, S., Gulwani, S.: Program verification using templates over predicate abstraction. In: PLDI 2009, pp. 223–234. ACM, New York (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Michael A. Colón
    • 1
  • Sriram Sankaranarayanan
    • 2
  1. 1.U.S. Naval Research LaboratoryWashington
  2. 2.University of ColoradoBoulder

Personalised recommendations