Advertisement

Automating Abstract Interpretation

  • Thomas Reps
  • Aditya Thakur
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9583)

Abstract

Abstract interpretation has a reputation of being a kind of “black art,” and consequently difficult to work with. This paper describes a twenty-year quest by the first author to address this issue by raising the level of automation in abstract interpretation. The most recent leg of this journey is the subject of the second author’s 2014 Ph.D. dissertation. The paper discusses several different approaches to creating correct-by-construction analyzers. Our research has allowed us to establish connections between this problem and several other areas of computer science, including automated reasoning/decision procedures, concept learning, and constraint programming.

Keywords

Abstract Interpretation Concrete State Abstract Domain Separation Logic Quantifier Elimination 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Notes

Acknowledgments

T. Reps would like to thank the many people with whom he collaborated on the work described in the paper (as well as work that motivated the work described): for shape analysis: M. Sagiv, R. Wilhelm, a long list of their former students, as well as his own former students A. Loginov and D. Gopan; for machine-code analysis: G. Balakrishnan, J. Lim, Z. Xu, B. Miller, D. Gopan, A. Thakur, E. Driscoll, A. Lal, M. Elder, T. Sharma, and researchers at GrammaTech, Inc.; for symbolic abstraction: M. Sagiv, G. Yorsh, A. Thakur, M. Elder, T. Sharma, J. Breck, and A. Miné.

The work has been supported for many years by grants and contracts from NSF, DARPA, ONR, ARL, AFOSR, HSARPA, and GrammaTech, Inc. Special thanks go to R. Wachter, F. Anger, T. Teitelbaum and A. White.

Current support comes from a gift from Rajiv and Ritu Batra; DARPA under cooperative agreement HR0011-12-2-0012; AFRL under DARPA MUSE award FA8750-14-2-0270 and DARPA STAC award FA8750-15-C-0082; and the UW-Madison Office of the Vice Chancellor for Research and Graduate Education with funding from WARF. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors, and do not necessarily reflect the views of the sponsoring organizations.

References

  1. 1.
    Akers Jr, S.: On a theory of Boolean functions. J. SIAM 7(4), 487–498 (1959)zbMATHGoogle Scholar
  2. 2.
    Angluin, D.: Learning regular sets from queries and counterexamples. Inf. Comput. 75(2), 87–106 (1987)zbMATHMathSciNetCrossRefGoogle Scholar
  3. 3.
    Apt, K.: The essence of constraint propagation. TCS 221, 179–210 (1999)zbMATHMathSciNetCrossRefGoogle Scholar
  4. 4.
    Arnold, G., Manevich, R., Sagiv, M., Shaham, R.: Combining shape analyses by intersecting abstractions. In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 33–48. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Bagnara, R., Hill, P.M., Zaffanella, E.: The Parma Polyhedra Library: Toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems. SCP 72(1–2), 3–21 (2008)MathSciNetGoogle Scholar
  6. 6.
    Balakrishnan, G., Reps, T.: WYSINWYX: what you see is not what you eXecute. TOPLAS 32(6), 202–213 (2010)CrossRefGoogle Scholar
  7. 7.
    Ball, T., Podelski, A., Rajamani, S.K.: Boolean and cartesian abstraction for model checking C programs. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 268–283. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  8. 8.
    Barrett, E., King, A.: Range and set abstraction using SAT. ENTCS 267(1), 17–27 (2010)Google Scholar
  9. 9.
    Beyer, D., Cimatti, A., Griggio, A., Keremoglu, M., Sebastiani, R.: Software model checking via large-block encoding. In: FMCAD (2009)Google Scholar
  10. 10.
    Beyer, D., Keremoglu, M., Wendler, P.: Predicate abstraction with adjustable-block encoding. In: FMCAD (2010)Google Scholar
  11. 11.
    Boerger, E., Staerk, R.: Abstract State Machines: A Method for High-Level System Design and Analysis. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. 12.
    Bogudlov, I., Lev-Ami, T., Reps, T., Sagiv, M.: Revamping TVLA: Making parametric shape analysis competitive. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 221–225. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Brauer, J., King, A.: Automatic abstraction for intervals using Boolean formulae. In: Cousot, R., Martel, M. (eds.) SAS 2010. LNCS, vol. 6337, pp. 167–183. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Bush, W., Pincus, J., Sielaff, D.: A static analyzer for finding dynamic programming errors. Softw. Pract. Experience 30, 775–802 (2000)zbMATHCrossRefGoogle Scholar
  15. 15.
    Calcagno, C., Distefano, D., O’Hearn, P.W., Yang, H.: Footprint analysis: A shape analysis that discovers preconditions. In: Riis Nielson, H., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 402–418. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Clarke, E., Kroening, D., Sharygina, N., Yorav, K.: Predicate abstraction of ANSI-C programs using SAT. FMSD 25(2–3), 125–127 (2004)Google Scholar
  17. 17.
    Cousot, P.: Verification by abstract interpretation. In: Verification Theory and Practice (2003)Google Scholar
  18. 18.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: POPL (1977)Google Scholar
  19. 19.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: POPL (1979)Google Scholar
  20. 20.
    Cousot, P., Cousot, R., Mauborgne, L.: Theories, solvers and static analysis by abstract interpretation. J. ACM 59(6), Article No. 31 (2012)Google Scholar
  21. 21.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear constraints among variables of a program. In: POPL (1978)Google Scholar
  22. 22.
    Cousot, P., Monerau, M.: Probabilistic abstract interpretation. In: Seidl, H. (ed.) Programming Languages and Systems. LNCS, vol. 7211, pp. 169–193. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  23. 23.
    Craig, W.: Three uses of the Herbrand-Gentzen theorem in relating model theory and proof theory. J. Symbolic Logic 22(3), 269–285 (1957)zbMATHMathSciNetCrossRefGoogle Scholar
  24. 24.
    Distefano, D., O’Hearn, P.W., Yang, H.: A local shape analysis based on separation logic. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 287–302. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  25. 25.
    Dong, G., Su, J.: Incremental and decremental evaluation of transitive closure by first-order queries. Inf. Comp. 120, 101–106 (1995)zbMATHMathSciNetCrossRefGoogle Scholar
  26. 26.
    Elder, M., Gopan, D., Reps, T.: View-augmented abstractions. ENTCS 267(1), 43–57 (2010)Google Scholar
  27. 27.
    Elder, M., Lim, J., Sharma, T., Andersen, T., Reps, T.: Abstract domains of affine relations. TOPLAS 36(4), 1–73 (2014)CrossRefGoogle Scholar
  28. 28.
    Futamura, Y.: Partial evaluation of computation process - an approach to a compiler-compiler. Higher-Order and Symb. Comp., 12(4) (1999). Reprinted from Systems \(\cdot \) Computers \(\cdot \) Controls 2(5) (1971)Google Scholar
  29. 29.
    Gopan, D., Reps, T.: Lookahead widening. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 452–466. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  30. 30.
    Gopan, D., Reps, T.: Guided static analysis. In: Riis Nielson, H., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 349–365. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  31. 31.
    Graf, S., Saïdi, H.: Construction of abstract state graphs with PVS. In: CAV (1997)Google Scholar
  32. 32.
    Gulwani, S., Musuvathi, M.: Cover algorithms and their combination. In: Drossopoulou, S. (ed.) ESOP 2008. LNCS, vol. 4960, pp. 193–207. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  33. 33.
    Gupta, A., Mumick, I. (eds.): Materialized Views: Techniques, Implementations, and Applications. The M.I.T. Press, Cambridge, MA (1999)Google Scholar
  34. 34.
    Jackson, D.: Software Abstractions: Logic, Language, and Analysis. The M.I.T. Press, Cambridge (2006)Google Scholar
  35. 35.
    Jeannet, B., Loginov, A., Reps, T., Sagiv, M.: A relational approach to interprocedural shape analysis. TOPLAS 32(2), 5:1–5:2 (2010)CrossRefGoogle Scholar
  36. 36.
    Johnson, S.: YACC: Yet another compiler-compiler. Technical Report Comp. Sci. Tech. Rep. 32, Bell Laboratories (1975)Google Scholar
  37. 37.
    Jones, N., Gomard, C., Sestoft, P.: Partial Evaluation and Automatic Program Generation. Prentice-Hall International (1993)Google Scholar
  38. 38.
    Karr, M.: Affine relationship among variables of a program. Acta Inf. 6, 133–151 (1976)zbMATHMathSciNetCrossRefGoogle Scholar
  39. 39.
    Kearns, M.J., Vazirani, U.V.: An Introduction to Computational Learning Theory. MIT Press, Cambridge, MA, USA (1994)Google Scholar
  40. 40.
    King, A., Søndergaard, H.: Automatic abstraction for congruences. In: Barthe, G., Hermenegildo, M. (eds.) VMCAI 2010. LNCS, vol. 5944, pp. 197–213. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  41. 41.
    Kozen, D.: Semantics of probabilistic programs. JCSS 22(3), 328–350 (1981)zbMATHMathSciNetGoogle Scholar
  42. 42.
    Lev-Ami, T., Sagiv, M.: TVLA: A system for implementing static analyses. In: Palsberg, J. (ed.) Static Analysis. LNCS, vol. 1824, pp. 280–301. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  43. 43.
    Li, Y., Albarghouthi, A., Kincaid, Z., Gurfinkel, A., Chechik, M.: Symbolic optimization with smt solvers. In: POPL (2014)Google Scholar
  44. 44.
    Lim, J., Lal, A., Reps, T.: Symbolic analysis via semantic reinterpretation. STTT 13(1), 61–87 (2011)CrossRefGoogle Scholar
  45. 45.
    Lim, J., Reps, T.: TSL: A system for generating abstract interpreters and its application to machine-code analysis. In: TOPLAS, 35(1), (2013). Article 4Google Scholar
  46. 46.
    Malmkjær, K.: Abstract Interpretation of Partial-Evaluation Algorithms. Ph.D. thesis, Dept. of Comp. and Inf. Sci., Kansas State Univ. (1993)Google Scholar
  47. 47.
    McMillan, K.: Don’t-care computation using k-clause approximation. In: IWLS (2005)Google Scholar
  48. 48.
    Miné, A.: The octagon abstract domain. In: WCRE (2001)Google Scholar
  49. 49.
    Miné, A.: A few graph-based relational numerical abstract domains. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 117–132. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  50. 50.
    Miné, A., Breck, J., Reps, T.: An algorithm inspired by constraint solvers to infer inductive invariants in numeric programs. Submitted for publication (2015)Google Scholar
  51. 51.
    Mitchell, T.: Machine Learning. WCB/McGraw-Hill, Boston, MA (1997)zbMATHGoogle Scholar
  52. 52.
    Monniaux, D.: Abstract interpretation of probabilistic semantics. In: Palsberg, J. (ed.) Static Analysis. LNCS, vol. 1824, pp. 322–339. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  53. 53.
    Monniaux, D.: Automatic modular abstractions for template numerical constraints. LMCS 6(3), 4 (2010)MathSciNetGoogle Scholar
  54. 54.
    Montanari, U.: Networks of constraints: Fundamental properties and applications to picture processing. Inf. Sci. 7(2), 95–132 (1974)zbMATHMathSciNetCrossRefGoogle Scholar
  55. 55.
    Müller-Olm, M., Seidl, H.: Precise interprocedural analysis through linear algebra. In: POPL (2004)Google Scholar
  56. 56.
    Mycroft, A., Jones, N.: A relational framework for abstract interpretation. In: Programs as Data Objects (1985)Google Scholar
  57. 57.
    Mycroft, A., Jones, N.: Data flow analysis of applicative programs using minimal function graphs. In: POPL (1986)Google Scholar
  58. 58.
    Nielson, F.: Two-level semantics and abstract interpretation. TCS 69, 117–242 (1989)zbMATHMathSciNetCrossRefGoogle Scholar
  59. 59.
    Patnaik, S., Immerman, N.: Dyn-FO: A parallel, dynamic complexity class. JCSS 55(2), 199–209 (1997)MathSciNetGoogle Scholar
  60. 60.
    Pelleau, M., Miné, A., Truchet, C., Benhamou, F.: A constraint solver based on abstract domains. In: Giacobazzi, R., Berdine, J., Mastroeni, I. (eds.) VMCAI 2013. LNCS, vol. 7737, pp. 434–454. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  61. 61.
    Regehr, J., Reid, A.: HOIST: A system for automatically deriving static analyzers for embedded systems. In: ASPLOS (2004)Google Scholar
  62. 62.
    Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: POPL (1995)Google Scholar
  63. 63.
    Reps, T., Sagiv, M., Loginov, A.: Finite differencing of logical formulas for static analysis. TOPLAS 6(32), 1–55 (2010)CrossRefGoogle Scholar
  64. 64.
    Reps, T., Sagiv, M., Yorsh, G.: Symbolic implementation of the best transformer. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 252–266. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  65. 65.
    Reps, T., Schwoon, S., Jha, S., Melski, D.: Weighted pushdown systems and their application to interprocedural dataflow analysis. SCP 58(1–2), 206–263 (2005)zbMATHMathSciNetGoogle Scholar
  66. 66.
    Reps, T., Thakur, A.: Through the lens of abstraction. In: HCSS (2014)Google Scholar
  67. 67.
    Reps, T., Turetsky, E., Prabhu, P.: Newtonian program analysis via tensor product. In: POPL (2016)Google Scholar
  68. 68.
    Reynolds, J.: Separation logic: A logic for shared mutable data structures. In: LICS (2002)Google Scholar
  69. 69.
    Sagiv, M., Reps, T., Wilhelm, R.: Solving shape-analysis problems in languages with destructive updating. TOPLAS 20(1), 1–50 (1998)CrossRefGoogle Scholar
  70. 70.
    Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3-valued logic. TOPLAS 24(3), 217–298 (2002)CrossRefGoogle Scholar
  71. 71.
    Sankaranarayanan, S., Sipma, H.B., Manna, Z.: Scalable analysis of linear systems using mathematical programming. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 25–41. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  72. 72.
    Scherpelz, E., Lerner, S., Chambers, C.: Automatic inference of optimizer flow functions from semantic meanings. In: PLDI (2007)Google Scholar
  73. 73.
    Sharir, M.: Some observations concerning formal differentiation of set theoretic expressions. TOPLAS 4(2), 196–225 (1982)zbMATHMathSciNetCrossRefGoogle Scholar
  74. 74.
    Sharir, M., Pnueli, A.: Two approaches to interprocedural data flow analysis. Program Flow Analysis Theory and Applications. Prentice-Hall, Englewood Cliffs (1981)Google Scholar
  75. 75.
    Sheeran, M., Stålmarck, G.: A tutorial on Stålmarck’s proof procedure for propositional logic. Formal Methods Syst. Des. 16(1), 23–58 (2000)CrossRefGoogle Scholar
  76. 76.
    Thakur, A.: Symbolic Abstraction: Algorithms and Applications. Ph.D. thesis, Comp. Sci. Dept., Univ. of Wisconsin, Madison, WI, Aug. 2014. Technical Report (1812)Google Scholar
  77. 77.
    Thakur, A., Breck, J., Reps, T.: Satisfiability modulo abstraction for separation logic with linked lists. In: Spin Workshop (2014)Google Scholar
  78. 78.
    Thakur, A., Elder, M., Reps, T.: Bilateral algorithms for symbolic abstraction. In: Miné, A., Schmidt, D. (eds.) SAS 2012. LNCS, vol. 7460, pp. 111–128. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  79. 79.
    Thakur, A., Lal, A., Lim, J., Reps, T.: PostHat and all that: Automating abstract interpretation. ENTCS 311, 15–32 (2015)Google Scholar
  80. 80.
    Thakur, A., Lim, J., Lal, A., Burton, A., Driscoll, E., Elder, M., Andersen, T., Reps, T.: Directed proof generation for machine code. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 288–305. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  81. 81.
    Thakur, A., Reps, T.: A generalization of Stålmarck’s method. In: SAS (2012)Google Scholar
  82. 82.
    Thakur, A., Reps, T.: A method for symbolic computation of abstract operations. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS, vol. 7358, pp. 174–192. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  83. 83.
    Valiant, L.G.: A theory of the learnable. Commun. ACM 27(11), 1134–1142 (1984)zbMATHCrossRefGoogle Scholar
  84. 84.
    Yahav, E.: Verifying safety properties of concurrent Java programs using 3-valued logic. In: POPL (2001)Google Scholar
  85. 85.
    Yorsh, G., Reps, T., Sagiv, M.: Symbolically computing most-precise abstract operations for shape analysis. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 530–545. Springer, Heidelberg (2004)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.University of WisconsinMadisonUSA
  2. 2.GrammaTech, Inc.IthacaUSA
  3. 3.Google, Inc.Mountain ViewUSA

Personalised recommendations