Static Analysis in Disjunctive Numerical Domains

  • Sriram Sankaranarayanan
  • Franjo Ivančić
  • Ilya Shlyakhter
  • Aarti Gupta
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4134)


The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powerset extensions can remedy this shortcoming by considering disjunctions of predicates. Unfortunately, analysis using powerset domains can be exponentially more expensive as compared to analysis on the base domain. In this paper, we prove structural properties of fixed points computed in commonly used powerset extensions. We show that a fixed point computed on a powerset extension is also a fixed point in the base domain computed on an “elaboration” of the program’s CFG structure. Using this insight, we build analysis algorithms that approach path sensitive static analysis algorithms by performing the fixed point computation on the base domain while discovering an “elaboration” on the fly. Using restrictions on the nature of the elaborations, we design algorithms that scale polynomially in terms of the number of disjuncts. We have implemented a light-weight static analyzer for C programs with encouraging initial results.


Abstract Interpretation Base Domain Abstract Domain Numerical Domain Outgoing Transition 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abramsky, S., Jung, A.: Domain theory. In: Handbook of Logic in Computer Science, ch. 1, vol. 3, pp. 1–168. Clarendon Press, UK (1994)Google Scholar
  2. 2.
    Bagnara, R., Hill, P.M., Zaffanella, E.: Widening operators for powerset domains. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 135–148. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Bagnara, R., Ricci, E., Zaffanella, E., Hill, P.M.: Possibly Not Closed Convex Polyhedra and the Parma Polyhedra Library. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 213–229. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. 4.
    Blanchet, B., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: A static analyzer for large safety-critical software. In: ACM SIGPLAN PLDI 2003, vol. 548030, pp. 196–207. ACM Press, New York (2003)Google Scholar
  5. 5.
    Clarisó, R., Cortadella, J.: The octahedron abstract domain. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 312–327. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Cousot, P., Cousot, R.: Static determination of dynamic properties of programs. In: Proc. Intl. Symp. on Programming, Dunod, pp. 106–130 (1976)Google Scholar
  7. 7.
    Cousot, P., Cousot, R.: Abstract Interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: ACM Principles of Programming Languages, pp. 238–252 (1977)Google Scholar
  8. 8.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Symposium on Principles of Programming Languages (POPL 1979), pp. 269–282. ACM Press, New York (1979)CrossRefGoogle Scholar
  9. 9.
    Cousot, P., Cousot, R.: Comparing the Galois connection and widening/narrowing approaches to Abstract interpretation, invited paper. In: Bruynooghe, M., Wirsing, M. (eds.) PLILP 1992. LNCS, vol. 631, pp. 269–295. Springer, Heidelberg (1992)CrossRefGoogle Scholar
  10. 10.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among the variables of a program. In: ACM POPL, pp. 84–97 (January 1978)Google Scholar
  11. 11.
    Das, M., Lerner, S., Seigle, M.: ESP: Path-sensitive program verification in polynomial time. In: Proceedings of Programming Language Design and Implementation (PLDI 2002), pp. 57–68. ACM Press, New York (2002)CrossRefGoogle Scholar
  12. 12.
    Dor, N., Rodeh, M., Sagiv, M.: CSSV: Towards a realistic tool for statically detecting all buffer overflows in C. In: Proc. PLDI 2003. ACM Press, New York (2003)Google Scholar
  13. 13.
    Floyd, R.W.: Assigning meanings to programs. Proc. Symposia in Applied Mathematics 19, 19–32 (1967)MathSciNetGoogle Scholar
  14. 14.
    Giacobazzi, R., Ranzato, F.: Optimal domains for disjunctive abstract intepretation. Sci. Comput. Program 32(1-3), 177–210 (1998)CrossRefMathSciNetMATHGoogle Scholar
  15. 15.
    Halbwachs, N., Proy, Y., Roumanoff, P.: Verification of real-time systems using linear relation analysis. Formal Methods in System Design 11, 157–185 (1997)CrossRefGoogle Scholar
  16. 16.
    Handjieva, M., Tzolovski, S.: Refining static analyses by trace-based partitioning using control flow. In: Levi, G. (ed.) SAS 1998. LNCS, vol. 1503, pp. 200–214. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  17. 17.
    Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580 (1969)CrossRefMATHGoogle Scholar
  18. 18.
    Ivančić, F., Gupta, A., Ganai, M.K., Kahlon, V., Wang, C., Yang, Z.: Model checking C programs using F-Soft. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 301–306. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  19. 19.
    Karr, M.: Affine relationships among variables of a program. Acta Inf. 6, 133–151 (1976)CrossRefMathSciNetMATHGoogle Scholar
  20. 20.
    Manevich, R., Sagiv, M., Ramalingam, G., Field, J.: Partially disjunctive heap abstraction. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 265–279. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  21. 21.
    Mauborgne, L., Rival, X.: Trace partitioning in abstract interpretation based static analyzers. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 5–20. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Rugina, R., Rinard, M.: Symbolic bounds analysis of pointers, array indices, and accessed memory regions. In: Proc. PLDI. ACM Press, New York (2000)Google Scholar
  23. 23.
    Sankaranarayanan, S., Colón, M.A., Sipma, H.B., Manna, Z.: Efficient strongly relational polyhedral analysis. In: Emerson, E.A., Namjoshi, K.S. (eds.) VMCAI 2006. LNCS, vol. 3855, pp. 111–125. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  24. 24.
    Sankaranarayanan, S., Sipma, H.B., Manna, Z.: Scalable analysis of linear systems using mathematical programming. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 25–41. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Simon, A., King, A., Howe, J.M.: Two variables per linear inequality as an abstract domain. In: Leuschel, M.A. (ed.) LOPSTR 2002. LNCS, vol. 2664. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  26. 26.
    Wagner, D., Foster, J., Brewer, E., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Proc. NDSS 2000, pp. 3–17. ACM Press, New York (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sriram Sankaranarayanan
    • 1
  • Franjo Ivančić
    • 1
  • Ilya Shlyakhter
    • 1
  • Aarti Gupta
    • 1
  1. 1.NEC Laboratories AmericaPrinceton

Personalised recommendations