Abstract: We describe a program analysis for linked list programs where the abstract domain uses formulae from separation logic.

Abstract: In this paper we apply the high-level modelling language PEPA to the performance analysis of a parallel program with a pipeline skeleton which computes the Mean Value Analysis (MVA) algorithm for queueing networks.

Abstract: To learn what constitutes correct program behavior, one can start with normal behavior. We observe actual program executions to construct state machines that summarize object behavior. These state machines, called object behavior models, capture the relationships between two kinds of methods: mutators that change the state (such as add()) and inspectors that keep the state unchanged (such as isEmpty()): "A Vector object initially is in isEmpty() state; after add(), it goes into ¬isEmpty() state". Our ADABU prototype for JAVA has successfully mined models of undocumented behavior from the AspectJ compiler and the Columba email client; the models tend to be small and easily understandable.

Abstract: Static analysis of programs in weakly typed languages such as C and C++ is generally not sound because of possible memory errors due to dangling pointer references, uninitialized pointers, and array bounds overflow. We describe a compilation strategy for standard C programs that guarantees that aggressive interprocedural pointer analysis (or less precise ones), a call graph, and type information for a subset of memory, are never invalidated by any possible memory errors. We formalize our approach as a new type system with the necessary run-time checks in operational semantics and prove the correctness of our approach for a subset of C. Our semantics provide the foundation for other sophisticated static analyses to be applied to C programs with a guarantee of soundness. Our work builds on a previously published transformation called Automatic Pool Allocation to ensure that hard-to-detect memory errors (dangling pointer references and certain array bounds errors) cannot invalidate the call graph, points-to information or type information. The key insight behind our approach is that pool allocation can be used to create a run-time partitioning of memory that matches the compile-time memory partitioning in a points-to graph, and efficient checks can be used to isolate the run-time partitions. Furthermore, we show that the sound analysis information enables static checking techniques that eliminate many run-time checks. Our approach requires no source code changes, allows memory to be managedexplicitly, and does not use meta-data on pointers or individual tag bits for memory. Using several benchmark s and system codes, we show experimentally that the run-time overheads are low (less than 10% in nearly all cases and 30% in the worst case we have seen).We also show the effectiveness of static analyses in eliminating run-time checks.

Abstract: Previous symbolic software model checkers (ie, program analysis tools based on predicate abstraction, pushdown model checking and iterative counterexample-guided abstraction refinement, etc) are restricted to safety properties Terminator is the first software model checker for termination It is now being used to prove that device driver dispatch routines always return to their caller (or return counterexamples if they if they fail to terminate)

Abstract: The maintenance and evolution of critical software with high requirements for reliability is an extremely demanding, time consuming and expensive task. Errors introduced by ad-hoc changes might have disastrous effects on the system and must be prevented under all circumstances, which requires the understanding of the details of source code and system design. This paper describes Bauhaus, a comprehensive tool suite that supports program understanding and reverse engineering on all layers of abstraction, from source code to architecture.

Abstract: Despite significant progress in the theory and practice of program analysis, analysing properties of heap data has not reached the same level of maturity as the analysis of static and stack data. The spatial and temporal structure of stack and static data is well understood while that of heap data seems arbitrary and is unbounded. We devise bounded representations which summarize properties of the heap data. This summarization is based on the structure of the program which manipulates the heap. The resulting summary representations are certain kinds of graphs called access graphs. The boundedness of these representations and the monotonicity of the operations to manipulate them make it possible to compute them through data flow analysis. An important application which benefits from heap reference analysis is garbage collection, where currently liveness is conservatively approximated by reachability from program variables. As a consequence, current garbage collectors leave a lot of garbage uncollected, a fact which has been confirmed by several empirical studies. We propose the first ever end-to-end static analysis to distinguish live objects from reachable objects. We use this information to make dead objects unreachable by modifying the program. This application is interesting because it requires discovering data flow information representing complex semantics. In particular, we discover four properties of heap data: liveness, aliasing, availability, and anticipability. Together, they cover all combinations of directions of analysis (i.e. forward and backward) and confluence of information (i.e. union and intersection). Our analysis can also be used for plugging memory leaks in C/C++ languages.

Abstract: A fundamental problem in interprocedural program analyses is the need to represent and manipulate collections of large sets. Binary Decision Diagrams (BDDs) are a data structure widely used in model checking to compactly encode large state sets. In this dissertation, we develop new techniques and frameworks for applying BDDs to program analysis, and use our BDD-based analyses to gain new insight into factors influencing analysis precision. To make it feasible to express complicated, interrelated analyses using BDDs, we first present the design and implementation of JEDD, a Java language extension which adds relations implemented with BDDs as a datatype, and makes it possible to express BDD-based algorithms at a higher level than existing BDD libraries. Using JEDD, we develop PADDLE, a framework of context-sensitive points-to and call graph analyses for Java, as well as client analyses that make use of their results. PADDLE supports several variations of context-sensitive analyses, including the use of call site strings and abstract receiver object strings as abstractions of context. We use the PADDLE framework to perform an in-depth empirical study of the effect of context-sensitivity variations on the precision of interprocedural program analyses. The use of BDDs enables us to compare context-sensitive analyses on much larger, more realistic benchmarks than has been possible with traditional analysis implementations. Finally, based on the call graph computed by PADDLE, we implement, using JEDD, a novel static analysis of the cflow construct in the aspect-oriented language AspectJ. Thanks to the JEDD high-level representation, the implementation of the analysis closely mirrors its specification.

Abstract: We present a method for static program analysis that leverages tests and concrete program executions. State abstractions generalize the set of program states obtained from concrete executions. A theorem prover then checks that the generalized set of concrete states covers all potential executions and satisfies additional safety properties. Our method finds the same potential errors as the mostprecise abstract interpreter for a given abstraction and is potentially more efficient. Additionally, it provides a new way to tune the performance of the analysis by alternating between concrete execution and theorem proving. We have implemented our technique in a prototype for checking properties of C# programs.

Abstract: Summary form only given. Workload characterization relies heavily on robust and powerful tools to quickly and accurately gather and analyse large amounts of data about program executions. Valgrind is a dynamic binary instrumentation framework for building program analysis tools. Valgrind is best known for a tool, Memcheck, that finds memory errors common in C and C++ programs, but its ability to instrument every instruction and system call a program executes, and inspect every value a program manipulates, without slowing down program execution excessively, makes it an excellent platform for buildings tools suitable for workload characterization. In this tutorial, we introduce Valgrind, describing how you can use it to create powerful tools for doing profiling and trace collection, and to help characterize how workloads affect different machine aspects such as instruction set architecture, the memory hierarchy, and I/O. Valgrind provides powerful analysis tools without excessive slow-down, which allows very large workloads to be analysed easily. Valgrind is open-source (GPL) software, available on x86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux, and work is underway to support other platforms. Valgrind tools are regularly used by the developers of many software packages, such as Firefox, OpenOffice, KDE, GNOME, MySQL, Perl, Python, PHP, Samba, RenderMan, SAS, The GIMP, Unreal Tournament, Squid, plus many scientific applications

Abstract: Tabled logic programming has emerged as an important evaluation technique of logic programs. Tabling has enabled us to construct many practical applications—program analysis and verification systems in particular—by encoding them as high-level logic programs. Tabled resolution based systems evaluate programs by memoizing subgoals (referred to as calls) and their provable instances (answers). In this thesis we address the problem of efficiently updating the memoized information in tables with respect to the changes in programs due to addition/deletion of facts/rules. Such capability of incremental maintenance of memoized information facilitates the use of tabled logic programming for scalable program analysis, where the analysis information can be updated efficiently in response to small changes to the analyzed program. Tabled resolution based systems process the addition of facts in semi-naive fashion and thus incremental by nature. We address the problem of maintaining tables for definite logic programs in response to deletion of facts/rules by maintaining an auxiliary and-or data structure called support graph. Each support in a support graph represents an immediate reason for derivation of an answer. Support graph thus maintains the dependency between answers and facts, and can be used to propagate the effect of deletion of facts/rules. We developed heuristics to reduce the over-approximation performed by existing algorithms for handling deletion. Support graph based algorithms update tables extremely fast but impose considerable space overhead for large applications. Our general solution to space-overhead problem is based on a data structure called Partial Support Graph (PSG) which keeps bounded number of supports for every answer. For a special class of programs we present a more efficient algorithm than PSG, based on a compact data structure called Symbolic Support Graph which exploits the commonality between supports. We also present an efficient algorithm for handling updates to the facts by carefully interleaving the insertion and deletion operations generated by updates. We present an incremental tabled maintenance algorithm for handling programs with negation, cuts, and aggregation operators. We demonstrate the efficiency of incremental computation to various problems such as pointer analysis, data-flow analysis, push-down model checking, parsing, dynamic programming, and XML validation.

Abstract: OOP style requires programmers to organize their code according to objects (or nouns, using natural language as a metaphor), causing a program's actions (verbs) to become scattered during implementation. We define an Action-Oriented Identifier Graph (AOIG) to reconnect the scattered actions in an OOP system. An OOP system with an AOIG will essentially support the dynamic virtual remodularization of OOP code into an Action-Oriented View. We have developed an algorithm to automatically construct an AOIG, and an implementation of the construction process. To automatically construct an AOIG, we use Natural Language Processing (NLP) techniques to process the natural language clues left by programmers in source code and comments, and we connect code segments through the actions that they perform. Using a reasonably sized program, we present several applications of an AOIG (feature location, working set recovery, and aspect mining), which demonstrate how the AOIG can be used by software engineering tools to combat the tyranny of the dominant decomposition.

Abstract: Interprocedural dataflow analysis has a large number of uses for software optimization, maintenance, testing, and verification. For software built with reusable components, the traditional approaches for whole-program analysis cannot be used directly. This paper considers component-level analysis of a main component which is built on top of a pre-existing library component. We propose an approach for computing summary information for the library and for using it to analyze the main component. The approach defines a general theoretical framework for dataflow analysis of programs built with large extensible library components, using pre-computed summary functions for library-local execution paths. Our experimental results indicate that the cost of component-level analysis could be substantially lower than the cost of the corresponding whole-program analysis, without any loss of precision. These results present a promising step towards practical analysis techniques for large-scale software systems built with reusable components.

Abstract: Hob is a program analysis system that enables the focused application of multiple analyses to different modules in the same program. In our approach, each module encapsulates one or more data structures and uses membership in abstract sets to characterize how objects participate in data structures. Each analysis verifies that the implementation of the module 1) preserves important internal data structure consistency properties and 2) correctly implements a set algebra interface that characterizes the effects of operations on the data structure. Collectively, the analyses use the set algebra to 1) characterize how objects participate in multiple data structures and to 2) enable the interanalysis communication required to verify properties that depend on multiple modules analyzed by different analyses. We implemented our system and deployed several pluggable analyses, including a flag analysis plug-in for modules in which abstract set membership is determined by a flag field in each object, a PALE shape analysis plug-in, and a theorem proving plug-in for analyzing arbitrarily complicated data structures. Our experience shows that our system can effectively 1) verify the consistency of data structures encapsulated within a single module and 2) combine analysis results from different analysis plug-ins to verify properties involving objects shared by multiple modules analyzed by different analyses

Abstract: We present an automated and configurable technique for runtime safety analysis of multithreaded programs that is able to predict safety violations from successful executions. Based on a formal specification of safety properties provided by a user, our technique enables us to automatically instrument a given program and create an observer so that the program emits relevant state update events to the observer and the observer checks these updates against the safety specification. The events are stamped with dynamic vector clocks, enabling the observer to infer a causal partial order on the state updates. All event traces that are consistent with this partial order, including the actual execution trace, are then analyzed online and in parallel. A warning is issued whenever one of these potential traces violates the specification. Our technique is scalable and can provide better coverage than conventional testing, but its coverage need not be exhaustive. In fact, one can trade off scalability and comprehensiveness: a window in the state space may be specified allowing the observer to infer some of the more likely runs; if the size of the window is 1, then only the actual execution trace is analyzed, as is the case in conventional testing; if the size of the window is ∞, then all the execution traces consistent with the actual execution trace are analyzed.

Abstract: We describe a new program-analysis framework, based on CPS and procedure-string abstractions, that can handle critical analyses which the k-CFA framework cannot. We present the main theorems concerning correctness, show an application analysis, and describe a running implementation.

Abstract: We perform host-based intrusion detection by constructing a model from a program's binary code and then restricting the program's execution by the model. We improve the effectiveness of such model-based intrusion detection systems by incorporating into the model knowledge of the environment in which the program runs, and by increasing the accuracy of our models with a new data-flow analysis algorithm for context-sensitive recovery of static data. The environment-configuration files, command-line parameters, and environment variables-constrains acceptable process execution. Environment dependencies added to a program model update the model to the current environment at every program execution. Our new static data-flow analysis associates a program's data flows with specific calling contexts that use the data. We use this analysis to differentiate system-call arguments flowing from distinct call sites in the program. Using a new average reachability measure suitable for evaluation of call-stack-based program models, we demonstrate that our techniques improve the precision of several test programs' models from 76% to 100%.

Abstract: We present an approach for statically reasoning about the behavior of Web applications that are developed using Java Servlets and JSP. Specifically, we attack the problems of guaranteeing that all output is well-formed and valid XML and ensuring consistency of XHTML form fields and session state. Our approach builds on a collection of program analysis techniques developed earlier in the JWIG and XACT projects, combined with work on balanced context-free grammars. Together, this provides the necessary foundation concerning reasoning about output streams and application control flow.

Abstract: Invited Contributions.- Weighted Pushdown Systems and Trust-Management Systems.- Parametrization and Slicing.- Automatic Verification of Parameterized Data Structures.- Parameterized Verification of ?-Calculus Systems.- Easy Parameterized Verification of Biphase Mark and 8N1 Protocols.- Evaluating the Effectiveness of Slicing for Model Reduction of Concurrent Object-Oriented Programs.- Symbolic Techniques.- New Metrics for Static Variable Ordering in Decision Diagrams.- Widening ROBDDs with Prime Implicants.- Efficient Guided Symbolic Reachability Using Reachability Expressions.- Satisfiability.- SDSAT: Tight Integration of Small Domain Encoding and Lazy Approaches in a Separation Logic Solver.- SAT-Based Software Certification.- Expressiveness + Automation + Soundness: Towards Combining SMT Solvers and Interactive Proof Assistants.- Exploration of the Capabilities of Constraint Programming for Software Verification.- Abstraction.- Counterexample-Guided Abstraction Refinement for the Analysis of Graph Transformation Systems.- Why Waste a Perfectly Good Abstraction?.- Efficient Abstraction Refinement in Interpolation-Based Unbounded Model Checking.- Approximating Predicate Images for Bit-Vector Logic.- Model Checking Algorithms.- Finitary Winning in ?-Regular Games.- Efficient Model Checking for LTL with Partial Order Snapshots.- A Local Shape Analysis Based on Separation Logic.- Program Verification.- Compositional Model Extraction for Higher-Order Concurrent Programs.- A Region Graph Based Approach to Termination Proofs.- Verifying Concurrent Message-Passing C Programs with Recursive Calls.- Automata-Based Verification of Programs with Tree Updates.- Runtime Diagnostics.- An Experimental Comparison of the Effectiveness of Control Flow Based Testing Approaches on Seeded Faults.- Exploiting Traces in Program Analysis.- Quantitative Techniques.- Model-Checking Markov Chains in the Presence of Uncertainties.- Safety Metric Temporal Logic Is Fully Decidable.- Simulation-Based Graph Similarity.- Tool Demonstrations.- PRISM: A Tool for Automatic Verification of Probabilistic Systems.- DISTRIBUTOR and BCG_MERGE: Tools for Distributed Explicit State Space Generation.- mcmas: A Model Checker for Multi-agent Systems.- MSCan - A Tool for Analyzing MSC Specifications.- Refinement.- A Practical and Complete Approach to Predicate Refinement.- Counterexample Driven Refinement for Abstract Interpretation.- Abstraction Refinement with Craig Interpolation and Symbolic Pushdown Systems.

Abstract: Pointer analysis is a critical compiler analysis used to disambiguate the indirect memory references that result from the use of pointers and pointer-based data structures. A conventional pointer analysis deduces for every pair of pointers, at any program point, whether a points-to relation between them (i) definitely exists, (ii) definitely does not exist, or (iii) maybe exists. Many compiler optimizations rely on accurate pointer analysis, and to ensure correctness cannot optimize in the maybe case. In contrast, recently-proposed speculative optimizations can aggressively exploit the maybe case, especially if the likelihood that two pointers alias can be quantified. This paper proposes a Probabilistic Pointer Analysis (PPA) algorithm that statically predicts the probability of each points-to relation at every program point. Building on simple control-flow edge profiling, our analysis is both one-level context and flow sensitive-yet can still scale to large programs including the SPEC 2000 integer benchmark suite. The key to our approach is to compute points-to probabilities through the use of linear transfer functions that are efficiently encoded as sparse matrices.We demonstrate that our analysis can provide accurate probabilities, even without edge-profile information. We also find that-even without considering probability information-our analysis provides an accurate approach to performing pointer analysis.

Abstract: We present an approach for statically reasoning about the behavior of Web applications that are developed using Java Servlets and JSP. Specifically, we attack the problems of guaranteeing that all output is well-formed and valid XML and ensuring consistency of XHTML form fields and session state. Our approach builds on a collection of program analysis techniques developed earlier in the JWIG and X ACT projects, combined with work on balanced context-free grammars. Together, this provides the necessary foundation concerning reasoning about output streams and application control flow.

Abstract: Procedures have long been the basic units of compilation in conventional optimization frameworks. However, procedures are typically formed to serve software engineering rather than optimization goals, arbitrarily constraining code transformations. Techniques, such as aggressive inlining and interprocedural optimization, have been developed to alleviate this problem, but, due to code growth and compile time issues, these can be applied only sparingly.This paper introduces the Procedure Boundary Elimination (PBE) compilation framework, which allows unrestricted whole-program optimization. PBE allows all intra-procedural optimizations and analyses to operate on arbitrary subgraphs of the program, regardless of the original procedure boundaries and without resorting to inlining. In order to control compilation time, PBE also introduces novel extensions of region formation and encapsulation. PBE enables targeted code specialization, which recovers the specialization benefits of inlining while keeping code growth in check. This paper shows that PBE attains better performance than inlining with half the code growth.

Abstract: Program understanding can be assisted by tools that match patterns in the program source. Lexical pattern matchers provide excellent performance and ease of use, but have a limited vocabulary. Syntactic matchers provide more precision, but may sacrifice performance, robustness, or power. To achieve more of the benefits of both models, we extend the pattern syntax of AWK to support matching of abstract syntax trees, as demonstrated in a tool called TAWK. Its pattern syntax is language-independent, based on abstract tree patterns. As in AWK, patterns can have associated actions, which in TAWK are written in C for generality, familiarity, and performance. The use of C is simplified by high-level libraries and dynamic linking. To allow processing of program files containing non-syntactic constructs such as textual macros, mechanisms have been designed that allow matching of ‘language-like’ macros in a syntactic fashion. We survey and apply prototypical approaches to concretely demonstrate the tradeoffs in program processing. Our results indicate that TAWK can be used to quickly and easily perform a variety of common software engineering tasks, and the extensions to accommodate non-syntactic features significantly extend the generality of syntactic matchers. Copyright © 2005 John Wiley & Sons, Ltd.

Abstract: Static Worst-Case Execution Time (WCET) analysis is a technique to derive upper bounds for the execution times of programs. Such bounds are crucial when designing and verifying real-time systems. WCET analysis needs a program flow analysis to derive constraints on the possible execution paths of the analysed program, like iteration bounds for loops and dependences between conditionals.Current WCET analysis tools typically obtain flow information through manual annotations. Better support for automatic flow analysis would eliminate much of the need for this laborious work. However, to automatically derive high-quality flow information is hard, and solution techniques with large time and space complexity are often required.In this paper we describe how to use program slicing to reduce the computational need of flow analysis methods. The slicing identifes statements and variables which are guaranteed not to influence the program flow. When these are removed, the calculation time of our different flow analyses decreases, in some cases considerably.We also show how program slicing can be used to identify the input variables and globals that control the outcome of a particular loop or conditional. This should be valuable aid when performing WCET analysis and systematic testing of large and complex real-time programs.

Abstract: Traditional static checking centers around finding bugs in programs by isolating cases where the language has been used incorrectly. These language-based checkers do not understand the semantics of software libraries, and therefore cannot be used to detect errors in the use of libraries. In this paper, we introduce STLlint, a program analysis we have implemented for the C++ Standard Template Library and similar, generic software libraries, and we present the general approach that underlies STLlint. We show that static checking of library semantics differs greatly from checking of language semantics, requiring new representations of program behavior and new algorithms. Major challenges include checking the use of generic algorithms, loop analysis for interfaces, and organizing behavioral specifications for extensibility. Copyright © 2005 John Wiley & Sons, Ltd.

Abstract: Program analysis techniques are used by software engineers to deduce and infer characteristics of software systems. Recent research has suggested that a new form of program analysis technique can be created by incorporating characteristics of experimentation into analyses. This paper reports the results of research exploring this suggestion. Building on principles and methodologies underlying the use of experimentation in other fields, we provide descriptive and operational definitions of experimental program analysis, illustrate them by example, and describe several differences between experimental program analysis and experimentation in other fields. We show how the use of an experimental program analysis paradigm can help researchers identify limitations of analysis techniques, improve existing experimental program analysis techniques, and create new experimental program analysis techniques.

Abstract: Publisher Summary This chapter presents an overview of dynamic logics and their applications with focuses on a number of core systems, and a number of central applications: program analysis, tree description, analysis of communication, and semantics of natural language. The field of dynamic logic, including its applications in various domains, is still developing. Dynamic logic started out as a way of studying various aspects of computation, mainly in traditional computational settings, with a focus on sequential transformational programs. When theoretical computer science broadened to encompass the theory of reactive systems and concurrency, dynamic logic evolved by developing systems that could handle these as well (branching time logics and it calculus). Thus, the core concepts of dynamic logic have proved to be applicable in a wide range of settings, allowing formalization of a great diversity of concepts and phenomena.

Abstract: Whether context-sensitive program analysis is more effective than context-insensitive analysis is an ongoing discussion. There is evidence that context-sensitivity matters in complex analyses like pointer analysis or program slicing. Empirical data shows that context-sensitive program slicing is more precise and under some circumstances even faster than context-insensitive program slicing. This article will add to the discussion by examining if the context itself matters, i.e. if a given context leads to more precise slices for that context. Based on some experiments, we will show that this is strongly dependent on the structure of the programs.The presented experiments require backward slices to return to call sites specified by an abstract call stack. Such call stacks can be seen as a poor man's dynamic slicing: For a concrete execution, the call stack is captured, and static slices are restricted to the captured stack. The experiments show that for recursive programs there is a large increase in precision of the restricted form of slicing compared to the unrestricted traditional slicing.The same experiments also show that a large part (more than half) of an average slice is due to called procedures.

Abstract: The relationship between abstract interpretation and partial evaluation has received considerable attention and (partial) integrations have been proposed starting from both the partial evaluation and abstract interpretation perspectives. In this work we present what we argue is the first generic algorithm for efficient and precise integration of abstract interpretation and partial evaluation from an abstract interpretation perspective. Taking as starting point state-of-the-art algorithms for context-sensitive, polyvariant abstract interpretation and (abstract) partial evaluation of logic programs, we present an algorithm which combines the best of both worlds. Key ingredients include the accurate success propagation inherent to abstract interpretation and the powerful program transformations achievable by partial deduction. In our algorithm, the calls which appear in the analysis graph are not analyzed w.r.t. the original definition of the procedure but w.r.t. specialized definitions of these procedures. Such specialized definitions are obtained by applying both unfolding and abstract executability. Also, our framework is parametric w.r.t. different control strategies and abstract domains. Different combinations of these parameters correspond to existing algorithms for program analysis and specialization. Our approach efficiently computes strictly more precise results than those achievable by each of the individual techniques. The algorithm is one of the key components of CiaoPP, the analysis and specialization system of the Ciao compiler.