Yu-Fang Chen,Vojtěch Havlena,Ondřej Lengál,Andrea Turrini

2023-03-02

Abstract:Case split is a core proof rule in current decision procedures for the theory of string constraints. Its use is the primary cause of the state space explosion in string constraint solving, since it is the only rule that creates branches in the proof tree. Moreover, explicit handling of the case split rule may cause recomputation of the same tasks in multiple branches of the proof tree. In this paper, we propose a symbolic algorithm that significantly reduces such a redundancy. In particular, we encode a string constraint as a regular language and proof rules as rational transducers. This allows us to perform similar steps in the proof tree only once, alleviating the state space explosion. We also extend the encoding to handle arbitrary Boolean combinations of string constraints, length constraints, and regular constraints. In our experimental results, we validate that our technique works in many practical cases where other state-of-the-art solvers fail to provide an answer; our Python prototype implementation solved over 50 % of string constraints that could not be solved by the other tools.

Logic in Computer Science

Yuan Xinyu,Li Ying,Deng Shuiguang,Cheng Jie

DOI: https://doi.org/10.1080/10798587.2011.10643220

2011-01-01

Abstract:The Affine partitioning framework, which unifies many useful program transforms such as unimodular transformations, loop fusion, fission, scaling, reindexing, and statement reordering, has been proved to be successful in automatic discovery of the loop-level parallelization in programs. The affine partition algorithm was improved from the aspects of compile-time and runtime efficiency in this paper. Firstly, it improves compile-time speed of affine partition algorithm by using of generalized GCD test which is a basic dependence testing algorithm. This paper proved that generalized GCD test has a strong relationship with affine partition algorithm which can improve the compiling speed of the affine partition algorithm. Secondly, a method is put forward to select an optimal solution among the infinite legal solutions of the affine partition algorithm which ensures the minimum communication volume and the simplified processor space expression. Proved by experiments, the two innovations mentioned above can promote the compile-time and runtime efficiency of the affine partition algorithm.

Meng Wu,Chao Wang

DOI: https://doi.org/10.1145/3314221.3314647

2019-06-08

Abstract:Analyzing the behavior of a program running on a processor that supports speculative execution is crucial for applications such as execution time estimation and side channel detection. Unfortunately, existing static analysis techniques based on abstract interpretation do not model speculative execution since they focus on functional properties of a program while speculative execution does not change the functionality. To fill the gap, we propose a method to make abstract interpretation sound under speculative execution. There are two contributions. First, we introduce the notion of virtual control flow to augment instructions that may be speculatively executed and thus affect subsequent instructions. Second, to make the analysis efficient, we propose optimizations to handle merges and loops and to safely bound the speculative execution depth. We have implemented and evaluated the proposed method in a static cache analysis for execution time estimation and side channel detection. Our experiments show that the new method, while guaranteed to be sound under speculative execution, outperforms state-of-the-art abstract interpretation techniques that may be unsound.

Daniel Jurjo-Rivas,Jose F. Morales,Pedro López-García,Manuel V. Hermenegildo

2024-08-19

Abstract:Variable sharing is a fundamental property in the static analysis of logic programs, since it is instrumental for ensuring correctness and increasing precision while inferring many useful program properties. Such properties include modes, determinacy, non-failure, cost, etc. This has motivated significant work on developing abstract domains to improve the precision and performance of sharing analyses. Much of this work has centered around the family of set-sharing domains, because of the high precision they offer. However, this comes at a price: their scalability to a wide set of realistic programs remains challenging and this hinders their wider adoption. In this work, rather than defining new sharing abstract domains, we focus instead on developing techniques which can be incorporated in the analyzers to address aspects that are known to affect the efficiency of these domains, such as the number of variables, without affecting precision. These techniques are inspired in others used in the context of compiler optimizations, such as expression reassociation and variable trimming. We present several such techniques and provide an extensive experimental evaluation of over 1100 program modules taken from both production code and classical benchmarks. This includes the Spectector cache analyzer, the s(CASP) system, the libraries of the Ciao system, the LPdoc documenter, the PLAI analyzer itself, etc. The experimental results are quite encouraging: we have obtained significant speed-ups, and, more importantly, the number of modules that require a timeout was cut in half. As a result, many more programs can be analyzed precisely in reasonable times.

Programming Languages

Isabella Mastroeni,Vincenzo Arceri

DOI: https://doi.org/10.4204/EPTCS.341.2

2021-09-07

Abstract:In this paper, our aim is to propose a model for code abstraction, based on abstract interpretation, allowing us to improve the precision of a recently proposed static analysis by abstract interpretation of dynamic languages. The problem we tackle here is that the analysis may add some spurious code to the string-to-execute abstract value and this code may need some abstract representations in order to make it analyzable. This is precisely what we propose here, where we drive the code abstraction by the analysis we have to perform.

Software Engineering,Programming Languages

Bertrand Jeannet,Peter Schrammel,Sriram Sankaranarayanan

DOI: https://doi.org/10.1145/2578855.2535843

2014-01-13

ACM SIGPLAN Notices

Abstract:We present abstract acceleration techniques for computing loop invariants for numerical programs with linear assignments and conditionals. Whereas abstract interpretation techniques typically over-approximate the set of reachable states iteratively, abstract acceleration captures the effect of the loop with a single, non-iterative transfer function applied to the initial states at the loop head. In contrast to previous acceleration techniques, our approach applies to any linear loop without restrictions. Its novelty lies in the use of the Jordan normal form decomposition of the loop body to derive symbolic expressions for the entries of the matrix modeling the effect of η ≥ Ο iterations of the loop. The entries of such a matrix depend on η through complex polynomial, exponential and trigonometric functions. Therefore, we introduces an abstract domain for matrices that captures the linear inequality relations between these complex expressions. This results in an abstract matrix for describing the fixpoint semantics of the loop. Our approach integrates smoothly into standard abstract interpreters and can handle programs with nested loops and loops containing conditional branches. We evaluate it over small but complex loops that are commonly found in control software, comparing it with other tools for computing linear loop invariants. The loops in our benchmarks typically exhibit polynomial, exponential and oscillatory behaviors that present challenges to existing approaches. Our approach finds non-trivial invariants to prove useful bounds on the values of variables for such loops, clearly outperforming the existing approaches in terms of precision while exhibiting good performance.

Kadiray Karakaya,Eric Bodden

2024-01-26

Abstract:Previous work has shown that one can often greatly speed up static analysis by computing data flows not for every edge in the program's control-flow graph but instead only along definition-use chains. This yields a so-called sparse static analysis. Recent work on SparseDroid has shown that specifically taint analysis can be "sparsified" with extraordinary effectiveness because the taint state of one variable does not depend on those of others. This allows one to soundly omit more flow-function computations than in the general case.

Software Engineering

Benno Stein,Bor-Yuh Evan Chang,Manu Sridharan

DOI: https://doi.org/10.1145/3648441

IF: 1.714

2024-02-15

ACM Transactions on Programming Languages and Systems

Abstract:We consider the problem of making expressive, interactive static analyzers compositional . Such a technique could help bring the power of server-based static analyses to integrated development environments (IDEs), updating their results live as the code is modified. Compositionality is key for this scenario, as it enables reuse of already-computed analysis results for unmodified code. Previous techniques for interactive static analysis either lack compositionality, cannot express arbitrary abstract domains, or are not from-scratch consistent. We present demanded summarization, the first algorithm for incremental compositional analysis in arbitrary abstract domains which guarantees from-scratch consistency. Our approach analyzes individual procedures using a recent technique for demanded analysis, computing summaries on demand for procedure calls. A dynamically-updated summary dependency graph enables precise result invalidation after program edits, and the algorithm is carefully designed to guarantee from-scratch-consistent results after edits, even in the presence of recursion and in arbitrary abstract domains. We formalize our technique and prove soundness, termination, and from-scratch consistency. An experimental evaluation of a prototype implementation on synthetic and real-world program edits provides evidence for the feasibility of this theoretical framework, showing potential for major performance benefits over non-demanded compositional analyses.

computer science, software engineering

Arieh Iserles,Karolina Kropielnicka

2024-03-22

Abstract:This paper considers computational methods that split a vector field into three components in the case when both the vector field and the split components might be unbounded. We first employ classical Taylor expansion which, after some algebra, results in an expression for a second-order splitting which, strictly speaking, makes sense only for bounded operators. Next, using an alternative approach, we derive an error expression and an error bound in the same setting which are however valid in the presence of unbounded operators.

Numerical Analysis

Yulei Sui,Xiaokang Fan,Hao Zhou,Jingling Xue

DOI: https://doi.org/10.1145/2980930.2907957

2016-01-01

Abstract:Compiler-based auto-vectorization is a promising solution to automatically generate code that makes efficient use of SIMD processors in high performance platforms and embedded systems. Two main auto-vectorization techniques, superword-level parallelism vectorization (SLP) and loop-level vectorization (LLV), require precise dependence analysis on arrays and structs in order to vectorize isomorphic scalar instructions and/or reduce dynamic dependence checks incurred at runtime.The alias analyses used in modern vectorizing compilers are either intra-procedural (without tracking inter-procedural data-flows) or inter-procedural (by using field-insensitive models, which are too imprecise in handling arrays and structs). This paper proposes an inter-procedural Loop-oriented Pointer Analysis, called LPA, for analyzing arrays and structs to support aggressive SLP and LLV optimizations. Unlike field-insensitive solutions that pre-allocate objects for each memory allocation site, our approach uses a fine-grained memory model to generate location sets based on how structs and arrays are accessed. LPA can precisely analyze arrays and nested aggregate structures to enable SIMD optimizations for large programs. By separating the location set generation as an independent concern from the rest of the pointer analysis, LPA is designed to reuse easily existing points-to resolution algorithms.We evaluate LPA using SLP and LLV, the two classic vectorization techniques on a set of 20 CPU2000/2006 benchmarks. For SLP, LPA enables it to vectorize a total of 133 more basic blocks, with an average of 12.09 per benchmark, resulting in the best speedup of 2.95% for 173.applu. For LLV, LPA has reduced a total of 319 static bound checks, with an average of 22.79 per benchmark, resulting in the best speedup of 7.18% for 177.mesa.

Liqian Chen,Renjian Li,Xueguang Wu,Ji Wang

DOI: https://doi.org/10.1016/j.scico.2014.06.004

IF: 1.039

2014-01-01

Science of Computer Programming

Abstract:We present an approach in the framework of abstract interpretation to analyze list-manipulating programs by combining shape and numerical abstractions. The analysis automatically divides a list into non-overlapping list segments according to the reachability property of pointer variables to list nodes. The list nodes in each segment are abstracted by a bit-vector wherein each bit corresponds to a pointer variable and indicates whether the nodes can be reached by that pointer variable. Moreover, for each bit-vector, we introduce an auxiliary integer variable, namely a counter variable, to record the number of nodes in the segment abstracted by that bit-vector. On this basis, we leverage the power of numerical abstractions to discover numerical relations among counter variables, so as to infer relational length properties among list segments. Furthermore, we show how our approach works for circular lists. Our approach stands out in its ability to find intricate properties that involve both shape and numerical information, which are important for checking program properties such as memory safety. A prototype is implemented and preliminary experimental results are encouraging.

Tao Sun,Zheng Wang,Geguang Pu,Xiao Yu,Zongyan Qiu,Bin Gu

DOI: https://doi.org/10.1109/QSIC.2009.53

2009-01-01

Abstract:One difficulty of automated test case generation is to deal with compositional units that brings in compositional space explosion of program states. We present a new dynamic execution framework which analyzes program behaviors dynamically for automatic test inputs generation. We utilize forward slicing to explore those functions affecting conditional predicates in program under test.The functions that do not affect the conditional predicates are not in need of being analyzed symbolically. Pointer alias analysis is adopted to make slicing in the presence of pointers more precise. A dynamic partial execution technique is proposed to accelerate the speed of searching the unit space. The proposed approach can be applied to real programs and the experiments are also very encouraging.

Gabor Horvath,Reka Kovacs,Zoltan Porkolab

2024-08-04

Abstract:Static analysis is the analysis of a program without executing it, usually carried out by an automated tool. Symbolic execution is a popular static analysis technique used both in program verification and in bug detection software. It works by interpreting the code, introducing a symbol for each value unknown at compile time (e.g. user-given inputs), and carrying out calculations symbolically. The analysis engine strives to explore multiple execution paths simultaneously, although checking all paths is an intractable problem, due to the vast number of possibilities. We focus on an error finding framework called the Clang Static Analyzer, and the infrastructure built around it named CodeChecker. The emphasis is on achieving end-to-end scalability. This includes the run time and memory consumption of the analysis, bug presentation to the users, automatic false positive suppression, incremental analysis, pattern discovery in the results, and usage in continuous integration loops. We also outline future directions and open problems concerning these tools. While a rich literature exists on program verification software, error finding tools normally need to settle for survey papers on individual techniques. In this paper, we not only discuss individual methods, but also how these decisions interact and reinforce each other, creating a system that is greater than the sum of its parts. Although the Clang Static Analyzer can only handle C-family languages, the techniques introduced in this paper are mostly language-independent and applicable to other similar static analysis tools.

Software Engineering

Patrick L. Combettes

2024-01-30

Abstract:We propose a geometric framework to describe and analyze a wide array of operator splitting methods for solving monotone inclusion problems. The initial inclusion problem, which typically involves several operators combined through monotonicity-preserving operations, is seldom solvable in its original form. We embed it in an auxiliary space, where it is associated with a surrogate monotone inclusion problem with a more tractable structure and which allows for easy recovery of solutions to the initial problem. The surrogate problem is solved by successive projections onto half-spaces containing its solution set. The outer approximation half-spaces are constructed by using the individual operators present in the model separately. This geometric framework is shown to encompass traditional methods as well as state-of-the-art asynchronous block-iterative algorithms, and its flexible structure provides a pattern to design new ones.

Optimization and Control

Yulei Sui,Xiaokang Fan,Hao Zhou,Jingling Xue

DOI: https://doi.org/10.1145/3168364

2018-01-01

Abstract:Compiler-based vectorization represents a promising solution to automatically generate code that makes efficient use of modern CPUs with SIMD extensions. Two main auto-vectorization techniques, superword-level parallelism vectorization (SLP) and loop-level vectorization (LLV), require precise dependence analysis on arrays and structs to vectorize isomorphic scalar instructions (in the case of SLP) and reduce dynamic dependence checks at runtime (in the case of LLV). The alias analyses used in modern vectorizing compilers are either intra-procedural (without tracking inter-procedural data-flows) or inter-procedural (by using field-sensitive models, which are too imprecise in handling arrays and structs). This article proposes an inter-procedural Loop-oriented Pointer Analysis for C, called Lpa, for analyzing arrays and structs to support aggressive SLP and LLV optimizations effectively. Unlike field-insensitive solutions that pre-allocate objects for each memory allocation site, our approach uses a lazy memory model to generate access-based location sets based on how structs and arrays are accessed. Lpa can precisely analyze arrays and nested aggregate structures to enable SIMD optimizations for large programs. By separating the location set generation as an independent concern from the rest of the pointer analysis, Lpa is designed so that existing points-to resolution algorithms (e.g., flow-insensitive and flow-sensitive pointer analysis) can be reused easily. We have implemented Lpa fully in the LLVM compiler infrastructure (version 3.8.0). We evaluate Lpa by considering SLP and LLV, the two classic vectorization techniques, on a set of 20 C and Fortran CPU2000/2006 benchmarks. For SLP, Lpa outperforms LLVM’s BasicAA and ScevAA by discovering 139 and 273 more vectorizable basic blocks, respectively, resulting in the best speedup of 2.95% for 173.applu. For LLV, LLVM introduces totally 551 and 652 static bound checks under BasicAA and ScevAA, respectively. In contrast, Lpa has reduced these static checks to 220, with an average of 15.7 checks per benchmark, resulting in the best speedup of 7.23% for 177.mesa.

Liqian Chen,Renjian Li,Xueguang Wu,Ji Wang

DOI: https://doi.org/10.1145/2480362.2480589

2013-01-01

Abstract:We present an approach under the framework of abstract interpretation to analyze list-manipulating programs by combining shape and numerical abstractions. The analysis automatically divides a list into non-overlapping list segments according to the reachability property of pointer variables to list nodes. The list nodes in each segment are abstracted by a bit-vector wherein each bit corresponds to a pointer variable and indicates whether the nodes can be reached by that pointer variable. Moreover, for each bit-vector, we introduce an auxiliary integer variable, namely a counter variable, to record the number of nodes in the segment abstracted by that bit-vector. On this basis, we leverage the power of numerical abstractions to discover numerical relations among counter variables, so as to infer relational length properties among list segments. Our approach stands out in its ability to find intricate properties that involve both shape and numerical information, which are important for checking program properties such as memory safety and termination. A prototype is implemented and preliminary experimental results are encouraging.

Aditya Anand,Manas Thakur

DOI: https://doi.org/10.1007/s10703-024-00458-x

2024-06-15

Formal Methods in System Design

Abstract:In spite of decades of static-analysis research behind developing precise whole-program dataflow analyses, languages that use just-in-time (JIT) compilers suffer from the imprecision of resource-bound analyses local to the scope of compilation. Recent promising approaches bridge this gap by splitting the analysis into two phases: a static phase that identifies interprocedural dependencies across program elements, and a dynamic phase that resolves those dependencies to generate final analysis results. Though this approach is capable of generating precise analysis results without incurring analysis cost in JIT compilers, such "staged analyses" lack a theoretical backing. In particular, it is unclear if one could transform a general whole-program analysis (that resolves dependencies across all program elements) to a staged one that involves evaluation of statically generated partial results later. Similarly, it would be interesting if one could generate "partial-result evaluators" in a way that can also be used to argue about their correctness. In this paper, we propose a novel model of partial analysis that addresses all these points for staged (static + dynamic) compilation systems, based on the classic theory of partial evaluation. We begin by highlighting how partial evaluation and Futamura projections are used to generate specialized program interpreters. We then describe partial analysis as the process of evaluating dependencies across program elements with respect to the statically available parts of a program, resulting into partial results . Next, we devise a strategy (by deriving a novel notion of AM projections from Futamura projections) to statically generate specialized evaluators that can process partial results using dynamic dependencies, during JIT compilation. Later, we use our proposed model to straightforwardly establish the correctness and precision properties of the idea of staging, independent of the analysis under consideration. We finally extend our model to soundly handle callbacks made from Java libraries to applications. We demonstrate the applicability of our model by showcasing examples from non-trivial Java program analyses, implementing the pipeline for one of them, and also discussing future possibilities to extend the same. We believe that our contributions in formulating this theory of partial analysis will significantly extend the usage of existing partial analyzers, as well as promote the design of new ones, for and even beyond Java.

computer science, theory & methods

Florian Sextl,Adam Rogalewicz,Tomáš Vojnar,Florian Zuleger

2024-10-31

Abstract:Biabduction-based shape analysis is a compositional verification and analysis technique that can prove memory safety in the presence of complex, linked data structures. Despite its usefulness, several open problems persist for this kind of analysis; two of which we address in this paper. On the one hand, the original analysis is path-sensitive but cannot combine safety requirements for related branches. This causes the analysis to require additional soundness checks and increases the space for the analysis to become incomplete. We extend the underlying symbolic execution and propose a framework for shared abduction where a common pre-condition is maintained for related computation branches. On the other hand, prior proposals lift loop acceleration methods from forward analysis to biabduction analysis by applying them separately on the pre- and post-condition, which can lead to imprecise or even unsound acceleration results that do not form a loop invariant. In contrast, we propose biabductive loop acceleration, which explicitly constructs and checks candidate loop invariants. For this, we also introduce a novel heuristic called shape extrapolation. This heuristic takes advantage of locality in the handling of list-like data structures (which are the most common data structures found in low-level code) and jointly accelerates pre- and post-conditions by extrapolating the related shapes. In addition to making the analysis more precise, our techniques also make biabductive analysis more efficient since they are sound in just one analysis phase. In contrast, prior techniques always require two phases (as the first phase can produce contracts that are unsound and must hence be verified). We experimentally confirm that our techniques improve on prior techniques; both in terms of precision and runtime of the analysis.

Logic in Computer Science

M. Tada,P. Pan

2007-01-01

Abstract:The collaborative structural analysis (CSA) system is capable of performing highly sophisticated structural analyses utilizing the beneficial features of existing individual structural analysis programs. This requires a time consuming static condensation procedure if adopting an implicit integration scheme. The operator splitting (OS) method, which does not request tangential stiffness, can be used to improve the system efficiency. Furthermore, the conventional OS method is not able to provide enough numerical stability particularly for the analyses considering geometrically nonlinearity, and improvement is needed. To this end, a modified OS method, which treats unbalanced forces in the current step as pseudo external forces in the immediate following step, is proposed. Introduction A collaborative structure analysis system is proposed by Tada et al (2004), which is capable of performing highly sophisticated structural analysis by utilizing the beneficial features of existing individual structural analysis programs developed by individual research. In the system, the simulated structure is divided into multiple substructures, and each substructure is analyzed by an individual program. Specifically, the host program formulates and solves the equilibrium equations or equations of motion for the entire structure, and sends boundary displacements to the corresponding station programs. The station programs run detailed analyses, and return the stiffnesses and forces associated with the degrees of freedom (DOFs) at the boundaries through a condensation procedure. The procedure is conducted step by step, and the data are exchanged through the Internet. The system has the following characteristics: 1) Multiple existing programs can be used for sophisticated structural analysis collaboratively. Flexible combinations are available for specific analysis projects according to the project characteristics and requirements. 2) Only data for analysis projects need to be exchanged over the Internet, whereas sharing source codes or running libraries of existing programs are unnecessary so that the copyrights of the programs are firmly protected. 1 Assoc. Professor, Div. of Global Architecture, Graduate School of Engineering, Osaka University, Suita City, Japan 2 JSPS Fellow, Graduate School of Engineering, Kyoto University, Kyoto City, Japan

许国山,王帅坤,吴斌,欧进萍

DOI: https://doi.org/10.6052/j.issn.1000-4750.2012.09.0681

2014-01-01

Abstract:This paper proposes the Operator-splitting(OS) method for dynamic substructure testing, and investigates the stability and effectiveness of the method. The main conclusions are as follows. 1) This paper proposes a target acceleration formulation so as to render the OS method an explicit formula for dynamic substructure testing. 2) It is shown from spectra analyses and numerical simulations that for the case of inertial specimen, this method is conditionally stable as long as the mass ratio of the experimental substructure to the numerical substructure is less than or equal to 1, while it is a unstable method if the ratio is large than 1.