Construction of abstract domains for heterogeneous properties (Position Paper)*

Authors

  • Xavier Rival
  • Bor-Yuh Evan Chang
  • Antoine Toubhans
Abstract

The aim of static analysis is to infer invariants about programs that are tight enough to establish semantic properties, like the absence of run-time errors. In the last decades, several branches of the static analysis of imperative programs have made significant progress, such as the inference of numeric invariants or the computation of data structure properties (using pointer abstractions or shape analyzers). Although simultaneous inference of shape-numeric invariants is often needed, this case is especially challenging and less well explored. Notably, simultaneous shape-numeric inference raises complex issues in the design of the static analyzer itself. We study the modular construction of static analyzers, based on combinations of atomic abstract domains that describe several kinds of memory properties and value properties.

Static analysis to infer heterogeneous properties. Static analysis by abstract interpretation [4] uses an abstraction to over-approximate (non-computable) sets of program states with computer-representable elements that stand for logical properties of concrete program states. As an example, for numerical properties, the interval abstract domain [4] uses constraints of the form n ≤ x and x ≤ p to describe the possible values of a variable x, where n, p are scalars. To construct a static analyzer capable of inferring sound approximations of program behaviors, one designs an abstract domain, which consists of an abstraction, sound post-condition operators, and join and widening operators.

1. An abstraction is defined by a set of abstract elements A and a concretization function γ : A → P(C), which maps each abstract property a to the set of concrete elements γ(a) that satisfy it. The set A of abstract elements is assumed to be defined by a grammar of admissible logical predicates (e.g., for intervals, a(∈ A) ::= a ∧ a | n ≤ x | x ≤ p).
2. A post-condition operator is a function f♯ : A → A which over-approximates a concrete operation f : C → C encountered in programs (e.g., an assignment or a test), in the sense that f(γ(a)) ⊆ γ(f♯(a)) for every abstract element a.
3. A join operator ⊔ : A × A → A over-approximates the union of two sets of concrete states (γ(a) ∪ γ(a′) ⊆ γ(a ⊔ a′)) and is used where control-flow paths merge. A widening operator is a join that additionally enforces the termination of the analysis: any sequence of abstract elements built by iterated widening stabilizes after finitely many steps, so loop invariants are computed in finite time even in domains with infinite increasing chains, such as intervals over unbounded integers.

The combination of post-condition operators and widening operators allows one to define a sound static analyzer [4]. In the following, we discuss the design of an abstraction able to handle heterogeneous properties, about both data structures and values.

Fig. 1. Heterogeneous property abstraction (a concrete store and the abstract element describing it; figure not reproduced here).

* The research leading to these results has received funding from the European Research Council under the FP7 grant agreement 278673, Project MemCAD, and the United States National Science Foundation under grant CCF-1055066.
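The three ingredients listed above (an abstraction with its concretization, sound post-condition operators, and join versus widening), worked through for the interval domain on a counting loop, as an added example in Python. This is illustrative code written for this page, not the authors' analyzer; the loop shape `x := init; while (x < bound) x := x + step` and every function name are constructed for it. It goes one step beyond the text by also running the standard decreasing iteration after widening, which recovers the bound the widening threw away.

```python
from math import inf

# Abstract element: None is bottom (no concrete state); otherwise a pair
# (lo, hi) with lo <= hi, standing for the predicate lo <= x /\ x <= hi.
# Its concretization gamma is the set of integers in that range.
BOTTOM = None
TOP = (-inf, inf)

def gamma_contains(a, n):
    """Membership in the concretization: n in gamma(a)."""
    return a is not BOTTOM and a[0] <= n <= a[1]

def leq(a, b):
    """Abstract inclusion: gamma(a) is a subset of gamma(b)."""
    if a is BOTTOM:
        return True
    if b is BOTTOM:
        return False
    return b[0] <= a[0] and a[1] <= b[1]

def join(a, b):
    """Join: the smallest interval covering gamma(a) U gamma(b)."""
    if a is BOTTOM:
        return b
    if b is BOTTOM:
        return a
    return (min(a[0], b[0]), max(a[1], b[1]))

def widen(a, b):
    """Widening: keep a bound that did not move, push a growing bound to
    infinity. Each bound can jump to infinity only once, so iterated
    widening stabilizes in a bounded number of steps whatever the loop."""
    if a is BOTTOM:
        return b
    if b is BOTTOM:
        return a
    lo = a[0] if b[0] >= a[0] else -inf
    hi = a[1] if b[1] <= a[1] else inf
    return (lo, hi)

def post_add(a, k):
    """Sound post-condition of the assignment x := x + k."""
    return BOTTOM if a is BOTTOM else (a[0] + k, a[1] + k)

def post_lt(a, p):
    """Sound post-condition of the test x < p over integers."""
    if a is BOTTOM:
        return BOTTOM
    lo, hi = a[0], min(a[1], p - 1)
    return BOTTOM if lo > hi else (lo, hi)

def post_ge(a, p):
    """Sound post-condition of the negated test x >= p."""
    if a is BOTTOM:
        return BOTTOM
    lo, hi = max(a[0], p), a[1]
    return BOTTOM if lo > hi else (lo, hi)

def loop_head_fixpoint(init, bound, step, combine, max_iters=10_000):
    """Iterate the abstract transfer function of the constructed loop
        x := init; while (x < bound) { x := x + step; }
    at the loop head until it stabilizes. `combine` is either join, which
    needs one iteration per concrete loop iteration (and never terminates
    on an unbounded loop), or widen, which terminates in a few steps.
    Returns (head_invariant, exit_invariant, iterations)."""
    entry = (init, init)
    head = entry
    for i in range(1, max_iters + 1):
        after_body = post_add(post_lt(head, bound), step)
        new_head = combine(head, join(entry, after_body))
        if leq(new_head, head):
            return head, post_ge(head, bound), i
        head = new_head
    return head, post_ge(head, bound), max_iters

def narrow_after_widening(head, init, bound, step, max_iters=100):
    """Decreasing iteration: re-apply the loop transfer function to the
    widened post-fixpoint without widening. Starting from a post-fixpoint the
    sequence is decreasing and stays sound, so precision is only regained."""
    entry = (init, init)
    for _ in range(max_iters):
        refined = join(entry, post_add(post_lt(head, bound), step))
        if refined == head:
            break
        head = refined
    return head, post_ge(head, bound)

def concrete_head_values(init, bound, step):
    """Concrete values of x seen at the loop head, for soundness checks."""
    x, seen = init, [init]
    while x < bound:
        x += step
        seen.append(x)
    return seen
```

With plain join the analysis of `x := 0; while (x < 100) x := x + 1` takes 101 iterations to reach the head invariant [0, 100]; with widening it stops after two iterations at [0, +∞), and one narrowing pass brings it back to [0, 100]. Every value from `concrete_head_values` lies in the computed invariant, which is the soundness condition of item 1.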
Abstraction of dynamic memory properties. A memory abstract domain consists of a set of predicates describing memory regions, together with operators for the analysis of memory operations (look-ups, assignments) and widening. XISA [3, 2] relies on points-to predicates, inductive predicates and segment predicates. A simplified version of this abstraction, where the only inductive predicates and segments considered are lists, boils down to the following grammar, where symbolic variables α, α′, ... denote values and addresses:

$$
\begin{array}{lcll}
m\ (\in \mathbb{M}) & ::= & m * m & \text{separating conjunction of predicates} \\
 & \mid & \alpha \cdot f \mapsto \alpha' & \text{cell field } f \text{ at address } \alpha \text{ containing value } \alpha' \\
 & \mid & \mathrm{list}(\alpha) & \text{a list at address } \alpha \\
 & \mid & \mathrm{list}(\alpha') =\!* \ \mathrm{list}(\alpha) & \text{a list segment starting at } \alpha \text{ and ending at } \alpha'
\end{array}
$$

The XISA [3] implementation actually represents a larger set of predicates, with arbitrary inductive definitions (including trees, doubly-linked lists and others). Other analysis frameworks utilize other sets of logical properties, such as TVLA [8], which is based on reachability predicates.

Adding tracking for value properties, and departing from monolithic abstract domains. Once an abstraction has been defined for memory states, it is natural to extend it with value properties, so as to let the analysis infer constraints over both the structure of data and their values. A straightforward way to achieve this, and to add interval constraints over values, is to extend the definition of abstract elements by m ::= ... | m ∧ α ≤ n | m ∧ n ≤ α | .... However, this implies that the abstract operations (post-condition operators, join and widening) have to be extended so as to deal with both structures and value properties at the same time: abstract operations are therefore bound to become overly complex.
Moreover, this approach is awkward, as it does not build upon the existing abstract operations of value abstractions such as intervals [4] or octagons [7], which means it will not easily benefit from the efficient algorithms designed to infer such properties (the same also applies to the memory abstraction). Besides, it makes it harder to switch from one value abstraction to another at a later point, hence reducing the flexibility of the analysis. In the following, we advocate a modular abstract domain design, which:

– separates concerns in the abstract domain design;
– reuses existing abstract domain algorithms;
– allows one to tune distinct parts of the abstraction independently.

Such a design has been used extensively in the ASTRÉE static analyzer [1], which makes intensive use of reduced products [5] among other abstract domain combination techniques [6]. This design contributed not only to the precision and efficiency of the analysis, but also to making it easier to extend [6].

Abstraction of value properties, and combined abstract domain. To achieve a modular abstract domain design, we set up a distinct abstract domain V that only tracks value properties (and not the memory layout, as the previously defined M does), and define a new abstract domain S for states that combines both:

$$
\begin{array}{lcll}
m\ (\in \mathbb{M}) & ::= & \ldots & \text{defined as before} \\
v\ (\in \mathbb{V}) & ::= & \mathrm{true} \mid v \wedge v \mid \alpha \le n \mid n \le \alpha & \text{value predicates} \\
s\ (\in \mathbb{S}) & ::= & m \wedge v & \text{conjunction of sub-properties}
\end{array}
$$

In essence, S defines a reduced product [5] of the memory abstraction M and the value abstraction V.
As such, it completely separates memory and value abstraction concerns, which makes the abstract domain fully modular [10]: indeed, both sub-components can be implemented in distinct ML modules, and S is defined as an ML functor. In practice, this functor should ensure that the symbolic variables used in the value abstraction are consistent with the symbols denoting memory cell contents and addresses in the memory abstraction (thus it implements a co-fibered abstract domain [11], which essentially generalizes the notion of reduced product).

Separate combination of memory abstractions. So far, we combined abstract domains capturing distinct sets of properties. Yet, this abstract domain decomposition approach can be pushed further. As an example, ASTRÉE [1] relies on a decomposition of the numerical abstract domain into simpler abstractions that handle specific sets of properties. A similar approach can be applied to the memory abstraction part. One way to do this is to split concrete heaps and apply distinct memory abstractions to disjoint regions [10]:

$$
\begin{array}{lcll}
m\ (\in \mathbb{M}) & ::= & m_0 * m_1 & \text{where } m_0 \in \mathbb{M}_0 \wedge m_1 \in \mathbb{M}_1 \\
m_0\ (\in \mathbb{M}_0) & ::= & \ldots & \text{a first memory abstract domain, e.g., for lists} \\
m_1\ (\in \mathbb{M}_1) & ::= & \ldots & \text{a second memory abstract domain, e.g., for arrays}
\end{array}
$$

This construction allows one to apply expensive memory abstractions parsimoniously, only to the memory regions that require them, while lighter-weight abstractions can be used for simpler structures. This results in better control of the analysis complexity. The cost is that the analyzer now has to resolve memory fragments across sub-domains, and also to select which sub-domain is the most adequate to account for each memory allocation.
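The product S = M ∧ V described above, and the requirement that the combining functor keep symbolic variables consistent between M and V, as an added example in Python (the authors' analyzers are written in ML; this is illustrative code for this page, not theirs). A points-to memory abstraction `PointsTo` and an interval value abstraction `Intervals` are composed by a `Product` class that plays the role of the functor: it never looks inside either component, it only threads the symbols M allocates into V. The analysed program, the address names `"p"` and `"&s"`, and all class and method names are constructed for the example; the `coordinate=False` path shows what a product that forgets to rename symbols at joins silently loses.

```python
import itertools
from math import inf

class Intervals:
    """Value abstraction V: v ::= true | v /\ v | a <= n | n <= a, kept as a
    map symbol -> (lo, hi); an absent symbol is unconstrained. V knows
    nothing about memory: it only ever sees symbols handed to it by M."""
    def __init__(self, cons=None):
        self.cons = dict(cons or {})

    def get(self, sym):
        return self.cons.get(sym, (-inf, inf))

    def assign_const(self, sym, n):
        self.cons[sym] = (n, n)

    def assign_sum(self, dst, a, b):
        """Post-condition of dst := a + b by interval addition."""
        (alo, ahi), (blo, bhi) = self.get(a), self.get(b)
        self.cons[dst] = (alo + blo, ahi + bhi)

    def rename(self, mapping):
        """Re-express the constraints over the symbols chosen by M; symbols M
        no longer exposes describe unreachable contents and are dropped."""
        return Intervals({mapping[s]: iv for s, iv in self.cons.items() if s in mapping})

    def join(self, other):
        out = Intervals()
        for s in set(self.cons) | set(other.cons):
            (l0, h0), (l1, h1) = self.get(s), other.get(s)
            out.cons[s] = (min(l0, l1), max(h0, h1))
        return out

class PointsTo:
    """Memory abstraction M restricted to points-to predicates a.f |-> a'.
    Addresses are fixed allocation names ("&x" for a variable, "p" for a
    record); cell contents are symbolic variables allocated by M."""
    def __init__(self, fresh):
        self.fresh = fresh          # symbol supply shared by all M instances
        self.cells = {}             # (address, field) -> content symbol

    def lookup(self, addr, f):
        return self.cells[(addr, f)]

    def write(self, addr, f):
        """Strong update of addr.f: the cell gets a fresh content symbol,
        which is returned so that V can constrain it."""
        sym = next(self.fresh)
        self.cells[(addr, f)] = sym
        return sym

    def join(self, other):
        """Join of two states with the same points-to shape. The result gets
        fresh content symbols, and the two renamings tell V how each side's
        constraints map onto them: this is the consistency the functor must
        enforce. Different shapes would need shape widening (out of scope)."""
        if set(self.cells) != set(other.cells):
            raise ValueError("shape mismatch: needs shape widening")
        out, ren0, ren1 = PointsTo(self.fresh), {}, {}
        for key in sorted(self.cells):
            sym = next(self.fresh)
            out.cells[key] = sym
            ren0[self.cells[key]] = sym
            ren1[other.cells[key]] = sym
        return out, ren0, ren1

class Product:
    """S = M /\ V, written as the combinator the text calls an ML functor."""
    def __init__(self, mem, val):
        self.mem, self.val = mem, val

    def store_const(self, addr, f, n):
        """addr.f := n"""
        self.val.assign_const(self.mem.write(addr, f), n)

    def store_sum(self, addr, f, src0, src1):
        """addr.f := src0 + src1, sources given as (address, field) cells."""
        a, b = self.mem.lookup(*src0), self.mem.lookup(*src1)
        self.val.assign_sum(self.mem.write(addr, f), a, b)

    def join(self, other, coordinate=True):
        mem, ren0, ren1 = self.mem.join(other.mem)
        if not coordinate:   # wrong: V joined on its own, stale symbol names
            return Product(mem, self.val.join(other.val))
        return Product(mem, self.val.rename(ren0).join(other.val.rename(ren1)))

    def bounds(self, addr, f):
        """Interval of the contents of cell addr.f, read through M then V."""
        return self.val.get(self.mem.lookup(addr, f))

def analyse_branches(coordinate=True):
    """Constructed program:
        if (c) { p.x = 1; p.y = 2; } else { p.x = 3; p.y = 7; }
        s = p.x + p.y;
    Returns the bounds of p.x, p.y and s after the join."""
    fresh = (f"a{i}" for i in itertools.count())   # one supply for all states
    then_ = Product(PointsTo(fresh), Intervals())
    else_ = Product(PointsTo(fresh), Intervals())
    then_.store_const("p", "x", 1); then_.store_const("p", "y", 2)
    else_.store_const("p", "x", 3); else_.store_const("p", "y", 7)
    after = then_.join(else_, coordinate)
    after.store_sum("&s", "v", ("p", "x"), ("p", "y"))
    return after.bounds("p", "x"), after.bounds("p", "y"), after.bounds("&s", "v")
```

With the renamings applied the analysis infers p.x ∈ [1, 3], p.y ∈ [2, 7] and s ∈ [3, 10]. Without them, V still holds constraints on the branch-local symbols a0..a3 while M now exposes a4 and a5, so every read comes back unconstrained: the product is still sound, but it has lost everything V computed, which is exactly the coordination the co-fibered construction formalizes.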
Reduced product of memory abstractions. Likewise, one can design a reduced product [5] of memory abstract domains [9]:

$$
m\ (\in \mathbb{M}) ::= m_0 \wedge m_1 \quad \text{where } m_0 \in \mathbb{M}_0 \wedge m_1 \in \mathbb{M}_1
$$

Such a composed abstraction is adequate when considering overlaid data structures (such as lists or trees of objects with a common field pointing to class methods) and separates the concerns of analyzing each aspect of the structures. In turn, it imposes on the analysis the burden of letting logical predicates represented in one sub-domain be usable to refine the computations done in the other sub-domain.

Modular abstract domain design. A modular abstract domain significantly simplifies the design of static analyzers while offering additional flexibility and control. The cost of this benefit is the innovation needed to design these more complex and general abstract domain combinators, but this cost is quickly amortized by the ability to reuse these combinators to realize arbitrary static analyzer configurations.


Publication date: 2014