Scalable Path-Sensitive Program Analysis via Dynamic Programming

Path-sensitivity improves program analysis by excluding infeasible paths and avoiding the merging of paths into a single abstraction if they exhibit different behavior. The main challenge however is that path-sensitive analysis is not scalable. In this paper, we present a symbolic execution-based framework which uses dynamic programming (DP) in order to reuse analyses arising from symbolic execution already performed. A straightforward implementation of DP, however, will allow little reuse. This is because symbolic execution repeatedly considers similar subtrees with different contexts. The first of our contributions to use a method of interpolation in order to generalize the result of symbolic execution so that it can be reused in another context. This has the effect of pruning the symbolic execution space, and is the basis of making our analysis scalable. However, interpolation introduces inaccuracy because some of the paths pruned may in fact be infeasible. We therefore introduce a technique to ensure precision by testing that a notion of witness paths that concretely demonstrate a particular analysis, and we require that pruned paths satisfy the witness criterion. In the end, we show that, in a sense defined by traditional abstract interpretation, our framework loses no accuracy beyond the abstraction that is required to close loops via their invariants. We finally demonstrate practicality of our framework by instantiating it with a driving application: static backward slicing analysis. We show that our approach can produce slices significantly smaller than a path-insensitive version scaling up to tens of thousand of lines of C code.