Typestate: A programming language concept for enhancing software reliability
IEEE Transactions on Software Engineering
Precise concrete type inference for object-oriented languages
OOPSLA '94 Proceedings of the ninth annual conference on Object-oriented programming systems, language, and applications
Precise interprocedural dataflow analysis via graph reachability
POPL '95 Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Refining data flow information using infeasible paths
ESEC '97/FSE-5 Proceedings of the 6th European SOFTWARE ENGINEERING conference held jointly with the 5th ACM SIGSOFT international symposium on Foundations of software engineering
A static analyzer for finding dynamic programming errors
Software—Practice & Experience
Unification-based pointer analysis with directional assignments
PLDI '00 Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation
Demand-driven pointer analysis
Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation
Automatically validating temporal safety properties of interfaces
SPIN '01 Proceedings of the 8th international SPIN workshop on Model checking of software
The SLAM project: debugging system software via static analysis
POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
POPL '02 Proceedings of the 29th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
ESP: path-sensitive program verification in polynomial time
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
POPL '80 Proceedings of the 7th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
From symptom to cause: localizing errors in counterexample traces
POPL '03 Proceedings of the 30th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Speeding Up Dataflow Analysis Using Flow-Insensitive Pointer Analysis
SAS '02 Proceedings of the 9th International Symposium on Static Analysis
Boolean and Cartesian Abstraction for Model Checking C Programs
TACAS 2001 Proceedings of the 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems
Counterexample-guided abstraction refinement for symbolic model checking
Journal of the ACM (JACM)
Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Software validation via scalable path-sensitive value flow analysis
ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
Scalable error detection using boolean satisfiability
Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
CMC: a pragmatic approach to model checking real code
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Joining dataflow with predicates
Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering
Symbolic path simulation in path-sensitive dataflow analysis
PASTE '05 Proceedings of the 6th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Client-driven pointer analysis
SAS'03 Proceedings of the 10th international conference on Static analysis
Automatic software model checking using CLP
ESOP'03 Proceedings of the 12th European conference on Programming
What went wrong: explaining counterexamples
SPIN'03 Proceedings of the 10th international conference on Model checking software
APLAS'05 Proceedings of the Third Asian conference on Programming Languages and Systems
Trace partitioning in abstract interpretation based static analyzers
ESOP'05 Proceedings of the 14th European conference on Programming Languages and Systems
SLR: Path-Sensitive Analysis through Infeasible-Path Detection and Syntactic Language Refinement
SAS '08 Proceedings of the 15th international symposium on Static Analysis
Static Program Analysis for Java Card Applets
CARDIS '08 Proceedings of the 8th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications
On temporal path conditions in dependence graphs
Automated Software Engineering
WYSINWYX: What you see is not what you eXecute
ACM Transactions on Programming Languages and Systems (TOPLAS)
Analyzing stripped device-driver executables
TACAS'08/ETAPS'08 Proceedings of the Theory and practice of software, 14th international conference on Tools and algorithms for the construction and analysis of systems
Refinement-based CFG reconstruction from unstructured programs
VMCAI'11 Proceedings of the 12th international conference on Verification, model checking, and abstract interpretation
Programs from proofs: a PCC alternative
CAV'13 Proceedings of the 25th international conference on Computer Aided Verification
Hi-index | 0.00 |
In this paper, we present a new method for supporting abstraction refinement in path-sensitive dataflow analysis. We show how an adjustable merge criterion can be used as an interface to control the degree of abstraction. In particular, we partition the merge criterion with two sets of predicates — one related to the dataflow facts being propagated and the other related to path feasibility. These tracked predicates are then used to guide merge operations and path feasibility analysis, so that expensive computations are performed only at the right places. Refinement amounts to lazily growing the path predicate set to recover lost precision. We have implemented our refinement technique in ESP, a software validation tool for C/C++ programs. We apply ESP to validate a future version of Windows against critical security properties. Our experience suggests that applying iterative refinement to path-sensitive dataflow analysis is both effective in cutting down spurious errors and scalable enough for solving real world problems.