Abstract
Program analyses often rely on various forms of sensitivity, such as context sensitivity, call-site sensitivity, and object sensitivity. These techniques all allow for more precise program analyses, which compute stronger program invariants and can therefore verify stronger properties. Although sensitivity techniques are now part of the standard toolkit of static analysis designers and implementers, no comprehensive framework describes all common forms of sensitivity. As a consequence, the soundness proofs of static analysis tools that use sensitivity often rely on ad hoc formalizations, which are not always carried out in an abstract interpretation framework. It also means that opportunities to identify similarities between analysis techniques, in order to improve abstractions or to tune static analysis tools, can easily be missed.
In this article, we present and formalize a framework for describing sensitivity in static analysis. The framework is based on a powerful abstract domain construction: it uses the reduced cardinal power to tie basic abstract predicates to the properties that an analysis is sensitive to. We formalize this abstraction and the main abstract operations needed to turn it into a generic abstract domain construction. We show that this approach allows a more precise description of program states and that it captures a large set of sensitivity techniques, both when the sensitivity criteria are static (known before the analysis) and when they are dynamic (inferred as part of the analysis), as well as the parameters used to tune sensitive analyses. Last, we show that the sensitivity techniques used in state-of-the-art static analysis tools can be described in our framework.
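The core idea of the abstract, a sensitive domain obtained as a cardinal power that maps each value of a sensitivity criterion to a base abstract state, can be made concrete with a few dozen lines. The following is an added illustration written for this page, not code from the article or from any of the tools it cites: it implements an (unreduced) cardinal power over an interval domain, where the criterion is the outcome of an earlier branch (trace partitioning), and runs it on a constructed toy program. The program, the variable names and the helper functions are all assumptions made for the demonstration; the reduction step that lets partitions exchange information is deliberately left out. The point it makes is the practical one: the same bounds-style assertion is a false alarm under the insensitive analysis and is verified once the analysis is made sensitive.

```python
"""Added example: a sensitive abstract domain as a cardinal power
(criterion value -> base interval state). Illustrative code for this page,
not the framework of the article. Toy program and names are constructed."""
from typing import Dict, Tuple

Interval = Tuple[int, int]             # closed integer interval [lo, hi]
State = Dict[str, Interval]            # base abstract state: variable -> interval
Key = Tuple[str, ...]                  # sensitivity criterion: branches taken so far
Sensitive = Dict[Key, State]           # cardinal power: criterion value -> base state
                                       # (a missing key means that partition is bottom)

def join_itv(a: Interval, b: Interval) -> Interval:
    return (min(a[0], b[0]), max(a[1], b[1]))

def join_state(s: State, t: State) -> State:
    # Pointwise join; variables present on only one side are unconstrained
    # and are simply dropped in this toy domain.
    return {v: join_itv(s[v], t[v]) for v in s if v in t}

def join_sensitive(p: Sensitive, q: Sensitive) -> Sensitive:
    """Join of the cardinal power: partitions with the same key are joined,
    partitions with different keys are kept apart (that is the precision gain)."""
    out = dict(p)
    for k, st in q.items():
        out[k] = join_state(out[k], st) if k in out else st
    return out

def assign(p: Sensitive, var: str, itv: Interval) -> Sensitive:
    return {k: {**st, var: itv} for k, st in p.items()}

def assume_eq(p: Sensitive, var: str, c: int) -> Sensitive:
    """Filter every partition by var == c; an infeasible partition becomes
    bottom and disappears from the map."""
    out: Sensitive = {}
    for k, st in p.items():
        lo, hi = st[var]
        if lo <= c <= hi:
            out[k] = {**st, var: (c, c)}
    return out

def assume_ne(p: Sensitive, var: str, c: int) -> Sensitive:
    """Filter by var != c; exact only when c is an endpoint of the interval."""
    out: Sensitive = {}
    for k, st in p.items():
        lo, hi = st[var]
        if lo == hi == c:
            continue                      # bottom
        if lo == c:
            out[k] = {**st, var: (c + 1, hi)}
        elif hi == c:
            out[k] = {**st, var: (lo, c - 1)}
        else:
            out[k] = dict(st)
    return out

def retag(p: Sensitive, tag: str) -> Sensitive:
    """Refine the criterion: record the branch just taken in every key."""
    return {(*k, tag): st for k, st in p.items()}

def forget(p: Sensitive) -> Sensitive:
    """Abstract away the criterion: join all partitions into a single one.
    Applying this after every branch gives the plain, insensitive analysis."""
    if not p:
        return {}
    states = list(p.values())
    acc = states[0]
    for st in states[1:]:
        acc = join_state(acc, st)
    return {(): acc}

def analyse(sensitive: bool) -> Tuple[Sensitive, bool]:
    """Analyse the constructed toy program
         b := [0,1]
         if b == 1 then x := 0 else x := 5
         if b == 1 then assert x <= 2
       and report the states reaching the assertion and whether it is verified.
       With sensitive=True the criterion is the outcome of the first test."""
    p: Sensitive = {(): {"b": (0, 1)}}
    then_ = assign(retag(assume_eq(p, "b", 1), "b==1"), "x", (0, 0))
    else_ = assign(retag(assume_ne(p, "b", 1), "b!=1"), "x", (5, 5))
    p = join_sensitive(then_, else_)
    if not sensitive:
        p = forget(p)                     # collapse partitions: interval analysis only
    at_assert = assume_eq(p, "b", 1)      # second test on the same condition
    verified = all(st["x"][1] <= 2 for st in at_assert.values())
    return at_assert, verified

if __name__ == "__main__":
    for mode in (False, True):
        states, ok = analyse(mode)
        print("sensitive" if mode else "insensitive", states, "verified" if ok else "ALARM")
```

Running the block prints the two outcomes side by side: the insensitive run reaches the assertion with x in [0,5] and raises an alarm, while the sensitive run keeps the "b!=1" partition separate, finds it infeasible at the second test, and proves x = 0 in the only surviving partition. Changing the criterion (for example tagging with a call-site string instead of a branch outcome) is the only thing that differs between the sensitivity flavours the abstract lists, which is exactly the uniformity the article's construction aims for.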
Index Terms
- A Theoretical Foundation of Sensitivity in an Abstract Interpretation Framework