research-article
Open Access

A Theoretical Foundation of Sensitivity in an Abstract Interpretation Framework

Published: 09 August 2018

Abstract

Program analyses often utilize various forms of sensitivity such as context sensitivity, call-site sensitivity, and object sensitivity. These techniques all allow for more precise program analyses that are able to compute more precise program invariants and to verify stronger properties. Despite the fact that sensitivity techniques are now part of the standard toolkit of static analysis designers and implementers, no comprehensive framework allows the description of all common forms of sensitivity. As a consequence, the soundness proofs of static analysis tools involving sensitivity often rely on ad hoc formalizations, which are not always carried out in an abstract interpretation framework. Moreover, this also means that opportunities to identify similarities between analysis techniques, in order to improve abstractions or to tune static analysis tools, can easily be missed.

In this article, we present and formalize a framework for the description of sensitivity in static analysis. Our framework is based on a powerful abstract domain construction, and utilizes the reduced cardinal power to tie basic abstract predicates to the properties analyses are sensitive to. We formalize this abstraction and the main abstract operations that are needed to turn it into a generic abstract domain construction. We demonstrate that our approach allows for a more precise description of program states, and that it can also describe a large set of sensitivity techniques, both when sensitivity criteria are static (known before the analysis) and when they are dynamic (inferred as part of the analysis), as well as sensitive analysis tuning parameters. Last, we show that sensitivity techniques used in state-of-the-art static analysis tools can be described in our framework.
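As an added illustration (example code written for this page, not from the article or from any of the analyzers it cites), the following Python sketches the construction the abstract alludes to: a sensitive abstract domain built as a map from sensitivity contexts to elements of a base abstract domain, which is the cardinal power of the two, with the reduction that unreachable contexts (mapped to bottom) are dropped. The sign lattice used as the base domain, the k-call-site context function `push_context`, and the constructed call records `CALLS` are all assumptions chosen for illustration; the same map-from-contexts shape would host object- or trace-based contexts by swapping `push_context`, which is the generality the abstract claims. What it shows: a context-insensitive analysis (k = 0) merges both call sites and reports `top` for the callee's parameter, while k >= 1 keeps them apart and proves the argument at `cs1` positive, which for a security analyzer is the difference between a spurious and a silenced out-of-bounds warning.

```python
from typing import Dict, List, Optional, Tuple

# Base abstract domain (assumed for this example): the sign lattice.
#        top
#      /  |  \
#   neg  zero  pos
#      \  |  /
#        bot
Sign = str


def sign_of(n: int) -> Sign:
    """Abstraction of one concrete integer."""
    return "zero" if n == 0 else ("pos" if n > 0 else "neg")


def sign_join(a: Sign, b: Sign) -> Sign:
    """Least upper bound in the sign lattice."""
    if a == "bot":
        return b
    if b == "bot":
        return a
    return a if a == b else "top"


def sign_le(a: Sign, b: Sign) -> bool:
    """Partial order of the sign lattice."""
    return a == "bot" or b == "top" or a == b


# A context is the sequence of the k most recent call sites (k-call-site sensitivity).
Context = Tuple[str, ...]


class Sensitive:
    """Element of the sensitive domain: a finite map Context -> Sign.

    This is the cardinal power of the context set and the base domain, with the
    reduction that contexts mapped to bot (unreachable) are not stored at all.
    """

    def __init__(self, entries: Optional[Dict[Context, Sign]] = None) -> None:
        self.entries: Dict[Context, Sign] = {
            c: s for c, s in (entries or {}).items() if s != "bot"
        }

    def get(self, ctx: Context) -> Sign:
        return self.entries.get(ctx, "bot")

    def join(self, other: "Sensitive") -> "Sensitive":
        """Pointwise join: distinct contexts are never merged with each other."""
        keys = set(self.entries) | set(other.entries)
        return Sensitive({c: sign_join(self.get(c), other.get(c)) for c in keys})

    def le(self, other: "Sensitive") -> bool:
        """Pointwise order; contexts absent on the left are bot, hence trivially below."""
        return all(sign_le(s, other.get(c)) for c, s in self.entries.items())

    def forget(self) -> Sign:
        """Drop the sensitivity: join all contexts into a single base value."""
        acc: Sign = "bot"
        for s in self.entries.values():
            acc = sign_join(acc, s)
        return acc


def push_context(caller_ctx: Context, call_site: str, k: int) -> Context:
    """Callee context under k-call-site sensitivity; k = 0 is context-insensitive."""
    if k == 0:
        return ()
    return (caller_ctx + (call_site,))[-k:]


# One call record: the caller's context, the call-site label, and the concrete argument.
Call = Tuple[Context, str, int]


def analyze_param(calls: List[Call], k: int) -> Sensitive:
    """Abstract value of the callee's parameter, one entry per callee context."""
    state = Sensitive()
    for caller_ctx, site, arg in calls:
        ctx = push_context(caller_ctx, site, k)
        state = state.join(Sensitive({ctx: sign_of(arg)}))
    return state


def value_at_call_site(calls: List[Call], caller_ctx: Context, site: str, k: int) -> Sign:
    """What the analysis knows about the parameter when the callee is entered from `site`."""
    return analyze_param(calls, k).get(push_context(caller_ctx, site, k))


# Constructed input: f(x) is called as f(7) at site cs1 and as f(-3) at site cs2,
# both from main. A client indexing an array with x at cs1 wants x proven non-negative.
CALLS: List[Call] = [(("main",), "cs1", 7), (("main",), "cs2", -3)]

if __name__ == "__main__":
    for k in (0, 1, 2):
        print(f"k={k}: x at cs1 = {value_at_call_site(CALLS, ('main',), 'cs1', k)}, "
              f"all contexts = {analyze_param(CALLS, k).entries}")
```

Running the block prints one line per k: with k = 0 the single context `()` holds `top`; with k = 1 the contexts `('cs1',)` and `('cs2',)` hold `pos` and `neg`; with k = 2 the contexts are extended with the caller `main`, showing how the context function alone decides how finely the base facts are partitioned.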



    • Published in

      ACM Transactions on Programming Languages and Systems, Volume 40, Issue 3
      September 2018
      230 pages
      ISSN: 0164-0925
      EISSN: 1558-4593
      DOI: 10.1145/3236464

      Copyright © 2018 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 9 August 2018
      • Accepted: 1 May 2018
      • Revised: 1 April 2017
      • Received: 1 April 2016


      Qualifiers

      • research-article
      • Research
      • Refereed
