A Value Analysis for C Programs

Canet, Géraud; Cuoq, Pascal; Monate, Benjamin

doi:10.1109/scam.2009.22

Cited by 48 publications

(21 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We recall multi-threaded programs and context-bounded analysis before we give some details on the two pillars of our approach: the lazy sequentialization performed by the tool LazyCSeq [16] and the value analysis performed by the tool Frama-C [2].…”

Section: Verification Approachmentioning

confidence: 99%

Concurrent Program Verification with Lazy Sequentialization and Interval Analysis

et al. 2017

View full text Add to dashboard Cite

Abstract. Lazy sequentialization has proven to be one of the most effective techniques for concurrent program verification. The Lazy-CSeq sequentialization tool performs a "lazy" code-to-code translation from a concurrent program into an equivalent non-deterministic sequential program, i.e., it preserves the valuations of the program variables along its executions. The obtained program is then analyzed using sequential bounded model checking tools. However, the sizes of the individual states still pose problems for further scaling. We therefore use abstract interpretation to minimize the representation of the concurrent program's (shared global and thread-local) state variables. More specifically, we run the Frama-C abstract interpretation tool over the programs constructed by Lazy-CSeq to compute overapproximating intervals for all (original) state variables and then exploit CBMC's bitvector support to reduce the number of bits required to represent these in the sequentialized program. We have implemented this approach in the last release of Lazy-CSeq and demonstrate the effectiveness of this approach; in particular, we show that it leads to large performance gains for very hard verification problems.

show abstract

Section: Verification Approachmentioning

confidence: 99%

Concurrent Program Verification with Lazy Sequentialization and Interval Analysis

et al. 2017

View full text Add to dashboard Cite

show abstract

“…Frama-C [5] is an open-source, extensible, static-analysis framework for C. It features a value-analysis plug-in [2]: an abstract interpreter roughly comparable to Polyspace [10] and Astrée [1]. The value analysis uses non-relational domains adapted to the C language; it soundly detects and warns about a sizable set of C's undefined and unspecified behaviors.…”

Section: Frama-cmentioning

confidence: 99%

“…2 Indeed, LLVM ships with the Bugpoint tool 3 that automates reduction at the level of LLVM IR. The importance that compiler developers place on small test cases stems from the simple fact that manual test-case reduction is both difficult and time consuming.…”

Section: Introductionmentioning

confidence: 99%

Test-case reduction for C compiler bugs

et al. 2012

Self Cite

View full text Add to dashboard Cite

To report a compiler bug, one must often find a small test case that triggers the bug. The existing approach to automated test-case reduction, delta debugging, works by removing substrings of the original input; the result is a concatenation of substrings that delta cannot remove. We have found this approach less than ideal for reducing C programs because it typically yields test cases that are too large or even invalid (relying on undefined behavior). To obtain small and valid test cases consistently, we designed and implemented three new, domain-specific test-case reducers. The best of these is based on a novel framework in which a generic fixpoint computation invokes modular transformations that perform reduction operations. This reducer produces outputs that are, on average, more than 25 times smaller than those produced by our other reducers or by the existing reducer that is most commonly used by compiler developers. We conclude that effective program reduction requires more than straightforward delta debugging.

show abstract

“…Many existing tools can detect undefined behavior as listed in Figure 3. For example, gcc provides the -ftrapv option to insert run-time checks for signed integer overflows [42: §3.18]; IOC [11] (now part of clang's sanitizers [9]) and Kint [50] cover a more complete set of integer errors; Saturn [12] finds null pointer dereferences; several dedicated C interpreters such as kcc [14] and Frama-C [5] perform checks for undefined behavior. See Chen et al's survey [6] for a summary.…”

Section: Related Workmentioning

confidence: 99%

“…SOSP'13, Nov. [3][4][5][6]2013 The code becomes vulnerable as gcc optimizes away the second if statement [13].…”

Section: Introductionmentioning

confidence: 99%

Towards optimization-safe systems

Wang¹,

Zeldovich²,

Kaashoek³

et al. 2013

Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles

102

View full text Add to dashboard Cite

This paper studies an emerging class of software bugs called optimization-unstable code: code that is unexpectedly discarded by compiler optimizations due to undefined behavior in the program. Unstable code is present in many systems, including the Linux kernel and the Postgres database. The consequences of unstable code range from incorrect functionality to missing security checks.To reason about unstable code, this paper proposes a novel model, which views unstable code in terms of optimizations that leverage undefined behavior. Using this model, we introduce a new static checker called Stack that precisely identifies unstable code. Applying Stack to widely used systems has uncovered 160 new bugs that have been confirmed and fixed by developers.

show abstract

A Value Analysis for C Programs

Cited by 48 publications

References 1 publication

Concurrent Program Verification with Lazy Sequentialization and Interval Analysis

Concurrent Program Verification with Lazy Sequentialization and Interval Analysis

Test-case reduction for C compiler bugs

Towards optimization-safe systems

Contact Info

Product

Resources

About