Analyzing Program Analyses

GiacobazziRoberto,; LogozzoFrancesco,; RanzatoFrancesco,

doi:10.1145/2775051.2676987

Cited by 7 publications

(7 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We leave as a future work the connection with domain completion techniques [12,18,32] which, intuitively, define strategies to enrich an abstract domain with new values as long as it is not precise enough to prove a given property. The correspondence between completeness in abstract interpretation and soundness in up-to techniques can also motivate the extension of methods for proving the absence of false alarms in abstract interpretations, such as the proof system in [16], to prove soundness of corresponding up-to techniques.…”

Section: Resultsmentioning

confidence: 99%

“…Remark 5.7. Some works [16,18] have studied modularity for proofs of full-completeness of abstract domains, but always focusing on up-closures rather than on monotone maps. This example, together with the results in Section 6, shows that also for abstract domains could be convenient to decompose up-closures into smaller monotone maps.…”

Section: Proving Soundness Of Equivalence Closurementioning

confidence: 99%

“…Now, at step (4), todo is empty and, thus by (16), we have that b * ⊔ i e (R (4) ) = e(R (4) ) = R (4) . This proves that R (4) is a fixed…”

Section: Hopcroft and Karp From The Standpoint Of Abstract Interpretamentioning

confidence: 99%

See 2 more Smart Citations

Sound up-to techniques and Complete abstract domains

Bonchi

Ganty

Giacobazzi

et al. 2018

Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science

Self Cite

View full text Add to dashboard Cite

interpretation is a method to automatically find invariants of programs or pieces of code whose semantics is given via least fixed-points. Up-to techniques have been introduced as enhancements of coinduction, an abstract principle to prove properties expressed via greatest fixed-points.While abstract interpretation is always sound by definition, the soundness of up-to techniques needs some ingenuity to be proven. For completeness, the setting is switched: up-to techniques are always complete, while abstract domains are not.In this work we show that, under reasonable assumptions, there is an evident connection between sound up-to techniques and complete abstract domains.

show abstract

Section: Resultsmentioning

confidence: 99%

Section: Proving Soundness Of Equivalence Closurementioning

confidence: 99%

See 1 more Smart Citation

Sound up-to techniques and Complete abstract domains

Bonchi

Ganty

Giacobazzi

et al. 2018

Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…For instance, the work by Ranzato (2013) demonstrates how completeness can be crucial for designing static analyzers for a number of common intra-procedural properties (e.g., signs, constant propagation, polyhedra domains, etc), encouraging one to reason about the completeness properties of their underlying abstract domains. Giacobazzi et al (2015) go even further, providing a proof system for showing that the result of a certain analysis on a particular given program is precise. Those works address mostly numerical properties.…”

Section: Proving Static Analyzers Completementioning

confidence: 99%

A true positives theorem for a static race detector

Gorogiannis

O’Hearn

Sergey

2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

RacerD is a static race detector that has been proven to be effective in engineering practice: it has seen thousands of data races fixed by developers before reaching production, and has supported the migration of Facebook's Android app rendering infrastructure from a single-threaded to a multi-threaded architecture. We prove a True Positives Theorem stating that, under certain assumptions, an idealized theoretical version of the analysis never reports a false positive. We also provide an empirical evaluation of an implementation of this analysis, versus the original RacerD.The theorem was motivated in the first case by the desire to understand the observation from production that RacerD was providing remarkably accurate signal to developers, and then the theorem guided further analyzer design decisions. Technically, our result can be seen as saying that the analysis computes an underapproximation of an over-approximation, which is the reverse of the more usual (over of under) situation in static analysis. Until now, static analyzers that are effective in practice but unsound have often been regarded as ad hoc; in contrast, we suggest that, in the future, theorems of this variety might be generally useful in understanding, justifying and designing effective static analyses for bug catching.RacerD is not sound in the sense of computing an over-approximation of some abstraction of executions. Over-approximations support a theorem: if the analyzer says there are no bugs, then there are none. I.e., there are no false negatives (when the program has no bugs), which is often considered as a "soundness" theorem. RacerD favours reducing false positives over false negatives. A design goal was to "detect actionable races that developers find useful and respond to" but "no need to (provably) find them all". In fact, it is very easy to generate artificial false negatives, but Blackshear et al. (2018) say that few have been reported in over a year of RacerD in production.One can react to this by saying that RacerD is simply an ad hoc, if effective, tool. But, the tool does not heuristically filter out bug reports in order to reduce false positives. It first does computations with an abstract domain, and then issues data race reports if any potential races are found according to the abstract domain. Its architecture is like that of a principled analyzer based on abstract interpretation, even though it does not satisfy the usual soundness theorem. This suggests that saying RacerD is ad hoc because it does not satisfy a standard soundness theorem is somehow missing something: It would be better if a demonstrably-effective analyzer with a principled design came with a theoretical explanation, even if partial, for its effectiveness. That is the research problem we set ourselves to solve in this work.A natural question is if it is possible to actually modify RacerD so as to make it sound, without losing its effectiveness in generating signal-actionable and useful data race reports that developers are keen to fix. RacerD's initial d...

show abstract

“…Theorem 1 shows that, at least as regards non-convex invariants, the development and use of heuristics is indeed vindicated and will continue to remain essential. Related questions of completeness of given abstraction scheme have also been examined by Giaccobazzi et al in [14,13].…”

Section: Introductionmentioning

confidence: 99%

On the Monniaux Problem in Abstract Interpretation

et al. 2019

View full text Add to dashboard Cite

The Monniaux Problem in abstract interpretation asks, roughly speaking, whether the following question is decidable: given a program P , a safety (e.g., non-reachability) specification ϕ, and an abstract domain of invariants D, does there exist an inductive invariant I in D guaranteeing that program P meets its specification ϕ. The Monniaux Problem is of course parameterised by the classes of programs and invariant domains that one considers. In this paper, we show that the Monniaux Problem is undecidable for unguarded affine programs and semilinear invariants (unions of polyhedra). Moreover, we show that decidability is recovered in the important special case of simple linear loops. Nathanaël Fijalkow, Pierre Ohlmann, and Amaury Pouly were supported by the Agence Nationale de la Recherche through the project Codys (ANR-18-CE40-0007). Joël Ouaknine was supported by ERC grant AVS-ISS (648701) and by DFG grant 389792660 as part of TRR 248 (see https://perspicuous-computing.science). James Worrell was supported by EPSRC Fellowship EP/N008197/1. arXiv:1907.08257v1 [cs.LO] 18 Jul 20191. x ∈ I; 2. AI ⊆ I; and 3. y / ∈ I.Remark 4. The proof shows that, in fixed dimension d, the decision procedure runs in polynomial time. It is worth noting that one also has decidability if A, x, and y are taken to have real-algebraic (rather than rational) entries.Let us conclude this section by briefly commenting on the important issue of convexity. At its inception, abstract interpretation had a marked preference for domains of convex invariants, of which the interval domain, the octagon domain, and of course the domain of convex polyhedra are prime examples. Convexity confers several distinct advantages, including simplicity of representation, algorithmic tractability and scalability, ease of implementation, and better termination heuristics (such as the use of widening). The central drawback of ∈ I 0 since I is an invariant for . Finally, I is stable for A since A k x ∈ I 0 , AI k = I k +1 if k < n − 1 and AI n−1 = A n I 0 ⊆ I 0 since λ n = 1 and A n J c I ⊆ I . Conversely, let I be an invariant for . We let I be the projection on J c of A k I ∩ {z | z J = λ k x J }, and claim it is an invariant for . Indeed, quite clearly A k J c x J c ∈ I and I is stable for A n J c . Now, if y J c ∈ I then it must be that y ∈ I, a contradiction.-Let J be a Jordan block of A with eigenvalue λ < 1 and such that y J = 0.If there are infinitely many integers n such that A n J c x J c = y J c , then y ∈ {A n x, n ∈ N}, so there exists no closed invariant for . Otherwise, we let n 0 ∈ N be such that y J c / ∈ {A n J c x J c , n ≥ n 0 }, and claim that is equivalent to. Let I be a semilinear invariant for . Then I = {x, Ax, . . . , A n0−1 x} ∪ {z | z J c ∈ I } is an invariant for . Conversely, let I be an invariant for . Let δ = 1 2 d(y, I) > 0, where the distance is defined according to the infinity norm on C d . Using Lemma 22 from section D, we construct a semilinear P ⊆ C J which is stable for A J , contains (A n x) J for some n, and is included in ...

show abstract

Analyzing Program Analyses

Cited by 7 publications

References 27 publications

Sound up-to techniques and Complete abstract domains

Sound up-to techniques and Complete abstract domains

A true positives theorem for a static race detector

On the Monniaux Problem in Abstract Interpretation

Contact Info

Product

Resources

About