TY - GEN
T1 - Static analysis in disjunctive numerical domains
AU - Sankaranarayanan, Sriram
AU - Ivančić, Franjo
AU - Shlyakhter, Ilya
AU - Gupta, Aarti
PY - 2006
Y1 - 2006
N2 - The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powerset extensions can remedy this shortcoming by considering disjunctions of predicates. Unfortunately, analysis using powerset domains can be exponentially more expensive as compared to analysis on the base domain. In this paper, we prove structural properties of fixed points computed in commonly used powerset extensions. We show that a fixed point computed on a powerset extension is also a fixed point in the base domain computed on an "elaboration" of the program's CFG structure. Using this insight, we build analysis algorithms that approach path sensitive static analysis algorithms by performing the fixed point computation on the base domain while discovering an "elaboration" on the fly. Using restrictions on the nature of the elaborations, we design algorithms that scale polynomially in terms of the number of disjuncts. We have implemented a light-weight static analyzer for C programs with encouraging initial results.
AB - The convexity of numerical domains such as polyhedra, octagons, intervals and linear equalities enables tractable analysis of software for buffer overflows, null pointer dereferences and floating point errors. However, convexity also causes the analysis to fail in many common cases. Powerset extensions can remedy this shortcoming by considering disjunctions of predicates. Unfortunately, analysis using powerset domains can be exponentially more expensive as compared to analysis on the base domain. In this paper, we prove structural properties of fixed points computed in commonly used powerset extensions. We show that a fixed point computed on a powerset extension is also a fixed point in the base domain computed on an "elaboration" of the program's CFG structure. Using this insight, we build analysis algorithms that approach path sensitive static analysis algorithms by performing the fixed point computation on the base domain while discovering an "elaboration" on the fly. Using restrictions on the nature of the elaborations, we design algorithms that scale polynomially in terms of the number of disjuncts. We have implemented a light-weight static analyzer for C programs with encouraging initial results.
UR - http://www.scopus.com/inward/record.url?scp=33749818050&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33749818050&partnerID=8YFLogxK
U2 - 10.1007/11823230_2
DO - 10.1007/11823230_2
M3 - Conference contribution
AN - SCOPUS:33749818050
SN - 3540377565
SN - 9783540377566
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 3
EP - 17
BT - Static Analysis - 13th International Symposium, SAS 2006, Proceedings
PB - Springer Verlag
T2 - 13th International Symposium on Static Analysis, SAS 2006
Y2 - 29 August 2006 through 31 August 2006
ER -