Amphithéâtre - Maison Jean Kuntzmann
13 October 2014 - 15h30
Static Analysis by Abstract Interpretation and Decision Procedures (Phd Defense)
by Julien Henry from Université de Grenoble
Abstract: Dear all,
It is my pleasure to invite you to my Ph.D defense, entitled:
"Static Analysis by Abstract Interpretation and Decision Procedures"
that will take place on Monday, October 13th, 3.30pm, in the amphitheatre of Maison Jean Kuntzmann. Informations on how to access the building are available at http://mi2s.imag.fr/plans-dacces .
You are also invited to my "pot de thèse" that will follow.
Static program analysis aims at automatically determining whether a program satisfies some particular properties. For this purpose, abstract interpretation is a framework that enables the computation of invariants, i.e. properties on the variables that always hold for any program execution. The precision of these invariants depends on many parameters, in particular the abstract domain, and the iteration strategy for computing these invariants. In this thesis, we propose several improvements on the abstract interpretation framework that enhance the overall precision of the analysis.
Usually, abstract interpretation consists in computing an ascending sequence with widening, which converges towards a fixpoint which is a program invariant; then computing a descending sequence of correct solutions without widening. We describe and experiment with a method to improve a fixpoint after its computation, by starting again a new ascending/descending sequence with a smarter starting value. Abstract interpretation can also be made more precise by distinguishing paths inside loops, at the expense of possibly exponential complexity. Satisfiability modulo theories (SMT), whose efficiency has been considerably improved in the last decade, allows sparse representations of paths and sets of paths. We propose to combine this SMT representation of paths with various state-of-the-art iteration strategies to further improve the overall precision of the analysis.
We propose a second coupling between abstract interpretation and SMT in a program verification framework called Modular Path Focusing, that computes function and loop summaries by abstract interpretation in a modular fashion, guided by error paths obtained with SMT. Our framework can be used for various purposes: it can prove the unreachability of certain error program states, but can also synthesize function/loop preconditions for which these error states are unreachable.
We then describe an application of static analysis and SMT to the estimation of program worst-case execution time (WCET). We first present how to express WCET as an optimization modulo theory problem, and show that natural encodings into SMT yield formulas intractable for all current production-grade solvers. We propose an efficient way to considerably reduce the computation time of the SMT-solvers by conjoining to the formulas well chosen summaries of program portions obtained by static analysis.
We finally describe the design and the implementation of Pagai, a new static analyzer working over the LLVM compiler infrastructure, which computes numerical inductive invariants using the various techniques described in this thesis. Because of the non-monotonicity of the results of abstract interpretation with widening operators, it is difficult to conclude that some abstraction is more precise than another based on theoretical local precision results. We thus conducted extensive comparisons between our new techniques and previous ones, on a variety of open-source packages and benchmarks used in the community.
Prof. Cesare Tinelli University of Iowa, Rapporteur
Dr. Antoine Miné Ecole Normale Supérieure, Rapporteur
Dr. Hugues Cassé Université de Toulouse - IRIT, Examinateur
Prof. Roland Groz Grenoble-INP, Examinateur
Prof. Andreas Podelski University of Freiburg, Examinateur
Dr. David Monniaux CNRS - Verimag, Directeur de Thèse
Dr. Matthieu Moy Grenoble-INP - Verimag, Co-Encadrant de Thèse