Kwangkeun Yi

Proofs about a folklore let-polymorphic type inference algorithm

The Hindley/Milner let-polymorphic type inference system has two different algorithms: one is the <italic>de facto</italic>standard Algorithm <inline-equation> <f><sc>W</sc></f></inline-equation> that is bottom-up (or context-insensitive), and the other is a “folklore” algorithm that is top-down (or context-sensitive). Because the latter algorithm has not been formally presented with its soundness and completeness proofs, and its relation with the <inline-equation> <f><sc>W</sc></f></inline-equation> algorithm has not been rigorously investigated, its use in place of (or in combination with) <inline-equation> <f><sc>W</sc></f></inline-equation> is not well founded. In this article, we formally define the context-sensitive, top-down type inference algorithm (named “<inline-equation> <f><sc>M</sc></f></inline-equation>”), prove its soundness and completeness, and show a distinguishing property that <inline-equation> <f><sc>M</sc></f></inline-equation> always stops earlier than <inline-equation> <f><sc>W</sc></f></inline-equation> if the input program is ill typed. Our proofs can be seen as theoretical justifications for various type-checking strategies being used in practice.

Automatic Verification of Pointer Programs Using Grammar-Based Shape Analysis

We present a program analysis that can automatically discover the shape of complex pointer data structures. The discovered invariants are, then, used to verify the absence of safety errors in the program, or to check whether the program preserves the data consistency. Our analysis extends the shape analysis of Sagiv et al. with grammar annotations, which can precisely express the shape of complex data structures. We demonstrate the usefulness of our analysis with binomial heap construction and the Schorr-Waite tree traversal. For a binomial heap construction algorithm, our analysis returns a grammar that precisely describes the shape of a binomial heap; for the Schorr-Waite tree traversal, our analysis shows that at the end of the execution, the result is a tree and there are no memory leaks.

Automatic generation and management of interprocedural program analyses

We have designed and implemented an interprocedural program analyzer generator, called system Z. Our goal is to automate the generation and management of semantics-based interprocedural program analysis for a wide range of target languages. System Z is based on the abstract interpretation framework. The input to system Z is a high-level specification of an abstract interpreter. The output is a C code for the specified interprocedural program analyzer. The system provides a high-level command set (called projection expressions) in which the user can tune the analysis in accuracy and cost. The user writes projection expressions for selected domains; system Z takes care of the remaining things so that the generated analyzer conducts an analysis over the projected domains, which will vary in cost and accuracy according to the projections. We demonstrate the systems capabilities by experiments with a set of generated analyzers which can analyze C, FORTRAN, and SCHEME programs.

A polymorphic modal type system for lisp-like multi-staged languages

This article presents a polymorphic modal type system and its principal type inference algorithm that conservatively extend ML by all of Lisps staging constructs (the quasi-quotation system). The combination is meaningful because ML is a practical higher-order, impure, and typed language, while Lisps quasi-quotation system has long evolved complying with the demands from multi-staged programming practices. Our type system supports open code, unrestricted operations on references, intentional variable-capturing substitution as well as capture-avoiding substitution, and lifting values into code, whose combination escaped all the previous systems.

Interprocedural exception analysis for Java

Current JDK Java compiler relies too much on programmer’s specification for checking against uncaught exceptions of the input program. It is not elaborate enough to remove programmer’s unnecessary handlers (when programmer’s specifications are too many) nor suggest to programmers for specialized handlings (when programmer’s specifications are too general). We propose a static analysis of Java programs that estimates their exception flows independently of the programmer’s specifications. This analysis is designed and implemented based on set-constraint framework. Its cost-effectiveness is suggested by sparsely analyzing the program at method-level (hence reducing the number of unknowns in the flow equations). We have shown that our exception analysis can effectively detect uncaught exceptions for realistic Java programs.

Practical memory leak detector based on parameterized procedural summaries

We present a static analyzer that detects memory leaks in C programs. It achieves relatively high accuracy at a relatively low cost on SPEC2000 benchmarks and several open-source software packages, demonstrating its practicality and competitive edge against other reported analyzers: for a set of benchmarks totaling 1,777 KLOCs, it found 332 bugs with 47 additional false positives (a 12.4% false-positive ratio), and the average analysis speed was 720 LOC/sec. We separately analyze each procedures memory behavior into a summary that is used in analyzing its call sites. Each procedural summary is parameterized by the procedures call context so that it can be instantiated at different call sites. What information to capture in each procedural summary has been carefully tuned so that the summary should not lose any common memory-leak-related behaviors in real-world C programs. Because each procedure is summarized by conventional fixpoint iteration over the abstract semantics (a la abstract interpretation), the analyzer naturally handles arbitrary call cycles from direct or indirect recursive calls.

An uncaught exception analysis for Java

Current JDK Java compiler relies on programmers declarations (by throws clauses) for checking against uncaught exceptions of the input program. It is not elaborate enough to remove programmers unnecessary handlers nor suggest to programmers for specialized handlings (when programmers declarations are too broad). We propose a static analysis of Java programs that estimates their uncaught exceptions independently of the programmers declarations. This analysis is designed and implemented based on set-based framework. Its cost-effectiveness is suggested by sparsely analyzing the program at method level (hence reducing the number of unknowns in the flow equations). We have shown that our interprocedural exception analysis is more precise than JDK-style intraprocedural analysis, and also that our analysis can effectively detect uncaught exceptions for realistic Java programs.

Design and implementation of sparse global analyses for C-like languages

In this article we present a general method for achieving global static analyzers that are precise, sound, yet also scalable. Our method generalizes the sparse analysis techniques on top of the abstract interpretation framework to support relational as well as non-relational semantics properties for C-like languages. We first use the abstract interpretation framework to have a global static analyzer whose scalability is unattended. Upon this underlying sound static analyzer, we add our generalized sparse analysis techniques to improve its scalability while preserving the precision of the underlying analysis. Our framework determines what to prove to guarantee that the resulting sparse version should preserve the precision of the underlying analyzer. We formally present our framework; we present that existing sparse analyses are all restricted instances of our framework; we show more semantically elaborate design examples of sparse non-relational and relational static analyses; we present their implemen- tation results that scale to analyze up to one million lines of C programs. We also show a set of implementation techniques that turn out to be critical to economically support the sparse analysis process.

Selective context-sensitivity guided by impact pre-analysis

We present a method for selectively applying context-sensitivity during interprocedural program analysis. Our method applies context-sensitivity only when and where doing so is likely to improve the precision that matters for resolving given queries. The idea is to use a pre-analysis to estimate the impact of context-sensitivity on the main analysiss precision, and to use this information to find out when and where the main analysis should turn on or off its context-sensitivity. We formalize this approach and prove that the analysis always benefits from the pre-analysis-guided context-sensitivity. We implemented this selective method for an existing industrial-strength interval analyzer for full C. The method reduced the number of (false) alarms by 24.4%, while increasing the analysis cost by 27.8% on average. The use of the selective method is not limited to context-sensitivity. We demonstrate this generality by following the same principle and developing a selective relational analysis.

Automatic Construction of Hoare Proofs from Abstract Interpretation Results

By combining program logic and static analysis, we present an automatic approach to construct program proofs to be used in Proof-Carrying Code. We use Hoare logic in representing the proofs of program properties, and the abstract interpretation in computing the program properties. This combination automatizes proof construction; an abstract interpretation automatically estimates program properties (approximate invariants) of our interest, and our proof-construction method constructs a Hoare-proof for those approximate invariants. The proof-checking side (code consumer’s side) is insensitive to a specific static analysis; the assertions in the Hoare proofs are always first-order logic formulas for integers, into which we first compile the abstract interpreters’ results. Both the property-compilation and the proof construction refer to the standard safety conditions that are prescribed in the abstract interpretation framework. We demonstrate this approach for a simple imperative language with an example property being the integer ranges of program variables. We prove the correctness of our approach, and analyze the size complexity of the generated proofs.