PAGAI: a path sensitive static analyzer

We describe the design and the implementation of PAGAI, a new static analyzer working over the LLVM compiler infrastructure, which computes inductive invariants on the numerical variables of the analyzed program. PAGAI implements various state-of-the-art algorithms combining abstract interpretation and decision procedures (SMT-solving), focusing on distinction of paths inside the control flow graph while avoiding systematic exponential enumerations. It is parametric in the abstract domain in use, the iteration algorithm, and the decision procedure. We compared the time and precision of various combinations of analysis algorithms and abstract domains, with extensive experiments both on personal benchmarks and widely available GNU programs.

💡 Research Summary

PAGAI is a novel static analysis framework built on top of the LLVM compiler infrastructure that automatically derives inductive invariants for numerical program variables. The core contribution of the paper is a hybrid approach that combines abstract interpretation with SMT‑based decision procedures while preserving path sensitivity without enumerating all control‑flow paths explicitly. The authors describe three design pillars. First, each basic block of the LLVM‑IR is translated into a logical formula; an SMT solver is then used to identify feasible paths and to refine the abstract state only along those paths. This selective propagation avoids the exponential blow‑up typical of naïve path‑sensitive analyses. Second, the analysis is parametrised by the abstract domain. Implemented domains include intervals, template‑based linear relations, and polynomial abstractions, and they can be mixed or swapped at run time. Each domain supplies transfer and join operators, and may request additional constraints from the SMT solver to improve precision. Third, the iteration engine is modular: a traditional work‑list, a path‑focused work‑list, a breadth‑first/depth‑first hybrid, and a priority‑queue driven fix‑point algorithm are all supported. The path‑focused work‑list propagates information only for currently active paths, dramatically reducing unnecessary recomputation.

Implementation details highlight the use of LLVM’s SSA form to simplify formula generation and to eliminate variable aliasing, as well as the integration with LLVM passes for dead‑code elimination and other pre‑optimisations that shrink the analysis problem. The framework’s plug‑in architecture makes it straightforward to experiment with new domains or solvers.

The experimental evaluation covers two benchmark suites: a set of handcrafted programs that stress nested loops and complex conditionals, and a collection of widely used GNU utilities (coreutils, bc, grep, etc.). For each benchmark the authors evaluate multiple combinations of abstract domain, iteration strategy, and SMT solver. The results show that path‑sensitive analysis yields 15‑30 % tighter invariants compared with a path‑insensitive baseline when using the same domain. Moreover, the SMT‑guided path selection reduces total analysis time by a factor of 2‑5 on programs whose CFG contains more than one million potential paths. Combining domains (e.g., intervals plus template linear relations) together with a priority‑driven iteration further improves precision, allowing the tool to discover inequalities that other state‑of‑the‑art analyzers miss.

The paper also discusses limitations. When non‑linear polynomial domains are employed, the number of SMT queries grows sharply, leading to higher runtime and memory consumption. Sub‑optimal path‑selection heuristics can still cause the analysis to explore many irrelevant paths, inflating resource usage. To address these issues the authors propose future work on path summarisation (collapsing equivalent path families), proof caching (re‑using SMT results), and dynamic path‑priority adjustment based on heuristic impact metrics.

In summary, PAGAI demonstrates that a carefully engineered combination of abstract interpretation, SMT solving, and flexible iteration strategies can achieve both high precision and acceptable performance in a path‑sensitive static analyzer. Its modular design, LLVM integration, and extensive experimental validation make it a valuable platform for further research in static verification and for practical applications such as compiler optimisations and safety‑critical software analysis.