Abstract
This article addresses the verification of properties of imperative programs with recursive procedure calls, heap-allocated storage, and destructive updating of pointer-valued fields, that is, interprocedural shape analysis. The article makes three contributions.
— It introduces a new method for abstracting relations over memory configurations for use in abstract interpretation.
— It shows how this method furnishes the elements needed for a compositional approach to shape analysis. In particular, abstracted relations are used to represent the shape transformation performed by a sequence of operations, and an overapproximation to relational composition can be performed using the meet operation of the domain of abstracted relations.
— It applies these ideas in a new algorithm for context-sensitive interprocedural shape analysis. The algorithm creates procedure summaries using abstracted relations over memory configurations, and the meet-based composition operation provides a way to apply the summary transformer for a procedure P at each call site from which P is called.
The algorithm has been applied successfully to establish properties of both (i) recursive programs that manipulate lists and (ii) recursive programs that manipulate binary trees.
A relational approach to interprocedural shape analysis