Abstract
Many relational static analysis techniques for precise reasoning about heap contents perform an explicit case analysis of all possible heaps that can arise. We argue that such precise relational reasoning can be obtained in a more scalable and economical way by enforcing the memory invariant that every concrete memory location stores one unique value directly on the heap abstraction. Our technique combines the strengths of analyses for precise reasoning about heap contents with approaches that prioritize axiomatization of memory invariants, such as the theory of arrays. Furthermore, by avoiding an explicit case analysis, our technique is scalable and powerful enough to analyze real-world programs with intricate use of arrays and pointers; in particular, we verify the absence of buffer overruns, incorrect casts, and null pointer dereferences in OpenSSH (over 26,000 lines of code) after fixing 4 previously undiscovered bugs found by our system. Our experiments also show that the combination of reasoning about heap contents and enforcing existence and uniqueness invariants is crucial for this level of precision.
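The abstract contrasts two ways of reasoning about heap contents: enumerating every aliasing pattern among symbolic indices (explicit case analysis) versus building the "one location, one value" invariant into the axioms, as the theory of arrays does with McCarthy's read-over-write rule. The following Python example is added here to make that contrast concrete; it is not the paper's implementation, nor the actual symbolic heap abstraction it describes, and the index names (`i`, `j`, ...), value names (`v1`, ...) and the base array `a0` are constructed symbols. It shows that the number of concrete heaps the explicit approach must consider grows as the Bell numbers in the number of symbolic indices, while the axiomatic read yields one conditional term whose size is linear in the number of stores.

```python
"""
Added illustration (not the paper's code): explicit case analysis over
aliasing patterns vs. an axiomatic, theory-of-arrays style read that has
the invariant "every location stores exactly one value" built in.
All symbols below ('i', 'j', 'v1', 'a0', ...) are constructed examples.
"""


def set_partitions(items):
    """All set partitions of `items`, each as a list of blocks.

    A partition is one aliasing pattern: indices in the same block denote
    the same concrete location. The count is the Bell number B(n).
    """
    if not items:
        return [[]]
    first, rest = items[0], items[1:]
    result = []
    for partition in set_partitions(rest):
        # `first` joins an existing block ...
        for k in range(len(partition)):
            result.append(partition[:k] + [[first] + partition[k]] + partition[k + 1:])
        # ... or forms a block of its own
        result.append([[first]] + partition)
    return result


def case_analysis_read(stores, idx, base="a0"):
    """Explicit case analysis.

    For every aliasing pattern over the indices, replay the stores on a
    concrete heap (one value per concrete location) and read `idx`.
    Returns a list of (pattern, value) pairs, one per pattern.
    """
    names = sorted({i for i, _ in stores} | {idx})
    outcomes = []
    for partition in set_partitions(names):
        rep = {name: min(block) for block in partition for name in block}
        heap = {}
        for i, v in stores:
            heap[rep[i]] = v  # a concrete location holds exactly one value
        val = heap.get(rep[idx], ("select", base, idx))
        outcomes.append((frozenset(frozenset(b) for b in partition), val))
    return outcomes


def count_cases(stores, idx):
    """Number of concrete heaps explicit case analysis has to consider."""
    names = sorted({i for i, _ in stores} | {idx})
    return len(set_partitions(names))


def axiomatic_read(stores, idx, base="a0"):
    """Axiomatic read using McCarthy's read-over-write rule:

        select(store(a, i, v), j) = ite(i = j, v, select(a, j))

    Uniqueness of the stored value is part of the axiom, so no heap
    enumeration is needed; the result is a single nested ite term whose
    depth is at most the number of stores.
    """
    term = ("select", base, idx)
    for i, v in stores:
        if i == idx:  # syntactically identical index: certainly overwritten
            term = v
        else:
            term = ("ite", ("eq", i, idx), v, term)
    return term


if __name__ == "__main__":
    stores = [("i", "v1"), ("j", "v2"), ("k", "v3")]
    print("axiomatic :", axiomatic_read(stores, "i"))
    print("cases     :", count_cases(stores, "i"))
    for pattern, val in case_analysis_read(stores, "i"):
        print("  ", sorted(sorted(b) for b in pattern), "->", val)
```

With two stores to `i` and `j` and a read of `i`, the axiomatic side returns the single term `ite(j = i, v2, v1)`, whereas the explicit side already needs two heaps (`i` and `j` aliased, or not); with four distinct symbolic indices it needs fifteen. Real analyses add path conditions and numeric constraints on top of this, but the growth pattern is the one the abstract is warning about.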
Symbolic heap abstraction with demand-driven axiomatization of memory invariants. In: OOPSLA '10: Proceedings of the ACM international conference on Object oriented programming systems languages and applications.