
Symbolic heap abstraction with demand-driven axiomatization of memory invariants

Published: 17 October 2010

Abstract

Many relational static analysis techniques for precise reasoning about heap contents perform an explicit case analysis of all possible heaps that can arise. We argue that such precise relational reasoning can be obtained in a more scalable and economical way by enforcing the memory invariant that every concrete memory location stores one unique value directly on the heap abstraction. Our technique combines the strengths of analyses for precise reasoning about heap contents with approaches that prioritize axiomatization of memory invariants, such as the theory of arrays. Furthermore, by avoiding an explicit case analysis, our technique is scalable and powerful enough to analyze real-world programs with intricate use of arrays and pointers; in particular, we verify the absence of buffer overruns, incorrect casts, and null pointer dereferences in OpenSSH (over 26,000 lines of code) after fixing 4 previously undiscovered bugs found by our system. Our experiments also show that the combination of reasoning about heap contents and enforcing existence and uniqueness invariants is crucial for this level of precision.
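The invariant the abstract describes, that each concrete memory location holds exactly one value, is what the theory of arrays (McCarthy's select/store axioms) bakes into the heap representation: a read after several writes to possibly-aliasing offsets is a single guarded term over offset equalities, not one heap per aliasing configuration. The following Python model is an added illustration and is not code from the paper or its authors; the array name `buf`, the symbolic offsets `i`, `j`, `k`, the stored values, and the `known_equal`/`agrees_with_oracle` helpers are all constructed here to show the read-over-write rule and to check it against a concrete execution for every assignment of the symbols.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, Tuple, Union

Index = Union[int, str]   # concrete offset, or the name of a symbolic offset


@dataclass(frozen=True)
class Init:
    """Uninterpreted initial contents of array `arr` at `idx` (no write seen yet)."""
    arr: str
    idx: Index


@dataclass(frozen=True)
class Ite:
    """Value that depends on whether two offsets coincide: ite(lhs = rhs, then, other)."""
    lhs: Index
    rhs: Index
    then: "Value"
    other: "Value"


Value = Union[int, Init, Ite]


def known_equal(a: Index, b: Index):
    """True/False when equality of two offsets is decidable, None when it is symbolic."""
    if a == b:
        return True
    if isinstance(a, int) and isinstance(b, int):
        return False
    return None


class SymbolicArray:
    """Functional array following McCarthy's select/store axioms (constructed model)."""

    def __init__(self, name: str, stores: Tuple[Tuple[Index, int], ...] = ()):
        self.name = name
        self.stores = stores          # (offset, value) pairs, oldest first

    def store(self, idx: Index, val: int) -> "SymbolicArray":
        # store(a, j, v) leaves the old array untouched and records the write
        return SymbolicArray(self.name, self.stores + ((idx, val),))

    def select(self, idx: Index) -> Value:
        # read-over-write: select(store(a, j, v), i) = ite(i = j, v, select(a, i))
        result: Value = Init(self.name, idx)
        for j, v in self.stores:      # replay oldest to newest so the newest write wins
            eq = known_equal(idx, j)
            if eq is True:
                result = v            # definitely the same cell: exactly this value
            elif eq is None:
                result = Ite(idx, j, v, result)   # may alias: keep both, guarded
            # eq is False: a different cell, so this write cannot affect the read
        return result


def ite_count(val: Value) -> int:
    """Number of equality guards in a value term (one per possibly-aliasing write)."""
    if isinstance(val, Ite):
        return 1 + ite_count(val.then) + ite_count(val.other)
    return 0


def concretize(idx: Index, env: Dict[str, int]) -> int:
    return idx if isinstance(idx, int) else env[idx]


def evaluate(val: Value, env: Dict[str, int], init: Dict[int, int]) -> int:
    """Evaluate a value term under a concrete assignment of the symbolic offsets."""
    if isinstance(val, int):
        return val
    if isinstance(val, Init):
        return init.get(concretize(val.idx, env), 0)
    if concretize(val.lhs, env) == concretize(val.rhs, env):
        return evaluate(val.then, env, init)
    return evaluate(val.other, env, init)


def concrete_read(arr: SymbolicArray, idx: Index, env: Dict[str, int], init: Dict[int, int]) -> int:
    """Oracle: perform the same writes on a plain dict and read the cell back."""
    mem = dict(init)
    for j, v in arr.stores:
        mem[concretize(j, env)] = v
    return mem.get(concretize(idx, env), 0)


def agrees_with_oracle(arr: SymbolicArray, idx: Index, symbols, span=range(0, 4)) -> bool:
    """Check the symbolic read against the oracle for every assignment of the symbols."""
    term = arr.select(idx)
    init = {k: 100 + k for k in span}          # constructed initial contents
    for values in product(span, repeat=len(symbols)):
        env = dict(zip(symbols, values))
        if evaluate(term, env, init) != concrete_read(arr, idx, env, init):
            return False
    return True


def example() -> SymbolicArray:
    """Constructed example: three writes, two of them at symbolic offsets i and j."""
    return SymbolicArray("buf").store("i", 1).store("j", 2).store(0, 3)


if __name__ == "__main__":
    buf = example()
    print(buf.select("i"))    # ite(i = 0, 3, ite(i = j, 2, 1)): one term, three aliasing cases
    print(buf.select(0))      # 3: the last write to offset 0 is the unique value there
    print(agrees_with_oracle(buf, "i", ["i", "j"]))
```

The point to notice is in `select`: a read never produces a set of candidate heaps, only one value term whose guards are the offset equalities the analysis has not yet decided, and the exhaustive `agrees_with_oracle` check confirms that this single term agrees with concrete execution under every aliasing of `i`, `j` and `k` in the tested range. Deciding those guards (for example with the index constraints that bound a buffer) is what a solver-backed analysis adds on top of this representation.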

