Abstract
To infer complex structural invariants, shape analyses rely on expressive families of logical properties. Many such analyses manipulate abstract memory states that consist of separating conjunctions of basic predicates describing atomic blocks or summaries. Moreover, they use finite disjunctions of abstract memory states in order to account for dissimilar shapes. Disjunctions should be kept small for the sake of scalability, though precision often requires keeping additional case splits. In this context, deciding when and how to merge case splits and to replace them with summaries is critical both for precision and for efficiency. Existing techniques use sets of syntactic rules, which are tedious to design and prone to failure. In this paper, we design a semantic criterion to clump abstract states based on their silhouette, which applies not only to the conservative union of disjuncts but also to the weakening of separating conjunctions of memory predicates into inductive summaries. Our approach allows us to define union and widening operators that aim at preserving the case splits required for the analysis to succeed. We implement this approach in the MemCAD analyzer and evaluate it on real-world C code from existing libraries, including programs dealing with doubly linked lists, red-black trees and AVL trees.
Semantic-directed clumping of disjunctive abstract states. POPL '17: Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages.