Abstract
We investigate the decidability of automatic program verification for programs that manipulate heaps, and in particular, decision procedures for proving memory safety for them. We extend recent work that identified a decidable subclass of uninterpreted programs to a class of alias-aware programs that can update maps. We apply this theory to develop verification algorithms for memory safety— determining if a heap-manipulating program that allocates and frees memory locations and manipulates heap pointers does not dereference an unallocated memory location. We show that this problem is decidable when the initial allocated heap forms a forest data-structure and when programs are streaming-coherent, which intuitively restricts programs to make a single pass over a data-structure. Our experimental evaluation on a set of library routines that manipulate forest data-structures shows that common single-pass algorithms on data-structures often fall in the decidable class, and that our decision procedure is efficient in verifying them.
Supplemental Material
- Rajeev Alur and Pavol Černý. 2011. Streaming Transducers for Algorithmic Verification of Single-pass List-processing Programs. SIGPLAN Not. 46, 1 (Jan. 2011), 599–610. Google Scholar
Digital Library
- Todd M. Austin, Scott E. Breach, and Gurindar S. Sohi. 1994. Efficient Detection of All Pointer and Array Access Errors. In Proceedings of the ACM SIGPLAN 1994 Conference on Programming Language Design and Implementation (PLDI ’94). ACM, New York, NY, USA, 290–301. Google Scholar
Digital Library
- Ittai Balaban, Amir Pnueli, and Lenore D. Zuck. 2005. Shape Analysis by Predicate Abstraction. In Proceedings of the 6th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’05). Springer-Verlag, Berlin, Heidelberg, 164–180. Google Scholar
Digital Library
- Thomas Ball, Rupak Majumdar, Todd Millstein, and Sriram K. Rajamani. 2001. Automatic Predicate Abstraction of C Programs. In Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation (PLDI ’01). ACM, New York, NY, USA, 203–213. Google Scholar
Digital Library
- Sébastien Bardin, Alain Finkel, and David Nowak. 2004. Toward symbolic verification of programs handling pointers. (2004).Google Scholar
- Josh Berdine, Cristiano Calcagno, and Peter W. O’Hearn. 2004. A Decidable Fragment of Separation Logic. In Proceedings of the 24th International Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS’04). Springer-Verlag, Berlin, Heidelberg, 97–109. Google Scholar
Digital Library
- Josh Berdine, Cristiano Calcagno, and Peter W. O’Hearn. 2006. Smallfoot: Modular Automatic Assertion Checking with Separation Logic. In Formal Methods for Components and Objects, Frank S. de Boer, Marcello M. Bonsangue, Susanne Graf, and Willem-Paul de Roever (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 115–137.Google Scholar
- Ahmed Bouajjani, Marius Bozga, Peter Habermehl, Radu Iosif, Pierre Moro, and Tomáš Vojnar. 2006. Programs with Lists Are Counter Automata. In Computer Aided Verification, Thomas Ball and Robert B. Jones (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 517–531.Google Scholar
- Ahmed Bouajjani, Peter Habermehl, Pierre Moro, and Tomáš Vojnar. 2005. Verifying Programs with Dynamic 1-selectorlinked Structures in Regular Model Checking. In Proceedings of the 11th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’05). Springer-Verlag, Berlin, Heidelberg, 13–29. Google Scholar
Digital Library
- Marius Bozga and Radu Iosif. 2007. On Flat Programs with Lists. In Proceedings of the 8th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI’07). Springer-Verlag, Berlin, Heidelberg, 122–136. http://dl.acm.org/citation.cfm?id=1763048.1763061Google Scholar
Digital Library
- Aaron R. Bradley and Zohar Manna. 2007. The Calculus of Computation: Decision Procedures with Applications to Verification. Springer-Verlag, Berlin, Heidelberg.Google Scholar
Digital Library
- Cristiano Calcagno, Dino Distefano, Peter W. O’Hearn, and Hongseok Yang. 2011. Compositional Shape Analysis by Means of Bi-Abduction. J. ACM 58, 6, Article 26 (Dec. 2011), 66 pages. Google Scholar
Digital Library
- Jeremy Condit, Matthew Harren, Scott McPeak, George C. Necula, and Westley Weimer. 2003. CCured in the real world. In Proceedings of the ACM SIGPLAN 2003 Conference on Programming Language Design and Implementation 2003, San Diego, California, USA, June 9-11, 2003. 232–244. Google Scholar
Digital Library
- Byron Cook, Christoph Haase, Joël Ouaknine, Matthew Parkinson, and James Worrell. 2011. Tractable Reasoning in a Fragment of Separation Logic. In Proceedings of the 22Nd International Conference on Concurrency Theory (CONCUR’11). Springer-Verlag, Berlin, Heidelberg, 235–249. http://dl.acm.org/citation.cfm?id=2040235.2040256Google Scholar
Digital Library
- John Criswell, Andrew Lenharth, Dinakar Dhurjati, and Vikram S. Adve. 2007. Secure virtual architecture: a safe execution environment for commodity operating systems. In Proceedings of the 21st ACM Symposium on Operating Systems Principles 2007, SOSP 2007, Stevenson, Washington, USA, October 14-17, 2007. 351–366. Google Scholar
Digital Library
- Nurit Dor, Michael Rodeh, and Shmuel Sagiv. 2000. Checking Cleanness in Linked Lists. In SAS.Google Scholar
- Robert W. Floyd. 1967. Assigning meanings to programs. Mathematical aspects of computer science 19, 19-32 (1967), 1. http://www.cs.ucdavis.edu/~su/teaching/ecs240- s09/readings/FloydMeaning.pdfGoogle Scholar
- Guillem Godoy and Ashish Tiwari. 2009. Invariant Checking for Programs with Procedure Calls. In Proceedings of the 16th International Symposium on Static Analysis (SAS ’09). Springer-Verlag, Berlin, Heidelberg, 326–342.Google Scholar
Digital Library
- Michael Hicks. 2014. What is memory safety?, The Programming Languages Enthusiast. http://www.pl- enthusiast.net/ 2014/07/21/memory- safety/ . Accessed: 2019-04-05.Google Scholar
- C. A. R. Hoare. 1969. An Axiomatic Basis for Computer Programming. Commun. ACM 12, 10 (Oct. 1969), 576–580. Google Scholar
Digital Library
- Trevor Jim, J Greg Morrisett, Dan Grossman, Michael W Hicks, James Cheney, and Yanling Wang. 2002. Cyclone: A Safe Dialect of C. In Proceedings of the General Track of the annual conference on USENIX Annual Technical Conference. USENIX Association, 275–288.Google Scholar
- A. Joannou, J. Woodruff, R. Kovacsics, S. W. Moore, A. Bradbury, H. Xia, R. N. M. Watson, D. Chisnall, M. Roe, B. Davis, E. Napierala, J. Baldwin, K. Gudka, P. G. Neumann, A. Mazzinghi, A. Richardson, S. Son, and A. T. Markettos. 2017. Efficient Tagged Memory. In 2017 IEEE International Conference on Computer Design (ICCD). 641–648. Google Scholar
Cross Ref
- Tal Lev-Ami and Mooly Sagiv. 2000. TVLA: A System for Implementing Static Analyses. In Static Analysis, Jens Palsberg (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 280–301.Google Scholar
- Christof Løding, P. Madhusudan, Adithya Murali, and Lucas Pe. 2019. A First Order Logic with Frames. CoRR abs/1910.09089 (2019). arXiv: 1910.09089 https://arxiv.org/abs/1901.09089Google Scholar
- Roman Manevich, E. Yahav, G. Ramalingam, and Mooly Sagiv. 2005. Predicate Abstraction and Canonical Abstraction for Singly-Linked Lists. In Verification, Model Checking, and Abstract Interpretation, Radhia Cousot (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg, 181–198.Google Scholar
- Umang Mathur, P. Madhusudan, and Mahesh Viswanathan. 2019a. Decidable Verification of Uninterpreted Programs. Proc. ACM Program. Lang. 3, POPL, Article 46 (Jan. 2019), 29 pages. Google Scholar
Digital Library
- Umang Mathur, P. Madhusudan, and Mahesh Viswanathan. 2019b. What’s Decidable About Program Verification Modulo Axioms? CoRR abs/1910.10889 (2019). arXiv: 1910.10889 https://arxiv.org/abs/1910.10889Google Scholar
- Umang Mathur, Adithya Murali, Paul Krogmeier, P. Madhusudan, and Mahesh Viswanathan. 2019c. Deciding Memory Safety for Single-Pass Heap-Manipulating Programs. CoRR abs/1910.00298 (2019). arXiv: 1910.00298 http://arxiv.org/abs/ 1910.00298Google Scholar
- Umang Mathur, Adithya Murali, Paul Krogmeier, P. Madhusudan, and Mahesh Viswanathan. 2019d. StreamVerif : Automata Based Verification of Uninterpreted Programs. https://github.com/umangm/streamverif .Google Scholar
- Nicholas D. Matsakis and Felix S. Klock, II. 2014. The Rust Language. In Proceedings of the 2014 ACM SIGAda Annual Conference on High Integrity Language Technology (HILT ’14). ACM, New York, NY, USA, 103–104. Google Scholar
Digital Library
- Microsoft. 2019. 70 Percent of All Security Bugs Are Memory Safety Issues. https://it.slashdot.org/story/19/02/11/2019247/ microsoft- 70- percent- of- all- security- bugs- are- memory- safety- issues . Accessed: 2019-04-05.Google Scholar
- Anders Møller and Michael I. Schwartzbach. 2001. The Pointer Assertion Logic Engine. In Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation (PLDI ’01). ACM, New York, NY, USA, 221–231. Google Scholar
Digital Library
- Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. 2015. Everything You Want to Know About Pointer-Based Checking. In 1st Summit on Advances in Programming Languages (SNAPL 2015) (Leibniz International Proceedings in Informatics (LIPIcs)), Thomas Ball, Rastislav Bodik, Shriram Krishnamurthi, Benjamin S. Lerner, and Greg Morrisett (Eds.), Vol. 32. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 190–208. Google Scholar
Cross Ref
- Juan Antonio Navarro Pérez and Andrey Rybalchenko. 2011. Separation Logic + Superposition Calculus = Heap Theorem Prover. In Proceedings of the 32Nd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’11). ACM, New York, NY, USA, 556–566. Google Scholar
Digital Library
- Juan Antonio Navarro Pérez and Andrey Rybalchenko. 2013. Separation Logic Modulo Theories. In Programming Languages and Systems, Chung-chieh Shan (Ed.). Springer International Publishing, Cham, 90–106.Google Scholar
- George C. Necula, Jeremy Condit, Matthew Harren, Scott McPeak, and Westley Weimer. 2005. CCured: type-safe retrofitting of legacy software. ACM Trans. Program. Lang. Syst. 27, 3 (2005), 477–526. Google Scholar
Digital Library
- George C Necula, Scott McPeak, and Westley Weimer. 2002. CCured: Type-safe retrofitting of legacy code. In ACM SIGPLAN Notices, Vol. 37. ACM, 128–139.Google Scholar
Digital Library
- Daniel Neider, Pranav Garg, P. Madhusudan, Shambwaditya Saha, and Daejun Park. 2018. Invariant Synthesis for Incomplete Verification Engines. In Tools and Algorithms for the Construction and Analysis of Systems, Dirk Beyer and Marieke Huisman (Eds.). Springer International Publishing, Cham, 232–250.Google Scholar
- Nicholas Nethercote and Julian Seward. 2007. Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation. In Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI ’07). ACM, New York, NY, USA, 89–100. Google Scholar
Digital Library
- Peter W. O’Hearn, John C. Reynolds, and Hongseok Yang. 2001. Local Reasoning About Programs That Alter Data Structures. In Proceedings of the 15th International Workshop on Computer Science Logic (CSL ’01). Springer-Verlag, London, UK, UK, 1–19. http://dl.acm.org/citation.cfm?id=647851.737404Google Scholar
Digital Library
- Oleksii Oleksenko, Dmitrii Kuvaiskii, Pramod Bhatotia, Pascal Felber, and Christof Fetzer. 2018. Intel MPX Explained: A Cross-layer Analysis of the Intel MPX System Stack. Proc. ACM Meas. Anal. Comput. Syst. 2, 2, Article 28 (June 2018), 30 pages. Google Scholar
Digital Library
- Ruzica Piskac, Thomas Wies, and Damien Zufferey. 2013. Automating Separation Logic Using SMT. In Proceedings of the 25th International Conference on Computer Aided Verification - Volume 8044 (CAV 2013). Springer-Verlag New York, Inc., New York, NY, USA, 773–789. Google Scholar
Cross Ref
- Ruzica Piskac, Thomas Wies, and Damien Zufferey. 2014a. Automating Separation Logic with Trees and Data. In Computer Aided Verification, Armin Biere and Roderick Bloem (Eds.). Springer International Publishing, Cham, 711–728.Google Scholar
- Ruzica Piskac, Thomas Wies, and Damien Zufferey. 2014b. GRASShopper. In Tools and Algorithms for the Construction and Analysis of Systems, Erika Ábrahám and Klaus Havelund (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 124–139.Google Scholar
- John C. Reynolds. 2002. Separation Logic: A Logic for Shared Mutable Data Structures. In Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science (LICS ’02). IEEE Computer Society, Washington, DC, USA, 55–74. http: //dl.acm.org/citation.cfm?id=645683.664578Google Scholar
Digital Library
- Grigore Rosu, Wolfram Schulte, and Traian Florin Serbanuta. 2009. Runtime Verification of C Memory Safety. In Runtime Verification (RV’09) (Lecture Notes in Computer Science), Saddek Bensalem and Doron A. Peled (Eds.), Vol. 5779. 132–152.Google Scholar
- Safe-C. 2019. Safe C Library. https://rurban.github.io/safeclib/doc/safec- 3.4/index.html . Accessed: 2019-04-05.Google Scholar
- Mooly Sagiv, Thomas Reps, and Reinhard Wilhelm. 1999. Parametric Shape Analysis via 3-valued Logic. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’99). ACM, New York, NY, USA, 105–118. Google Scholar
Digital Library
- Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitry Vyukov. 2012. AddressSanitizer: A Fast Address Sanity Checker. In Proceedings of the 2012 USENIX Conference on Annual Technical Conference (USENIX ATC’12). USENIX Association, Berkeley, CA, USA, 28–28. http://dl.acm.org/citation.cfm?id=2342821.2342849Google Scholar
Digital Library
- Kostya Serebryany, Evgenii Stepanov, Aleksey Shlyapnikov, Vlad Tsyrklevich, and Dmitry Vyukov. 2018. Memory Tagging and how it improves C/C++ memory safety. CoRR abs/1802.09517 (2018). arXiv: 1802.09517 http://arxiv.org/abs/1802.09517Google Scholar
- Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. 2013. SoK: Eternal War in Memory. In Proceedings of the 2013 IEEE Symposium on Security and Privacy (SP ’13). IEEE Computer Society, Washington, DC, USA, 48–62. Google Scholar
Digital Library
- The Rust Team. 2019. The Rust programming language. https://www.rust- lang.org/Google Scholar
- Robert N. M. Watson, Jonathan Woodruff, Peter G. Neumann, Simon W. Moore, Jonathan Anderson, David Chisnall, Nirav Dave, Brooks Davis, Khilan Gudka, Ben Laurie, Steven J. Murdoch, Robert Norton, Michael Roe, Stacey Son, and Munraj Vadera. 2015. CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. In Proceedings of the 2015 IEEE Symposium on Security and Privacy (SP ’15). IEEE Computer Society, Washington, DC, USA, 20–37. Google Scholar
Digital Library
- Eran Yahav. 2001. Verifying Safety Properties of Concurrent Java Programs Using 3-valued Logic. In Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’01). ACM, New York, NY, USA, 27–40. Google Scholar
Digital Library
Index Terms
Deciding memory safety for single-pass heap-manipulating programs
Recommendations
Decidable verification of uninterpreted programs
We study the problem of completely automatically verifying uninterpreted programs—programs that work over arbitrary data models that provide an interpretation for the constants, functions and relations the program uses. The verification problem asks ...
Flow sensitive-insensitive pointer analysis based memory safety for multithreaded programs
ICCSA'11: Proceedings of the 2011 international conference on Computational science and Its applications - Volume Part VThe competency of pointer analysis is crucial for many compiler optimizations, transformations, and checks like memory safety. The potential interaction between threads in multithreaded programs complicates their pointer analysis and memory-safety ...
Precise and compact modular procedure summaries for heap manipulating programs
PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and ImplementationWe present a strictly bottom-up, summary-based, and precise heap analysis targeted for program verification that performs strong updates to heap locations at call sites. We first present a theory of heap decompositions that forms the basis of our ...






Comments