A relational approach to interprocedural shape analysis

This article addresses the verification of properties of imperative programs with recursive procedure calls, heap-allocated storage, and destructive updating of pointer-valued fields, that is, interprocedural shape analysis. The article makes three contributions.

— It introduces a new method for abstracting relations over memory configurations for use in abstract interpretation.

— It shows how this method furnishes the elements needed for a compositional approach to shape analysis. In particular, abstracted relations are used to represent the shape transformation performed by a sequence of operations, and an overapproximation to relational composition can be performed using the meet operation of the domain of abstracted relations.

— It applies these ideas in a new algorithm for context-sensitive interprocedural shape analysis. The algorithm creates procedure summaries using abstracted relations over memory configurations, and the meet-based composition operation provides a way to apply the summary transformer for a procedure P at each call site from which P is called. The algorithm has been applied successfully to establish properties of both (i) recursive programs that manipulate lists and (ii) recursive programs that manipulate binary trees.
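The meet-based composition of abstracted relations described above, as an added illustration that is not code from the paper or its implementation. The paper abstracts memory configurations with 3-valued-logic structures; the stand-ins here are assumptions chosen so that the scheme fits in a few lines: a state is a tuple of per-variable shape tags drawn from a constructed alphabet, the abstract domain is attribute-independent (one set of allowed (pre, post) value pairs per variable), and the two procedure summaries (`reverse_x_summary`, `append_summary`) are constructed relations, not results from the paper. What the code shows is the composition scheme itself: lift both abstracted relations to a three-vocabulary element (pre, mid, post), take the meet there, and project the middle vocabulary away. `is_sound` checks that the result concretizes to a superset of the exact relational composition, and the `append` case shows where precision is lost, because the attribute-independent abstraction forgets the correlation between `x` and `y`.

```python
"""Meet-based composition of abstracted relations (added illustration).

Assumptions, not from the paper: states are tuples of per-variable shape tags
over the constructed alphabet SHAPES, and the abstract domain keeps, for each
variable, only the set of (pre, post) tag pairs seen in the relation.
"""
from itertools import product

SHAPES = ("null", "acyclic", "cyclic")   # constructed per-variable shape tags
VARS = ("x", "y")                        # two pointer variables
STATES = list(product(SHAPES, repeat=len(VARS)))


def alpha(relation):
    """Abstract a set of (pre, post) state pairs attribute-independently:
    component i keeps only the (pre[i], post[i]) tag pairs that occur."""
    return tuple(frozenset((pre[i], post[i]) for pre, post in relation)
                 for i in range(len(VARS)))


def gamma(abs_rel):
    """Concretize: every (pre, post) pair allowed component-wise."""
    return {(pre, post) for pre in STATES for post in STATES
            if all((pre[i], post[i]) in abs_rel[i] for i in range(len(VARS)))}


def extend_left(abs_rel):
    """Lift (pre, post) to (pre, mid, post) with post unconstrained."""
    return tuple(frozenset((a, b, c) for (a, b) in comp for c in SHAPES)
                 for comp in abs_rel)


def extend_right(abs_rel):
    """Lift (pre, post) to (pre, mid, post) with pre unconstrained."""
    return tuple(frozenset((a, b, c) for (b, c) in comp for a in SHAPES)
                 for comp in abs_rel)


def meet(a, b):
    """Meet of the attribute-independent domain: component-wise intersection."""
    return tuple(ca & cb for ca, cb in zip(a, b))


def project_middle(abs3):
    """Existentially quantify the middle vocabulary away."""
    return tuple(frozenset((a, c) for (a, b, c) in comp) for comp in abs3)


def compose(first, second):
    """Over-approximate first;second by meet in the 3-vocabulary domain."""
    return project_middle(meet(extend_left(first), extend_right(second)))


def compose_concrete(r1, r2):
    """Exact relational composition of two sets of (pre, post) pairs."""
    return {(s, u) for (s, t) in r1 for (t2, u) in r2 if t == t2}


def reverse_x_summary():
    """Constructed summary: in-place reversal of x leaves both shapes as
    they were; a cyclic x does not terminate, so it has no post-state."""
    return {((sx, sy), (sx, sy)) for sx, sy in STATES if sx != "cyclic"}


def append_summary():
    """Constructed summary: append(x, y) makes x the concatenation and sets
    y to null; cyclic inputs diverge and contribute no pair."""
    rel = set()
    for sx, sy in product(("null", "acyclic"), repeat=2):
        post_x = "acyclic" if "acyclic" in (sx, sy) else "null"
        rel.add(((sx, sy), (post_x, "null")))
    return rel


def is_sound(r1, r2):
    """Exact composition must be contained in the concretized abstract one."""
    return compose_concrete(r1, r2) <= gamma(compose(alpha(r1), alpha(r2)))


if __name__ == "__main__":
    rev, app = reverse_x_summary(), append_summary()
    exact = compose_concrete(rev, app)
    approx = gamma(compose(alpha(rev), alpha(app)))
    print("sound:", exact <= approx)
    print("exact pairs:", len(exact), "abstract pairs:", len(approx))
    for extra in sorted(approx - exact):
        print("spurious:", extra)
```

Composing `reverse_x` with itself is exact under this domain because the summary constrains each variable independently, whereas `reverse_x;append` picks up two spurious pairs, such as pre `(null, null)` to post `(acyclic, null)`, which no run of the concrete composition produces. That is the trade the paper's third contribution relies on at call sites: applying a summary by meet is cheap and sound, and the precision depends entirely on how much of the inter-variable (or inter-cell) correlation the chosen relational abstraction can express.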
