Scalable Shape Analysis for Systems Code

Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalability and precision provided by existing tools. In this paper we report on a new join operation ${\sqcup\dagger}$ for the separation domain which aggressively abstracts information for scalability yet does not lead to false error reports. ${\sqcup\dagger}$ is a critical piece of a new shape analysis tool that provides an acceptable mixture of scalability and precision for industrial application. Experiments on whole Windows and Linux device drivers (firewire, pci-driver, cdrom, md, etc.) represent the first working application of shape analysis to verification of whole industrial programs.
