Pointer Analysis, Conditional Soundness, and Proving the Absence of Errors

It is well known that the use of points-to information can substantially improve the accuracy of a static program analysis. Commonly used algorithms for computing points-to information are known to be sound only for memory-safe programs. Thus, it appears problematic to utilize points-to information to verify the memory safety property without giving up soundness. We show that a sound combination is possible, even if the points-to information is computed separately and only conditionally sound. This result is based on a refined statement of the soundness conditions of points-to analyses and a general mechanism for composing conditionally sound analyses.
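As an added illustration, not code from the paper, the following toy Andersen-style points-to solver and a memory-safety check that consumes its results show the dependency the abstract describes: the statement language, the distinguished NULL object and the program are all constructed for this example, and the points-to sets the solver returns are only meaningful on memory-safe executions, which is the conditional soundness the paper addresses.

```python
from collections import defaultdict

NULL = "NULL"  # distinguished object standing for the null pointer

def andersen(stmts):
    """Flow-insensitive, inclusion-based (Andersen-style) points-to analysis
    over a toy pointer language (statement forms constructed for this example):
      ("addr", p, x)  p = &x    ("copy", p, q)  p = q    ("null", p, None)  p = NULL
      ("load", p, q)  p = *q    ("store", p, q) *p = q
    Returns pts: variable -> set of objects it may point to.  Caveat: the sets
    over-approximate run-time behaviour only on memory-safe executions; an
    out-of-bounds write that clobbers a pointer is not modelled at all."""
    pts = defaultdict(set)
    changed = True
    while changed:                       # iterate the constraints to a fixpoint
        changed = False
        for kind, a, b in stmts:
            if kind == "addr":    new, targets = {b}, [a]
            elif kind == "null":  new, targets = {NULL}, [a]
            elif kind == "copy":  new, targets = set(pts[b]), [a]
            elif kind == "load":         # a ⊇ pts(o) for every object o in pts(b)
                new = set().union(*(pts[o] for o in pts[b] if o != NULL))
                targets = [a]
            elif kind == "store":        # o ⊇ pts(b) for every object o in pts(a)
                new, targets = set(pts[b]), [o for o in pts[a] if o != NULL]
            for t in targets:
                if not new <= pts[t]:
                    pts[t] |= new
                    changed = True
    return {v: frozenset(s) for v, s in pts.items()}

def unsafe_derefs(stmts, pts):
    """Memory-safety check that consumes the points-to facts: a load or store
    through p is flagged when p may be NULL or has no known target (e.g. an
    uninitialised pointer).  Returns the indices of the flagged statements."""
    flagged = []
    for i, (kind, a, b) in enumerate(stmts):
        ptr = b if kind == "load" else a if kind == "store" else None
        if ptr is not None and (not pts.get(ptr) or NULL in pts[ptr]):
            flagged.append(i)
    return flagged

PROGRAM = [                 # constructed toy program
    ("addr", "p", "x"),     # 0: p = &x
    ("addr", "q", "y"),     # 1: q = &y
    ("store", "p", "q"),    # 2: *p = q   -> x may point to y
    ("load", "r", "p"),     # 3: r = *p   -> r may point to y
    ("null", "s", None),    # 4: s = NULL
    ("load", "t", "s"),     # 5: t = *s   -> flagged: s may be NULL
    ("load", "w", "v"),     # 6: w = *v   -> flagged: v has no known target
]
```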
