Byte-Precise Verification of Low-Level List Manipulation

We propose a new approach to shape analysis of programs with linked lists that use low-level memory operations. Such operations include pointer arithmetic, safe usage of invalid pointers, block operations with memory, reinterpretation of the memory contents, address alignment, etc. Our approach is based on a new representation of sets of heaps, which is to some degree inspired by works on separation logic with higher-order list predicates, but it is graph-based and uses a more fine-grained (byte-precise) memory model in order to support the various low-level memory operations. The approach was implemented in the Predator tool and successfully validated on multiple non-trivial case studies that are beyond the capabilities of other current fully automated shape analysis tools.
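The low-level operations the abstract lists (pointer arithmetic to recover a node from an embedded link, a block copy of a node with memcpy, address alignment checks, and a list head that is not a real node) in one constructed C example. This is added illustration, not code from the paper or from the Predator tool; all names and the `container_of` macro are assumptions of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Intrusive list: the link lives inside the payload struct, so traversal
 * recovers the enclosing node by pointer arithmetic. The head is a bare
 * link with no enclosing node, which is why a byte-precise memory model is
 * needed: computing container_of(head) would point outside any object. */
struct link { struct link *next, *prev; };
struct node { int value; char tag[8]; struct link lnk; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_init(struct link *h) { h->next = h->prev = h; }
static void list_add_tail(struct link *h, struct link *n) {
    n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}
static void list_del(struct link *n) {
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = n->prev = NULL;           /* leave no dangling links behind */
}

/* Sum payloads; the head link is skipped so its non-existent container is
 * never computed, and each recovered node is checked for alignment. */
int list_sum(struct link *h) {
    int s = 0;
    for (struct link *p = h->next; p != h; p = p->next) {
        struct node *n = container_of(p, struct node, lnk);
        assert((uintptr_t)n % _Alignof(struct node) == 0);
        s += n->value;
    }
    return s;
}

/* Builds a three-node list; node c is created by a byte-wise block copy of
 * b, so its link fields alias b's until list_add_tail overwrites them. */
int build_and_check(void) {
    struct link head; list_init(&head);
    struct node *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    a->value = 10; b->value = 32;
    list_add_tail(&head, &a->lnk); list_add_tail(&head, &b->lnk);
    struct node *c = malloc(sizeof *c);
    memcpy(c, b, sizeof *c);            /* block operation on raw bytes */
    c->value = 100;
    list_add_tail(&head, &c->lnk);      /* re-links the copied node */
    int sum = list_sum(&head);          /* 10 + 32 + 100 */
    list_del(&a->lnk); list_del(&b->lnk); list_del(&c->lnk);
    free(a); free(b); free(c);
    return sum;
}
```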
