An abstract memory functor for verified C static analyzers

Abstract interpretation provides advanced techniques for inferring numerical invariants on programs, and there is an abundant literature on numerical abstract domains that operate on scalar variables. This work lifts these techniques to a realistic C memory model. We present an abstract memory functor that takes as argument any standard numerical abstract domain and builds a memory abstract domain that tracks properties of memory contents at a fine granularity, taking into account union types, pointer arithmetic and type casts. The functor is implemented and verified inside the Coq proof assistant with respect to the CompCert compiler memory model. Using the Coq extraction mechanism, it is fully executable and is used by the Verasco C static analyzer.
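To make the shape of such a functor concrete, the following is an added toy model written for this page; it is not the paper's Coq development, not Verasco code, and far less precise than the real thing. It assumes a byte-addressed memory of named blocks (a stand-in for the CompCert memory model) and takes an interval domain as the numerical parameter; the cell layout, the `Interval`, `Ptr`, `make_memory_domain` names and the three constructed C scenarios are all assumptions of this illustration. The point it demonstrates is why a memory domain needs to know about overlapping byte ranges: a write through one union member must kill knowledge of the other, a read at a different size than the write (a type cast) must be over-approximated, and pointer arithmetic is tracked as an abstract offset inside a block.

```python
"""Toy model of an abstract memory functor (illustration only, not Verasco's
Coq code): given a numerical abstract domain, build a memory abstract domain
over byte-addressed cells that stays sound under union overlap, pointer
arithmetic and differently-sized (cast) accesses."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INF = float("inf")


@dataclass(frozen=True)
class Interval:
    """Numerical domain passed as the functor argument: closed intervals."""
    lo: float
    hi: float

    @staticmethod
    def top() -> "Interval":
        return Interval(-INF, INF)

    @staticmethod
    def const(n: int) -> "Interval":
        return Interval(n, n)

    def join(self, o: "Interval") -> "Interval":
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def add(self, o: "Interval") -> "Interval":
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def singleton(self) -> Optional[int]:
        return int(self.lo) if self.lo == self.hi else None


@dataclass(frozen=True)
class Ptr:
    """Abstract pointer: a block name plus an abstract byte offset."""
    block: str
    off: Interval


Cell = Tuple[str, int, int]  # (block, byte offset, size in bytes); assumed layout


def make_memory_domain(Num):
    """The functor: build a memory domain from any numeric domain `Num`
    offering top(), const(), join() and add()."""

    class Memory:
        def __init__(self, cells: Optional[Dict[Cell, object]] = None):
            # A cell records what is known about exactly those bytes;
            # any byte range with no cell is top (unknown).
            self.cells: Dict[Cell, object] = dict(cells or {})

        def store(self, block: str, off: int, size: int, val) -> "Memory":
            # A write kills every cell whose byte range overlaps the written
            # range (this is what keeps union members and byte writes through
            # casts sound), then records the new cell.
            keep = {c: v for c, v in self.cells.items()
                    if not (c[0] == block and c[1] < off + size and off < c[1] + c[2])}
            keep[(block, off, size)] = val
            return Memory(keep)

        def load(self, block: str, off: int, size: int):
            # Only an exact-match cell is known; a read of another size
            # (e.g. reading an int as a char) is over-approximated to top.
            return self.cells.get((block, off, size), Num.top())

        def load_ptr(self, p: Ptr, size: int):
            # A read through a pointer is precise only for a concrete offset.
            o = p.off.singleton()
            return Num.top() if o is None else self.load(p.block, o, size)

        @staticmethod
        def ptr_add(p: Ptr, delta) -> Ptr:
            # Pointer arithmetic stays inside the block; the offset lives in
            # the numeric domain.
            return Ptr(p.block, p.off.add(delta))

        def join(self, other: "Memory") -> "Memory":
            # Control-flow join: keep only cells known on both paths and join
            # their values; pointers into different blocks collapse to top.
            out = {}
            for c, v in self.cells.items():
                w = other.cells.get(c)
                if isinstance(v, Ptr) and isinstance(w, Ptr) and v.block == w.block:
                    out[c] = Ptr(v.block, v.off.join(w.off))
                elif isinstance(v, Num) and isinstance(w, Num):
                    out[c] = v.join(w)
            return Memory(out)

    return Memory


Mem = make_memory_domain(Interval)


def union_overwrite():
    """union { int i; char c[4]; } u; u.i = 5; u.c[1] = 7;  (constructed)"""
    m = Mem().store("u", 0, 4, Interval.const(5)).store("u", 1, 1, Interval.const(7))
    return m.load("u", 0, 4), m.load("u", 1, 1)  # u.i is now unknown, u.c[1] is 7


def pointer_walk():
    """int a[4]; a[2] = 42; char *p = (char *)a; *(int *)(p + 8)  (constructed)"""
    m = Mem().store("a", 8, 4, Interval.const(42))
    p = Mem.ptr_add(Ptr("a", Interval.const(0)), Interval.const(8))
    return m.load_ptr(p, 4)


def branch_join():
    """if (c) { x = 1; y = 9; } else { x = 3; }  then read x, y  (constructed)"""
    left = Mem().store("x", 0, 4, Interval.const(1)).store("y", 0, 4, Interval.const(9))
    right = Mem().store("x", 0, 4, Interval.const(3))
    m = left.join(right)
    return m.load("x", 0, 4), m.load("y", 0, 4)
```

The domain is parametric in `Num` only through `top`, `const`, `join` and `add`, so swapping the intervals for a congruence or octagon-style domain would change nothing in `Memory`; that separation is the sense in which the construction is a functor. The toy also shows where a verified version has to carry proofs: every `store` must preserve soundness for the cells it keeps, and `join` must over-approximate both incoming states.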
