Semantic-directed clumping of disjunctive abstract states

To infer complex structural invariants, shape analyses rely on expressive families of logical properties. Many such analyses manipulate abstract memory states that consist of separating conjunctions of basic predicates describing atomic blocks or summaries. Moreover, they use finite disjunctions of abstract memory states in order to account for dissimilar shapes. Disjunctions should be kept small for the sake of scalability, though precision often requires keeping additional case splits. In this context, deciding when and how to merge case splits and to replace them with summaries is critical both for precision and for efficiency. Existing techniques use sets of syntactic rules, which are tedious to design and prone to failure. In this paper, we design a semantic criterion to clump abstract states based on their silhouette, which applies not only to the conservative union of disjuncts, but also to the weakening of separating conjunctions of memory predicates into inductive summaries. Our approach allows us to define union and widening operators that aim at preserving the case splits that are required for the analysis to succeed. We implement this approach in the MemCAD analyzer, and evaluate it on real-world C code from existing libraries, including programs dealing with doubly linked lists, red-black trees and AVL trees.
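The following is an added, self-contained illustration of the clumping idea described above; it is not code from the paper or from the MemCAD analyzer. It models one disjunct as a separating conjunction of exact `next` cells and inductive list-segment summaries, and it assumes a deliberately simplified definition of a silhouette: the set of abstracted field paths between nodes held by program variables (and `null`), where any run of `next` cells or segments collapses to a single `next*`. Disjuncts with the same silhouette are clumped by a small join that weakens an exact cell into a segment when the other disjunct already summarises it; disjuncts with different silhouettes (for instance, a cursor that is `null` versus one inside the list) are kept as separate cases. The join and folding rules are toy versions written for this example, not the paper's operators.

```python
from collections import deque

CHAIN = ("next", "next*")   # an exact next cell, or a list-segment summary (written next*)


class State:
    """One disjunct: a separating conjunction of points-to cells and list-segment summaries."""

    def __init__(self, vars, pts=(), segs=()):
        self.vars = dict(vars)   # program variable -> node ("null" is the null node)
        self.pts = set(pts)      # (src, field, dst): exactly one heap cell
        self.segs = set(segs)    # (src, dst): summary of a (possibly empty) list segment

    def edges(self):
        return {(a, f, b) for a, f, b in self.pts} | {(a, "next*", b) for a, b in self.segs}


def abstract_word(word):
    """Collapse any run of next / next* labels into one next* (the assumed path abstraction)."""
    out = []
    for lab in word:
        lab = "next*" if lab in CHAIN else lab
        if not out or out[-1] != lab:
            out.append(lab)
    return tuple(out)


def silhouette(st):
    """Assumed silhouette: (x, y, abstracted path) for every variable-held node x reaching a
    variable-held node y (or null); an empty path records aliasing (x and y share a node)."""
    targets = dict(st.vars, null="null")
    edges, sil = st.edges(), set()
    for x, nx in st.vars.items():
        stack = [(nx, (), frozenset([nx]))]     # simple paths only: (node, path so far, visited)
        while stack:
            node, word, seen = stack.pop()
            for y, ny in targets.items():
                if node == ny and (word or y != x):
                    sil.add((x, y, abstract_word(word)))
            for a, lab, b in edges:
                if a == node and b not in seen:
                    stack.append((b, word + (lab,), seen | {b}))
    return frozenset(sil)


def fold(st):
    """Weaken a chain a -> b -> d into one segment a -> d whenever b is anonymous (held by no
    variable) and has no other incoming or outgoing cell; returns the mutated state."""
    while True:
        named, edges, step = set(st.vars.values()), st.edges(), None
        for a, l1, b in edges:
            if l1 not in CHAIN or b in named:
                continue
            ins = [e for e in edges if e[2] == b]
            outs = [e for e in edges if e[0] == b]
            if len(ins) == 1 and len(outs) == 1 and outs[0][1] in CHAIN:
                step = ((a, l1, b), outs[0])
                break
        if step is None:
            return st
        for a, l, b in step:
            (st.pts.discard((a, l, b)) if l == "next" else st.segs.discard((a, b)))
        st.segs.add((step[0][0], step[1][2]))


def canonical(st):
    """Rename nodes deterministically (BFS from sorted variables) so isomorphic states compare equal."""
    order, queue, edges = {}, deque(), sorted(st.edges())
    for x in sorted(st.vars):
        if st.vars[x] not in order:
            order[st.vars[x]] = len(order)
            queue.append(st.vars[x])
    while queue:
        n = queue.popleft()
        for a, _, b in edges:
            if a == n and b not in order:
                order[b] = len(order)
                queue.append(b)
    for a, _, b in edges:
        for n in (a, b):
            order.setdefault(n, len(order))
    r = lambda n: n if n == "null" else "n%d" % order[n]
    return (tuple(sorted((x, r(n)) for x, n in st.vars.items())),
            frozenset((r(a), f, r(b)) for a, f, b in st.pts),
            frozenset((r(a), r(b)) for a, b in st.segs))


def join(c1, c2):
    """Toy join of two canonical states: shared atoms are kept, an exact next cell on one side that
    the other side summarises as a segment is weakened to that segment; otherwise give up (None)."""
    if c1[0] != c2[0]:
        return None
    pts, segs = c1[1] & c2[1], set(c1[2] & c2[2])
    for a, f, b in c1[1] ^ c2[1]:
        if f == "next" and ((a, b) in c1[2] or (a, b) in c2[2]):
            segs.add((a, b))
        else:
            return None
    if any((a, b) not in segs for a, b in c1[2] ^ c2[2]):
        return None
    return (c1[0], frozenset(pts), frozenset(segs))


def clump(disjuncts):
    """Semantic clumping: fold, group by silhouette, join inside a group, keep other groups apart."""
    groups = {}
    for st in disjuncts:
        groups.setdefault(silhouette(fold(st)), []).append(canonical(st))
    result = []
    for cands in groups.values():
        merged = []
        for c in cands:
            for i, m in enumerate(merged):
                j = join(m, c)
                if j is not None:
                    merged[i] = j
                    break
            else:
                merged.append(c)
        result.extend(merged)
    return result


def sample_disjuncts():
    """Constructed cases of a loop walking cursor y over list x (example data, not from the paper)."""
    return [
        State({"x": "null", "y": "null"}),                                            # empty list
        State({"x": "n1", "y": "n1"}, pts=[("n1", "next", "null")]),                 # y at the head
        State({"x": "n1", "y": "n2"}, pts=[("n1", "next", "n2"), ("n2", "next", "null")]),
        State({"x": "n1", "y": "n3"}, pts=[("n1", "next", "n2"), ("n2", "next", "n3")],
              segs=[("n3", "null")]),                                                 # y two cells in
        State({"x": "n1", "y": "null"}, segs=[("n1", "null")]),                       # y ran off the end
    ]


def demo():
    return clump(sample_disjuncts())


if __name__ == "__main__":
    for c in demo():
        print(c)
```

Running the block clumps the five constructed disjuncts into four: the two states in which `y` sits strictly inside the list have the same silhouette and are joined into one state made of two segments, while the empty-list, head and end-of-list cases keep distinct silhouettes and therefore survive as separate case splits.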
