Practical Shape Analysis

Shape analysis is a program analysis technique used to prove that imperative programs using manual memory management will not crash. In the past, shape analysis has been applied to data structures like linked lists and binary trees. It has also been used on simplified versions of Windows device drivers. We describe techniques that allow us to apply shape analysis to data structures that occur commonly in systems code. These data structures often use arrays, hash tables, C strings, and buffers of a known size. Sometimes, memory in these data structures is managed by manual reference counting. Analyzing such code is difficult or impossible with existing shape analyses. Most difficult of all, many data structures use several of these patterns at the same time, such as a hash table pointing to reference counted objects through which a doubly linked list threads. We describe an analysis capable of handling these data structures easily and efficiently. Our technique uses abstract interpretation over the combination of two abstract domains. One, based on three-valued logic, is used for analyzing the heap. The other domain reasons about integers and set cardinality. The key feature of the combined domain is that quantified facts can be shared between the integer and heap domains. The precision we achieve is significantly greater than if either domain were used independently. Besides improvements in precision, we also describe changes that make both domains more scalable and efficient. We present the results of experiments analyzing the cache data structure of the thttpd web server, which uses a hash table, linked lists, and reference counting in a single data structure. We successfully prove the absence of memory errors in about two minutes.

[1]  Roman Manevich,et al.  Shape Analysis by Graph Decomposition , 2007, TACAS.

[2]  Reinhard Wilhelm,et al.  A semantics for procedure local heaps and its abstractions , 2005, POPL '05.

[3]  Alain Deutsch,et al.  On determining lifetime and aliasing of dynamically allocated data in higher-order functional specifications , 1989, POPL '90.

[4]  Bertrand Jeannet,et al.  A Relational Approach to Interprocedural Shape Analysis , 2004, SAS.

[5]  Sumit Gulwani,et al.  A combination framework for tracking partition sizes , 2009, POPL '09.

[6]  Reinhard Wilhelm,et al.  Logical characterizations of heap abstractions , 2003, TOCL.

[7]  Thomas W. Reps,et al.  Symbolically Computing Most-Precise Abstract Operations for Shape Analysis , 2004, TACAS.

[8]  Edmund M. Clarke,et al.  Arithmetic Strengthening for Shape Analysis , 2007, SAS.

[9]  Peter W. O'Hearn,et al.  Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic , 2006, SAS.

[10]  Peter W. O'Hearn,et al.  A Local Shape Analysis Based on Separation Logic , 2006, TACAS.

[11]  Pascal Van Hentenryck,et al.  Combinations of abstract domains for logic programming: open product and generic pattern construction , 2000, Sci. Comput. Program..

[12]  Thomas W. Reps,et al.  Numeric Domains with Summarized Dimensions , 2004, TACAS.

[13]  Pascal Van Hentenryck,et al.  Combinations of abstract domains for logic programming , 1994, POPL '94.

[14]  Thomas W. Reps,et al.  Revamping TVLA: Making Parametric Shape Analysis Competitive , 2007, CAV.

[15]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, SIGP.

[16]  Bor-Yuh Evan Chang,et al.  Relational inductive shape analysis , 2008, POPL '08.

[17]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[18]  Peter Lee,et al.  THOR: A Tool for Reasoning about Shape and Arithmetic , 2008, CAV.

[19]  Peter W. O'Hearn,et al.  Scalable Shape Analysis for Systems Code , 2008, CAV.

[20]  Shuvendu K. Lahiri,et al.  Back to the future: revisiting precise program verification using SMT solvers , 2008, POPL '08.

[21]  Anders Møller,et al.  The Pointer Assertion Logic Engine , 2000 .

[22]  Nicolas Halbwachs,et al.  Discovering properties about arrays in simple programs , 2008, PLDI '08.

[23]  Viktor Kuncak,et al.  Full functional verification of linked data structures , 2008, PLDI '08.

[24]  Peter W. O'Hearn,et al.  Shape Analysis for Composite Data Structures , 2007, CAV.

[25]  Roman Manevich,et al.  Partially Disjunctive Heap Abstraction , 2004, SAS.

[26]  Arnaud Venet,et al.  Automatic Analysis of Pointer Aliasing for Untyped Programs , 1999, Sci. Comput. Program..

[27]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[28]  Ahmed Bouajjani,et al.  Programs with lists are counter automata , 2011, Formal Methods Syst. Des..

[29]  Peter W. O'Hearn,et al.  Symbolic Execution with Separation Logic , 2005, APLAS.

[30]  George C. Necula,et al.  Dependent Types for Low-Level Programming , 2007, ESOP.

[31]  Thomas W. Reps,et al.  Finite differencing of logical formulas for static analysis , 2010, TOPL.

[32]  Michael Rodeh,et al.  CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[33]  Antoine Miné,et al.  A New Numerical Abstract Domain Based on Difference-Bound Matrices , 2001, PADO.

[34]  Eddie Kohler,et al.  Verifying Reference Counting Implementations , 2009, TACAS.

[35]  Reinhard Wilhelm,et al.  Solving shape-analysis problems in languages with destructive updating , 1998, TOPL.

[36]  George C. Necula,et al.  Data Structure Specifications via Local Equality Axioms , 2005, CAV.

[37]  Philippe Granger,et al.  Improving the Results of Static Analyses Programs by Local Decreasing Iteration , 1992, FSTTCS.

[38]  Thomas W. Reps,et al.  A framework for numeric analysis of array operations , 2005, POPL '05.

[39]  Alain Deutsch,et al.  Interprocedural may-alias analysis for pointers: beyond k-limiting , 1994, PLDI '94.

[40]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[41]  Nils Klarlund,et al.  MONA: Monadic Second-Order Logic in Practice , 1995 .

[42]  Viktor Kuncak,et al.  An integrated proof language for imperative programs , 2009, PLDI '09.

[43]  Eran Yahav,et al.  Interprocedural Shape Analysis for Cutpoint-Free Programs , 2005, SAS.

[44]  François Bourdoncle,et al.  Efficient chaotic iteration strategies with widenings , 1993, Formal Methods in Programming and Their Applications.

[45]  Roberto Bagnara,et al.  The Parma Polyhedra Library: Toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems , 2006, Sci. Comput. Program..

[46]  Gilad Arnold Specialized 3-Valued Logic Shape Analysis Using Structure-Based Refinement and Loose Embedding , 2006, SAS.

[47]  Tevfik Bultan,et al.  Automated Verification of Concurrent Linked Lists with Counters , 2002, SAS.

[48]  Adam Chlipala,et al.  Effective interactive proofs for higher-order imperative programs , 2009, ICFP.

[49]  Radu Rugina Shape Analysis Quantitative Shape Analysis , 2004, SAS.