Template-Based Verification of Heap-Manipulating Programs

We propose a shape analysis suitable for analysis engines that perform automatic invariant inference using an SMT solver. The proposed solution includes an abstract template domain that encodes the shape of the program heap based on logical formulae over bit-vectors. It is based on computing a points-to relation between pointers and symbolic addresses of abstract memory objects. Our abstract heap domain can be combined with value domains in a straightforward manner, which in particular allows us to reason about shapes and contents of heap structures at the same time. The information obtained from the analysis can be used to prove memory safety and reachability properties, expressed by user assertions, of programs manipulating dynamic data structures, mainly linked lists. The solution has been implemented in the 2LS framework and compared against state-of-the-art tools that perform the best in heap-related categories of the well-known Software Verification Competition (SV-COMP). Results show that 2LS outperforms these tools on benchmarks requiring combined reasoning about unbounded data structures and their numerical contents.
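To make the idea of a points-to relation between pointers and abstract memory objects concrete, the following added Python example (not code from the paper or from 2LS, and much simpler than the bit-vector template domain it describes) runs a toy abstract interpreter over a small linked-list program. Each malloc site yields one abstract object summarising every node allocated there, pointer variables map to sets of objects or NULL, object fields are updated weakly, loops are iterated to a fixpoint by joining states, and every dereference through a pointer that may be NULL is reported as a memory-safety warning. The statement encoding (`alloc`, `store`, `load`, `assume_nonnull`, `loop`, ...) and the object name `obj@malloc1` are assumptions made for this illustration.

```python
"""Toy points-to shape domain for linked-list programs (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

NULL = "NULL"                    # abstract target standing for the null pointer
Targets = FrozenSet[str]


@dataclass
class AbstractHeap:
    # variable -> set of abstract objects (or NULL) it may point to
    vars: Dict[str, Targets] = field(default_factory=dict)
    # (abstract object, field name) -> set of targets that field may hold
    fields: Dict[Tuple[str, str], Targets] = field(default_factory=dict)

    def copy(self) -> "AbstractHeap":
        return AbstractHeap(dict(self.vars), dict(self.fields))

    def join(self, other: "AbstractHeap") -> "AbstractHeap":
        """Least upper bound: pointwise union of all points-to sets."""
        out = self.copy()
        for k, v in other.vars.items():
            out.vars[k] = out.vars.get(k, frozenset()) | v
        for k, v in other.fields.items():
            out.fields[k] = out.fields.get(k, frozenset()) | v
        return out


def targets_of(heap: AbstractHeap, var: str) -> Targets:
    return heap.vars.get(var, frozenset())


def warn(warnings: List[str], msg: str) -> None:
    if msg not in warnings:          # loop iterations may repeat a warning
        warnings.append(msg)


def deref(heap: AbstractHeap, var: str, loc: str, warnings: List[str]) -> Targets:
    """Objects reached by dereferencing var; reports unsafe dereferences."""
    if var not in heap.vars:
        warn(warnings, f"{loc}: dereference of unassigned pointer {var}")
        return frozenset()
    t = heap.vars[var]
    if NULL in t:
        warn(warnings, f"{loc}: possible NULL dereference of {var}")
    return t - {NULL}


def run(stmts, heap: AbstractHeap, warnings: List[str], prefix: str = "") -> AbstractHeap:
    for i, st in enumerate(stmts):
        loc, op = f"{prefix}{i}", st[0]
        if op == "null":                       # v = NULL
            heap.vars[st[1]] = frozenset({NULL})
        elif op == "alloc":                    # v = malloc(): one object per site
            heap.vars[st[1]] = frozenset({st[2]})
        elif op == "copy":                     # v = w  (strong update on variables)
            heap.vars[st[1]] = targets_of(heap, st[2])
        elif op == "assume_nonnull":           # branch condition v != NULL
            heap.vars[st[1]] = targets_of(heap, st[1]) - {NULL}
        elif op == "assume_null":              # branch condition v == NULL
            heap.vars[st[1]] = targets_of(heap, st[1]) & {NULL}
        elif op == "load":                     # v = w->f
            _, dst, src, f = st
            objs = deref(heap, src, loc, warnings)
            heap.vars[dst] = frozenset().union(
                *(heap.fields.get((o, f), frozenset()) for o in objs))
        elif op == "store":                    # w->f = v  (weak update: summary objects)
            _, dst, f, src = st
            for o in deref(heap, dst, loc, warnings):
                heap.fields[(o, f)] = heap.fields.get((o, f), frozenset()) | targets_of(heap, src)
        elif op == "loop":                     # iterate body until the joined state is stable
            state = heap.copy()
            while True:
                body = state.copy()
                run(st[1], body, warnings, prefix=f"{loc}.")
                new = state.join(body)
                if new == state:
                    break
                state = new
            heap.vars, heap.fields = state.vars, state.fields
        else:
            raise ValueError(f"unknown statement {op}")
    return heap


def analyse(program) -> Tuple[AbstractHeap, List[str]]:
    warnings: List[str] = []
    return run(program, AbstractHeap(), warnings), warnings


# Constructed program: build an unbounded list in a loop, then walk it
# under a `while (p != NULL)` guard.
BUILD_AND_WALK = [
    ("null", "list"),
    ("loop", [("alloc", "node", "obj@malloc1"),
              ("store", "node", "next", "list"),
              ("copy", "list", "node")]),
    ("copy", "p", "list"),
    ("loop", [("assume_nonnull", "p"), ("load", "p", "p", "next")]),
    ("assume_null", "p"),
]

# Constructed program: one node, then two unguarded p = p->next steps.
UNGUARDED_WALK = [
    ("null", "list"),
    ("alloc", "node", "obj@malloc1"),
    ("store", "node", "next", "list"),
    ("copy", "list", "node"),
    ("copy", "p", "list"),
    ("load", "p", "p", "next"),
    ("load", "p", "p", "next"),      # p may be NULL here
]

if __name__ == "__main__":
    for name, prog in (("guarded", BUILD_AND_WALK), ("unguarded", UNGUARDED_WALK)):
        heap, warns = analyse(prog)
        print(name, dict(heap.vars), dict(heap.fields), warns)
```

The guarded program converges to `list -> {NULL, obj@malloc1}` with `obj@malloc1.next -> {NULL, obj@malloc1}`, i.e. the invariant of an acyclic-or-cyclic list over one summary object, and produces no warning because the assumption removes NULL before each dereference; the unguarded program is flagged at its second load. A value domain would attach numerical facts to the same abstract objects, which is the combination the paper relies on.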
