Fluid Updates: Beyond Strong vs. Weak Updates

We describe a symbolic heap abstraction that unifies reasoning about arrays, pointers, and scalars, and we define a fluid update operation on this symbolic heap that relaxes the dichotomy between strong and weak updates. Our technique is fully automatic, does not suffer from the kind of state-space explosion problem partition-based approaches are prone to, and can naturally express properties that hold for non-contiguous array elements. We demonstrate the effectiveness of this technique by evaluating it on challenging array benchmarks and by automatically verifying buffer accesses and dereferences in five Unix Coreutils applications with no annotations or false alarms.
