Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic

Previous shape analysis algorithms use a memory model where the heap is composed of discrete nodes that can be accessed only via access paths built from variables and field names, an assumption that is violated by pointer arithmetic. In this paper we show how this assumption can be removed, and pointer arithmetic embraced, by using an analysis based on separation logic. We describe an abstract domain whose elements are certain separation logic formulae, and an abstraction mechanism that automatically transits between a low-level RAM view of memory and a higher, fictional, view that abstracts from the representation of nodes and multiword linked-lists as certain configurations of the RAM. A widening operator is used to accelerate the analysis. We report experimental results obtained from running our analysis on a number of classic algorithms for dynamic memory management.

[1]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 2002, TOPL.

[2]  Amir Pnueli,et al.  Shape Analysis by Predicate Abstraction , 2005, VMCAI.

[3]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[4]  W. T. Comfort Multiword list items , 1964, CACM.

[5]  Akinori Yonezawa,et al.  Formal Verification of the Heap Manager of an Operating System Using Separation Logic , 2006, ICFEM.

[6]  Peter W. O'Hearn,et al.  A Local Shape Analysis Based on Separation Logic , 2006, TACAS.

[7]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[8]  Roman Manevich,et al.  Partially Disjunctive Heap Abstraction , 2004, SAS.

[9]  Patrick Cousot,et al.  Abstract Interpretation Frameworks , 1992, J. Log. Comput..

[10]  Peter W. O'Hearn,et al.  Smallfoot: Modular Automatic Assertion Checking with Separation Logic , 2005, FMCO.

[11]  Thomas W. Reps,et al.  Recency-Abstraction for Heap-Allocated Storage , 2006, SAS.

[12]  Thomas W. Reps,et al.  Intermediate-representation recovery from low-level code , 2006, PEPM '06.

[13]  Ahmed Bouajjani,et al.  Verifying Programs with Dynamic 1-Selector-Linked Structures in Regular Model Checking , 2005, TACAS.

[14]  Nicolas Halbwachs,et al.  Automatic discovery of linear restraints among variables of a program , 1978, POPL.

[15]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[16]  Donald E. Knuth,et al.  The Art of Computer Programming, Volume I: Fundamental Algorithms, 2nd Edition , 1997 .

[17]  Eran Yahav,et al.  Predicate Abstraction and Canonical Abstraction for Singly-Linked Lists , 2005, VMCAI.

[18]  Peter W. O'Hearn,et al.  Automatic Termination Proofs for Programs with Shape-Shifting Heaps , 2006, CAV.

[19]  Patrick Cousot,et al.  The ASTREÉ Analyzer , 2005, ESOP.

[20]  Reinhard Wilhelm,et al.  Solving shape-analysis problems in languages with destructive updating , 1998, TOPL.

[21]  Rajeev Alur,et al.  A Temporal Logic of Nested Calls and Returns , 2004, TACAS.

[22]  Brian W. Kernighan,et al.  The C Programming Language , 1978 .

[23]  E. Clarke,et al.  Inferring Invariants in Separation Logic for Imperative List-processing Programs , 2005 .

[24]  Kousha Etessami,et al.  Verifying Probabilistic Procedural Programs , 2004, FSTTCS.

[25]  Donald E. Knuth,et al.  The Art of Computer Programming: Volume IV: Fascicle 2: Generating All Tuples and Permutations , 2005 .

[26]  Bjarne Stroustrup,et al.  The C++ programming language (2nd ed.) , 1991 .

[27]  Peter W. O'Hearn,et al.  Symbolic Execution with Separation Logic , 2005, APLAS.

[28]  Hongseok Yang,et al.  Automatic Verification of Pointer Programs Using Grammar-Based Shape Analysis , 2005, ESOP.

[29]  Frank D. Valencia,et al.  Formal Methods for Components and Objects , 2002, Lecture Notes in Computer Science.

[30]  Mark N. Wegman,et al.  Analysis of pointers and structures , 1990, SIGP.

[31]  Zhong Shao,et al.  Building certified libraries for PCC: dynamic storage allocation , 2004, Sci. Comput. Program..

[32]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[33]  Joost-Pieter Katoen,et al.  Who is Pointing When to Whom? , 2004, FSTTCS.

[34]  Martin C. Rinard,et al.  Symbolic bounds analysis of pointers, array indices, and accessed memory regions , 2005, TOPL.

[35]  Alexey Gotsman,et al.  Interprocedural Shape Analysis with Separated Heap Abstractions , 2006, SAS.

[36]  Joost-Pieter Katoen,et al.  Who is Pointing When to Whom? On the Automated Verification of Linked List Structures , 2004 .

[37]  Michael Rodeh,et al.  CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[38]  Donald Ervin Knuth,et al.  The Art of Computer Programming , 1968 .

[39]  Kousha Etessami,et al.  Analysis of Recursive Game Graphs Using Data Flow Equations , 2004, VMCAI.