Arithmetic Strengthening for Shape Analysis

Shape analyses are often imprecise in their numerical reasoning, whereas numerical static analyses are often largely unaware of the shape of a program's heap. In this paper we propose a lazy method of combining a shape analysis based on separation logic with an arbitrary arithmetic analysis. When potentially spurious counterexamples are reported by our shape analysis, the method constructs a purely arithmetic program whose traces over-approximate the set of counterexample traces. It then uses this arithmetic program together with the arithmetic analysis to construct a refinement for the shape analysis. Our method is aimed at proving properties that require comprehensive reasoning about heaps together with more targeted arithmetic reasoning. Given a sufficient precondition, our technique can automatically prove memory safety of programs whose error-free operation depends on a combination of shape, size, and integer invariants. We have implemented our algorithm and tested it on a number of common list routines using a variety of arithmetic analysis tools for refinement.
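As an added illustration (not code from the paper or its implementation), here is a constructed list routine whose memory safety depends on shape, size and integer facts together, next to a bounded exploration of the purely arithmetic program obtained by summarising its heap as a length counter. `Node`, `build_and_walk` and `arith_counterexample` are assumed names; the exploration is bounded in `n`, where the paper's arithmetic analysis would prove the property for all `n`.

```python
# Added illustration, not the paper's implementation: a list routine whose
# safety needs shape ("x points to a list"), size (the list has n nodes) and
# integer (the counter k) facts together, and the purely arithmetic program
# obtained by replacing the heap with a length counter `ln`.

class Node:
    def __init__(self, nxt):
        self.next = nxt

def build_and_walk(n):
    """Constructed list routine: allocate n nodes, then follow `next` n times.
    The n-th dereference is safe only because the list has exactly n nodes."""
    x, k = None, 0
    while k < n:            # build: x is a list of k nodes
        x, k = Node(x), k + 1
    k = n
    while k > 0:            # walk: each step dereferences x
        if x is None:
            raise MemoryError("dereference of nil")   # the memory-safety bug
        x, k = x.next, k - 1
    return x is None

def arith_counterexample(n, keep_length):
    """Bounded exploration of the arithmetic program derived from
    build_and_walk: the heap is summarised by the integer `ln` (nodes
    reachable from x), so the traces of this program over-approximate the
    concrete ones.  keep_length=False models what a shape-only abstraction
    knows after the build loop ("x is a list of some length"): `ln` is
    chosen nondeterministically, which admits a spurious error trace.
    keep_length=True keeps `ln` exact, and no error trace exists.
    Returns the error trace as a list of (pc, ln, k) states, or None."""
    ln, k = 0, 0
    trace = []
    while k < n:                      # arithmetic image of the build loop
        ln, k = ln + 1, k + 1
        trace.append(("build", ln, k))
    # havoc ln if the length was lost; lengths 0..n suffice to expose it
    choices = [ln] if keep_length else range(n + 1)
    for ln0 in choices:
        ln, k, t = ln0, n, list(trace)
        while k > 0:
            t.append(("walk", ln, k))
            if ln == 0:               # image of "x == nil" at the dereference
                return t              # counterexample trace
            ln, k = ln - 1, k - 1
    return None
```

The spurious trace returned in the shape-only mode is the kind of counterexample the method hands to the arithmetic analysis; the exact-length mode shows the refinement it is asked to establish.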
