Many relational static analysis techniques for precise reasoning about heap contents perform an explicit case analysis of all possible heaps that can arise. We argue that such precise relational reasoning can be obtained in a more scalable and economical way by enforcing the memory invariant that every concrete memory location stores one unique value directly on the heap abstraction. Our technique combines the strengths of analyses for precise reasoning about heap contents with approaches that prioritize axiomatization of memory invariants, such as the theory of arrays. Furthermore, by avoiding an explicit case analysis, our technique is scalable and powerful enough to analyze real-world programs with intricate use of arrays and pointers; in particular, we verify the absence of buffer overruns, incorrect casts, and null pointer dereferences in OpenSSH (over 26,000 lines of code) after fixing 4 previously undiscovered bugs found by our system. Our experiments also show that the combination of reasoning about heap contents and enforcing existence and uniqueness invariants is crucial for this level of precision.