Beyond reachability: shape abstraction in the presence of pointer arithmetic

Authors:
Cristiano Calcagno;Dino Distefano;Peter W. O'Hearn;Hongseok Yang
Affiliations:
Imperial College, London;Queen Mary, University of London;Queen Mary, University of London;Seoul National University
Venue:
SAS'06 Proceedings of the 13th international conference on Static Analysis
Year:
2006

Citing 25
Cited 20

Analysis of pointers and structures

PLDI '90 Proceedings of the ACM SIGPLAN 1990 conference on Programming language design and implementation
Solving shape-analysis problems in languages with destructive updating

ACM Transactions on Programming Languages and Systems (TOPLAS)
Multiword list items

Communications of the ACM
Automatic discovery of linear restraints among variables of a program

POPL '78 Proceedings of the 5th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints

POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Parametric shape analysis via 3-valued logic

ACM Transactions on Programming Languages and Systems (TOPLAS)
Systematic design of program analysis frameworks

POPL '79 Proceedings of the 6th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
The C Programming Language

The C Programming Language
Separation Logic: A Logic for Shared Mutable Data Structures

LICS '02 Proceedings of the 17th Annual IEEE Symposium on Logic in Computer Science
CSSV: towards a realistic tool for statically detecting all buffer overflows in C

PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
Symbolic bounds analysis of pointers, array indices, and accessed memory regions

ACM Transactions on Programming Languages and Systems (TOPLAS)
Intermediate-representation recovery from low-level code

Proceedings of the 2006 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation
Building certified libraries for PCC: dynamic storage allocation

ESOP'03 Proceedings of the 12th European conference on Programming
Smallfoot: modular automatic assertion checking with separation logic

FMCO'05 Proceedings of the 4th international conference on Formal Methods for Components and Objects
Recency-Abstraction for heap-allocated storage

SAS'06 Proceedings of the 13th international conference on Static Analysis
Interprocedural shape analysis with separated heap abstractions

SAS'06 Proceedings of the 13th international conference on Static Analysis
Symbolic execution with separation logic

APLAS'05 Proceedings of the Third Asian conference on Programming Languages and Systems
Shape analysis by predicate abstraction

VMCAI'05 Proceedings of the 6th international conference on Verification, Model Checking, and Abstract Interpretation
Predicate abstraction and canonical abstraction for singly-linked lists

VMCAI'05 Proceedings of the 6th international conference on Verification, Model Checking, and Abstract Interpretation
Automatic termination proofs for programs with shape-shifting heaps

CAV'06 Proceedings of the 18th international conference on Computer Aided Verification
Verifying programs with dynamic 1-selector-linked structures in regular model checking

TACAS'05 Proceedings of the 11th international conference on Tools and Algorithms for the Construction and Analysis of Systems
The ASTREÉ analyzer

ESOP'05 Proceedings of the 14th European conference on Programming Languages and Systems
Automatic verification of pointer programs using grammar-based shape analysis

ESOP'05 Proceedings of the 14th European conference on Programming Languages and Systems
Who is pointing when to whom?

FSTTCS'04 Proceedings of the 24th international conference on Foundations of Software Technology and Theoretical Computer Science
A local shape analysis based on separation logic

TACAS'06 Proceedings of the 12th international conference on Tools and Algorithms for the Construction and Analysis of Systems

Types, bytes, and separation logic

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Variance analyses from invariance analyses

Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Shape analysis with inductive recursion synthesis

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Thread-modular shape analysis

Proceedings of the 2007 ACM SIGPLAN conference on Programming language design and implementation
Cyclic proofs of program termination in separation logic

Proceedings of the 35th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Scalable Specification and Reasoning: Challenges for Program Logic

Verified Software: Theories, Tools, Experiments
A combination framework for tracking partition sizes

Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Unifying type checking and property checking for low-level code

Proceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Formal Verification of C Systems Code

Journal of Automated Reasoning
Automatic numeric abstractions for heap-manipulating programs

Proceedings of the 37th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
A reachability predicate for analyzing low-level software

TACAS'07 Proceedings of the 13th international conference on Tools and algorithms for the construction and analysis of systems
An abstract domain for analyzing heap-manipulating low-level software

CAV'07 Proceedings of the 19th international conference on Computer aided verification
Concrete Memory Models for Shape Analysis

Electronic Notes in Theoretical Computer Science (ENTCS)
A shape analysis for non-linear data structures

SAS'10 Proceedings of the 17th international conference on Static analysis
Compositional Shape Analysis by Means of Bi-Abduction

Journal of the ACM (JACM)
Shape analysis of low-level c with overlapping structures

VMCAI'10 Proceedings of the 11th international conference on Verification, Model Checking, and Abstract Interpretation
Separating shape graphs

ESOP'10 Proceedings of the 19th European conference on Programming Languages and Systems
Formalised inductive reasoning in the logic of bunched implications

SAS'07 Proceedings of the 14th international conference on Static Analysis
Footprint analysis: a shape analysis that discovers preconditions

SAS'07 Proceedings of the 14th international conference on Static Analysis
Arithmetic strengthening for shape analysis

SAS'07 Proceedings of the 14th international conference on Static Analysis

Quantified Score

Hi-index	0.00

Visualization

Abstract

Previous shape analysis algorithms use a memory model where the heap is composed of discrete nodes that can be accessed only via access paths built from variables and field names, an assumption that is violated by pointer arithmetic. In this paper we show how this assumption can be removed, and pointer arithmetic embraced, by using an analysis based on separation logic. We describe an abstract domain whose elements are certain separation logic formulae, and an abstraction mechanism that automatically transits between a low-level RAM view of memory and a higher, fictional, view that abstracts from the representation of nodes and multiword linked-lists as certain configurations of the RAM. A widening operator is used to accelerate the analysis. We report experimental results obtained from running our analysis on a number of classic algorithms for dynamic memory management.