Results 1  10
of
163
Modular Automatic Assertion Checking with Separation Logic
, 2005
"... Separation logic is a program logic for reasoning about programs that manipulate pointer data structures. We describe a tool, Smallfoot, for checking certain lightweight separation logic specifications. The assertions describe the shapes of data structures rather than their detailed contents, and th ..."
Abstract

Cited by 160 (6 self)
 Add to MetaCart
Separation logic is a program logic for reasoning about programs that manipulate pointer data structures. We describe a tool, Smallfoot, for checking certain lightweight separation logic specifications. The assertions describe the shapes of data structures rather than their detailed contents, and this allows reasoning to be fully automatic. We illustrate what the tool can do via a sequence of examples which are oriented around novel aspects of separation logic, namely: avoidance of frame axioms (which say what a procedure does not change); embracement of “dirty” features such as memory disposal and address arithmetic; information hiding in the presence of pointers; and modular reasoning about concurrent programs.
Compositional Shape Analysis by means of BiAbduction
, 2009
"... This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an overapprox ..."
Abstract

Cited by 143 (17 self)
 Add to MetaCart
(Show Context)
This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an overapproximation of data structure usage. Compositionality brings its usual benefits – increased potential to scale, ability to deal with unknown calling contexts, graceful way to deal with imprecision – to shape analysis, for the first time. The analysis rests on a generalized form of abduction (inference of explanatory hypotheses) which we call biabduction. Biabduction displays abduction as a kind of inverse to the frame problem: it jointly infers antiframes (missing portions of state) and frames (portions of state not touched by an operation), and is the basis of a new interprocedural analysis algorithm. We have implemented
Shape analysis for composite data structures
 In CAV
, 2007
"... Abstract. We propose a shape analysis that adapts to some of the complex composite data structures found in industrial systemslevel programs. Examples of such data structures include “cyclic doublylinked lists of acyclic singlylinked lists”, “singlylinked lists of cyclic doublylinked lists with ..."
Abstract

Cited by 120 (20 self)
 Add to MetaCart
(Show Context)
Abstract. We propose a shape analysis that adapts to some of the complex composite data structures found in industrial systemslevel programs. Examples of such data structures include “cyclic doublylinked lists of acyclic singlylinked lists”, “singlylinked lists of cyclic doublylinked lists with backpointers to head nodes”, etc. The analysis introduces the use of generic higherorder inductive predicates describing spatial relationships together with a method of synthesizing new parameterized spatial predicates which can be used in combination with the higherorder predicates. In order to evaluate the proposed approach for realistic programs we have performed experiments on examples drawn from device drivers: the analysis proved safety of the data structure manipulation of several routines belonging to an IEEE 1394 (firewire) driver, and also found several previously unknown memory safety bugs. 1
Scalable shape analysis for systems code
 In CAV
, 2008
"... Abstract. Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalabi ..."
Abstract

Cited by 119 (14 self)
 Add to MetaCart
(Show Context)
Abstract. Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalability and precision provided by existing tools. In this paper we report on a new join operation ⊔ † for the separation domain which aggressively abstracts information for scalability yet does not lead to false error reports. ⊔ † is a critical piece of a new shape analysis tool that provides an acceptable mixture of scalability and precision for industrial application. Experiments on whole Windows and Linux device drivers (firewire, pcidriver, cdrom, md, etc.) represent the first working application of shape analysis to verification of whole industrial programs. 1
Back to the Future  Revisiting Precise Program Verification using SMT Solvers
 POPL'08
, 2008
"... This paper takes a fresh look at the problem of precise verification of heapmanipulating programs using firstorder SatisfiabilityModuloTheories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying ..."
Abstract

Cited by 78 (15 self)
 Add to MetaCart
This paper takes a fresh look at the problem of precise verification of heapmanipulating programs using firstorder SatisfiabilityModuloTheories (SMT) solvers. We augment the specification logic of such solvers by introducing the Logic of Interpreted Sets and Bounded Quantification for specifying properties of heapmanipulating programs. Our logic is expressive, closed under weakest preconditions, and efficiently implementable on top of existing SMT solvers. We have created a prototype implementation of our logic over the solvers SIMPLIFY and Z3 and used our prototype to verify many programs. Our preliminary experience is encouraging; the completeness and the efficiency of the decision procedure is clearly evident in practice and has greatly improved the user experience of the verifier.
Relational Inductive Shape Analysis
 in "ACM SIGPLANSIGACT Symposium on Principles of Programming Languages
, 2008
"... Shape analyses are concerned with precise abstractions of the heap to capture detailed structural properties. To do so, they need to build and decompose summaries of disjoint memory regions. Unfortunately, many data structure invariants require relations be tracked across disjoint regions, such as i ..."
Abstract

Cited by 73 (11 self)
 Add to MetaCart
Shape analyses are concerned with precise abstractions of the heap to capture detailed structural properties. To do so, they need to build and decompose summaries of disjoint memory regions. Unfortunately, many data structure invariants require relations be tracked across disjoint regions, such as intricate numerical data invariants or structural invariants concerning back and cross pointers. In this paper, we identify issues inherent to analyzing relational structures domain for pure data properties and by usersupplied specifications of the data structure invariants to check. Particularly, it supports hybrid invariants about shape and data and features a generic mechanism for materializing summaries at the beginning, middle, or end of inductive structures. Around this domain, we build a shape analysis whose interesting components include a preanalysis on the usersupplied specifications that guides the abstract interpretation and a widening operator over the combined shape and data domain. We then demonstrate our techniques on the proof of preservation of the redblack tree invariants during insertion.
Interprocedural shape analysis with separated heap abstractions
 In SAS
, 2006
"... Abstract. We describe an interprocedural shape analysis that makes use of spatial locality (i.e. the fact that most procedures modify only a small subset of the heap) in its representation of abstract states. Instead of tracking reachability information directly and aliasing information indirectly, ..."
Abstract

Cited by 67 (9 self)
 Add to MetaCart
(Show Context)
Abstract. We describe an interprocedural shape analysis that makes use of spatial locality (i.e. the fact that most procedures modify only a small subset of the heap) in its representation of abstract states. Instead of tracking reachability information directly and aliasing information indirectly, our representation tracks reachability indirectly and aliasing state is easy because the representation exhibits spatial locality mirroring the locality that is present in the concrete semantics. The benefits of this approach include improved speed, support for programs that deallocate memory, the handling of bounded numbers of heap cutpoints, and support for cyclic and shared data structures. 1
Modular finegrained concurrency verification
"... Traditionally, concurrent data structures are protected by a single mutual exclusion lock so that only one thread may access the data structure at any time. This coarsegrained approach makes it relatively easy to reason about correctness, but it severely limits parallelism. More advanced algorithms ..."
Abstract

Cited by 60 (7 self)
 Add to MetaCart
(Show Context)
Traditionally, concurrent data structures are protected by a single mutual exclusion lock so that only one thread may access the data structure at any time. This coarsegrained approach makes it relatively easy to reason about correctness, but it severely limits parallelism. More advanced algorithms instead perform synchronisation at a finer grain. They employ sophisticated synchronisation schemes (both blocking and nonblocking) and are usually written in lowlevel languages such as C. This dissertation addresses the formal verification of such algorithms. It proposes techniques that are modular (and hence scalable), easy for programmers to use, and yet powerful enough to verify complex algorithms. In doing so, it makes two theoretical and two practical contributions to reasoning about finegrained concurrency. First, building on rely/guarantee reasoning and separation logic, it develops a new logic, RGSep, that subsumes these two logics and enables simple, modular proofs of finegrained concurrent algorithms that use complex dynamically allocated data structures and may explicitly deallocate memory. RGSep allows for ownershipbased reasoning and ownership
Array abstractions from proofs
 CAV, volume 4590 of LNCS
, 2007
"... Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with ..."
Abstract

Cited by 57 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We present a technique for using infeasible program paths to automatically infer Range Predicates that describe properties of unbounded array segments. First, we build proofs showing the infeasibility of the paths, using axioms that precisely encode the highlevel (but informal) rules with which programmers reason about arrays. Next, we mine the proofs for Craig Interpolants which correspond to predicates that refute the particular counterexample path. By embedding the predicate inference technique within a CounterexampleGuided AbstractionRefinement (CEGAR) loop, we obtain a method for verifying datasensitive safety properties whose precision is tailored in a program and propertysensitive manner. Though the axioms used are simple, we show that the method suffices to prove a variety of arraymanipulating programs that were previously beyond automatic model checkers. 1