Results 1  10
of
33
Compositional Shape Analysis by means of BiAbduction
, 2009
"... This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an overapprox ..."
Abstract

Cited by 143 (17 self)
 Add to MetaCart
This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an overapproximation of data structure usage. Compositionality brings its usual benefits – increased potential to scale, ability to deal with unknown calling contexts, graceful way to deal with imprecision – to shape analysis, for the first time. The analysis rests on a generalized form of abduction (inference of explanatory hypotheses) which we call biabduction. Biabduction displays abduction as a kind of inverse to the frame problem: it jointly infers antiframes (missing portions of state) and frames (portions of state not touched by an operation), and is the basis of a new interprocedural analysis algorithm. We have implemented
Arithmetic Strengthening for Shape Analysis ⋆
"... Abstract. Shape analyses are often imprecise in their numerical reasoning, whereas numerical static analyses are often largely unaware of the shape of a program’s heap. In this paper we propose a lazy method of combining a shape analysis based on separation logic with an arbitrary arithmetic analysi ..."
Abstract

Cited by 47 (17 self)
 Add to MetaCart
(Show Context)
Abstract. Shape analyses are often imprecise in their numerical reasoning, whereas numerical static analyses are often largely unaware of the shape of a program’s heap. In this paper we propose a lazy method of combining a shape analysis based on separation logic with an arbitrary arithmetic analysis. When potentially spurious counterexamples are reported by our shape analysis, the method constructs a purely arithmetic program whose traces overapproximate the set of counterexample traces. It then uses this arithmetic program together with the arithmetic analysis to construct a refinement for the shape analysis. Our method is aimed at proving properties that require comprehensive reasoning about heaps together with more targeted arithmetic reasoning. Given a sufficient precondition, our technique can automatically prove memory safety of programs whose errorfree operation depends on a combination of shape, size, and integer invariants. We have implemented our algorithm and tested it on a number of common list routines using a variety of arithmetic analysis tools for refinement. 1
A reachability predicate for analyzing lowlevel software
 In Tools and Algorithms for the Construction and Analysis of Systems (TACAS
, 2007
"... Abstract. Reasoning about heapallocated data structures such as linked lists and arrays is challenging. The reachability predicate has proved to be useful for reasoning about the heap in typesafe languages where memory is manipulated by dereferencing object fields. Sound and precise analysis for s ..."
Abstract

Cited by 45 (12 self)
 Add to MetaCart
(Show Context)
Abstract. Reasoning about heapallocated data structures such as linked lists and arrays is challenging. The reachability predicate has proved to be useful for reasoning about the heap in typesafe languages where memory is manipulated by dereferencing object fields. Sound and precise analysis for such data structures becomes significantly more challenging in the presence of lowlevel pointer manipulation that is prevalent in systems software. In this paper, we give a novel formalization of the reachability predicate in the presence of internal pointers and pointer arithmetic. We have designed an annotation language for C programs that makes use of the new predicate. This language enables us to specify properties of many interesting data structures present in the Windows kernel. We present preliminary experience with a prototype verifier on a set of illustrative C benchmarks. 1
Variance analyses from invariance analyses
 In POPL
, 2007
"... All intext references underlined in blue are linked to publications on ResearchGate, letting you access and read them immediately. ..."
Abstract

Cited by 45 (13 self)
 Add to MetaCart
(Show Context)
All intext references underlined in blue are linked to publications on ResearchGate, letting you access and read them immediately.
Unifying Type Checking and property checking for lowlevel code
, 2009
"... We present a unified approach to type checking and property checking for lowlevel code. Type checking for lowlevel code is challenging because type safety often depends on complex, programspecific invariants that are difficult for traditional type checkers to express. Conversely, property checking ..."
Abstract

Cited by 43 (15 self)
 Add to MetaCart
(Show Context)
We present a unified approach to type checking and property checking for lowlevel code. Type checking for lowlevel code is challenging because type safety often depends on complex, programspecific invariants that are difficult for traditional type checkers to express. Conversely, property checking for lowlevel code is challenging because it is difficult to write concise specifications that distinguish between locations in an untyped program’s heap. We address both problems simultaneously by implementing a type checker for lowlevel code as part of our property checker. We present a lowlevel formalization of a C program’s heap and its types that can be checked with an SMT solver, and we provide a decision procedure for checking type safety. Our type system is flexible enough to support a combination of nominal and structural subtyping for C, on a perstructure basis. We discuss several case studies that demonstrate the ability of this tool to express and check complex type invariants in lowlevel C code, including several small Windows device drivers.
Automatic Numeric Abstractions for HeapManipulating Programs
, 2010
"... We present a logic for relating heapmanipulating programs to numeric abstractions. These numeric abstractions are expressed as simple imperative programs over integer variables and have the property that termination and safety of the numeric program ensures termination and safety of the original, h ..."
Abstract

Cited by 31 (2 self)
 Add to MetaCart
(Show Context)
We present a logic for relating heapmanipulating programs to numeric abstractions. These numeric abstractions are expressed as simple imperative programs over integer variables and have the property that termination and safety of the numeric program ensures termination and safety of the original, heapmanipulating program. We have implemented an automated version of this abstraction process and present experimental results for programs involving a variety of data structures.
An abstract domain for analyzing heapmanipulating lowlevel software
 In CAV
, 2007
"... Abstract. We describe an abstract domain for representing useful invariants of heapmanipulating programs (in presence of recursive data structures and pointer arithmetic) written in languages like C or lowlevel code. This abstract domain allows representation of must and may equalities among point ..."
Abstract

Cited by 21 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We describe an abstract domain for representing useful invariants of heapmanipulating programs (in presence of recursive data structures and pointer arithmetic) written in languages like C or lowlevel code. This abstract domain allows representation of must and may equalities among pointer expressions. Pointer expressions contain existentially or universally quantified integer variables guarded by some base domain constraint. We allow quantification of a special form, namely ∃ ∀ quantification, to balance expressiveness with efficient automated deduction. The existential quantification is over some dummy nonprogram variables, which are automatically made explicit by our analysis to express useful program invariants. The universal quantifier is used to express properties of collections of memory locations. Our abstract interpreter domain. We present initial experimental results demonstrating the effectiveness of this abstract domain on some common coding patterns. 1
Cyclic proofs of program termination in separation logic. Forthcoming
"... We propose a novel approach to proving the termination of heapmanipulating programs, which combines separation logic with cyclic proof within a Hoarestyle proof system. Judgements in this system express (guaranteed) termination of the program when started from a given line in the program and in a s ..."
Abstract

Cited by 21 (6 self)
 Add to MetaCart
We propose a novel approach to proving the termination of heapmanipulating programs, which combines separation logic with cyclic proof within a Hoarestyle proof system. Judgements in this system express (guaranteed) termination of the program when started from a given line in the program and in a state satisfying a given precondition, which is expressed as a formula of separation logic. The proof rules of our system are of two types: logical rules that operate on preconditions; and symbolic execution rules that capture the effect of executing program commands. Our logical preconditions employ inductively defined predicates to describe heap properties, and proofs in our system are cyclic proofs: cyclic derivations in which some inductive predicate is unfolded infinitely often along every infinite path, thus allowing us to discard all infinite paths in the proof by an infinite descent argument. Moreover, the use of this soundness condition enables us to avoid the explicit construction and use of ranking functions for termination. We also give a completeness result for our system, which is relative in that it relies upon completeness of a proof system for logical implications in separation logic. We give examples illustrating our approach, including one example for which the corresponding ranking function is nonobvious: termination of the classical algorithm for inplace reversal of a (possibly cyclic) linked list.
Footprint analysis: A shape analysis that discovers preconditions
 In SAS
, 2007
"... Abstract. Existing shape analysis algorithms infer descriptions of data structures at program points, starting from a given precondition. We describe an analysis that does not require any preconditions. It works by attempting to infer a description of only the cells that might be accessed, following ..."
Abstract

Cited by 20 (6 self)
 Add to MetaCart
(Show Context)
Abstract. Existing shape analysis algorithms infer descriptions of data structures at program points, starting from a given precondition. We describe an analysis that does not require any preconditions. It works by attempting to infer a description of only the cells that might be accessed, following the footprint idea in separation logic. The analysis allows us to establish a true Hoare triple for a piece of code, independently of the context in which it occurs and without a wholeprogram analysis. We present experimental results for a range of typical listprocessing algorithms, as well as for code fragments from a Windows device driver. 1
Foundations for decision problems in separation logic with general inductive predicates
 In Proc. FoSSaCS 2014
, 2014
"... Abstract. We establish foundational results on the computational complexity of deciding entailment in Separation Logic with general inductive predicates whose underlying base language allows for pure formulas, pointers and existentially quantified variables. We show that entailment is in general u ..."
Abstract

Cited by 10 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We establish foundational results on the computational complexity of deciding entailment in Separation Logic with general inductive predicates whose underlying base language allows for pure formulas, pointers and existentially quantified variables. We show that entailment is in general undecidable, and ExpTimehard in a fragment recently shown to be decidable by Iosif et al. Moreover, entailment in the base language is ΠP2complete, the upper bound even holds in the presence of list predicates. We additionally show that entailment in essentially any fragment of Separation Logic allowing for general inductive predicates is intractable even when strong syntactic restrictions are imposed. 1