Results 1  10
of
47
Compositional Shape Analysis by means of BiAbduction
, 2009
"... This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an overapprox ..."
Abstract

Cited by 87 (16 self)
 Add to MetaCart
This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an overapproximation of data structure usage. Compositionality brings its usual benefits – increased potential to scale, ability to deal with unknown calling contexts, graceful way to deal with imprecision – to shape analysis, for the first time. The analysis rests on a generalized form of abduction (inference of explanatory hypotheses) which we call biabduction. Biabduction displays abduction as a kind of inverse to the frame problem: it jointly infers antiframes (missing portions of state) and frames (portions of state not touched by an operation), and is the basis of a new interprocedural analysis algorithm. We have implemented
Scalable shape analysis for systems code
 In CAV
, 2008
"... Abstract. Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalabi ..."
Abstract

Cited by 85 (10 self)
 Add to MetaCart
Abstract. Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalability and precision provided by existing tools. In this paper we report on a new join operation ⊔ † for the separation domain which aggressively abstracts information for scalability yet does not lead to false error reports. ⊔ † is a critical piece of a new shape analysis tool that provides an acceptable mixture of scalability and precision for industrial application. Experiments on whole Windows and Linux device drivers (firewire, pcidriver, cdrom, md, etc.) represent the first working application of shape analysis to verification of whole industrial programs. 1
Full functional verification of linked data structures
 In ACM Conf. Programming Language Design and Implementation (PLDI
, 2008
"... We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical high ..."
Abstract

Cited by 79 (17 self)
 Add to MetaCart
We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higherorder logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,
Relational Inductive Shape Analysis
 in "ACM SIGPLANSIGACT Symposium on Principles of Programming Languages
, 2008
"... Shape analyses are concerned with precise abstractions of the heap to capture detailed structural properties. To do so, they need to build and decompose summaries of disjoint memory regions. Unfortunately, many data structure invariants require relations be tracked across disjoint regions, such as i ..."
Abstract

Cited by 53 (6 self)
 Add to MetaCart
Shape analyses are concerned with precise abstractions of the heap to capture detailed structural properties. To do so, they need to build and decompose summaries of disjoint memory regions. Unfortunately, many data structure invariants require relations be tracked across disjoint regions, such as intricate numerical data invariants or structural invariants concerning back and cross pointers. In this paper, we identify issues inherent to analyzing relational structures domain for pure data properties and by usersupplied specifications of the data structure invariants to check. Particularly, it supports hybrid invariants about shape and data and features a generic mechanism for materializing summaries at the beginning, middle, or end of inductive structures. Around this domain, we build a shape analysis whose interesting components include a preanalysis on the usersupplied specifications that guides the abstract interpretation and a widening operator over the combined shape and data domain. We then demonstrate our techniques on the proof of preservation of the redblack tree invariants during insertion.
Footprint analysis: A shape analysis that discovers preconditions
 In SAS
, 2007
"... Abstract. Existing shape analysis algorithms infer descriptions of data structures at program points, starting from a given precondition. We describe an analysis that does not require any preconditions. It works by attempting to infer a description of only the cells that might be accessed, following ..."
Abstract

Cited by 18 (6 self)
 Add to MetaCart
Abstract. Existing shape analysis algorithms infer descriptions of data structures at program points, starting from a given precondition. We describe an analysis that does not require any preconditions. It works by attempting to infer a description of only the cells that might be accessed, following the footprint idea in separation logic. The analysis allows us to establish a true Hoare triple for a piece of code, independently of the context in which it occurs and without a wholeprogram analysis. We present experimental results for a range of typical listprocessing algorithms, as well as for code fragments from a Windows device driver. 1
Automatic Parallelization with Separation Logic
"... Abstract. We present a separation logic framework which can express properties of memory separation between different points in a program. We describe an algorithm based on this framework for determining independences between statements in a program which can be used for parallelization. 1 ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
Abstract. We present a separation logic framework which can express properties of memory separation between different points in a program. We describe an algorithm based on this framework for determining independences between statements in a program which can be used for parallelization. 1
Sharing Analysis of Arrays, Collections, and Recursive Structures
, 2008
"... Precise modeling of the program heap is fundamental for understanding the behavior of a program, and is thus of significant interest for many optimization applications. One of the fundamental properties of the heap that can be used in a range of optimization techniques is the sharing relationships b ..."
Abstract

Cited by 16 (11 self)
 Add to MetaCart
Precise modeling of the program heap is fundamental for understanding the behavior of a program, and is thus of significant interest for many optimization applications. One of the fundamental properties of the heap that can be used in a range of optimization techniques is the sharing relationships between the elements in an array or collection. If an analysis can determine that the memory locations pointed to by different entries of an array (or collection) are disjoint, then in many cases loops that traverse the array can be vectorized or transformed into a threadparallel version. This paper introduces several novel sharing properties over the concrete heap and corresponding abstractions to represent them. In conjunction with an existing shape analysis technique, these abstractions allow us to precisely resolve the sharing relations in a wide range of heap structures (arrays, collections, recursive data structures, composite heap structures) in a computationally efficient manner. The effectiveness of the approach is evaluated on a set of challenge problems from the JOlden and SPECjvm98 suites. Sharing information obtained from the analysis is used to achieve substantial threadlevel parallel speedups.
Efficient contextsensitive shape analysis with graph based heap models
 In Compiler Construction (CC
, 2008
"... Abstract. The performance of heap analysis techniques has a significant impact on their utility in an optimizing compiler. Most shape analysis techniques perform interprocedural dataflow analysis in a contextsensitive manner, which can result in analyzing each procedure body many times (causing sig ..."
Abstract

Cited by 14 (5 self)
 Add to MetaCart
Abstract. The performance of heap analysis techniques has a significant impact on their utility in an optimizing compiler. Most shape analysis techniques perform interprocedural dataflow analysis in a contextsensitive manner, which can result in analyzing each procedure body many times (causing significant increases in runtime even if the analysis results are memoized). To improve the effectiveness of memoization (and thus speed up the analysis) project/extend operations are used to remove portions of the heap model that cannot be affected by the called procedure (effectively reducing the number of different contexts that a procedure needs to be analyzed with). This paper introduces project/extend operations that are capable of accurately modeling properties that are important when analyzing nontrivial programs (sharing, nullity information, destructive recursive functions, and composite data structures). The techniques we introduce are able to handle these features while significantly improving the effectiveness of memoizing analysis results (and thus improving analysis performance). Using a range of well known benchmarks (many of which have not been successfully analyzed using other existing shape analysis methods) we demonstrate that our approach results in significant improvements in both accuracy and efficiency over a baseline analysis. 1
Cyclic proofs of program termination in separation logic. Forthcoming
"... We propose a novel approach to proving the termination of heapmanipulating programs, which combines separation logic with cyclic proof within a Hoarestyle proof system. Judgements in this system express (guaranteed) termination of the program when started from a given line in the program and in a s ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
We propose a novel approach to proving the termination of heapmanipulating programs, which combines separation logic with cyclic proof within a Hoarestyle proof system. Judgements in this system express (guaranteed) termination of the program when started from a given line in the program and in a state satisfying a given precondition, which is expressed as a formula of separation logic. The proof rules of our system are of two types: logical rules that operate on preconditions; and symbolic execution rules that capture the effect of executing program commands. Our logical preconditions employ inductively defined predicates to describe heap properties, and proofs in our system are cyclic proofs: cyclic derivations in which some inductive predicate is unfolded infinitely often along every infinite path, thus allowing us to discard all infinite paths in the proof by an infinite descent argument. Moreover, the use of this soundness condition enables us to avoid the explicit construction and use of ranking functions for termination. We also give a completeness result for our system, which is relative in that it relies upon completeness of a proof system for logical implications in separation logic. We give examples illustrating our approach, including one example for which the corresponding ranking function is nonobvious: termination of the classical algorithm for inplace reversal of a (possibly cyclic) linked list.
Counterexampleguided focus
 In POPL
, 2010
"... The automated inference of quantified invariants is considered one of the next challenges in software verification. The question of the right precisionefficiency tradeoff for the corresponding program analyses here boils down to the question of the right treatment of disjunction below and above the ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
The automated inference of quantified invariants is considered one of the next challenges in software verification. The question of the right precisionefficiency tradeoff for the corresponding program analyses here boils down to the question of the right treatment of disjunction below and above the universal quantifier. In the closely related setting of shape analysis one uses the focus operator in order to adapt the treatment of disjunction (and thus the efficiencyprecision tradeoff) to the individual program statement. One promising research direction is to design parameterized versions of the focus operator which allow the user to finetune the focus operator not only to the individual program statements but also to the specific verification task. We carry this research direction one step further. We finetune the focus operator to each individual step of the analysis (for a specific verification task). This finetuning must be done automatically. Our idea is to use counterexamples for this purpose. We realize this idea in a tool that automatically infers quantified invariants for the verification of a variety of heapmanipulating programs.