Scalable shape analysis for systems code
In CAV, 2008
Cited by 61 (9 self)
Abstract. Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalability and precision provided by existing tools. In this paper we report on a new join operation ⊔† for the separation domain which aggressively abstracts information for scalability yet does not lead to false error reports. ⊔† is a critical piece of a new shape analysis tool that provides an acceptable mixture of scalability and precision for industrial application. Experiments on whole Windows and Linux device drivers (firewire, pcidriver, cdrom, md, etc.) represent the first working application of shape analysis to verification of whole industrial programs.
Compositional Shape Analysis by means of Bi-Abduction
2009
Cited by 52 (12 self)
This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an over-approximation of data structure usage. Compositionality brings its usual benefits – increased potential to scale, ability to deal with unknown calling contexts, graceful way to deal with imprecision – to shape analysis, for the first time. The analysis rests on a generalized form of abduction (inference of explanatory hypotheses) which we call bi-abduction. Bi-abduction displays abduction as a kind of inverse to the frame problem: it jointly infers anti-frames (missing portions of state) and frames (portions of state not touched by an operation), and is the basis of a new interprocedural analysis algorithm. We have implemented
Compositional Shape Analysis
2009
Cited by 2 (2 self)
This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an over-approximation of data structure usage. Compositionality brings its usual benefits – increased potential to scale, ability to deal with unknown calling contexts, graceful way to deal with imprecision – to shape analysis, for the first time. The analysis rests on a generalized form of abduction (inference of explanatory hypotheses) which we call bi-abduction. Bi-abduction displays abduction as a kind of inverse to the frame problem: it jointly infers anti-frames (missing portions of state) and frames (portions of state not touched by an operation), and is the basis of a new interprocedural analysis algorithm. We have implemented
Calling Context Abstraction with Shapes
2011
Cited by 2 (0 self)
Interprocedural program analysis is often performed by computing procedure summaries. While possible, computing adequate summaries is difficult, particularly in the presence of recursive procedures. In this paper, we propose a complementary framework for interprocedural analysis based on a direct abstraction of the calling context. Specifically, our approach exploits the inductive structure of a calling context by treating it directly as a stack of activation records. We then build an abstraction based on separation logic with inductive definitions. A key element of this abstract domain is the use of parameters to refine the meaning of such call stack summaries and thus express relations across activation records and with the heap. In essence, we define an abstract interpretation-based analysis framework for recursive programs that permits a fluid per call site abstraction of the call stack—much like how shape analyzers enable a fluid per program point abstraction of the heap.
Program Analysis With Write Invariant Properties
Cited by 1 (1 self)
Abstract. This paper introduces a general purpose method, write invariant properties, for improving the precision of heap analysis techniques at a minimal computational cost. This method is specifically focused on eliminating the imprecision introduced when program states from multiple call paths are merged at call sites when using partially call-context-sensitive interprocedural analysis techniques. The concept of write invariant properties allows the recovery of many important classes of information such as collection sizes, null pointer properties and object allocation sites. The concept of write invariant properties is based on the identification of heap object properties that are invariant during a method call provided certain parts of various objects are unmodified. By using a heap domain that can track this write information during the analysis we can extract the information for a given write invariant property at call entry and then, at the return of the call, we can assert that these properties must still hold (provided the required parts of the object are not modified). This paper presents a definition for write invariant properties in the concrete heap, translates this definition into a form usable in the abstract heap domain and integrates this into a basic partially call-sensitive analysis framework.
Programming Paradigm Driven Heap Analysis
Cited by 1 (1 self)
Abstract. The computational cost and precision of a shape-style heap analysis is highly dependent on the way method calls are handled. This paper introduces a new approach to analyzing method calls that leverages the fundamental object-oriented programming concepts of encapsulation and invariants. The analysis consists of a novel partial context-sensitivity heuristic and a new take on cutpoints that, in practice, provide large improvements in interprocedural analysis performance while having minimal impact on the precision of the results. The interprocedural analysis has been implemented for .NET bytecode and an existing abstract heap model. Using this implementation we evaluate both the runtime cost and the precision of the results on a number of well known benchmarks and real-world programs. Our experimental evaluations show that, despite the use of partial context sensitivity heuristics, the static analysis is able to precisely approximate the ideal analysis results. Further, the results show that the interprocedural analysis heuristics and the approach to cutpoints used in this work are critical in enabling the analysis of large real-world programs, over 30K bytecodes in less than 65 seconds and using less than 130 MB of memory, which could not be analyzed with previous approaches.
Shape Analysis with Reference Set Dominance
Abstract. Precise modeling of the structure of the heap and how objects are shared between various arrays or data structures is fundamental to understanding the behavior of a program. This paper introduces a novel higher order relation, reference set dominance, which subsumes the concept of aliasing and enables existing shape analysis techniques to, efficiently and accurately, model many types of containment properties without the use of explicit quantification or specialized logics for containers/sets. We extend an existing shape analysis to model the concept of reference set dominance. This concept allows the analysis to track a number of important relations (must =, and must ⊆) between the sets of objects that are the targets of two given sets of references (variables or pointers). In combination with shape properties, an analysis that tracks reference dominance information can precisely reason about sharing properties on the heap (are the contents of one array a subset of another array?), and how sharing influences the results of destructive updates (does modifying all the objects in one array imply that all the objects in another array are modified as well?). Precisely and efficiently reasoning about these kinds of sharing properties has been beyond the abilities of previous analyses. We show that shape analysis augmented with dominance information is able to precisely model sharing for a large range of data structures in real programs and in contrast to more expressive proposals based on logic languages (e.g., extensions of first-order predicate logic with transitive closure), dominance properties can be efficiently implemented in a shape analyzer.
A Relational Approach to Interprocedural Shape Analysis
2008
This paper addresses the verification of properties of imperative programs with recursive procedure calls, heap-allocated storage, and destructive updating of pointer-valued fields, i.e., interprocedural shape analysis. The paper makes three contributions:
— It introduces a new method for abstracting relations over memory configurations for use in abstract interpretation.
— It shows how this method furnishes the elements needed for a compositional approach to shape analysis. In particular, abstracted relations are used to represent the shape transformation performed by a sequence of operations, and an over-approximation to relational composition can be performed using the meet operation of the domain of abstracted relations.
— It applies these ideas in a new algorithm for context-sensitive interprocedural shape analysis. The algorithm creates procedure summaries using abstracted relations over memory configurations, and the meet-based composition operation provides a way to apply the summary transformer for a procedure P at each call site from which P is called. The algorithm has been applied successfully to establish properties of both (i) recursive programs that manipulate lists, and (ii) recursive programs that manipulate binary trees.
Scalable Interprocedural Analysis -- A Pragmatic Approach
2009
When analyzing a program via an abstract interpretation framework we would like to analyze the program in a context-sensitive interprocedural manner. Analyzing the program in a manner that considers interprocedural flow can lead to much more accurate results than local or context-insensitive analyses. However, the computational cost (both time and memory consumption) associated with context-sensitive interprocedural analysis techniques makes them infeasible for all but very small programs or simple domains. This paper presents several novel, domain-independent heuristics for reducing the cost of analyzing a program in a context-sensitive manner while having a small impact on the precision of the results. The heuristics are motivated by observations about fundamental properties of software design and the semantics of iterative dataflow analysis. We validate the effectiveness of the heuristics via experimental evaluation which shows both good scalability and high precision of the results.
Pert: The Application-aware Tailoring of Java Object Persistence
Abstract—Persistence is a widely used technique which allows the objects that represent the results of lengthy computations to outlive the process that creates them, in order to considerably speed up subsequent program executions. We observe that conventional persistence techniques usually do not consider the application contexts of the persistence operations, where not all of the object state needs to be persisted. Leveraging this observation, we have designed and implemented a framework called Pert, which first performs static program analysis to estimate the actual usage of the persisted object, given the context of its usage in the program. The Pert runtime uses the statically computed information to make efficient tailoring decisions that prune the redundant and unused object states during the persistence operations. Our evaluation results show that the Pert-based optimization can speed up the conventional persistence operations by 1 to 45 times. The amount of persisted data is also dramatically reduced, as a result of the application-aware tailoring. Index Terms—Object persistence, program analysis, performance optimization.