## Parametric Shape Analysis via 3-Valued Logic (2001)

To express the property "program variables x and y are not may-aliases", we write the formula

$$\forall v : \neg(x(v) \wedge y(v)) \tag{2}$$

1.1.2 Shape Analysis via Three-Valued Logic

We use Kleene's three-valued logic [Kle87] (which has a third truth value that signifies "unknown") to create a shape-analysis algorithm automatically from a specification. Kleene's logic is useful for shape analysis because we only have part...

applied at any step (e.g., right after focus and before [[st]]) and may improve precision. It is worthwhile noting that both focus and coerce are semantic-reduction operations (originally defined in [CC79]). That is, they convert a set of three-valued structures into a more precise set of structures that describe the same set of stores. This property, together with the correctness of the structure tran...

A common feature of these algorithms is that they represent multiple run-time locations by a single "shape-node", often called summary-nodes [CWZ90]. One way of looking at these algorithms is that "shape graphs" are indirect representations of store invariants.

1.1 Main Results

This paper presents a parametric framework for shape analysis. Differ...

The three structures that result from the first abstract execution of $st_4$ by the improved abstract-interpretation method of Section 5.

traversed. (Thus, Section 5 generalizes the algorithm of [SRW96].) As we will see in Section 5, this allows us to determine the correct shape descriptors for the data structures used in the reverse program. To perform a more precise abstract interpretation of prog...

- garbage element)? (garbage collection)
- $r_x(v)$: Is v (transitively) reachable from pointer variable x? (separating disjoint data structures) [SRW98, p.38]
- $c(v)$: Is v on a directed cycle? (reference counting) [JM81]
- $c_{f.b}(v)$: Does a field-f dereference from v, followed by a field-b dereference, yield v? (doubly-linked lists) [HHN92, PCK93]
- $c_{b.f}(v)$: Does a field-b dereference from v, followed ... (doubly-linked lists) [HH...

Such invariants are useful for sharpening the results obtained from a tool like LClint, which predicts memory-usage bugs [Eva96], and for program optimization (e.g., to improve memory locality [LM96]). In the past two decades, many "shape-analysis" algorithms have been developed that can automatically identify shape invariants in some programs that manipulate heap-allocated storage [JM81, JM82, L...

The special cyclicity predicates $c_{f.b}$ and $c_{b.f}$ are used to capture doubly-linked lists, in which forward and backward field dereferences cancel each other. This idea was introduced in [HHN92] and also used in [PCK93]. In the general case, a program uses a number of different struct types. The core vocabulary is then defined as follows: $C \stackrel{\text{def}}{=} \{sel \mid sel \in Sel\} \cup \{x \mid x \in PVar\} \cup \{sm\}$; (1...

These invariants are usually not preserved by the execution of individual program statements, and it is challenging to prove that invariants are reestablished once a sequence of operations is finished [Hoa75]. Such invariants are useful for sharpening the results obtained from a tool like LClint, which predicts memory-usage bugs [Eva96], and for program optimization (e.g., to improve memory locality [LM96...

Kleene's semantics of three-valued logic is monotonic in the information order (see Table 1 and Definition 3.4). The values 0, 1, and 1/2 form a mathematical structure known as a bi-lattice, e.g., [Gin88], as shown in Figure 4. A bi-lattice has two orderings: the logical order and the information order. The logical order is the one used in Table 1: that is, $\wedge$ and $\vee$ are meet and join in the logical order (...

To perform a more precise abstract interpretation of programs, we have to be able to materialize new nodes from summary nodes as the program's data structures are traversed. Plevyak et al. [PCK93] introduced a way to do materialization for straight-line code, and Sagiv et al. [SRW98] developed a way to do this in the presence of loops and recursion. However, these analyses are hard to understa...

