## Parametric Shape Analysis via 3-Valued Logic (1999)

### Cached

### Download Links

- [www.cs.wisc.edu]
- [www.cs.colorado.edu]
- [www.cs.wisc.edu]
- [www.cs.wisc.edu]
- [www.cs.tau.ac.il]
- [www.cs.utsa.edu]
- [rw4.cs.uni-saarland.de]
- [www.cs.wisc.edu]
- DBLP

### Other Repositories/Bibliography

Citations: | 587 - 74 self |

### BibTeX

@MISC{Sagiv99parametricshape,

author = {Mooly Sagiv and Thomas Reps and Reinhard Wilhelm},

title = {Parametric Shape Analysis via 3-Valued Logic},

year = {1999}

}

### Years of Citing Articles

### OpenURL

### Abstract

Shape Analysis concerns the problem of determining "shape invariants"...

### Citations

2020 | Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints - Cousot, Cousot - 1977 |

1539 | A Discipline of Programming - Dijkstra - 1976 |

855 | Mobile Ambients - Cardelli, Gordon - 1998 |

766 |
Introduction to metamathematics
- Kleene
- 1952
(Show Context)
Citation Context ...?n. To express the property "program variables x and y are not may-aliases", we write the formula 8v : :(x(v)sy(v)): (2) 1.1.2 Shape Analysis via Three-Valued Logic We use Kleene's three-val=-=ued logic [Kle87] (which ha-=-s a third truth value that signifies "unknown") to create a shape-analysis algorithm automatically from a specification. Kleene's logic is useful for shape analysis because we only have part... |

671 | Systematic design of program analysis frameworks, in "Conference
- COUSOT, COUSOT
- 1979
(Show Context)
Citation Context ... applied at any step (e.g., right after focus and before [[st]]) and may improve precision. It is worthwhile noting that both focus and coerce are semantic-reduction operations (originally defined in =-=[CC79]-=-). That is, they convert a set of three-valued structures into a more precise set of structures that describe the same set of stores. This property, together with the correctness of the structure tran... |

669 | Counterexample-guided abstraction refinement - CLARKE, GRUMBERG, et al. - 2000 |

651 | H.: Construction of abstract state graphs with PVS - Graf, Saïdi - 1997 |

499 | The Science Of Programming - GRIES - 1981 |

396 | Analysis of pointers and structures
- Chase, Wegman, et al.
- 1990
(Show Context)
Citation Context ...82, LH88, HPR89, CWZ90, Str92, AW93, PCK93, Wan94, SRW98]. A common feature of these algorithms is that they represent multiple run-time locations by a single "shape-node", often called summ=-=ary-nodes [CWZ90]. One way -=-of looking at these algorithms is that "shape graphs" are indirect representations of store invariants. 1.1 Main Results This paper presents a parametric framework for shape analysis. Differ... |

303 | Solving shape-analysis problems in languages with destructive updating
- Sagiv, Reps, et al.
- 1996
(Show Context)
Citation Context ...ure 3: The three structures that result from the first abstract execution of st 4 by the improved abstract-interpretation method of Section 5. traversed. (Thus, Section 5 generalizes the algorithm of =-=[SRW96]-=-.) As we will see in Section 5, this allows us to determine the correct shape descriptors for the data structures used in the reverse program. To perform a more precise abstract interpretation of prog... |

292 | Descriptive Complexity - Immerman - 1999 |

240 | Interprocedural may-alias analysis for pointers: Beyond k-limiting - Deutsch - 1994 |

209 | Flow analysis and optimization of lisp-like structures
- Jones, Muchnick
- 1979
(Show Context)
Citation Context ...garbage element)? garbage collection r x (v) Is v (transitively) reachable from pointer separating disjoint [SRW98, p.38] variable x? data structures c(v) Is v on a directed cycle? reference counting =-=[JM81]-=- c f:b (v) Does a field-f dereference from v, followed doubly-linked lists [HHN92, PCK93] by a field-b deference, yield v? c b:f (v) Does a field-b dereference from v, followed doubly-linked lists [HH... |

191 | Compiler-based prefetching for recursive data structures
- Luk, Mowry
- 1996
(Show Context)
Citation Context ...oa75]. Such invariants are useful for sharpening the results obtained from a tool like LClint, which predicts memory-usage bugs [Eva96], and for program optimization (e.g., to improve memory locality =-=[LM96]). In the -=-past two decades, many "shape-analysis" algorithms have been developed that can automatically identify shape invariants in some programs that manipulate heap-allocated storage [JM81, JM82, L... |

183 | Efficient Model Checking - Emerson, Lei - 1986 |

167 | Static detection of dynamic memory errors
- Evans
- 1996
(Show Context)
Citation Context ...nvariants are reestablished once a sequence of operations is finished [Hoa75]. Such invariants are useful for sharpening the results obtained from a tool like LClint, which predicts memory-usage bugs =-=[Eva96], and for -=-program optimization (e.g., to improve memory locality [LM96]). In the past two decades, many "shape-analysis" algorithms have been developed that can automatically identify shape invariants... |

167 | Parallelizing programs with recursive data structures - Hendren, Nicolau - 1990 |

163 | Detecting conflicts between structure accesses - Larus, Hilfinger - 1988 |

163 | Abstract interpretation: A uni lattice model for static analysis of programs by construction of approximations of - Cousot, Cousot - 1977 |

148 | Dependence analysis for pointer variables - Horwitz, Pfeier, et al. - 1989 |

139 | Experience with predicate abstraction - Das, D, et al. - 1999 |

120 | TVLA: A System for Implementing Static Analyses - Lev-Ami, Sagiv - 2000 |

108 | Pointer-induced aliasing: A problem classification - Landi, Ryder - 1991 |

106 | A flexible approach to interprocedural data flow analysis and programs with recursive data structures - Jones, Muchnick - 1982 |

88 | Abstractions for recursive pointer data structures: Improving analysis and transformations of imperative languages
- HENDREN, HUMMEL, et al.
- 1992
(Show Context)
Citation Context ...fficient. ffl The special cyclicity predicates c f:b and c b:f are used to capture doubly-linked lists, in which forward and backward field dereferences cancel each other. This idea was introduced in =-=[HHN92]-=- and also used in [PCK93]. In the general case, a program uses a number of different struct types. The core vocabulary is then defined as follows: C def = fsel j sel 2 Selg [ fx j x 2 PVarg [ fsmg; (1... |

82 | Verifying safety properties of concurrent Java programs using 3-valued logic - Yahav - 2001 |

81 | Putting static analysis to work for verification: A case study - Lev-Ami, Reps, et al. - 2000 |

77 | Shape types - Fradet, Metayer - 1997 |

75 | A storeless model of aliasing and its abstractions using finite representations of right-regular equivalence relations - DEUTSCH - 1992 |

70 |
Notes on data structuring
- Hoare
- 1972
(Show Context)
Citation Context ...hese invariants are usually not preserved by the execution of individual program statements, and it is challenging to prove that invariants are reestablished once a sequence of operations is finished =-=[Hoa75]-=-. Such invariants are useful for sharpening the results obtained from a tool like LClint, which predicts memory-usage bugs [Eva96], and for program optimization (e.g., to improve memory locality [LM96... |

66 | A program verifier - King - 1971 |

59 | Automatic Verification of Pointer Programs Using Monadic Second-order Logic - Jensen, Jørgensen, et al. |

57 | Multivalued Logics: A Uniform Approach to Inference
- GINSBERG
- 1988
(Show Context)
Citation Context ... 2 Kleene's semantics of three-valued logic is monotonic in the information order (see Table 1 and Definition 3.4). The values 0, 1, and 1=2 form a mathematical structure known as a bi-lattice, e.g., =-=[Gin88]-=-, as shown in Figure 4. A bi-lattice has two orderings: the logical order and the information order. The logical order is the one used in Table 1: that is,sandsare meet and join in the logical order (... |

53 | A Course - Bell, Machover - 1977 |

49 | Dyn-FO: A parallel, dynamic complexity class - Patnaik, Immerman - 1997 |

43 | Shape analysis for mobile ambients - Nielson, Nielson - 2000 |

40 | Incremental and decremental evaluation of transitive closure by firstorder queries - Dong, Su - 1995 |

39 | A decidable logic for describing linked data structures - Benedikt, Reps, et al. - 1999 |

38 | Analysis of dynamic structures for efficient parallel execution
- Plevyak, Chien, et al.
- 1993
(Show Context)
Citation Context ...e program. To perform a more precise abstract interpretation of programs, we have to be able to materialize new nodes from summary nodes as the program's data structures are traversed. Plevyak et al. =-=[PCK93]-=- introduced a way to do materialization for straight-line code, and Sagiv et al. [SRW98] developed a way to do this in the presence of loops and recursion. However, these analyses are hard to understa... |

38 | Tvla: A framework for kleene based static analysis - Lev-Ami, Sagiv - 2000 |

27 | Counterexample-guided abstraction re - Clarke, Grumberg, et al. - 2000 |

26 | An interactive program verifier - Deutsch - 1973 |

25 | Compile-time debugging of C programs working on trees - Elgaard, Møller, et al. - 2000 |

18 | A logic-based approach to data flow analysis - Sagiv, Francez, et al. - 1990 |

15 | A Lattice for Abstract Interpretation of Dynamic (LISP-like - Stransky - 1990 |

13 | Analysis of Recursive Types in an Imperative Language - Wang - 1994 |

13 | Arity bounds in first-order incremental evaluation and definition of polynomial time database queries - Dong, Su - 1998 |

11 | Recursive data structures. Int - Hoare - 1975 |

11 | A approach to interprocedural data analysis and programs with recursive data structures - Jones, Muchnick - 1982 |

11 | Detecting con between structure accesses - Larus, Hil - 1988 |