Article

Abstraction for shape analysis with fast and precise transformers

Authors:

Mooly SagivAuthors Info & Claims

CAV'06: Proceedings of the 18th international conference on Computer Aided Verification

Pages 547 - 561

https://doi.org/10.1007/11817963_49

Published: 17 August 2006 Publication History

Abstract

This paper addresses the problem of proving safety properties of imperative programs manipulating dynamically allocated data structures using destructive pointer updates. We present a new abstraction for linked data structures whose underlying graphs do not contain cycles. The abstraction is simple and allows us to decide reachability between dynamically allocated heap cells.

We present an efficient algorithm that computes the effect of low level heap mutations in the most precise way. The algorithm does not rely on the usage of a theorem prover. In particular, the worst case complexity of computing a single successor abstract state is O(V logV) where V is the number of program variables. The overall number of successor abstract states can be exponential in V. A prototype of the algorithm was implemented and is shown to be fast.

Our method also handles programs with “simple cycles” such as cyclic singly-linked lists, (cyclic) doubly-linked lists, and trees with parent pointers. Moreover, we allow programs which temporarily violate these restrictions as long as they are restored in loop boundaries.

References

[1]

I. Balaban, A. Pnueli, and L. D. Zuck. Shape analysis by predicate abstraction. In VMCAI, pages 164-180, 2005.

Digital Library

[2]

J. Bingham and Z. Rakamaric. A logic and decision procedure for predicate abstraction of heap-manipulating programs. Tech. Rep. TR-2005-19, Dept. of Comp. Sci., Univ. of BC, Canada, 2005.

Digital Library

[3]

G. Bruns and P. Godefroid. Generalized model checking: Reasoning about partial state spaces. In CONCUR, pages 168-182, 2000.

Digital Library

[4]

P. Cousot and R. Cousot. Systematic design of program analysis frameworks. In Symp. on Princ. of Prog. Lang., pages 269-282, New York, NY, 1979. ACM Press.

Digital Library

[5]

D. Distefano, P.W. O'Hearn, and H. Yang. A local shape analysis based on separation logic. In TACAS, pages 287-302, 2006.

Digital Library

[6]

R. Ghiya and L. Hendren. Putting pointer analysis to work. In Symp. on Princ. of Prog. Lang., New York, NY, 1998. ACM Press.

Digital Library

[7]

S. Graf and H. Saïdi. Construction of abstract state graphs with PVS. In CAV, 1997.

Digital Library

[8]

L. Hendren. Parallelizing Programs with Recursive Data Structures. PhD thesis, Cornell Univ., Ithaca, NY, Jan 1990.

Digital Library

[9]

N. Immerman, A. Rabinovich, T. Reps, M. Sagiv, and G. Yorsh. Verification via structure simulation. In Proc. Computer-Aided Verif., pages 281-294, 2004.

[10]

N.D. Jones and S.S. Muchnick. Flow analysis and optimization of Lisp-like structures. In S.S. Muchnick and N.D. Jones, editors, Program Flow Analysis: Theory and Applications, chapter 4, pages 102-131. Prentice-Hall, Englewood Cliffs, NJ, 1981.

[11]

N. Klarlund and A. Møller. MONA Version 1.4 User Manual. BRICS Notes Series NS-01-1, Dept. of Comp. Sci., Univ. of Aarhus, January 2001.

[12]

S. K. Lahiri and S. Qadeer. Verifying properties of well-founded linked lists. In POPL, 2006.

Digital Library

[13]

O. Lee, H. Yang, and K. Yi. Automatic verification of pointer programs using grammar-based shape analysis. In ESOP, pages 124-140, 2005.

Digital Library

[14]

T. Lev-Ami, N. Immerman, T. W. Reps, M. Sagiv, S. Srivastava, and G. Yorsh. Simulating reachability using first-order logic with applications to verification of linked data structures. In CADE, pages 99-115, 2005.

Digital Library

[15]

T. Lev-Ami, N. Immerman, and M. Sagiv. Fast and precise abstraction for shape analysis. Technical Report TR-2006-01-001221, Tel-Aviv Univ., 2006. Available at http://www.cs.tau.ac.il/~tla/2006/papers/TR-2006-01-001221.pdf.

[16]

T. Lev-Ami and M. Sagiv. TVLA: A system for implementing static analyses. In Static Analysis Symp., pages 280-301, 2000.

Digital Library

[17]

R. Manevich, M. Sagiv, G. Ramalingam, and J. Field. Partially disjunctive heap abstraction. In SAS, pages 265-279, 2004.

[18]

R. Manevich, E. Yahav, G. Ramalingam, and M. Sagiv. Predicate abstraction and canonical abstraction for singly-linked lists. In VMCAI, pages 181-198, 2005.

Digital Library

[19]

T. Reps, A. Loginov, and M. Sagiv. Semantic minimization of 3-valued propositional formulae. In LICS, pages 40-54, 2002.

Digital Library

[20]

Cananda Sable Research Group, McGill University. Soot: a java optimization framework. Available at: http://www.sable.mcgill.ca/soot/.

[21]

M. Sagiv, T. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. Trans. on Prog. Lang. and Syst., 2002.

Digital Library

[22]

G. Yorsh, T. Reps, and M. Sagiv. Symbolically computing most-precise abstract operations for shape analysis. In TACAS, pages 530-545, 2004

Cited By

Kanvar VKhedker U(2017)"What's in a name?" going beyond allocation site names in heap analysisACM SIGPLAN Notices10.1145/3156685.309226752:9(92-103)Online publication date: 18-Jun-2017
https://dl.acm.org/doi/10.1145/3156685.3092267
Kanvar VKhedker UKirsch CTitzer B(2017)"What's in a name?" going beyond allocation site names in heap analysisProceedings of the 2017 ACM SIGPLAN International Symposium on Memory Management10.1145/3092255.3092267(92-103)Online publication date: 18-Jun-2017
https://dl.acm.org/doi/10.1145/3092255.3092267
Karbyshev ABjørner NItzhaky SRinetzky NShoham S(2017)Property-Directed Inference of Universal Invariants or Proving Their AbsenceJournal of the ACM10.1145/302218764:1(1-33)Online publication date: 29-Mar-2017
https://dl.acm.org/doi/10.1145/3022187
Show More Cited By

Recommendations

Fast and precise points-to analysis

Many software engineering applications require points-to analysis. These client applications range from optimizing compilers to integrated program development environments (IDEs) and from testing environments to reverse-engineering tools. Moreover, ...
Precise shape analysis using field sensitivity

We present a static shape analysis technique to infer the shapes of the heap structures created by a program at run time. Our technique is field sensitive in that it uses field information to compute the shapes. The shapes of the heap structures are ...
Precise flow-insensitive may-alias analysis is NP-hard

Determining aliases is one of the foundamental static analysis problems, in part because the precision with which this problem is solved can affect the precision of other analyses such as live variables, available expressions, and constant propagation. ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

CAV'06: Proceedings of the 18th international conference on Computer Aided Verification

August 2006

563 pages

ISBN:354037406X

Editors:
Thomas Ball
Microsoft Research, Redmond, WA,
,
Robert B. Jones
Intel Corporation, RA2-459, 2501 W. 229th Avenue, Hillsboro, OR,

Sponsors

INTEL: Intel Corporation
NEC
Cadence Design Systems
Microsoft Research: Microsoft Research
IBM: IBM

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 17 August 2006

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 10 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Kanvar VKhedker U(2017)"What's in a name?" going beyond allocation site names in heap analysisACM SIGPLAN Notices10.1145/3156685.309226752:9(92-103)Online publication date: 18-Jun-2017
https://dl.acm.org/doi/10.1145/3156685.3092267
Kanvar VKhedker UKirsch CTitzer B(2017)"What's in a name?" going beyond allocation site names in heap analysisProceedings of the 2017 ACM SIGPLAN International Symposium on Memory Management10.1145/3092255.3092267(92-103)Online publication date: 18-Jun-2017
https://dl.acm.org/doi/10.1145/3092255.3092267
Karbyshev ABjørner NItzhaky SRinetzky NShoham S(2017)Property-Directed Inference of Universal Invariants or Proving Their AbsenceJournal of the ACM10.1145/302218764:1(1-33)Online publication date: 29-Mar-2017
https://dl.acm.org/doi/10.1145/3022187
Itzhaky SBjØrner NReps TSagiv MThakur A(2014)Property-Directed Shape AnalysisProceedings of the 16th International Conference on Computer Aided Verification - Volume 855910.1007/978-3-319-08867-9_3(35-51)Online publication date: 18-Jul-2014
https://dl.acm.org/doi/10.1007/978-3-319-08867-9_3
Calcagno CDistefano DO’Hearn PYang H(2011)Compositional Shape Analysis by Means of Bi-AbductionJournal of the ACM10.1145/2049697.204970058:6(1-66)Online publication date: 1-Dec-2011
https://dl.acm.org/doi/10.1145/2049697.2049700
Podelski AWies T(2010)Counterexample-guided focusACM SIGPLAN Notices10.1145/1707801.170633045:1(249-260)Online publication date: 17-Jan-2010
https://dl.acm.org/doi/10.1145/1707801.1706330
Podelski AWies THermenegildo MPalsberg J(2010)Counterexample-guided focusProceedings of the 37th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages10.1145/1706299.1706330(249-260)Online publication date: 17-Jan-2010
https://dl.acm.org/doi/10.1145/1706299.1706330
Marron MMajumdar RStefanovic DKapur D(2010)Shape analysis with reference set relationsProceedings of the 11th international conference on Verification, Model Checking, and Abstract Interpretation10.1007/978-3-642-11319-2_19(247-262)Online publication date: 17-Jan-2010
https://dl.acm.org/doi/10.1007/978-3-642-11319-2_19
Calcagno CDistefano DO'Hearn PYang H(2009)Compositional shape analysis by means of bi-abductionACM SIGPLAN Notices10.1145/1594834.148091744:1(289-300)Online publication date: 21-Jan-2009
https://dl.acm.org/doi/10.1145/1594834.1480917
Calcagno CDistefano DO'Hearn PYang HShao ZPierce B(2009)Compositional shape analysis by means of bi-abductionProceedings of the 36th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages10.1145/1480881.1480917(289-300)Online publication date: 21-Jan-2009
https://dl.acm.org/doi/10.1145/1480881.1480917
Show More Cited By

View Options

View options

Figures

Tables

Media

View Table of Conten