DOI: 10.1145/3689609.3689994
research-article
Open access

C-2PO: A Weakly Relational Pointer Domain: “These Are Not the Memory Cells You Are Looking For”

Published: 17 October 2024

Abstract

Pointer analysis is foundational for statically analyzing real-world programs. We present C-2PO — a weakly relational domain for C programs, which tracks must-equalities and -disequalities between pointer expressions. This domain captures address arithmetic and its confinement to single memory objects, both core concepts in C. We implement the domain in Goblint and provide a preliminary evaluation. For 95% of SV-COMP tasks, the slowdown incurred by adding C-2PO is below a factor of 3. To measure precision, we instrumented coreutil programs with assertions computed by C-2PO. For an existing non-relational pointer analysis, 80% of the assertions are out of reach.


    Published In

    NSAD '24: Proceedings of the 10th ACM SIGPLAN International Workshop on Numerical and Symbolic Abstract Domains
    October 2024
    41 pages
    ISBN: 9798400712173
    DOI: 10.1145/3689609
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    In-Cooperation

    • SIGAda

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. abstract interpretation
    2. pointers
    3. static analysis
    4. weakly relational domains

    Funding Sources

    • DFG
    • Shota Rustaveli National Science Foundation of Georgia

    Conference

    NSAD '24