Journal of Automated Reasoning

, Volume 58, Issue 1, pp 33–65 | Cite as

Automatically Proving Termination and Memory Safety for Programs with Pointer Arithmetic

  • Thomas Ströder
  • Jürgen Giesl
  • Marc Brockschmidt
  • Florian Frohn
  • Carsten Fuhs
  • Jera Hensel
  • Peter Schneider-Kamp
  • Cornelius Aschermann
Article

Abstract

While automated verification of imperative programs has been studied intensively, proving termination of programs with explicit pointer arithmetic fully automatically was still an open problem. To close this gap, we introduce a novel abstract domain that can track allocated memory in detail. We use it to automatically construct a symbolic execution graph that over-approximates all possible runs of a program and that can be used to prove memory safety. This graph is then transformed into an integer transition system, whose termination can be proved by standard techniques. We implemented this approach in the automated termination prover AProVE and demonstrate its capability of analyzing C programs with pointer arithmetic that existing tools cannot handle.

Keywords

LLVM C programs Termination Memory Safety Symbolic Execution 

References

  1. 1.
    Albarghouthi, A., Li, Y., Gurfinkel, A., Chechik, M.: Ufo: A framework for abstraction- and interpolation-based software verification. In: Proceedings of CAV’12Google Scholar
  2. 2.
    Albert, E., Arenas, P., Codish, M., Genaim, S., Puebla, G., Zanardini, D.: Termination analysis of Java Bytecode. In: Proceedings of FMOODS’08Google Scholar
  3. 3.
  4. 4.
    Berdine, J., Cook, B., Distefano, D., O’Hearn, P.W.: Automatic termination proofs for programs with shape-shifting heaps. In: Proceedings of CAV’06Google Scholar
  5. 5.
    Berdine, J., Chawdhary, A., Cook, B., Distefano, D., O’Hearn, P.W.: Variance analyses from invariance analyses. In: Proceedings of POPL’07Google Scholar
  6. 6.
    Berdine, J., Cook, B., Ishtiaq, S.: SLAyer: Memory safety for systems-level code. In: Proceedings of CAV’11Google Scholar
  7. 7.
    Bertot, Y., Castéran, P.: Coq Art. Springer, 2004Google Scholar
  8. 8.
    Blanqui, F., Koprowski, A.: CoLoR: A Coq library on well-founded rewrite relations and its application to the automated verification of termination certificates. Math. Struct. Comput. Sci. 4, 827–859 (2011)MathSciNetCrossRefMATHGoogle Scholar
  9. 9.
    Bodin, M., Jensen, T., Schmitt, A.: Certified abstract interpretation with pretty-big-step semantics. In: Proceedings of CPP’15Google Scholar
  10. 10.
    Bouajjani, A., Bozga, M., Habermehl, P., Iosif, R., Moro, P., Vojnar, T.: Programs with lists are counter automata. Formal Methods Syst. Design 38(2), 158–192 (2011)CrossRefMATHGoogle Scholar
  11. 11.
    Brockschmidt, M., Otto, C., von Essen, C., Giesl, J.: Termination graphs for Java Bytecode. In: Verification, Induction, Termination Analysis, LNAI 6463, (2010)Google Scholar
  12. 12.
    Brockschmidt, M., Otto, C., Giesl, J.: Modular termination proofs of recursive Java Bytecode programs by term rewriting. In: Proceedings of RTA’11Google Scholar
  13. 13.
    Brockschmidt, M., Ströder, T., Otto, C., Giesl, J.: Automated detection of non-termination and NullPointerExceptions for Java Bytecode. In: Proceedings of FoVeOOS’11Google Scholar
  14. 14.
    Brockschmidt, M., Musiol, R., Otto, C., Giesl, J.: Automated termination proofs for Java programs with cyclic data. In: Proceedings of CAV’12Google Scholar
  15. 15.
    Brockschmidt, M., Cook, B., Fuhs, C.: Better termination proving through cooperation. In: Proceedings of CAV’13Google Scholar
  16. 16.
    Brotherston, J., Gorogiannis, N.: Cyclic abduction of inductively defined safety and termination preconditions. In: Proceedings of SAS’14Google Scholar
  17. 17.
    Cachera, D., Pichardie, D.: A certified denotational abstract interpreter. In: Proceedings of ITP’10Google Scholar
  18. 18.
    Cadar, C., Dunbar, D., Engler, D.R.: KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In: Proceedings of OSDI’08Google Scholar
  19. 19.
    Calcagno, C., Distefano, D., O’Hearn, P.W., Yang, H.: Beyond reachability: Shape abstraction in the presence of pointer arithmetic. In: Proceedings of SAS’06Google Scholar
  20. 20.
    Calcagno, C., Distefano, D., O’Hearn, P.W., Yang, H.: Space invading systems code. In: Proceedings of LOPSTR’08Google Scholar
  21. 21.
    Calcagno, C., Distefano, D.: Infer: An automatic program verifier for memory safety of C programs. In: Proceedings of NFM’11Google Scholar
  22. 22.
    Chen, H.Y., David, C., Kroening, D., Schrammel, P., Wächter, N.: Synthesising interprocedural bit-precise termination proofs. In: Proceedings of ASE’15Google Scholar
  23. 23.
    Clang compiler. http://clang.llvm.org
  24. 24.
    Clarke, E.M., Grumberg, O., Jha, S., Lu, Y., Veith, H.: Counterexample-guided abstraction refinement for symbolic model checking. J. ACM 50(5), 752–794 (2003)MathSciNetCrossRefMATHGoogle Scholar
  25. 25.
    Contejean, E., Courtieu, P., Forest, J., Pons, O., Urbain, X.: Automated certified proofs with CiME3. In: Proceedings of RTA’11Google Scholar
  26. 26.
    Cook, B., Podelski, A., Rybalchenko, A.: Abstraction refinement for termination. In: Proceedings of SAS’05Google Scholar
  27. 27.
    Cook, B., Podelski, A., Rybalchenko, A.: Termination proofs for systems code. In: Proceedings of PLDI’06Google Scholar
  28. 28.
    Cook, B., Podelski, A., Rybalchenko, A.: Summarization for termination: no return!. Formal Methods Syst. Design 35(3), 369–387 (2009)CrossRefMATHGoogle Scholar
  29. 29.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Proceedings of POPL’78Google Scholar
  30. 30.
    David, C., Kroening, D., Lewis, M.: Unrestricted termination and non-termination arguments for bit-vector programs. In: Proceedings of ESOP’15Google Scholar
  31. 31.
    de Moura, L., Bjørner, N.: Z3: An efficient SMT solver. In: Proceedings of TACAS’08Google Scholar
  32. 32.
    D’Silva, V., Urban, C.: Conflict-driven conditional termination. In: Proceedings of CAV’15Google Scholar
  33. 33.
    Dudka, K., Peringer, P., Vojnar, T.: Predator: A shape analyzer based on symbolic memory graphs (competition contribution). In: Proceedings of TACAS’14Google Scholar
  34. 34.
    Dutertre, B., de Moura, L.: The Yices SMT solver. Tool paper at http://yices.csl.sri.com/tool-paper.pdf
  35. 35.
    Falke, S., Kapur, D., Sinz. C.: Termination analysis of C programs using compiler intermediate languages. In: Proceedings of RTA’11Google Scholar
  36. 36.
    Falke, S., Merz, F., Sinz, C.: LLBMC: Improved bounded model checking of C using LLVM (competition contribution). In: Proceedings of TACAS’13Google Scholar
  37. 37.
    Fuhs, C., Giesl, J., Plücker, M., Schneider-Kamp, P., Falke, S.: Proving termination of integer term rewriting. In: Proceedings of RTA’09Google Scholar
  38. 38.
    Giesl, J., Brockschmidt, M., Emmes, F., Frohn, F., Fuhs, C., Otto, C., Plücker, M., Schneider-Kamp, P., Ströder, T., Swiderski, S., Thiemann, R.: Proving termination of programs automatically with AProVE. In: Proceedings of IJCAR’14Google Scholar
  39. 39.
    Gonnord, L., Monniaux, D., Radanne, G.: Synthesis of ranking functions using extremal counterexamples. In: Proceedings of PLDI’15Google Scholar
  40. 40.
    Gulwani, S., Tiwari, A.: An abstract domain for analyzing heap-manipulating low-level software. In: Proceedings of CAV’07Google Scholar
  41. 41.
    Habermehl, P., Iosif, R., Rogalewicz, A., Vojnar, T.: Proving termination of tree manipulating programs. In: Proceedings of ATVA’07Google Scholar
  42. 42.
    Harris, W.R., Lal, A., Nori, A., Rajamani, S.K.: Alternation for termination. In: Proceedings of SAS’10Google Scholar
  43. 43.
    Heizmann, M., Hoenicke, J., Leike, J., Podelski, A.: Linear ranking for linear lasso programs. In: Proceedings of ATVA’13Google Scholar
  44. 44.
    Hensel, J., Giesl, J., Frohn, F., Ströder, T.: Proving termination of programs with bitvector arithmetic by symbolic execution. In: Proceedings of SEFM’16Google Scholar
  45. 45.
    Iosif, R., Rogalewicz, A.: Automata-based termination proofs. Comput. Inf. 32(4), 739–775 (2013)MathSciNetMATHGoogle Scholar
  46. 46.
    Jourdan, J.-H., Laporte, V., Blazy, S., Leroy, X., Pichardie, D.: A formally-verified C static analyzer. In: Proceedings of POPL’15Google Scholar
  47. 47.
    Kop, C., Nishida, N.: Automatic constrained rewriting induction towards verifying procedural programs. In: Proceedings of APLAS’14Google Scholar
  48. 48.
    Kop, C., Nishida, N.: Constrained Term Rewriting tooL. In: Proceedings of LPAR’15Google Scholar
  49. 49.
    Kroening, D., Sharygina, N., Tsitovich, A., Wintersteiger, C. M.: Termination analysis with compositional transition invariants. In: Proceedings of CAV’10Google Scholar
  50. 50.
    Larraz, D., Oliveras, A., Rodríguez-Carbonell, E., Rubio A.: Proving termination of imperative programs using Max-SMT. In: Proceedings of FMCAD’13Google Scholar
  51. 51.
    Lattner, C., Adve V.S.: LLVM: A compilation framework for lifelong program analysis & transformation. In: Proceedings of CGO’04Google Scholar
  52. 52.
    Le, T.C., Qin, S., Chin, W.: Termination and non-termination specification inference. In: Proceedings of PLDI’15Google Scholar
  53. 53.
    LLVM reference manual. http://llvm.org/docs/LangRef.html
  54. 54.
    Löwe, S., Mandrykin, M., Wendler, P.: CPAchecker with sequential combination of explicit-value analyses and predicate analyses (competition contribution). In: Proceedings of TACAS’14Google Scholar
  55. 55.
    Magill, S.: Instrumentation Analysis: An Automated Method for Producing Numeric Abstractions of Heap-Manipulating Programs. Ph.D. thesis, CMU, Pittsburgh, PA (2010). Available at http://www.cs.cmu.edu/~smagill/papers/thesis.pdf
  56. 56.
    Magill, S., Tsai, M., Lee, P., Tsay, Y.: Automatic numeric abstractions for heap-manipulating programs. In: Proceedings of POPL’10Google Scholar
  57. 57.
    Miné, A.: The octagon abstract domain. Higher-Order and Symbolic Computation 19(1), 31–100 (2006)MathSciNetCrossRefMATHGoogle Scholar
  58. 58.
    Moy, Y., Marché, C.: Modular inference of subprogram contracts for safety checking. J. Symb. Comput., 45(11), 2010Google Scholar
  59. 59.
    Nieuwenhuis, R., Oliveras, A., Tinelli, C.: Solving SAT and SAT modulo theories: From an abstract Davis–Putnam–Logemann–Loveland procedure to DPLL(T). J. ACM, 53(6), 2006Google Scholar
  60. 60.
    Nipkow, T., Paulson, L.C., Wenzel, M.: Isabelle/HOL - A Proof Assistant for Higher-Order Logic. Springer, 2002Google Scholar
  61. 61.
    O’Hearn, P., Reynolds, J., Yang, H.: Local reasoning about programs that alter data structures. In: Proceedings of CSL’01Google Scholar
  62. 62.
  63. 63.
    Otto, C., Brockschmidt, M., von Essen, C., Giesl, J.: Automated termination analysis of Java Bytecode by term rewriting. In: Proceedings of RTA’10Google Scholar
  64. 64.
    Podelski, A., Rybalchenko, A.: ARMC: The logical choice for software model checking with abstraction refinement. In: Proceedings of PADL’07Google Scholar
  65. 65.
    Reps, T.W., Horwitz, S., Sagiv, S.: Precise interprocedural dataflow analysis via graph reachability. In: Proceedings of POPL’95Google Scholar
  66. 66.
    Spoto, F., Mesnard, F., Payet, É.: A termination analyser for Java Bytecode based on path-length. ACM TOPLAS, 32(3), 2010Google Scholar
  67. 67.
    Ströder, T., Giesl, J., Brockschmidt, M., Frohn, F., Fuhs, C., Hensel, J., Schneider-Kamp, P.: Proving termination and memory safety for programs with pointer arithmetic. In: Proceedings of IJCAR’14Google Scholar
  68. 68.
    Ströder, T., Aschermann, C., Frohn, F., Hensel, J., Giesl, J.: AProVE: Termination and memory safety of C programs (competition contribution). In: Proceedings of TACAS’15Google Scholar
  69. 69.
    Thiemann, R., Sternagel, C.: Certification of termination proofs using CeTA. In: Proceedings of TPHOLs’09Google Scholar
  70. 70.
    Tsitovich, A., Sharygina, N., Wintersteiger, C.M., Kroening, D.: Loop summarization and termination analysis. In: Proceedings of TACAS’11Google Scholar
  71. 71.
    Urban, C., Gurfinkel, A., Kahsai, T.: Synthesizing ranking functions from bits and pieces. In: Proceedings of TACAS’16Google Scholar
  72. 72.
  73. 73.
    Zhao, J., Nagarakatte, S., Martin, M.M.K., Zdancewic, S.: Formalizing the LLVM IR for verified program transformations. In: Proceedings of POPL’12Google Scholar

Copyright information

© Springer Science+Business Media Dordrecht 2016

Authors and Affiliations

  • Thomas Ströder
    • 1
  • Jürgen Giesl
    • 1
  • Marc Brockschmidt
    • 2
  • Florian Frohn
    • 1
  • Carsten Fuhs
    • 3
  • Jera Hensel
    • 1
  • Peter Schneider-Kamp
    • 4
  • Cornelius Aschermann
    • 1
  1. 1.LuFG Informatik 2RWTH Aachen UniversityAachenGermany
  2. 2.Microsoft Research CambridgeCambridgeUK
  3. 3.Department of Computer Science and Information SystemsBirkbeck, University of LondonLondonUK
  4. 4.Department of Mathematics and Computer ScienceUniversity of Southern DenmarkOdenseDenmark

Personalised recommendations