Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic

  • Cristiano Calcagno
  • Dino Distefano
  • Peter W. O’Hearn
  • Hongseok Yang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4134)


Previous shape analysis algorithms use a memory model where the heap is composed of discrete nodes that can be accessed only via access paths built from variables and field names, an assumption that is violated by pointer arithmetic. In this paper we show how this assumption can be removed, and pointer arithmetic embraced, by using an analysis based on separation logic. We describe an abstract domain whose elements are certain separation logic formulae, and an abstraction mechanism that automatically transits between a low-level RAM view of memory and a higher, fictional, view that abstracts from the representation of nodes and multiword linked-lists as certain configurations of the RAM. A widening operator is used to accelerate the analysis. We report experimental results obtained from running our analysis on a number of classic algorithms for dynamic memory management.


Symbolic Execution Abstract Domain Pointer Arithmetic Separation Logic Free List 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Balaban, I., Pnueli, A., Zuck, L.D.: Shape Analysis by Predicate Abstraction. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 164–180. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Balakrishnan, G., Reps, T.: Recency-Abstraction for Heap-Allocated Storage. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 221–239. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Berdine, J., Calcagno, C., O’Hearn, P.W.: Symbolic execution with separation logic. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 52–68. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Berdine, J., Calcagno, C., O’Hearn, P.W.: Smallfoot: Modular automatic assertion checking with separation logic. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 115–137. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Berdine, J., Cook, B., Distefano, D., O’Hearn, P.W.: Automatic termination proofs for programs with shape-shifting heaps. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 386–400. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Bouajjani, A., Habermehl, P., Moro, P., Vojnar, T.: Verifying programs with dynamic 1-selector-linked structures in regular model checking. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 13–29. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  7. 7.
    Chase, D., Wegman, M., Zadeck, F.: Analysis of pointers and structures. In: PLDI, pp. 296–310 (1990)Google Scholar
  8. 8.
    Comfort, W.T.: Multiword list items. CACM 7(6), 357–362 (1964)MATHGoogle Scholar
  9. 9.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: 4th POPL, pp. 238–252 (1977)Google Scholar
  10. 10.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: 6th POPL, pp. 269–282 (1979)Google Scholar
  11. 11.
    Cousot, P., Cousot, R.: Abstract interpretation frameworks. J. Log. Comput. 2(4), 511–547 (1992)CrossRefMathSciNetMATHGoogle Scholar
  12. 12.
    Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: The ASTREÉ analyzer. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 21–30. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  13. 13.
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: 5th POPL, pp. 84–96 (1978)Google Scholar
  14. 14.
    Distefano, D., Katoen, J.-P., Rensink, A.: Who is pointing when to whom? On the automated verification of linked list structures. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 250–262. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  15. 15.
    Distefano, D., O’Hearn, P.W., Yang, H.: A local shape analysis based on separation logic. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 287–302. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Dor, N., Rodeh, M., Sagiv, M.: Towards a realistic tool for statically detecting all buffer overflows in C. In: PLDI, pp. 155–167 (2003)Google Scholar
  17. 17.
    Eo, H., Yi, K., Eom, H.: Differential fixpoint iteration with subtraction for non-distributive program analysis (submitted, 2006)Google Scholar
  18. 18.
    Gotsman, A., Berdine, J., Cook, B.: Interprocedural shape analysis with separated heap abstractions. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 240–260. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  19. 19.
    Kernighan, B.W., Ritchie, D.M.: The C Programming Language, 2nd edn. Prentice-Hall, New Jersey (1988)Google Scholar
  20. 20.
    Knuth, D.E.: The Art of Computer Programming, 2nd edn. Fundamental Algorithms, vol. I. Addison-Wesley, Reading (1973)Google Scholar
  21. 21.
    Lee, O., Yang, H., Yi, K.: Automatic verification of pointer programs using grammar-based shape analysis. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 124–140. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. 22.
    Magill, S., Nanevski, A., Clarke, E., Lee, P.: Inferring invariants in Separation Logic for imperative list-processing programs. In: 3rd SPACE Workshop (2006)Google Scholar
  23. 23.
    Manevich, R., Sagiv, M., Ramalingam, G., Field, J.: Partially disjunctive heap abstraction. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 265–279. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  24. 24.
    Manevich, R., Yahav, E., Ramalingam, G., Sagiv, M.: Predicate abstraction and canonical abstraction for singly-linked lists. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 181–198. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Marti, N., Affeldt, R., Yonezawa, A.: Verification of the heap manager of an operating system using separation logic. In: 3rd SPACE Workshop (2006)Google Scholar
  26. 26.
    Reps, T., Balakrishnan, G., Lim, J.: Intermediate-representation recovery from low-level code. In: PEPM 2006, pp. 100–111 (2006)Google Scholar
  27. 27.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: 17th LICS, pp. 55–74 (2002)Google Scholar
  28. 28.
    Xavier Rival. Personal communication (2005)Google Scholar
  29. 29.
    Rugina, R., Rinard, M.: Symbolic bounds analysis of pointers, array indices, and accessed memory regions. ACM TOPLAS 27(2), 185–235 (2005)CrossRefGoogle Scholar
  30. 30.
    Sagiv, M., Reps, T., Wilhelm, R.: Solving shape-analysis problems in languages with destructive updating. ACM TOPLAS 20(1), 1–50 (1998)CrossRefGoogle Scholar
  31. 31.
    Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3valued logic. ACM TOPLAS 24(3), 217–298 (2002)CrossRefGoogle Scholar
  32. 32.
    Wagner, D., Foster, J., Brewer, E., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Proceedings of NDSS (2000)Google Scholar
  33. 33.
    Yu, D., Hamid, N.A., Shao, Z.: Building certified libraries for PCC: Dynamic storage allocation. In: Degano, P. (ed.) ESOP 2003. LNCS, vol. 2618, pp. 363–379. Springer, Heidelberg (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Cristiano Calcagno
    • 1
  • Dino Distefano
    • 2
  • Peter W. O’Hearn
    • 2
    • 3
  • Hongseok Yang
    • 4
  1. 1.Imperial CollegeLondon
  2. 2.Queen Mary, University of London 
  3. 3.Microsoft ResearchCambridge
  4. 4.Seoul National University 

Personalised recommendations