Generating Abstract Graph-Based Procedure Summaries for Pointer Programs

  • Christina Jansen
  • Thomas Noll
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8571)


The automated analysis and verification of pointer-manipulating programs operating on a heap is a challenging task. It requires abstraction techniques for dealing with complex program behaviour and unbounded state spaces that arise from both dynamic data structures and recursive procedures. In previous work it was shown that hyperedge replacement grammars provide an intuitive and versatile concept for defining and implementing such abstractions.

Here we extend this approach towards a modular way of reasoning about programs with (possibly recursive) procedures featuring local variables. We propose an interprocedural dataflow analysis to automatically derive procedure contracts, i.e., graph transformations that concisely capture the overall effect of a procedure. Besides its modularity, another advantage of this analysis is that it relieves us from explicitly modelling the call stack on the heap, i.e., heap and control abstraction are clearly separated. The former can now be specified by simple and intuitive hyperedge replacement grammars describing the data structures only, while the latter is realised by automatically generated procedure contracts.


Hypergraphs, Hyperedge Replacement Grammars, Heap Abstraction, Procedure Contracts, Interprocedural Dataflow Analysis





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Christina Jansen (1)
  • Thomas Noll (1)
  1. Software Modeling and Verification Group, RWTH Aachen University, Germany
