Skip to main content
SpringerLink
Log in

Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic

  • Conference paper
Static Analysis (SAS 2006)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 4134))

Included in the following conference series:

Abstract

Previous shape analysis algorithms use a memory model where the heap is composed of discrete nodes that can be accessed only via access paths built from variables and field names, an assumption that is violated by pointer arithmetic. In this paper we show how this assumption can be removed, and pointer arithmetic embraced, by using an analysis based on separation logic. We describe an abstract domain whose elements are certain separation logic formulae, and an abstraction mechanism that automatically transits between a low-level RAM view of memory and a higher, fictional, view that abstracts from the representation of nodes and multiword linked-lists as certain configurations of the RAM. A widening operator is used to accelerate the analysis. We report experimental results obtained from running our analysis on a number of classic algorithms for dynamic memory management.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Balaban, I., Pnueli, A., Zuck, L.D.: Shape Analysis by Predicate Abstraction. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 164–180. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  2. Balakrishnan, G., Reps, T.: Recency-Abstraction for Heap-Allocated Storage. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 221–239. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  3. Berdine, J., Calcagno, C., O’Hearn, P.W.: Symbolic execution with separation logic. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 52–68. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  4. Berdine, J., Calcagno, C., O’Hearn, P.W.: Smallfoot: Modular automatic assertion checking with separation logic. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2005. LNCS, vol. 4111, pp. 115–137. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  5. Berdine, J., Cook, B., Distefano, D., O’Hearn, P.W.: Automatic termination proofs for programs with shape-shifting heaps. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 386–400. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  6. Bouajjani, A., Habermehl, P., Moro, P., Vojnar, T.: Verifying programs with dynamic 1-selector-linked structures in regular model checking. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 13–29. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  7. Chase, D., Wegman, M., Zadeck, F.: Analysis of pointers and structures. In: PLDI, pp. 296–310 (1990)

    Google Scholar 

  8. Comfort, W.T.: Multiword list items. CACM 7(6), 357–362 (1964)

    MATH  Google Scholar 

  9. Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: 4th POPL, pp. 238–252 (1977)

    Google Scholar 

  10. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: 6th POPL, pp. 269–282 (1979)

    Google Scholar 

  11. Cousot, P., Cousot, R.: Abstract interpretation frameworks. J. Log. Comput. 2(4), 511–547 (1992)

    Article  MathSciNet  MATH  Google Scholar 

  12. Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Monniaux, D., Rival, X.: The ASTREÉ analyzer. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 21–30. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  13. Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: 5th POPL, pp. 84–96 (1978)

    Google Scholar 

  14. Distefano, D., Katoen, J.-P., Rensink, A.: Who is pointing when to whom? On the automated verification of linked list structures. In: Lodaya, K., Mahajan, M. (eds.) FSTTCS 2004. LNCS, vol. 3328, pp. 250–262. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  15. Distefano, D., O’Hearn, P.W., Yang, H.: A local shape analysis based on separation logic. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 287–302. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  16. Dor, N., Rodeh, M., Sagiv, M.: Towards a realistic tool for statically detecting all buffer overflows in C. In: PLDI, pp. 155–167 (2003)

    Google Scholar 

  17. Eo, H., Yi, K., Eom, H.: Differential fixpoint iteration with subtraction for non-distributive program analysis (submitted, 2006)

    Google Scholar 

  18. Gotsman, A., Berdine, J., Cook, B.: Interprocedural shape analysis with separated heap abstractions. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 240–260. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  19. Kernighan, B.W., Ritchie, D.M.: The C Programming Language, 2nd edn. Prentice-Hall, New Jersey (1988)

    Google Scholar 

  20. Knuth, D.E.: The Art of Computer Programming, 2nd edn. Fundamental Algorithms, vol. I. Addison-Wesley, Reading (1973)

    Google Scholar 

  21. Lee, O., Yang, H., Yi, K.: Automatic verification of pointer programs using grammar-based shape analysis. In: Sagiv, M. (ed.) ESOP 2005. LNCS, vol. 3444, pp. 124–140. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  22. Magill, S., Nanevski, A., Clarke, E., Lee, P.: Inferring invariants in Separation Logic for imperative list-processing programs. In: 3rd SPACE Workshop (2006)

    Google Scholar 

  23. Manevich, R., Sagiv, M., Ramalingam, G., Field, J.: Partially disjunctive heap abstraction. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 265–279. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  24. Manevich, R., Yahav, E., Ramalingam, G., Sagiv, M.: Predicate abstraction and canonical abstraction for singly-linked lists. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 181–198. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  25. Marti, N., Affeldt, R., Yonezawa, A.: Verification of the heap manager of an operating system using separation logic. In: 3rd SPACE Workshop (2006)

    Google Scholar 

  26. Reps, T., Balakrishnan, G., Lim, J.: Intermediate-representation recovery from low-level code. In: PEPM 2006, pp. 100–111 (2006)

    Google Scholar 

  27. Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: 17th LICS, pp. 55–74 (2002)

    Google Scholar 

  28. Xavier Rival. Personal communication (2005)

    Google Scholar 

  29. Rugina, R., Rinard, M.: Symbolic bounds analysis of pointers, array indices, and accessed memory regions. ACM TOPLAS 27(2), 185–235 (2005)

    Article  Google Scholar 

  30. Sagiv, M., Reps, T., Wilhelm, R.: Solving shape-analysis problems in languages with destructive updating. ACM TOPLAS 20(1), 1–50 (1998)

    Article  Google Scholar 

  31. Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3valued logic. ACM TOPLAS 24(3), 217–298 (2002)

    Article  Google Scholar 

  32. Wagner, D., Foster, J., Brewer, E., Aiken, A.: A first step towards automated detection of buffer overrun vulnerabilities. In: Proceedings of NDSS (2000)

    Google Scholar 

  33. Yu, D., Hamid, N.A., Shao, Z.: Building certified libraries for PCC: Dynamic storage allocation. In: Degano, P. (ed.) ESOP 2003. LNCS, vol. 2618, pp. 363–379. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Imperial College, London

    Cristiano Calcagno

  2. Queen Mary, University of London,  

    Dino Distefano & Peter W. O’Hearn

  3. Microsoft Research, Cambridge

    Peter W. O’Hearn

  4. Seoul National University,  

    Hongseok Yang

Authors
  1. Cristiano Calcagno
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dino Distefano
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Peter W. O’Hearn
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Hongseok Yang
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Seoul National University, P.O. Box, Korea

    Kwangkeun Yi

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Calcagno, C., Distefano, D., O’Hearn, P.W., Yang, H. (2006). Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic. In: Yi, K. (eds) Static Analysis. SAS 2006. Lecture Notes in Computer Science, vol 4134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11823230_13

Download citation

  • DOI: https://doi.org/10.1007/11823230_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-37756-6

  • Online ISBN: 978-3-540-37758-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation