Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Analysis Algorithm
Extensions and Limitations
Experimental Evaluation
Related Work
Conclusion
References

Shape analysis with structural invariant checkers

Profile image of Bor-Yuh Evan ChangBor-Yuh Evan Chang

2007

https://doi.org/10.1007/978-3-540-74061-2_24
visibility

description

25 pages

link

1 file

Abstract

Developer-supplied data structure specifications are important to shape analyses, as they tell the analysis what information should be tracked in order to obtain the desired shape invariants. We observe that data structure checking code (eg, used in testing or dynamic analysis) provides shape information that can also be used in static analysis. In this paper, we propose a lightweight, automatic shape analysis based on these developer-supplied structural invariant checkers.

Related papers

Interprocedural shape analysis
Noam Rinetzky

2000

A shape-analysis algorithm statically analyzes a program to determine information about the heap-allocated data structures that the program manipulates. The analysis algorithm is conservative, i.e., the discovered information is true for every input. The information can be used to understand, verify, optimize, or parallelize programs. For example, it can be utilized to check at compile-time for the absence of certain types of memory management errors, such as memory leakage or dereference of null pointers. Current shape analysis algorithms encounter severe didifficulties when faced with programs composed of procedures, in particular recursive ones. Also, these algorithms are hard to scale. We present a novel algorithm for interprocedural shape analysis of programs manipulating linked lists. Our algorithm analyzes programs invoking recursive procedures more precisely than any existing algorithm we know of. For example, it can verify the absence of memory leaks in many recursive programs, which is beyond the scope of existing algorithms. A prototype of the algorithm was implemented. It handles programs manipulating linked lists written in a subset of C. Our algorithm handles arbitrary list-manipulating programs. However, in practice, the analyzer might run out of space. We suggest a technique that improves the space (and time) requirements of our algorithm for nonrecursive programs that manipulate several disjoint data structures. We look at this technique as a first step in an effort to scale shape analysis. In addition, we propose an even more efficient solution for programs that modify their heap-allocated data structures only using a fixed set of interface procedures.

View PDFchevron_right
Shape analysis in the absence of pointers and structure
Matthew Might

2010

Abstract. Shape analyses (Chase et al. 1990, Sagiv et al. 2002) discover properties of dynamic and/or mutable structures. We ask,“Is there an equivalent to shape analysis for purely functional programs, and if so, what 'shapes' does it discover?” By treating binding environments as dynamically allocated structures, by treating bindings as addresses, and by treating value environments as heaps, we argue that we can analyze the “shape” of higher-order functions.

View PDFchevron_right
Symbolically Computing Most-Precise Abstract Operations for Shape Analysis
Thomas Reps

Lecture Notes in Computer Science, 2004

Shape analysis concerns the problem of determining "shape invariants" for programs that perform destructive updating on dynamically allocated storage. This paper presents a new algorithm that takes as input an abstract value (a 3-valued logical structure describing some set of concrete stores X) and a precondition p, and computes the most-precise abstract value for the stores in X that satisfy p. This algorithm solves several open problems in shape analysis: (i) computing the most-precise abstract value of a set of concrete stores specified by a logical formula; (ii) computing best transformers for atomic program statements and conditions; (iii) computing best transformers for loop-free code fragments (i.e., blocks of atomic program statements and conditions); (iv) performing interprocedural shape analysis using procedure specifications and assume-guarantee reasoning; and (v) computing the most-precise overapproximation of the meet of two abstract values.

View PDFchevron_right
CLASS INVARIANT SHAPE ANALYSIS
Cindy Rubio

2004

View PDFchevron_right
A Shape Analysis for Non-linear Data Structures
Javier Blanco

Lecture Notes in Computer Science, 2010

We present a terminating shape analysis based on Separation Logic for programs that manipulate non-linear data structures such as trees and graphs. The analysis automatically calculates concise invariants for loops, with a level of precision depending on the manipulations applied on each program variable. We report experimental results obtained from running a prototype that implements our analysis on a variety of examples.

View PDFchevron_right
Data Structures and Algorithms for Ef cient Shape Analysis
R. Manevich

Shape analysis concerns the problem of determining shape invariants for programs that perform destructive updating on dynamically allocated storage. TVLA (Three-Valued Logic Analysis)

View PDFchevron_right
A Formal Presentation of Shape Analysis graphs and operations
Maria Angeles Gonzalez Navarro

Usually, we use the tuple plc =< x, n >, which we name concrete pointer link, to represent this binary relation. The set of all pointer links is named P Lc.

View PDFchevron_right
Revamping TVLA: Making Parametric Shape Analysis Competitive
Thomas Reps

Lecture Notes in Computer Science, 2007

TVLA is a parametric framework for shape analysis that can be easily instantiated to create different kinds of analyzers for checking properties of programs that use linked data structures. We report on dramatic improvements in TVLA's performance, which make the cost of parametric shape analysis comparable to that of the most efficient specialized shape-analysis tools (which restrict the class of data structures and programs analyzed) without sacrificing TVLA's parametricity. The improvements were obtained by employing well-known techniques from the database community to reduce the cost of extracting information from shape descriptors and performing abstract interpretation of program statements and conditions. Compared to the prior version of TVLA, we obtained as much as 50-fold speedup.

View PDFchevron_right
Shape Analysis by Graph Decomposition
R. Manevich, Josh Berdine

Lecture Notes in Computer Science, 2007

Programs commonly maintain multiple linked data structures. Correlations between multiple data structures may often be nonexistent or irrelevant to verifying that the program satisfies certain safety properties or invariants. In this paper, we show how this independence between different (singly-linked) data structures can be utilized to perform shape analysis and verification more efficiently. We present a new abstraction based on decomposing graphs into sets of subgraphs, and show that, in practice, this new abstraction leads to very little loss of precision, while yielding substantial improvements to efficiency.

View PDFchevron_right

References (21)

  1. Gilad Arnold. Specialized 3-valued logic shape analysis using structure- based refinement and loose embedding. In Static Analysis Symposium (SAS), pages 204-220, 2006.
  2. BCC + 07] Josh Berdine, Cristiano Calcagno, Byron Cook, Dino Distefano, Peter W. O'Hearn, Thomas Wies, and Hongseok Yang. Shape analysis for composite data structures. In Conference on Computer-Aided Verification (CAV), 2007.
  3. Patrick Cousot and Radhia Cousot. Abstract interpretation: A unified lat- tice model for static analysis of programs by construction or approxima- tion of fixpoints. In Symposium on Principles of Programming Languages (POPL), pages 238-252, 1977.
  4. Sigmund Cherem and Radu Rugina. Maintaining doubly-linked list invari- ants in shape analysis with local reasoning. In Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI), 2007.
  5. Dino Distefano, Peter W. O'Hearn, and Hongseok Yang. A local shape analysis based on separation logic. In Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 287-302, 2006.
  6. Brian Hackett and Radu Rugina. Region-based shape analysis with tracked locations. In Symposium on Principles of Programming Languages (POPL), pages 310-323, 2005.
  7. Tal Lev-Ami, Thomas W. Reps, Shmuel Sagiv, and Reinhard Wilhelm. Putting static analysis to work for verification: A case study. In Interna- tional Symposium on Software Testing and Analysis (ISSTA), pages 26-38, 2000.
  8. Alexey Loginov, Thomas W. Reps, and Mooly Sagiv. Automated veri- fication of the Deutsch-Schorr-Waite tree-traversal algorithm. In Static Analysis Symposium (SAS), pages 261-279, 2006.
  9. Oukseh Lee, Hongseok Yang, and Kwangkeun Yi. Automatic verification of pointer programs using grammar-based shape analysis. In European Symposium on Programming (ESOP), pages 124-140, 2005.
  10. Scott McPeak and George C. Necula. Data structure specifications via local equality axioms. In Conference on Computer-Aided Verification (CAV), pages 476-490, 2005.
  11. Stephen Magill, Aleksandar Nanevski, Edmund Clarke, and Peter Lee. Inferring invariants in separation logic for imperative list-processing pro- grams. In Workshop on Semantics, Program Analysis, and Computing Environments for Memory Management (SPACE), 2006.
  12. Laurent Mauborgne and Xavier Rival. Trace partitioning in abstract inter- pretation based static analyzers. In European Symposium on Programming (ESOP), pages 5-20, 2005.
  13. Anders Møller and Michael I. Schwartzbach. The pointer assertion logic engine. In Conference on Programming Language Design and Implemen- tation (PLDI), pages 221-231, 2001.
  14. Roman Manevich, Shmuel Sagiv, Ganesan Ramalingam, and John Field. Partially disjunctive heap abstraction. In Static Analysis Symposium (SAS), pages 265-279, 2004.
  15. George C. Necula, Scott McPeak, Shree Prakash Rahul, and Westley Weimer. CIL: Intermediate language and tools for analysis and trans- formation of C programs. In Conference on Compiler Construction (CC), pages 213-228, 2002.
  16. Frances Perry, Limin Jia, and David Walker. Expressing heap-shape con- tracts in linear logic. In Conference on Generative Programming and Com- ponent Engineering (GPCE), pages 101-110, 2006.
  17. William Pugh. Skip lists: A probabilistic alternative to balanced trees. Commun. ACM, 33(6):668-676, 1990.
  18. John C. Reynolds. Separation logic: A logic for shared mutable data structures. In Symposium on Logic in Computer Science (LICS), pages 55-74, 2002.
  19. Shmuel Sagiv, Thomas W. Reps, and Reinhard Wilhelm. Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst., 24(3):217- 298, 2002.
  20. WKL + 06] Thomas Wies, Viktor Kuncak, Patrick Lam, Andreas Podelski, and Mar- tin C. Rinard. Field constraint analysis. In Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI), pages 157-173, 2006.
  21. Eran Yahav and G. Ramalingam. Verifying safety properties using sep- aration and heterogeneous abstractions. In Conference on Programming Language Design and Implementation (PLDI), pages 25-34, 2004.

Related papers

Lightweight Shape Analysis Based on Physical Types
Xavier Rival

Lecture Notes in Computer Science, 2022

To understand and detect possible errors in programs manipulating memory, static analyses of various levels of precision have been introduced, yet it remains hard to capture both information about the byte-level layout and precise global structural invariants. Classical pointer analyses struggle with the latter, whereas advanced shape analyses incur a higher computational cost. In this paper, we propose a new memory analysis by abstract interpretation that summarizes the heap by means of a type invariant, using a novel kind of physical types, which express the byte-level layout of values in memory. In terms of precision and expressiveness, our abstraction aims at a middle point between typical pointer analyses and shape analyses, hence the lightweight shape analysis name. We pair this summarizing abstraction with a retained and staged points-to predicates abstraction which refines information about the memory regions that are in use, hereby allowing strong updates without introducing disjunctions. We show that this combination of abstractions suffices to verify spatial memory safety and non-trivial structural invariants in the presence of low-level constructs such as pointer arithmetic and dynamic memory allocation, on both C and binary code.

View PDFchevron_right
Automated verification of shape and size properties via separation logic
Shengchao Qin

Verification, Model Checking, and …, 2007

Despite their popularity and importance, pointer-based programs remain a major challenge for program verification. In this paper, we propose an automated verification system that is concise, precise and expressive for ensuring the safety of pointer-based programs. Our approach uses user-definable shape predicates to allow programmers to describe a wide range of data structures with their associated size properties. To support automatic verification, we design a new entailment checking procedure that can handle well-founded inductive predicates using unfold/fold reasoning. We have proven the soundness and termination of our verification system, and have built a prototype system.

View PDFchevron_right
Modular Construction of Shape-Numeric Analyzers
Bor-Yuh Evan Chang

Electronic Proceedings in Theoretical Computer Science, 2013

The aim of static analysis is to infer invariants about programs that are precise enough to establish semantic properties, such as the absence of run-time errors. Broadly speaking, there are two major branches of static analysis for imperative programs. Pointer and shape analyses focus on inferring properties of pointers, dynamically-allocated memory, and recursive data structures, while numeric analyses seek to derive invariants on numeric values. Although simultaneous inference of shapenumeric invariants is often needed, this case is especially challenging and is not particularly well explored. Notably, simultaneous shape-numeric inference raises complex issues in the design of the static analyzer itself. In this paper, we study the construction of such shape-numeric, static analyzers. We set up an abstract interpretation framework that allows us to reason about simultaneous shape-numeric properties by combining shape and numeric abstractions into a modular, expressive abstract domain. Such a modular structure is highly desirable to make its formalization and implementation easier to do and get correct. To achieve this, we choose a concrete semantics that can be abstracted step-by-step, while preserving a high level of expressiveness. The structure of abstract operations (i.e., transfer, join, and comparison) follows the structure of this semantics. The advantage of this construction is to divide the analyzer in modules and functors that implement abstractions of distinct features.

View PDFchevron_right
Shape Analysis
Noam Rinetzky

Foundations and Trends® in Programming Languages, 2020

View PDFchevron_right
Creative Commons Attribution License. Modular Construction of Shape-Numeric Analyzers
Bor-Yuh Evan Chang

2016

The aim of static analysis is to infer invariants about programs that are precise enough to establish semantic properties, such as the absence of run-time errors. Broadly speaking, there are two major branches of static analysis for imperative programs. Pointer and shape analyses focus on inferring properties of pointers, dynamically-allocated memory, and recursive data structures, while numeric analyses seek to derive invariants on numeric values. Although simultaneous inference of shape-numeric invariants is often needed, this case is especially challenging and is not particularly well explored. Notably, simultaneous shape-numeric inference raises complex issues in the design of the static analyzer itself. In this paper, we study the construction of such shape-numeric, static analyzers. We set up an abstract interpretation framework that allows us to reason about simultaneous shape-numeric proper-ties by combining shape and numeric abstractions into a modular, expressive abstract ...

View PDFchevron_right

Cited by

Verification of Heap Manipulating Programs with Ordered Data by Extended Forest Automata
quy trinh

Lecture Notes in Computer Science, 2013

We present a general framework for verifying programs with complex dynamic linked data structures whose correctness depends on ordering relations between stored data values. The underlying formalism of our framework is that of forest automata (FA), which has previously been developed for verification of heap-manipulating programs. We extend FA by constraints between data elements associated with nodes of the heaps represented by FA, and we present extended versions of all operations needed for using the extended FA in a fullyautomated verification approach, based on abstract interpretation. We have implemented our approach as an extension of the Forester tool and successfully applied it to a number of programs dealing with data structures such as various forms of singly-and doubly-linked lists, binary search trees, as well as skip lists.

View PDFchevron_right
Fragment Abstraction for Concurrent Shape Analysis
quy trinh

Programming Languages and Systems, 2018

A major challenge in automated verification is to develop techniques that are able to reason about fine-grained concurrent algorithms that consist of an unbounded number of concurrent threads, which operate on an unbounded domain of data values, and use unbounded dynamically allocated memory. Existing automated techniques consider the case where shared data is organized into singly-linked lists. We present a novel shape analysis for automated verification of fine-grained concurrent algorithms that can handle heap structures which are more complex than just singly-linked lists, in particular skip lists and arrays of singly linked lists, while at the same time handling an unbounded number of concurrent threads, an unbounded domain of data values (including timestamps), and an unbounded shared heap. Our technique is based on a novel shape abstraction, which represents a set of heaps by a set of fragments. A fragment is an abstraction of a pair of heap cells that are connected by a pointer field. We have implemented our approach and applied it to automatically verify correctness, in the sense of linearizability, of most linearizable concurrent implementations of sets, stacks, and queues, which employ singly-linked lists, skip lists, or arrays of singlylinked lists with timestamps, which are known to us in the literature.

View PDFchevron_right
Separating Shape Graphs
Bor-Yuh Evan Chang

Lecture Notes in Computer Science, 2010

Detailed memory models that expose individual fields are necessary to precisely analyze code that makes use of low-level aspects such as, pointers to fields and untagged unions. Yet, higher-level representations that collect fields into records are often used because they are typically more convenient and efficient in modeling the program heap. In this paper, we present a shape graph representation of memory that exposes individual fields while largely retaining the convenience of an object-level model. This representation has a close connection to particular kinds of formulas in separation logic. Then, with this representation, we show how to extend the Xisa shape analyzer for low-level aspects, including pointers to fields, C-style nested structures and unions, malloc and free, and array values, with minimal changes to the core algorithms (e.g., materialization and summarization).

View PDFchevron_right
Modular Construction of Shape-Numeric Analyzers
Bor-Yuh Evan Chang

Electronic Proceedings in Theoretical Computer Science, 2013

The aim of static analysis is to infer invariants about programs that are precise enough to establish semantic properties, such as the absence of run-time errors. Broadly speaking, there are two major branches of static analysis for imperative programs. Pointer and shape analyses focus on inferring properties of pointers, dynamically-allocated memory, and recursive data structures, while numeric analyses seek to derive invariants on numeric values. Although simultaneous inference of shapenumeric invariants is often needed, this case is especially challenging and is not particularly well explored. Notably, simultaneous shape-numeric inference raises complex issues in the design of the static analyzer itself. In this paper, we study the construction of such shape-numeric, static analyzers. We set up an abstract interpretation framework that allows us to reason about simultaneous shape-numeric properties by combining shape and numeric abstractions into a modular, expressive abstract domain. Such a modular structure is highly desirable to make its formalization and implementation easier to do and get correct. To achieve this, we choose a concrete semantics that can be abstracted step-by-step, while preserving a high level of expressiveness. The structure of abstract operations (i.e., transfer, join, and comparison) follows the structure of this semantics. The advantage of this construction is to divide the analyzer in modules and functors that implement abstractions of distinct features.

View PDFchevron_right
Reduced Product Combination of Abstract Domains for Shapes
Bor-Yuh Evan Chang

Lecture Notes in Computer Science, 2013

Real-world data structures are often enhanced with additional pointers capturing alternative paths through a basic inductive skeleton (e.g., back pointers, head pointers). From the static analysis point of view, we must obtain several interlocking shape invariants. At the same time, it is well understood in abstract interpretation design that supporting a separation of concerns is critically important to designing powerful static analyses. Such a separation of concerns is often obtained via a reduced product on a case-by-case basis. In this paper, we lift this idea to abstract domains for shape analyses, introducing a domain combination operator for memory abstractions. As an example, we present simultaneous separating shape graphs, a product construction that combines instances of separation logic-based shape domains. The key enabler for this construction is a static analysis on inductive data structure definitions to derive relations between the skeleton and the alternative paths. From the engineering standpoint, this construction allows each component to reason independently about different aspects of the data structure invariant and then separately exchange information via a reduction operator. From the usability standpoint, we enable describing a data structure invariant in terms of several inductive definitions that hold simultaneously.

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved