Skip to main content
Springer Nature Link
Log in

Under-Approximating Memory Abstractions

  • Conference paper
  • First Online:
Static Analysis (SAS 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14995))

Included in the following conference series:

  • 99 Accesses

Abstract

This work presents a sound backward analysis for sufficient pre-conditions inference in C programs, by abstract interpretation. It utilizes the under-approximation abstract operators studied by Milanese and Miné [32, 35] for a purely numeric subset of C, and extends them to support the C memory model. Pointer dereferences are handled with the cell abstraction [34] and dynamic memory allocations with the recency abstraction [3]. A direct usage of the abstract operators proposed in these previous works in an under-approximation framework is not possible as either internally they rely on over-approximated operators (e.g., cell removal) or an extension to this framework is not straightforward (e.g., under-approximating join). In this work we propose new operators that are under-approximating, and on top of this we design a backward semantics. The analysis is implemented in the MOPSA analyzer and its performance is assessed in detection of sufficient pre-conditions for runtime errors in 13,261 C tasks from NIST Juliet test suite [5].

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    More formally: \(\rho [v \mapsto x] \triangleq \lambda w. {\left\{ \begin{array}{ll} x & \text {if } v = w \\ \rho (w) & \text {otherwise} \end{array}\right. }\).

  2. 2.

    Pointer arithmetic is supported too. For instance \(\langle V,o \rangle + i = \langle V,o+i\rangle \).

  3. 3.

    For the sake of brevity, we omit the handling of runtime errors such as use-after-free or double free, but they are handled in the implementation.

References

  1. Ascari, F., Bruni, R., Gori, R.: Limits and difficulties in the design of under-approximation abstract domains. In: FoSSaCS 2022. LNCS, vol. 13242, pp. 21–39. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99253-8_2

    Chapter  MATH  Google Scholar 

  2. Bagnara, R., Hill, P.M., Zaffanella, E.: Exact join detection for convex polyhedra and other numerical abstractions. Comput. Geom. 43(5), 453–473 (2010). https://doi.org/10.1016/j.comgeo.2009.09.002

    Article  MathSciNet  MATH  Google Scholar 

  3. Balakrishnan, G., Reps, T.: Recency-abstraction for heap-allocated storage. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 221–239. Springer, Heidelberg (2006). https://doi.org/10.1007/11823230_15

    Chapter  MATH  Google Scholar 

  4. Balatsouras, G., Smaragdakis, Y.: Structure-sensitive points-to analysis for C and C++. In: Rival, X. (ed.) SAS 2016. LNCS, vol. 9837, pp. 84–104. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53413-7_5

    Chapter  Google Scholar 

  5. Black, P.E.: Juliet 1.3 test suite: changes from 1.2. US department of commerce, national institute of standards and technology (2018). https://samate.nist.gov/SARD/test-suites/112

  6. Bourdoncle, F.: Abstract debugging of higher-order imperative languages. In: Proceedings of the ACM SIGPLAN 1993 Conference on Programming Language Design and Implementation, p. 46–55. PLDI 1993, Association for Computing Machinery, New York, NY, USA (1993). https://doi.org/10.1145/155090.155095

  7. Bruni, R., Giacobazzi, R., Gori, R., Ranzato, F.: A correctness and incorrectness program logic. J. ACM 70(2) (2023). https://doi.org/10.1145/3582267

  8. Calcagno, C., Distefano, D.: Infer: an automatic program verifier for memory safety of C programs. In: Bobaru, M., Havelund, K., Holzmann, G.J., Joshi, R. (eds.) NFM 2011. LNCS, vol. 6617, pp. 459–465. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20398-5_33

    Chapter  MATH  Google Scholar 

  9. Calcagno, C., Distefano, D., O’Hearn, P., Yang, H.: Space invading systems code. In: Hanus, M. (ed.) LOPSTR 2008. LNCS, vol. 5438, pp. 1–3. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00515-2_1

    Chapter  MATH  Google Scholar 

  10. Calcagno, C., Distefano, D., O’Hearn, P.W., Yang, H.: Compositional shape analysis by means of bi-abduction. J. ACM 58(6) (2011). https://doi.org/10.1145/2049697.2049700

  11. Chang, B.Y.E., Rival, X.: Relational inductive shape analysis. In: Proceedings of the 35th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 247–260. POPL 2008, Association for Computing Machinery, New York, NY, USA (2008). https://doi.org/10.1145/1328438.1328469

  12. Chang, B.-Y.E., Rival, X., Necula, G.C.: Shape analysis with structural invariant checkers. In: Nielson, H.R., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 384–401. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74061-2_24

    Chapter  MATH  Google Scholar 

  13. Cousot, P.: Principles of Abstract Interpretation. The MIT Press, Cambridge (2021)

    MATH  Google Scholar 

  14. Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 238–252. POPL 1977, Association for Computing Machinery, New York, NY, USA (1977). https://doi.org/10.1145/512950.512973

  15. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proceedings of the 6th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 269–282. POPL 1979, Association for Computing Machinery, New York, NY, USA (1979). https://doi.org/10.1145/567752.567778

  16. Cousot, P., Cousot, R.: Abstract interpretation and application to logic programs. J. Logic Program. 13(2), 103–179 (1992). https://doi.org/10.1016/0743-1066(92)90030-7

    Article  MathSciNet  MATH  Google Scholar 

  17. Cousot, P., Cousot, R.: Refining model checking by abstract interpretation. Autom. Softw. Eng. 6(1), 69–95 (1999). https://doi.org/10.1023/A:1008649901864

    Article  MATH  Google Scholar 

  18. Cousot, P., Cousot, R., Logozzo, F.: Precondition inference from intermittent assertions and application to contracts on collections. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 150–168. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-18275-4_12

    Chapter  MATH  Google Scholar 

  19. Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Proceedings of the 5th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 84–96. POPL 1978, Association for Computing Machinery, New York, NY, USA (1978). https://doi.org/10.1145/512760.512770

  20. Floyd, R.W.: Assigning meanings to programs, pp. 65–81. Springer Netherlands, Dordrecht (1993). https://doi.org/10.1007/978-94-011-1793-7_4

  21. Giet, J., Ridoux, F., Rival, X.: A product of shape and sequence abstractions. In: Hermenegildo, M.V., Morales, J.F. (eds.) Static Analysis, pp. 310–342. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-44245-2_15

  22. Gopan, D., DiMaio, F., Dor, N., Reps, T., Sagiv, M.: Numeric domains with summarized dimensions. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 512–529. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24730-2_38

    Chapter  MATH  Google Scholar 

  23. Gurfinkel, A., Navas, J.A.: A context-sensitive memory model for verification of C/C++ programs. In: Ranzato, F. (ed.) SAS 2017. LNCS, vol. 10422, pp. 148–168. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66706-5_8

    Chapter  MATH  Google Scholar 

  24. Hind, M.: Pointer analysis: haven’t we solved this problem yet? In: Proceedings of the 2001 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering, pp. 54–61. PASTE 2001, Association for Computing Machinery, New York, NY, USA (2001). https://doi.org/10.1145/379605.379665

  25. Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580 (1969). https://doi.org/10.1145/363235.363259

    Article  MATH  Google Scholar 

  26. Journault, M., Miné, A., Monat, R., Ouadjaout, A.: Combinations of reusable abstract domains for a multilingual static analyzer. In: Chakraborty, S., Navas, J.A. (eds.) VSTTE 2019. LNCS, vol. 12031, pp. 1–18. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-41600-3_1

    Chapter  Google Scholar 

  27. Journault, M., Miné, A., Ouadjaout, A.: Modular static analysis of string manipulations in C programs. In: Podelski, A. (ed.) SAS 2018. LNCS, vol. 11002, pp. 243–262. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99725-4_16

    Chapter  MATH  Google Scholar 

  28. Lattner, C., Lenharth, A., Adve, V.: Making context-sensitive points-to analysis with heap cloning practical for the real world. In: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 278–289. PLDI 2007, Association for Computing Machinery, New York, NY, USA (2007). https://doi.org/10.1145/1250734.1250766

  29. Le, Q.L., Raad, A., Villard, J., Berdine, J., Dreyer, D., O’Hearn, P.W.: Finding real bugs in big programs with incorrectness logic. Proc. ACM Program. Lang. 6(OOPSLA1) (2022). https://doi.org/10.1145/3527325

  30. Lev-Ami, T., Sagiv, M., Reps, T., Gulwani, S.: Backward analysis for inferring quantified preconditions (2007)

    Google Scholar 

  31. Li, H., Rival, X., Chang, B.-Y.E.: Shape analysis for unstructured sharing. In: Blazy, S., Jensen, T. (eds.) SAS 2015. LNCS, vol. 9291, pp. 90–108. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48288-9_6

    Chapter  MATH  Google Scholar 

  32. Milanese, M., Miné, A.: Generation of violation witnesses by under-approximating abstract interpretation. In: Dimitrova, R., Lahav, O., Wolff, S. (eds.) Verification, Model Checking, and Abstract Interpretation, pp. 50–73. Springer, Cham (2024). https://doi.org/10.1007/978-3-031-50524-9_3

  33. Milanese, M., Miné, A.: Artifact of paper: “Under-approximating Memory Abstractions" (2024). https://doi.org/10.5281/zenodo.11217437

  34. Miné, A.: Field-sensitive value analysis of embedded c programs with union types and pointer arithmetics. In: Proceedings of the 2006 ACM SIGPLAN/SIGBED Conference on Language, Compilers, and Tool Support for Embedded Systems, pp. 54–63. LCTES 2006, Association for Computing Machinery, New York, NY, USA (2006). https://doi.org/10.1145/1134650.1134659

  35. Miné, A.: Backward under-approximations in numeric abstract domains to automatically infer sufficient program conditions. Sci. Comput. Program. 93, 154–182 (2014). https://doi.org/10.1016/j.scico.2013.09.014. special Issue on Invariant Generation

    Article  MATH  Google Scholar 

  36. Moy, Y.: Sufficient preconditions for modular assertion checking. In: Logozzo, F., Peled, D.A., Zuck, L.D. (eds.) VMCAI 2008. LNCS, vol. 4905, pp. 188–202. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78163-9_18

    Chapter  MATH  Google Scholar 

  37. O’Hearn, P.W.: Incorrectness logic. Proc. ACM Program. Lang. 4(POPL) (2019). https://doi.org/10.1145/3371078

  38. Ouadjaout, A., Miné, A.: A library modeling language for the static analysis of C programs. In: Pichardie, D., Sighireanu, M. (eds.) SAS 2020. LNCS, vol. 12389, pp. 223–247. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65474-0_11

    Chapter  MATH  Google Scholar 

  39. Raad, A., Berdine, J., Dang, H.-H., Dreyer, D., O’Hearn, P., Villard, J.: Local reasoning about the presence of bugs: incorrectness separation logic. In: Lahiri, S.K., Wang, C. (eds.) CAV 2020. LNCS, vol. 12225, pp. 225–252. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-53291-8_14

    Chapter  Google Scholar 

  40. Remil, N.M., Urban, C., Miné, A.: Automatic detection of vulnerable variables for CTL properties of programs. In: Bjorner, N., Heule, M., Voronkov, A. (eds.) Proceedings of 25th Conference on Logic for Programming, Artificial Intelligence and Reasoning. EPiC Series in Computing, vol. 100, pp. 116–126. EasyChair (2024). https://doi.org/10.29007/dnpx, https://easychair.org/publications/paper/n5Rq

  41. Reynolds, J.: Separation logic: a logic for shared mutable data structures. In: Proceedings 17th Annual IEEE Symposium on Logic in Computer Science, pp. 55–74 (2002). https://doi.org/10.1109/LICS.2002.1029817

  42. Rival, X.: https://www.di.ens.fr/~rival/memcad.html

  43. Schmidt, D.A.: A calculus of logical relations for over- and underapproximating static analyses. Sci. Comput. Program. 64(1), 29–53 (2007). https://doi.org/10.1016/j.scico.2006.03.008, special issue on the 11th Static Analysis Symposium - SAS 2004

  44. Steensgaard, B.: Points-to analysis by type inference of programs with structures and unions. In: Proceedings of the 6th International Conference on Compiler Construction, pp. 136–150. CC 1996, Springer, Heidelberg (1996). https://doi.org/10.5555/647473.727458

  45. Steensgaard, B.: Points-to analysis in almost linear time. In: Proceedings of the 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 32–41. POPL 1996, Association for Computing Machinery, New York, NY, USA (1996). https://doi.org/10.1145/237721.237727

  46. Urban, C., Ueltschi, S., Müller, P.: Abstract interpretation of CTL properties. In: Podelski, A. (ed.) SAS 2018. LNCS, vol. 11002, pp. 402–422. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99725-4_24

    Chapter  MATH  Google Scholar 

  47. de Vries, E., Koutavas, V.: Reverse hoare logic. In: Barthe, G., Pardo, A., Schneider, G. (eds.) SEFM 2011. LNCS, vol. 7041, pp. 155–171. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24690-6_12

    Chapter  MATH  Google Scholar 

  48. Wang, W., Barrett, C., Wies, T.: Partitioned memory models for program analysis. In: Bouajjani, A., Monniaux, D. (eds.) VMCAI 2017. LNCS, vol. 10145, pp. 539–558. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52234-0_29

    Chapter  MATH  Google Scholar 

Download references

Acknowledgments

This work was supported by the SECUREVAL project. The SECUREVAL project was funded by the “France 2030” government investment plan managed by the French National Research Agency, under the reference ANR-22-PECY-0005.

Author information

Authors and Affiliations

  1. Sorbonne Université, CNRS, LIP6, 75005, Paris, France

    Marco Milanese & Antoine Miné

Authors
  1. Marco Milanese
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Antoine Miné
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Marco Milanese .

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of Arizona, Tucson, AZ, USA

    Roberto Giacobazzi

  2. IMDEA Software Institute, Pozuelo de Alarcon, Madrid, Spain

    Alessandra Gorla

Rights and permissions

Reprints and permissions

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Milanese, M., Miné, A. (2025). Under-Approximating Memory Abstractions. In: Giacobazzi, R., Gorla, A. (eds) Static Analysis. SAS 2024. Lecture Notes in Computer Science, vol 14995. Springer, Cham. https://doi.org/10.1007/978-3-031-74776-2_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-74776-2_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-74775-5

  • Online ISBN: 978-3-031-74776-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics