Abstract
Scalability is a key challenge in static analysis. For imperative languages like C, the approach taken for modeling memory can play a significant role in scalability. In this paper, we explore a family of memory models called partitioned memory models which divide memory up based on the results of a points-to analysis. We review Steensgaard’s original and field-sensitive points-to analyses as well as Data Structure Analysis (DSA), and introduce a new cell-based points-to analysis which more precisely handles heap data structures and type-unsafe operations like pointer arithmetic and pointer casting. We give experimental results on benchmarks from the software verification competition using the program verification framework in Cascade. We show that a partitioned memory model using our cell-based points-to analysis outperforms models using other analyses.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
A formal presentation of the semantics of the partitioned memory model is presented in [28].
- 2.
We borrow this term from Miné [19], but use it in a different context. Miné aimed to build a cell-based abstract domain for value analysis, while we target a cell-based points-to analysis.
- 3.
They can be handled using a straightforward adaptation of Steensgaard’s approach.
- 4.
Cascade placed 3rd in the Heap Data Structures category of SV-COMP 2016 [4].
- 5.
We used a context-insensitive version of DSA to make a fair comparison because the other analyses are also context-insensitive. Context sensitivity could be added to any of them, improving the results.
References
Andersen, L.O.: Program analysis and specialization for the C programming language. Ph.D. thesis, University of Copenhagen, May 1994
Balatsouras, G., Smaragdakis, Y.: Structure-sensitive points-to analysis for C and C++. In: Static Analysis Symposium (SAS) (2016)
Barrett, C., Stump, A., Tinelli, C.: The SMT-LIB standard - version 2.0. In: Proceedings of the 8th International Workshop on Satisfiability Modulo Theories (SMT) (2010)
Beyer, D.: Reliable and reproducible competition results with benchexec and witnesses (reported on SV-COMP 2016). In: Tools and Algorithms for the Construction and Analysis of Systems (TACAS) (2016)
Böhme, S., Moskal, M.: Heaps, data structures: a challenge for automated provers. In: Conference on Automated Deduction (CADE) (2011)
Burstall, R.M.: Some techniques for proving correctness of programs which alter data structures. Mach. Intell. 7, 23–50 (1972)
Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Tools and Algorithms for the Construction and Analysis of Systems (TACAS) (2004)
Cohen, E., Moskal, M., Tobies, S., Schulte, W.: A precise yet efficient memory model for C. Electron. Notes Theor. Comput. Sci. (ENTCS) 254, 85–103 (2009)
Condit, J., Hackett, B., Lahiri, S.K., Qadeer, S.: Unifying type checking and property checking for low-level code. In: Principles of Programming Languages (POPL) (2009)
Conway, C.L., Dams, D., Namjoshi, K.S., Barrett, C.: Pointer analysis, conditional soundness, and proving the absence of errors. In: Static Analysis Symposium (SAS) (2008)
Cuoq, P., Kirchner, F., Kosmatov, N., Prevosto, V., Signoles, J., Yakobowski, B.: Frama-C a software analysis perspective. In: Software Engineering and Formal Methods (SEFM) (2012)
Foster, J.S., Fähndrich, M., Aiken, A.: Flow-insensitive points-to analysis with term and set constraints. Technical report CSD-97-964, University of California, Berkeley (1997)
Gurfinkel, A., Kahsai, T., Komuravelli, A., Navas, J.A.: The SeaHorn verification framework. In: Computer Aided Verification (CAV) (2015)
Hind, M.: Pointer analysis: haven’t we solved this problem yet? In: Program Analysis for Software Tools and Engineering (PASTE) (2001)
Lahiri, S.K., Qadeer, S.: Back to the future: revisiting precise program verification using SMT solvers. In: Principles of Programming Languages (POPL) (2008)
Lahiri, S.K., Qadeer, S., Rakamarić, Z.: Static and precise detection of concurrency errors in systems code using SMT solvers. In: Computer Aided Verification (CAV) (2009)
Lal, A., Qadeer, S.: Powering the static driver verifier using Corral. In: Foundations of Software Engineering (FSE) (2014)
Lattner, C., Lenharth, A., Adve, V.: Making context-sensitive points-to analysis with heap cloning practical for the real world. In: Programming Language Design and Implementation (PLDI) (2007)
Miné, A.: Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics. In: Language, Compilers, and Tool Support for Embedded Systems (LCTES) (2006)
Morse, J., Ramalho, M., Cordeiro, L., Nicole, D., Fischer, B.: ESBMC 1.22 (competition contribution). In: Tools and Algorithms for the Construction and Analysis of Systems (TACAS) (2014)
Necula, G.C., McPeak, S., Weimer, W.: CCured: type-safe retrofitting of legacy code. In: Principles of Programming Languages (POPL) (2002)
Pearce, D.J., Kelly, P.H.J., Hankin, C.: Efficient field-sensitive pointer analysis for C. In: Program Analysis for Software Tools and Engineering (PASTE) (2004)
Pearce, D.J., Kelly, P.H.J., Hankin, C.: Efficient field-sensitive pointer analysis of C. ACM Trans. Program. Lang. Syst. 30(1), 4 (2007)
Rakamarić, Z., Emmi, M.: SMACK: decoupling source language details from verifier implementations. In: Computer Aided Verification (CAV) (2015)
Rakamarić, Z., Hu, A.J.: A scalable memory model for low-level code. In: Verification, Model Checking, and Abstract Interpretation (VMCAI) (2009)
Steensgaard, B.: Points-to analysis by type inference of programs with structures and unions. In: Compiler Construction (CC) (1996)
Steensgaard, B.: Points-to analysis in almost linear time. In: Principles of Programming Languages (POPL) (1996)
Wang, W.: Partition memory models for program analysis. Ph.D. thesis, New York University, May 2016
Wang, W., Barrett, C., Wies, T.: Cascade 2.0. In: Verification, Model Checking, and Abstract Interpretation (VMCAI) (2014)
Yong, S.H., Horwitz, S., Reps, T.: Pointer analysis for programs with structures and casting. In: Programming Language Design and Implementation (PLDI) (1999)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Wang, W., Barrett, C., Wies, T. (2017). Partitioned Memory Models for Program Analysis. In: Bouajjani, A., Monniaux, D. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2017. Lecture Notes in Computer Science(), vol 10145. Springer, Cham. https://doi.org/10.1007/978-3-319-52234-0_29
Download citation
DOI: https://doi.org/10.1007/978-3-319-52234-0_29
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-52233-3
Online ISBN: 978-3-319-52234-0
eBook Packages: Computer ScienceComputer Science (R0)