
A Context-Sensitive Memory Model for Verification of C/C++ Programs

  • Conference paper
  • Static Analysis (SAS 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10422)

Abstract

Verification of low-level C/C++ requires a precise memory model that supports type unions, pointer arithmetic, and casts. We present a new memory model that splits memory into a finite set of disjoint regions based on a pointer analysis. The main contribution is a field-, array- and context-sensitive pointer analysis tailored to verification. We have implemented our memory model for LLVM bitcode and used it on a C++ case study and on SV-COMP benchmarks. Our results suggest that our model can reduce verification time by producing a finer-grained partitioning in the presence of function calls.
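To make the abstract's claim concrete, here is a small worked example added for this page; it is not code from the paper or from sea-dsa, and it leaves out the field and array sensitivity that the paper's analysis has. A unification-based (Steensgaard-style) points-to analysis is run over a constructed four-statement program with one callee, once context-insensitively and once with per-call-site cloning, and the resulting partition of the objects `a` and `b` into memory regions is reported. The toy IR, the program and every name in it are assumptions.

```python
"""Toy unification-based points-to analysis, with and without context
sensitivity, showing how the choice changes the memory partitioning a
verifier gets. Constructed example for this page, not sea-dsa."""


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra
        return ra


class PointsTo:
    """Every variable or object is a node; a node has at most one abstract
    pointee node, and unifying two nodes unifies their pointees as well."""

    def __init__(self):
        self.uf = UnionFind()
        self.pointee = {}  # representative node -> its pointee node

    def node(self, v):
        return self.uf.find(v)

    def pt(self, n):
        n = self.uf.find(n)
        if n not in self.pointee:
            self.pointee[n] = ("pt", n)
        return self.uf.find(self.pointee[n])

    def join(self, a, b):
        ra, rb = self.uf.find(a), self.uf.find(b)
        if ra == rb:
            return
        pa, pb = self.pointee.pop(ra, None), self.pointee.pop(rb, None)
        r = self.uf.union(ra, rb)
        if pa is not None or pb is not None:
            self.pointee[r] = pa if pa is not None else pb
        if pa is not None and pb is not None:
            self.join(pa, pb)  # Steensgaard's rule: merge pointees too

    def constrain(self, stmt):
        op, dst, src = stmt
        if op == "addr":      # dst = &src
            self.join(self.pt(dst), src)
        elif op == "copy":    # dst = src
            self.join(self.pt(dst), self.pt(src))
        elif op == "load":    # dst = *src
            self.join(self.pt(dst), self.pt(self.pt(src)))
        elif op == "store":   # *dst = src
            self.join(self.pt(self.pt(dst)), self.pt(src))
        else:
            raise ValueError(op)


# Constructed toy program.  Callee: void *id(void *x) { return x; }
# main: p = &a; q = &b; r = id(p); s = id(q);   (no recursion in the toy)
FUNCS = {"id": {"params": ["x"], "body": [], "ret": "x"}}
MAIN = [
    ("addr", "p", "a"),
    ("addr", "q", "b"),
    ("call", "r", ("id", ["p"])),
    ("call", "s", ("id", ["q"])),
]


def analyze(stmts, context_sensitive, pta=None, site=""):
    """Context-insensitive: all call sites share one copy of the callee's
    variables. Context-sensitive: each call site gets its own copy (cloning,
    the effect of inlining), so arguments from different callers are never
    unified through the callee's parameters and return value."""
    if pta is None:
        pta = PointsTo()
    for i, stmt in enumerate(stmts):
        if stmt[0] != "call":
            pta.constrain(stmt)
            continue
        _, dst, (callee, args) = stmt
        f = FUNCS[callee]
        prefix = f"{callee}@{site}{i}:" if context_sensitive else f"{callee}:"

        def ren(v, prefix=prefix):  # all callee names are treated as locals
            return prefix + v

        for param, arg in zip(f["params"], args):
            pta.constrain(("copy", ren(param), arg))
        body = [("call", ren(s[1]), (s[2][0], [ren(a) for a in s[2][1]]))
                if s[0] == "call" else (s[0], ren(s[1]), ren(s[2]))
                for s in f["body"]]
        analyze(body, context_sensitive, pta, site=f"{site}{i}.")
        pta.constrain(("copy", dst, ren(f["ret"])))
    return pta


def regions(pta, objects, pointers):
    """Partition `objects` by the node the analysis merged them into (one
    node = one disjoint memory region) and map each pointer to its region."""
    by_node = {}
    for o in objects:
        by_node.setdefault(pta.node(o), set()).add(o)
    parts = sorted(tuple(sorted(v)) for v in by_node.values())
    targets = {p: tuple(sorted(by_node.get(pta.pt(p), ()))) for p in pointers}
    return parts, targets


if __name__ == "__main__":
    for sensitive in (False, True):
        parts, targets = regions(analyze(MAIN, sensitive), ["a", "b"], ["r", "s"])
        print("context-sensitive:" if sensitive else "context-insensitive:",
              "regions", parts, "targets", targets)
```

Without context sensitivity the single copy of `x` unifies `a` and `b` into one region, so a verifier must reason about both objects whenever it touches `r` or `s`; with one clone of `id` per call site the two objects stay in disjoint regions, which is the finer-grained partitioning the abstract refers to.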

This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) and Space and Naval Warfare Systems Center Pacific (SSC Pacific) under Contract No. N66001-15-C-4061. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA or SSC Pacific. This work has also been supported in part by NSF grant 1528153.


Notes

  1. Logic-based verifiers must generate verification conditions in a side-effect-free form so that they can be solved by SMT solvers. In this paper, we focus on how to provide precise points-to information to produce a sound translation to such a form. The syntax and semantics of the language and the construction of VCs are beyond the scope of this paper. We refer readers to e.g., [11, 18] and their references for details.

  2. It is publicly available at https://github.com/seahorn/sea-dsa.

  3. For simplicity, we choose not to modify the definition of a concrete object to include its size.

  4. For simplicity, we assume in Fig. 8 that all cells have zero offsets.

  5. In fact, we only need to consider cells that can be modified. Our implementation includes this optimization.

  6. The pointer analysis is available from https://github.com/seahorn/sea-dsa.

  7. Accessed https://github.com/sosy-lab/sv-benchmarks at commit 879e141f11348e49591738d3e11793b36546a2d5.

  8. CASS is owned by NASA and is not publicly available. It is 13,460 LOC (excluding blanks/comments).

  9. How to effectively instrument a program for proving memory safety is beyond the scope of this paper. SeaHorn provides several LLVM bitcode transformations that insert assertions such that the transformed bitcode is free of buffer overflows if all assertions hold. For our experiments, we used one that non-deterministically stores the offset and size of a pointer. This instrumentation is simple and relies on the solver to resolve the non-determinism so that all pointers are properly checked.

  10. https://frama-c.com/.

  11. Frama-C provides another plugin called WP for C programs, complementary to Jessie, with three different memory models: Hoare (unsound with pointers), Typed, based on Burstall's model, which does not support casts, and Byte, which is a byte-level memory model.
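Note 9 describes the memory-safety instrumentation only in outline. The following is an added model of the idea, written for this page and not SeaHorn's bitcode transformation: one allocation is chosen non-deterministically, its offset and size are recorded and propagated through pointer arithmetic, and every access through a pointer carrying that shadow is checked. In a verifier the choice is left to the solver; here the choices are enumerated explicitly, so a program is reported overflow-free only if no choice makes an assertion fail. The straight-line IR, the two programs and the exact checking discipline are constructed assumptions.

```python
"""Toy model of 'pick one pointer non-deterministically, remember its offset
and size, assert at every access through it'. Constructed for this page;
it is not SeaHorn's instrumentation pass, which rewrites LLVM bitcode."""

# Constructed straight-line IR:
#   ("alloca", dst, size)      dst points to a fresh object of `size` bytes
#   ("gep", dst, src, delta)   dst = src + delta bytes (pointer arithmetic)
#   ("access", ptr, width)     load or store of `width` bytes through ptr


class OutOfBounds(Exception):
    pass


def run(program, tracked_alloc):
    """Execute `program` with the instrumentation 'switched on' for the
    allocation at index `tracked_alloc` (None: track nothing). Raises
    OutOfBounds when an access through a pointer derived from the tracked
    object leaves its bounds; returns None otherwise."""
    env = {}        # var -> (object id, offset within object)
    sizes = {}      # object id -> size in bytes
    shadow = None   # (pointer value, offset, size) of the tracked pointer
    for i, ins in enumerate(program):
        op = ins[0]
        if op == "alloca":
            _, dst, size = ins
            obj = len(sizes)
            sizes[obj] = size
            env[dst] = (obj, 0)
            if i == tracked_alloc:
                shadow = (env[dst], 0, size)
        elif op == "gep":
            _, dst, src, delta = ins
            obj, off = env[src]
            env[dst] = (obj, off + delta)
            # A pointer derived from the tracked one inherits the shadow,
            # with the offset advanced; the object size is unchanged.
            if shadow is not None and shadow[0] == env[src]:
                shadow = (env[dst], shadow[1] + delta, shadow[2])
        elif op == "access":
            _, ptr, width = ins
            if shadow is not None and shadow[0] == env[ptr]:
                _, off, size = shadow
                if off < 0 or off + width > size:
                    raise OutOfBounds(
                        f"instruction {i}: offset {off} + {width} > {size}")
        else:
            raise ValueError(op)


def verify(program):
    """Resolve the non-determinism exhaustively, as a solver would: try
    tracking each allocation in turn. Returns (allocation index, message)
    for every choice whose assertion fails; an empty list means no access
    through any allocated object is out of bounds."""
    failures = []
    for i, ins in enumerate(program):
        if ins[0] != "alloca":
            continue
        try:
            run(program, i)
        except OutOfBounds as e:
            failures.append((i, str(e)))
    return failures


# Constructed sample programs.
SAFE = [
    ("alloca", "buf", 8),
    ("gep", "p", "buf", 4),
    ("access", "p", 4),      # bytes 4..7 of an 8-byte object: in bounds
]
OVERFLOW = [
    ("alloca", "hdr", 4),
    ("alloca", "buf", 8),
    ("gep", "p", "buf", 4),
    ("access", "p", 4),      # in bounds
    ("gep", "q", "p", 4),
    ("access", "q", 1),      # byte 8 of an 8-byte object: off-by-one
]

if __name__ == "__main__":
    print("SAFE:", verify(SAFE) or "no overflow under any choice")
    print("OVERFLOW:", verify(OVERFLOW))
```

Tracking `hdr` finds nothing, because no access goes through a pointer derived from it; tracking `buf` catches the off-by-one at the last instruction. That is why the instrumentation can afford to track a single pointer: the solver, like the loop in `verify`, is free to pick the one choice that exposes the bug.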

References

  1. Data Structure Analysis (DSA) implementation. https://github.com/seahorn/llvm-dsa

  2. SeaHorn Verification Framework. http://seahorn.github.io/

  3. Andersen, L.O.: Program analysis and specialization for the C programming language. Technical report (1994)

  4. Balatsouras, G., Smaragdakis, Y.: Structure-sensitive points-to analysis for C and C++. In: Rival, X. (ed.) SAS 2016. LNCS, vol. 9837, pp. 84–104. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53413-7_5

  5. Burstall, R.M.: Some techniques for proving correctness of programs which alter data structures. In: Machine Intelligence (1972)

  6. Chatterjee, S., Lahiri, S.K., Qadeer, S., Rakamarić, Z.: A reachability predicate for analyzing low-level software. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 19–33. Springer, Heidelberg (2007). doi:10.1007/978-3-540-71209-1_4

  7. Clarke, E., Kroening, D., Lerda, F.: A tool for checking ANSI-C programs. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 168–176. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24730-2_15

  8. Cohen, E., Moskal, M., Tobies, S., Schulte, W.: A precise yet efficient memory model for C. Electr. Notes Theor. Comput. Sci. 254, 85–103 (2009)

  9. Condit, J., Hackett, B., Lahiri, S.K., Qadeer, S.: Unifying type checking and property checking for low-level code. In: POPL, pp. 302–314 (2009)

  10. Cordeiro, L., Fischer, B., Marques-Silva, J.: SMT-based bounded model checking for embedded ANSI-C software. IEEE Trans. Softw. Eng. 38(4), 957–974 (2012)

  11. Gurfinkel, A., Kahsai, T., Komuravelli, A., Navas, J.A.: The SeaHorn verification framework. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 343–361. Springer, Cham (2015). doi:10.1007/978-3-319-21690-4_20

  12. Hubert, T., Marché, C.: Separation analysis for deductive verification. In: HAV (2007)

  13. Komuravelli, A., Gurfinkel, A., Chaki, S., Clarke, E.M.: Automatic abstraction in SMT-based unbounded software model checking. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 846–862. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39799-8_59

  14. Lattner, C., Adve, V.S.: LLVM: a compilation framework for lifelong program analysis & transformation. In: CGO, pp. 75–88 (2004)

  15. Lattner, C., Adve, V.S.: Automatic pool allocation: improving performance by controlling data structure layout in the heap. In: PLDI, pp. 129–142 (2005)

  16. Miné, A.: Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics. In: LCTES, pp. 54–63 (2006)

  17. Moy, Y.: Automatic modular static safety checking for C programs. Ph.D. thesis, Université Paris-Sud (2009)

  18. Rakamarić, Z., Emmi, M.: SMACK: decoupling source language details from verifier implementations. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 106–113. Springer, Cham (2014). doi:10.1007/978-3-319-08867-9_7

  19. Rakamarić, Z., Hu, A.J.: A scalable memory model for low-level code. In: Jones, N.D., Müller-Olm, M. (eds.) VMCAI 2009. LNCS, vol. 5403, pp. 290–304. Springer, Heidelberg (2008). doi:10.1007/978-3-540-93900-9_24

  20. Venet, A.: A scalable nonuniform pointer analysis for embedded programs. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 149–164. Springer, Heidelberg (2004). doi:10.1007/978-3-540-27864-1_13

  21. Wang, W., Barrett, C., Wies, T.: Partitioned memory models for program analysis. In: Bouajjani, A., Monniaux, D. (eds.) VMCAI 2017. LNCS, vol. 10145, pp. 539–558. Springer, Cham (2017). doi:10.1007/978-3-319-52234-0_29

  22. Wang, W., Barrett, C., Wies, T.: Cascade 2.0. In: McMillan, K.L., Rival, X. (eds.) VMCAI 2014. LNCS, vol. 8318, pp. 142–160. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54013-4_9

Author information

Corresponding author: Jorge A. Navas

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Gurfinkel, A., Navas, J.A. (2017). A Context-Sensitive Memory Model for Verification of C/C++ Programs. In: Ranzato, F. (ed.) Static Analysis. SAS 2017. Lecture Notes in Computer Science, vol 10422. Springer, Cham. https://doi.org/10.1007/978-3-319-66706-5_8

  • DOI: https://doi.org/10.1007/978-3-319-66706-5_8
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-66705-8
  • Online ISBN: 978-3-319-66706-5
