Skip to main content
Springer Nature Link
Log in

Statically Inferring Complex Heap, Array, and Numeric Invariants

  • Conference paper
Static Analysis (SAS 2010)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 6337))

Included in the following conference series:

  • 919 Accesses

Abstract

We describe Deskcheck, a parametric static analyzer that is able to establish properties of programs that manipulate dynamically allocated memory, arrays, and integers. Deskcheck can verify quantified invariants over mixed abstract domains, e.g., heap and numeric domains. These domains need only minor extensions to work with our domain combination framework.

The technique used for managing the communication between domains is reminiscent of the Nelson-Oppen technique for combining decision procedures, in that the two domains share a common predicate language to exchange shared facts. However, whereas the Nelson-Oppen technique is limited to a common predicate language of shared equalities, the technique described in this paper uses a common predicate language in which shared facts can be quantified predicates expressed in first-order logic with transitive closure.

We explain how we used Deskcheck to establish memory safety of the thttpd web server’s cache data structure, which uses linked lists, a hash table, and reference counting in a single composite data structure. Our work addresses some of the most complex data-structure invariants considered in the shape-analysis literature.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Arnold, G.: Specialized 3-valued logic shape analysis using structure-based refinement and loose embedding. In: Yi, K. (ed.) SAS 2006. LNCS, vol. 4134, pp. 204–220. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  2. Berdine, J., Calcagno, C., Cook, B., Distefano, D., O’Hearn, P., Wies, T., Yang, H.: Shape analysis for composite data structures. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 178–192. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  3. Bouajjani, A., Bozga, M., Habermehl, P., Iosif, R., Moro, P., Vojnar, T.: Programs with lists are counter automata. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 517–531. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  4. Clarke, E., Talupur, M., Veith, H.: Proving Ptolemy right: The environment abstraction framework for model checking concurrent systems. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 33–47. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  5. Cortesi, A., Charlier, B.L., Hentenryck, P.V.: Combinations of abstract domains for logic programming. SCP 38(1-3), 27–71 (2000)

    MATH  Google Scholar 

  6. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: POPL, pp. 269–282 (1979)

    Google Scholar 

  7. DeLine, R., Leino, K.: BoogiePL: A typed procedural language for checking object-oriented programs. Technical Report MSR-TR-2005-70, Microsoft Research (2005)

    Google Scholar 

  8. Deutsch, A.: Interprocedural alias analysis for pointers: Beyond k-limiting. In: PLDI, pp. 230–241 (1994)

    Google Scholar 

  9. Distefano, D., O’Hearn, P., Yang, H.: A local shape analysis based on separation logic. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 287–302. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  10. Dor, N., Rodeh, M., Sagiv, M.: CSSV: towards a realistic tool for statically detecting all buffer overflows in C. In: PLDI, pp. 155–167 (2003)

    Google Scholar 

  11. Emmi, M., Jhala, R., Kohler, E., Majumdar, R.: Verifying reference counting implementations. In: TACAS (2009)

    Google Scholar 

  12. Gopan, D., DiMaio, F., Dor, N., Reps, T., Sagiv, M.: Numeric domains with summarized dimensions. In: Jensen, K., Podelski, A. (eds.) TACAS 2004. LNCS, vol. 2988, pp. 512–529. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  13. Granger, P.: Improving the results of static analyses programs by local decreasing iteration. In: Shyamasundar, R.K. (ed.) FSTTCS 1992. LNCS, vol. 652, Springer, Heidelberg (1992)

    Google Scholar 

  14. Gulwani, S., Lev-Ami, T., Sagiv, M.: A combination framework for tracking partition sizes. In: POPL, pp. 239–251 (2009)

    Google Scholar 

  15. Gulwani, S., Tiwari, A.: Combining abstract interpreters. In: PLDI (2006)

    Google Scholar 

  16. Jeannet, B., Gopan, D., Reps, T.: A relational abstraction for functions. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 186–202. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  17. Magill, S., Berdine, J., Clarke, E., Cook, B.: Arithmetic strengthening for shape analysis. In: Riis Nielson, H., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 419–436. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  18. McCloskey, B.: Deskcheck 1.0, http://www.cs.berkeley.edu/~billm/deskcheck

  19. Miné, A.: A new numerical abstract domain based on difference-bound matrices. In: Danvy, O., Filinski, A. (eds.) PADO 2001. LNCS, vol. 2053, pp. 155–172. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  20. Nelson, G., Oppen, D.: Simplification by cooperating decision procedures. TOPLAS 1(2), 245–257 (1979)

    Article  MATH  Google Scholar 

  21. Nguyen, H., David, C., Qin, S., Chin, W.-N.: Automated verification of shape and size properties via separation logic. In: Cook, B., Podelski, A. (eds.) VMCAI 2007. LNCS, vol. 4349, pp. 251–266. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  22. Poskanzer, J.: thttpd - tiny/turbo/throttling http server, http://acme.com/software/thttpd/

  23. Reps, T., Sagiv, M., Yorsh, G.: Symbolic implementation of the best transformer. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 252–266. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  24. Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3-valued logic. TOPLAS 24(3), 217–298 (2002)

    Article  Google Scholar 

  25. Zee, K., Kuncak, V., Rinard, M.: Full functional verification of linked data structures. In: ACM Conf. Programming Language Design and Implementation, PLDI (2008)

    Google Scholar 

  26. Zee, K., Kuncak, V., Rinard, M.: An integrated proof language for imperative programs. In: PLDI, pp. 338–351 (2009)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of California, Berkeley, CA, USA

    Bill McCloskey

  2. University of Wisconsin, Madison, WI, USA

    Thomas Reps

  3. GrammaTech, Inc., Ithaca, NY, USA

    Thomas Reps

  4. Tel-Aviv University, Tel-Aviv, Israel

    Mooly Sagiv

  5. Stanford University, Stanford, CA, USA

    Mooly Sagiv

Authors
  1. Bill McCloskey
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Thomas Reps
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mooly Sagiv
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Départment d’Informatique, École normale supérieure, rue d’Ulm 45, 75230, Paris cedex, France

    Radhia Cousot

  2. ELIAUS-DALI Laboratory, Université de Perpignan Via Domitia, 52, avenue Paul Alduy, 66860, Perpignan cedex, France

    Matthieu Martel

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

McCloskey, B., Reps, T., Sagiv, M. (2010). Statically Inferring Complex Heap, Array, and Numeric Invariants. In: Cousot, R., Martel, M. (eds) Static Analysis. SAS 2010. Lecture Notes in Computer Science, vol 6337. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15769-1_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-15769-1_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15768-4

  • Online ISBN: 978-3-642-15769-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics