Abstract
We present a static program analysis for overlaid data structures, in which a single node carries links belonging to several data structures and these links are intended to be used at the same time. Such overlaid data structures are common in systems code, where they impose multiple types of indexing structures over the same set of nodes. Our analysis implements two main ideas. The first is to run multiple sub-analyses, each of which tracks information about a non-overlaid data structure, such as a list. The second is to control the communication among the sub-analyses using ghost states and ghost instructions. The purpose of this control is efficiency: only the necessary information is transferred among sub-analyses, and at as few program points as possible. Our analysis has been successfully applied to prove the memory safety of the Linux deadline IO scheduler and the AFS server.
Notes
Concretely, \(\varphi(\texttt{q1t},\texttt{c},\alpha)\) is \(\exists u\,v\,w\,x\,y.\ \mathsf{tseg}(\texttt{q1t},0,\texttt{c},u)_{\alpha} * \texttt{c}\mapsto\{\texttt{p}{:}u,\texttt{l}{:}v,\texttt{r}{:}x\}_{\alpha} * \mathsf{tseg}(v,\texttt{c},0,w)_{\alpha} * \mathsf{tseg}(x,\texttt{c},0,y)_{\alpha}\), where \(\mathsf{tseg}\) is a tree segment predicate explained in Sect. 5.
Formally, \(\varphi * \mathsf{tseg}(a,b,c,\_)\) is an abbreviation for \(\exists d.\ \varphi * \mathsf{tseg}(a,b,c,d)\) for a fresh \(d\).
Additional information
We want to thank Gilad Arnold, Patrick Cousot, Peter Hawkins, Peter O’Hearn, Martin Rinard, Noam Rinetzky, Xavier Rival, and John Wickerson for helpful comments. This work was supported by EPSRC, and Lee by the Engineering Research Center of Excellence Program of Korea Ministry of Education, Science and Technology (MEST)/National Research Foundation of Korea (NRF) (Grant 2012-0000465).
Cite this article
Lee, O., Yang, H. & Petersen, R. A divide-and-conquer approach for analysing overlaid data structures. Form Methods Syst Des 41, 4–24 (2012). https://doi.org/10.1007/s10703-012-0151-7