A Relational Approach to Interprocedural Shape Analysis

DOI: 10.1007/978-3-540-27864-1_19

ABSTRACT: This paper addresses the verification of properties of imperative programs with recursive procedure calls, heap-allocated storage, and destructive updating of pointer-valued fields – i.e., interprocedural shape analysis. It presents a way to harness some previously known approaches to interprocedural dataflow analysis – which in past work have been applied only to much less rich settings – for interprocedural shape analysis.

  • ABSTRACT: We present a proof system for reasoning about data structures. The specification language models memory explicitly as an array, and models pointers and data elements uniformly as integers, used here as an abstraction of a machine word. There are three distinguishing features: the use of recursive definitions, the use of set variables representing explicit footprints in order to implement the concept of separation, and finally, the language can express the strongest postcondition of a loop-free program. This provides a basis for implementing a Floyd-Hoare-style program verifier which generates verification conditions for an external theorem prover. We then present a prover in the form of inference rules that are systematically applied. We argue that a large class of verification conditions can thus be automatically proven. The prover comprises two main parts in order to reason about the interplay between recursive definitions, arrays, sets and integers. In the first, recursive definitions are disposed by means of an unfolding process terminated by a concept of induction. Second, the remaining nonrecursive formulas are reduced into purely integer formulas, which we can finally dispense with using a standard system.
  • ABSTRACT: In this paper we present a new heap abstraction that seeks to strike a balance between the use of non-local (transitive) properties to gain precision and exploiting heap-locality. The abstraction represents the heap as an (evolving) tree of heap-components, with only a single heap-component being accessible at any time. The representation is tailored to yield several benefits: (a) It localizes the effect of heap mutation, enabling more efficient processing of heap mutations; (b) The representation is more space-efficient as it permits heap-components with isomorphic contents to use a shared representation; (c) It enables a more precise identification of the "input heap" to a procedure, increasing the reuse of summaries in a tabulation-based interprocedural analysis, making it more efficient. Furthermore, based on our new abstraction, an analysis can compute parameterized summaries which can be re-used for analyzing clients of instantiations of the generic data-structures.
  • ABSTRACT: Heap-manipulating programs allow flexible manipulations over dynamically allocated, shared, and mutable heap cells via pointers that point to not only linked data structures but also their pointer fields. Therefore, memory leak detection for these programs requires precise field-sensitive pointer alias information, which makes the problem more challenging. In this paper, we present a field- and context-sensitive algorithm for detecting memory leaks in heap-manipulating programs. First, we propose a modular heap abstraction based on member-access distances and an alias bit-vector domain as the escape model of each procedure. Then, based on procedural summaries characterized by this modular heap abstraction, an efficient context-sensitive memory leak detection is proposed in an on-demand way. Experimental evaluation on a set of large C benchmark programs shows that the proposed approach is scalable with satisfactory precision, as expected.
    Proceedings of the 2012 19th Asia-Pacific Software Engineering Conference - Volume 01; 12/2012

Full text (4 sources) available from May 31, 2014.