4,166 research outputs found
Modular verification of procedure equivalence in the presence of memory allocation
For most high level languages, two procedures are equivalent if they transform a pair of isomorphic stores to isomorphic stores. How- ever, tools for modular checking of such equivalence impose a stronger check where isomorphism is strengthened to equality of stores. This re- sults in the inability to prove many interesting program pairs with re- cursion and dynamic memory allocation. In this work, we present RIE, a methodology to modularly establish equivalence of procedures in the presence of memory allocation, cyclic data structures and recursion. Our technique addresses the need for find- ing witnesses to isomorphism with angelic allocation, supports reasoning about equivalent procedures calls when the stores are only locally iso- morphic, and reasoning about changes in the order of procedure calls. We have implemented RIE by encoding it in the Boogie program verifier. We describe the encoding and prove its soundness
Heap Abstractions for Static Analysis
Heap data is potentially unbounded and seemingly arbitrary. As a consequence,
unlike stack and static memory, heap memory cannot be abstracted directly in
terms of a fixed set of source variable names appearing in the program being
analysed. This makes it an interesting topic of study and there is an abundance
of literature employing heap abstractions. Although most studies have addressed
similar concerns, their formulations and formalisms often seem dissimilar and
some times even unrelated. Thus, the insights gained in one description of heap
abstraction may not directly carry over to some other description. This survey
is a result of our quest for a unifying theme in the existing descriptions of
heap abstractions. In particular, our interest lies in the abstractions and not
in the algorithms that construct them.
In our search of a unified theme, we view a heap abstraction as consisting of
two features: a heap model to represent the heap memory and a summarization
technique for bounding the heap representation. We classify the models as
storeless, store based, and hybrid. We describe various summarization
techniques based on k-limiting, allocation sites, patterns, variables, other
generic instrumentation predicates, and higher-order logics. This approach
allows us to compare the insights of a large number of seemingly dissimilar
heap abstractions and also paves way for creating new abstractions by
mix-and-match of models and summarization techniques.Comment: 49 pages, 20 figure
The Meaning of Memory Safety
We give a rigorous characterization of what it means for a programming
language to be memory safe, capturing the intuition that memory safety supports
local reasoning about state. We formalize this principle in two ways. First, we
show how a small memory-safe language validates a noninterference property: a
program can neither affect nor be affected by unreachable parts of the state.
Second, we extend separation logic, a proof system for heap-manipulating
programs, with a memory-safe variant of its frame rule. The new rule is
stronger because it applies even when parts of the program are buggy or
malicious, but also weaker because it demands a stricter form of separation
between parts of the program state. We also consider a number of pragmatically
motivated variations on memory safety and the reasoning principles they
support. As an application of our characterization, we evaluate the security of
a previously proposed dynamic monitor for memory safety of heap-allocated data.Comment: POST'18 final versio
On the Complexity of the Equivalence Problem for Probabilistic Automata
Checking two probabilistic automata for equivalence has been shown to be a
key problem for efficiently establishing various behavioural and anonymity
properties of probabilistic systems. In recent experiments a randomised
equivalence test based on polynomial identity testing outperformed
deterministic algorithms. In this paper we show that polynomial identity
testing yields efficient algorithms for various generalisations of the
equivalence problem. First, we provide a randomized NC procedure that also
outputs a counterexample trace in case of inequivalence. Second, we show how to
check for equivalence two probabilistic automata with (cumulative) rewards. Our
algorithm runs in deterministic polynomial time, if the number of reward
counters is fixed. Finally we show that the equivalence problem for
probabilistic visibly pushdown automata is logspace equivalent to the
Arithmetic Circuit Identity Testing problem, which is to decide whether a
polynomial represented by an arithmetic circuit is identically zero.Comment: technical report for a FoSSaCS'12 pape
- …