51 research outputs found
Structural Analysis: Shape Information via Points-To Computation
This paper introduces a new hybrid memory analysis, Structural Analysis,
which combines an expressive shape analysis style abstract domain with
efficient and simple points-to style transfer functions. Using data from
empirical studies on the runtime heap structures and the programmatic idioms
used in modern object-oriented languages we construct a heap analysis with the
following characteristics: (1) it can express a rich set of structural, shape,
and sharing properties which are not provided by a classic points-to analysis
and that are useful for optimization and error detection applications (2) it
uses efficient, weakly-updating, set-based transfer functions which enable the
analysis to be more robust and scalable than a shape analysis and (3) it can be
used as the basis for a scalable interprocedural analysis that produces precise
results in practice.
The analysis has been implemented for .Net bytecode and using this
implementation we evaluate both the runtime cost and the precision of the
results on a number of well known benchmarks and real world programs. Our
experimental evaluations show that the domain defined in this paper is capable
of precisely expressing the majority of the connectivity, shape, and sharing
properties that occur in practice and, despite the use of weak updates, the
static analysis is able to precisely approximate the ideal results. The
analysis is capable of analyzing large real-world programs (over 30K bytecodes)
in less than 65 seconds and using less than 130MB of memory. In summary this
work presents a new type of memory analysis that advances the state of the art
with respect to expressive power, precision, and scalability and represents a
new area of study on the relationships between and combination of concepts from
shape and points-to analyses
Footprints in Local Reasoning
Local reasoning about programs exploits the natural local behaviour common in
programs by focussing on the footprint - that part of the resource accessed by
the program. We address the problem of formally characterising and analysing
the footprint notion for abstract local functions introduced by Calcagno, O
Hearn and Yang. With our definition, we prove that the footprints are the only
essential elements required for a complete specification of a local function.
We formalise the notion of small specifications in local reasoning and show
that for well-founded resource models, a smallest specification always exists
that only includes the footprints, and also present results for the
non-well-founded case. Finally, we use this theory of footprints to investigate
the conditions under which the footprints correspond to the smallest safe
states. We present a new model of RAM in which, unlike the standard model, the
footprints of every program correspond to the smallest safe states, and we also
identify a general condition on the primitive commands of a programming
language which guarantees this property for arbitrary models.Comment: LMCS 2009 (FOSSACS 2008 special issue
Modular Construction of Shape-Numeric Analyzers
The aim of static analysis is to infer invariants about programs that are
precise enough to establish semantic properties, such as the absence of
run-time errors. Broadly speaking, there are two major branches of static
analysis for imperative programs. Pointer and shape analyses focus on inferring
properties of pointers, dynamically-allocated memory, and recursive data
structures, while numeric analyses seek to derive invariants on numeric values.
Although simultaneous inference of shape-numeric invariants is often needed,
this case is especially challenging and is not particularly well explored.
Notably, simultaneous shape-numeric inference raises complex issues in the
design of the static analyzer itself.
In this paper, we study the construction of such shape-numeric, static
analyzers. We set up an abstract interpretation framework that allows us to
reason about simultaneous shape-numeric properties by combining shape and
numeric abstractions into a modular, expressive abstract domain. Such a modular
structure is highly desirable to make its formalization and implementation
easier to do and get correct. To achieve this, we choose a concrete semantics
that can be abstracted step-by-step, while preserving a high level of
expressiveness. The structure of abstract operations (i.e., transfer, join, and
comparison) follows the structure of this semantics. The advantage of this
construction is to divide the analyzer in modules and functors that implement
abstractions of distinct features.Comment: In Proceedings Festschrift for Dave Schmidt, arXiv:1309.455
The Tree Width of Separation Logic with Recursive Definitions
Separation Logic is a widely used formalism for describing dynamically
allocated linked data structures, such as lists, trees, etc. The decidability
status of various fragments of the logic constitutes a long standing open
problem. Current results report on techniques to decide satisfiability and
validity of entailments for Separation Logic(s) over lists (possibly with
data). In this paper we establish a more general decidability result. We prove
that any Separation Logic formula using rather general recursively defined
predicates is decidable for satisfiability, and moreover, entailments between
such formulae are decidable for validity. These predicates are general enough
to define (doubly-) linked lists, trees, and structures more general than
trees, such as trees whose leaves are chained in a list. The decidability
proofs are by reduction to decidability of Monadic Second Order Logic on graphs
with bounded tree width.Comment: 30 pages, 2 figure
Deciding Entailments in Inductive Separation Logic with Tree Automata
Separation Logic (SL) with inductive definitions is a natural formalism for
specifying complex recursive data structures, used in compositional
verification of programs manipulating such structures. The key ingredient of
any automated verification procedure based on SL is the decidability of the
entailment problem. In this work, we reduce the entailment problem for a
non-trivial subset of SL describing trees (and beyond) to the language
inclusion of tree automata (TA). Our reduction provides tight complexity bounds
for the problem and shows that entailment in our fragment is EXPTIME-complete.
For practical purposes, we leverage from recent advances in automata theory,
such as inclusion checking for non-deterministic TA avoiding explicit
determinization. We implemented our method and present promising preliminary
experimental results
Shape Analysis via Monotonic Abstraction
We propose a new formalism for reasoning about dynamic memory heaps, using monotonic abstraction and symbolic backward reachability analysis. We represent the heaps as graphs, and introduce an ordering on these graphs. This enables us to represent the violation of a given safety property as the reachability of a finitely representable set of bad graphs. We also describe how to symbolically compute the reachable states in the transition system induced by a program
Efficient Context-Sensitive Shape Analysis with Graph Based Heap Models
The performance of heap analysis techniques has a significant impact on their utility in an optimizing compiler.Most shape analysis techniques perform interprocedural dataflow analysis in a context-sensitive manner, which can result in analyzing each procedure body many times (causing significant increases in runtime even if the analysis results are memoized). To improve the effectiveness of memoization (and thus speed up the analysis) project/extend operations are used to remove portions of the heap model that cannot be affected by the called procedure (effectively reducing the number of different contexts that a procedure needs to be analyzed with). This paper introduces project/extend operations that are capable of accurately modeling properties that are important when analyzing non-trivial programs (sharing, nullity information, destructive recursive functions, and composite data structures). The techniques we introduce are able to handle these features while significantly improving the effectiveness of memoizing analysis results (and thus improving analysis performance). Using a range of well known benchmarks (many of which have not been successfully analyzed using other existing shape analysis methods) we demonstrate that our approach results in significant improvements in both accuracy and efficiency over a baseline analysis
Foundations for decision problems in separation logic with general inductive predicates
Abstract. We establish foundational results on the computational com-plexity of deciding entailment in Separation Logic with general induc-tive predicates whose underlying base language allows for pure formulas, pointers and existentially quantified variables. We show that entailment is in general undecidable, and ExpTime-hard in a fragment recently shown to be decidable by Iosif et al. Moreover, entailment in the base language is Î P2-complete, the upper bound even holds in the presence of list predicates. We additionally show that entailment in essentially any fragment of Separation Logic allowing for general inductive predicates is intractable even when strong syntactic restrictions are imposed.
- …