Hostname: page-component-78c5997874-8bhkd Total loading time: 0 Render date: 2024-11-10T12:49:04.375Z Has data issue: false hasContentIssue false
  • English
  • Français

Shape Neutral Analysis of Graph-based Data-structures

Published online by Cambridge University Press:  10 August 2018

GREGORY J. DUCK ,
JOXAN JAFFAR  and
ROLAND H. C. YAP
GREGORY J. DUCK
Affiliation:
Department of Computer Science, National University of Singapore (e-mail: gregory@comp.nus.edu.sg, joxan@comp.nus.edu.sg, ryap@comp.nus.edu.sg)
JOXAN JAFFAR
Affiliation:
Department of Computer Science, National University of Singapore (e-mail: gregory@comp.nus.edu.sg, joxan@comp.nus.edu.sg, ryap@comp.nus.edu.sg)
ROLAND H. C. YAP
Affiliation:
Department of Computer Science, National University of Singapore (e-mail: gregory@comp.nus.edu.sg, joxan@comp.nus.edu.sg, ryap@comp.nus.edu.sg)
Rights & Permissions [Opens in a new window]

Abstract

Core share and HTML view are not available for this content. However, as you have access to this content, a full PDF is available via the ‘Save PDF’ action button.

Malformed data-structures can lead to runtime errors such as arbitrary memory access or corruption. Despite this, reasoning over data-structure properties for low-level heap manipulating programs remains challenging. In this paper we present a constraint-based program analysis that checks data-structure integrity, w.r.t. given target data-structure properties, as the heap is manipulated by the program. Our approach is to automatically generate a solver for properties using the type definitions from the target program. The generated solver is implemented using a Constraint Handling Rules (CHR) extension of built-in heap, integer and equality solvers. A key property of our program analysis is that the target data-structure properties are shape neutral, i.e., the analysis does not check for properties relating to a given data-structure graph shape, such as doubly-linked-lists versus trees. Nevertheless, the analysis can detect errors in a wide range of data-structure manipulating programs, including those that use lists, trees, DAGs, graphs, etc. We present an implementation that uses the Satisfiability Modulo Constraint Handling Rules (SMCHR) system. Experimental results show that our approach works well for real-world C programs.

Keywords

Constraint Handling RulesSatisfiability Modulo Constraint Handling RulesSatisfiability Modulo TheoriesProgram AnalysisData-structuresMemory Errors
Type
Original Article
Information
Theory and Practice of Logic Programming , Volume 18 , Special Issue 3-4: 34th International Conference on Logic Programming , July 2018 , pp. 470 - 483
Copyright
Copyright © Cambridge University Press 2018 

References

Berdine, J., Calcagno, C., Cook, B., Distefano, D., O'Hearn, P., Wies, T., and Yang, H. 2007. Shape Analysis for Composite Data Structures. In Computer Aided Verification. Springer.Google Scholar
Berdine, J., Calcagno, C. and O'Hearn, P. 2005. SmallFoot: Modular Automatic Assertion Checking with Separation Logic. In Formal Methods for Components and Objects. Springer.Google Scholar
Berdine, J., Cook, B., and Ishtiaq, S. 2011. SLAyer: Memory Safety for Systems-level Code. In Computer Aided Verification. Springer.Google Scholar
Boehm, H. and Weiser, M. 1988. Garbage Collection in an Uncooperative Environment. Software Practice and Experience 18, 9.Google Scholar
Distefano, D., O'Hearn, P., and Yang, H. 2006. A Local Shape Analysis Based on Separation Logic. In Tools and Algorithms for the Construction and Analysis of Systems. Springer.Google Scholar
Duck, G. 2012. SMCHR: Satisfiability Modulo Constraint Handling Rules. Theory and Practice of Logic Programming 12, 4–5, 601618.Google Scholar
Duck, G. 2013. Satisfiability Modulo Constraint Handling Rules (Extended Abstract). In International Joint Conference on Artificial Intelligence. AAAI.Google Scholar
Duck, G., Jaffar, J., and Koh, N. 2013. Constraint-based Program Reasoning with Heaps and Separation. In Constraint Programming. Springer.Google Scholar
Duck, G. and Yap, R. 2016. Heap Bounds Protection with Low Fat Pointers. In Compiler Construction. ACM.Google Scholar
Duck, G., Yap, R., and Cavallaro, L. 2017. Stack Bounds Protection with Low Fat Pointers. In Network and Distributed System Security Symposium. The Internet Society.Google Scholar
Dudka, K., Peringer, P., and Vojnar, T. 2011. Predator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic. In Computer Aided Verification. Springer.Google Scholar
Dudka, K., Peringer, P., and Vojnar, T. 2013. Byte-Precise Verification of Low-Level List Manipulation. In Static Analysis. Springer.Google Scholar
Frühwirth, T. 1998. Theory and Practice of Constraint Handling Rules. Journal of Logic Programming 37.Google Scholar
Frühwirth, T. 2009. Constraint Handling Rules. Cambridge University Press.Google Scholar
Hinze, R. and Paterson, R. 2006. Finger Trees: A Simple General-purpose Data Structure. Journal of Functional Programming 16, 2.Google Scholar
Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., and Piessens, F. 2011. VeriFast: a Powerful, Sound, Predictable, Fast Verifier for C and Java. In NASA Formal methods. Springer.Google Scholar
Kroening, D. and Tautschnig, M. 2014. CBMC: C Bounded Model Checker. In Tools and Algorithms for the Construction and Analysis of Systems. Springer.Google Scholar
LLVM 2018. http://llvm.org.Google Scholar
Matthews, J., Moore, J., Ray, S., and Vroon, D. 2006. Verification Condition Generation Via Theorem Proving. In Logic for Programming, Artificial Intelligence, and Reasoning. Springer.Google Scholar
Merz, F., Falke, S., and Sinz, C. 2012. LLBMC: Bounded Model Checking of C and C++ Programs Using a Compiler IR. In Verified Software: Theories, Tools, Experiments. Springer.Google Scholar
Reynolds, J. 2002. Separation Logic: A Logic for Shared Mutable Data Objects. In Logic in Computer Science. IEEE.Google Scholar