Abstract
Abstraction and abstract interpretation are key tools for automatically verifying properties of systems. One of the major challenges in abstract interpretation is how to obtain abstractions that are precise enough to provide useful information, and yet abstract enough to allow efficient computation. A related challenge is how to conservatively extract useful information from an abstract value.
This is a survey paper on a parametric abstract domain called canonical abstraction, which was motivated by the problem of shape analysis — i.e., the problem of determining “shape invariants” for programs that perform destructive updating on dynamically allocated storage.
We discuss three conservative methods from extracting information from abstract values: the first method is obtained using the Kleene interpretation of the query formula; this method is simple and very efficient, but is not very precise. The second method is the most precise, but requires the use of a theorem prover. The third method achieves precision close to the second method with tolerable costs, but requires some additional information from the designers of the abstraction.
We discuss the canonical-abstraction domain, and show the properties of programs that have been verified by the domain.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
TVLA system. “http://www.cs.tau.ac.il/~TVLA/”.
Andersen, L. O. (1993). Binding-time analysis and the taming of C pointers. In Part. Eval. and Semantics-Based Prog. Manip., pages 47–58.
Arnold, G. (2004). Combining heap analyses by intersecting abstractions. Master’s thesis, Tel Aviv University.
Ball, T., Majumdar, R., Millstein, T., and Rajamani, S. (2001). Automatic predicate abstraction of C programs. In Prog. Lang. Design and Impl., NewYork, NY. ACM Press.
Ball, T. and Rajamani, S. (2001). The SLAM toolkit. In Int. Conf. on Computer Aided Verif., volume 2102 of Lec. Notes in Comp. Sci., pages 260–264.
Bush, W., Pincus, J., and Sielaff, D. (2000). A static analyzer for finding dynamic programming errors. Software-Practice&Experience, 30:775–802.
Chase, D., Wegman, M., and Zadeck, F. (1990). Analysis of pointers and structures. In Prog. Lang. Design and Impl., pages 296–310, New York, NY. ACM Press.
Chen, H. and Wagner, D. (2002). MOPS: An infrastructure for examining security properties of software. In Conf. on Comp. and Commun. Sec., pages 235–244.
Cheng, B.-C. and Hwu, W. (2000). Modular interprocedural pointer analysis using access paths: Design, implementation, and evaluation. In Prog. Lang. Design and Impl., pages 57–69.
Clarke, E., Grumberg, O., Jha, S., Lu, Y., and Veith, H. (2000). Counterexample-guided abstraction refinement. In Int. Conf. on Computer Aided Verif., pages 154–169.
Clarke, E., Grumberg, O., and Long, D. (1994). Model checking and abstraction. Trans. on Prog. Lang. and Syst., 16(5):1512–1542.
Corbett, J., Dwyer, M., Hatcliff, J., Laubach, S., Pasareanu, C., Robby, and Zheng, H. (2000). Bandera: Extracting finite-state models from Java source code. In Int. Conf. on Softw. Eng., pages 439–448.
Cousot, P. and Cousot, R. (1977). Abstract interpretation: A unified lattice model for static analysis of programs by construction of approximation of fixed points. In Princ. of Prog. Lang., pages 238–252.
Cousot, P. and Cousot, R. (1979). Systematic design of program analysis frameworks. In Princ. of Prog. Lang., pages 269–282.
Das, M. (2000). Unification-based pointer analysis with directional assignments. In Prog. Lang. Design and Impl., pages 35–46.
Deutsch, A. (1994). Interprocedural may-alias analysis for pointers: Beyond k-limiting. In Prog. Lang. Design and Impl., pages 230–241, New York, NY. ACM Press.
Engler, D., Chelf, B., Chou, A., and Hallem, S. (2000). Checking system rules using system-specific, programmer-written compiler extensions. In Op. Syst. Design and Impl., pages 1–16.
Fähndrich, M., Rehof, J., and Das, M. (2000). Scalable context-sensitive flow analysis using instantiation constraints. In Prog. Lang. Design and Impl., pages 253–263.
Foster, J., Fähndrich, M., and Aiken, A. (2000). Polymorphic versus monomorphic flow-insensitive points-to analysis for C. In Static Analysis Symp., pages 175–198.
Ginsberg, M. (1988). Multivalued logics: A uniform approach to inference in artificial intelligence. Comp. Intell., 4:265–316.
Gopan, D., DiMaio, F., N. Dor, Reps, T., and Sagiv, M. (2004). Numeric domains with summarized dimensions. In Tools and Algs. for the Construct. and Anal. of Syst., pages 512–529.
Gopan, D., Reps, T., and Sagiv, M. (2005). Numeric analysis of array operations. In Princ. of Prog. Lang.
Graf, S. and Saïdi, H. (1997). Construction of abstract state graphs with PVS. In Int. Conf. on Computer Aided Verif., volume 1254 of Lec. Notes in Comp. Sci., pages 72–83.
Havelund, K. and Pressburger, T. (2000). Model checking Java programs using Java PathFinder. Softw. Tools for Tech. Transfer, 2(4).
Jeannet, B., Loginov, A., Reps, T., and Sagiv, M. (2004). A relational approach to interprocedural shape analysis. In Static Analysis Symp. Springer.
Jones, N. and Muchnick, S. (1982). A flexible approach to interprocedural data flow analysis and programs with recursive data structures. In Princ. of Prog. Lang., pages 66–74, New York, NY. ACM Press.
Landi, W. and Ryder, B. (1991). Pointer induced aliasing: A problem classification. In Princ. of Prog. Lang., pages 93–103, New York, NY. ACM Press.
Lev-Ami, T. (2000). TVLA: A framework for Kleene based static analysis. Master’s thesis, Tel-Aviv University, Tel-Aviv, Israel.
Lev-Ami, T., Reps, T., Sagiv, M., and Wilhelm, R. (2000). Putting static analysis to work for verification: A case study. In Int. Symp. on Softw. Testing and Analysis, pages 26–38.
Lev-Ami, T. and Sagiv, M. (2000). TVLA: A system for implementing static analyses. In Static Analysis Symp., pages 280–301.
Loginov, A., Reps, T., and Sagiv, M. (2004). Abstraction refinement for 3-valued-logic analysis. Submitted for publication.
Manevich, R., Ramalingam, G., Field, J., Goyal, D., and Sagiv, M. (2002). Compactly representing first-order structures for static analysis. In Static Analysis Symp., pages 196–212.
Manevich, R., Sagiv, M., Ramalingam, G., and Field, J. (2004). Partially disjunctive heap abstraction. In Proceedings of the 11th International Symposium, SAS 2004, volume 3148 of Lecture Notes in Computer Science, pages 265–279. Springer.
Manevich, R., Yahav, E., Ramalingam, G., and Sagiv, M. (2005). Predicate abstraction and canonical abstraction for singly-linked lists. In Proceedings of the 6th International Conference on Verification, Model Checking and Abstract Interpretation, VMCAI 2005, Lecture Notes in Computer Science. Springer.
M. Das, Liblit, B., Fähndrich, M., and Rehof, J. (2001). Estimating the impact of scalable pointer analysis on optimization. In Static Analysis Symp., pages 260–278.
Ramalingam, G., Warshavsky, A., Field, J., Goyal, D., and Sagiv, M. (2002). Deriving specialized program analyses for certifying component-client conformance. In Prog. Lang. Design and Impl., pages 83–94.
Reps, T., Sagiv, M., and Loginov, A. (2003). Finite differencing of logical formulas for static analysis. In European Symp. On Programming, pages 380–398.
Rinetskey, N. and Sagiv, M. (2001). Interprocedural shape analysis for recursive programs. In Wilhelm, R., editor, Comp. Construct., volume 2027 of LNCS, pages 133–149. Springer-Verlag.
Rinetzky, N., Bauer, J., Reps, T., Sagiv, M., and Wilhelm, R. (2005). A semantics for procedure local heaps and its abstractions. In Princ. of Prog. Lang.
Rinetzky, N., Sagiv, M., and Yahav, E. (2004). Computing procedure summaries exploiting heap-locality. Tech. Rep. XXX, Tel Aviv Uni. Available at “http://www.cs.tau.ac.il/~maon”.
Sagiv, M., Reps, T., and Wilhelm, R. (1998). Solving shape-analysis problems in languages with destructive updating. Trans. on Prog. Lang. and Syst., 20(1):1–50.
Sagiv, M., Reps, T., and Wilhelm, R. (2002). Parametric shape analysis via 3-valued logic. Trans. on Prog. Lang. and Syst., 24(3):217–298.
Shaham, R., Yahav, E., Kolodner, E., and Sagiv, M. (2003). Establishing local temporal heap safety properties with applications to compile-time memory management. In Proc. of Static Analysis Symposium (SAS’03), volume 2694 of LNCS, pages 483–503. Springer.
Steensgaard, B. (1996). Points-to analysis in almost-linear time. In Princ. of Prog. Lang., pages 32–41.
Wagner, D., Foster, J., Brewer, E., and Aiken, A. (2000). A first step towards automated detection of buffer overrun vulnerabilities. In Network and Dist. Syst. Security.
Whaley, J. and Lam, M. (2004). Cloning-based context-sensitive pointer alias analyses using binary decision diagrams. In Prog. Lang. Design and Impl.
Yahav, E. (2001). Verifying safety properties of concurrent Java programs using 3-valued logic. In Princ. of Prog. Lang., pages 27–40.
Yahav, E. and Ramalingam, G. (2004). Verifying safety properties using separation and heterogeneous abstractions. In Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation, pages 25–34. ACM Press.
Yahav, E., Reps, T., Sagiv, M., and Wilhelm, R. (2003). Verifying temporal heap properties specified via evolution logic. In Proc. of the 12th European Symposium on Programming, ESOP 2003, volume 2618 of LNCS.
Yahav, E. and Sagiv, M. (2003). Automatically verifying concurrent queue algorithms. In Workshop on Software Model Checking.
2003] Yorsh, G. (2003). Logical characterizations of heap abstractions. Master’s thesis, Tel Aviv University.
Yorsh, G., Reps, T., and Sagiv, M. (2004). Symbolically computing most-precise abstract operations for shape analysis. In Tools and Algs. for the Construct. and Anal. of Syst., pages 530–545.
Zhu, J. and Calman, S. (2004). Symbolic pointer analysis revisited. In Prog. Lang. Design and Impl.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer
About this paper
Cite this paper
Sagiv, M., Reps, T.W., Wilhelm, R., Yahav, E. (2005). On the Utility of Canonical Abstraction. In: Broy, M., Grünbauer, J., Harel, D., Hoare, T. (eds) Engineering Theories of Software Intensive Systems. NATO Science Series, vol 195. Springer, Dordrecht. https://doi.org/10.1007/1-4020-3532-2_8
Download citation
DOI: https://doi.org/10.1007/1-4020-3532-2_8
Publisher Name: Springer, Dordrecht
Print ISBN: 978-1-4020-3530-2
Online ISBN: 978-1-4020-3532-6
eBook Packages: Computer ScienceComputer Science (R0)