Towards Shape Analysis for Device Drivers
Shape analysis algorithms statically infer deep properties of the runtime heap, such as whether a variable points to a cyclic or acyclic linked list. Unfortunately, there are unsolved problems that make it difficult for shape analyses being to be used for real-world programs. The problems include: performance of the analysis; dealing with low-level language features; and supporting complex data-structures used in real-world programs, without sacrificing precision or performance of the analysis.
In this talk, I will present work on shape analysis for Windows device drivers based on separation logic formulae. Device drivers basically use linked lists, but complex varieties of linked list unlike those usually studied in shape analysis. I will explain the nature of those structures, which open problems matter most for our analysis, and how we approach some of those problems. In particular, I will describe how higher-order predicates let us succinctly describe a variety of data structures, and how discovery of parameters to higher-order predicates allows an analysis that is not tied to specific structures.