Template-Based Verification of Heap-Manipulating Programs

Abstract: We propose a shape analysis suitable for analysis engines that perform automatic invariant inference using an SMT solver. The proposed solution includes an abstract template domain that encodes the shape of the program heap based on logical formulae over bit-vectors. It is based on computing a points-to relation between pointers and symbolic addresses of abstract memory objects. Our abstract heap domain can be combined with value domains in a straightforward manner, which particularly allows us to reason about… Show more

“…The 2019 and 2020 competition versions of 2LS feature product and power abstract domain combinations supporting invariant inference for programs manipulating shape and content of dynamic data structures [4]. Moreover, the 2020 version came with further enhancements for handling advanced features of memory allocation and made a step towards a support of generic abstract domain combinations.…”

“…Memory model In our memory model, we represent dynamically allocated objects by so-called abstract dynamic objects. Each such object is an abstraction of a number of concrete dynamic objects allocated by the same malloc call [4].…”

“…Shape Domain For analysing the shape of the heap, we use an improved version of the shape domain that we introduced in 2018 [5]. The domain over-approximates the points-to relation between pointers and symbolic addresses of memory objects in the analysed program: for each pointer-typed variable and each pointer-typed field of an abstract dynamic object p, we compute the set of all addresses that p may point to [4].…”

“…Since both domains have the form of a template formula, we simply use them side-by-side in a product domain combinationthe resulting formula is a conjunction of the two template formulae [4]. This combination allows 2LS to infer, e.g., invariants describing an unbounded singly-linked list whose nodes contain values between 1 and 10.…”

“…We require a symbolic path to express which loops were executed at least once. This allows us to distinguish situations when an abstract dynamic object does not represent any really allocated object and hence the invariant for such abstract dynamic object is not valid [4].…”

2LS: Heap Analysis and Memory Safety

“…The 2019 and 2020 competition versions of 2LS feature product and power abstract domain combinations supporting invariant inference for programs manipulating shape and content of dynamic data structures [4]. Moreover, the 2020 version came with further enhancements for handling advanced features of memory allocation and made a step towards a support of generic abstract domain combinations.…”

“…Memory model In our memory model, we represent dynamically allocated objects by so-called abstract dynamic objects. Each such object is an abstraction of a number of concrete dynamic objects allocated by the same malloc call [4].…”

“…Shape Domain For analysing the shape of the heap, we use an improved version of the shape domain that we introduced in 2018 [5]. The domain over-approximates the points-to relation between pointers and symbolic addresses of memory objects in the analysed program: for each pointer-typed variable and each pointer-typed field of an abstract dynamic object p, we compute the set of all addresses that p may point to [4].…”

“…Since both domains have the form of a template formula, we simply use them side-by-side in a product domain combinationthe resulting formula is a conjunction of the two template formulae [4]. This combination allows 2LS to infer, e.g., invariants describing an unbounded singly-linked list whose nodes contain values between 1 and 10.…”

“…We require a symbolic path to express which loops were executed at least once. This allows us to distinguish situations when an abstract dynamic object does not represent any really allocated object and hence the invariant for such abstract dynamic object is not valid [4].…”

2LS: Heap Analysis and Memory Safety

Compositional Verification of Heap-Manipulating Programs Through Property-Guided Learning

2LS: Arrays and Loop Unwinding