Parametric shape analysis via 3-valued logic

Sagiv, Mooly; Reps, Thomas; Wilhelm, Reinhard

doi:10.1145/292540.292552

Cited by 336 publications

(270 citation statements)

References 17 publications

(26 reference statements)

Supporting

Mentioning

268

Contrasting

Unclassified

Order By: Relevance

“…These properties are more similar to the kind of properties that shape analysis techniques (e.g. Balaban et al, 2005;Sagiv et al, 1998Sagiv et al, , 2002 target. However, those techniques aim at proving a property of a program, while our technique provides a lightweight analysis geared at finding bugs.…”

Section: Discussionmentioning

confidence: 80%

Inferring specifications to detect errors in code

Taghdiri

2006

Autom Softw Eng

View full text Add to dashboard Cite

A new technique is presented to statically check a given procedure against a user-provided property. The method requires no annotations; it automatically infers a context-dependent specification for each procedure call, so that only as much information about a procedure is used as is needed to analyze its caller. Specifications are inferred iteratively. Empty specifications are initially used to over-approximate the effects of all procedure calls; these are later refined in response to spurious counterexamples. When the analysis terminates, any remaining counterexample is guaranteed to be valid. However, since the heap is finitized, the absence of a counterexample does not guarantee the validity of the given property in general.

show abstract

Section: Discussionmentioning

confidence: 80%

Inferring specifications to detect errors in code

Taghdiri

2006

Autom Softw Eng

View full text Add to dashboard Cite

show abstract

“…For shape analysis, many other formalisms than FAs have been used, including, e.g., separation logic and various related graph formalisms [10,14,21,29], other logics [18,26], automata [8], or graph grammars [16]. Compared with FAs, these approaches typically handle less general heap structures (often restricted to various classes of lists) [14,29], they are less automated (requiring the user to specify loop invariants [18] or at least inductive definitions of the involved data structures [10,16,21]), or less scalable [8].…”

Section: Related Workmentioning

confidence: 99%

Verification of heap manipulating programs with ordered data by extended forest automata

et al. 2015

View full text Add to dashboard Cite

We present a general framework for verifying programs with complex dynamic linked data structures whose correctness depends on ordering relations between stored data values. The underlying formalism of our framework is that of forest automata (FA), which has previously been developed for verification of heap-manipulating programs. We extend FA with constraints between data elements associated with nodes of the heaps represented by FA, and we present extended versions of all operations needed for using the extended FA in a fully-automated verification approach, based on abstract interpretation. We have implemented our approach as an extension of the Forester tool and successfully applied it This paper is an extended version of a paper published in the proceedings of ATVA'13.

show abstract

“…Shape analysis (Ghiya and Hendren 1996;Sagiv et al 1999;Kuncak et al 2006;Bogudlov et al 2007;Zee et al 2008) is a static analysis technique that discovers and verifies properties of linked, dynamically allocated data structures. It is typically used at compile time to find software bugs or to verify high-level correctness properties of programs.…”

Section: Related Workmentioning

confidence: 99%

Scalable data structure detection and classification for C/C++ binaries

2015

View full text Add to dashboard Cite

Many existing techniques for reversing data structures in C/C++ binaries are limited to low-level programming constructs, such as individual variables or structs. Unfortunately, without detailed information about a program's pointer structures, forensics and reverse engineering are exceedingly hard. To fill this gap, we propose MemPick, a tool that detects and classifies high-level data structures used in stripped binaries. By analyzing how links between memory objects evolve throughout the program execution, it distinguishes between many commonly used data structures, such as singly-or doubly-linked lists, many types of trees (e.g., AVL, red-black trees, B-trees), and graphs. We evaluate the technique on 10 real world applications, 4 file system implementations and 16 popular libraries. The results show that MemPick can identify the data structures with high accuracy.

show abstract

Parametric shape analysis via 3-valued logic

Cited by 336 publications

References 17 publications

Inferring specifications to detect errors in code

Inferring specifications to detect errors in code

Verification of heap manipulating programs with ordered data by extended forest automata

Scalable data structure detection and classification for C/C++ binaries

Contact Info

Product

Resources

About