String Abstraction for Model Checking of C Programs

Abstract: Automatic abstraction is a powerful software verification technique. In this paper, we elaborate an abstract domain for C strings, that is, null-terminated arrays of characters. We describe the abstract semantics of basic string operations and prove their soundness with regards to previously established concrete semantics of those operations. In addition to a selection of string functions from the standard C library, we provide semantics for character access and update, enabling automatic lifting of arbitrary … Show more

“…This paper is a revised and extended version of [4,5]. We introduce M-String, a new abstract domain tailored for the analysis of strings in C, whose elements:…”

“…Consider the split segmentation abstract predicate m = ([0, 0] 'a' [2,5], ∅) where C is the constant propagation domain for characters and B the interval domain. m approximates character arrays certainly containing a string of interest which is actually a sequence of 'a', whose length goes from 2 to 5, followed by a null character, e.g., "aa\0" and "aaaaa\0".…”

“…Let ([0, 0] a * [5,7], [6,8] br * [13,14]) and ([0, 0] a * [3,3], ∅) be two abstract elements in M, such that B is the interval domain over array indexes and C is the prefix domain over string values. Precisely, ([0, 0] a * [5,7], [6,8] br * [13,14]) approximates all the characters arrays with as string of interest any string starting with the character 'a' whose length goes from 5 to 7, followed by the null character and any string starting with ''br'' whose length goes from 5 to 8. On the other hand, ([0, 0] a * [3,3], ∅) abstracts all the array of chars with string of interest equal to a string, of length 3, starting with a .…”

“…m 1 , µ(m 2 ),[3,5] m 2 ) = µ(m 1 ) where: • [[low m 1 ]]ρ = [[low m 1 ]]ρ = 0 and [[high m 1 ]]ρ = [[high m 1 ]]ρ = Lexicographic comparison of concrete character array values. Function: comparison(µ(m 1 ), µ(m 2 )) Input: two concrete character array values µ(m 1 ), µ(m 2 ) ∈ M such that: • both N m 1 and N m 2 are different from the emptyset and,…”

Abstracting Strings for Model Checking of C Programs

“…This paper is a revised and extended version of [4,5]. We introduce M-String, a new abstract domain tailored for the analysis of strings in C, whose elements:…”

“…Consider the split segmentation abstract predicate m = ([0, 0] 'a' [2,5], ∅) where C is the constant propagation domain for characters and B the interval domain. m approximates character arrays certainly containing a string of interest which is actually a sequence of 'a', whose length goes from 2 to 5, followed by a null character, e.g., "aa\0" and "aaaaa\0".…”

“…Let ([0, 0] a * [5,7], [6,8] br * [13,14]) and ([0, 0] a * [3,3], ∅) be two abstract elements in M, such that B is the interval domain over array indexes and C is the prefix domain over string values. Precisely, ([0, 0] a * [5,7], [6,8] br * [13,14]) approximates all the characters arrays with as string of interest any string starting with the character 'a' whose length goes from 5 to 7, followed by the null character and any string starting with ''br'' whose length goes from 5 to 8. On the other hand, ([0, 0] a * [3,3], ∅) abstracts all the array of chars with string of interest equal to a string, of length 3, starting with a .…”

“…m 1 , µ(m 2 ),[3,5] m 2 ) = µ(m 1 ) where: • [[low m 1 ]]ρ = [[low m 1 ]]ρ = 0 and [[high m 1 ]]ρ = [[high m 1 ]]ρ = Lexicographic comparison of concrete character array values. Function: comparison(µ(m 1 ), µ(m 2 )) Input: two concrete character array values µ(m 1 ), µ(m 2 ) ∈ M such that: • both N m 1 and N m 2 are different from the emptyset and,…”

Abstracting Strings for Model Checking of C Programs

Relational String Abstract Domains

String Abstract Domains and Their Combination