Static Analysis of Heap-manipulating Low-level software Sumit GulwaniAshish Tiwari MSR, Redmond SRI International.

Static Analysis of Heap-manipulating Low-level

software

Sumit Gulwani Ashish Tiwari MSR, Redmond SRI

International

2

Related Work

• Alias/Pointer Analysis [Work done in early 90s]– Must/May equalities– Considered not expressive enough

• Shape Analysis [Work that followed]– Fancy predicates – Need to provide transfer functions for each of

them

• This work– Must/May equalities extended with quantifiers

(Provides expressiveness of an infinite class of predicates and avoids the need of providing transfer functions)

3

Example 1

9i: List(x,i,next) Æ 8j: (0·j<i) )

Array(x!nextj!data, 4*(x!nextj!len))

struct List { int Len, *Data; List* Next; }

ListOfPtrArray(struct List* x) { for (y := x; ynull; y := y!next)

t := ?; y!len := t; y!data = malloc(4t); for (y := x; ynull; y := y!next) for (z :=0; z < y!len; z := z+1)

y!data!(4z) := ….;

Invariant required after first loop for proving memory safety

4

Example 2

struct List { int Data; List* Next; }

List2Array(struct List* x) { n := 0; for (y := x; ynull; y := y!next)

n := n+1; A := malloc(4n); y:= x; for (k := 0; k < n; k++)

A!(4k) := y!data; y := y!next; return A;

Prog. Point

Invariant

1 9 i: List(x,i,next)

2 9 i: List(x,i,next),

0·n<i, y=x!nextn

3 List(x,n,next)

4 List(x,n.next), Array(A,4n)

5 List(x,n.next), Array(A,4n)

8 j: (0·j<n) ) A!(4j) = x!nextj!data

1

2

3

4

5

5

Outline

• Abstract Domain

• Implies Algorithm

• Join Algorithm

• Meet Algorithm

• PostAssignment Algorithm

6

Abstract Domain

9V: Cons Æ Must Æ May

Must := true | Must Æ 8V: (Cons ) e1=e2)

May := true | May Æ 8V: (Cons ) e1 » e2)

e := y | c | e1 § e2 |ce | e1 ! e2e3 | valid | null

Cons represent constraints over the base abstract domain, eg. Combination of linear arithmetic and uninterpreted functions

7

Expressiveness

List(x,i,next) ´ i ¸ 0 Æ x!nexti = null Æ 8 j: (0·j<i) ) Valid(x!nextj)

Valid(e) ´ e!w=valid

Array(x,k) ´ 8 j: (0·j<k) ) Valid(x+j)

8

Abstract Interpreter

Join Node Conditional Node

pTrue False

F

F1 F2

F2

F

F1

F = Join(F1,F2) F1 = Meet(F, p)

F2 = Meet(F,:p)

Statement s

F’

F

Assignment Node

F = Post(F’,s)

Where s may be:

x := e

*x := e

x := malloc(e)

free(x)

9

Implies Algorithm

Implies(F1, F2) returns 1 only if F1 ) F2

KeyIdea for checking F ) e1=e2

Check if e2 2 MustAliases(e1,F)

KeyIdea for checking F ) e1 e2

Check if : (e2 2 MayAliases(e1,F))

10

MustAliases and MayAliases

F1: x = x!nextj

F2: 8i: (0·i·j) ) x!nexti = x!nexti+1!prev

MustAliasesKeyIdea: Apply k quantifier instantiationsMustAliases(x,F1) = { x!nextj, x!next2j }

MustAliases(x,F2) =

11

MustAliases and MayAliases

F1: x = x!nextj

F2: 8j: (0·i·j) ) x!nexti=x!nexti+1!prev

MustAliasesKeyIdea: Apply k quantifier instantiationsMustAliases(x,F1) = { x!nextj, x!next2j }

MustAliases(x,F2) = { x!next!prev,

x!next!prev!next!prev }

12

MustAliases and MayAliases

F1: x = x!nextj

F2: 8j: (0·i·j) ) x!nexti=x!nexti+1!prev

MustAliasesKeyIdea: Apply k instantiations of each equalityMustAliases(x,F1) = { x!nextj, x!next2j }

MustAliases(x,F2) = { x!next!prev,

x!next!prev!next!prev }MayAliasesKeyIdea: Represent aliases by expressions of size kMayAliases(x,F1) = { x!nextt | t¸j }

MayAliases(x,F2) =

13

MustAliases and MayAliases

F1: x = x!nextj

F2: 8j: (0·i·j) ) x!nexti=x!nexti+1!prev

MustAliasesKeyIdea: Apply k instantiations of each equalityMustAliases(x,F1) = { x!nextj, x!next2j }

MustAliases(x,F2) = { x!next!prev,

x!next!prev!next!prev }MayAliasesKeyIdea: Represent aliases by expressions of size kMayAliases(x,F1) = { x!nextt | t¸j }

MayAliases(x,F2) = { x!(next|prev)t | t¸0 }

14

Join Algorithm

Join(F1, F2) returns an overapproximation of F1 Ç F2

Example 1Input 1: i=1 Æ A[0]=0 Input 2: i=2 Æ A[0]=0 Æ A[1]=1Output: 8 j: (0·j<i) ) A[j]=j

Example 2Let S(k) ´ Array(x!nextk!data, x!nextk!len)Input 1: y=x!next Æ S(0)Input 2: y=x!next2 Æ S(0) Æ S(1)Output: 9i: 1·i·2 Æ y=x!nexti Æ 8j: (0·j<i) ) S(j)

15

Join Algorithm: Key Idea

Input 1: y=x!next Æ S(0)Input 2: y=x!next2 Æ S(0) Æ S(1)

After Normalization, we get:Input 1: 9i: i=1 Æ y=x!nexti Æ 8j: (0·j<1) ) S(j)Input 2: 9i: i=2 Æ y=x!nexti Æ 8j: (0·j<2) ) S(j)

Now we use the following rule:Join (9V: E1 Æ 8U: C1)S, 9V: E2 Æ 8U: C2)S) =

9V: E3 Æ 8U: C3)S

where E3 = Join(E1, E2)

C3 = Underapproximation of C1ÆC2

16

Join Algorithm: Key Idea

Input 1: y=x!next Æ S(0)Input 2: y=x!next2 Æ S(0) Æ S(1)

After Normalization, we get:Input 1: 9i: i=1 Æ y=x!nexti Æ 8j: (0·j<1) ) S(j)Input 2: 9i: i=2 Æ y=x!nexti Æ 8j: (0·j<2) ) S(j)

Now we use the following rule:Join (9V: E1 Æ 8U: C1)S, 9V: E2 Æ 8U: C2)S) =

9V: E3 Æ 8U: C3)S

where E3 = Join(E1, E2)

C3 = Underapproximation of (E1)C1 Æ E2)C2)

17

Meet Algorithm

Meet(F,p) returns an overapproximation of F Æ pKeyIdea: Reason about interaction between

equalities & disequalities

Example 1 Input 1: 9 i: len·i Æ List(x,i,next) Æ y=x!nextlen

Input 2: y=nullOutput: 9 i: len=i Æ List(x,i,next) Æ y=x!nextlen

Example 2 Input 1: 9 i: len·i Æ List(x,i,next) Æ y=x!nextlen

Input 2: ynullOutput: 9 i: len<i Æ List(x,i,next) Æ y=x!nextlen

18

PostAssignment Algorithm

Input 1: List(y,i,next) Æ List(result,j,next) Æ y+next=x Æ *x=tmpInput 2: *x := resultOutput: List(tmp,i-1,next) Æ List(result,j,next) Æ y+next=x Æ *x=result

null

result

null

y

tmp

Post(F, s) returns an overapproximation of the strongest postcondition of F w.r.t. s

KeyIdea: Transitive Closure; Invalidate Must; Invalidate May; Add new fact

19

Experiments

Program Base Constraint Domain Required

Property Discovered (apart from memory safety)

Precondition provided

List2Array Generalized Difference Constraints

Corresponding array & list elements are same

Input is a list

ListReverse Generalized Difference Constraints

Reversed list has length 100

Input is a list of size 100

ArrayPtrArray Generalized Difference Constraints + Uninterpreted Functions

Input array has length Len (where Len is also an input)

20

Related Work

• Alias/Pointer Analysis [Work done in early 90s]– Must/May equalities– Considered not expressive enough

• Shape Analysis [Work that followed]– Fancy predicates – Need to provide transfer functions for each of

them

• This work– Must/May equalities extended with quantifiers

(Provides expressiveness of an infinite class of predicates and avoids the need of providing transfer functions)

21

Conclusion and Future Work

• Quantified abstract domain for pointer analysis– Expressive enough to reason rich properties– Amenable to automated deduction

• Extend analysis to inter-procedural setting

• Add disjunction and richer quantification support in abstract domain