Article

Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics

Author:
Antoine Miné

École Normale Supérieure, Paris, France

École Normale Supérieure, Paris, France
View Profile

LCTES '06: Proceedings of the 2006 ACM SIGPLAN/SIGBED conference on Language, compilers, and tool support for embedded systemsJune 2006Pages 54–63https://doi.org/10.1145/1134650.1134659

Published:14 June 2006Publication History

LCTES '06: Proceedings of the 2006 ACM SIGPLAN/SIGBED conference on Language, compilers, and tool support for embedded systems

Pages 54–63

ABSTRACT

We propose a memory abstraction able to lift existing numerical static analyses to C programs containing union types, pointer casts, and arbitrary pointer arithmetics. Our framework is that of a combined points-to and data-value analysis. We abstract the contents of compound variables in a field-sensitive way, whether these fields contain numeric or pointer values, and use stock numerical abstract domains to find an overapproximation of all possible memory states---with the ability to discover relationships between variables. A main novelty of our approach is the dynamic mapping scheme we use to associate a flat collection of abstract cells of scalar type to the set of accessed memory locations, while taking care of byte-level aliases---i.e., C variables with incompatible types allocated in overlapping memory locations. We do not rely on static type information which can be misleading in C programs as it does not account for all the uses a memory zone may be put to.Our work was incorporated within the Astrée static analyzer that checks for the absence of run-time-errors in embedded, safety-critical, numerical-intensive software. It replaces the former memory domain limited to well-typed, union-free, pointer-cast free data-structures. Early results demonstrate that this abstraction allows analyzing a larger class of C programs, without much cost overhead.

References

AT&T and The Santa Cruz Operation Inc. System V application binary interface, 1997.]]Google Scholar
G. Balakrishnan and T. Reps. Analyzing memory accesses in x86 executables. In CC 2004, number 2985 in LNCS, pages 5--23. Springer, 2004.]]Google ScholarCross Ref
B. Blanchet, P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. A static analyzer for large safety-critical software. In ACM PLDI'03, volume 548030, pages 196--207. ACM Press, 2003.]] Google ScholarDigital Library
P. Cousot. Verification by abstract interpretation. In Verification: Theory and Practice: Essays Dedicated to Zohar Manna on the Occasion of His 64th Birthday, volume 2772, pages 243--268. Springer, 2003.]]Google Scholar
P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In ACM POPL'77, pages 238--252. ACM Press, 1977.]] Google ScholarDigital Library
P. Cousot and R. Cousot. Abstract interpretation frameworks. Journal of Logic and Computation, 2(4):511--547, 1992.]]Google ScholarCross Ref
N. Dor, M. Rodeh, and M. Sagiv. Cleanness checking of string manipulations in C programs via integer analysis. In SAS'01, volume 2126 of LNCS. Springer, 2001.]] Google ScholarDigital Library
J.-L. Lions et al. ARIANE 5, flight 501 failure, report by the inquiry board, 1996.]]Google Scholar
J. Feret. Static analysis of digital filters. In ESOP'04, volume 2986 of LNCS. Springer, 2004.]]Google Scholar
D. Gopan, F. DiMaio, N. Dor, T. Reps, and M. Sagiv. Numeric domains with summarized dimensions. In TACAS 2004, LNCS, pages 512--529. Springer, 2004.]]Google ScholarCross Ref
P. Granger. Static analysis of arithmetical congruences. In International Journal of Computer Mathematics, volume 30, pages 165--190, 1989.]]Google ScholarCross Ref
M. Hind. Pointer analysis: Haven't we solved this problem yet? In PASTE'01, pages 54--61. ACM Press, 2001.]] Google ScholarDigital Library
IEEE Computer Society. IEEE standard for binary floating-point arithmetic. Technical report, ANSI/IEEE Std. 745-1985, 1985.]]Google Scholar
International Organisation for Standardization. Programming languages -- C. Technical report, ISO/IEC 9899:1999, 1999.]]Google Scholar
A. Miné. The octagon abstract domain. In AST 2001 in WCRE 2001, IEEE, pages 310--319. IEEE CS Press, 2001.]] Google ScholarDigital Library
A. Miné. Relational abstract domains for the detection of floating-point run-time errors. In ESOP'04, volume 2986 of LNCS, pages 3--17. Springer, 2004.]]Google Scholar
G. Necula, S. McPeak, and W. Weimer. CCured: type-safe retrofitting of legacy code. In POPL'02, pages 128--139. ACM Press, 2002.]] Google ScholarDigital Library
A. Pioli and M. Hind. Combining interprocedural pointer analysis and conditional constant propagation. Technical Report 99-103, IBM, 1999.]]Google Scholar
R. Rugina and M. Rinard. Symbolic bounds analysis of pointers, array indices, and accessed memory regions. In PLDI'00, pages 182--195. ACM Press, 2000.]] Google ScholarDigital Library
M. Sagiv, T. Reps, and R. Wilhelm. Parametric shape analysis via 3-valued logic. TOPLAS, 24(3), 2002.]] Google ScholarDigital Library
M. Siff, S. Chandra, T. Ball, K. Kunchithapadam, and T. Reps. Coping with type casts in C. In ESEC/FSE'99, pages 180--198. Springer.]] Google ScholarDigital Library
B. Steensgaard. Points-to analysis by type inference of programs with structures and unions. In CC'96, volume 1060 of LNCS, pages 136--150. Springer, 1996.]] Google ScholarDigital Library
A. Venet. A scalable nonuniform pointer analysis for embedded programs. In SAS'04, number 3148 in LNCS, pages 149--164. Springer, 2004.]]Google Scholar
J. Whaley and M. Lam. An efficient inclusion-based points-to analysis for strictly-typed languages. In SAS'02, volume 2477, pages 180--195. Springer.]] Google ScholarDigital Library
R. Wilson and M. Lam. Efficient context-sensitive pointer analysis for C programs. In PLDI'95, pages 1--12. ACM Press, 1995.]] Google ScholarDigital Library
S. Yong and S. Horwitz. Pointer-range analysis. In SAS'04, number 3148 in LNCS, pages 133--148. Springer, 2004.]]Google Scholar
S. Yong, S. Horwitz, and T. Reps. Pointer analysis for programs with structures and casting. In PLDI'99, pages 91--103. ACM Press, 1999.]] Google ScholarDigital Library

Recommendations

Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics
Proceedings of the 2006 LCTES Conference

We propose a memory abstraction able to lift existing numerical static analyses to C programs containing union types, pointer casts, and arbitrary pointer arithmetics. Our framework is that of a combined points-to and data-value analysis. We abstract ...
Read More
Combining range and inequality information for pointer disambiguation

Pentagons is an abstract domain invented by Logozzo and Fhndrich to validate array accesses in low-level programming languages. This algebraic structure provides a cheap less-than check, which builds a partial order between the integer variables used in ...
Read More
Refinement-based context-sensitive points-to analysis for Java
Proceedings of the 2006 PLDI Conference

We present a scalable and precise context-sensitive points-to analysis with three key properties: (1) filtering out of unrealizable paths, (2) a context-sensitive heap abstraction, and (3) a context-sensitive call graph. Previous work [21] has shown ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
LCTES '06: Proceedings of the 2006 ACM SIGPLAN/SIGBED conference on Language, compilers, and tool support for embedded systems
June 2006
220 pages
ISBN:159593362X
DOI:10.1145/1134650
General Chair:
Mary Jane Irwin
Pennsylvania State University, USA
,
Program Chair:
Koen De Bosschere
Ghent University, Belgium
ACM SIGPLAN Notices Volume 41, Issue 7
Proceedings of the 2006 LCTES Conference
July 2006
208 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/1159974
Issue’s Table of Contents
Copyright © 2006 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 14 June 2006
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
abstract interpretation
critical software
numerical analysis
points-to analysis
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate116of438submissions,26%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 75
  Total Citations
  View Citations
- 688
  Total Downloads
- Downloads (Last 12 months)28
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics

LCTES '06: Proceedings of the 2006 ACM SIGPLAN/SIGBED conference on Language, compilers, and tool support for embedded systems

ABSTRACT

References

Cited By

Recommendations

Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics

Combining range and inequality information for pointer disambiguation

Refinement-based context-sensitive points-to analysis for Java