Oukseh Lee

Scalable Shape Analysis for Systems Code

Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalability and precision provided by existing tools. In this paper we report on a new join operation

Proofs about a folklore let-polymorphic type inference algorithm

{\sqcup\dagger}

Automatic Verification of Pointer Programs Using Grammar-Based Shape Analysis

for the separation domain which aggressively abstracts information for scalability yet does not lead to false error reports.

A practical string analyzer by the widening approach

{\sqcup\dagger}

Program analysis for overlaid data structures

is a critical piece of a new shape analysis tool that provides an acceptable mixture of scalability and precision for industrial application. Experiments on whole Windows and Linux device drivers (firewire, pci-driver, cdrom, md, etc.) represent the first working application of shape analysis to verification of whole industrial programs.

A proof method for the corectness of modularized OCFA

The Hindley/Milner let-polymorphic type inference system has two different algorithms: one is the <italic>de facto</italic>standard Algorithm <inline-equation> <f><sc>W</sc></f></inline-equation> that is bottom-up (or context-insensitive), and the other is a “folklore” algorithm that is top-down (or context-sensitive). Because the latter algorithm has not been formally presented with its soundness and completeness proofs, and its relation with the <inline-equation> <f><sc>W</sc></f></inline-equation> algorithm has not been rigorously investigated, its use in place of (or in combination with) <inline-equation> <f><sc>W</sc></f></inline-equation> is not well founded. In this article, we formally define the context-sensitive, top-down type inference algorithm (named “<inline-equation> <f><sc>M</sc></f></inline-equation>”), prove its soundness and completeness, and show a distinguishing property that <inline-equation> <f><sc>M</sc></f></inline-equation> always stops earlier than <inline-equation> <f><sc>W</sc></f></inline-equation> if the input program is ill typed. Our proofs can be seen as theoretical justifications for various type-checking strategies being used in practice.

Automatic extraction of semantic relationships from images using ontologies and SVM classifiers

We present a program analysis that can automatically discover the shape of complex pointer data structures. The discovered invariants are, then, used to verify the absence of safety errors in the program, or to check whether the program preserves the data consistency. Our analysis extends the shape analysis of Sagiv et al. with grammar annotations, which can precisely express the shape of complex data structures. We demonstrate the usefulness of our analysis with binomial heap construction and the Schorr-Waite tree traversal. For a binomial heap construction algorithm, our analysis returns a grammar that precisely describes the shape of a binomial heap; for the Schorr-Waite tree traversal, our analysis shows that at the end of the execution, the result is a tree and there are no memory leaks.

Proofs of a set of hybrid let-polymorphic type inference algorithms

The static determination of approximated values of string expressions has many potential applications. For instance, approximated string values may be used to check the validity and security of generated strings, as well as to collect the useful string properties. Previous string analysis efforts have been focused primarily on the maxmization of the precision of regular approximations of strings. These methods have not been completely satisfactory due to the difficulties in dealing with heap variables and context sensitivity. In this paper, we present an abstract-interpretation-based solution that employs a heuristic widening method. The presented solution is implemented and compared to JSA. In most cases, our solution gives results as precise as those produced by previous methods, and it makes the additional contribution of easily dealing with heap variables and context sensitivity in a very natural way. We anticipate the employment of our method in practical applications.

Experiments on the effectiveness of an automatic insertion of memory reuses into ML-like programs

We call a data structure overlaid, if a node in the structure includes links for multiple data structures and these links are intended to be used at the same time. In this paper, we present a static program analysis for overlaid data structures. Our analysis implements two main ideas. The first is to run multiple sub-analyses that track information about non-overlaid data structures, such as lists. Each sub-analysis infers shape properties of only one component of an overlaid data structure, but the results of these sub-analyses are later combined to derive the desired safety properties about the whole overlaid data structure. The second idea is to control the communication among the sub-analyses using ghost states and ghost instructions. The purpose of this control is to achieve a high level of efficiency by allowing only necessary information to be transferred among sub-analyses and at as few program points as possible. Our analysis has been successfully applied to prove the memory safety of the Linux deadline IO scheduler and AFS server.

A divide-and-conquer approach for analysing overlaid data structures

This article is about our Þndings when we tried to derive a modular version from a whole-program control-sow analysis (CFA). Deriving a modular version from a whole-program kCFA makes the resulting analysis polyvariant at modulelevel. Hence the correctness of its modularized version cannot be proven in general with respect to the original kCFA. A convenient stepping-stone to prove the correctness of a modularized version is a whole-program kCFA that is polyvariant at module-level. Because CFA is a basis of almost all analyses for higher-order programs, our result can be seen as a general hint of using the module-variant whole-program analysis in order to ease the correctness proof for a modularized version. Our work can also be seen as a formal investigation, for CFA, of the folklore that modularization improves the analysis accuracy.