
Publication


Featured research published by Shmuel Sagiv.


static analysis symposium | 2000

TVLA: A System for Implementing Static Analyses

Tal Lev-Ami; Shmuel Sagiv

We present TVLA (Three-Valued-Logic Analyzer). TVLA is a “YACC”-like framework for automatically constructing static-analysis algorithms from an operational semantics, where the operational semantics is specified using logical formulae. TVLA has been implemented in Java and was successfully used to perform shape analysis on programs manipulating linked data structures (singly and doubly linked lists), to prove safety properties of Mobile Ambients, and to verify the partial correctness of several sorting programs.


static analysis symposium | 2001

Cleanness Checking of String Manipulations in C Programs via Integer Analysis

Nurit Dor; Michael Rodeh; Shmuel Sagiv

All practical C programs use structures, arrays, and/or strings. At runtime, such objects are mapped into consecutive memory locations, hereafter referred to as buffers. Many software defects are caused by buffer overflow -- unintentional access to memory outside the intended object. String manipulation is a major source of such defects. According to the FUZZ study, they are the cause of most UNIX failures. We present a new algorithm for statically detecting buffer overflow defects caused by string manipulations in C programs. In many programs, our algorithm is capable of precisely handling destructive memory updates, even in the presence of overlapping pointer variables which reference the same buffer at different offsets. Thus, our algorithm can uncover defects which go undetected by previous works. We reduce the problem of checking string manipulation to that of analyzing integer variables. A prototype of the algorithm has been implemented and applied to statically uncover defects in real C applications, i.e., errors which occur on some inputs to the program. The applications were selected without a priori knowledge of the number of string manipulation errors. A significant number of string manipulation errors were found in every application, further indicating the extensiveness of such errors. We are encouraged by the fact that our algorithm reports very few false alarms, i.e., warnings on errors that never occur at runtime.


compiler construction | 2000

Automatic Removal of Array Memory Leaks in Java

Ran Shaham; Elliot K. Kolodner; Shmuel Sagiv

Current garbage collection (GC) techniques do not (and in general cannot) collect all the garbage that a program produces. This may lead to a performance slowdown and to programs running out of memory space. In this paper, we present a practical algorithm for statically detecting memory leaks occurring in arrays of objects in a garbage collected environment. No previous algorithm exists. The algorithm is conservative, i.e., it never detects a leak on a piece of memory that is subsequently used by the program, although it may fail to identify some leaks. The presence of the detected leaks is exposed to the garbage collector, thus allowing GC to collect more storage. We have instrumented the Java virtual machine to measure the effect of memory leaks in arrays. Our initial experiments indicate that this problem occurs in many Java applications. Our measurements of heap size show improvement on some example programs.


static analysis symposium | 2000

Checking Cleanness in Linked Lists

Nurit Dor; Michael Rodeh; Shmuel Sagiv

A new algorithm is presented that automatically uncovers memory errors such as NULL pointer dereferences and memory leaks in C programs. The algorithm is conservative, i.e., it can never miss an error but may report “false alarms”. When applied to several intricate C programs manipulating singly linked lists, the new algorithm yields more accurate results, does not report any false alarm, and usually runs even faster and consumes less space than a less precise algorithm.


colloquium on trees in algebra and programming | 1995

Precise Interprocedural Dataflow Analysis with Applications to Constant Propagation

Shmuel Sagiv; Thomas W. Reps; Susan Horwitz

This paper concerns interprocedural dataflow-analysis problems in which the dataflow information at a program point is represented by an environment (i.e., a mapping from symbols to values), and the effect of a program operation is represented by a distributive environment transformer. We present an efficient dynamic-programming algorithm that produces precise solutions.


compiler construction | 2001

Interprocedural Shape Analysis for Recursive Programs

Noam Rinetzky; Shmuel Sagiv

A shape-analysis algorithm statically analyzes a program to determine information about the heap-allocated data structures that the program manipulates. The results can be used to optimize, understand, debug, or verify programs. Existing algorithms are quite imprecise in the presence of recursive procedure calls. This is unfortunate, since recursion provides a natural way to manipulate linked data structures. We present a novel technique for shape analysis of recursive programs. An algorithm based on our technique has been implemented. It handles programs manipulating linked lists written in a subset of C. The algorithm is significantly more precise than existing algorithms. For example, it can verify the absence of memory leaks in many recursive programs; this is beyond the capabilities of existing algorithms.


european symposium on programming | 2000

A Kleene Analysis of Mobile Ambients

Flemming Nielson; Hanne Riis Nielson; Shmuel Sagiv

We show how a program analysis technique originally developed for C-like pointer structures can be adapted to analyse the hierarchical structure of processes in the ambient calculus. The technique is based on modeling the semantics of the language in a two-valued logic; by reinterpreting the logical formulae in Kleene's three-valued logic we obtain an analysis allowing us to reason about may as well as must properties. The correctness of the approach follows from a general Embedding Theorem for Kleene's logic; furthermore, embeddings allow us to reduce the size of structures so as to control the time and space complexity of the analysis.


european symposium on programming | 1998

Building a bridge between pointer aliases and program dependences

John L. Ross; Shmuel Sagiv

In this paper we present a surprisingly simple reduction of the program dependence problem to the may-alias problem. While both problems are undecidable, providing a bridge between them has great practical importance. Program dependence information is used extensively in compiler optimizations, automatic program parallelizations, code scheduling in super-scalar machines, and in software engineering tools such as code slicers. When working with languages that support pointers and references, these systems are forced to make very conservative assumptions. This leads to many superfluous program dependences and limits compiler performance and the usability of software engineering tools. Fortunately, there are many algorithms for computing conservative approximations to the may-alias problem. The reduction has the important property of always computing conservative program dependences when used with a conservative may-alias algorithm. We believe that the simplicity of the reduction and the fact that it takes linear time may make it practical for realistic applications.


PLILP '90 Proceedings of the 2nd International Workshop on Programming Language Implementation and Logic Programming | 1990

A Logic-Based Approach to Data Flow Analysis Problem

Shmuel Sagiv; Nissim Francez; Michael Rodeh; Reinhard Wilhelm

A new uniform formalism for tracking static properties of programs is presented. The formalism annotates each point in a program with static assertions, i.e., assertions which hold independently of the specific execution path leading to this point.


symposium on principles of programming languages | 1989

Resolving circularity in attribute grammars with applications to data flow analysis (preliminary version)

Shmuel Sagiv; O. Edelstein; Nissim Francez; Michael Rodeh

Circular attribute grammars appear in many data flow analysis problems. As one way of making the notion useful, an automatic translation of circular attribute grammars to equivalent non-circular attribute grammars is presented. It is shown that for circular attribute grammars that arise in many data flow analysis problems, the translation does not increase the asymptotic complexity of the semantic equations. Therefore, the translation may be used in conjunction with any evaluator generator to automate the development of efficient data flow analysis algorithms. As a result, the integration of such algorithms with other parts of a compiler becomes easier.

Collaboration


Shmuel Sagiv's collaborations.

Top Co-Authors

Thomas W. Reps (University of Wisconsin-Madison)

Nissim Francez (Technion – Israel Institute of Technology)

N. Frances (Technion – Israel Institute of Technology)

O. Edelstein (Technion – Israel Institute of Technology)