Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics

We propose a memory abstraction able to lift existing numerical static analyses to C programs containing union types, pointer casts, and arbitrary pointer arithmetics. Our framework is that of a combined points-to and data-value analysis. We abstract the contents of compound variables in a field-sensitive way, whether these fields contain numeric or pointer values, and use stock numerical abstract domains to find an overapproximation of all possible memory states---with the ability to discover relationships between variables. A main novelty of our approach is the dynamic mapping scheme we use to associate a flat collection of abstract cells of scalar type to the set of accessed memory locations, while taking care of byte-level aliases---i.e., C variables with incompatible types allocated in overlapping memory locations. We do not rely on static type information which can be misleading in C programs as it does not account for all the uses a memory zone may be put to.Our work was incorporated within the Astrée static analyzer that checks for the absence of run-time-errors in embedded, safety-critical, numerical-intensive software. It replaces the former memory domain limited to well-typed, union-free, pointer-cast free data-structures. Early results demonstrate that this abstraction allows analyzing a larger class of C programs, without much cost overhead.

• Publication year

  2006

• Venue

  ACM SIGPLAN Conference on Languages, Compilers, and Tools for Embedded Systems

• Publication date

  2006-07-12

• Fields of study

  Computer Science

• Identifiers
  DOI 10.1145/1134650.1134659arXiv cs/0703074
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• Verification : theory and practice : essays dedicated to Zohar Manna on the occasion of his 64th birthday

  2004cited by this paper
• Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors

  2004cited by this paper
• Static Analysis of Digital Filters

  2004cited by this paper
• A Scalable Nonuniform Pointer Analysis for Embedded Programs

  2004influential reference
• Pointer-Range Analysis

  2004cited by this paper
• Numeric Domains with Summarized Dimensions

  2004cited by this paper
• Analyzing Memory Accesses in x86 Executables

  2004cited by this paper
• A static analyzer for large safety-critical software

  2003influential reference
• Verification by Abstract Interpretation

  2003influential reference
• CCured: type-safe retrofitting of legacy code

  2002influential reference
• An Efficient Inclusion-Based Points-To Analysis for Strictly-Typed Languages

  2002cited by this paper
• Cleanness Checking of String Manipulations in C Programs via Integer Analysis

  2001cited by this paper
• The octagon abstract domain

  2001cited by this paper
• Pointer analysis: haven't we solved this problem yet?

  2001influential reference
• Symbolic bounds analysis of pointers, array indices, and accessed memory regions

  2000cited by this paper
• Parametric shape analysis via 3-valued logic

  1999cited by this paper
• Combining Interprocedural Pointer Analysis and Conditional Constant Propagation

  1999cited by this paper
• Coping with type casts in C

  1999cited by this paper
• Pointer analysis for programs with structures and casting

  1999cited by this paper
• ARIANE 5 Flight 501 Failure: Report by the Enquiry Board

  1996cited by this paper
• Efficient context-sensitive pointer analysis for c programs

  1995cited by this paper
• Efficient context-sensitive pointer analysis for C programs

  1995influential reference
• Abstract Interpretation Frameworks

  1992cited by this paper
• Static analysis of arithmetical congruences

  1989cited by this paper
• IEEE Standard for Binary Floating Point Arithmetic

  1985cited by this paper
• Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints

  1977influential reference

• Mopsa-C with Trace Partitioning and Autosuggestions (Competition Contribution)

  2025cites this paper
• Abstraction of memory block manipulations by symbolic loop folding

  2025cites this paper
• C-2PO: A Weakly Relational Pointer Domain: “These Are Not the Memory Cells You Are Looking For”

  2024cites this paper
• Avoiding Instruction-Centric Microarchitectural Timing Channels Via Binary-Code Transformations

  2024cites this paper
• A Dependent Nominal Physical Type System for Static Analysis of Memory in Low Level Code

  2024cites this paper
• Mopsa-C: Improved Verification for C Programs, Simple Validation of Correctness Witnesses (Competition Contribution)

  2024cites this paper
• Structure-Sensitive Pointer Analysis for Multi-structure Objects

  2024cites this paper
• Multi-structure Objects Points-to Analysis

  2023cites this paper
• Memory Simulations, Security and Optimization in a Verified Compiler

  2023cites this paper
• Mopsa-C: Modular Domains and Relational Abstract Interpretation for C Programs (Competition Contribution)

  2023cites this paper
• Static Analysis of Endian Portability by Abstract Interpretation

  2021cites this paper
• Analysis

  2021cites this paper
• Abstract Interpretation of LLVM with a Region-Based Memory Model

  2021cites this paper
• References/Bibliography

  2021cites this paper
• Automatically Tailoring Abstract Interpretation to Custom Usage Scenarios

  2021cites this paper
• A Multilanguage Static Analysis of Python Programs with Native C Extensions

  2021cites this paper
• Abstracting Strings for Model Checking of C Programs

  2020cites this paper
• Numeric domains meet algebraic data types

  2020cites this paper
• Sharing Ghost Variables in a Collection of Abstract Domains

  2020influential citation
• Verified Software. Theories, Tools, and Experiments: 11th International Conference, VSTTE 2019, New York City, NY, USA, July 13–14, 2019, Revised Selected Papers

  2020cites this paper
• Automatically Proving Microkernels Free from Privilege Escalation from their Executable

  2020cites this paper
• Automatically Tailoring Static Analysis to Custom Usage Scenarios

  2020cites this paper
• Modular analysis of numerical properties by abstract interpretation

  2020cites this paper
• A Library Modeling Language for the Static Analysis of C Programs

  2020cites this paper
• No Crash, No Exploit: Automated Verification of Embedded Kernels

  2020cites this paper
• Precise and modular static analysis by abstract interpretation for the automatic proof of program soundness and contracts inference. (Analyse statique modulaire précise par interprétation abstraite pour la preuve automatique de correction de programmes et pour l'inférence de contrats)

  2019cites this paper
• Static Analysis of Binary Code with Memory Indirections Using Polyhedra

  2019cites this paper
• Combinations of Reusable Abstract Domains for a Multilingual Static Analyzer

  2019cites this paper
• Fast and Precise Handling of Positive Weight Cycles for Field-Sensitive Pointer Analysis

  2019cites this paper
• Simple and precise static analysis of untrusted Linux kernel extensions

  2019cites this paper
• Habilitation à Diriger des Recherches Xavier Rival Domaines Abstraits pour l ’ Analyse Statique de Programmes Manipulant des Structures de Données Complexes Abstract Domains for the Static Analysis of Programs Manipulating Complex Data Structures

  2019influential citation
• Verifying constant-time implementations by abstract interpretation

  2018cites this paper
• Checking Array Bounds by Abstract Interpretation and Symbolic Expressions

  2018cites this paper
• Anonymous On-line Communication Between Program Analyses ( Regular paper )

  2018cites this paper
• Design of a Modular Platform for Static Analysis

  2018cites this paper
• Exploiting Pointer Analysis in Memory Models for Deductive Verification

  2018cites this paper
• Techniques for formal modelling and verification on dynamic memory allocators. (Techniques de modélisation et de vérification formelles des allocateurs de mémoire dynamiques)

  2018cites this paper
• Modular Static Analysis of String Manipulations in C Programs

  2018influential citation
• From Low-Level to High-Level Programs Deliverable

  2017cites this paper
• Structuring an Abstract Interpreter through Value and State Abstractions:EVA, an Evolved Value Analysis for Frama-C. (Structurer un interpréteur abstrait au moyen d'abstractions de valeurs et d'états :Eva, une analyse de valeur évoluée pour Frama-C)

  2017cites this paper
• Static Analysis for Low Level Programs Deliverable D2-1

  2017cites this paper
• Structuring Abstract Interpreters Through State and Value Abstractions

  2017cites this paper
• Recovering structural information for better static analysis

  2017cites this paper
• Tutorial on Static Inference of Numeric

  2017cites this paper
• Thread-modular static analysis for relaxed memory models

  2017influential citation
• Detecting Strict Aliasing Violations in the Wild

  2017cites this paper
• A Context-Sensitive Memory Model for Verification of C/C++ Programs

  2017cites this paper
• Abstract Interpretation using a Language of Symbolic Approximation

  2017cites this paper
• Partitioned Memory Models for Program Analysis

  2017influential citation
• Low-cost memory analyses for efficient compilers

  2017cites this paper
• A generic framework for heap and value analyses of object-oriented programming languages

  2016cites this paper
• Taking Static Analysis to the Next Level: Proving the Absence of Run-Time Errors and Data Races with Astrée

  2016cites this paper
• Hierarchical Shape Abstraction for Analysis of Free List Memory Allocators

  2016cites this paper
• Structure-Sensitive Points-To Analysis for C and C++

  2016cites this paper
• Static analysis by abstract interpretation of functional properties of device drivers in TinyOS

  2016influential citation
• An abstract memory functor for verified C static analyzers

  2016influential citation
• Verified static analyzes for low-level languages

  2015cites this paper
• On the Veri cation of SCOOP Programs

  2015cites this paper
• Adaptable Static Analysis of Executables for proving the Absence of Vulnerabilities

  2015cites this paper
• Framework for Static Analysis of PHP Applications

  2015cites this paper
• Anonymous On-line Communication Between Program Analyses

  2015cites this paper
• On the verification of SCOOP programs

  2015cites this paper
• Generic Combination of Heap and Value Analyses in Abstract Interpretation

  2014cites this paper
• Conditional termination of loops over heap-allocated data

  2014cites this paper
• An Abstract Domain Combinator for Separately Conjoining Memory Abstractions

  2014cites this paper
• Modularly Combining Numeric Abstract Domains with Points-to Analysis, and a Scalable Static Numeric Analyzer for Java

  2014cites this paper
• Global Sparse Analysis Framework

  2014cites this paper
• Expression-Based Aliasing for OO-languages

  2014cites this paper
• Lifting Numerical Abstract Domains to Heap-manipulating Programs

  2013cites this paper
• Heap space analysis for garbage collected languages

  2013cites this paper
• Advanced Topics in Resource Analysis: Certification, Incrementality, Concurrency and Array-Sensitivity

  2013cites this paper
• Static analysis of numerical properties in the presence of pointers. (Analyse statique de propriétés numériques en présence de pointeurs)

  2013cites this paper
• Rapport de stage : Analyse sémantique des tableaux, des structures et des pointeurs

  2013cites this paper
• Static analysis by abstract interpretation of concurrent programs. (Analyse statique par interprétation abstraite de programmes concurrents)

  2013cites this paper
• Reduced Product Combination of Abstract Domains for Shapes

  2013cites this paper
• Formal Verification of a C Value Analysis Based on Abstract Interpretation

  2013influential citation
• Field-Sensitive Pointer Analysis for C Programs with Integer/Pointer Conversions

  2013cites this paper
• THÈSE / UNIVERSITÉ DE RENNES 1 sous le sceau de l'Université Européenne de Bretagne pour le grade de DOCTEUR DE L'UNIVERSITÉ DE RENNES 1 Mention : Informatique Ecole doctorale MATISSE présentée par

  2013cites this paper
• Analyse des pointeurs pour le langage C

  2013cites this paper
• Inferring Numeric Invariants by Abstract Interpretation

  2013cites this paper
• What Are Numerical Abstract Domains ?

  2012cites this paper
• Abstract Domains for Bit-Level Machine Integer and Floating-point Operations

  2012cites this paper
• Cost analysis of object-oriented bytecode programs

  2012cites this paper
• Habilitation à diriger des recherches

  2012influential citation
• Specification Inference and Invariant Generation : A Machine Learning Perspective

  2012cites this paper
• Theories, solvers and static analysis by abstract interpretation

  2012cites this paper
• Toward a Verified Software Toolchain for Java

  2012cites this paper
• Incremental resource usage analysis

  2012cites this paper
• DOCTEUR DE L'ÉCOLE POLYTECHNIQUE

  2012cites this paper
• Formal Verification by Abstract Interpretation

  2012cites this paper
• Static Analysis of Run-Time Errors in Embedded Real-Time Parallel C Programs

  2012cites this paper
• Expression data flow graph: precise flow-sensitive pointer analysis for C programs

  2011cites this paper
• Precise Interprocedural Analysis in the Presence of Pointers to the Stack

  2011cites this paper
• Precise Static Analysis of Binaries by Extracting Relational Information

  2011cites this paper
• A Precise Memory Model for Operating System Code Verification

  2011cites this paper
• Task-level analysis for a language with async/finish parallelism

  2011cites this paper
• The Reduced Product of Abstract Domains and the Combination of Decision Procedures

  2011cites this paper
• Arithmetisation of the Heap

  2011cites this paper
• Modular verification of shared-memory concurrent system software

  2011cites this paper
• Modular y Sensible a los Campos de C´ odigo de Byte Java

  2011cites this paper