Towards Shape Analysis for Device Drivers

1
Towards Shape Analysis for Device Drivers

• Hongseok Yang
• (Queen Mary, University of London)
• (Joint work with Josh Berdine, Cristiano
  Calcagno, Byron Cook, Dino Distefano, Peter
  OHearn and Thomas Wies)

2
Dream

• Do deep shape analysis for real programs
  (i.e., programs of 100K LOC).

1. Memory safety
2. Absence of leaks
3. Race freedom
4. Reponsiveness

3
void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
PIRP Irp)

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PRESET_IRP ResetIrp,temp,tempnext
• PDEVICE_EXTENSION de
• KeAcquireSpinLock(de-gtResetSpinLock, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

KeAcquireSpinLock(de-gtResetSpinLock, Irql)

• Pb 1 Extreme local analysis
• Tied to OS kernel
• Expensive shape analysis

KeReleaseSpinLock(de-gtResetSpinLock, Irql)
IoCompleteRequest(Irp, IO_NO_INCREMENT)
4

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PRESET_IRP ResetIrp,temp,tempnext
• PDEVICE_EXTENSION de
• KeAcquireSpinLock(de-gtResetSpinLock, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

5

• Pb1 Extreme local analysis
• A part of code in isolation.
• No preconditions.
• Only the memory footprint of the part.

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PRESET_IRP ResetIrp,temp,tempnext
• PDEVICE_EXTENSION de
• KeAcquireSpinLock(de-gtResetSpinLock, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

6

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PRESET_IRP ResetIrp,temp,tempnext
• PDEVICE_EXTENSION de
• KeAcquireSpinLock(de-gtResetSpinLock, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

typedef struct DEVICE_OBJECT DEVICE_EXTENSION
DeviceExtension DEVICE_OBJECT,
PDEVICE_OBJECT
Pb 2 Challenging Data Structures
typedef struct DEVICE_OBJECT
StackDeviceObject DEVICE_OBJECT
PortDeviceObject DEVICE_OBJECT
PhysicalDeviceObject ADDRESS_DATA
Flink1 RESET_IRP Flink2 CROM_DATA
Flink3 DETACH_DATA Flink4
RESOURCE_DATA Flink5 DEVICE_EXTENSION,
PDEVICE_EXTENSION
7

• Drawn by Dino Distefano

8

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PRESET_IRP ResetIrp,temp,tempnext
• PDEVICE_EXTENSION de
• KeAcquireSpinLock(de-gtResetSpinLock, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

typedef struct DRIVER_CANCEL
(CancelRoutine)() IRP, PIRP
KeAcquireSpinLock(de-gtResetSpinLock, Irql)
Pb 3 Concurrency
KeReleaseSpinLock(de-gtResetSpinLock, Irql)
9
Status of Separation-logic based Shape Analysis
(London/Cambridge)

• Problem 1 Extreme local analysis
• Extreme local shape analysis
• Calcagno, Distefano, OHearn, Yang
• Problem 2 Challenging data structures
• Adaptive shape analysis
• Berdine, Calcagno, Disetafano, Cook, Wies,
  OHearn, Yang
• Problem 3 Concurrency
• Thread-modular shape analysis
• Gotsman, Berdine, Cook, Sagiv

10
Extreme Local Shape Analysis

• Analyze a part of code in isolation.
• No preconditions.
• Only the memory footprint of the part.

11

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PRESET_IRP ResetIrp,temp,tempnext
• PDEVICE_EXTENSION de
• KeAcquireSpinLock(de-gtResetSpinLock, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

12
(de aD Flink2 x0) ls (RESET_IRP,Flink2) (x0,0)

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PXXX_RESET_IRP XXXResetIrp,temp,tempnext
• PDEVICE_EXTENSION deviceExtension
• KeAcquireSpinLock(deviceExtension-gtResetSpinLoc
  k, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

(de aD Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de aD Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de aD Flink2 de)
(de aD Flink2 x0) ls (RESET_IRP,Flink2)
(x0,x1) (x1aR IrpIrp)
typedef struct RESET_IRP Flink2 IRP
Irp RESET_IRP, PRESET_IRP
typedef struct RESET_IRP Flink2
DEVICE_EXTENSION
13
(de aD Flink2 x0) ls (RESET_IRP,Flink2) (x0,0)

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PXXX_RESET_IRP XXXResetIrp,temp,tempnext
• PDEVICE_EXTENSION deviceExtension
• KeAcquireSpinLock(deviceExtension-gtResetSpinLoc
  k, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

(de a Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de a Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de aD Flink2 de)
(de aD Flink2 x0) ls (RESET_IRP,Flink2)
(x0,x1) (x1aR IrpIrp)
de aD Flink2 de
typedef struct RESET_IRP Flink2 IRP
Irp RESET_IRP, PRESET_IRP
typedef struct RESET_IRP Flink2
DEVICE_EXTENSION
14
(de aD Flink2 x0) ls (RESET_IRP,Flink2) (x0,0)

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PXXX_RESET_IRP XXXResetIrp,temp,tempnext
• PDEVICE_EXTENSION deviceExtension
• KeAcquireSpinLock(deviceExtension-gtResetSpinLoc
  k, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

(de a Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de a Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de aD Flink2 de)
(de aD Flink2 x0) ls (RESET_IRP,Flink2)
(x0,x1) (x1aR IrpIrp)
de aD Flink2 de Æ de ResetIrp
typedef struct RESET_IRP Flink2 IRP
Irp RESET_IRP, PRESET_IRP
typedef struct RESET_IRP Flink2
DEVICE_EXTENSION
15
(de aD Flink2 x0) ls (RESET_IRP,Flink2) (x0,0)

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PXXX_RESET_IRP XXXResetIrp,temp,tempnext
• PDEVICE_EXTENSION deviceExtension
• KeAcquireSpinLock(deviceExtension-gtResetSpinLoc
  k, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

(de a Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de a Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de aD Flink2 de)
(de aD Flink2 x0) ls (RESET_IRP,Flink2)
(x0,x1) (x1aR IrpIrp)
de aD Flink2 de Æ de ResetIrp
typedef struct RESET_IRP Flink2 IRP
Irp RESET_IRP, PRESET_IRP
typedef struct RESET_IRP Flink2
DEVICE_EXTENSION
16
(de aD Flink2 x0) ls (RESET_IRP,Flink2) (x0,0)

• void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject,
  PIRP Irp)
• PXXX_RESET_IRP XXXResetIrp,temp,tempnext
• PDEVICE_EXTENSION deviceExtension
• KeAcquireSpinLock(deviceExtension-gtResetSpinLoc
  k, Irql)
• ResetIrp (PRESET_IRP)de-gtFlink2
• while (ResetIrp !NULL)
• if (ResetIrp-gtIrp Irp)
• temp (PRESET_IRP)de
• tempnext temp-gtFlink2
• while (tempnext ! ResetIrp)
• temp tempnext tempnext
  temp-gtFlink2
• temp-gtFlink2 ResetIrp-gtFlink2
• free(ResetIrp)
• break

(de a Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de a Flink2 x0) ls (RESET_IRP,Flink2) (x0,de)
(de aD Flink2 de)
(de aD Flink2 x0) ls (RESET_IRP,Flink2)
(x0,x1) (x1aR IrpIrp)
de aD Flink2 de Æ de ResetIrp
ERROR No IRP Field in DEVICE_EXTENSION
typedef struct RESET_IRP Flink2 IRP
Irp RESET_IRP, PRESET_IRP
typedef struct RESET_IRP Flink2
DEVICE_EXTENSION
17
Extreme Local Shape Analysis
list t while (x!0) t x x
x-gtnext free(t)

Trace Generation
assert(x!0) tx xx-gtnext free(x) assert(x0)

assert(x!0) tx xx-gtnext free(x) assert(x!0
) tx xx-gtnext free(x) assert(x0)
Footprint Computation
18
Extreme Local Shape Analysis
list t while (x!0) t x x
x-gtnext free(t)

Trace Generation
assert(x!0) tx xx-gtnext free(x) assert(x0)

assert(x!0) tx xx-gtnext free(x) assert(x!0
) tx xx-gtnext free(x) assert(x0)
Footprint Computation
19
Extreme Local Shape Analysis
P0
P1
list t while (x!0) t x x
x-gtnext free(t)

Trace Generation
assert(x!0) tx xx-gtnext free(x) assert(x0)

assert(x!0) tx xx-gtnext free(x) assert(x!0
) tx xx-gtnext free(x) assert(x0)
Footprint Computation
20
Extreme Local Shape Analysis
P3
P2
P0
P1
list t while (x!0) t x x
x-gtnext free(t)

Trace Generation
assert(x!0) tx xx-gtnext free(x) assert(x0)

assert(x!0) tx xx-gtnext free(x) assert(x!0
) tx xx-gtnext free(x) assert(x0)
Footprint Computation
Abstract preconditions
21
Extreme Local Shape Analysis
P2,P3,,Pn
P3
P2
P0
P1
list t while (x!0) t x x
x-gtnext free(t)

Trace Generation
assert(x!0) tx xx-gtnext free(x) assert(x0)

assert(x!0) tx xx-gtnext free(x) assert(x!0
) tx xx-gtnext free(x) assert(x0)
I1,I2,,Im
Footprint Computation
Abstract preconditions
Q1,Q2,,Qk
SpaceInvader
22
Extreme Local Shape Analysis

Trace Generation
Sound precondition Footprint only
Footprint Computation
Abstract preconditions
SpaceInvader
23
Separation Logic

• xay, ls (y,z)
• xay ls (y,z), emp
• 9y. z!0 Æ va Æ xay ls (y,z)

x
y
z
y
y
z
x
24
Variable Convention

• Program variables x,y,z,t,v,w
• Ghost (or auxiliary) variables a,b,c,d,.
• Primed variables x,y,z,t,v,w
• 9 w,w1.
• x!0 Æ za Æ w!w1 Æ xaw ls (w,w1)
  yaw1

25
Symbolic Heaps

• Separation logic formulas of the form
• (x!0 Æ za Æ w!w1) Æ (xaw ls (w,w1)
  yaw1)
• SH Set of all symbolic heaps
• GhostSH Set of sym. heaps with ghost vars only

26
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.

Q0
P0
P
C
27
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.

Foot(tx-gtnext, xaÆemp) (aab, xaÆtbÆaab)
xa Æ empaab tx-gtnext xa Æ tb Æ aab
28
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.

29
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Foot(free(x),PEaF) (emp,P) if (PEaF)
  Ex

Foot(free(x), xa Æ aa0) (emp, xa Æ
emp)
30
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Foot(free(x),PEaF) (emp,P) if (PEaF)
  Ex
• Foot(free(x),P) (aab,P) if P
  xa, fresh b

Rewrite x to some ghost variable.
Foot(free(x), xa Æ emp) (aab, xa Æ
emp)
31
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Foot(free(x),PEaF) (emp,P) if (PEaF)
  Ex
• Foot(free(x),P) (aab,P) if P
  xa, fresh b
• Foot(free(x),P) (false,P)
  otherwise

Foot(free(x), emp) (false, emp)
! (xa b, emp)
32
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.

33
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Foot(AC,P) let (P0,Q0)Foot(A,P) and
  (P1,Q1)Foot(C,Q0)
• in (P0P1, Q1)
  

Q1
P1
P1
Q0
A
C
P0
P
34
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Foot(AC,P) let (P0,Q0)Foot(A,P) and
  (P1,Q1)Foot(C,Q0)
• in (P0P1, Q1)
  

Foot(free(x)free(y), xa Æ yb Æ emp)
(aac bad, xa Æ yb Æ emp)
35
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.

36
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Algorithm Given a trace C. Supp FPV(C) x.
• P (xa Æ emp)
• (P0,Q0) Foot(C, P)
• return (P P0)

37
List Disposal

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

x
0
38
List Disposal

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

x
0
39
List Disposal

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

t
x
0
40
List Disposal

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

t
x
0
41
List Disposal

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

t
x
0
42
Footprint Computation

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

43
Footprint Computation
Discovered Precondition xa Æ emp

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
44
Footprint Computation
Discovered Precondition xa Æ a!0 Æ emp

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
45
Footprint Computation
Discovered Precondition xa Æ a!0 Æ emp

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
xa Æ a!0 Æ ta Æ emp
46
Footprint Computation
Discovered Precondition xa Æ a!0 Æ emp
aab

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
xa Æ a!0 Æ ta Æ emp
xb Æ a!0 Æ ta Æ emp aab
47
Footprint Computation
Discovered Precondition xa Æ a!0 Æ emp
aab

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
xa Æ a!0 Æ ta Æ emp
xb Æ a!0 Æ ta Æ emp aab
xb Æ a!0 Æ ta Æ emp
48
Footprint Computation
Discovered Precondition xa Æ a!0 Æ b!0
Æ emp aab

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
xb Æ a!0 Æ ta Æ b!0 Æ emp
xa Æ a!0 Æ ta Æ emp
xb Æ a!0 Æ ta Æ emp aab
xb Æ a!0 Æ ta Æ emp
49
Footprint Computation
Discovered Precondition xa Æ a!0 Æ b!0
Æ emp aab

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
xb Æ a!0 Æ ta Æ b!0 Æ emp
xa Æ a!0 Æ ta Æ emp
xb Æ a!0 Æ tb Æ b!0 Æ emp
xb Æ a!0 Æ ta Æ emp aab
xb Æ a!0 Æ ta Æ emp
50
Footprint Computation
Discovered Precondition xa Æ a!0 Æ b!0
Æ emp aab bac

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
xb Æ a!0 Æ ta Æ b!0 Æ emp
xa Æ a!0 Æ ta Æ emp
xb Æ a!0 Æ tb Æ b!0 Æ emp
xb Æ a!0 Æ ta Æ emp aab
xc Æ a!0 Æ tb Æ b!0 Æ emp bac
xb Æ a!0 Æ ta Æ emp
51
Footprint Computation
Discovered Precondition xa Æ a!0 Æ b!0
Æ emp aab bac

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
xb Æ a!0 Æ ta Æ b!0 Æ emp
xa Æ a!0 Æ ta Æ emp
xb Æ a!0 Æ tb Æ b!0 Æ emp
xb Æ a!0 Æ ta Æ emp aab
xc Æ a!0 Æ tb Æ b!0 Æ emp bac
xb Æ a!0 Æ ta Æ emp
xc Æ a!0 Æ tb Æ b!0 Æ emp
52
Footprint Computation
Discovered Precondition xa Æ a!0 Æ b!0 Æ
c0 Æ emp aab bac

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

xa Æ emp
xa Æ a!0 Æ emp
xb Æ a!0 Æ ta Æ b!0 Æ emp
xa Æ a!0 Æ ta Æ emp
xb Æ a!0 Æ tb Æ b!0 Æ emp
xb Æ a!0 Æ ta Æ emp aab
xc Æ a!0 Æ tb Æ b!0 Æ emp bac
xb Æ a!0 Æ ta Æ emp
xc Æ a!0 Æ tb Æ b!0 Æ emp
xc Æ a! 0 Æ tb Æ b!0 Æ c0 Æ emp
53
Abstraction

• Abs SH ! CanonicalSH
• Existentially quantify ghost vars.
• Substitute away equalities dE.
• Drop disequalities.
• Apply list abstraction.

Discovered Precondition xa Æ a!0 Æ b!0 Æ
c0 Æ emp aab bac
54
Abstraction

• Abs SH ! CanonicalSH
• Existentially quantify ghost vars.
• Substitute away equalities dE.
• Drop disequalities.
• Apply list abstraction.

Discovered Precondition xa Æ a!0 Æ b!0 Æ
c0 Æ emp aab bac
Discovered Precondition xa Æ a!0 Æ b!0
Æ c0 Æ emp aab bac
55
Abstraction

• Abs SH ! CanonicalSH
• Existentially quantify ghost vars.
• Substitute away equalities dE.
• Drop disequalities.
• Apply list abstraction.

Discovered Precondition xa Æ a!0 Æ b!0 Æ
c0 Æ emp aab bac
Discovered Precondition xa Æ a!0 Æ b!0
Æ c0 Æ emp aab bac
Discovered Precondition x!0 Æ
b!0 Æ emp xab ba0
56
Abstraction

• Abs SH ! CanonicalSH
• Existentially quantify ghost vars.
• Substitute away equalities dE.
• Drop disequalities.
• Apply list abstraction.

Discovered Precondition xa Æ a!0 Æ b!0 Æ
c0 Æ emp aab bac
Discovered Precondition xa Æ a!0 Æ b!0
Æ c0 Æ emp aab bac
Discovered Precondition x!0 Æ
b!0 Æ emp xab ba0
Discovered Precondition emp xab ba0
57
Abstraction

• Abs SH ! CanonicalSH
• Existentially quantify ghost vars.
• Substitute away equalities dE.
• Drop disequalities.
• Apply list abstraction.

Discovered Precondition xa Æ a!0 Æ b!0 Æ
c0 Æ emp aab bac
Discovered Precondition xa Æ a!0 Æ b!0
Æ c0 Æ emp aab bac
Discovered Precondition x!0 Æ
b!0 Æ emp xab ba0
Discovered Precondition emp xab ba0
Discovered Precondition ls (x,0)
58
SpaceInvader
Precondition ls (x, 0)

• list t
• while (x!0)
• t x
• x x-gtnext
• free(t)

Fixpoint Computation
Postcondition x0 Æ emp
59
Backward Footprint Computation
list t while (x!0) t x x x-gtnext
free(t)
Backward assert(x!0) t x x
x-gtnext free(t) assert(x0)
Forward assert(x!0) t x x
x-gtnext free(t) assert(x0)
60
Frame Rule and Correctness of Footprint
Computation
Sound because of Frame Rule in Sep. Log.
PP0AQ0 PP0P1AQ0P1
Q0P1CQ PP0P1ACQ

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Foot(AC,P) let (P0,Q0)Foot(A,P) and
  (P1,Q1)Foot(C,Q0)
• in (P0P1, Q1)
  

Q1
P1
P1
Q0
A
C
P0
P
61
Experiments with Firewire Device Driver
Function LOC Time Result
F1 32 0.07 Alarm Real Err
F2 87 0.04 Yes
F3 130 0.43 Yes
F4 198 0.31 Yes
F5 (loop 1) 325 40.75 Yes
F5 (loop 2) 46 2.83 Yes
F5 (loop 3) 221 0.45 Yes
F5 (loop 4) 170 gt 10 min ???
F5 (loop 5) 59 0.036 Yes

• MacBook, 2GH Intel Core Duo. 2GB Mem. All fn
  calls are inlined.

62
Future Direction

1. Weaving analysis results.
2. Good abstraction for footprints.
3. Better shape abstraction.

63
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Foot(assert(x!0),P) (a!0 Æ emp, a!0 Æ P)
  if P xa

64
Footprint Computation

• Foot Trace x SH ! GhostSH x SH
• Correctness
• If Foot(C,P)(P0,Q0), then PP0CQ0 holds in
  Sep. Log.
• Foot(assert(x!0),P) (a!0 Æ emp, a!0ÆP)
  if P xa
• Foot(assert(x!0),P) (false, P)
  otherwise