Shape Neutral Analysis of Graph-based Data-structures

TL;DR

This paper introduces a shape-neutral, constraint-based program analysis that verifies data-structure integrity in low-level heap-manipulating programs, regardless of specific data-structure shapes, using automatically generated solvers.

Contribution

It presents a novel shape-neutral analysis approach that automatically generates solvers for data-structure properties, applicable to various data structures in low-level programs.

Findings

Effective in detecting errors across diverse data structures

Works well on real-world C programs

Shape neutrality allows broad applicability

Abstract

Malformed data-structures can lead to runtime errors such as arbitrary memory access or corruption. Despite this, reasoning over data-structure properties for low-level heap manipulating programs remains challenging. In this paper we present a constraint-based program analysis that checks data-structure integrity, w.r.t. given target data-structure properties, as the heap is manipulated by the program. Our approach is to automatically generate a solver for properties using the type definitions from the target program. The generated solver is implemented using a Constraint Handling Rules (CHR) extension of built-in heap, integer and equality solvers. A key property of our program analysis is that the target data-structure properties are shape neutral, i.e., the analysis does not check for properties relating to a given data-structure graph shape, such as doubly-linked-lists versus trees. Nevertheless, the analysis can detect errors in a wide range of data-structure manipulating programs, including those that use lists, trees, DAGs, graphs, etc. We present an implementation that uses the Satisfiability Modulo Constraint Handling Rules (SMCHR) system. Experimental results show that our approach works well for real-world C programs.