Deciding Memory Safety for Single-Pass Heap-Manipulating Programs
This work addresses memory safety verification for programmers and developers dealing with heap-manipulating code, representing an incremental extension of prior decidable subclasses.
The paper tackles the problem of automatically verifying memory safety for heap-manipulating programs, showing that this problem is decidable for programs that operate on forest data-structures and are streaming-coherent, with experimental results indicating efficient verification of common single-pass algorithms.
We investigate the decidability of automatic program verification for programs that manipulate heaps, and in particular, decision procedures for proving memory safety for them. We extend recent work that identified a decidable subclass of uninterpreted programs to a class of alias-aware programs that can update maps. We apply this theory to develop verification algorithms for memory safety--- determining if a heap-manipulating program that allocates and frees memory locations and manipulates heap pointers does not dereference an unallocated memory location. We show that this problem is decidable when the initial allocated heap forms a forest data-structure and when programs are streaming-coherent, which intuitively restricts programs to make a single pass over a data-structure. Our experimental evaluation on a set of library routines that manipulate forest data-structures shows that common single-pass algorithms on data-structures often fall in the decidable class, and that our decision procedure is efficient in verifying them.