Space Invading Systems Code

Space Invader is a static analysis tool that aims to perform accurate, automatic verification of the way that programs use pointers. It uses separation logic assertions [10,11] to describe states, and works by performing a proof search, using abstract interpretation to enable convergence. As well as having roots in separation logic, Invader draws on the fundamental work of Sagiv et. al. on shape analysis [12]. It is complementary to other tools – e.g., SLAM [1], Blast [8], ASTRÉE [6] – that use abstract interpretation for verification, but that use coarse or limited models of the heap. Space Invader began life as a theoretical prototype working on a toy language [7], which was itself an outgrowth of a previous toy-language tool [3]. Then, in May of 2006, spurred by discussions with Byron Cook, we decided to move beyond our toy languages and challenge programs, and test our ideas against realworld systems code, starting with a Windows device driver, and then moving on to various open-source programs. (Some of our work has been done jointly with Josh Berdine and Cook at Microsoft Research Cambridge, and a related analysis tool, SLAyer, is in development there.) As of the summer of 2008, Space Invader has proven pointer safety (no null or dangling pointer dereferences, or leaks) in several entire industrial programs of up to 10K LOC, and more partial properties of larger codes. There have been three key innovations driven by the problems encountered with real-world code.