Program Analysis via 3-Valued Logic

Program Analysisvia 3-Valued Logic Thomas Reps University of Wisconsin Joint work with Mooly Sagiv (Tel-Aviv) and Reinhard Wilhelm (Univ. of Saarbruecken)

Program Analysisvia 3-Valued Logic Thomas Reps University of Wisconsin Joint work with Mooly Sagiv (Tel-Aviv) and Reinhard Wilhelm (Univ. of Saarbrücken)

t y NULL 1 2 3 NULL x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

t y 1 2 3 NULL x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

t y x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

t y NULL x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

NULL Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x Materialization

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

Original Problem: Shape Analysis • Characterize dynamically allocated data • x points to an acyclic list, cyclic list, tree, dag, etc. • data-structure invariants • Identify may-alias relationships • Establish “disjointedness” properties • x and y point to structures that do not share cells

Why is Shape Analysis Difficult? • Destructive updating through pointers • pnext = q • Produces complicated aliasing relationships • Dynamic storage allocation • No bound on the size of run-time data structures • Data-structure invariants typically only hold at the beginning and end of operations • Need to verify that data-structure invariants are re-established

Formal: Summary node x Formalizing “. . .” Informal: x

Applications: Software Tools • Static detection of memory errors (cleanness) • dereferencing NULL pointers • dereferencing dangling pointers • memory leaks • Static detection of logical errors • Is a shape invariant restored? • What is in the heap? • list? doubly-linked list? tree? DAG? • disjoint? intertwined?

Properties of reverse(x) • On entry: x points to an acyclic list • On exit: y points to an acyclic list • On exit: x == NULL • On each iteration, x and y point to disjoint acyclic lists • All the pointer dereferences are safe • No memory leaks

Detection of Malicious Code • De-obfuscate usage of dynamically allocated memory • Undesirable information flows • Buffer-overrun attacks • Actions performed to conceal virus activity (??) • [To advertise here, call 608-262-2091]

Program Analysis via 3-Valued Logic