Download
static program analysis via three valued logic n.
Skip this Video
Loading SlideShow in 5 Seconds..
Static Program Analysis via Three-Valued Logic PowerPoint Presentation
Download Presentation
Static Program Analysis via Three-Valued Logic

Static Program Analysis via Three-Valued Logic

122 Vues Download Presentation
Télécharger la présentation

Static Program Analysis via Three-Valued Logic

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Static Program Analysisvia Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)

  2. Full Employmentfor Verification Experts Analysis must track numeric information • A sailor on the U.S.S. Yorktown entered a 0 into a data field in a kitchen-inventory program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units. • The Yorktown was dead in the water for about two hours and 45 minutes.

  3. need to track values other than 0 x = 3; y = 1/(x-3); x = 3; px = &x; y = 1/(*px-3); need to track pointers x = 3; p = (int*)malloc(sizeof int); *p = x; q = p; y = 1/(*q-3); need to track heap-allocated storage

  4. a e b c 1 f d a=&e p p q q 2 r1 r1 b=a a e q q b p p c r2 r2 a f 3 d e c=&f b s1 s1 c r1 r1 f p p d q s2 s2 q a r2 r2 *b=c s3 e s3 4 b c f d a r1 s1 e r1 s1 d=*a b q p q 5 p c r2 s2 a f e d r2 s2 b c f d Flow-SensitivePoints-To Analysis p = &q; p = q; p = *q; *p = q;

  5. 1 1 a a=&e a=&e e b 2 2 c b=a b=a f 1 5 2 d 3 3 c=&f c=&f 3 4 *b=c *b=c 4 4 d=*a d=*a 5 5 a a a a a a e e e e e e b b b b b b c c c c c c f f f f f f d d d d d d Flow-InsensitivePoints-ToAnalysis

  6. Shape Analysis[Jones and Muchnick 1981] • Characterize dynamically allocated data • Identify may-alias relationships • x points to an acyclic list, cyclic list, tree, dag, … • “disjointedness” properties • x and y point to structures that do not share cells • show that data-structure invariants hold • Account for destructive updates through pointers

  7. Applications: Software Tools • Static detection of memory errors • dereferencing NULL pointers • dereferencing dangling pointers • memory leaks • Static detection of logical errors • Is a data-structure invariant restored?

  8. Applications: Code Optimization • Parallelization • Operate in parallel on disjoint structures • Software prefetching • “Compile-time garbage collection” • Insert storage-reclamation operations • Eliminate or move “checking code”

  9. Why is Shape Analysis Difficult? • Destructive updating through pointers • pnext = q • Produces complicated aliasing relationships • Dynamic storage allocation • No bound on the size of run-time data structures • Data-structure invariants typically only hold at the beginning and end of operations • Want to verify that data-structure invariants are re-established

  10. t y NULL 1 2 3 NULL x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

  11. t y NULL 1 2 3 NULL x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

  12. t y 1 2 3 NULL x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

  13. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  14. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  15. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  16. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  17. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  18. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  19. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  20. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  21. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  22. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  23. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  24. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL 1 2 3 NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  25. t y x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

  26. t y NULL x Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; }

  27. NULL Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  28. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  29. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x Materialization

  30. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  31. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  32. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  33. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  34. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  35. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  36. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  37. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  38. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  39. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  40. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  41. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  42. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  43. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  44. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  45. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  46. Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; t y NULL List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } x

  47. t NULL y x t NULL y x t NULL y x t NULL y x Idea for a List Abstraction represents

  48. x != NULL t y t y NULL NULL y t y t x x t = y NULL x x y t y t t y y = x NULL NULL x x x y t y t x = xnext y t NULL NULL x x y y t t ynext = t y y t t x NULL NULL y t NULL NULL x x x x return y x

  49. Properties of reverse(x) • On entry, x points to an acyclic list • On each iteration, x & y point to disjoint acyclic lists • All the pointer dereferences are safe • No memory leaks • On exit, y points to an acyclic list • On exit, x == NULL • All cells reachable from y on exit were reachable • from x on entry, and vice versa • On exit, the order between neighbors in the y-list • is opposite to their order in the x-list on entry

  50. A ‘Yacc’ for Shape Analysis: TVLA • Parametric framework • Some instantiations  known analyses • Other instantiations  new analyses • Applications beyond shape analysis • Partial correctness of sorting algorithms • Safety of mobile code • Deadlock detection in multi-threaded programs • Partial correctness of mark-and-sweep gc alg. • Correct usage of Java iterators