Advanced Heap Analysis Techniques for Program Verification

schedule n.w
1 / 104
Embed
Share

Explore advanced techniques like shape analysis and static analysis in Soot and LLVM for identifying and preventing errors in programs with pointers and dynamic data structures. Learn from experts at Tel-Aviv University, Universität des Saarlandes, and other renowned institutions. Dive deep into compile-time verification and interesting properties of heap manipulation programs, including preventing null dereference and memory leaks. Discover examples and insights into rotating lists efficiently and improving program correctness.

  • Heap Analysis
  • Program Verification
  • Static Analysis
  • Compile-Time Verification
  • Advanced Techniques
rayaanacharya
mckendree_a Follow

Uploaded on | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics

  2. Compile-Time Verification of Properties of Heap Intensive Programs Mooly Sagiv Thomas Reps Reinhard Wilhelm http://www.cs.tau.ac.il/~TVLA http://www.cs.tau.ac.il/~msagiv/toplas02.pdf

  3. . . . and also Tel-Aviv University G. Arnold I. Bogudlov G. Erez N. Dor T. Lev-Ami R. Manevich R. Shaham A. Rabinovich N. Rinetzky E. Yahav G. Yorsh A. Warshavsky Universit t des Saarlandes J rg Bauer Ronald Biber University of Wisconsin F. DiMaio D. Gopan A. Loginov IBM Research J. Field H. Kolodner M. Rodeh Microsoft Research G. Ramalingam University of Massachusetts N. Immerman B. Hesse The Technical University of Denmark H.R. Nielson F. Nielson Weizmann Institute/NYU A. Pnueli Inria B. Jeannet

  4. Shape Analysis Determine the possible shapes of a dynamically allocated data structure at given program point Relevant questions: Does x.next point to a shared element? Does a variable point p to an allocated element every time p is dereferenced Does a variable point to an acyclic list? Does a variable point to a doubly-linked list? ? Can a procedure create a memory-leak

  5. Problem Programs with pointers and dynamically allocated data structures are error prone Automatically prove correctness Identify subtle bugs at compile time

  6. Interesting Properties of Heap Manipulating Programs No null dereference No memory leaks Preservation of data structure invariant Correct API usage Partial correctness Total correctness

  7. Example first n n n last rotate(List first, List last) { if ( first != NULL) { last next = first; first = first next; last = last next; last next = NULL; } } first n n n last n first n n n last n first last n n n n first last n n n

  8. Interesting Properties rotate(List first, List last) { if ( first != NULL) { last next = first; first = first next; last = last next; last next = NULL; } } No null-de references

  9. Interesting Properties rotate(List first, List last) { if ( first != NULL) { last next = first; first = first next; last = last next; last next = NULL; } } No null-de references No memory leaks

  10. Interesting Properties rotate(List first, List last) { if ( first != NULL) { last next = first; first = first next; last = last next; last next = NULL; } } No null-de references No memory leaks Returns an acyclic linked list Partially correct

  11. Partial Correctness List InsertSort(List x) { List r, pr, rn, l, pl; r = x; pr = NULL; while (r != NULL) { l = x; rn = r n; pl = NULL; while (l != r) { if (l data > r data) { pr n = rn; r n = l; if (pl == NULL) x = r; else pl n = r; r = pr; break; } pl = l; l = l n; } pr = r; r = rn; } return x; } typedef struct list_cell { int data; struct list_cell *n; } *List;

  12. Partial Correctness List quickSort(List p, List q) { if(p==q || q == NULL) return p; List h = partition(p,q); List x = p n; p n = NULL; List low = quickSort(h, p); List high = quickSort(x, NULL); p n = high; return low; }

  13. Challenges Specification Desired properties Program Semantics Automatic Verification Program Semantics Desired properties Undecidable even for simple programs and prooperties

  14. Plan Concrete Interpretation of Heap Canonical Heap Abstraction Abstract Interpretation using Canonical Abstraction The TVLA system Applications Techniques for scaling

  15. Logical Structures (Labeled Graphs) Nullary relation symbols Unary relation symbols Binary relation symbols FOTC over TC, express logical structure properties Logical Structures provide meaning for relations A set of individuals (nodes) U Interpretation of relation symbols in P p0() {0,1} p1(v) {0,1} p2(u,v) {0,1} Fixed

  16. Representing Stores as Logical Structures Locations Individuals Program variables Unary relations Fields Binary relations Example U = {u1, u2, u3, u4, u5} x = {u1}, p = {u3} n = {<u1, u2>, <u2, u3>, <u3, u4>, <u4, u5>} x u1 1 u2 0 u3 0 u4 0 u5 0 u5 p 0 0 1 0 0 n u1 u2 u3 u4 u5 u1 u2 u3 u4 u5 0 1 0 0 0 1 0 0 0 0 0 0 0 0 0 u1 u2 u3 u4 0 0 1 0 0 0 0 0 1 0 n n n n u1 u2 u3 u4 u5 x p

  17. Example: List Creation typedef struct node { int val; struct node *next; } *List; List create ( ) { List x, t; x = NULL; while ( ) do { t = malloc(); t next=x; x = t ;} return x; } No null dereferences No memory leaks Returns acyclic list

  18. Example: Concrete Interpretation x = NULL n n n t t t empty x x x F T n t =malloc(..); t t t x x n n t next=x; n t t t x x n x = t n n t t x t x x return x

  19. Concrete Interpretation Rules Statement Update formula x =NULL x (v)= 0 x= malloc() x (v) = IsNew(v) x=y x (v)= y(v) x=y next x (v)= w: y(w) n(w, v) x next=y n (v, w) = (x(v) ? y(w) : n(v, w))

  20. Invariants No garbage v: {x PVar} w: x(w) n*(w, v) Acyclic list(x) v, w: x(v) n*(v, w) n+(w, w) Reverse (x) v, w, r: x(v) n*(v, w) n(w, r) n (r, w)

  21. Example: Abstract Interpretation x = NULL n n t t t empty x x n x F T n n t =malloc(..); t t t t n x x x n n n t next=x; n t t t t n x x x n x = t n n t t x t t n x x n x return x

  22. 3-Valued Logical Structures A set of individuals (nodes) U Relation meaning Interpretation of relation symbols in P p0() {0,1, 1/2} p1(v) {0,1, 1/2} p2(u,v) {0,1, 1/2} A join semi-lattice: 0 1 = 1/2

  23. Canonical Abstraction () Partition the individuals into equivalence classes based on the values of their unary relations Every individual is mapped into its equivalence class Collapse relations via pS(u 1, ..., u k) = {pB(u1, ..., uk) | f(u1)=u 1, ..., f(uk)=u k) } At most 2A abstract individuals

  24. Canonical Abstraction x = NULL; n n while ( ) do { u2 u1 x u3 t = malloc(); t t next=x; x = t n } u2,3 u1 x t n

  25. Canonical Abstraction x = NULL; n n while ( ) do { u2 u1 x u3 t = malloc(); t t next=x; n x = t n } u2,3 u1 x t n

  26. Canonical Abstraction and Equality Summary nodes may represent more than one element (In)equality need not be preserved under abstraction Explicitly record equality Summary nodes are nodes with eq(u, u)=1/2

  27. Canonical Abstraction and Equality eq eq x = NULL; eq n n eq while ( ) do { u2 u1 x u3 t = malloc(); t eq eq t next=x; eq eq eq x = t n } u2,3 u2,3 u1 x t n

  28. Canonical Abstraction x = NULL; n n while ( ) do { u2 u1 x u3 t = malloc(); t t next=x; x = t n } u2,3 u1 x t n

  29. Canonical Abstraction Partition the individuals into equivalence classes based on the values of their unary relations Every individual is mapped into its equivalence class Collapse relations via pS(u 1, ..., u k) = {pB(u1, ..., uk) | f(u1)=u 1, ..., f(u k)=uk) } At most 2A abstract individuals

  30. Canonical Abstraction x = NULL; n n while ( ) do { u2 u1 x u3 t = malloc(); t t next=x; x = t n } u2,3 u1 x t n

  31. Limitations Information on summary nodes is lost

  32. Increasing Precision Global invariants User-supplied, or consequence of the semantics of the programming language Naturally expressed in FOTC Record extra information in the concrete interpretation Tunes the abstraction Refines the concretization

  33. Cyclicity relation c[x]() = v1,v2: x(v1) n*(v1,v2) n+(v2, v2) c[x]()=0 u2 u1 x un n n n t n u2..n u1 x c[x]()=0 t n

  34. Cyclicity relation c[x]() = v1,v2: x(v1) n*(v1,v2) n+(v2, v2) n c[x]()=1 u2 u1 x un n n n t n u2..n u1 x c[x]()=1 t n

  35. Heap Sharing relation is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2 is(v)=0 is(v)=0 is(v)=0 u2 u1 x un n n n t n u2..n u1 x t n is(v)=0 is(v)=0

  36. Heap Sharing relation is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2 is(v)=0 is(v)=1 is(v)=0 u2 u1 x un n n n t n n n n u2 u1 x u3..n t n is(v)=0 is(v)=1 is(v)=0

  37. Concrete Interpretation Rules Statement Update formula x =NULL x (v)= 0 x= malloc() x (v) = IsNew(v) is (v) =is(v) IsNew(v) x (v)= y(v) x=y x=y next x (v)= w: y(w) n(w, v) x next=NULL n (v, w) = x(v) n(v, w) is (v) = is(v) v1, v2: n(v1, v) x(v1) n(v2, v) x(v2) eq(v1, v2)

  38. Reachability relation t[n](v1, v2) = n*(v1,v2) t[n] t[n] t[n] ... u2 u1 x un n n n t[n] t t[n] t[n] t[n] n u2..n u1 x t n t[n] t[n]

  39. List Segments u1 u2 u3 u4 u5 u6 u7 u8 n n n n n n n x y u1 u5 u2,3,4,6,7,8 n n x y

  40. Reachability from a variable r[n,y](v) = w: y(w) n*(w, v) r[n,y]=0 r[n,y]=0 r[n,y]=0 r[n,y]=1 r[n,y]=1 r[n,y]=1 u1 u2 u3 u4 u5 u6 u7 u8 n n n n n n n x y u1 u5 u2,3,4 u6,7,8 n n n x y

  41. Additional Instrumentation relations inOrder(v) = w: n(v, w) data(v) data(w) cfb(v) = w: f(v, w) b(w, v) tree(v) dag(v) Weakest Precondition [Ramalingam, PLDI 02] Learned via Inductive Logic Programming [Loginov, CAV 05] Counterexample guided refinement

  42. Instrumentation (Summary) Refines the abstraction is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2 Adds global invariants is(v) v1,v2: n(v1,v) n(v2,v) v1 v2 (S#)={S : S , (S)=S#} But requires update-formulas (generated automatically in TVLA2)

  43. Abstract Interpretation Best Transformers Kleene Evaluation Kleene Evaluation + semantic reduction Focus Based Transformers

  44. Best Transformer Transformer (x = xn) yx yx xy ... inverse canonical Evaluate update formulas x x y y x ... x y canonical abstraction y

  45. Then a Miracle Occurs

  46. Boolean Connectives [Kleene] 0 0 0 0 0 1/2 0 1/2 1/2 1 0 1/2 1 1/2 1 0 0 0 1/2 1/2 1/2 1 1 1 1 1 1/2 1 1/2 1

  47. Boolean Connectives [Kleene] 0 0 0 0 0 1/2 0 1/2 1/2 1 0 1/2 1 1/2 1 0 0 0 1/2 1/2 1/2 1 1 1 1 1 1/2 1 1/2 1

  48. Embedding A logical structure B can be embedded into a structure S via an onto function f (B f S) if the basic relations are preserved, i.e., pB(u1, .., uk) pS(f(u1), ..., f(uk)) S is a tight embedding of B with respect to f if: S does not lose unnecessary information, i.e., pS(u#1, .., u#k) = {pB (u1 ..., uk) | f(u1)=u#1, ..., f(uk)=u#k} Canonical Abstraction is a tight embedding

  49. Embedding and Concretization Two natural choices B 1(S) if B can be embedded into S via an onto function f (B f S) B 2(S) if S is a tight embedding of B

  50. Embedding Theorem Assume B f S, pB(u1, .., uk) pS(f(u1), ..., f(uk)) Then every formula is preserved: If = 1 in S, then = 1 in B If = 0 in S, then = 0 in B If = 1/2 in S, then could be 0 or 1 in B

Related


No related presentations.

More Related Content