Download presentation

Presentation is loading. Please wait.

Published byJoseph Bailey Modified over 3 years ago

1
Static Analysis of Heap-manipulating Low-level software Sumit GulwaniAshish Tiwari MSR, Redmond SRI International

2
1 Related Work Alias/Pointer Analysis [Work done in early 90s] –Must/May equalities –Considered not expressive enough Shape Analysis [Work that followed] –Fancy predicates –Need to provide transfer functions for each of them This work –Must/May equalities extended with quantifiers (Provides expressiveness of an infinite class of predicates and avoids the need of providing transfer functions)

3
2 Example 1 9 i: List(x,i,next) Æ 8 j: (0 · j < i) ) Array(x ! next j ! data, 4*(x ! next j ! len)) struct List { int Len, *Data; List* Next; } ListOfPtrArray(struct List* x) { for (y := x; y null; y := y ! next) t := ?; y ! len := t; y ! data = malloc(4t); for (y := x; y null; y := y ! next) for (z :=0; z < y ! len; z := z+1) y ! data ! (4z) := ….; Invariant required after first loop for proving memory safety

4
3 Example 2 struct List { int Data; List* Next; } List2Array(struct List* x) { n := 0; for (y := x; y null; y := y ! next) n := n+1; A := malloc(4n); y:= x; for (k := 0; k < n; k++) A ! (4k) := y ! data; y := y ! next; return A; Prog. Point Invariant 1 9 i: List(x,i,next) 2 9 i: List(x,i,next), 0 · n*
*

5
4 Outline Abstract Domain Implies Algorithm Join Algorithm Meet Algorithm PostAssignment Algorithm

6
5 Abstract Domain 9 V: Cons Æ Must Æ May Must := true | Must Æ 8 V: (Cons ) e 1 =e 2 ) May := true | May Æ 8 V: (Cons ) e 1 » e 2 ) e := y | c | e 1 § e 2 |ce | e 1 ! e 2 e 3 | valid | null Cons represent constraints over the base abstract domain, eg. Combination of linear arithmetic and uninterpreted functions

7
6 Expressiveness List(x,i,next) ´ i ¸ 0 Æ x ! next i = null Æ 8 j: (0 · j < i) ) Valid(x ! next j ) Valid(e) ´ e ! w=valid Array(x,k) ´ 8 j: (0 · j < k) ) Valid(x+j)

8
7 Abstract Interpreter Join Node Conditional Node p True False F F1F1 F2F2 F2F2 F F1F1 F = Join(F 1,F 2 ) F 1 = Meet(F, p) F 2 = Meet(F, : p) Statement s F F Assignment Node F = Post(F,s) Where s may be: x := e *x := e x := malloc(e) free(x)

9
8 Implies Algorithm Implies(F 1, F 2 ) returns 1 only if F 1 ) F 2 KeyIdea for checking F ) e 1 =e 2 Check if e 2 2 MustAliases(e 1,F) KeyIdea for checking F ) e 1 e 2 Check if : (e 2 2 MayAliases(e 1,F))

10
9 MustAliases and MayAliases F 1 : x = x ! next j F 2 : 8 i: (0 · i · j) ) x ! next i = x ! next i+1 ! prev MustAliases KeyIdea: Apply k quantifier instantiations MustAliases(x,F 1 ) = { x ! next j, x ! next 2j } MustAliases(x,F 2 ) =

11
10 MustAliases and MayAliases F 1 : x = x ! next j F 2 : 8 j: (0 · i · j) ) x ! next i =x ! next i+1 ! prev MustAliases KeyIdea: Apply k quantifier instantiations MustAliases(x,F 1 ) = { x ! next j, x ! next 2j } MustAliases(x,F 2 ) = { x ! next ! prev, x ! next ! prev ! next ! prev }

12
11 MustAliases and MayAliases F 1 : x = x ! next j F 2 : 8 j: (0 · i · j) ) x ! next i =x ! next i+1 ! prev MustAliases KeyIdea: Apply k instantiations of each equality MustAliases(x,F 1 ) = { x ! next j, x ! next 2j } MustAliases(x,F 2 ) = { x ! next ! prev, x ! next ! prev ! next ! prev } MayAliases KeyIdea: Represent aliases by expressions of size k MayAliases(x,F 1 ) = { x ! next t | t ¸ j } MayAliases(x,F 2 ) =

13
12 MustAliases and MayAliases F 1 : x = x ! next j F 2 : 8 j: (0 · i · j) ) x ! next i =x ! next i+1 ! prev MustAliases KeyIdea: Apply k instantiations of each equality MustAliases(x,F 1 ) = { x ! next j, x ! next 2j } MustAliases(x,F 2 ) = { x ! next ! prev, x ! next ! prev ! next ! prev } MayAliases KeyIdea: Represent aliases by expressions of size k MayAliases(x,F 1 ) = { x ! next t | t ¸ j } MayAliases(x,F 2 ) = { x ! (next|prev) t | t ¸ 0 }

14
13 Join Algorithm Join(F 1, F 2 ) returns an overapproximation of F 1 Ç F 2 Example 1 Input 1: i=1 Æ A[0]=0 Input 2: i=2 Æ A[0]=0 Æ A[1]=1 Output: 8 j: (0 · j < i) ) A[j]=j Example 2 Let S(k) ´ Array(x ! next k ! data, x ! next k ! len) Input 1: y=x ! next Æ S(0) Input 2: y=x ! next 2 Æ S(0) Æ S(1) Output: 9 i: 1 · i · 2 Æ y=x ! next i Æ 8 j: (0 · j < i) ) S(j)

15
14 Join Algorithm: Key Idea Input 1: y=x ! next Æ S(0) Input 2: y=x ! next 2 Æ S(0) Æ S(1) After Normalization, we get: Input 1: 9 i: i=1 Æ y=x ! next i Æ 8 j: (0 · j < 1) ) S(j) Input 2: 9 i: i=2 Æ y=x ! next i Æ 8 j: (0 · j < 2) ) S(j) Now we use the following rule: Join ( 9 V: E 1 Æ 8 U: C 1 ) S, 9 V: E 2 Æ 8 U: C 2 ) S) = 9 V: E 3 Æ 8 U: C 3 ) S where E 3 = Join(E 1, E 2 ) C 3 = Underapproximation of C 1 Æ C 2

16
15 Join Algorithm: Key Idea Input 1: y=x ! next Æ S(0) Input 2: y=x ! next 2 Æ S(0) Æ S(1) After Normalization, we get: Input 1: 9 i: i=1 Æ y=x ! next i Æ 8 j: (0 · j < 1) ) S(j) Input 2: 9 i: i=2 Æ y=x ! next i Æ 8 j: (0 · j < 2) ) S(j) Now we use the following rule: Join ( 9 V: E 1 Æ 8 U: C 1 ) S, 9 V: E 2 Æ 8 U: C 2 ) S) = 9 V: E 3 Æ 8 U: C 3 ) S where E 3 = Join(E 1, E 2 ) C 3 = Underapproximation of (E 1 ) C 1 Æ E 2 ) C 2 )

17
16 Meet Algorithm Meet(F,p) returns an overapproximation of F Æ p KeyIdea: Reason about interaction between equalities & disequalities Example 1 Input 1: 9 i: len · i Æ List(x,i,next) Æ y=x ! next len Input 2: y=null Output: 9 i: len=i Æ List(x,i,next) Æ y=x ! next len Example 2 Input 1: 9 i: len · i Æ List(x,i,next) Æ y=x ! next len Input 2: y null Output: 9 i: len < i Æ List(x,i,next) Æ y=x ! next len

18
17 PostAssignment Algorithm Input 1: List(y,i,next) Æ List(result,j,next) Æ y+next=x Æ *x=tmp Input 2: *x := result Output: List(tmp,i-1,next) Æ List(result,j,next) Æ y+next=x Æ *x=result null result null y tmp Post(F, s) returns an overapproximation of the strongest postcondition of F w.r.t. s KeyIdea: Transitive Closure; Invalidate Must; Invalidate May; Add new fact

19
18 Experiments ProgramBase Constraint Domain Required Property Discovered (apart from memory safety) Precondition provided List2ArrayGeneralized Difference Constraints Corresponding array & list elements are same Input is a list ListReverseGeneralized Difference Constraints Reversed list has length 100 Input is a list of size 100 ArrayPtrArrayGeneralized Difference Constraints + Uninterpreted Functions Input array has length Len (where Len is also an input)

20
19 Related Work Alias/Pointer Analysis [Work done in early 90s] –Must/May equalities –Considered not expressive enough Shape Analysis [Work that followed] –Fancy predicates –Need to provide transfer functions for each of them This work –Must/May equalities extended with quantifiers (Provides expressiveness of an infinite class of predicates and avoids the need of providing transfer functions)

21
20 Conclusion and Future Work Quantified abstract domain for pointer analysis –Expressive enough to reason rich properties –Amenable to automated deduction Extend analysis to inter-procedural setting Add disjunction and richer quantification support in abstract domain

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google