1/25 Pointer Logic. Changki, PSWLAB. After Daniel Kroening and Ofer Strichman, Decision Procedures.

Why pointer logic?
 A pointer is a program variable whose sole purpose is to refer to some other program construct: a variable, a procedure, or another pointer.
 Pointers are useful, but they are a common source of programming errors, for example:
 Aliasing
 Null pointer dereference errors

Table of Contents
 Introduction
 Pointer logic
 Modeling Heap-Allocated Data Structures
 A Decision Procedure
 Conclusion

Memory model
 The implementation of pointers relies on the fact that the memory cells of a computer have addresses, i.e., each cell has a unique number.
 Definition 1 (Memory model). A memory model describes the assumptions that are made about the way memory cells are addressed. We assume that the architecture provides a continuous, uniform address space. Each address corresponds to a memory cell that is able to store one data word. A memory valuation M: A → D is a mapping from the set of addresses A into the domain D of data words.

Memory layout
 The compiler assigns a particular memory location to each static variable. This mapping is called the memory layout.
 Definition 2 (Memory layout). A memory layout L: V → A is a mapping from each variable v ∊ V to an address a ∊ A, where V denotes the set of variables and A denotes the set of addresses.
 The memory layout is nonoverlapping, i.e., the memory locations of the statically allocated variables are distinct.
 What about dynamic memory allocation?

Dynamic memory allocation
 Dynamic data structures are created at run time.
 A runtime library maintains a list of the memory regions that are unused.
 A function of this library (malloc() in C, for example) allocates a region of a given size and returns a pointer to the beginning of the region.
 The memory layout therefore changes during the run time of the program.
 The lifetime of a dynamic object is the time between its allocation and its deallocation.

Analysis of programs with pointers
 Aliasing: a situation in which a data location in memory can be accessed through different symbolic names in the program. Modifying the data through one name implicitly modifies the values associated with all aliased names, which is often not what the programmer expects.
 Invalid dereferencing: a situation in which a pointer that does not point to a proper object (e.g., NULL, or an object whose lifetime has ended) is dereferenced.
 Example

Syntax
 The syntax of a formula in pointer logic is defined by the following rules:
 pointer-identifier is of pointer type
 identifier is of integer type or an array of integers

Semantics (1/2)
 We define the semantics by referring to
 the memory layout L: V → A, a mapping from each variable v ∊ V to an address a ∊ A
 the memory valuation M: A → D, a mapping from the set of addresses A into the domain D of data words
 Pointer logic formulas are predicates on (M, L) pairs; the definition of the semantics uses a reduction to integer arithmetic and array logic.
 We treat M and L as array types.

Semantics (2/2)
 Definition 3 (Semantics of pointer logic). Let L_P denote the set of pointer logic expressions, and let L_D denote the set of expressions permitted by the logic for the data words. The function [⋅] : L_P → L_D is defined recursively for e ∊ L_P. The expression e ∊ L_P is valid if and only if [e] is valid.

Example
 Let a be an array identifier.
 The semantic definition of the expression expands as follows:
 The last equation is obviously valid, and thus so is the original expression.

Lists (1/2)
 The simplest dynamically allocated data structure is the linked list.
 Its structure type contains fields for a next pointer and the data.
 So how do we model a linked list in pointer logic formulas?

Lists (2/2)
 We need to model the field for the next pointer.
 Recursive definition
 We also need the property that the last element of an acyclic list points to NULL.
 Add another definition

Applying the semantic translation
 The semantic translation assigns meaning to pointer logic formulas, and it also gives rise to a simple decision procedure.
 The formula generated by the semantic translation contains
 the array read operator (recall that the memory layout L and the memory valuation M are treated as arrays, so reading a variable or dereferencing a pointer becomes an array read);
 linear arithmetic for the index;
 equality over the type used for modeling the contents of the memory cells.
 Decision procedure for pointer logic:
 1. Apply the semantic translation to the pointer formula to obtain a formula in the combined logic of linear arithmetic and arrays.
 2. Pass that formula to the decision procedure for the combined logic.

Examples
 We want to check the validity of the following pointer logic formula:
 The semantic translation expands as follows:
 A decision procedure for array logic and equality logic easily concludes that the formula above is valid.

Pure variables (1/2)
 Sometimes the semantic translation places an undue burden on the underlying decision procedure, as illustrated by the following example:
 A decision procedure for equality logic is certainly able to deduce that the original formula is valid without any reference to M or L; the translation only adds array reads that the procedure then has to reason about.
 Therefore, the full semantic translation is not required in this kind of situation.

Pure variables (2/2)
 Definition 4 (Pure variables). Given a formula with a set of variables V, the subset of those variables that are not used within an argument of the "&" operator in the formula are called pure.
 Definition 5 ([⋅]_P). The new translation function [e]_P is identical to [e] unless e denotes a variable. For a pure variable, [e]_P is the variable itself, so no read from M and L is generated; for a variable whose address is taken, [e]_P coincides with [e].

Example
 This no longer burdens the decision procedure for array logic:
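The following is an added example, written for this page and not taken from the slides or from Kroening and Strichman's book. It implements the semantic translation [⋅] of Definition 3, the pure-variable refinement [⋅]_P of Definitions 4 and 5, and an evaluator that treats a pointer logic formula as a predicate on a concrete (M, L) pair. The tuple encoding of expressions, the operator names, the choice NULL = 0 and the sample layouts are my own assumptions; the translation output is rendered as text in the array-logic form (reads from M and L) that the decision procedure on the "Applying the semantic translation" slide would receive.

```python
# Added example (my own code, not from the slides or the Kroening/Strichman book):
# a toy semantic translation [.] of pointer logic into reads from the layout L
# and the valuation M, the pure-variable variant [.]_P, and an evaluator that
# treats a formula as a predicate on a concrete (M, L) pair and rejects invalid
# dereferences. Tuple encoding, operator names and layouts are my assumptions.

# Expressions: ('var','a') ('addr','a') ('deref',p) ('const',3) ('null',)
# ('add',p,t) ('eq',x,y) ('lt',x,y) ('and',f,g) ('not',f)
SYMBOL = {'add': '+', 'eq': '=', 'lt': '<', 'and': 'and'}
BINOPS = {'add': lambda a, b: a + b, 'eq': lambda a, b: a == b,
          'lt': lambda a, b: a < b, 'and': lambda a, b: bool(a and b)}


class InvalidDereference(Exception):
    """*p was evaluated but p does not address a memory cell (e.g. NULL)."""


def names(e, addr_only=False):
    """Identifiers in e; with addr_only, only those used as an argument of '&'."""
    own = {e[1]} if e[0] == 'addr' or (not addr_only and e[0] == 'var') else set()
    return own.union(*(names(c, addr_only) for c in e[1:] if isinstance(c, tuple)))


def pure_variables(e):
    """Definition 4: the variables of e that never appear under '&'."""
    return names(e) - names(e, addr_only=True)


def translate(e, pure=frozenset()):
    """[e] (Definition 3); with a pure set, [e]_P (Definition 5): a variable v
    becomes the array read M[L[v]] unless it is pure."""
    t = lambda x: translate(x, pure)
    tag = e[0]
    if tag == 'var':
        return e[1] if e[1] in pure else f'M[L[{e[1]}]]'
    if tag == 'const':
        return str(e[1])
    if tag == 'null':
        return '0'                                   # NULL is address 0 (assumption)
    if tag == 'addr':
        return f'L[{e[1]}]'
    if tag == 'deref':
        return f'M[{t(e[1])}]'
    if tag == 'not':
        return f'not {t(e[1])}'
    if tag in SYMBOL:
        return f'({t(e[1])} {SYMBOL[tag]} {t(e[2])})'
    raise ValueError(f'unknown operator {tag!r}')


def translate_pure(e):
    """[e]_P: pure variables stay plain symbols instead of becoming M[L[v]]."""
    return translate(e, frozenset(pure_variables(e)))


def evaluate(e, L, M):
    """Evaluate e on a concrete (M, L) pair; dicts stand in for the two arrays."""
    ev = lambda x: evaluate(x, L, M)
    tag = e[0]
    if tag == 'var':
        return M[L[e[1]]]
    if tag == 'const':
        return e[1]
    if tag == 'null':
        return 0
    if tag == 'addr':
        return L[e[1]]
    if tag == 'deref':
        addr = ev(e[1])
        if addr not in M:                            # NULL, freed or unallocated cell
            raise InvalidDereference(f'address {addr} is not a valid cell')
        return M[addr]
    if tag == 'not':
        return not ev(e[1])
    if tag in BINOPS:
        return BINOPS[tag](ev(e[1]), ev(e[2]))
    raise ValueError(f'unknown operator {tag!r}')


# Sample formulas (constructed for this example).
IDENTITY = ('eq', ('deref', ('addr', 'a')), ('var', 'a'))           # *(&a) = a
ALIAS = ('and', ('eq', ('var', 'p'), ('addr', 'a')),                 # p = &a and *p = a
                ('eq', ('deref', ('var', 'p')), ('var', 'a')))


def alias_holds():
    """Constructed layout in which p aliases a: *p and a read the same cell."""
    L = {'a': 10, 'p': 11}        # a lives at address 10, p at 11
    M = {10: 3, 11: 10}           # a holds 3, p holds &a
    return evaluate(ALIAS, L, M)


def null_deref_is_rejected():
    """Dereferencing NULL is an invalid dereference, not a value."""
    try:
        evaluate(('deref', ('null',)), {'a': 10}, {10: 3})
    except InvalidDereference:
        return True
    return False


if __name__ == '__main__':
    for f in (IDENTITY, ALIAS):
        print(translate(f), '  |  pure:', translate_pure(f))
    print(alias_holds(), null_deref_is_rejected())
```

Running `translate` on `*(&a) = a` yields `(M[L[a]] = M[L[a]])`, which any array decision procedure closes immediately. For `p = &a and *p = a`, `translate_pure` keeps `p` as a plain symbol (its address is never taken) but must still read `a` through `M[L[a]]`, since `&a` occurs in the formula; that is exactly the split Definitions 4 and 5 make. The evaluator shows why dereferencing is a predicate on (M, L) rather than a pure function of the formula: the same `*p` is a value under one layout and an invalid dereference under another.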

Reachability predicate (1/2)
 Definition 6. This stands for the pointer that is obtained by starting from q and following the field f n times:
 Definition 7 (Reachability predicate). A predicate is called a reachability predicate if it satisfies the following two conditions:
 there exists some n such that q is reachable from p by following f n times;
 x is not reachable from p in fewer than n steps following f.

Reachability predicate (2/2)
 We say that a formula is a reachability predicate formula if it contains a reachability predicate.
 Reachability predicate formulas often have quantifiers, which make the decision problem much harder.
 There is no general automatic decision procedure for a logic that includes an unrestricted reachability predicate; only restricted fragments are known to be decidable.
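The following is an added example, written for this page and not part of the slides or the book. It evaluates the list definition from the "Lists" slides and the n-step field access and reachability predicate of Definitions 6 and 7 on a concrete memory valuation M. It assumes NULL = 0 and a structure type whose node occupies two consecutive cells, the next pointer at offset 0 and the data at offset 1; the heaps are constructed for the example. Because the heap is finite and concrete, the existential "there exists some n" is bounded and a traversal with cycle detection settles it; this is not a decision procedure for reachability formulas over symbolic heaps, which the slide says remains open.

```python
# Added example (my own code, not from the slides or the book): evaluating the
# list and reachability definitions of the lecture on a concrete valuation M.
# Assumptions: NULL is address 0; a node occupies two consecutive cells, the
# 'next' field at offset 0 and the 'data' field at offset 1; the heaps below
# are constructed for this example.

NULL = 0
FIELD_OFFSET = {'next': 0, 'data': 1}   # assumed layout of the structure type


def follow(M, p, f, n):
    """Definition 6: the pointer obtained by starting at p and following field f
    n times. Raises KeyError if an intermediate pointer (e.g. NULL) addresses no node."""
    off = FIELD_OFFSET[f]
    for _ in range(n):
        p = M[p + off]
    return p


def reach(M, p, q, f):
    """Definition 7 on a concrete heap: the least n with p ->f^n q, or None.

    A finite heap bounds the existential quantifier over n, so a traversal with
    cycle detection suffices. Symbolic heaps have no such bound, which is why the
    slides call deciding reachability formulas an open problem."""
    off = FIELD_OFFSET[f]
    seen = set()
    n = 0
    while p != q:
        if p == NULL or p in seen or (p + off) not in M:
            return None                       # dead end, cycle, or invalid cell
        seen.add(p)
        p = M[p + off]
        n += 1
    return n


def acyclic_list_length(M, p):
    """The recursive list definition: p points to an acyclic, NULL-terminated
    list via 'next'. Returns its length, or None if the chain is cyclic or runs
    into a cell that is not part of M (an invalid dereference)."""
    off = FIELD_OFFSET['next']
    seen = set()
    n = 0
    while p != NULL:
        if p in seen or (p + off) not in M:
            return None
        seen.add(p)
        p = M[p + off]
        n += 1
    return n


# Constructed heaps: three nodes at addresses 100, 200 and 300.
ACYCLIC = {100: 200, 101: 1,     # node 100: next = 200, data = 1
           200: 300, 201: 2,     # node 200: next = 300, data = 2
           300: NULL, 301: 3}    # node 300: next = NULL, data = 3
CYCLIC = {**ACYCLIC, 300: 100}   # the last node points back to the head


if __name__ == '__main__':
    print(acyclic_list_length(ACYCLIC, 100))   # 3
    print(acyclic_list_length(CYCLIC, 100))    # None: no element points to NULL
    print(reach(ACYCLIC, 100, 300, 'next'))    # 2
    print(reach(CYCLIC, 100, 400, 'next'))     # None: the cycle is detected
    print(follow(ACYCLIC, 100, 'next', 2))     # 300
```

The `seen` set is what turns the unbounded search of Definition 7 into a terminating one on this heap; drop it and a cyclic list makes `reach` loop forever, which is the concrete shadow of the quantifier problem the slide describes.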

Conclusion
 The semantic translation not only assigns meaning to pointer logic formulas, but also gives rise to a simple decision procedure: translate the pointer formula into the combined logic of linear arithmetic and arrays, then call the decision procedure for the combined logic.
 Deciding a pointer logic that includes a reachability predicate is still an open problem.