Partitioned Memory Models for Program Analysis

Transcription

1 Partitioned Memory Models for Program Analysis Wei Wang 1 Clark Barrett 2 Thomas Wies 3 1 Google 2 Stanford University 3 New York University January 13, 2017 Wei Wang Partitioned Memory Models January 13, / 17

2 SMT-based Program Analysis Source Code SAT/UNSAT φ Formula SMT Solver Property Timeout Key challenge: scalability. Goal: reduce the size of the formula φ. Wei Wang Partitioned Memory Models January 13, / 17

3 Flat Model: Models Memory with A Single Byte Array 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } M 1 = M 0 [b..b+3 := a] M 2 = M 1 [a..a+3 := 0xFFFF] M 3 = M 2 [c..c+3 := a] M 4 = M 3 [a := 0x0] M 4 [a..a+3]!= 0xFFFF // Pass! Wei Wang Partitioned Memory Models January 13, / 17

4 Flat Model: Models Memory with A Single Byte Array 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } M 1 = M 0 [b..b+3 := a] M 2 = M 1 [a..a+3 := 0xFFFF] M 3 = M 2 [c..c+3 := a] M 4 = M 3 [a := 0x0] M 4 [a..a+3]!= 0xFFFF // Pass! The depth of nested stores: 4. Disjointness predicates: disjoint(p, q) = p + size(p) q q + size(q) p Wei Wang Partitioned Memory Models January 13, / 17

5 Flat Model: Models Memory with A Single Byte Array 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } M 1 = M 0 [b..b+3 := a] M 2 = M 1 [a..a+3 := 0xFFFF] M 3 = M 2 [c..c+3 := a] M 4 = M 3 [a := 0x0] M 4 [a..a+3]!= 0xFFFF // Pass! The depth of nested stores: 4. Disjointness predicates: disjoint(a, b) disjoint(b, c) disjoint(c, a) Wei Wang Partitioned Memory Models January 13, / 17

6 Burstall Model: Splits Memory with Type Information 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } char* c *c char int* b a, *b int M int M int M char M char Wei Wang Partitioned Memory Models January 13, / 17

7 Burstall Model: Splits Memory with Type Information 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } char* c *c char int* b a, *b int M int 1 = M int 0 [b..b+3 := a] 1 = M int 0 [a..a+3 := 0xFFFF] M int M char 1 = M char 0 [c..c+3 := a] M char 1 = M char 0 [a := 0x0] Wei Wang Partitioned Memory Models January 13, / 17

8 Burstall Model: Splits Memory with Type Information 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } char* c *c char int* b a, *b int M int 1 = M int 0 [b..b+3 := a] 1 = M int 0 [a..a+3 := 0xFFFF] M int M char 1 = M char 0 [c..c+3 := a] M char 1 = M char 0 [a := 0x0] M int 1 [a..a+3]!= 0xFFFF Wei Wang Partitioned Memory Models January 13, / 17

9 Burstall Model: Splits Memory with Type Information 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } char* c *c char int* b a, *b int 1 = M int 0 [a..a+3 := 0xFFFF] M int M int 1 [a..a+3]!= 0xFFFF // Failed! Maximum depth of nested stores: 1. Disjointness predicates: 0. Wei Wang Partitioned Memory Models January 13, / 17

10 Partitioned Model: Splits Memory with Alias Information 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } τ 1 τ 2 b c a, *b, *c τ 3 M τ1 M τ3 M τ2 Wei Wang Partitioned Memory Models January 13, / 17

11 Partitioned Model: Splits Memory with Alias Information 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } τ 1 τ 2 b c a, *b, *c τ 3 M τ1 1 = M τ1 0 [b..b+3 := a] M τ3 1 = M τ3 0 [a..a+3 := 0xFFFF] M τ2 1 = M τ2 0 [c..c+3 := a] M τ3 2 = M τ3 [a := 0x0] 1 M τ3 2 [a..a+3]!= 0xFFFF // Passed! Wei Wang Partitioned Memory Models January 13, / 17

12 Partitioned Model: Splits Memory with Alias Information 1 int a; 2 3 void foo() { 4 int b = &a; 5 b = 0xFFFF; 6 char c = (char ) b; 7 c = 0x0; 8 assert(a!= 0xFFFF); 9 } τ 1 τ 2 b c a, *b, *c τ 3 M τ1 1 = M τ1 0 [b..b+3 := a] M τ3 1 = M τ3 0 [a..a+3 := 0xFFFF] M τ2 1 = M τ2 0 [c..c+3 := a] M τ3 2 = M τ3 [a := 0x0] 1 M τ3 2 [a..a+3]!= 0xFFFF // Passed! Maximum depth of nested stores: 2. Disjointness predicates: 0. Wei Wang Partitioned Memory Models January 13, / 17

13 Points-to Analysis in Partitioned Memory Models Points-to analysis Determine the set of locations that a pointer may point to at runtime. Points-to graph: nodes are sets of aliased program expressions; edges are the points-to relations. Wei Wang Partitioned Memory Models January 13, / 17

14 Points-to Analysis in Partitioned Memory Models Points-to analysis Determine the set of locations that a pointer may point to at runtime. Principle: the points-to relation must be a function. Each node has a single successor to determine the memory array for modeling a pointer dereference. Unification-based points-to analyses [Steensgaard POPL 96]. Wei Wang Partitioned Memory Models January 13, / 17

15 Points-to Analysis in Partitioned Memory Models Points-to analysis Determine the set of locations that a pointer may point to at runtime. Rationale: the scalability of a partitioned memory model depends on the precision of a points-to analysis. Field-sensitivity: tracks individual record fields separately. Wei Wang Partitioned Memory Models January 13, / 17

16 [Steensgaard CC 96] Field-Sensitive Steensgaard s Analysis Performs a field-sensitive analysis on static records but NOT on heap data structures. 1 typedef struct list { 2 struct list prev, next; 3 int32 data; 4 } list; 5 6 list foo(int32 undef) { 7 list k1 = malloc(sizeof(list)); 8 list k2 = malloc(sizeof(list)); 9 10 list p = undef < 0? 11 &k1 >next : &k2 >prev; 12 return p; 13 } Wei Wang Partitioned Memory Models January 13, / 17

17 [Steensgaard CC 96] Field-Sensitive Steensgaard s Analysis Performs a field-sensitive analysis on static records but NOT on heap data structures. 1 typedef struct list { 2 struct list prev, next; 3 int32 data; 4 } list; 5 6 list foo(int32 undef) { 7 list k1 = malloc(sizeof(list)); 8 list k2 = malloc(sizeof(list)); 9 10 list p = undef < 0? 11 &k1 >next : &k2 >prev; 12 return p; 13 } Wei Wang Partitioned Memory Models January 13, / 17

18 [Lattner PLDI 08] Data Structure Based Points-to Analysis Supports a conservative field-sensitive analysis on heap data structures, by tracking their type information and data layouts. 1 typedef struct list { 2 struct list prev, next; 3 int32 data; 4 } list; 5 6 list foo(int32 undef) { 7 list k1 = malloc(sizeof(list)); 8 list k2 = malloc(sizeof(list)); 9 10 list p = undef < 0? 11 &k1 >next : &k2 >prev; 12 return p; 13 } Wei Wang Partitioned Memory Models January 13, / 17

19 [Lattner PLDI 08] Data Structure Based Points-to Analysis Supports a conservative field-sensitive analysis on heap data structures, by tracking their type information and data layouts. 1 typedef struct list { 2 struct list prev, next; 3 int32 data; 4 } list; 5 6 list foo(int32 undef) { 7 list k1 = malloc(sizeof(list)); 8 list k2 = malloc(sizeof(list)); 9 10 list p = undef < 0? 11 &k1 >next : &k2 >prev; 12 return p; 13 } Wei Wang Partitioned Memory Models January 13, / 17

20 [Lattner PLDI 08] Data Structure Based Points-to Analysis Supports a conservative field-sensitive analysis on heap data structures, by tracking their type information and data layouts. 1 typedef struct list { 2 struct list prev, next; 3 int32 data; 4 } list; 5 6 list foo(int32 undef) { 7 list k1 = malloc(sizeof(list)); 8 list k2 = malloc(sizeof(list)); 9 10 list p = undef < 0? 11 &k1 >next : &k2 >prev; 12 return p; 13 } k1 k2 <0:12, list>, <4:16, list> list* list* list*, int p int32 16 Wei Wang Partitioned Memory Models January 13, / 17

21 [Lattner PLDI 08] Data Structure Based Points-to Analysis Limitation: performs the merging process at the object level rather than at the field level, invalid alias relationships are introduced. 1 typedef struct list { 2 struct list prev, next; 3 int32 data; 4 } list; 5 6 list foo(int32 undef) { 7 list k1 = malloc(sizeof(list)); 8 list k2 = malloc(sizeof(list)); 9 10 list p = undef < 0? 11 &k1 >next : &k2 >prev; 12 return p; 13 } k1 k2 <0:12, list>, <4:16, list> list* list* list*, int p int32 16 Wei Wang Partitioned Memory Models January 13, / 17

22 Cell-Based Points-to Analysis Cell-based field-sensitive points-to graph (CFS graph) Cell is a generalization of an alias group. A points-to edge α β: the points-to relation from cell α to β. A contains edge α i,j β: cell α contains cell β with an offset interval [i, j) (0,4) x (4,8) 0x.. Figure: A singly-linked list with one element. Wei Wang Partitioned Memory Models January 13, / 17

23 Cell-Based Points-to Analysis: Precision In CFS graph, the aliased fields are merged into a single cell with contains edges from two record cells, while other unaliased fields are kept separate. 1 typedef struct list { 2 struct list prev, next; 3 int32 data; 4 } list; 5 6 list foo(int32 undef) { 7 list k1 = malloc(sizeof(list)); 8 list k2 = malloc(sizeof(list)); 9 10 list p = undef < 0? 11 &k1 >next : &k2 >prev; 12 return p; 13 } k1 list (0,4) (4,8) (8,12) list* list* int32 &k1->next k2 list (0,4) (4,8) (8,12) list* list* int32 &k2->prev Wei Wang Partitioned Memory Models January 13, / 17

24 Cell-Based Points-to Analysis: Precision In CFS graph, the aliased fields are merged into a single cell with contains edges from two record cells, while other unaliased fields are kept separate. 1 typedef struct list { 2 struct list prev, next; 3 int32 data; 4 } list; 5 6 list foo(int32 undef) { 7 list k1 = malloc(sizeof(list)); 8 list k2 = malloc(sizeof(list)); 9 10 list p = undef < 0? 11 &k1 >next : &k2 >prev; 12 return p; 13 } (0,4) (8,12) (4,8) (0,4) (4,8) (8,12) Wei Wang Partitioned Memory Models January 13, / 17

25 Cell-Based Points-to Analysis: Access Size Tracking Tracking the access size of alias group can further reduce formula complexity. Cell size: each cell α is associated with a size in N. Initially, each cell has a numeric size. If two cells with different sizes are merged, the size of the result cell is. Cell size parameterized memory array: if size(α) =, the memory array M α is an array of bytes; if size(α) = n N, the memory array M α is an array of n-byte elements. Wei Wang Partitioned Memory Models January 13, / 17

26 Cell-Based Points-to Analysis: Fields Alias Type-unsafe operations (e.g. pointer casts, pointer arithmetics, union types) may introduce fields alias. Two fields are aliased: if they are contained in the same record with the same offset interval; if they are contained in the same record with overlapped offset intervals and both are non-record fields. Wei Wang Partitioned Memory Models January 13, / 17

27 Cell-Based Points-to Analysis: Fields Alias Contains edges can discover field alias with following properties: reflexive: α 0,s α, if size(α) N; transitivity: if α 1 i1,j 1 α 2 and α 2 i2,j 2 α 3, then α 1 i1+i 2,i 1+j 2 α 3 ; anti-symmetric: if α 1 i1,j 1 α 2 and α 2 i2,j 2 α 1, then α 1 = α 2 ; linearity: if α 1 i1,j 1 α 2 and α 1 i2,j 2 α 3, then α 2 i2 i 1,j 2 i 1 α 3 if i 1 i 2 < j 2 j 1. Wei Wang Partitioned Memory Models January 13, / 17

28 Cell-Based Points-to Analysis: Union Type For nested record in a union, two nested fields are aliased only if their offset intervals overlap. 1 typedef struct dlist { 2 struct dlist prev, next; 3 int32 data; 4 } dlist; 5 6 typedef struct slist { 7 struct slist next; 8 int64 data; 9 } slist; union { 12 slist s; dlist d; 13 } ulist; ulist (0,12) (0,12) slist dlist (0,4) (4,12) (0,4) (4,8) (8,12) slist* int64 dlist* dlist* int32 Wei Wang Partitioned Memory Models January 13, / 17

29 Cell-Based Points-to Analysis: Union Type For nested record in a union, two nested fields are aliased only if their offset intervals overlap. 1 typedef struct dlist { 2 struct dlist prev, next; 3 int32 data; 4 } dlist; 5 6 typedef struct slist { 7 struct slist next; 8 int64 data; 9 } slist; union { 12 slist s; dlist d; 13 } ulist; (0,12) (0,12) (0,4) (4,12) (0,4) (4,8) (8,12) Wei Wang Partitioned Memory Models January 13, / 17

30 Cell-Based Points-to Analysis: Union Type For nested record in a union, two nested fields are aliased only if their offset intervals overlap. 1 typedef struct dlist { 2 struct dlist prev, next; 3 int32 data; 4 } dlist; 5 6 typedef struct slist { 7 struct slist next; 8 int64 data; 9 } slist; union { 12 slist s; dlist d; 13 } ulist; (0,12) (0,12) (0,4) (4,12) (0,4) (4,8) (8,12) Wei Wang Partitioned Memory Models January 13, / 17

31 Cell-Based Points-to Analysis: Pointer Casting Pointer casting creates an alternative view. To model this, a fresh cell is added to the CFS graph representing the new view. 1 typedef struct dlist { 2 struct dlist prev, next; 3 } dlist; 4 5 dlist bar(int32 undef) { 6 list p = foo(undef); 7 dlist q = (dlist ) p; 8 q >next = 0; 9 return q; 10 } k1 list k2 list (0,4) (8,12) (4,8) (0,4) (4,8) (8,12) list* int32 list* list* int32 p Wei Wang Partitioned Memory Models January 13, / 17

32 Cell-Based Points-to Analysis: Pointer Casting Pointer casting creates an alternative view. To model this, a fresh cell is added to the CFS graph representing the new view. 1 typedef struct dlist { 2 struct dlist prev, next; 3 } dlist; 4 5 dlist bar(int32 undef) { 6 list p = foo(undef); 7 dlist q = (dlist ) p; 8 q >next = 0; 9 return q; 10 } k1 q k2 list (4,12) (0,8) list dlist* (0,4) (8,12) (4,8) (0,4) (4,8) (8,12) list* int32 list* list* int32 &k1->data p &k2->next Wei Wang Partitioned Memory Models January 13, / 17

33 Cell-Based Points-to Analysis: Pointer Casting Pointer casting creates an alternative view. To model this, a fresh cell is added to the CFS graph representing the new view. 1 typedef struct dlist { 2 struct dlist prev, next; 3 } dlist; 4 5 dlist bar(int32 undef) { 6 list p = foo(undef); 7 dlist q = (dlist ) p; 8 q >next = 0; 9 return q; 10 } list* p (0,4) k1 list (0,4) list* q dlist* int32 list* k2 list (4,12) (0,8) (8,12) (4,8) q->next int32 Wei Wang Partitioned Memory Models January 13, / 17

34 Cell-Based Points-to Analysis: Pointer Arithmetic In CFS graph, any cell pointed to by operands of a pointer arithmetic expression is collapsed all outer record and inner field cells are merged into a single cell. k1 k2 1 list buz(int32 undef) { 2 list p = foo(undef); 3 (p + undef) = 0; 4 return p; 5 } list list (0,4) (8,12) (4,8) (0,4) (4,8) (8,12) list* int32 list* list* int32 p Wei Wang Partitioned Memory Models January 13, / 17

35 Cell-Based Points-to Analysis: Pointer Arithmetic In CFS graph, any cell pointed to by operands of a pointer arithmetic expression is collapsed all outer record and inner field cells are merged into a single cell. 1 list buz(int32 undef) { 2 list p = foo(undef); 3 (p + undef) = 0; 4 return p; 5 } (0,4) (8,12) (4,8) (0,4) (4,8) (8,12) Wei Wang Partitioned Memory Models January 13, / 17

36 Cell-Based Points-to Analysis: Pointer Arithmetic In CFS graph, any cell pointed to by operands of a pointer arithmetic expression is collapsed all outer record and inner field cells are merged into a single cell. 1 list buz(int32 undef) { 2 list p = foo(undef); 3 (p + undef) = 0; 4 return p; 5 } k1 p int32 list* list k2 p+undef Wei Wang Partitioned Memory Models January 13, / 17

37 Experimental Result Comparison of memory models in Cascade HeapReach(81) HeapMemSafety(190) False(25) True(56) False(83) True(107) #solved time(s) ptsto(s) #solved time(s) ptsto(s) #solved time(s) ptsto(s) #solved time(s) ptsto(s) Flat St-fi St-fs DSA-local CFS Timeout is 850 seconds. SV-COMP 2016 benchmarks with category HeapReach and HeapMemSafety. Wei Wang Partitioned Memory Models January 13, / 17

38 Experimental Result Comparison of memory models in Cascade TO TO TO TO 500s 500s 500s 500s St-fi 300s CFS 300s CFS 300s CFS 300s 0s 0s 300s 500s TO 0s 0s 300s 500s TO 0s 0s 300s 500s TO 0s 0s 300s 500s TO Flat St-fi St-fs DSA-local Timeout is 850 seconds. SV-COMP 2016 benchmarks with category HeapReach and HeapMemSafety. Wei Wang Partitioned Memory Models January 13, / 17