Partitioned Memory Models for Program Analysis
Slide 1. Partitioned Memory Models for Program Analysis
Wei Wang (Google), Clark Barrett (Stanford University), Thomas Wies (New York University)
January 13, 2017
Slide 2. SMT-based Program Analysis
Pipeline (figure): source code and the property to check are encoded as a formula φ; an SMT solver answers SAT/UNSAT or times out.
Key challenge: scalability. Goal: reduce the size of the formula φ.
Slides 3-5. Flat Model: Models Memory with a Single Byte Array

    int a;

    void foo() {
      int *b = &a;
      *b = 0xFFFF;
      char *c = (char *) b;
      *c = 0x0;
      assert(a != 0xFFFF);
    }

One byte array M; the addresses of a, b and c index it:

    M1 = M0[b..b+3 := a]
    M2 = M1[a..a+3 := 0xFFFF]
    M3 = M2[c..c+3 := a]
    M4 = M3[a := 0x0]
    M4[a..a+3] != 0xFFFF   // Pass!

The depth of nested stores: 4.
Disjointness predicates: disjoint(p, q) = p + size(p) <= q or q + size(q) <= p. Here: disjoint(a, b), disjoint(b, c), disjoint(c, a).
Slides 6-9. Burstall Model: Splits Memory with Type Information

Same foo() as on slides 3-5. Locations are grouped by static type: c (char*) and *c (char); b (int*) and a, *b (int). One memory array per type: M^{int*}, M^{int}, M^{char*}, M^{char}.

    M^{int*}_1  = M^{int*}_0[b..b+3 := a]
    M^{int}_1   = M^{int}_0[a..a+3 := 0xFFFF]
    M^{char*}_1 = M^{char*}_0[c..c+3 := a]
    M^{char}_1  = M^{char}_0[a := 0x0]
    M^{int}_1[a..a+3] != 0xFFFF   // Failed!

The byte store through c updates only M^{char}, so M^{int} still holds 0xFFFF at a and the assertion check fails.
Maximum depth of nested stores: 1. Disjointness predicates: 0.
Slides 10-12. Partitioned Model: Splits Memory with Alias Information

Same foo() as on slides 3-5. Alias groups: τ1 = {b}, τ2 = {c}, τ3 = {a, *b, *c}. One memory array per group: M^{τ1}, M^{τ2}, M^{τ3}.

    M^{τ1}_1 = M^{τ1}_0[b..b+3 := a]
    M^{τ3}_1 = M^{τ3}_0[a..a+3 := 0xFFFF]
    M^{τ2}_1 = M^{τ2}_0[c..c+3 := a]
    M^{τ3}_2 = M^{τ3}_1[a := 0x0]
    M^{τ3}_2[a..a+3] != 0xFFFF   // Passed!

Maximum depth of nested stores: 2. Disjointness predicates: 0.
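The three models of slides 3 to 12 replayed on the same four stores, as an added Python example (not code from the slides or from Cascade). Each memory array is kept as its chain of stores, so the nesting depth and the number of disjointness predicates can be read off directly; the addresses of a, b and c and the little-endian byte layout are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Store:
    stmt: str     # statement of foo() from the slides
    ctype: str    # static type of the written lvalue (Burstall key)
    group: str    # alias group of the written lvalue (partitioned key)
    addr: int     # constructed address of the written location
    data: tuple   # little-endian bytes written


# Constructed addresses for a, b and c (the slides keep them symbolic).
A, B, C = 0x100, 0x200, 0x300
VARS = {"a": ("int", "t3", A), "b": ("int*", "t1", B), "c": ("char*", "t2", C)}


def le(value, nbytes):
    """Little-endian byte tuple of `value` (the layout is an assumption)."""
    return tuple((value >> (8 * i)) & 0xFF for i in range(nbytes))


# The four stores of foo(), in program order.  `*b` and `*c` both denote `a`,
# so their alias group is t3, while their static types differ (int vs char).
PROGRAM = [
    Store("b = &a",         "int*",  "t1", B, le(A, 4)),
    Store("*b = 0xFFFF",    "int",   "t3", A, le(0xFFFF, 4)),
    Store("c = (char *) b", "char*", "t2", C, le(A, 4)),
    Store("*c = 0x0",       "char",  "t3", A, le(0x0, 1)),
]

# A model maps (static type, alias group) to the array holding the location:
# one array, one array per type, or one array per alias group.
MODELS = {
    "flat":        lambda ctype, group: "M",
    "burstall":    lambda ctype, group: "M_" + ctype,
    "partitioned": lambda ctype, group: "M_" + group,
}


def run(model):
    """Replay PROGRAM under `model` and evaluate assert(a != 0xFFFF)."""
    array_of = MODELS[model]
    arrays = {}                      # array name -> chain of nested stores
    for st in PROGRAM:
        arrays.setdefault(array_of(st.ctype, st.group), []).append(st)

    # Load the 4 bytes of `a` from the array the model assigns to `a`:
    # byte by byte, latest store wins; untouched bytes read as 0.
    ctype, group, addr = VARS["a"]
    chain = arrays.get(array_of(ctype, group), [])
    value = 0
    for i in range(4):
        byte = 0
        for st in chain:
            if st.addr <= addr + i < st.addr + len(st.data):
                byte = st.data[addr + i - st.addr]
        value |= byte << (8 * i)

    # Formula-size indicators from the slides: the deepest chain of nested
    # stores, and one disjointness predicate per pair of variables that the
    # model places in the same array.
    depth = max((len(ch) for ch in arrays.values()), default=0)
    homes = [array_of(t, g) for (t, g, _) in VARS.values()]
    disjoint = sum(1 for i in range(len(homes))
                   for j in range(i + 1, len(homes)) if homes[i] == homes[j])
    return {"a": value, "assert_holds": value != 0xFFFF,
            "max_depth": depth, "disjointness_predicates": disjoint}


if __name__ == "__main__":
    for name in MODELS:
        print(name, run(name))
```

Under the Burstall model the char store never reaches M_int, so the assertion is reported as failing; the flat and partitioned models both see a = 0xFF00.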
Slides 13-15. Points-to Analysis in Partitioned Memory Models

Points-to analysis: determine the set of locations that a pointer may point to at runtime.
Points-to graph: nodes are sets of aliased program expressions; edges are the points-to relations.
Principle: the points-to relation must be a function. Each node has a single successor, which determines the memory array used to model a pointer dereference. Unification-based points-to analyses [Steensgaard POPL 96] have this property.
Rationale: the scalability of a partitioned memory model depends on the precision of the points-to analysis.
Field-sensitivity: tracks individual record fields separately.
Slides 16-17. Field-Sensitive Steensgaard's Analysis [Steensgaard CC 96]

Performs a field-sensitive analysis on static records but NOT on heap data structures.

    typedef struct list {
      struct list *prev, *next;
      int32 data;
    } list;

    list **foo(int32 undef) {
      list *k1 = malloc(sizeof(list));
      list *k2 = malloc(sizeof(list));

      list **p = undef < 0 ?
        &k1->next : &k2->prev;
      return p;
    }
Slides 18-21. Data Structure Based Points-to Analysis [Lattner PLDI 08]

Supports a conservative field-sensitive analysis on heap data structures by tracking their type information and data layouts.

Same foo() as on slides 16-17. DS graph (figure): k1 and k2 are merged into a single node carrying the type descriptors <0:12, list> and <4:16, list>, with field layout list*, list*, {list*, int}, int32 and total size 16; p points to the merged node.

Limitation: the merging is performed at the object level rather than at the field level, so invalid alias relationships are introduced.
Slide 22. Cell-Based Points-to Analysis

Cell-based field-sensitive points-to graph (CFS graph):
- A cell is a generalization of an alias group.
- A points-to edge α → β: the points-to relation from cell α to β.
- A contains edge α →_{i,j} β: cell α contains cell β with an offset interval [i, j).

Figure: a singly-linked list with one element (a record cell with field cells at (0,4) and (4,8)).
Slides 23-24. Cell-Based Points-to Analysis: Precision

In a CFS graph, the aliased fields are merged into a single cell with contains edges from the two record cells, while the other, unaliased fields are kept separate.

Same foo() as on slides 16-17. CFS graph (figure): record cell k1 (list) with field cells (0,4) list*, (4,8) list*, (8,12) int32, and &k1->next pointing at its (4,8) field; record cell k2 (list) with the same fields and &k2->prev pointing at its (0,4) field. After unification, k1's (4,8) field and k2's (0,4) field are one cell, while (0,4) and (8,12) of k1 and (4,8) and (8,12) of k2 stay separate.
Slide 25. Cell-Based Points-to Analysis: Access Size Tracking

Tracking the access size of an alias group can further reduce formula complexity.
Cell size: each cell α is associated with a size. Initially, each cell has a numeric size. If two cells with different sizes are merged, the result cell no longer has a numeric size.
Cell-size-parameterized memory array: if size(α) is not numeric, the memory array M_α is an array of bytes; if size(α) = n ∈ N, the memory array M_α is an array of n-byte elements.
Slides 26-27. Cell-Based Points-to Analysis: Field Alias

Type-unsafe operations (e.g. pointer casts, pointer arithmetic, union types) may introduce field aliases.
Two fields are aliased:
- if they are contained in the same record with the same offset interval;
- if they are contained in the same record with overlapping offset intervals and both are non-record fields.

Contains edges can discover field aliases using the following properties:
- reflexive: α →_{0,s} α, if size(α) = s ∈ N;
- transitivity: if α1 →_{i1,j1} α2 and α2 →_{i2,j2} α3, then α1 →_{i1+i2, i1+j2} α3;
- anti-symmetric: if α1 →_{i1,j1} α2 and α2 →_{i2,j2} α1, then α1 = α2;
- linearity: if α1 →_{i1,j1} α2 and α1 →_{i2,j2} α3, then α2 →_{i2-i1, j2-i1} α3 if i1 <= i2 < j2 <= j1.
Slides 28-30. Cell-Based Points-to Analysis: Union Type

For nested records in a union, two nested fields are aliased only if their offset intervals overlap.

    typedef struct dlist {
      struct dlist *prev, *next;
      int32 data;
    } dlist;

    typedef struct slist {
      struct slist *next;
      int64 data;
    } slist;

    union {
      slist s;
      dlist d;
    } ulist;

CFS graph (figure): ulist contains slist at (0,12) and dlist at (0,12); slist contains slist* next at (0,4) and int64 data at (4,12); dlist contains dlist* prev at (0,4), dlist* next at (4,8) and int32 data at (8,12).
Slides 31-33. Cell-Based Points-to Analysis: Pointer Casting

Pointer casting creates an alternative view. To model this, a fresh cell is added to the CFS graph representing the new view.

    typedef struct dlist {
      struct dlist *prev, *next;
    } dlist;

    dlist *bar(int32 undef) {
      list **p = foo(undef);
      dlist *q = (dlist *) p;
      q->next = 0;
      return q;
    }

Figures: before the cast, p points to the unified cell of k1's (4,8) field and k2's (0,4) field (the graph of slides 23-24). The cast adds a fresh dlist cell q as the new view, contained in k1 at (4,12) and in k2 at (0,8). The store q->next hits offset (4,8) of that view, i.e. &k1->data (int32) and &k2->next (list*), so those two field cells are merged into a single cell q->next.
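An added Python example (not the authors' implementation) that applies the contains-edge properties of slides 26-27 and the two field-alias rules to the union of slides 28-30 and to the pointer cast of slides 31-33. The cell names (s_next, k1_data, q, ...) and the choice to represent the cast view as a record cell q contained in k1 at (4,12) and in k2 at (0,8) are assumptions; anti-symmetry (merging of cells) is not applied, the closure only reports which field cells alias.

```python
from itertools import product


class CFSGraph:
    """Cells and contains edges (outer, i, j, inner): cell `outer` contains
    cell `inner` at byte offset interval [i, j).  Points-to edges are not
    needed for the field-alias test and are left out."""

    def __init__(self):
        self.cells = {}          # name -> (is_record, size in bytes)
        self.contains = set()    # (outer, i, j, inner)

    def cell(self, name, size, record=False):
        self.cells[name] = (record, size)

    def contain(self, outer, i, j, inner):
        self.contains.add((outer, i, j, inner))

    def closure(self):
        """Reflexive, transitive and linear closure of the contains edges
        (the properties listed on the slides); anti-symmetry, i.e. merging
        of cells, is not applied here."""
        edges = set(self.contains)
        for name, (_, size) in self.cells.items():
            edges.add((name, 0, size, name))                        # reflexive
        while True:
            new = set()
            for (a1, i1, j1, a2), (b1, i2, j2, a3) in product(edges, repeat=2):
                if a2 == b1:                                        # transitivity
                    new.add((a1, i1 + i2, i1 + j2, a3))
                if a1 == b1 and a2 != a3 and i1 <= i2 < j2 <= j1:   # linearity
                    new.add((a2, i2 - i1, j2 - i1, a3))
            # keep intervals inside the outer cell so the closure stays finite
            new = {e for e in new if e[2] <= self.cells[e[0]][1]}
            if new <= edges:
                return edges
            edges |= new

    def aliased(self, f, g):
        """Field-alias rules from the slides: f and g alias if some record
        cell contains both with the same offset interval, or with overlapping
        intervals when neither f nor g is a record cell."""
        if f == g:
            return True
        edges = self.closure()
        for (o1, i1, j1, x), (o2, i2, j2, y) in product(edges, repeat=2):
            if o1 != o2 or x != f or y != g or not self.cells[o1][0]:
                continue
            if (i1, j1) == (i2, j2):
                return True
            if i1 < j2 and i2 < j1 and not (self.cells[f][0] or self.cells[g][0]):
                return True
        return False


def union_example():
    """ulist of slides 28-30: slist and dlist both nested at (0,12)."""
    g = CFSGraph()
    for r in ("ulist", "slist", "dlist"):
        g.cell(r, 12, record=True)
    for name, size in (("s_next", 4), ("s_data", 8),
                       ("d_prev", 4), ("d_next", 4), ("d_data", 4)):
        g.cell(name, size)
    g.contain("ulist", 0, 12, "slist")
    g.contain("ulist", 0, 12, "dlist")
    g.contain("slist", 0, 4, "s_next")
    g.contain("slist", 4, 12, "s_data")
    g.contain("dlist", 0, 4, "d_prev")
    g.contain("dlist", 4, 8, "d_next")
    g.contain("dlist", 8, 12, "d_data")
    return g


def cast_example():
    """bar() of slides 31-33: q = (dlist *) p with p in {&k1->next, &k2->prev},
    so the fresh dlist view q sits at (4,12) of k1 and at (0,8) of k2."""
    g = CFSGraph()
    for k in ("k1", "k2"):
        g.cell(k, 12, record=True)
        for field, off in (("prev", 0), ("next", 4), ("data", 8)):
            g.cell(f"{k}_{field}", 4)
            g.contain(k, off, off + 4, f"{k}_{field}")
    g.cell("q", 8, record=True)
    g.cell("q_prev", 4)
    g.cell("q_next", 4)
    g.contain("q", 0, 4, "q_prev")
    g.contain("q", 4, 8, "q_next")
    g.contain("k1", 4, 12, "q")
    g.contain("k2", 0, 8, "q")
    return g
```

For the union, s_next aliases d_prev (same interval) and s_data aliases both d_next and d_data (overlap, all non-record), while s_next and d_next do not alias; for the cast, q_next aliases k1_data and k2_next, which therefore alias each other, as the slide's merged q->next cell shows.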
Slides 34-36. Cell-Based Points-to Analysis: Pointer Arithmetic

In a CFS graph, any cell pointed to by an operand of a pointer arithmetic expression is collapsed: all outer record and inner field cells are merged into a single cell.

    list **buz(int32 undef) {
      list **p = foo(undef);
      *(p + undef) = 0;
      return p;
    }

Figures: before the arithmetic, p points to the unified field cell of k1 and k2 (the graph of slides 23-24). Because p is an operand of p + undef, k1, k2 and all their field cells (list*, int32) collapse into one cell of type list, which both p and p + undef point to.
Slide 37. Experimental Results: Comparison of Memory Models in Cascade

Table: for each memory model (Flat, St-fi, St-fs, DSA-local, CFS) the number of solved instances (#solved), total time (time(s)) and points-to analysis time (ptsto(s)), on the SV-COMP 2016 HeapReach benchmarks (81 programs: 25 False, 56 True) and HeapMemSafety benchmarks (190 programs: 83 False, 107 True). Timeout is 850 seconds.
Slide 38. Experimental Results: Comparison of Memory Models in Cascade

Figure: scatter plots of solving time comparing CFS against Flat, St-fi, St-fs and DSA-local (axes from 0s to 500s plus TO). Timeout is 850 seconds. SV-COMP 2016 benchmarks with categories HeapReach and HeapMemSafety.
More informationAlias Analysis for Intermediate Code
Alias Analysis for Intermediate Code Sanjiv K. Gupta Naveen Sharma System Software Group HCL Technologies, Noida, India 201 301 {sanjivg,naveens}@noida.hcltech.com Abstract Most existing alias analysis
More informationNames, Scope, and Bindings
Names, Scope, and Bindings COMS W4115 Prof. Stephen A. Edwards Spring 2007 Columbia University Department of Computer Science What s In a Name? Name: way to refer to something else variables, functions,
More informationData Structure Analysis: A Fast and Scalable Context-Sensitive Heap Analysis
Data Structure Analysis: A Fast and Scalable Context-Sensitive Heap Analysis Chris Lattner Vikram Adve University of Illinois at Urbana-Champaign {lattner,vadve}@cs.uiuc.edu ABSTRACT In our recent work,
More informationComputer Architecture and Organization. Instruction Sets: Addressing Modes and Formats
Computer Architecture and Organization Instruction Sets: Addressing Modes and Formats Addressing Modes Immediate Direct Indirect Register Register Indirect Displacement (Indexed) Stack Immediate Addressing
More informationType Checking. Prof. James L. Frankel Harvard University
Type Checking Prof. James L. Frankel Harvard University Version of 7:10 PM 27-Feb-2018 Copyright 2018, 2016, 2015 James L. Frankel. All rights reserved. C Types C Types Type Category Type Category Type
More informationStorage in Programs. largest. address. address
Storage in rograms Almost all operand storage used by programs is provided by memory. Even though registers are more efficiently accessed by instructions, there are too few registers to hold the stored
More informationCO444H. Ben Livshits. Datalog Pointer analysis
CO444H Ben Livshits Datalog Pointer analysis 1 Call Graphs Class analysis: Given a reference variable x, what are the classes of the objects that x refers to at runtime? We saw CHA and RTA Deal with polymorphic/virtual
More informationData Structure Analysis: A Fast and Scalable Context-Sensitive Heap Analysis
Data Structure Analysis: A Fast and Scalable Context-Sensitive Heap Analysis Chris Lattner Vikram Adve University of Illinois at Urbana-Champaign {lattner,vadve}@cs.uiuc.edu ABSTRACT Our recent work has
More informationC Language, Token, Keywords, Constant, variable
C Language, Token, Keywords, Constant, variable A language written by Brian Kernighan and Dennis Ritchie. This was to be the language that UNIX was written in to become the first "portable" language. C
More informationClass Information ANNOUCEMENTS
Class Information ANNOUCEMENTS Third homework due TODAY at 11:59pm. Extension? First project has been posted, due Monday October 23, 11:59pm. Midterm exam: Friday, October 27, in class. Don t forget to
More informationEmbedded Software Verification Challenges and Solutions. Static Program Analysis
Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang chaowang@nec-labs.com NEC Labs America Princeton, NJ ICCAD Tutorial November 11, 2008 www.nec-labs.com 1 Outline
More informationReference Analyses. VTA - Variable Type Analysis
Reference Analyses Variable Type Analysis for Java Related points-to analyses for C Steengaard Andersen Field-sensitive points-to for Java Object-sensitive points-to for Java Other analysis approaches
More informationCS558 Programming Languages Winter 2018 Lecture 4a. Andrew Tolmach Portland State University
CS558 Programming Languages Winter 2018 Lecture 4a Andrew Tolmach Portland State University 1994-2018 Pragmatics of Large Values Real machines are very efficient at handling word-size chunks of data (e.g.
More informationPointer Analysis. Outline. Points-to Analysis as a Graph Problem. Points-to Analysis as a Graph Problem. Points-to Analysis as a Graph Problem
Pointer Analysis,,,, Rupesh Nasre. b { } CS6843 Program Analysis IIT Madras Jan 2014 4 Outline Introduction Pointer analysis as a DFA problem Design decisions,,,, Andersen's analysis, Steensgaard's analysis
More informationHierarchical Pointer Analysis for Distributed Programs
Hierarchical Pointer Analysis for Distributed Programs Amir Kamil Computer Science Division, University of California, Berkeley kamil@cs.berkeley.edu April 14, 2006 1 Introduction Many distributed, parallel
More informationData Types. Every program uses data, either explicitly or implicitly to arrive at a result.
Every program uses data, either explicitly or implicitly to arrive at a result. Data in a program is collected into data structures, and is manipulated by algorithms. Algorithms + Data Structures = Programs
More informationProcess Layout, Function Calls, and the Heap
Process Layout, Function Calls, and the Heap CS 6 Spring 20 Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin January 9, 20 / 5 2 / 5 Outline Process Layout Function Calls The Heap
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 4 Thomas Wies New York University Review Last week Control Structures Selection Loops Adding Invariants Outline Subprograms Calling Sequences Parameter
More informationUnifying Type Checking and Property Checking for Low-Level Code
Unifying Type Checking and Property Checking for Low-Level Code Jeremy Condit Microsoft Research jcondit@microsoft.com Brian Hackett Stanford University bhackett@cs.stanford.edu Shuvendu K. Lahiri Microsoft
More informationRefinement-Based Context-Sensitive Points-To Analysis for Java
Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006 1 What Does Refinement Buy You? Increased scalability: enable new clients Memory: orders
More informationBlock-wise abstract interpretation by combining abstract domains with SMT
Block-wise abstract interpretation by combining abstract domains with SMT Jiahong Jiang, Liqian Chen, Xueguang Wu, Ji Wang National University of Defense Technology, China 01/16/2017 VMCAI 2017 Overview
More informationCharacter Set. The character set of C represents alphabet, digit or any symbol used to represent information. Digits 0, 1, 2, 3, 9
Character Set The character set of C represents alphabet, digit or any symbol used to represent information. Types Uppercase Alphabets Lowercase Alphabets Character Set A, B, C, Y, Z a, b, c, y, z Digits
More informationCprE 288 Introduction to Embedded Systems Exam 1 Review. 1
CprE 288 Introduction to Embedded Systems Exam 1 Review http://class.ece.iastate.edu/cpre288 1 Overview of Today s Lecture Announcements Exam 1 Review http://class.ece.iastate.edu/cpre288 2 Announcements
More informationSymbolic Heap Abstraction with Demand- Driven Axiomatization of Memory Invariants
Symbolic Heap Abstraction with Demand- Driven Axiomatization of Memory Invariants Isil Dillig Department of Computer Science Stanford University isil@cs.stanford.edu Thomas Dillig Department of Computer
More informationDemand-Driven Alias Analysis for C
Demand-Driven Alias Analysis for C Xin Zheng and Radu Rugina Computer Science Department Cornell University Ithaca, NY 14853 {xinz, rugina}@cs.cornell.edu July 2007 Abstract This paper presents a demand-driven,
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationProcess Layout and Function Calls
Process Layout and Function Calls CS 6 Spring 07 / 8 Process Layout in Memory Stack grows towards decreasing addresses. is initialized at run-time. Heap grow towards increasing addresses. is initialized
More informationCode Generation. Dragon: Ch (Just part of it) Holub: Ch 6.
Code Generation Dragon: Ch 7. 8. (Just part of it) Holub: Ch 6. Compilation Processes Again Choice of Intermediate Code Representation (IR) IR examples Parse tree Three address code (e.g., x := y op z)
More informationDynamic Data Structures. CSCI 112: Programming in C
Dynamic Data Structures CSCI 112: Programming in C 1 It s all about flexibility In the programs we ve made so far, the compiler knows at compile time exactly how much memory to allocate for each variable
More informationFrom IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich
From IMP to Java Andreas Lochbihler ETH Zurich parts based on work by Gerwin Klein and Tobias Nipkow 2015-07-14 1 Subtyping 2 Objects and Inheritance 3 Multithreading 1 Subtyping 2 Objects and Inheritance
More informationReview of the C Programming Language for Principles of Operating Systems
Review of the C Programming Language for Principles of Operating Systems Prof. James L. Frankel Harvard University Version of 7:26 PM 4-Sep-2018 Copyright 2018, 2016, 2015 James L. Frankel. All rights
More informationGenerating Small Countermodels. Andrew Reynolds Intel August 30, 2012
Generating Small Countermodels using SMT Andrew Reynolds Intel August 30, 2012 Acknowledgements Intel Corporation AmitGoel, Sava Krstic University of Iowa Cesare Tinelli, Francois Bobot New York University
More informationC Praktikum. Advanced Pointers. Eugen Betke, Nathanael Hübbe, Michael Kuhn, Jakob Lüttgau, Jannek Squar
C Praktikum Advanced Pointers Eugen Betke, Nathanael Hübbe, Michael Kuhn, Jakob Lüttgau, Jannek Squar 2018-11-26 Warning This is a dive under the hood. We will see, and hopefully understand many details
More informationAnalysis of Object-oriented Programming Languages
Analysis of Object-oriented Programming Languages Dr. Barbara G. Ryder Rutgers University http://www.cs.rutgers.edu/~ryder http://prolangs.rutgers.edu/ OOAnalysis, Dagstuhl 2/03, BG Ryder 1 Outline Why
More informationAlias Analysis in LLVM
Alias Analysis in LLVM by Sheng-Hsiu Lin Presented to the Graduate and Research Committee of Lehigh University in Candidacy for the Degree of Master of Science in Computer Science Lehigh University May
More informationNames, Scope, and Bindings
Names, Scope, and Bindings COMS W4115 Prof. Stephen A. Edwards Fall 2007 Columbia University Department of Computer Science What s In a Name? Name: way to refer to something else variables, functions,
More informationProgram Flow. Instructions and Memory. Why are these 16 bits? C code. Memory. a = b + c. Machine Code. Memory. Assembly Code.
Instructions and Memory C code Why are these 16 bits? a = b + c Assembly Code ldr r0, [sp, #4] ldr adds r1, [sp] r0, r0, r1 str r0, [sp, #8] Machine Code 09801 09900 01840 09002 Memory 0 0 0 0 0 0 0 1
More information