Shape Analysis. CS252r Spring 2011
|
|
- John Fox
- 6 years ago
- Views:
Transcription
1 Shape Analysis CS252r Spring 2011
2 Outline Motivation for shape analysis Three-valued logic Region-based with tracked locations 2
3 Shape analysis [Wilhelm, Sagiv, and Reps, CC 2000] Shape analysis: static program analyses for reasoning about properties of the heap Kinds of questions: Null pointers: Is pointer expression maybe null at program point? May-Alias: Can two pointer expressions reference same heap cell? Must-alias: two pointer expression always reference same heap cell Sharing: is there more than one pointer expression referencing a heap cell? Reachability: is the heap cell reachable from a specific variable? any variable? Disjointness: Do two data structures have any common elements? Cyclicity: Can a heap cell be part of a cycle? Program understanding, debugging, and verification 3
4 Shape analysis Shape analysis is flow-sensitive Computes for each point in program a finite, conservative representation of the heap-allocated data structures that could arise when a path to the program point is executed Finite representation means must be approximate E.g., generally lose info about lengths of lists, depths of trees 4
5 Shape Analysis via 3-valued logic [Sagiv, Reps, Wilhelm, POPL 99] Framework for shape analysis Instantiate by specifying predicates about the heap In concrete execution, these predicates are either true or false In static analysis, approximate the predicates using 3- valued logic True, False, Don t know 5
6 3-valued logic And OR
7 3-valued logic And 0 ½ ½ 0 ½ ½ 1 0 ½ 1 OR 0 ½ ½ 1 ½ ½ ½
8 Individuals and Predicates Universe of individuals U u U represents is an abstract location Represents one or more concrete locations Each concrete location is represented by exactly one abstract location Some predicates pointed-to-by-variable-x(u) Abbreviated to x(u), means that stack variable x points to a concrete location represented by u pointer-component-f-points-to(u 1, u 2 ) Abbreviated to f(u 1, u 2 ), means a concrete object rep. by u 1 has field f that points to concrete object rep by u 2 sm(u) u is summary node, i.e., represents more than 1 concrete location 8
9 Meaning of predicates U,ι is a 3-valued structure U is universe of individuals ι gives valuation to predicates ι : p:pred U arity(p) {0, ½, 1} A 3-valued structure represents zero or more concrete states If formula φ evaluates in U,ι to 1, then φ holds in every concrete store U,ι represents If formula φ evaluates in U,ι to 0, then φ never holds in any concrete store U,ι represents If formula φ evaluates in U,ι to ½, then we don t know anything about φ in any concrete store U,ι represents 9
10 Graphical representation /* 1ist.h */ typedef struct node { struct node *n; int data; } *List; /* reverse.c */ #include 1ist.h List reversetlist x> { List y, t; assert (acyclic-list (x1 > ; y=null; while (x!= NULL) { t = y; y = x; x = x->n; y-h = t; 1 return y; 1 S Structure unary predicates: indiv. x y t sm is so binary predicates:! unary predicates: binary unary predicates: predicates: Graphical Representation Figure 2: The three-valued logical structures that describe all possible acyclic inputs to reverse. 10
11 Graphical representation /* 1ist.h */ typedef struct node { struct node *n; int data; } *List; /* reverse.c */ #include 1ist.h List reversetlist x> { List y, t; assert (acyclic-list (x1 > ; y=null; while (x!= NULL) { t = y; y = x; x = x->n; y-h = t; 1 return y; 1 S Structure unary predicates: indiv. x y t sm is so binary predicates:! unary predicates: binary unary predicates: predicates: Graphical Representation Figure 2: The three-valued logical structures that describe all possible acyclic inputs to reverse. 11
12 Updating formula Key idea: track state of formula at each program point. Just like dataflow unary predicates: statement 1 formula structure that arises just after statement _... st1: y = NULL; y (v) = 0 st2: t = y; t (v) = Y(V) stg: y = x; Y (V) = 4u) st4: x = x->n; z (v) = 3Vl : Z(Q) A n(w1, v) 12 (Ol,212) = (n(v1,vz) A -y(w)) v (Y(W) A t(v2)) sts: y-al = t; is (w) = is(v) A 3Vl,D2 : V (t(v) A 3~1 : n(w, v) A y(w )) Ul # 212 An(v1,v) A7qv2,v) A -y(w) A -y(vz) > : :; 12
13 Updating formula sts: y-al = t; 12 (Ol,212) = (n(v1,vz) A -y(w)) v (Y(W) A t(v2)) is (w) = stz: t = y; t (v) = Y(V) st3: y = x; Y (V) = dv> is(v) A 3Vl,D2 : V (t(v) A 3~1 : n(w, v) A y(w )) Ul # 212 An(v1,v) A7qv2,v) A -y(w) A -y(vz) > : x s*,_.._, st4: x = x->n; z (v) = 3Vl : z(q) A n(v1, v) sts: y-al = t; I n v1,v2 ) = (?z(vl, v2) A -y(v1)) v (y(w) A t(v2)) is (v) = VI #aan(vl,v)an(w,v) is(v) A 3~1,212 : ( A-y(w) A -7y(v2) V (t(v) A 31 : n(w,~) A -y(w)) > st2: t = y; t (v) = Y(V) st3: y = x; Y (V) = 4V) st4: x = x->n; st5: y-h = t; z (w) = 3Vl : 2?(Q) A n(m, tj) n (m, ~2) = (n(vl, ~2) A my) V (y(w) A t(w)) is (v) = is(v) A 3~1, v2 : V (t(v) A 3~1 : n(w,v) A l!/(w)) ( ~1 # ~2 An(w,v) An(vz,v) A ly(m) A T&Z) > I 2011 igure Stephen 3: The Chong, first Harvard three University iterations of the abstract interpretation of reverse (7 via I the simplified framework described in Section 4). is 13
14 Instrumentation predicates Consider formula φ(v) = v 1,v 2 : n(v 1,v) n(v 2, v) v 1 v 2 There are at least two different objects pointing to v What does φ(u) evaluate to, for shape graph above? With v 1 = u 1, v 2 =u, we have n(u 1,u) n(u, u) u 1 u ½ ½ 1 ½ Implies that tail of linked list might be shared But this is not the case for a linked list! 14
15 Instrumentation predicates Maintain precision by using instrumentation predicates predicate is(u) represents truth of predicate for nodes represented by abstract location Is Shared is(u)=0 implies that S 2 can only represent acyclic lists unary predicates: 15
16 Other useful instrumentation predicates 1 Pred. I Intended Meaning I Puruose I Ref.] qq-- TX(v) 44 Cf.6 (v> Cb.f (v) Do two or more fields of heap elements point to v? Is v (transitively) reachable from pointer variable x? Is v reachable from some pointer variable (i.e., is v a non-garbage element)? Is v on a directed cycle? Does a field-f dereference from v, followed by a field-b dereference, yield v? Does a field-b dereference from v, followed by a field-f dereference, yield v? lists *and trees separating disjoint data structures compile-time garbage collection ref. counting WI [ll] doubly-linked [7], lists [I61 doubly-linked [7], lists [16] 16
17 Focus for precision Once the value of a formula is ½, it can be easy to lose precision. stg: y = x; Y (V) = 4u) st4: x = x->n; z (v) = 3Vl : Z(Q) A n(w1, v) Focusing may allow us to maintain precision Key idea: if update formula evaluates to ½, try instantiating it to 0 and 1 Focus attention on each of the possible cases May need to make sure rest of structure is consistent 17
18 Focus example.. 4 ; input struct. s5 a focus formulae {$+(2)) = 31 : 2(w) A n(tj1, v), &qv) = y(v), cp; yv> = t(v)} focused struct. %f,o &4(u) = 0 %f,l pg4 (u) = 1 S&f,2 cp:t (u) = 1 & (21) = 0..m. x,,_@ 4d x,y_@_r x,y_o~~-_:::::::::~.~ update t t pct4(v) PO; 4(v) $4 4(v) formulae t t (PL4(v) cp:4 (v) t cp; 4 (211, v2) 31 : 2(Vl) A n(v1, v)ly(v) It(v) lis(v) m(v) jtz(v1, v2) output struct. ss,o,o SS,o,l X s5,0,2 X y+@ j& 0-A...?a *...: i ). 0 (I,:;:;,::r b 0,: y-u1 Y n, u.1 coerced struct. St?,0 &,l X se,2 y+@ 4& 0-A n Y- Ul U y-o-q..?l@ Figure 5: The first application of the improved transformer for statement st4: x = x->n in reverse. 18
19 Focus example.. 4 ; input struct. s5 a focus formulae {$+(2)) = 31 : 2(w) A n(tj1, v), &qv) = y(v), cp; yv> = t(v)} focused struct. %f,o &4(u) = 0 %f,l pg4 (u) = 1 S&f,2 cp:t (u) = 1 & (21) = 0..m. x,,_@ 4d x,y_@_r x,y_o~~-_:::::::::~.~ update t t pct4(v) PO; 4(v) $4 4(v) formulae t t (PL4(v) cp:4 (v) t cp; 4 (211, v2) 31 : 2(Vl) A n(v1, v)ly(v) It(v) lis(v) m(v) jtz(v1, v2) output struct. ss,o,o SS,o,l X s5,0,2 X y+@ j& 0-A...?a *...: i ). 0 (I,:;:;,::r b 0,: y-u1 Y n, u.1 coerced struct. St?,0 &,l X se,2 y+@ 4& 0-A n Y- Ul U y-o-q..?l@ Figure 5: The first application of the improved transformer for statement st4: x = x->n in reverse. 19
20 Region-based shape analysis with tracked locations Hackett and Rugina, POPL 05 Key idea: reason about one location at a time Allows a decomposition of a state into a set of tracked locations Reason about each tracked location independently of others Better scalability, compact representation, context-sensitive analysis No need to merge abstractions, or keep multiple abstractions of entire heap Easier on-demand and incremental algorithms 20
21 Memory regions Analysis builds on top of a region analysis Each region represents a set of concrete locations Each concrete location represented by exactly one region Points-to relation over regions must be sound Can use a variety of region analyses E.g., flow-sensitive or insensitive In paper, they use a flow-insensitive, context-sensitive analysis that uses an intra-procedural unification-based analysis, and uses procedure summaries for an interprocedural analysis 21
22 Configurations and shape abstractions A configuration is (i, (e +, e - )) i is index, a function from regions to {0,,k, } i(r) = How many locations in r point to tracked location means k+1 e + is hit set: expressions that definitely refer to tracked location e - is miss set: expressions that definitely do not refer to tracked location A shape abstraction is a set of configurations at most one configuration for each index each concrete location should be represented by at least one configuration Treat shape abstraction as partial function from indexes to hit/miss sets 22
23 Example 1: typedef struct list { 2: struct list *n; 3: int data; 4: } List; 5: 6: List *splice(list *x, List *y) { 7: List *t = NULL; 8: List *z = y; 9: while(x!= NULL) { 10: t = x; 11: x = t->n; 12: t->n = y->n; 13: y->n = t; 14: y = y->n->n; 15: } 16: return z; 17: } t x z y Example concrete input t x z y Corresponding output Region Shape Component Points-to Configurations Configurations Component for input memory for output memory T X Z Y n L (X 1, {x}, ) (Y 1, {y}, ) (L 1,, ) (Z 1, {z}, ) (T 1 L 1, {t}, ) (Y 1 L 1, {y}, ) (L 1,, ) 23
24 Intra-procedural analysis (a 1 a 2 )(i) = 8 < : a 1 (i) if i dom(a 2 ) a 2 (i) if i dom(a 1 ) a 1 (i) a 2 (i) if i dom(a 1 ) dom(a 2 ) where (e + 1,e 1 ) (e+ 2,e 2 )=(e+ 1 e+ 2,e 1 e 2 ) and (e +,e )=(e +,e ) =(e +,e ) For all s S asgn,s a S alloc,s e S entry,i I : [JOIN] [TRANSF] Res( s) i = F s pred(s) Res(s ) i Res(s ) i = F i I ([s](ρ, (i, Res( s) i ))) i [ALLOC] Res(s a ) i a h a, where [s a ] gen (ρ) =(i a,h a ) [ENTRY] Res( s e ) i a o i 24
25 Splice example 8: z = y; Y 1 X 1 L 1 9: while (x!= NULL) Y 1 Z 1 X 1 L 1 10: t = x; Y 1 Z 1 Z 1 X 1 T 1 L 1 L 1 Y 1 L 1 Y 1 T 1 L 1 11: x = t->n; 12: t->n = y->n; 13: y->n = t; Y 1 Z 1 Y 1 Z 1 Y 1 Z 1 Z 1 Z 1 Z 1 X 1 T 1 T 1 T 1 L 2 tn yn L 1 L 1 tn L 1 tn yn Y 1 L 1 Y 1 L 1 tn Y 1 L 1 tn yn Y 1 L 2 tn yn X 1 L 1 tn X 1 L 1 tn yn X 1 X 1 Y 1 L 1 tn X 1 Y 1 L 1 tn yn X 1 Y 1 Loop 14: y = y->n->n; Y 1 Z 1 Z 1 T 1 L 1 yn L 1 yn Y 1 L 1 yn X 1 X 1 Y 1 Z 1 T 1 L 1 Y 1 T 1 L 1 L 1 Y 1 L 1 X 1 16: return z; Z 1 L 1 Figure 5: Shape analysis results for splice. Boxes represent configurations and edges show how the state of the tracked location changes during the execution. We only show field access expressions in the hit and miss sets. We use the abbreviations: tn t->n and yn y->n, and we indicate miss expressions using overlines. For readability, back edges from configurations at the end of the loop to the corresponding configurations at the beginning of the loop are omitted. 25
26 Transfer function for assign [e o e 1 ](ρ, (i, (e +,e ))) : case (D [e 0 ](ρ, (i, (e +,e ))), D [e 1 ](ρ, (i, (e +,e )))) of (v 0 {, +}, v 1 {, +}) assign(e 0,e 1, ρ,i,e +,e,v 0 =+,v 1 =+) (?, v 1 {+, }) assign(e 0,e 1, ρ,i,e + {e 0 },e, true,v 1 =+) assign(e 0,e 1, ρ,i,e +,e {e 0 }, false,v 1 =+) (v 0 {, +},?) assign(e 0,e 1, ρ,i,e + {e 1 },e,v 0 =+, true) assign(e 0,e 1, ρ,i,e +,e {e 1 },v 0 =+, false) (?,?) assign(e 0,e 1, ρ,i,e + {e 0,e 1 },e, true, true) assign(e 0,e 1, ρ,i,e + {e 0 },e {e 1 }, true, false) assign(e 0,e 1, ρ,i,e + {e 1 },e {e 0 }, false, true) assign(e 0,e 1, ρ,i,e +,e {e 0,e 1 }, false, false) Figure 10: Transfer function for assignments [e 0 e 1 ]. assign(e 0,e 1, ρ,i,e +,e,b 0,b 1 ): 1 r = L[e 0 ](ρ) 2 if (b 0 b 1 ) then 3 if (i(r) k) then S i = { i[r i(r) 1] } 4 else S i = { i[r k], i[r ] } 5 else if ( b 0 b 1 ) then 6 if (i(r) <k) then S i = { i[r i(r)+1]} 7 else S i = { i[r ] } 8 else S i = { i } 9 10 e + n = {e e + S[e] v (ρ,r) (S [e] l (ρ,r) b 1 )} 11 e n = {e e S[e] v (ρ,r) (S [e] l (ρ,r) b 1 )} if (S [e 0 ] l (ρ,r) b 1 ) then e + n = {e 0 } 14 if (S [e 0 ] l (ρ,r) b 1 ) then e n = {e 0 } if (S [e 0 ] l (ρ,r) S [e 1 ] l (ρ,r)) then 17 e + n = (e + n [ e 0 / e 1 ] E p ) e n = ( e n [ e 0 / e 1 ] E p ) 20 e n = {e e n i S i.i (L[e]ρ) =0} return (S i, (e + n,e n )) Figure 11: Helper function assign. 26
27 Interprocedural analysis Context-sensitive interprocedural analysis A context for a procedure is a single configuration, output is a set of contexts Fine granularity helps scalability Less redundant computation Allows incremental analysis E.g., now calling splice with a cyclic list - Just one new configuration: L 2 z x y t 27
28 Uses and limitations Can be used for memory error detection Double frees, dangling pointer access, memory leak Spurious configurations Configuration that represents concrete states that cannot occur at runtime Better decision procedure would help Complex structural invariants e.g., double linked lists Sensitive to how program is written e.g., x = t->n vs x = x->n treated differently, since analysis doesn t know x = t Exponential 28
29 Verification vs. inference Separation logic has shown a lot of success at verifying programs that destructively update heap To what extent can separation logic be used in inference of heap properties? 29
Region-Based Shape Analysis with Tracked Locations
Region-Based Shape Analysis with Tracked Locations Brian Hackett and Radu Rugina Computer Science Department Cornell University Ithaca, NY 14853 {bwh6,rugina}@cs.cornell.edu Abstract This paper proposes
More informationPutting Static Analysis to Work for Verification
Putting Static Analysis to Work for Verification A Case Study Tomasz Dudziak Based on a paper by T. Lev-Ami, T. Reps, M. Sagiv, and R. Wilhelm 23 June 2010 Topic Goal A very capable shape analysis that
More informationAutomatic Assume/Guarantee Reasoning for Heap-Manipulating Programs (Ongoing Work)
Automatic Assume/Guarantee Reasoning for Heap-Manipulating Programs (Ongoing Work) Greta Yorsh a Alexey Skidanov a Thomas Reps b Mooly Sagiv a a School of Comp. Sci., Tel-Aviv Univ., {gretay,skidanov,msagiv}@post.tau.ac.il
More informationEffectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky
Effectively-Propositional Modular Reasoning about Reachability in Linked Data Structures CAV 13, POPL 14 Shachar Itzhaky Anindya Banerjee Neil Immerman Ori Lahav Aleks Nanevski Mooly Sagiv http://www.cs.tau.ac.il/~shachar/afwp.html
More informationCS 4120 Lecture 31 Interprocedural analysis, fixed-point algorithms 9 November 2011 Lecturer: Andrew Myers
CS 4120 Lecture 31 Interprocedural analysis, fixed-point algorithms 9 November 2011 Lecturer: Andrew Myers These notes are not yet complete. 1 Interprocedural analysis Some analyses are not sufficiently
More informationPartitioned Memory Models for Program Analysis
Partitioned Memory Models for Program Analysis Wei Wang 1 Clark Barrett 2 Thomas Wies 3 1 Google 2 Stanford University 3 New York University January 13, 2017 Wei Wang Partitioned Memory Models January
More informationLecture 14. No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions?
Lecture 14 No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions? Friday, February 11 CS 215 Fundamentals of Programming II - Lecture 14 1 Outline Static
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationLecture 14 Pointer Analysis
Lecture 14 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis [ALSU 12.4, 12.6-12.7] Phillip B. Gibbons 15-745: Pointer Analysis
More informationStatic Program Analysis Part 9 pointer analysis. Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University
Static Program Analysis Part 9 pointer analysis Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Agenda Introduction to points-to analysis Andersen s analysis Steensgaards s
More informationLecture 27. Pros and Cons of Pointers. Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis
Pros and Cons of Pointers Lecture 27 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis Many procedural languages have pointers
More informationLecture 20 Pointer Analysis
Lecture 20 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis (Slide content courtesy of Greg Steffan, U. of Toronto) 15-745:
More informationTVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*
TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS* Tal Lev-Ami, Roman Manevich, and Mooly Sagiv Tel Aviv University {tla@trivnet.com, {rumster,msagiv}@post.tau.ac.il} Abstract TVLA (Three-Valued-Logic
More informationAn Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland
An Introduction to Heap Analysis Pietro Ferrara Chair of Programming Methodology ETH Zurich, Switzerland Analisi e Verifica di Programmi Universita Ca Foscari, Venice, Italy Outline 1. Recall of numerical
More informationLecture 16 Pointer Analysis
Pros and Cons of Pointers Lecture 16 Pointer Analysis Basics Design Options Pointer Analysis Algorithms Pointer Analysis Using BDDs Probabilistic Pointer Analysis Many procedural languages have pointers
More informationModular Heap Abstraction-Based Memory Leak Detection for Heap-Manipulating Programs
Modular Heap Abstraction-Based Memory Leak Detection for Heap-Manipulating Programs Longming Dong Ji Wang Liqian Chen National University of Defense Technology, Changsha, China 05/12/2012 APSEC 2012 L
More informationInterprocedural Analysis. CS252r Fall 2015
Interprocedural Analysis CS252r Fall 2015 Procedures So far looked at intraprocedural analysis: analyzing a single procedure Interprocedural analysis uses calling relationships among procedures Enables
More informationCompiler Structure. Data Flow Analysis. Control-Flow Graph. Available Expressions. Data Flow Facts
Compiler Structure Source Code Abstract Syntax Tree Control Flow Graph Object Code CMSC 631 Program Analysis and Understanding Fall 2003 Data Flow Analysis Source code parsed to produce AST AST transformed
More informationVerifying Data Structure Invariants in Device Drivers
Verifying Data Structure Invariants in Device Drivers Scott McPeak (smcpeak@cs) George Necula (necula@cs) Chess Review May 10, 2004 Berkeley, CA Motivation Want to verify programs that use pointers Need
More informationOverview 3-Valued Logic Concrete semantics Abstract Analysis Analysis with Focus-Coerce Take Aways. Shape Analysis. Deepak D Souza
Shape Analysis Deepak D Souza Department of Computer Science and Automation Indian Institute of Science, Bangalore. 6 January 26 Outline Overview 2 3-Valued Logic 3 Concrete semantics 4 Abstract Analysis
More informationAn Efficient Storeless Heap Abstraction Using SSA Form
An Efficient Storeless Heap Abstraction Using SSA Form Nomair A. Naeem Ondřej Lhoták D. R. Cheriton School of Computer Science University of Waterloo, Canada {nanaeem,olhotak}@uwaterloo.ca Abstract Precise,
More informationRun-time Environments -Part 3
Run-time Environments -Part 3 Y.N. Srikant Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Compiler Design Outline of the Lecture Part 3 What is run-time support?
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationLecture Notes: Pointer Analysis
Lecture Notes: Pointer Analysis 15-819O: Program Analysis Jonathan Aldrich jonathan.aldrich@cs.cmu.edu Lecture 9 1 Motivation for Pointer Analysis In programs with pointers, program analysis can become
More informationVerifying the Safety of Security-Critical Applications
Verifying the Safety of Security-Critical Applications Thomas Dillig Stanford University Thomas Dillig 1 of 31 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig
More informationCS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis
CS711 Advanced Programming Languages Pointer Analysis Overview and Flow-Sensitive Analysis Radu Rugina 8 Sep 2005 Pointer Analysis Informally: determine where pointers (or references) in the program may
More informationProgram Static Analysis. Overview
Program Static Analysis Overview Program static analysis Abstract interpretation Data flow analysis Intra-procedural Inter-procedural 2 1 What is static analysis? The analysis to understand computer software
More informationCompiler Construction
Compiler Construction Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-16/cc/ Recap: Static Data Structures Outline of Lecture 18 Recap:
More informationRegion Analysis for Imperative Languages
Region Analysis for Imperative Languages Radu Rugina and Sigmund Cherem Computer Science Department Cornell University Ithaca, NY 14853 {rugina,siggi}@cs.cornell.edu Abstract This paper presents a region
More informationCUTE: A Concolic Unit Testing Engine for C
CUTE: A Concolic Unit Testing Engine for C Koushik Sen Darko Marinov Gul Agha University of Illinois Urbana-Champaign Goal Automated Scalable Unit Testing of real-world C Programs Generate test inputs
More informationRun-time Environments - 3
Run-time Environments - 3 Y.N. Srikant Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Principles of Compiler Design Outline of the Lecture n What is run-time
More informationSendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationCompiler Construction
Compiler Construction Lecture 18: Code Generation V (Implementation of Dynamic Data Structures) Thomas Noll Lehrstuhl für Informatik 2 (Software Modeling and Verification) noll@cs.rwth-aachen.de http://moves.rwth-aachen.de/teaching/ss-14/cc14/
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationCalling Context Abstraction with Shapes
Calling Context Abstraction with Shapes Xavier Rival INRIA/ENS Paris Bor-Yuh Evan Chang 張博聿 U of Colorado, Boulder National Taiwan University December 17, 2010 Work to Appear in POPL 2011 Programming Languages
More informationStatic Analysis of Accessed Regions in Recursive Data Structures
Static Analysis of Accessed Regions in Recursive Data Structures Stephen Chong and Radu Rugina Computer Science Department Cornell University Ithaca, NY 14853 schong,rugina @cs.cornell.edu Abstract. This
More informationLecture Notes: Pointer Analysis
Lecture Notes: Pointer Analysis 17-355/17-665/17-819: Program Analysis (Spring 2019) Jonathan Aldrich aldrich@cs.cmu.edu 1 Motivation for Pointer Analysis In the spirit of extending our understanding of
More informationStatic Analysis Basics II
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Static Analysis Basics
More informationNo model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine
No model may be available Programmer Software Abstractions Tests Coverage Code Abhik Roychoudhury CS 5219 National University of Singapore Testing Debug Today s lecture Abstract model (Boolean pgm.) Desirable
More informationStatic Program Analysis CS701
Static Program Analysis CS701 Thomas Reps [Based on notes taken by Aditya Venkataraman on Oct 6th, 2015] Abstract This lecture introduces the area of static program analysis. We introduce the topics to
More informationWhy Global Dataflow Analysis?
Why Global Dataflow Analysis? Answer key questions at compile-time about the flow of values and other program properties over control-flow paths Compiler fundamentals What defs. of x reach a given use
More informationStatic Program Analysis
Static Program Analysis Thomas Noll Software Modeling and Verification Group RWTH Aachen University https://moves.rwth-aachen.de/teaching/ss-18/spa/ Preliminaries Outline of Lecture 1 Preliminaries Introduction
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationManual Allocation. CS 1622: Garbage Collection. Example 1. Memory Leaks. Example 3. Example 2 11/26/2012. Jonathan Misurda
Manual llocation Dynamic memory allocation is an obvious necessity in a programming environment. S 1622: Garbage ollection Many programming languages expose some functions or keywords to manage runtime
More informationLecture 18 Restoring Invariants
Lecture 18 Restoring Invariants 15-122: Principles of Imperative Computation (Spring 2018) Frank Pfenning In this lecture we will implement heaps and operations on them. The theme of this lecture is reasoning
More informationAutomatic Inference of Reference Count Invariants. David Detlefs Sun Microsystems Laboratories SPACE Jan. 2004
Automatic Inference of Reference Count Invariants David Detlefs Sun Microsystems Laboratories SPACE Jan. 2004 1 Goal of this Work A form of compile-time GC. Escape analysis: Region inference: Mostly short-lived
More informationRuntime Checking for Program Verification Systems
Runtime Checking for Program Verification Systems Karen Zee, Viktor Kuncak, and Martin Rinard MIT CSAIL Tuesday, March 13, 2007 Workshop on Runtime Verification 1 Background Jahob program verification
More informationPredator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic
Predator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic FIT BUT Technical Report Series Kamil Dudka, Petr Peringer, and Tomáš Vojnar Technical Report No.
More informationRuntime. The optimized program is ready to run What sorts of facilities are available at runtime
Runtime The optimized program is ready to run What sorts of facilities are available at runtime Compiler Passes Analysis of input program (front-end) character stream Lexical Analysis token stream Syntactic
More information(3-2) Basics of a Stack. Instructor - Andrew S. O Fallon CptS 122 (January 26, 2018) Washington State University
(3-2) Basics of a Stack Instructor - Andrew S. O Fallon CptS 122 (January 26, 2018) Washington State University What is a Stack? A finite sequence of nodes, where only the top node may be accessed Insertions
More informationCSE 501 Midterm Exam: Sketch of Some Plausible Solutions Winter 1997
1) [10 pts] On homework 1, I asked about dead assignment elimination and gave the following sample solution: 8. Give an algorithm for dead assignment elimination that exploits def/use chains to work faster
More information4/24/18. Overview. Program Static Analysis. Has anyone done static analysis? What is static analysis? Why static analysis?
Overview Program Static Analysis Program static analysis Abstract interpretation Static analysis techniques 2 What is static analysis? The analysis to understand computer software without executing programs
More informationStatic Analysis and Dataflow Analysis
Static Analysis and Dataflow Analysis Static Analysis Static analyses consider all possible behaviors of a program without running it. 2 Static Analysis Static analyses consider all possible behaviors
More information1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.
1. true / false By a compiler we mean a program that translates to code that will run natively on some machine. 2. true / false ML can be compiled. 3. true / false FORTRAN can reasonably be considered
More informationHeap, Variables, References, and Garbage. CS152. Chris Pollett. Oct. 13, 2008.
Heap, Variables, References, and Garbage. CS152. Chris Pollett. Oct. 13, 2008. Outline. Dynamic Allocation. Variables and Constants. Aliases and Problems. Garbage. Introduction. On Wednesday, we were talking
More informationIntro to C: Pointers and Arrays
Lecture 4 Computer Science 61C Spring 2017 January 25th, 2017 Intro to C: Pointers and Arrays 1 Administrivia Teaching Assistants: Let s try that again. Lectures are recorded. Waitlist/Concurrent Enrollment
More informationAlias Analysis. Last time Interprocedural analysis. Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable
More informationHierarchical Shape Abstraction of Dynamic Structures in Static Blocks
Hierarchical Shape Abstraction of Dynamic Structures in Static Blocks Pascal Sotin and Xavier Rival INRIA 4 novembre 2013 P. Sotin, X. Rival (INRIA) Hierarchical Shape Abstraction 4 novembre 2013 1 / 29
More informationTypes and Type Inference
CS 242 2012 Types and Type Inference Notes modified from John Mitchell and Kathleen Fisher Reading: Concepts in Programming Languages, Revised Chapter 6 - handout on Web!! Outline General discussion of
More informationEstablishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham a, Eran Yahav b, Elliot K. Kolodner a, Mooly Sagiv b a IBM Haifa Research Lab, University
More informationLecture 10 Notes Linked Lists
Lecture 10 Notes Linked Lists 15-122: Principles of Imperative Computation (Spring 2016) Frank Pfenning, Rob Simmons, André Platzer 1 Introduction In this lecture we discuss the use of linked lists to
More informationMaking Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World
Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris Lattner Apple Andrew Lenharth UIUC Vikram Adve UIUC What is Heap Cloning? Distinguish objects by acyclic
More informationCS 241 Honors Memory
CS 241 Honors Memory Ben Kurtovic Atul Sandur Bhuvan Venkatesh Brian Zhou Kevin Hong University of Illinois Urbana Champaign February 20, 2018 CS 241 Course Staff (UIUC) Memory February 20, 2018 1 / 35
More informationVariables, Memory and Pointers
Variables, Memory and Pointers A variable is a named piece of memory The name stands in for the memory address int num; Variables, Memory and Pointers When a value is assigned to a variable, it is stored
More informationAdvanced C Programming
Advanced C Programming Compilers Sebastian Hack hack@cs.uni-sb.de Christoph Weidenbach weidenbach@mpi-inf.mpg.de 20.01.2009 saarland university computer science 1 Contents Overview Optimizations Program
More informationStatic Heap Analysis for Automatic Parallelization
Static Heap Analysis for Automatic Parallelization Mark Marron, Deepak Kapur, Darko Stefanovic, and Manuel Hermenegildo University of New Mexico Albuquerque, NM 87131, USA, {marron, kapur, darko, herme}@cs.unm.edu
More informationFlow Analysis. Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program
More informationA Combination Framework for Tracking Partition Sizes (Full Version)
A Combination Framework for Tracking Partition Sizes (Full Version) Sumit Gulwani Microsoft Research sumitg@microsoft.com Tal Lev-Ami Tel-Aviv University tla@post.tau.ac.il Mooly Sagiv Tel-Aviv University
More informationInterprocedural Analysis with Data-Dependent Calls. Circularity dilemma. A solution: optimistic iterative analysis. Example
Interprocedural Analysis with Data-Dependent Calls Circularity dilemma In languages with function pointers, first-class functions, or dynamically dispatched messages, callee(s) at call site depend on data
More informationAPA Interprocedural Dataflow Analysis
APA Interprocedural Dataflow Analysis Jurriaan Hage e-mail: J.Hage@uu.nl homepage: http://www.cs.uu.nl/people/jur/ Department of Information and Computing Sciences, Universiteit Utrecht May 1, 2014 The
More informationAnalysis of Pointers and Structures
RETROSPECTIVE: Analysis of Pointers and Structures David Chase, Mark Wegman, and Ken Zadeck chase@naturalbridge.com, zadeck@naturalbridge.com, wegman@us.ibm.com Historically our paper was important because
More informationLecture Notes on Garbage Collection
Lecture Notes on Garbage Collection 15-411: Compiler Design André Platzer Lecture 20 1 Introduction In the previous lectures we have considered a programming language C0 with pointers and memory and array
More informationLecture 10 Notes Linked Lists
Lecture 10 Notes Linked Lists 15-122: Principles of Imperative Computation (Summer 1 2015) Frank Pfenning, Rob Simmons, André Platzer 1 Introduction In this lecture we discuss the use of linked lists to
More informationDynamic Data Structures (II)
Lecture 23 Dynamic Data Structures (II) CptS 121 Summer 2016 Armen Abnousi Data Structure Data structures are different ways of organizing data in computer We design new data structures to make the programs
More informationREFERENCES, POINTERS AND STRUCTS
REFERENCES, POINTERS AND STRUCTS Problem Solving with Computers-I https://ucsb-cs16-sp17.github.io/ Pointer assignment 2 int *p1, *p2, x; p1 = &x; p2 = p1; Q: Which of the following pointer diagrams best
More informationA Combination Framework for Tracking Partition Sizes
A Combination Framework for Tracking Partition Sizes Sumit Gulwani Microsoft Research sumitg@microsoft.com Tal Lev-Ami Tel-Aviv University tla@post.tau.ac.il Mooly Sagiv Tel-Aviv University msagiv@post.tau.ac.il
More informationPredator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic
Predator: A Practical Tool for Checking Manipulation of Dynamic Data Structures Using Separation Logic Kamil Dudka, Petr Peringer, and Tomáš Vojnar FIT, Brno University of Technology, Czech Republic Abstract.
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 21 Tuesday, April 15, 2014 1 Static program analyses For the last few weeks, we have been considering type systems.
More informationPrinciples of Program Analysis. Lecture 1 Harry Xu Spring 2013
Principles of Program Analysis Lecture 1 Harry Xu Spring 2013 An Imperfect World Software has bugs The northeast blackout of 2003, affected 10 million people in Ontario and 45 million in eight U.S. states
More informationName, Scope, and Binding. Outline [1]
Name, Scope, and Binding In Text: Chapter 3 Outline [1] Variable Binding Storage bindings and lifetime Type bindings Type Checking Scope Lifetime vs. Scope Referencing Environments N. Meng, S. Arthur 2
More informationIntroduction to Shape and Pointer Analysis
Introduction to Shape and Pointer Analsis CS 502 Lecture 11 10/30/08 Some slides adapted from Nielson, Nielson, Hankin Principles of Program Analsis Analsis of the Heap Thus far, we have focussed on control
More informationPointers. Chapter 8. Decision Procedures. An Algorithmic Point of View. Revision 1.0
Pointers Chapter 8 Decision Procedures An Algorithmic Point of View D.Kroening O.Strichman Revision 1.0 Outline 1 Introduction Pointers and Their Applications Dynamic Memory Allocation Analysis of Programs
More informationProgramming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.1
Programming Languages and Compilers Qualifying Examination Monday, September 19, 2016 Answer 4 of 6 questions.1 GENERAL INSTRUCTIONS 1. Answer each question in a separate book. 2. Indicate on the cover
More informationTypes and Type Inference
Types and Type Inference Mooly Sagiv Slides by Kathleen Fisher and John Mitchell Reading: Concepts in Programming Languages, Revised Chapter 6 - handout on the course homepage Outline General discussion
More informationC Review. MaxMSP Developers Workshop Summer 2009 CNMAT
C Review MaxMSP Developers Workshop Summer 2009 CNMAT C Syntax Program control (loops, branches): Function calls Math: +, -, *, /, ++, -- Variables, types, structures, assignment Pointers and memory (***
More informationCS 61C: Great Ideas in Computer Architecture C Pointers. Instructors: Vladimir Stojanovic & Nicholas Weaver
CS 61C: Great Ideas in Computer Architecture C Pointers Instructors: Vladimir Stojanovic & Nicholas Weaver http://inst.eecs.berkeley.edu/~cs61c/sp16 1 Agenda Pointers Arrays in C 2 Address vs. Value Consider
More informationA classic tool: slicing. CSE503: Software Engineering. Slicing, dicing, chopping. Basic ideas. Weiser s approach. Example
A classic tool: slicing CSE503: Software Engineering David Notkin University of Washington Computer Science & Engineering Spring 2006 Of interest by itself And for the underlying representations Originally,
More informationInferring Invariants in Separation Logic for Imperative List-processing Programs
Inferring Invariants in Separation Logic for Imperative List-processing Programs Stephen Magill Carnegie Mellon University smagill@cs.cmu.edu Aleksandar Nanevski Harvard University aleks@eecs.harvard.edu
More informationStatic Analysis of List-Manipulating Programs via Bit-Vectors and Numerical Abstractions
Static Analysis of List-Manipulating Programs via Bit-Vectors and Numerical Abstractions Liqian Chen 1,2 Renjian Li 1 Xueguang Wu 1 Ji Wang 1 1 National University of Defense Technology, Changsha, China
More informationG Programming Languages - Fall 2012
G22.2110-003 Programming Languages - Fall 2012 Lecture 2 Thomas Wies New York University Review Last week Programming Languages Overview Syntax and Semantics Grammars and Regular Expressions High-level
More information6. Pointers, Structs, and Arrays. 1. Juli 2011
1. Juli 2011 Einführung in die Programmierung Introduction to C/C++, Tobias Weinzierl page 1 of 50 Outline Recapitulation Pointers Dynamic Memory Allocation Structs Arrays Bubble Sort Strings Einführung
More informationDynamic Allocation in C
Dynamic Allocation in C C Pointers and Arrays 1 The previous examples involved only targets that were declared as local variables. For serious development, we must also be able to create variables dynamically,
More informationA Simple SQL Injection Pattern
Lecture 12 Pointer Analysis 1. Motivation: security analysis 2. Datalog 3. Context-insensitive, flow-insensitive pointer analysis 4. Context sensitivity Readings: Chapter 12 A Simple SQL Injection Pattern
More informationClass Information ANNOUCEMENTS
Class Information ANNOUCEMENTS Third homework due TODAY at 11:59pm. Extension? First project has been posted, due Monday October 23, 11:59pm. Midterm exam: Friday, October 27, in class. Don t forget to
More informationStatic Analysis with Goanna
Static Analysis with Goanna Model checking for large code bases Ansgar Fehnker About Us R&D spin-out redlizards.com 5 years technology research Funded and backed by NICTA 1 Mistakes are made Even good
More informationStructure of Programming Languages Lecture 10
Structure of Programming Languages Lecture 10 CS 6636 4536 Spring 2017 CS 6636 4536 Lecture 10: Classes... 1/23 Spring 2017 1 / 23 Outline 1 1. Types Type Coercion and Conversion Type Classes, Generics,
More informationCompilers. 8. Run-time Support. Laszlo Böszörmenyi Compilers Run-time - 1
Compilers 8. Run-time Support Laszlo Böszörmenyi Compilers Run-time - 1 Run-Time Environment A compiler needs an abstract model of the runtime environment of the compiled code It must generate code for
More informationLearning from Executions
Learning from Executions Dynamic analysis for program understanding and software engineering Michael D. Ernst and Jeff H. Perkins November 7, 2005 Tutorial at ASE 2005 Outline What is dynamic analysis?
More information