TVLA for System Code Jörg KreikerHelmut SeidlVesal Vojdani TU Munich Dagstuhl, July 2009

Motivation i i-1 i+1 data queue list data queue list data queue list data queue list garbage struct node { t data; struct hlist_node list; struct list_head queue; } cleanup queue active objects

Motivation i i-1 i+1 data queue list data queue list data queue list data queue list garbage struct hlist_node { struct hlist_node *next; struct hlist_node **pprev; } cleanup queue active objects

Motivation i i-1 i+1 data queue list garbage data queue list data queue list data queue list cleanup queue active objects overlapping, embedded records UP (container_of, offset) pointers to pointer &x->s, &x, *x = y, …

Motivation i i-1 i+1 data queue list data queue list data queue list data queue list garbage cleanup queue active objects inspired by race detecion properties: privatization: make data thread-local cleanup queue needs no lock unless there are two reachability with and without UP

Fine-grained memory model TVLA – node : record – edge : dereferenced pointer-valued component Fine-grained model – node : record component – edge : dereferencing – predicates: Var + Sel + * – predicate transformers only for *

Example standard list (3 elements) hlist_node node next *** x * ** *** pprev next pprev x list queue data next pprev next prev

TVLA example indirect element deletion for (lpp = &x; *lpp != NULL; lpp = &(*lpp)->next) if ((*lpp)->data % 13 == 0) { *lpp = (*lpp)->next; break; } next *** x

Coarse-grained model TVLA – node : record – edge : dereferenced pointer-valued component Fine-grained model – node : record component – edge : dereferencing Coarse-grained – one node per struct – edge : dereference + source + target component – predicates : Var[π] + *[π1, π2]

Example fine: coarse: data queue list data queue list data queue list *[first,list] *[list.next,list] *[list.pprev,list.next]

TVLA example delete element from hlist next *** pprev next pprev x n = t->next; p = t->prev; *p = n; if (n) n->prev = p;

Some related work Calcagno et al: Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic, SAS 2006 Berdine et al: Shape Analysis for Composite Data Structures, CAV 2007 Yang et al: Scalable Shape Analysis for Systems Code, CAV 2008 Chatterjee et al: A Reachability Predicate for Analyzing Low-Level Software, TACAS 2007 Gulwani, Tiwari: An Abstract Domain for Analyzing Heap-Manipulating Low-Level Software, CAV 2007 Gulwani et al: A Combination Framework for Tracking Partition Sizes, POPL 2009

Conclusion fine/coarse: – reachability with/without UP – Case study: one or two lists visible conservative add-on, exploit existing knowledge useful for subtle race detection able to deal with – Overlapping, embedded records – Deep sharing and update – UP – &x->s, *x = y, …