Static Analysis of Heap-manipulating Low-level software Sumit GulwaniAshish Tiwari MSR, Redmond SRI International.

Slides:



Advertisements
Similar presentations
A Framework for describing recursive data structures Kenneth Roe Scott Smith.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Constraint-based Invariant Inference over Predicate Abstraction Sumit Gulwani Ramarathnam Venkatesan Microsoft Research, Redmond Saurabh Srivastava University.
Dynamic Allocation and Linked Lists. Dynamic memory allocation in C C uses the functions malloc() and free() to implement dynamic allocation. malloc is.
Dynamic memory allocation
Data Structure Lecture-3 Prepared by: Shipra Shukla Assistant Professor Kaziranga University.
 Pointers, Arrays, Destructors Is this random stuff or are these somehow connected?
Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
SPEED: Precise & Efficient Static Estimation of Symbolic Computational Complexity Sumit Gulwani MSR Redmond TexPoint fonts used in EMF. Read the TexPoint.
Introduction to Programming Lecture 15. In Today’s Lecture Pointers and Arrays Manipulations Pointers and Arrays Manipulations Pointers Expression Pointers.
Chapter 6 Data Types
Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.
Data Structures Using C++1 Chapter 3 Pointers and Array-Based Lists.
Chapter Fourteen Strings Revisited. Strings A string is an array of characters A string is a pointer to a sequence of characters A string is a complete.
Pointer, malloc and realloc 1. Name entered was 6 char, not enough space to put null terminator 2 Array of char.
Growing Arrays in C By: Victoria Tielebein CS 265- Spring 2011.
Agenda  Review: pointer & array  Relationship between pointer & array  Dynamic memory allocation.
1 Objectives ❏ To understand the relationship between arrays and pointers ❏ To understand the design and concepts behind pointer arithmetic ❏ To write.
Memory allocation CSE 2451 Matt Boggus. sizeof The sizeof unary operator will return the number of bytes reserved for a variable or data type. Determine:
Informática II Prof. Dr. Gustavo Patiño MJ
1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.
Introduction to C Programming CE Lecture 19 Linear Linked Lists.
Stacks CS-240 & CS-341 Dick Steflik. Stacks Last In, First Out operation - LIFO As items are added they are chronologically ordered, items are removed.
Patrick M. Rondon, Ming Kawaguchi, Ranjit Jhala University of California, San Diego.
Dynamic Allocation and Linked Lists. Dynamic memory allocation in C C uses the functions malloc() and free() to implement dynamic allocation. malloc is.
1 Procedural Concept The main program coordinates calls to procedures and hands over appropriate data as parameters.
Week 9 Part 2 Kyle Dewey. Overview Announcement More with structs and memory Assertions Exam #2 Course review.
C++ Programming: Program Design Including Data Structures, Fourth Edition Chapter 13: Pointers, Classes, Virtual Functions, and Abstract Classes.
C++ Programming: From Problem Analysis to Program Design, Fourth Edition Chapter 14: Pointers, Classes, Virtual Functions, and Abstract Classes.
By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.
Lecture 13 Static vs Dynamic Memory Allocation
Stack and Heap Memory Stack resident variables include:
Dynamic Memory Allocation The process of allocating memory at run time is known as dynamic memory allocation. C does not Inherently have this facility,
Pointers review Let a variable aa be defined as ‘int *aa;’, what is stored in aa? Let a variable aa be defined as ‘int ** aa;’ what is stored in aa? Why.
C++ Memory Overview 4 major memory segments Key differences from Java
C++ Data Types Structured array struct union class Address pointer reference Simple IntegralFloating char short int long enum float double long double.
Chapter 9 Pointers and Dynamic Arrays (9.1). Pointers A variables which holds the memory address for a variable of a specific type. Call-by-Reference.
1 Dynamic Memory Allocation –The need –malloc/free –Memory Leaks –Dangling Pointers and Garbage Collection Today’s Material.
Dynamic Memory Allocation. Domain A subset of the total domain name space. A domain represents a level of the hierarchy in the Domain Name Space, and.
Pointers in C++. 7a-2 Pointers "pointer" is a basic type like int or double value of a pointer variable contains the location, or address in memory, of.
Chapter 12: Pointers, Classes, Virtual Functions, and Abstract Classes.
UFS003C3 Lecture 15 Data type in C & C++ Using the STL.
+ Dynamic memory allocation. + Introduction We often face situations in programming where the data is dynamics in nature. Consider a list of customers.
© Janice Regan, CMPT 128, February CMPT 128: Introduction to Computing Science for Engineering Students Pointers.
One-dimensional arrays and strings: Chapter 6, Slide 1 The concept of array - an extension of the basic model of memory:
P OINTERS A pointer is an address All data is stored in memory in some location that is indexed with an address Can refer to variables by name or by memory.
ENEE150 – 0102 ANDREW GOFFIN Dynamic Memory. Dynamic vs Static Allocation Dynamic  On the heap  Amount of memory chosen at runtime  Can change allocated.
By Anand George SourceLens.org Copyright. All rights reserved. Content Owner - Meera R (meera at sourcelens.org)
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Linked Lists Outline Introduction Self-Referential Structures.
More Pointers in C Computer Organization I 1 August 2009 © McQuain, Feng & Ribbens Allocating Arrays Dynamically You allocate an array by.
Chapter 12: Pointers, Classes, Virtual Functions, Abstract Classes, and Lists.
Memory Management in Java Mr. Gerb Computer Science 4.
“Success consists of going from failure to failure without loss of enthusiasm.” Winston Churchill.
You learned how to declare pointer variables how to store the address of a variable into a pointer variable of the same type as the variable how to manipulate.
Introduction to Programming
CSCI206 - Computer Organization & Programming
Clear1 and Clear2 clear1(int array[], int size) { int i; for (i = 0; i < size; i += 1) array[i] = 0; } clear2(int *array, int size) {
CSC 253 Lecture 8.
التأهيل التربوي المملكة العربية السعودية جامعة الملك عبدالعزيز
CSC 253 Lecture 8.
Review & Lab assignments
TUTORIAL 11 CS 137 F18 November 27th.
Dynamic Memory CSCE 121.
How Memory Leaks Work with Memory Diagram
Pointers, Dynamic Data, and Reference Types
SPL – PS2 C++ Memory Handling.
CSE 303 Concepts and Tools for Software Development
Data Structures & Programming
Presentation transcript:

Static Analysis of Heap-manipulating Low-level software Sumit GulwaniAshish Tiwari MSR, Redmond SRI International

1 Related Work Alias/Pointer Analysis [Work done in early 90s] –Must/May equalities –Considered not expressive enough Shape Analysis [Work that followed] –Fancy predicates –Need to provide transfer functions for each of them This work –Must/May equalities extended with quantifiers (Provides expressiveness of an infinite class of predicates and avoids the need of providing transfer functions)

2 Example 1 9 i: List(x,i,next) Æ 8 j: (0 · j < i) ) Array(x ! next j ! data, 4*(x ! next j ! len)) struct List { int Len, *Data; List* Next; } ListOfPtrArray(struct List* x) { for (y := x; y null; y := y ! next) t := ?; y ! len := t; y ! data = malloc(4t); for (y := x; y null; y := y ! next) for (z :=0; z < y ! len; z := z+1) y ! data ! (4z) := ….; Invariant required after first loop for proving memory safety

3 Example 2 struct List { int Data; List* Next; } List2Array(struct List* x) { n := 0; for (y := x; y null; y := y ! next) n := n+1; A := malloc(4n); y:= x; for (k := 0; k < n; k++) A ! (4k) := y ! data; y := y ! next; return A; Prog. Point Invariant 1 9 i: List(x,i,next) 2 9 i: List(x,i,next), 0 · n<i, y=x ! next n 3 List(x,n,next) 4 List(x,n.next), Array(A,4n) 5 8 j: (0 · j<n) ) A ! (4j) = x ! next j ! data

4 Outline Abstract Domain Implies Algorithm Join Algorithm Meet Algorithm PostAssignment Algorithm

5 Abstract Domain 9 V: Cons Æ Must Æ May Must := true | Must Æ 8 V: (Cons ) e 1 =e 2 ) May := true | May Æ 8 V: (Cons ) e 1 » e 2 ) e := y | c | e 1 § e 2 |ce | e 1 ! e 2 e 3 | valid | null Cons represent constraints over the base abstract domain, eg. Combination of linear arithmetic and uninterpreted functions

6 Expressiveness List(x,i,next) ´ i ¸ 0 Æ x ! next i = null Æ 8 j: (0 · j < i) ) Valid(x ! next j ) Valid(e) ´ e ! w=valid Array(x,k) ´ 8 j: (0 · j < k) ) Valid(x+j)

7 Abstract Interpreter Join Node Conditional Node p True False F F1F1 F2F2 F2F2 F F1F1 F = Join(F 1,F 2 ) F 1 = Meet(F, p) F 2 = Meet(F, : p) Statement s F F Assignment Node F = Post(F,s) Where s may be: x := e *x := e x := malloc(e) free(x)

8 Implies Algorithm Implies(F 1, F 2 ) returns 1 only if F 1 ) F 2 KeyIdea for checking F ) e 1 =e 2 Check if e 2 2 MustAliases(e 1,F) KeyIdea for checking F ) e 1 e 2 Check if : (e 2 2 MayAliases(e 1,F))

9 MustAliases and MayAliases F 1 : x = x ! next j F 2 : 8 i: (0 · i · j) ) x ! next i = x ! next i+1 ! prev MustAliases KeyIdea: Apply k quantifier instantiations MustAliases(x,F 1 ) = { x ! next j, x ! next 2j } MustAliases(x,F 2 ) =

10 MustAliases and MayAliases F 1 : x = x ! next j F 2 : 8 j: (0 · i · j) ) x ! next i =x ! next i+1 ! prev MustAliases KeyIdea: Apply k quantifier instantiations MustAliases(x,F 1 ) = { x ! next j, x ! next 2j } MustAliases(x,F 2 ) = { x ! next ! prev, x ! next ! prev ! next ! prev }

11 MustAliases and MayAliases F 1 : x = x ! next j F 2 : 8 j: (0 · i · j) ) x ! next i =x ! next i+1 ! prev MustAliases KeyIdea: Apply k instantiations of each equality MustAliases(x,F 1 ) = { x ! next j, x ! next 2j } MustAliases(x,F 2 ) = { x ! next ! prev, x ! next ! prev ! next ! prev } MayAliases KeyIdea: Represent aliases by expressions of size k MayAliases(x,F 1 ) = { x ! next t | t ¸ j } MayAliases(x,F 2 ) =

12 MustAliases and MayAliases F 1 : x = x ! next j F 2 : 8 j: (0 · i · j) ) x ! next i =x ! next i+1 ! prev MustAliases KeyIdea: Apply k instantiations of each equality MustAliases(x,F 1 ) = { x ! next j, x ! next 2j } MustAliases(x,F 2 ) = { x ! next ! prev, x ! next ! prev ! next ! prev } MayAliases KeyIdea: Represent aliases by expressions of size k MayAliases(x,F 1 ) = { x ! next t | t ¸ j } MayAliases(x,F 2 ) = { x ! (next|prev) t | t ¸ 0 }

13 Join Algorithm Join(F 1, F 2 ) returns an overapproximation of F 1 Ç F 2 Example 1 Input 1: i=1 Æ A[0]=0 Input 2: i=2 Æ A[0]=0 Æ A[1]=1 Output: 8 j: (0 · j < i) ) A[j]=j Example 2 Let S(k) ´ Array(x ! next k ! data, x ! next k ! len) Input 1: y=x ! next Æ S(0) Input 2: y=x ! next 2 Æ S(0) Æ S(1) Output: 9 i: 1 · i · 2 Æ y=x ! next i Æ 8 j: (0 · j < i) ) S(j)

14 Join Algorithm: Key Idea Input 1: y=x ! next Æ S(0) Input 2: y=x ! next 2 Æ S(0) Æ S(1) After Normalization, we get: Input 1: 9 i: i=1 Æ y=x ! next i Æ 8 j: (0 · j < 1) ) S(j) Input 2: 9 i: i=2 Æ y=x ! next i Æ 8 j: (0 · j < 2) ) S(j) Now we use the following rule: Join ( 9 V: E 1 Æ 8 U: C 1 ) S, 9 V: E 2 Æ 8 U: C 2 ) S) = 9 V: E 3 Æ 8 U: C 3 ) S where E 3 = Join(E 1, E 2 ) C 3 = Underapproximation of C 1 Æ C 2

15 Join Algorithm: Key Idea Input 1: y=x ! next Æ S(0) Input 2: y=x ! next 2 Æ S(0) Æ S(1) After Normalization, we get: Input 1: 9 i: i=1 Æ y=x ! next i Æ 8 j: (0 · j < 1) ) S(j) Input 2: 9 i: i=2 Æ y=x ! next i Æ 8 j: (0 · j < 2) ) S(j) Now we use the following rule: Join ( 9 V: E 1 Æ 8 U: C 1 ) S, 9 V: E 2 Æ 8 U: C 2 ) S) = 9 V: E 3 Æ 8 U: C 3 ) S where E 3 = Join(E 1, E 2 ) C 3 = Underapproximation of (E 1 ) C 1 Æ E 2 ) C 2 )

16 Meet Algorithm Meet(F,p) returns an overapproximation of F Æ p KeyIdea: Reason about interaction between equalities & disequalities Example 1 Input 1: 9 i: len · i Æ List(x,i,next) Æ y=x ! next len Input 2: y=null Output: 9 i: len=i Æ List(x,i,next) Æ y=x ! next len Example 2 Input 1: 9 i: len · i Æ List(x,i,next) Æ y=x ! next len Input 2: y null Output: 9 i: len < i Æ List(x,i,next) Æ y=x ! next len

17 PostAssignment Algorithm Input 1: List(y,i,next) Æ List(result,j,next) Æ y+next=x Æ *x=tmp Input 2: *x := result Output: List(tmp,i-1,next) Æ List(result,j,next) Æ y+next=x Æ *x=result null result null y tmp Post(F, s) returns an overapproximation of the strongest postcondition of F w.r.t. s KeyIdea: Transitive Closure; Invalidate Must; Invalidate May; Add new fact

18 Experiments ProgramBase Constraint Domain Required Property Discovered (apart from memory safety) Precondition provided List2ArrayGeneralized Difference Constraints Corresponding array & list elements are same Input is a list ListReverseGeneralized Difference Constraints Reversed list has length 100 Input is a list of size 100 ArrayPtrArrayGeneralized Difference Constraints + Uninterpreted Functions Input array has length Len (where Len is also an input)

19 Related Work Alias/Pointer Analysis [Work done in early 90s] –Must/May equalities –Considered not expressive enough Shape Analysis [Work that followed] –Fancy predicates –Need to provide transfer functions for each of them This work –Must/May equalities extended with quantifiers (Provides expressiveness of an infinite class of predicates and avoids the need of providing transfer functions)

20 Conclusion and Future Work Quantified abstract domain for pointer analysis –Expressive enough to reason rich properties –Amenable to automated deduction Extend analysis to inter-procedural setting Add disjunction and richer quantification support in abstract domain

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.