Presentation is loading. Please wait.

Presentation is loading. Please wait.

Towards Shape Analysis for Device Drivers Hongseok Yang (Queen Mary, University of London) (Joint work with Josh Berdine, Cristiano Calcagno, Byron Cook,

Published byYasmine Whittum Modified over 10 years ago

Similar presentations

Presentation on theme: "Towards Shape Analysis for Device Drivers Hongseok Yang (Queen Mary, University of London) (Joint work with Josh Berdine, Cristiano Calcagno, Byron Cook,"— Presentation transcript:

1 Towards Shape Analysis for Device Drivers Hongseok Yang (Queen Mary, University of London) (Joint work with Josh Berdine, Cristiano Calcagno, Byron Cook, Dino Distefano, Peter OHearn and Thomas Wies)

2 Dream Do deep shape analysis for real programs (i.e., programs of ~ 100K LOC). 1.Memory safety 2.Absence of leaks 3.Race freedom 4.Reponsiveness

3 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PRESET_IRP ResetIrp,temp,tempnext; PDEVICE_EXTENSION de; ……… KeAcquireSpinLock(&de->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)ResetIrp->Flink2; } KeReleaseSpinLock(&de->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp ) Pb 1: Extreme local analysis Tied to OS kernel Expensive shape analysis KeReleaseSpinLock(&de->ResetSpinLock, Irql); KeAcquireSpinLock(&de->ResetSpinLock, &Irql); IoCompleteRequest(Irp, IO_NO_INCREMENT);

4 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PRESET_IRP ResetIrp,temp,tempnext; PDEVICE_EXTENSION de; ……… KeAcquireSpinLock(&de->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)ResetIrp->Flink2; } KeReleaseSpinLock(&de->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); }

5 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PRESET_IRP ResetIrp,temp,tempnext; PDEVICE_EXTENSION de; ……… KeAcquireSpinLock(&de->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)ResetIrp->Flink2; } KeReleaseSpinLock(&de->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } Pb1 : Extreme local analysis A part of code in isolation. No preconditions. Only the memory footprint of the part.

6 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PRESET_IRP ResetIrp,temp,tempnext; PDEVICE_EXTENSION de; ……… KeAcquireSpinLock(&de->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)BusResetIrp->Flink2; } KeReleaseSpinLock(&de->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } Pb 2: Challenging Data Structures typedef struct { DEVICE_OBJECT* StackDeviceObject; DEVICE_OBJECT* PortDeviceObject; DEVICE_OBJECT* PhysicalDeviceObject; … ADDRESS_DATA* Flink1; RESET_IRP* Flink2; CROM_DATA* Flink3; DETACH_DATA* Flink4; RESOURCE_DATA* Flink5; } DEVICE_EXTENSION, *PDEVICE_EXTENSION; typedef struct DEVICE_OBJECT { … DEVICE_EXTENSION* DeviceExtension; … } DEVICE_OBJECT, *PDEVICE_OBJECT;

7 Drawn by Dino Distefano

8 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PRESET_IRP ResetIrp,temp,tempnext; PDEVICE_EXTENSION de; ……… KeAcquireSpinLock(&de->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)BusResetIrp->Flink2; } KeReleaseSpinLock(&de->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } Pb 3: Concurrency KeReleaseSpinLock(&de->ResetSpinLock, Irql); KeAcquireSpinLock(&de->ResetSpinLock, &Irql); typedef struct { … DRIVER_CANCEL (*CancelRoutine)(…); … } IRP, *PIRP;

9 Status of Separation-logic based Shape Analysis (London/Cambridge) Problem 1: Extreme local analysis Extreme local shape analysis [Calcagno, Distefano, OHearn, Yang] Problem 2: Challenging data structures Adaptive shape analysis [Berdine, Calcagno, Disetafano, Cook, Wies, OHearn, Yang] Problem 3: Concurrency Thread-modular shape analysis [Gotsman, Berdine, Cook, Sagiv]

10 Extreme Local Shape Analysis Analyze a part of code in isolation. No preconditions. Only the memory footprint of the part.

11 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PRESET_IRP ResetIrp,temp,tempnext; PDEVICE_EXTENSION de; ……… KeAcquireSpinLock(&de->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)BusResetIrp->Flink2; } KeReleaseSpinLock(&de->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); }

12 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PXXX_RESET_IRP XXXResetIrp,temp,tempnext; PDEVICE_EXTENSION deviceExtension; ……… KeAcquireSpinLock(&deviceExtension->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)BusResetIrp->Flink2; } KeReleaseSpinLock(&deviceExtension->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de) typedef struct { RESET_IRP* Flink2; IRP* Irp; … } RESET_IRP, *PRESET_IRP; typedef struct { RESET_IRP* Flink2; … } DEVICE_EXTENSION; (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,x 1 ) * (x 1 R Irp:Irp) (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,0) (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de)(de D Flink2: de)

13 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PXXX_RESET_IRP XXXResetIrp,temp,tempnext; PDEVICE_EXTENSION deviceExtension; ……… KeAcquireSpinLock(&deviceExtension->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)BusResetIrp->Flink2; } KeReleaseSpinLock(&deviceExtension->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } (de Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de) typedef struct { RESET_IRP* Flink2; IRP* Irp; … } RESET_IRP, *PRESET_IRP; typedef struct { RESET_IRP* Flink2; … } DEVICE_EXTENSION; (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,x 1 ) * (x 1 R Irp:Irp) (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,0) (de Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de)(de D Flink2: de) de D Flink2: de

14 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PXXX_RESET_IRP XXXResetIrp,temp,tempnext; PDEVICE_EXTENSION deviceExtension; ……… KeAcquireSpinLock(&deviceExtension->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)BusResetIrp->Flink2; } KeReleaseSpinLock(&deviceExtension->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } (de Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de) typedef struct { RESET_IRP* Flink2; IRP* Irp; … } RESET_IRP, *PRESET_IRP; typedef struct { RESET_IRP* Flink2; … } DEVICE_EXTENSION; (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,x 1 ) * (x 1 R Irp:Irp) (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,0) (de Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de)(de D Flink2: de) de D Flink2: de Æ de = ResetIrp

15 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PXXX_RESET_IRP XXXResetIrp,temp,tempnext; PDEVICE_EXTENSION deviceExtension; ……… KeAcquireSpinLock(&deviceExtension->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)BusResetIrp->Flink2; } KeReleaseSpinLock(&deviceExtension->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } (de Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de) typedef struct { RESET_IRP* Flink2; IRP* Irp; … } RESET_IRP, *PRESET_IRP; typedef struct { RESET_IRP* Flink2; … } DEVICE_EXTENSION; (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,x 1 ) * (x 1 R Irp:Irp) (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,0) (de Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de)(de D Flink2: de) de D Flink2: de Æ de = ResetIrp

16 void XXX_CancelIrp(PDEVICE_OBJECT DeviceObject, PIRP Irp) { ……… PXXX_RESET_IRP XXXResetIrp,temp,tempnext; PDEVICE_EXTENSION deviceExtension; ……… KeAcquireSpinLock(&deviceExtension->ResetSpinLock, &Irql); ResetIrp = (PRESET_IRP)de->Flink2; while (ResetIrp !=NULL) { if (ResetIrp->Irp == Irp) { temp = (PRESET_IRP)de; tempnext = temp->Flink2; while (tempnext != ResetIrp) { temp = tempnext; tempnext = temp->Flink2; } temp->Flink2 = ResetIrp->Flink2; free(ResetIrp); break; } else if (ResetIrp->Flink2 == (PRESET_IRP)de) break; else ResetIrp = (PRESET_IRP)BusResetIrp->Flink2; } KeReleaseSpinLock(&deviceExtension->ResetSpinLock, Irql); …… IoCompleteRequest(Irp, IO_NO_INCREMENT); } (de Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de) typedef struct { RESET_IRP* Flink2; IRP* Irp; … } RESET_IRP, *PRESET_IRP; typedef struct { RESET_IRP* Flink2; … } DEVICE_EXTENSION; (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,x 1 ) * (x 1 R Irp:Irp) (de D Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,0) (de Flink2: x 0 ) * ls (RESET_IRP,Flink2) (x 0,de)(de D Flink2: de) de D Flink2: de Æ de = ResetIrp ERROR: No IRP Field in DEVICE_EXTENSION

17 Extreme Local Shape Analysis Trace Generation Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } assert(x!=0); t=x; x=x->next; free(x); assert(x=0); assert(x!=0); t=x; x=x->next; free(x); assert(x!=0); t=x; x=x->next; free(x); assert(x=0);

18 Extreme Local Shape Analysis Trace Generation Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } assert(x!=0); t=x; x=x->next; free(x); assert(x=0); assert(x!=0); t=x; x=x->next; free(x); assert(x!=0); t=x; x=x->next; free(x); assert(x=0);

19 Extreme Local Shape Analysis Trace Generation Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } assert(x!=0); t=x; x=x->next; free(x); assert(x=0); assert(x!=0); t=x; x=x->next; free(x); assert(x!=0); t=x; x=x->next; free(x); assert(x=0); P0P0 P1P1

20 Extreme Local Shape Analysis Trace Generation Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } assert(x!=0); t=x; x=x->next; free(x); assert(x=0); assert(x!=0); t=x; x=x->next; free(x); assert(x!=0); t=x; x=x->next; free(x); assert(x=0); P0P0 P1P1 Abstract preconditions P2P2 P3P3

21 Extreme Local Shape Analysis Trace Generation Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } assert(x!=0); t=x; x=x->next; free(x); assert(x=0); assert(x!=0); t=x; x=x->next; free(x); assert(x!=0); t=x; x=x->next; free(x); assert(x=0); P0P0 P1P1 Abstract preconditions P2P2 P3P3 SpaceInvader {P 2,P 3,…,P n } {Q 1,Q 2,…,Q k } {I 1,I 2,…,I m }

22 Extreme Local Shape Analysis Trace Generation Footprint Computation Abstract preconditions SpaceInvader Sound precondition Footprint only

23 Separation Logic x y, ls (y,z) x y * ls (y,z), emp 9 y. z!=0 Æ v=a Æ x y * ls (y,z) x y yz yz x

24 Variable Convention Program variables: x,y,z,t,v,w Ghost (or auxiliary) variables: a,b,c,d,…. Primed variables: x,y,z,t,v,w 9 w,w 1. x!=0 Æ z=a Æ w!=w 1 Æ x w * ls (w,w 1 ) * y w 1

25 Symbolic Heaps Separation logic formulas of the form: (x!=0 Æ z=a Æ w!=w 1 ) Æ (x w * ls (w,w 1 ) * y w 1 ) SH = Set of all symbolic heaps GhostSH = Set of sym. heaps with ghost vars only

26 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Q0Q0 P P0P0 C

27 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(t=x->next, x=a Æ emp) = (a b, x=a Æ t=b Æ a b) {x=a Æ emp*a b} t=x->next {x=a Æ t=b Æ a b}

28 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log.

29 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(free(x),P*E F) = (emp,P) if (P*E F) ` E=x Foot(free(x), x=a Æ a 0) = (emp, x=a Æ emp)

30 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(free(x),P*E F) = (emp,P) if (P*E F) ` E=x Foot(free(x),P) = (a b,P) if P ` x=a, fresh b Rewrite x to some ghost variable. Foot(free(x), x=a Æ emp) = (a b, x=a Æ emp)

31 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(free(x),P*E F) = (emp,P) if (P*E F) ` E=x Foot(free(x),P) = (a b,P) if P ` x=a, fresh b Foot(free(x),P) = (false,P) otherwise Foot(free(x), emp) = (false, emp) != (x b, emp)

32 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log.

33 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(A;C,P) = let (P 0,Q 0 )=Foot(A,P) and (P 1,Q 1 )=Foot(C,Q 0 ) in (P 0 *P 1, Q 1 ) P Q1Q1 P0P0 Q0Q0 P1P1 A C P1P1

34 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(A;C,P) = let (P 0,Q 0 )=Foot(A,P) and (P 1,Q 1 )=Foot(C,Q 0 ) in (P 0 *P 1, Q 1 ) Foot(free(x);free(y), x=a Æ y=b Æ emp) = (a c * b d, x=a Æ y=b Æ emp)

35 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log.

36 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Algorithm : Given a trace C. Supp FPV(C) = {x}. P := (x=a Æ emp); (P 0,Q 0 ) := Foot(C, P); return (P * P 0 );

37 List Disposal list t*; while (x!=0) { t = x; x = x->next; free(t); } x 0

38 List Disposal list t*; while (x!=0) { t = x; x = x->next; free(t); } x 0

39 List Disposal list t*; while (x!=0) { t = x; x = x->next; free(t); } x 0 t

40 List Disposal list t*; while (x!=0) { t = x; x = x->next; free(t); } x 0 t

41 List Disposal list t*; while (x!=0) { t = x; x = x->next; free(t); } x 0 t

42 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); }

43 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ emp x=a Æ emp

44 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ emp x=a Æ emp x=a Æ a!=0 Æ emp

45 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ emp x=a Æ emp x=a Æ a!=0 Æ emp x=a Æ a!=0 Æ t=a Æ emp

46 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ emp * a b x=a Æ emp x=a Æ a!=0 Æ emp x=a Æ a!=0 Æ t=a Æ emp x=b Æ a!=0 Æ t=a Æ emp * a b

47 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ emp * a b x=a Æ emp x=a Æ a!=0 Æ emp x=a Æ a!=0 Æ t=a Æ emp x=b Æ a!=0 Æ t=a Æ emp x=b Æ a!=0 Æ t=a Æ emp * a b

48 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ emp * a b x=b Æ a!=0 Æ t=a Æ emp x=a Æ emp x=a Æ a!=0 Æ emp x=a Æ a!=0 Æ t=a Æ emp x=b Æ a!=0 Æ t=a Æ emp * a b x=b Æ a!=0 Æ t=a Æ b!=0 Æ emp

49 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ emp * a b x=b Æ a!=0 Æ t=a Æ emp x=a Æ emp x=a Æ a!=0 Æ emp x=a Æ a!=0 Æ t=a Æ emp x=b Æ a!=0 Æ t=a Æ emp * a b x=b Æ a!=0 Æ t=a Æ b!=0 Æ emp x=b Æ a!=0 Æ t=b Æ b!=0 Æ emp

50 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ emp * a b * b c x=b Æ a!=0 Æ t=a Æ emp x=a Æ emp x=a Æ a!=0 Æ emp x=a Æ a!=0 Æ t=a Æ emp x=b Æ a!=0 Æ t=a Æ emp * a b x=b Æ a!=0 Æ t=a Æ b!=0 Æ emp x=b Æ a!=0 Æ t=b Æ b!=0 Æ emp x=c Æ a!=0 Æ t=b Æ b!=0 Æ emp * b c

51 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ emp * a b * b c x=b Æ a!=0 Æ t=a Æ emp x=a Æ emp x=a Æ a!=0 Æ emp x=a Æ a!=0 Æ t=a Æ emp x=b Æ a!=0 Æ t=a Æ emp * a b x=b Æ a!=0 Æ t=a Æ b!=0 Æ emp x=b Æ a!=0 Æ t=b Æ b!=0 Æ emp x=c Æ a!=0 Æ t=b Æ b!=0 Æ emp * b c x=c Æ a!=0 Æ t=b Æ b!=0 Æ emp

52 Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c x=c Æ a!= 0 Æ t=b Æ b!=0 Æ c=0 Æ emp x=b Æ a!=0 Æ t=a Æ emp x=a Æ emp x=a Æ a!=0 Æ emp x=a Æ a!=0 Æ t=a Æ emp x=b Æ a!=0 Æ t=a Æ emp * a b x=b Æ a!=0 Æ t=a Æ b!=0 Æ emp x=b Æ a!=0 Æ t=b Æ b!=0 Æ emp x=c Æ a!=0 Æ t=b Æ b!=0 Æ emp * b c x=c Æ a!=0 Æ t=b Æ b!=0 Æ emp

53 Abstraction Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c Abs : SH ! CanonicalSH 1.Existentially quantify ghost vars. 2.Substitute away equalities d=E. 3.Drop disequalities. 4.Apply list abstraction.

54 Abstraction Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c Abs : SH ! CanonicalSH 1.Existentially quantify ghost vars. 2.Substitute away equalities d=E. 3.Drop disequalities. 4.Apply list abstraction. Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c

55 Abstraction Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c Abs : SH ! CanonicalSH 1.Existentially quantify ghost vars. 2.Substitute away equalities d=E. 3.Drop disequalities. 4.Apply list abstraction. Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c Discovered Precondition: x!=0 Æ b!=0 Æ emp * x b * b 0

56 Abstraction Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c Abs : SH ! CanonicalSH 1.Existentially quantify ghost vars. 2.Substitute away equalities d=E. 3.Drop disequalities. 4.Apply list abstraction. Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c Discovered Precondition: x!=0 Æ b!=0 Æ emp * x b * b 0 Discovered Precondition: emp * x b * b 0

57 Abstraction Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c Abs : SH ! CanonicalSH 1.Existentially quantify ghost vars. 2.Substitute away equalities d=E. 3.Drop disequalities. 4.Apply list abstraction. Discovered Precondition: x=a Æ a!=0 Æ b!=0 Æ c=0 Æ emp * a b * b c Discovered Precondition: x!=0 Æ b!=0 Æ emp * x b * b 0 Discovered Precondition: emp * x b * b 0 Discovered Precondition: ls (x,0)

58 SpaceInvader list t*; while (x!=0) { t = x; x = x->next; free(t); } Precondition: ls (x, 0) Postcondition: x=0 Æ emp Fixpoint Computation

59 Backward Footprint Computation list t*; while (x!=0) { t = x; x = x->next; free(t); } Backward: assert(x!=0); t = x; x = x->next; free(t); assert(x=0); Forward: assert(x!=0); t = x; x = x->next; free(t); assert(x=0);

60 Frame Rule and Correctness of Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(A;C,P) = let (P 0,Q 0 )=Foot(A,P) and (P 1,Q 1 )=Foot(C,Q 0 ) in (P 0 *P 1, Q 1 ) P Q1Q1 P0P0 Q0Q0 P1P1 A C P1P1 Sound because of Frame Rule in Sep. Log. {P*P 0 }A{Q 0 } {P*P 0 *P 1 }A{Q 0 *P 1 } {Q 0 *P 1 }C{Q} {P*P 0 *P 1 }A;C{Q}

61 Experiments with Firewire Device Driver MacBook, 2GH Intel Core Duo. 2GB Mem. All fn calls are inlined. FunctionLOCTimeResult F1320.07AlarmReal Err F2870.04Yes F31300.43Yes F41980.31Yes F5 (loop 1)32540.75Yes F5 (loop 2)462.83Yes F5 (loop 3)2210.45Yes F5 (loop 4)170> 10 min??? F5 (loop 5)590.036Yes

62 Future Direction 1.Weaving analysis results. 2.Good abstraction for footprints. 3.Better shape abstraction.

63 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(assert(x!=0),P) = (a!=0 Æ emp, a!=0 Æ P) if P ` x=a

64 Footprint Computation Foot : Trace x SH ! GhostSH x SH Correctness: If Foot(C,P)=(P 0,Q 0 ), then {P*P 0 }C{Q 0 } holds in Sep. Log. Foot(assert(x!=0),P) = (a!=0 Æ emp, a!=0 Æ P) if P ` x=a Foot(assert(x!=0),P) = (false, P) otherwise

Download ppt "Towards Shape Analysis for Device Drivers Hongseok Yang (Queen Mary, University of London) (Joint work with Josh Berdine, Cristiano Calcagno, Byron Cook,"

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
A Framework for describing recursive data structures Kenneth Roe Scott Smith.

A Framework for describing recursive data structures Kenneth Roe Scott Smith.
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
The Static Driver Verifier Research Platform

The Static Driver Verifier Research Platform
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Memory Management Chapter FourteenModern Programming Languages, 2nd ed.1.

Memory Management Chapter FourteenModern Programming Languages, 2nd ed.1.
LIST PROCESSING.

LIST PROCESSING.
Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.

Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 10.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 10.
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
1 Termination and shape-shifting heaps Byron Cook Microsoft Research, Cambridge Joint work with Josh Berdine, Dino Distefano, and.

1 Termination and shape-shifting heaps Byron Cook Microsoft Research, Cambridge Joint work with Josh Berdine, Dino Distefano, and.
Techniques for proving programs with pointers A. Tikhomirov.

Techniques for proving programs with pointers A. Tikhomirov.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
© 2009 Microsoft Corporation. All rights reserved. Automatic Verification of Heap Manipulation using Separation Logic Josh Berdine with thanks to Byron.

© 2009 Microsoft Corporation. All rights reserved. Automatic Verification of Heap Manipulation using Separation Logic Josh Berdine with thanks to Byron.
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Α ϒ ʎ …… Reachability Modulo Theories Akash Lal Shaz Qadeer, Shuvendu Lahiri Microsoft Research.

Similar presentations

Ads by Google