Slide 1: TVLA for System Code
Jörg Kreiker, Helmut Seidl, Vesal Vojdani (TU Munich)
Dagstuhl, July 2009
Slide 2: Motivation
[Figure: three linked records i-1, i, i+1, each with the components data, queue and list; labels "cleanup queue", "active objects", "garbage"]
struct node { t data; struct hlist_node list; struct list_head queue; }
Slide 3: Motivation
[Figure: the same records i-1, i, i+1 with components data, queue and list; labels "cleanup queue", "active objects", "garbage"]
struct hlist_node { struct hlist_node *next; struct hlist_node **pprev; }
Slide 4: Motivation
[Figure: the same records i-1, i, i+1; labels "cleanup queue", "active objects", "garbage"]
– overlapping, embedded records
– UP (container_of, offset)
– pointers to pointer: &x->s, &x, *x = y, …
Slide 5: Motivation
[Figure: the same records i-1, i, i+1; labels "cleanup queue", "active objects", "garbage"]
– inspired by race detection
– properties:
  – privatization: make data thread-local
  – cleanup queue needs no lock unless there are two
  – reachability with and without UP
Slide 6: Fine-grained memory model
TVLA
– node: record
– edge: dereferenced pointer-valued component
Fine-grained model
– node: record component
– edge: dereferencing
– predicates: Var + Sel + *
– predicate transformers only for *
Slide 7: Example
– standard list (3 elements)
– hlist_node
[Figure: fine-grained graphs of both structures, with nodes for x, list, queue, data, next, prev/pprev and dereference edges *, **, ***]
Slide 8: TVLA example: indirect element deletion
for (lpp = &x; *lpp != NULL; lpp = &(*lpp)->next)
    if ((*lpp)->data % 13 == 0) { *lpp = (*lpp)->next; break; }
[Figure: fine-grained graph with nodes x, next and a *** edge]
Slide 9: Coarse-grained model
TVLA
– node: record
– edge: dereferenced pointer-valued component
Fine-grained model
– node: record component
– edge: dereferencing
Coarse-grained
– one node per struct
– edge: dereference + source + target component
– predicates: Var[π] + *[π1, π2]
Slide 10: Example
[Figure: fine-grained graph versus coarse-grained graph of three records with components data, queue and list]
Coarse-grained predicates: *[first,list], *[list.next,list], *[list.pprev,list.next]
Slide 11: TVLA example: delete element from hlist
n = t->next; p = t->pprev; *p = n; if (n) n->pprev = p;
[Figure: fine-grained graph with nodes x, next, pprev and a *** edge]
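The two pointer-to-pointer updates the slides analyse (the indirect deletion loop of slide 8 and the hlist deletion of slide 11) as a runnable C example. This is added illustration, not code from the talk: it uses the struct hlist_node of slide 3, a struct node with the data type t instantiated as int and the queue component left out, a container_of macro standing in for the UP pointer of slide 4, and constructed sample lists. The helper names hlist_add_head, hlist_ok, hlist_demo and slist_demo are assumptions of this example. The hlist_ok check is the invariant a shape analysis has to re-establish after every such store: every node's pprev must point at exactly the cell that holds the pointer to it.

```c
#include <stddef.h>
#include <stdio.h>

/* Intrusive list node as on slide 3: next points to the following node,
 * pprev points at the cell that refers to this node (head->first or the
 * previous node's next field). */
struct hlist_node { struct hlist_node *next; struct hlist_node **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Record of slide 2 with t = int (assumption); queue omitted here. */
struct node { int data; struct hlist_node list; };

/* UP pointer (slide 4): recover the enclosing record from its component. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h) {
    n->next = h->first;
    if (h->first) h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* Deletion of slide 11: unlink t by storing through the pointer-to-pointer. */
static void hlist_del(struct hlist_node *t) {
    struct hlist_node *n = t->next;
    struct hlist_node **p = t->pprev;
    *p = n;
    if (n) n->pprev = p;
    t->next = NULL;
    t->pprev = NULL;
}

/* Invariant to re-establish after every update: *n->pprev == n for all n. */
static int hlist_ok(struct hlist_head *h) {
    struct hlist_node **pp = &h->first;
    for (struct hlist_node *n = h->first; n; pp = &n->next, n = n->next)
        if (n->pprev != pp) return 0;
    return 1;
}

/* Sum the data fields, reaching each record through the UP pointer. */
static int hlist_sum(struct hlist_head *h) {
    int s = 0;
    for (struct hlist_node *n = h->first; n; n = n->next)
        s += container_of(n, struct node, list)->data;
    return s;
}

/* Constructed sample: list 7, 26, 5, 39; delete the node holding 26.
 * Stores the invariant check in *ok (if non-NULL) and returns the sum of
 * the remaining data fields, 7 + 5 + 39 = 51. */
int hlist_demo(int *ok) {
    static struct node nodes[4];
    const int vals[4] = {7, 26, 5, 39};
    struct hlist_head head = { NULL };
    for (int i = 3; i >= 0; i--) {
        nodes[i].data = vals[i];
        hlist_add_head(&nodes[i].list, &head);
    }
    hlist_del(&nodes[1].list);
    if (ok) *ok = hlist_ok(&head);
    return hlist_sum(&head);
}

int hlist_demo_invariant(void) {
    int ok = 0;
    hlist_demo(&ok);
    return ok;
}

/* Singly linked node for the loop of slide 8. */
struct snode { int data; struct snode *next; };

/* Indirect deletion of slide 8: lpp walks the pointer cells (&x, then each
 * next field), so the element whose data is divisible by 13 is unlinked by a
 * single store through lpp, with no "previous node" variable. Constructed
 * sample 4, 13, 8; returns the sum of the remaining elements, 4 + 8 = 12. */
int slist_demo(void) {
    static struct snode s[3];
    struct snode *x = &s[0];
    s[0].data = 4;  s[0].next = &s[1];
    s[1].data = 13; s[1].next = &s[2];
    s[2].data = 8;  s[2].next = NULL;
    struct snode **lpp;
    for (lpp = &x; *lpp != NULL; lpp = &(*lpp)->next)
        if ((*lpp)->data % 13 == 0) { *lpp = (*lpp)->next; break; }
    int sum = 0;
    for (struct snode *p = x; p; p = p->next) sum += p->data;
    return sum;
}

int main(void) {
    int ok = 0;
    int h = hlist_demo(&ok);
    printf("hlist after delete: sum=%d invariant=%s\n", h, ok ? "ok" : "broken");
    printf("slist after indirect delete: sum=%d\n", slist_demo());
    return 0;
}
```

Both deletions are the shape-analysis challenge the slides point at: the store goes through a pointer to a pointer (*p = n, *lpp = ...), so a fine-grained model must track edges from the cell holding the pointer, not just from record to record, and the pprev field of the successor must be updated for the hlist invariant to survive.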
Slide 12: Some related work
– Calcagno et al.: Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic, SAS 2006
– Berdine et al.: Shape Analysis for Composite Data Structures, CAV 2007
– Yang et al.: Scalable Shape Analysis for Systems Code, CAV 2008
– Chatterjee et al.: A Reachability Predicate for Analyzing Low-Level Software, TACAS 2007
– Gulwani, Tiwari: An Abstract Domain for Analyzing Heap-Manipulating Low-Level Software, CAV 2007
– Gulwani et al.: A Combination Framework for Tracking Partition Sizes, POPL 2009
Slide 13: Conclusion
fine/coarse:
– reachability with/without UP
– case study: one or two lists visible
conservative add-on, exploits existing knowledge
useful for subtle race detection
able to deal with
– overlapping, embedded records
– deep sharing and update
– UP
– &x->s, *x = y, …