Presentation is loading. Please wait.

Presentation is loading. Please wait.

1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.

Published byGodfrey Sparks Modified over 9 years ago

Similar presentations

Presentation on theme: "1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure."— Presentation transcript:

1 1/25 Pointer Logic Changki Hong @ PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure

2 2/25 Pointer Logic Changki Hong @ PSWLAB Why pointer logic?  A pointer is a program variable whose sole purpose is to refer to some other program construct.  Other program construct - variable, procedures, or another pointer  A Pointer is useful but common source of programming errors.  Aliasing  Null pointer dereference error

3 3/25 Pointer Logic Changki Hong @ PSWLAB Table of Contents  Introduction  Pointer logic  Modeling Heap-Allocated Data Structures  A Decision Procedure  Conclusion

4 4/25 Pointer Logic Changki Hong @ PSWLAB Memory model  The implementation of pointer relies on the fact that the memory cells of a computer have addresses, i.e., each cell has a unique number.  Definition 1. Memory model  A memory model describes the assumptions that are made about the way memory cells are addressed. We assume that the architecture provides a continuous, uniform address space. Each address corresponds to a memory cell that is able to store one data word. A memory valuation M: A  D is a mapping from a set of address A into the domain D of data words.

5 5/25 Pointer Logic Changki Hong @ PSWLAB Memory layout  The compiler assigns a particular memory location to each static variable.  The mapping is called memory layout.  Definition 2. Memory layout  A memory layout L: V  A is a mapping from each variable v ∊ V to an address a ∊ A, where V denote the set of variables and A denote the set of addresses.  Memory layout is nonoverlapping which means that the memory locations of the statically allocated variables are distinct.  How about dynamic memory allocation?

6 6/25 Pointer Logic Changki Hong @ PSWLAB Dynamic memory allocation  Dynamic data structures are created at the run time of the program.  A runtime library maintains a list of the memory regions that are unused.  A function, which is part of this library, allocates a region of given size and returns a pointer to the beginning of the region. ( malloc(), …)  The memory layout changes during the runtime of the program.  The lifetime of a dynamic object is the time between its allocation and its deallocation.

7 7/25 Pointer Logic Changki Hong @ PSWLAB Analysis of programs with pointers  Aliasing  a situation in which a data location in memory can be accessed through different symbolic names in the program.  Modifying the data through one name implicitly modifies the values associated to all aliased names, which is not expected by the programmer.  Dereferencing  a situation which a pointer doesn’t point to a proper object.  Example

8 8/25 Pointer Logic Changki Hong @ PSWLAB Table of Contents  Introduction  Pointer logic  Modeling Heap-Allocated Data Structures  A Decision Procedure  Conclusion

9 9/25 Pointer Logic Changki Hong @ PSWLAB Syntax  The syntax of a formula in pointer logic is defined by the following rules:  pointer-identifier is of pointer type  identifier is of integers or an array of integers

10 10/25 Pointer Logic Changki Hong @ PSWLAB Semantics (1/2)  Define the semantics by referring to  memory layout L  L: V  A is a mapping from each variable v ∊ V to an address a ∊ A  memory valuation M  M: A  D, mapping from a set of address A into the domain D of data words  Pointer logic formulas are predicates on M, L pairs and the definition of semantics uses a reduction to integer arithmetic and array logic.  We treat M and L as array types.

11 11/25 Pointer Logic Changki Hong @ PSWLAB Semantics (2/2)  Definition 3. Semantics of pointer logic  Let L P denote the set of pointer logic expressions, and let L D denote the set of expressions permitted by the logic for the data words.  The function [⋅] is defined [⋅] : L P  L D for e ∊ L P. The function [e] is defined recursively. The expression e ∊ L P is valid if and only if [e] is valid.

12 12/25 Pointer Logic Changki Hong @ PSWLAB Example  a is an array identifier.  The semantic definition of the expression expands as follows:  Last equation is obviously valid, and thus so is original expression.

13 13/25 Pointer Logic Changki Hong @ PSWLAB Table of Contents  Introduction  Pointer logic  Modeling Heap-Allocated Data Structures  A Decision Procedure  Conclusion

14 14/25 Pointer Logic Changki Hong @ PSWLAB Lists (1/2)  The simplest dynamically allocated data structure is the linked list.  Structure type  contains fields for a next pointer and the data.  So, How to model linked list in pointer logic formulas?

15 15/25 Pointer Logic Changki Hong @ PSWLAB Lists (2/2)  We need to model the field for a next pointer.  Recursive definition  We need to add the property that the last element of the acyclic list should point a NULL.  Add another definition

16 16/25 Pointer Logic Changki Hong @ PSWLAB Table of Contents  Introduction  Pointer logic  Modeling Heap-Allocated Data Structures  A Decision Procedure  Conclusion

17 17/25 Pointer Logic Changki Hong @ PSWLAB Applying the semantic translation  The semantic translation  assigns meaning to the pointer logic formulas  gives rise to a simple decision procedure  The formula generated by semantic translation contain  array read operator (recall that memory layout L and memory valuation M are considered as array read operation)  linear arithmetic for the index.  equality over the type for modeling the contents of the memory cells  Decision procedure for pointer logic 1. Apply the semantic translation to a pointer formula to obtain a formula in the combined logic of linear arithmetic and array. 2. Pass the formula to the decision procedure for the combined logic.

18 18/25 Pointer Logic Changki Hong @ PSWLAB Examples  We want to check validity of following pointer logic formula:  The semantic translation expands as follows:  A decision procedure for array logic and equality logic easily concludes that the formula above is valid.

19 19/25 Pointer Logic Changki Hong @ PSWLAB Pure variables (1/2)  Sometimes the semantic translation can place an undue burden on the underlying decision procedure, as illustrated by the following example:  A decision procedure for array logic and equality logic is certainly able to deduce that the original formula is valid.  Therefore, the semantic translation process is not required in this kind of situation.

20 20/25 Pointer Logic Changki Hong @ PSWLAB  Definition 4. Pure variables  Given a formula with a set of variables V, let denote the subset of ’s variables that are not used within an argument of the “ & ” operator within. These variables are called pure.  Definition 5. [∙] P  A new translation function [e] P is identical to the definition [e] unless e denotes a variable. The new definition is: Pure variables (2/2)

21 21/25 Pointer Logic Changki Hong @ PSWLAB Example  This no longer burdens the decision procedure for array logic:

22 22/25 Pointer Logic Changki Hong @ PSWLAB Reachability predicate (1/2)  Definition 6.  This stands for the pointer that is obtained by starting from q and following the field f, n times:  Definition 7. reachability predicate,  We call a predicate as reachability predicate which satisfies following two conditions:  There exists some n such that q is reachable from p by following f for n times.  x is not reachable in fewer than n steps from p following f. 

23 23/25 Pointer Logic Changki Hong @ PSWLAB Reachability predicate (2/2)  We say that a formula is a reachability predicate formula if it contains the reachability predicate.  Reachability predicate formulas often have quantifiers, which make decision problems much harder.  There is no automatic decision procedure for a logic that includes a reachability predicate.

24 24/25 Pointer Logic Changki Hong @ PSWLAB Table of Contents  Introduction  Pointer logic  Modeling Heap-Allocated Data Structures  A Decision Procedure  Conclusion

25 25/25 Pointer Logic Changki Hong @ PSWLAB Conclusion  The semantic translation not only assigns meaning to the pointer logic formulas, but also gives rise to a simple decision procedure.  Deciding pointer logic including reachability predicate is still an open problem.

Download ppt "1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
CHP-5 LinkedList.

CHP-5 LinkedList.
Symbol Table.

Symbol Table.
Intermediate Code Generation

Intermediate Code Generation
Overview of Previous Lesson(s) Over View  Front end analyzes a source program and creates an intermediate representation from which the back end generates.

Overview of Previous Lesson(s) Over View  Front end analyzes a source program and creates an intermediate representation from which the back end generates.
The Assembly Language Level

The Assembly Language Level
Kernighan/Ritchie: Kelley/Pohl:

Kernighan/Ritchie: Kelley/Pohl:
Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.

Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.
Compiler Construction

Compiler Construction
1 Pointers A pointer variable holds an address We may add or subtract an integer to get a different address. Adding an integer k to a pointer p with base.

1 Pointers A pointer variable holds an address We may add or subtract an integer to get a different address. Adding an integer k to a pointer p with base.
Chapter 9. 2 Objectives You should be able to describe: Addresses and Pointers Array Names as Pointers Pointer Arithmetic Passing Addresses Common Programming.

Chapter 9. 2 Objectives You should be able to describe: Addresses and Pointers Array Names as Pointers Pointer Arithmetic Passing Addresses Common Programming.
Pointers Pointer - A pointer is a derived data type; that is it is a data type built from one of the standard types. Its value is any of the addresses.

Pointers Pointer - A pointer is a derived data type; that is it is a data type built from one of the standard types. Its value is any of the addresses.
Pointers. Addresses in Memory When a variable is declared, enough memory to hold a value of that type is allocated for it at an unused memory location.

Pointers. Addresses in Memory When a variable is declared, enough memory to hold a value of that type is allocated for it at an unused memory location.
Copyright © 2008 Pearson Addison-Wesley. All rights reserved. Chapter 9 Pointers and Dynamic Arrays.

Copyright © 2008 Pearson Addison-Wesley. All rights reserved. Chapter 9 Pointers and Dynamic Arrays.
The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:

The environment of the computation Declarations introduce names that denote entities. At execution-time, entities are bound to values or to locations:
Review on pointers and dynamic objects. Memory Management  Static Memory Allocation  Memory is allocated at compiling time  Dynamic Memory  Memory.

Review on pointers and dynamic objects. Memory Management  Static Memory Allocation  Memory is allocated at compiling time  Dynamic Memory  Memory.
1 Type Type system for a programming language = –set of types AND – rules that specify how a typed program is allowed to behave Why? –to generate better.

1 Type Type system for a programming language = –set of types AND – rules that specify how a typed program is allowed to behave Why? –to generate better.
1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.

1 Pointers, Dynamic Data, and Reference Types Review on Pointers Reference Variables Dynamic Memory Allocation –The new operator –The delete operator –Dynamic.
1 Chapter 9 Pointers. 2 Topics 8.1 Getting the Address of a Variable 8.2 Pointer Variables 8.3 Relationship Between Arrays and Pointers 8.4 Pointer Arithmetic.

1 Chapter 9 Pointers. 2 Topics 8.1 Getting the Address of a Variable 8.2 Pointer Variables 8.3 Relationship Between Arrays and Pointers 8.4 Pointer Arithmetic.
Pointers Applications

Pointers Applications

Similar presentations

Ads by Google