1/25 Pointer Logic Changki Hong @ PSWLAB
Pointer Logic
Daniel Kroening and Ofer Strichman, Decision Procedures
Why pointer logic?
A pointer is a program variable whose sole purpose is to refer to some other program construct. Such a construct may be a variable, a procedure, or another pointer.
Pointers are useful but a common source of programming errors: aliasing, null pointer dereference errors.
Table of Contents
Introduction
Pointer logic
Modeling Heap-Allocated Data Structures
A Decision Procedure
Conclusion
Memory model
The implementation of pointers relies on the fact that the memory cells of a computer have addresses, i.e., each cell has a unique number.
Definition 1. Memory model. A memory model describes the assumptions that are made about the way memory cells are addressed. We assume that the architecture provides a continuous, uniform address space. Each address corresponds to a memory cell that is able to store one data word. A memory valuation M: A → D is a mapping from a set of addresses A into the domain D of data words.
Memory layout
The compiler assigns a particular memory location to each static variable. This mapping is called the memory layout.
Definition 2. Memory layout. A memory layout L: V → A is a mapping from each variable v ∊ V to an address a ∊ A, where V denotes the set of variables and A denotes the set of addresses.
The memory layout is nonoverlapping, which means that the memory locations of the statically allocated variables are distinct.
What about dynamic memory allocation?
Dynamic memory allocation
Dynamic data structures are created at the run time of the program. A runtime library maintains a list of the memory regions that are unused. A function that is part of this library allocates a region of a given size and returns a pointer to the beginning of the region (malloc(), …).
The memory layout changes during the runtime of the program.
The lifetime of a dynamic object is the time between its allocation and its deallocation.
Analysis of programs with pointers
Aliasing: a situation in which a data location in memory can be accessed through different symbolic names in the program. Modifying the data through one name implicitly modifies the values associated with all aliased names, which is not expected by the programmer.
Dereferencing: a situation in which a pointer doesn't point to a proper object.
Example
Syntax
The syntax of a formula in pointer logic is defined by the following rules:
A pointer-identifier is of pointer type; an identifier is of integer type or an array of integers.
Semantics (1/2)
Define the semantics by referring to
the memory layout L: V → A, a mapping from each variable v ∊ V to an address a ∊ A
the memory valuation M: A → D, a mapping from the set of addresses A into the domain D of data words
Pointer logic formulas are predicates on (M, L) pairs, and the definition of the semantics uses a reduction to integer arithmetic and array logic. We treat M and L as array types.
Semantics (2/2)
Definition 3. Semantics of pointer logic. Let LP denote the set of pointer logic expressions, and let LD denote the set of expressions permitted by the logic for the data words. The function [⋅] : LP → LD is defined for e ∊ LP, and [e] is defined recursively. The expression e ∊ LP is valid if and only if [e] is valid.
Example
Let a be an array identifier. The semantic definition of the expression
*(&(a) + 1) = a[1]
expands as follows:
The last equation is obviously valid, and thus so is the original expression.
Lists (1/2)
The simplest dynamically allocated data structure is the linked list. The structure type contains fields for a next pointer and the data.
So, how do we model a linked list in pointer logic formulas?
Lists (2/2)
We need to model the field for the next pointer. Recursive definition:
list_elem(p, 0) := p
list_elem(p, i) := list_elem(p, i − 1)->n   for i ≥ 1
We need to add the property that the last element of the acyclic list should point to NULL. Add another definition:
list(p, l) := list_elem(p, l) = NULL
Applying the semantic translation
The semantic translation assigns meaning to the pointer logic formulas and gives rise to a simple decision procedure. The formulas generated by the semantic translation contain:
array read operators (recall that the memory layout L and the memory valuation M are treated as arrays, so reading them is an array read operation)
linear arithmetic for the index
equality over the type used for modeling the contents of the memory cells
Decision procedure for pointer logic:
1. Apply the semantic translation to a pointer formula to obtain a formula in the combined logic of linear arithmetic and arrays.
2. Pass the formula to the decision procedure for the combined logic.
Examples
We want to check the validity of the following pointer logic formula:
p = &x ∧ *p = 1 ⟹ x = 1
The semantic translation expands as follows:
[p = &x ∧ *p = 1 ⟹ x = 1]
⟺ [p = &x] ∧ [*p = 1] ⟹ [x = 1]
⟺ [p] = [&x] ∧ [*p] = [1] ⟹ [x] = [1]
⟺ M[L[p]] = L[x] ∧ M[M[L[p]]] = 1 ⟹ M[L[x]] = 1
A decision procedure for array logic and equality logic easily concludes that the formula above is valid.
Pure variables (1/2)
Sometimes the semantic translation can place an undue burden on the underlying decision procedure, as illustrated by the following example:
x = y ⟹ y = x
[x = y ⟹ y = x] ⟺ M[L[x]] = M[L[y]] ⟹ M[L[y]] = M[L[x]]
A decision procedure for array logic and equality logic is certainly able to deduce that the original formula is valid. Therefore, the semantic translation process is not required in this kind of situation.
Pure variables (2/2)
Definition 4. Pure variables. Given a formula φ with a set of variables V, let P(φ) ⊆ V denote the subset of φ's variables that are not used within an argument of the "&" operator within φ. These variables are called pure.
Definition 5. [⋅]P. A new translation function [e]P is identical to the definition of [e] unless e denotes a variable v. The new definition is:
[v]P := v   for v ∈ P(φ)
[v]P := M[L[v]]   for v ∈ V \ P(φ)
Example
This no longer burdens the decision procedure for array logic:
[x = y ⟹ y = x]P
⟺ [x = y]P ⟹ [y = x]P
⟺ x = y ⟹ y = x
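The translation steps of slides 18 and 21, as an added example that is not part of the slides or of the book: a small pointer-logic syntax tree, the semantic translation [⋅] of Definition 3, and the [⋅]P variant of Definition 5 driven by the pure-variable set of Definition 4. The recursive rules of [⋅] (e.g. [&v] = L[v], [*p] = M[[p]], [a[i]] = M[L[a] + [i]]) are the textbook ones, which the slides state only in prose, so they are an assumption here; the formulas EX1 and EX2 are the slides' own examples encoded as tuples.

```python
# Expressions are nested tuples; identifiers are plain strings:
#   ('var', x) ('const', n) ('addr', e) ('deref', e) ('add', e1, e2)
#   ('idx', ('var', a), i) ('eq', e1, e2) ('and', f1, f2) ('imp', f1, f2)

def idents(e):
    """All identifiers (variables and array names) occurring in e."""
    if e[0] == 'var':
        return {e[1]}
    return set().union(*(idents(c) for c in e[1:] if isinstance(c, tuple)))

def impure(e):
    """Identifiers used within an argument of the '&' operator (Definition 4)."""
    if e[0] == 'addr':
        return idents(e[1])
    return set().union(*(impure(c) for c in e[1:] if isinstance(c, tuple)))

def pure(f):
    """P(f): the variables of f that never occur under '&'."""
    return idents(f) - impure(f)

def tr(e, P=frozenset()):
    """Semantic translation [e]; with P = pure(f) it is [e]_P of Definition 5."""
    k = e[0]
    if k == 'const':
        return str(e[1])
    if k == 'var':                       # [v] = M[L[v]], but a pure v stays v
        return e[1] if e[1] in P else f"M[L[{e[1]}]]"
    if k == 'addr':                      # [&v] = L[v] and [&*p] = [p]
        return f"L[{e[1][1]}]" if e[1][0] == 'var' else tr(e[1][1], P)
    if k == 'deref':                     # [*p] = M[[p]]
        return f"M[{tr(e[1], P)}]"
    if k == 'idx':                       # [a[i]] = M[L[a] + [i]]
        return f"M[L[{e[1][1]}] + {tr(e[2], P)}]"
    op = {'add': '+', 'eq': '=', 'and': '∧', 'imp': '⟹'}[k]
    return f"{tr(e[1], P)} {op} {tr(e[2], P)}"

# Slide 18's  p = &x ∧ *p = 1 ⟹ x = 1  and slide 19's  x = y ⟹ y = x.
EX1 = ('imp', ('and', ('eq', ('var', 'p'), ('addr', ('var', 'x'))),
                      ('eq', ('deref', ('var', 'p')), ('const', 1))),
              ('eq', ('var', 'x'), ('const', 1)))
EX2 = ('imp', ('eq', ('var', 'x'), ('var', 'y')), ('eq', ('var', 'y'), ('var', 'x')))

if __name__ == '__main__':
    print(tr(EX1))                          # full translation, as on slide 18
    print(pure(EX1), tr(EX1, pure(EX1)))    # p is pure: only x needs M[L[.]]
    print(tr(EX2, pure(EX2)))               # both pure: formula left untouched
```

Note that in EX1 the pointer p itself is pure (it never appears under &), so [⋅]P only translates x, which goes one step beyond the slide's x = y example.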
Reachability predicate (1/2)
Definition 6. follow_f^n(q). This stands for the pointer that is obtained by starting from q and following the field f, n times:
follow_f^0(q) := q
follow_f^(n+1)(q) := follow_f^n(q)->f
Definition 7. Reachability predicate. We call a predicate a reachability predicate if it satisfies the following two conditions:
There exists some n such that q is reachable from p by following f n times.
q is not reachable in fewer than n steps from p following f.
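The list_elem/list definitions of slide 15 and follow_f^n of Definition 6, evaluated over one concrete memory valuation M, as an added example that is not from the slides. The heap layout is constructed for the example: a node occupies two words, data at address a and the next field n at a + 1, NULL is 0, and the reachability check of Definition 7 is bounded, since the unbounded "there exists some n" is exactly the quantifier that slide 23 says makes the problem hard.

```python
NULL = 0

def follow(M, f, n, q):
    """follow_f^n(q): follow_f^0(q) = q, follow_f^(k+1)(q) = follow_f^k(q)->f.
    f is the word offset of the field; dereferencing NULL raises, as a real
    program would fault on a null pointer dereference."""
    for _ in range(n):
        if q == NULL:
            raise ValueError("null pointer dereference")
        q = M[q + f]
    return q

def list_elem(M, p, i):
    """list_elem(p, i) from slide 15, with the next field n at offset 1."""
    return follow(M, 1, i, p)

def is_list(M, p, l):
    """list(p, l) := list_elem(p, l) = NULL, i.e. an acyclic list of length l."""
    try:
        return list_elem(M, p, l) == NULL
    except ValueError:
        return False                  # the list ended before l steps

def reach(M, f, p, q, bound):
    """Definition 7 restricted to n <= bound: the least n with
    follow_f^n(p) = q, or None. A visited set makes cyclic heaps terminate
    before the bound is exhausted."""
    seen, cur = set(), p
    for n in range(bound + 1):
        if cur == q:
            return n
        if cur == NULL or cur in seen:
            return None
        seen.add(cur)
        cur = M[cur + f]
    return None

# Constructed heap: nodes at 10, 20, 30 holding data 1, 2, 3; 30->n = NULL.
ACYCLIC = {10: 1, 11: 20, 20: 2, 21: 30, 30: 3, 31: NULL}
CYCLIC = {**ACYCLIC, 31: 10}          # last node points back to the head

if __name__ == '__main__':
    print([l for l in range(5) if is_list(ACYCLIC, 10, l)])   # [3]
    print([l for l in range(5) if is_list(CYCLIC, 10, l)])    # []
    print(reach(ACYCLIC, 1, 10, 30, 10), reach(CYCLIC, 1, 10, 99, 10))
```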
Reachability predicate (2/2)
We say that a formula is a reachability predicate formula if it contains the reachability predicate. Reachability predicate formulas often have quantifiers, which make decision problems much harder. There is no automatic decision procedure for a logic that includes a reachability predicate.
Conclusion
The semantic translation not only assigns meaning to the pointer logic formulas, but also gives rise to a simple decision procedure.
Deciding pointer logic including the reachability predicate is still an open problem.