1 / 39

Techniques for proving programs with pointers

Techniques for proving programs with pointers. A. Tikhomirov. Why is it important?. Every program works not only with stack but stores intermediate data in heap and use pointers to operate with heap. Common program verification techniques couldn’t work with pointers and heap.

nizana
Download Presentation

Techniques for proving programs with pointers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Techniques for proving programs with pointers A. Tikhomirov

  2. Why is it important? • Every program works not only with stack but stores intermediate data in heap and use pointers to operate with heap. • Common program verification techniques couldn’t work with pointers and heap.

  3. John C. Reynolds, Peter O’Hearn Separation Logic

  4. Fail using Hoare Logic • Structure of Hoare Logic assignment judgment couldn't work with heap. int x = 5; int *y = &x; // *y = 5 x = 3; // *y = 3 Hoare logic doesn’t specify holding of *y FAIL

  5. Separation Logic • Representing the Heap • Assertions empty heap singleton heap separating conjunction separating implication

  6. Separation Logic • Asserts that x points to an adjacent pair of cells containing u, v (x stores address αand the heap maps αinto u and (α +1) into v)

  7. Singleton heap • Reference pointer to some cell • Asserts that x points to an adjacent pair of sells containing 1 and y.

  8. Separating conjunction • The separating conjunction constructs a heap property from two disjoint heaps

  9. Logical conjunction • Could be ambiguous in heap, x and y could be aliases ,or disjoint.

  10. Lists • List representation

  11. Frame rule • Frame rule: This rule holds as long as free variables in s not mentioned in R.

  12. Allocation • Allocation rule (local): • Allocation rule (global):

  13. Deallocation • Dispose rule (local): • Dispose rule (global):

  14. Heap write (mutation) • Mutation forward rule (local): • Mutation forward rule (global):

  15. Examples of Operational Semantics Store: [x:3, y:40, z:17] Heap: empty • Allocation x := cons(y, z) • Heap lookup y := [x+1] • Mutation [x + 1] := 3 • Deallocation dispose(x+1) Store: [x:37, y:40, z:17] Heap: [37:40, 38:17] Store: [x:37, y:17, z:17] Heap: [37:40, 38:17] Store: [x:37, y:17, z:17] Heap: [37:40, 38:3] Store: [x:37, y:17, z:17] Heap: [37:40]

  16. Example: Swap • Function in which the contents of two heap cells are swapped: t1 := [v1] t2 := [v2] [v1] := t2 [v2] := t1

  17. Example: Swap void swap (int* v1, int* v2) { t1:= [v1] t2 := [v2] [v1] := t2 [v2] := t1 } // {v1 > v1’ * v2 > v2’} // {t1 = v1’ & v1 > v1’ * v2 > v2’} // {t1 = v1’ & t2 = v2’ & v1 > v1’ * v2 > v2’} // {t1 = v1’ & t2 = v2’ & v1 > v2’ * v2 > v2’} // {t1 = v1’ & t2 = v2’ & v1 > v2’ * v2 > v1’}

  18. Example: Doubly Indirect References • Mutating the value of a double indirect reference (a pointer to a pointer):

  19. Example: Doubly Indirect References void write (int** p, int v) { t:= [p] [t] := v } // {p > w * w > —} // {p > w} Frame rule – begin // {t = w & p > w} Mutation // {t = w & p > w * w > —} Frame rule — end // {t = w & w > —} Frame rule — begin // {t = w & w > v} Mutation // {t = W & p > w * w > v} Frame rule — end // {p > w * w > v} Remove extra stack assertion

  20. Example: Doubly Indirect References • Attempting to aggressively apply Frame rule to entire block would result in a stuck proof. void write (int** p, int v) { // {p > w * w > —} // {p > w} Frame rule – begin t:= [p] // {t = w & p > w} Mutation [t] := v // {??} Stuck – no mapping for w // {t = W & p > w * w > v} Frame rule — end }

  21. Example: DeleteTree // {tree(t)} void deleteTree (t) { local i,j; if (t != nil) { i = [t] j = [t+1] deleteTree(j) deleteTree(i) dispose(t) } } // {tree(t) ^ t != nil} // {∃x,y.t > (x,y) * tree(x) * tree(y)} // {t > (i,j) * tree(i) * tree(j)} // {t > (i,j) * tree(i)} // {t > (i,j) * nil} // {emp} // {emp}

  22. Example: List reverse // {list(x)} list reverse (x) { y = nil; while (x != nil) { t := [x]; x := [y]; y := x; x := t; } return y; } // {list(x) * list(y)} // {x != nil ^ list(x) * list(y)} // {x > t ^ list(t) * list(y)} // {x > y ^ list(x) * list(y)} // {list(t) * list(x)} // {list(t) * list(y)} // {list(x) * list(y)} // {x = nil ^ list(x) * list(y)} // {list(y)}

  23. Conclusion • Extension of Hoare logic • Could use verification tools, that work with Hoare logic • For automatic proving • Assertions • Pre and post-conditions

  24. Reinhard Wilhelm, MoolySagiv, Thomas Reps Shape ANALYSIS

  25. Shape Analysis • Somewhat constrained view of programs • Static code analysis • Program verification

  26. Destructive Reverse

  27. Input to reverse • (a) lists of length at least 2 • (b) list of length 1

  28. Input to reverse • List structure of size from 0 to 4

  29. Graph interpretation • Rectangle box containing p represent pointer variable p • Ovals – abstract locations • solid – represents exactly one heap cell • dotted – represent one or more heap cells • Edge – label c between locations m and m’ • solid – c component of mwill point to m’ • dotted - c component of mmay point to m’

  30. 3-value logic • solid means “always holds” • absent means “never hold” • dotted means “don’t know”

  31. Execution states • (a) – shape arise before executing x=x->n • (b) & – (c) after executing x=x->n on shape (a)

  32. Insert algorithm • The same list structure

  33. Execution States (1) y = x; while (y->n != NULL) {y = y->n}

  34. Execution States (2) • t = malloc(); • t -> data = n

  35. Execution States (3) • e = y->n;

  36. Execution States (4) • t->n = NULL; • t->n = e;

  37. Execution States (5) • y->n = NULL;

  38. Execution States (6) • y->n = t;

  39. Conclusion • Code analysis • NULL-pointers; • May-Alias; • Must-Alias; • Sharing; • Reachability; • Disjointness; • Cyclicity; • Shape;

More Related