Beyond Reachability: Shape Abstraction in the presence of Pointer Arithmetic Hongseok Yang (Queen Mary, University of London) (Joint work with Dino Distefano, Cristiano Calcagno and Peter O’Hearn)
Dream
Automatically verify the memory safety of systems code, such as device drivers and memory managers.
Challenges:
• Pointer arithmetic.
• Scalability.
• Concurrency.
Our Analyzer
• Handles programs for dynamic memory management.
• Experimental results (Pentium 1.6GHz, 512MB): (results table not captured) Found a hidden assumption of the K&R memory manager. These are “fixed” versions. Proved memory safety and even partial correctness.
Hidden Assumption in K&R Malloc/Free (figure: memory layout from address 0 to 2^20 showing the Heap, Global Vars and Stack regions)
Sample Analysis Result
Program: ans = malloc_bestfit_acyclic(n);
Precondition: n ≥ 2 ∧ mls(freep,0)
Postcondition: (ans=0 ∧ n ≥ 2 ∧ mls(freep,0)) ∨ (n ≥ 2 ∧ nd(ans,q’,n) * mls(freep,0)) ∨ (n ≥ 2 ∧ nd(ans,q’,n) * mls(freep,q’) * mls(q’,0))
Rice’s Theorem: determining any nontrivial property of programs is not decidable.
Multiword Lists (figure: free list lp = 2 → 15 → 18 → 24 → nil; the first word of each block is the Link Field and the second word is the Size Field; the blocks at 2, 15, 18 and 24 have sizes 3, 3, 5 and 2)
Coalescing
p = lp;
while (p != 0) {
  local q = *p;
  if (p + *(p+1) == q) {
    *(p+1) = *(p+1) + *(q+1);
    *p = *q;
  } else {
    p = q;
  }
}
(figure, stepping through the list lp = 2 → 15 → 18 → 24 → nil with sizes 3, 3, 5, 2: the block at p = 2 is not adjacent to 15, so p moves to 15; since 15 + 3 = 18 = q, the size at 15 becomes 3 + 5 = 8 and then the link at 15 becomes 24, leaving 2 → 15 → 24 → nil with sizes 3, 8, 2; p then advances to 24 and finally p = 0)
Nodeful High-level View → Nodeless Low-level View → Nodeful High-level View. Complex numerical relationships are used only for reconstructing a high-level view.
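The coalescing loop above, run on the figure’s free list as an added example (not code from the slides or the analyzer). The heap is a constructed array of words indexed by address, with each block’s link and size in its first two words, and check_mls is a hypothetical runtime check of the nodeful view mls(lp,0) that the analysis establishes statically: every node fits in the heap and no two blocks overlap.

```c
/* Constructed heap: a flat array of words addressed by index. A free block at
 * address p keeps its link in mem[p] and its size in mem[p+1]; 0 is nil. */
#define HEAP_WORDS 32

/* The slide's coalescing loop: if the block at p ends where successor q begins,
 * absorb q into p and re-examine p. */
static void coalesce(int *mem, int lp) {
    int p = lp;
    while (p != 0) {
        int q = mem[p];                            /* local q = *p */
        if (p + mem[p + 1] == q) {                 /* p + *(p+1) == q */
            mem[p + 1] = mem[p + 1] + mem[q + 1];  /* *(p+1) += *(q+1) */
            mem[p] = mem[q];                       /* *p = *q */
        } else {
            p = q;
        }
    }
}

/* Runtime check of the nodeful view mls(lp,0): each node fits in the heap, has
 * its two header words, and addresses strictly increase (no overlap, no cycle).
 * Returns the node count, or -1 if the list is malformed. */
static int check_mls(const int *mem, int lp, int heap_words) {
    int count = 0, last_end = 0;
    for (int p = lp; p != 0; p = mem[p]) {
        if (p < last_end || p + 1 >= heap_words) return -1;
        int size = mem[p + 1];
        if (size < 2 || p + size > heap_words) return -1;
        last_end = p + size;
        count++;
    }
    return count;
}

/* The figure's list: lp = 2 -> 15 -> 18 -> 24 -> nil, sizes 3, 3, 5, 2. */
static int build_slide_list(int *mem) {
    for (int i = 0; i < HEAP_WORDS; i++) mem[i] = 0;
    mem[2] = 15;  mem[3] = 3;    mem[15] = 18; mem[16] = 3;
    mem[18] = 24; mem[19] = 5;   mem[24] = 0;  mem[25] = 2;
    return 2;
}

/* Coalesces the figure's list; returns the merged size at 15+1 (8), or -1 if
 * the list fails check_mls before (4 nodes) or after (3 nodes) coalescing. */
int run_example(void) {
    int mem[HEAP_WORDS];
    int lp = build_slide_list(mem);
    if (check_mls(mem, lp, HEAP_WORDS) != 4) return -1;
    coalesce(mem, lp);
    if (check_mls(mem, lp, HEAP_WORDS) != 3) return -1;
    return mem[16];
}
```

Only the blocks at 15 and 18 are adjacent (15 + 3 = 18), so the list shrinks from four nodes to three and the merged block has size 8.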
Separation Logic
• blk(p+2,p+5) (figure: the cells between addresses p+2 and p+5)
• nd(p,q,5) =def (p ↦ q) * (p+1 ↦ 5) * blk(p+2,p+5) (figure: a node at p whose link field holds q and whose size field holds 5)
• mls(p,q) (figure: a multiword list segment from p to q)
Program Analysis
Collecting, approximate execution of programs that always terminates.
while(x < y) { x = x+1; }
(figure: concrete states such as x:1,y:2 and x:2,y:4 are abstracted to x:+,y:+; inside the loop body the analysis carries x:+,y:+,x<y and at the loop exit x:+,y:+,x>=y; the concrete exit states x:2,y:2 and x:4,y:4 are both covered by x:+,y:+)
Our Analysis
Nodeful View: P(CanSymH). Nodeless View: P(SymH).
while(B) { C; }
(diagram: {Q1, Q2, …, Qn} in the nodeful view → Rearrangement → {T1, T2, …, Tn} in the nodeless view → Sym. Execution → {T’1, T’2, …, T’m} → Abstraction → {Q’1, Q’2, …, Q’m} back in the nodeful view)
Example of rearrangement: nd(x,y,z) * mls(y,0) becomes y=x+z ∧ x ↦ y * x+1 ↦ z * blk(x+2,0) * mls(y,0)
Abstraction Function Abs
Abs : SymH → CanSymH
• Package all nodes.
• Drop numerical relationships.
• Combine two connected multiword lists.
Example:
(5 ≤ x+x ∧ p+3=z’) ∧ (p ↦ q’ * p+1 ↦ 3 * blk(p+2,z’) * mls(q’,0))
(package all nodes) (5 ≤ x+x ∧ p+3=z’) ∧ (nd(p,q’,3) * mls(q’,0))
(drop numerical relationships) nd(p,q’,3) * mls(q’,0)
(combine two connected multiword lists) mls(p,0)
Coalescing …
Loop invariant: mls(lp,p) * mls(p,0)
while (p!=0) { local q = *p; if (p + *(p+1) == q) { *(p+1) = *(p+1) + *(q+1); *p = *q; } else { p = *p; } }
Symbolic execution of one iteration of the then-branch:
p!=0 ∧ mls(lp,p) * p ↦ q,s’ * blk(p+2,p+s’) * mls(q,0)
p!=0 ∧ p+s’=q ∧ mls(lp,p) * p ↦ q,s’ * blk(p+2,p+s’) * mls(q,0)
p!=0 ∧ p+s’=q ∧ mls(lp,p) * p ↦ q,s’+t’ * blk(p+2,p+s’) * q ↦ r’,t’ * blk(q+2,q+t’) * mls(r’,0)
p!=0 ∧ p+s’=q ∧ mls(lp,p) * p ↦ r’,s’+t’ * blk(p+2,p+s’) * q ↦ r’,t’ * blk(q+2,q+t’) * mls(r’,0)
Abstraction back to the nodeful view:
p!=0 ∧ p+s’=q’ ∧ mls(lp,p) * p ↦ r’,s’+t’ * blk(p+2,p+s’) * q’ ↦ r’,t’ * blk(q’+2,q’+t’) * mls(r’,0)
p!=0 ∧ p+s’=q’ ∧ mls(lp,p) * p ↦ r’,s’+t’ * blk(p+2,p+s’) * nd(q’,r’,t’) * mls(r’,0)
p!=0 ∧ p+s’=q’ ∧ mls(lp,p) * nd(p,r’,s’+t’) * mls(r’,0)
mls(lp,p) * nd(p,r’,s’+t’) * mls(r’,0)
mls(lp,p) * mls(p,0)
Soundness Analysis results can be compiled into separation-logic proofs.
Conclusion: Analysis Design
• Pick a class of target programs.
• Observe properties of target programs.
• Design a computable approximate semantics.