TVLA for System Code
Jörg Kreiker, Helmut Seidl, Vesal Vojdani
TU Munich
Dagstuhl, July 2009
Motivation
[Figure: active objects i-1, i, i+1, each a record with data, list and queue components; the list components link the active objects, the queue components form the cleanup queue; detached records are garbage]
  struct node { t data; struct hlist_node list; struct list_head queue; }
  struct hlist_node { struct hlist_node *next; struct hlist_node **pprev; }
• overlapping, embedded records
• UP (container_of, offset)
• pointers to pointer
• &x->s, &x, *x = y, …
• inspired by race detection
• properties:
  • privatization: make data thread-local
  • cleanup queue needs no lock
  • unless there are two
• reachability with and without UP
Fine-grained memory model
• TVLA
  • node : record
  • edge : dereferenced pointer-valued component
• Fine-grained model
  • node : record component
  • edge : dereferencing
  • predicates: Var + Sel + *
  • predicate transformers only for *
Example
• standard list (3 elements)
[Figure: fine-grained graph of a 3-element standard list: variable x, one node per record component, next components joined by * edges]
• hlist_node
[Figure: fine-grained graph of a 3-element hlist: next and pprev components joined by * edges; one record expanded into its list (next, pprev), queue (next, prev) and data components]
TVLA example
• indirect element deletion
  for (lpp = &x; *lpp != NULL; lpp = &(*lpp)->next)
    if ((*lpp)->data % 13 == 0) {
      *lpp = (*lpp)->next;
      break;
    }
[Figure: fine-grained graph of the list x before deletion: next components joined by * edges]
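The loop on the slide is the classic pointer-to-pointer idiom: lpp never points at a node but at the slot that holds a node pointer (first the variable x, then each node's next field), so the head is unlinked by the same assignment as any other element. The following is an added, self-contained C version of that loop (example code written for this page, not the authors' TVLA input); the struct item type, the build and sum helpers and the sample data {13, 5, 26, 7} are all constructed here, and deletion frees the unlinked node, which the slide leaves implicit.

```c
#include <stdlib.h>

/* Singly-linked list element, constructed for this example
 * (the slide's loop only assumes fields `data` and `next`). */
struct item {
    int data;
    struct item *next;
};

/* Indirect element deletion, as in the slide's loop: lpp ranges over the
 * slots that hold node pointers (first the variable x itself, then each
 * node's next field), so unlinking never needs a special case for the
 * head.  Only the first multiple of 13 is removed (the slide breaks after
 * one deletion).  Returns 1 if an element was removed, 0 otherwise. */
int delete_first_multiple_of_13(struct item **x)
{
    struct item **lpp;
    for (lpp = x; *lpp != NULL; lpp = &(*lpp)->next) {
        if ((*lpp)->data % 13 == 0) {
            struct item *victim = *lpp;
            *lpp = victim->next;  /* the slot now skips the victim */
            free(victim);
            return 1;
        }
    }
    return 0;
}

/* Build a list from an array, again through a pointer-to-pointer tail. */
struct item *build_list(const int *vals, int n)
{
    struct item *head = NULL;
    struct item **tail = &head;
    for (int i = 0; i < n; i++) {
        struct item *it = malloc(sizeof *it);
        if (it == NULL)
            break;  /* out of memory: keep what was built so far */
        it->data = vals[i];
        it->next = NULL;
        *tail = it;
        tail = &it->next;
    }
    return head;
}

/* Sum of all data fields (0 for the empty list). */
int list_sum(const struct item *p)
{
    int s = 0;
    for (; p != NULL; p = p->next)
        s += p->data;
    return s;
}

int list_length(const struct item *p)
{
    int n = 0;
    for (; p != NULL; p = p->next)
        n++;
    return n;
}

void free_list(struct item *p)
{
    while (p != NULL) {
        struct item *next = p->next;
        free(p);
        p = next;
    }
}

/* Worked run on constructed data {13, 5, 26, 7}: the first call removes
 * the head itself (13), the second removes 26, the third finds nothing.
 * Returns the sum remaining after the deletions: 5 + 7 = 12. */
int run_example(void)
{
    int vals[] = { 13, 5, 26, 7 };
    struct item *x = build_list(vals, 4);
    int removed = delete_first_multiple_of_13(&x); /* removes 13, head moves */
    removed += delete_first_multiple_of_13(&x);    /* removes 26 */
    removed += delete_first_multiple_of_13(&x);    /* nothing left to remove */
    int sum = (removed == 2) ? list_sum(x) : -1;
    free_list(x);
    return sum;
}
```

The point for an analysis like the one on the slides is that the store `*lpp = (*lpp)->next` writes through a pointer to a pointer: depending on the iteration it updates either the variable x or some node's next component, which is exactly why the fine-grained model treats variables and record components uniformly as nodes.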
Coarse-grained model
• Coarse-grained
  • one node per struct
  • edge : dereference + source + target component
  • predicates : Var[π] + *[π1, π2]
Example
• fine:
[Figure: one node per record component (data, list, queue) for each of three records, joined by * edges]
• coarse:
[Figure: one node per struct, with edges labelled *[first,list], *[list.next,list] and *[list.pprev,list.next]]
TVLA example
• delete element from hlist
  n = t->next;
  p = t->prev;
  *p = n;
  if (n) n->prev = p;
[Figure: fine-grained graph of the hlist x before deletion: next and pprev components joined by * edges]
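The four statements on the slide are the whole of hlist deletion: because each node's back link is a pointer to the slot that points at it (the pprev of struct hlist_node; the slide writes it as prev), unlinking writes through that slot and the first element needs no special case. The following added C example (written for this page, not the authors' code or the Linux kernel's) builds the record layout from the Motivation slide with an embedded hlist_node and list_head, implements insertion, the slide's deletion, the UP cast via a container_of macro (assumed to use offsetof as in the slide's "offset" remark), and a check of the pprev invariant; the data values 1, 2, 3 are constructed for the run.

```c
#include <stddef.h>

/* Linux-style intrusive hash-list node, laid out as on the slides:
 * next points to the following node, pprev to the *slot* (head->first
 * or the previous node's next field) that currently points to this node. */
struct hlist_node {
    struct hlist_node *next;
    struct hlist_node **pprev;
};

struct hlist_head {
    struct hlist_node *first;
};

/* Doubly-linked queue link, embedded alongside the hlist link as in the
 * slides' struct node; declared to show the record layout, not operated
 * on in this example. */
struct list_head {
    struct list_head *next, *prev;
};

/* The enclosing record: the slides' placeholder type t is an int here. */
struct node {
    int data;
    struct hlist_node list;
    struct list_head queue;
};

/* The "UP" operation of the slides: from the address of an embedded
 * component back to the record that contains it. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first)
        first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* Deletion as on the slide (back link named pprev): the slot that pprev
 * refers to is overwritten directly, so no head pointer or predecessor
 * node has to be looked up. */
void hlist_del(struct hlist_node *t)
{
    struct hlist_node *n = t->next;
    struct hlist_node **p = t->pprev;
    *p = n;
    if (n)
        n->pprev = p;
    t->next = NULL;   /* leave the unlinked node in a recognisable state */
    t->pprev = NULL;
}

/* Sum of the data fields of all records reachable from h, walking the
 * embedded links and casting UP to the record each time. */
int hlist_sum(const struct hlist_head *h)
{
    int sum = 0;
    for (struct hlist_node *pos = h->first; pos != NULL; pos = pos->next)
        sum += container_of(pos, struct node, list)->data;
    return sum;
}

/* The invariant a shape analysis of this structure has to track: every
 * node's pprev refers to exactly the slot that holds the pointer to it. */
int hlist_well_formed(struct hlist_head *h)
{
    struct hlist_node **slot = &h->first;
    for (struct hlist_node *pos = h->first; pos != NULL; pos = pos->next) {
        if (pos->pprev != slot)
            return 0;
        slot = &pos->next;
    }
    return 1;
}

/* Worked run on constructed records with data 1, 2, 3: pushed at the head
 * (so the list reads 3, 2, 1), then the middle element is deleted.
 * Returns the remaining sum (3 + 1 = 4), or -1 if the invariant broke. */
int run_example(void)
{
    struct hlist_head h = { NULL };
    struct node a = { .data = 1 }, b = { .data = 2 }, c = { .data = 3 };
    hlist_add_head(&a.list, &h);
    hlist_add_head(&b.list, &h);
    hlist_add_head(&c.list, &h);
    hlist_del(&b.list);
    if (!hlist_well_formed(&h))
        return -1;
    return hlist_sum(&h);
}
```

Everything the Motivation slide lists shows up in this code: records with two embedded link structures, the UP cast from a link back to its record, a pointer-to-pointer field, and the address-of-component expressions &n->next and &h->first stored into pprev. In the coarse-grained model the edge written by `*p = n` is the *[list.pprev, list.next] predicate of the Example slide; hlist_well_formed is the concrete check that those edges are consistent with the next edges.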
Some related work
• Calcagno et al.: Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic, SAS 2006
• Berdine et al.: Shape Analysis for Composite Data Structures, CAV 2007
• Yang et al.: Scalable Shape Analysis for Systems Code, CAV 2008
• Chatterjee et al.: A Reachability Predicate for Analyzing Low-Level Software, TACAS 2007
• Gulwani, Tiwari: An Abstract Domain for Analyzing Heap-Manipulating Low-Level Software, CAV 2007
• Gulwani et al.: A Combination Framework for Tracking Partition Sizes, POPL 2009
Conclusion
• fine/coarse:
  • reachability with/without UP
• Case study: one or two lists visible
• conservative add-on, exploit existing knowledge
• useful for subtle race detection
• able to deal with
  • overlapping, embedded records
  • deep sharing and update
  • UP
  • &x->s, *x = y, …