FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION - PowerPoint PPT Presentation

ASE 2019 FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION MARTIN NOWACK M.NOWACK@IMPERIAL.AC.UK

PROGRAMS MEMORY REPRESENTATION char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; } SYMBOLIC EXECUTION

char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; }

char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else { a[i+2] = a[i] - 2; } A I MALLOC(1024)

(DYNAMIC) SYMBOLIC EXECUTION char * a = malloc(1024); char * a = malloc(1024); int32 i = 10; int32 i = symbolic ; a[i]++; a[i]++; if (i != 12345) if (i != 12345) { { a[i-2] = a[i] * 2; a[i-2] = a[i] * 2; } else { } else { a[i+2] = a[i] - 2; a[i+2] = a[i] - 2; } }

STATE - A SIMPLIFIED VIEW ▸ Path Constraints ▸ Registers (i.e., program counter) ▸ Allocated Memory ▸ Stack-local Memory ▸ Heap

THE MANY STATES …

GOAL •Scale symbolic execution •Avoid premature termination of states •Sort/Reason about states

STATE OF THE ART Copy on Write (CoW) MALLOC(1024)

MALLOC(1024) 0 0 1 1 2 2 3 3 4 4 5 5 6 6 7 7 0 0 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 store(2, 7)

HANDLING SYMBOLICS 0 1 2 3 4 5 6 7 0 0 7 0 0 0 0 0 0 store(2, 7) store(sym, 7) load(5)

FINE-GRAINED MEMORY OBJECT REPRESENTATION

INSIGHT I: CHANGES ARE (OFTEN) SMALL; SHARE COMMON PARTS

INSIGHT II: CHANGES ARE (OFTEN) LOCAL AND OF SIMILAR TYPE

EVERYTHING IS A LAYER BASICS

EXAMPLE SCENARIO MALLOC(1024) ? ? ? ? ? S1 S2 0 0 0 0 0 S3 A Z

OPTIMISATIONS

OPTIMISATION MALLOC(1024) INDEX-BASED ACCESS Oldest ? ? ? ? ? 0 0 0 0 0 A Most recent load(2) -> A load(1) -> 0

OPTIMISATION MALLOC(1024) IN-PLACE UPDATE ? ? ? ? ? 0 0 0 0 0 A B write(2,B)

OPTIMISATION MALLOC(1024) CONDITIONAL UPDATE ? ? ? ? ? 0 0 0 0 0 write(1,0)

TEXT MALLOC(1024) LAYER INVALIDATION 0 0 0 0 0 S3 A A B B 0 D D E E S1 write(2,0)

TEXT HANDLING SYMBOLIC INDICES 3 2 A 5 2 (SYM1, 5); (SYM2; A) Symbolic index layer 7 2 5

IMPLEMENTATION

OPTIMISATION LAYER TYPES Allocated Space MALLOC(1024) ~ 10 byte ? ? ? ? ? Initialised bytes 5 4 3 2 1 sizeof() * 1bit A A Map: index -> value

EVALUATION

BENCHMARKS vs. MEMORY GNU Coreutils Search Breadth-First Depth-First Strategies Random + Target Uncovered

RQ1: CHANGES IN EXECUTION TIME

WALLTIME - DEPTH FIRST SEARCH KLEE Memory 40 30 Walltime (min) 20 10 0 Application

WALLTIME - BREADTH FIRST SEARCH KLEE Memory 40 30 Walltime (min) 20 10 0 Application

RQ2: CHANGES IN MEMORY CONSUMPTION

MEMORY USAGE - DEPTH FIRST SEARCH KLEE Memory 300 Memory Usage (MB) 225 150 75 0 Application

MEMORY USAGE - BREADTH FIRST SEARCH KLEE Memory 5000 Memory Usage (MB) 3750 2500 1250 0 Application

SUMMARY THIS RESEARCH HAS BEEN SUPPORTED BY: UK EPSRC VIA GRANT EP/ N007166/1, EP/R011605/1

TEXT OBJECT STATE HASHING HS := I 1 ⊕ V 1 ⊕ … ⊕ I n ⊕ V n HS prev 0 , 0 , 0 , 0 HS := HS prev ⊕ 0 ⊕ A A DIFFERENT STRUCTURE - SAME SEMANTIC (HS 2 == HS) A , A , A , A HS 2 := … 0 , 0 , , 0

FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION - PowerPoint PPT Presentation

ASE 2019 FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION MARTIN NOWACK M.NOWACK@IMPERIAL.AC.UK PROGRAMS MEMORY REPRESENTATION char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else {

Fine-grained Transaction Scheduling in Replicated Databases via Symbolic Execution Pedro

Hypercolumns for Object Segmentation and Fine-grained Localization Bharath Hariharan, Pablo

Fine-grained Image Recognition Lei Wang VILA group School of Computing and Information

PartNet: A Large-Scale Benchmark for Fine-Grained and Hierarchical Part-Level 3D Object

Fine-Grained Geographic Communication (Geocast) Nexus Workshop Frank Drr 23.07.2003 1

Shreds: Fine-grained Execution Units with S R D H E S Private Memory Yaohui Chen,

Finding Four-Leaf Clovers: A Benchmark for Fine-Grained Object Localization Gustavo Prez * ,

Squall: Fine-Grained Live Reconfiguration for Partitioned Main Memory Databases AARON J. ELMORE,

Communicating State Transition Systems for Fine-Grained Concurrent Resources Aleksandar Nanevski

Mechanized Verification of Fine-grained Concurrent Programs Ilya Sergey Aleks Nanevski

Parts of Speech More Fine-Grained Classes More

Fine Grained Access Control Fine-Grained Access Control Fine Grained Access Control

Fine-grained Visual Analysis: From Classification to Retrieval Yi-Zhe Song SketchX Lab, CVSSP,

3D Object Representations for Fine-Grained Categorization Jonathan Krause, Michael Stark, Jia

Dynamic Fine-Grained Scheduling for Energy-Efficient Main-Memory Queries Iraklis Psaroudakis

TRILL Fine Grained Labeling Donald Eastlake 3 rd Huawei

Addressing Inter-Class Similarity in Fine-Grained Visual Classification Abhimanyu Dubey

Fine-Grained Power Modeling for Smartphones Using System Call Tracing Based on paper and

On the Correctness Criteria of Fine-Grained Access Control in Relational Databases Qihua Wang,

Fine-Grained Access Control Fine Grained Access Control Fine-grained access control examples:

Fine Grained Coordinated Parallelism in a Real World Application Mohammad Rezaei, PhD June 2012

Mesos A Platform for Fine-Grained Resource Sharing in the

Enhancing Fine- Grained Parallelism Loop vectorization, Loop distribution, Scalar expansion

Fine-Grained Tracking of Grid Infections Ashish Gehani SRI Basim Baig, Salman Mahmood, Dawood