From Pointer Systems to Counter Systems using Shape Analysis Arnaud - PowerPoint PPT Presentation

From Pointer Systems to Counter Systems using Shape Analysis Arnaud Sangnier EDF R&D, LSV, ENS Cachan & CNRS joint work with: S´ ebastien Bardin, Alain Finkel, Etienne Lozes LSV, ENS Cachan & CNRS ACI S´ ecurit´ e Informatique - 13th March 2006 1

Motivation (I) Cheking safety properties on systems manipulating dynamic linked lists List reverse(List x) { List y,t; void deleteAll(List x) { y =NULL; List elem; while (x!=NULL) { while (x!=NULL) { t=y; elem=x; y=x; x=x->n; x=x->n; elem->n=NULL; y->n=t; free(elem); t=NULL; } } } return y; } 2 Introduction

Motivation (II) We manipulate pointer variables + memory heap Memory heap = collection of memory cells A memory cell contains : data or address x 2 1 3 NULL data address 3 Introduction

Motivation (III) Properties Absence of memory violation (Segmentation fault) Absence of memory leak Qualitative properties on the memory heap (shape analysis) Ex: The reverse function returns an acyclic list. Quantitative properties on the memory heap Ex: The reverse function returns a list of the same size as the input list. 4 Introduction

Existing tools TVLA [Sagiv, Reps, Wilhelm 2002] Abstract interpretation The user has to provide control predicates PALE [Moller, Schwartzbach 2001] Models the heap with a decidable monadic second order logic The user has to annotate the program Smallfoot [Berdine, Calcagno, O’Hearn 2005] Checks separation logic specifications 5 Introduction

Symbolic methods [Bardin, Finkel, Nowak 2004] Symbolic representation of the memory heap using graphs Were looking for an acceleration technique [Bouajjani, Habermehl, Moro, Vojnar 2005] Abstract regular model checking Regular expressions represent the memory heap [Bozga, Iosif 2005] Alias logic with counters 6 Introduction

Our contribution Modeling the memory heap using counters Translate the actions of the program into actions on the counters Propose a two-step analysis procedure 7 Introduction

Outline Models 1 Symbolic Computation 2 Translation 3 Analysis 4 Conclusion 5 8 Introduction

Models and Systems A system model M = ( D , G , A ) where D is an infinite set of data G ⊆ 2 D is a set of guards A ⊆ D D is a set of actions A system A system S = ( Q , δ ) in M = ( D , G , A ) with Q is a finite set of control states δ ⊂ Q × G × A × Q is a transition relation. Semantics of a system A transition system TS ( S ) = ( Q × D , → ) where →⊆ ( Q × D ) 2 is defined as ( q , d ) → ( q ′ , d ′ ) iff ∃ g , a such that ( q , g , a , q ′ ) ∈ δ , d ∈ g and a ( d ) = d ′ 9 Models

Modeling the memory heap Memory graph ( N , next , var ) [BFN 04] N is a finite set of nodes with { z , p , r } ⊂ N next : N → N is a function such that : next − 1 ( { r } ) = { z , p , r } var : N → 2 V is such that { var ( n ) } n ∈ N forms a partition of the set of pointer variables V { x } n 2 { y } n 1 N = { n 1 , n 2 , z , p , r } next ( n 1 ) = next ( n 2 ) = z { t } p z var ( n 1 ) = { y } , var ( n 2 ) = { x } , var ( p ) = { t } r 10 Models

Pointer systems The pointer model Data are memory graphs Syntax of guards : g ::= True | IsNull ( x ) | ¬ IsNull ( x ) | ... Syntax of actions : a ::= x := E | x . s := E | x := new | free ( x ) | nop where E is either null , or x or x . s . 11 Models

A pointer system The program deleteAll that deletes all the elements of a list IsNull ( x ) ֒ → nop 1 5 void deleteAll(List x) { List elem; ¬ IsNull ( x ) ֒ → elem := x while (x!=NULL) { 2 elem=x; x=x->n; free ( elem ) x := x . s elem->n=NULL; 3 free(elem); } elem . s := null } 4 12 Models

Deciding memory problems Definition [Memory violation] A memory graph has a memory violation if var ( r ) � = ∅ Definition [Memory leakage] A memory graph has a memory leakage if N contains at least one node not reachable from a node labeled by a variable. Theorem [BFN 04] The reachability of memory leakage and of memory violation are undecidable problems for pointer systems with at least 3 pointer variables. 13 Models

Counter systems The counter model ; Data are vectors of N K ( K is a finite set of counters) Guards are Presburger formulae interpreted in N K Actions are linear functions in N K We can use the tool FAST ([Bardin, Finkel, Leroux, Petrucci 2003]) to analyze counter systems: Symbolic verification of counter system terminates often in practice 14 Models

Outline Models 1 Symbolic Computation 2 Translation 3 Analysis 4 Conclusion 5 15 Symbolic Computation

Memory shapes { x } { y } p { t } z r Memory graph 16 Symbolic Computation

Memory shapes Compression of irrelevant nodes { x } { y } p { t } z r Memory graph 16 Symbolic Computation

Memory shapes Compression of irrelevant nodes { x } { x } { y } { y } p { t } p { t } z z r r Memory graph Memory shape 16 Symbolic Computation

Memory shapes Compression of irrelevant nodes Labeling with strictly positive counters { x } { x } k 1 { y } { y } k 2 p { t } p { t } z z r r Memory graph Memory shape 16 Symbolic Computation

Memory shapes Compression of irrelevant nodes Labeling with strictly positive counters { x } { x } k 1 { y } { y } k 2 p { t } p { t } z z k 1 = 2 k 2 = 1 r r Memory graph Memory shape A memory shape + a counter valuation = a unique memory graph (without memory leakage) 16 Symbolic Computation

Memory shapes Compression of irrelevant nodes Labeling with strictly positive counters Two special memory shapes: MemLeak and SegF { x } { x } k 1 { y } { y } k 2 p { t } p { t } z z k 1 = 2 k 2 = 1 r r Memory graph Memory shape A memory shape + a counter valuation = a unique memory graph (without memory leakage) 16 Symbolic Computation

Properties of memory shapes We consider a finite set of pointer variables V . Number of counters The number of counters in a memory shape is bounded by 2 . | V | . Number of memory shapes The number of memory shapes built over V is bounded by 2 . | V | (3 . | V | ) . Equality test Testing equality of two memory shapes can be done in linear time. 17 Symbolic Computation

Symbolic computation on memory shapes (I) Effect of the action x . s := y on the memory shape MS 1 { x } k3 k1 k2 { y } z N p N r N MS 1 18 Symbolic Computation

Symbolic computation on memory shapes (I) Effect of the action x . s := y on the memory shape MS 1 { x } k3 k1 z N p N { x } { y } k 3 = 1? k3 k1 k2 { y } z N p N r N [ k 1 := k 2 + k 1, k 2 := 0] r N MS 1 18 Symbolic Computation

Symbolic computation on memory shapes (I) Effect of the action x . s := y on the memory shape MS 1 { x } k3 k1 z N p N { x } { y } k 3 = 1? k3 k1 k2 { y } z N p N r N [ k 1 := k 2 + k 1, k 2 := 0] r N MS 1 k 3 > 1? MemLeak 18 Symbolic Computation

Symbolic computation on memory shapes (II) The symbolic function TEST Decides whether a memory shape satisfies a pointer guard (ie all the underlying memory graphs for any valuation satisfy it). The symbolic function POST Produces, from a given memory shape and a pointer action, the set { ( φ i , f i , MS i ) } of all possible issues (the φ i ’s are Presburger formulae and the f i ’s are linear functions) 19 Symbolic Computation

Outline Models 1 Symbolic Computation 2 Translation 3 Analysis 4 Conclusion 5 20 Translation

Building of the counter system To each control state of the counter system we associate a memory shape and a control state of the pointer system IsNull ( x ) ֒ → nop 1 5 A 1 ¬ IsNull ( x ) ֒ → elem := x k = 1? 2 B 2 C 3 D 4 E 1 F 5 free ( elem ) x := x . s l = 1?[ l := 0] k > 1?[ l := 1, k := k − 1] 3 G 3 elem . s := null l > 1? H 4 I 1 4 21 Translation

Building of the counter system To each control state of the counter system we associate a memory shape and a control state of the pointer system IsNull ( x ) ֒ → nop 1 5 A 1 ¬ IsNull ( x ) ֒ → elem := x k = 1? 2 B 2 C 3 D 4 E 1 F 5 free ( elem ) x := x . s l = 1?[ l := 0] k > 1?[ l := 1, k := k − 1] 3 G 3 elem . s := null l > 1? H 4 I 1 4 { x } k { elem } { t } z p r 21 Translation

Building of the counter system To each control state of the counter system we associate a memory shape and a control state of the pointer system IsNull ( x ) ֒ → nop 1 5 A 1 ¬ IsNull ( x ) ֒ → elem := x k = 1? 2 B 2 C 3 D 4 E 1 F 5 free ( elem ) x := x . s l = 1?[ l := 0] k > 1?[ l := 1, k := k − 1] 3 G 3 elem . s := null l > 1? H 4 I 1 4 { elem } { x } k { t } z p r 21 Translation

Building of the counter system To each control state of the counter system we associate a memory shape and a control state of the pointer system IsNull ( x ) ֒ → nop 1 5 A 1 ¬ IsNull ( x ) ֒ → elem := x k = 1? 2 B 2 C 3 D 4 E 1 F 5 free ( elem ) x := x . s l = 1?[ l := 0] k > 1?[ l := 1, k := k − 1] 3 G 3 elem . s := null l > 1? H 4 I 1 4 { elem } k { x } { t } z p r 21 Translation

Building of the counter system To each control state of the counter system we associate a memory shape and a control state of the pointer system IsNull ( x ) ֒ → nop 1 5 A 1 ¬ IsNull ( x ) ֒ → elem := x k = 1? 2 B 2 C 3 D 4 E 1 F 5 free ( elem ) x := x . s l = 1?[ l := 0] k > 1?[ l := 1, k := k − 1] 3 G 3 elem . s := null l > 1? H 4 I 1 4 l { x } { elem } k { t } z p r 21 Translation