shape analysis via symbolic memory graphs and conversion
play

Shape Analysis via Symbolic Memory Graphs and Conversion from - PowerPoint PPT Presentation

May 10, 2023 •16 likes •516 views

Shape Analysis via Symbolic Memory Graphs and Conversion from Pointers to Containers Kamil Dudka Luk a s Hol k Petr Peringer Marek Trt k Tom a s Vojnar Brno University of Technology, Czech Republic Dagstuhl, 2/11/2015

  1. Shape Analysis via Symbolic Memory Graphs and Conversion from Pointers to Containers Kamil Dudka Luk´ aˇ s Hol´ ık Petr Peringer Marek Trt´ ık Tom´ aˇ s Vojnar Brno University of Technology, Czech Republic Dagstuhl, 2/11/2015

  2. Shape Analysis via Symbolic Memory Graphs [Dudka, Peringer, V., SAS’13] Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 2 / 25

  3. 2+ DLS size (ptr), Symbolic Memory Graphs (SMGs) An example of a kernel-style linked list used in Linux: list_head custom_record hfo nfo pfo next next next ... prev prev prev Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 3 / 25

  4. Symbolic Memory Graphs (SMGs) An example of a kernel-style linked list used in Linux: list_head custom_record hfo nfo pfo next next next ... prev prev prev An SMG describing the data structure above: 0,reg 0,ptr hfo,fst nfo,ptr 2+ DLS pfo,ptr hfo,lst size (ptr), ptr Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 3 / 25

  5. Symbolic Memory Graphs (SMGs) An example of a kernel-style linked list used in Linux: list_head custom_record hfo nfo pfo next next next ... prev prev prev An SMG describing the data structure above: 0,reg 0,ptr hfo,fst nfo,ptr 2+ DLS pfo,ptr hfo,lst size (ptr), ptr SMGs are directed graphs consisting of: ◮ objects (allocated space) and values (addresses, integers), ◮ has-value and points-to edges. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 3 / 25

  6. SMGs: Labelling of Objects (1/2) 0,reg 0,ptr hfo,fst nfo,ptr 2+ DLS pfo,ptr hfo,lst size (ptr), ptr Objects are further divided into: ◮ regions, i.e., individual blocks of memory, ◮ optional regions, i.e., a region or NULL, ◮ doubly-linked list segments (DLSs), ◮ singly-linked list segments (SLSs), Each object has some (constant) size in bytes and a validity flag. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 4 / 25

  7. SMGs: Labelling of Objects (2/2) Each DLS is given by a head, next, and prev field offset. list_head custom_record hfo nfo pfo next next next ... prev prev prev DLSs can be of length: ◮ N + for any N ≥ 0 or ◮ 0 or 1. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 5 / 25

  8. SMGs: Labelling of Objects (2/2) Each DLS is given by a head, next, and prev field offset. list_head custom_record hfo nfo pfo next next next ... prev prev prev DLSs can be of length: ◮ N + for any N ≥ 0 or ◮ 0 or 1. Nodes of DLSs can point to objects that are: ◮ shared: each node points to the same object, or ◮ nested: each node points to a separate copy of the object. • Implemented by tagging objects by their nesting level. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 5 / 25

  9. SMGs: Has-Value and Points-To Edges Memory SMG region 1 region 2 region 1 region 2 o ff set 1 , ptr o ff set 2 , reg o ff set 1 o ff set 2 a 1 size =size 1 size 2 size =size 2 size 1 a 1 has-value points-to edge edge Has-value edges – from objects to values, labelled by: ◮ field offset, ◮ type of the value stored in the field. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 6 / 25

  10. SMGs: Has-Value and Points-To Edges Memory SMG region 1 region 2 region 1 region 2 o ff set 1 , ptr o ff set 2 , reg o ff set 1 o ff set 2 a 1 size =size 1 size 2 size =size 2 size 1 a 1 has-value points-to edge edge Has-value edges – from objects to values, labelled by: ◮ field offset, ◮ type of the value stored in the field. Points-to edges – from values (addresses) to objects, labelled by: ◮ target offset, ◮ target specifier: first/last/each node of a DLS, • specifier each node: used for back-links from nested objects. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 6 / 25

  11. SMGs: Join Operator Traverses two SMGs and tries to join simultaneously encountered objects. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 7 / 25

  12. SMGs: Join Operator Traverses two SMGs and tries to join simultaneously encountered objects. Objects being joined must be locally compatible (same size, nesting level, DLS linking offsets, ...). Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 7 / 25

  13. SMGs: Join Operator Traverses two SMGs and tries to join simultaneously encountered objects. Objects being joined must be locally compatible (same size, nesting level, DLS linking offsets, ...). DLSs join with regions or DLSs. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 7 / 25

  14. SMGs: Join Operator Traverses two SMGs and tries to join simultaneously encountered objects. Objects being joined must be locally compatible (same size, nesting level, DLS linking offsets, ...). DLSs join with regions or DLSs. If the above fails, try to insert a DLS of length 0+ into one of the SMGs. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 7 / 25

  15. SMGs: Entailment Checking The join of SMGs is re-used: G 1 ⊑ G 2 tested by computing G 1 ⊔ G 2 while checking that G 1 consists of less general objects. 2+ 0+ 1+ 0+ Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 8 / 25

  16. SMGs: Abstraction Collapsing uninterrupted sequences of compatible objects (same size, nesting level, field offsets, ...) into DLSs. Uses join of the sub-SMGs under the nodes to be collapsed to see whether they are compatible too. 0+ 0+ 0+ 1+ 0+ Distinguishes cases of shared and private sub-SMGs. Heuristic control of the choice of sequences to collapse: ◮ ratio of loss of precision and number of collapsed objects. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 9 / 25

  17. Predator : An Analyser Based on SMGs

  18. Predator: An Overview An analyser based on SMGs. In addition to the basic features of SMGs, with a (partial) support of: ◮ pointer arithmetics, address alignment, ◮ interval-based pointers, interval-sized objects, ◮ block operations, re-intepretation of nullified blocks. Verification of low-level system code (such as Linux kernel) that manipulates dynamic data structures. Proving absence of memory safety errors (invalid dereferences, buffer overruns, memory leaks, ...). Implemented as an open source GCC plug-in: http://www.fit.vutbr.cz/research/groups/verifit/tools/predator Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 11 / 25

  19. From Pointers to (List) Containers [Dudka, Hol´ ık, Peringer, Trt´ ık, V., VMCAI’16]

  20. From Pointers to Containers: The Goal typedef struct SNode { int x; struct SNode *f; struct SNode *b; } Node; # define NEW(T) (T*)malloc( sizeof (T)) 1 Node *h=0, *t=0; list<Node> L; 2 while (nondet()) { while (nondet()) { 3 Node *p=NEW(Node); Node *p=L.push_back(); 4 if (h==NULL) 5 h=p; 6 else 7 t->f=p; 8 p->f=NULL; 9 p->x=0; p->x=0; 10 p->b=t; 11 t=p; 12 } } ... ... 13 while (t) { while (!L.empty()) 14 Node *p=t->b; L.pop_back(); 15 if (p) p->n=NULL; 16 else h=NULL; 17 free(t); 18 t=p; 19 } Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 13 / 25

  21. From Pointers to Containers: Motivation Recognition of containers and container operations has many applications: automatic parallelization, profiling and optimization, fault tolerance, program signatures for detection of plagiarism or malware, program understanding, debugging and automatic bug finding, Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 14 / 25

  22. From Pointers to Containers: Motivation Recognition of containers and container operations has many applications: automatic parallelization, profiling and optimization, fault tolerance, program signatures for detection of plagiarism or malware, program understanding, debugging and automatic bug finding, simplification of program verification, ◮ separation of pointer and non-pointer analyses. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 14 / 25

  23. From Pointers to Containers: Motivation Recognition of containers and container operations has many applications: automatic parallelization, profiling and optimization, fault tolerance, program signatures for detection of plagiarism or malware, program understanding, debugging and automatic bug finding, simplification of program verification, ◮ separation of pointer and non-pointer analyses. So far done via unsound dynamic approaches, possibly with human help. Dudka, Hol´ ık, Peringer, Trt´ ık, Vojnar SMGs for going from Pointers to Containers 14 / 25

Recommend

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

412 views • 24 slides
Symbolic Memory Graphs invariant and corresponding optimizations for SMGCPA Anton Vasilyev

Symbolic Memory Graphs invariant and corresponding optimizations for SMGCPA Anton Vasilyev

Symbolic Memory Graphs invariant and corresponding optimizations for SMGCPA Anton Vasilyev Ivannikov Institute for System Programming of the RAS Symbolic Memory Graph void main() { S t a c k void *array; # 1 : v o i d m a i n

289 views • 16 slides
Symbolic Shape Analysis Thomas Wies University of Freiburg, Germany Motivation class

Symbolic Shape Analysis Thomas Wies University of Freiburg, Germany Motivation class

Symbolic Shape Analysis Thomas Wies University of Freiburg, Germany Motivation class SortedList { private static Node f i r s t ; public static specvar content / : : : objset ; vardefs v = n u l l next &quot; content ==

939 views • 65 slides
LARGE DISPLACEMENT ANALYSIS OF SHAPE MEMORY ALLOY FIBER REINFORCED LAMINATE COMPOSITE H. Cho*

LARGE DISPLACEMENT ANALYSIS OF SHAPE MEMORY ALLOY FIBER REINFORCED LAMINATE COMPOSITE H. Cho*

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS LARGE DISPLACEMENT ANALYSIS OF SHAPE MEMORY ALLOY FIBER REINFORCED LAMINATE COMPOSITE H. Cho* Satellite Technology Research Center, KAIST, Daejeon, South Korea. * Corresponding author

611 views • 4 slides
Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic

Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic

Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic memory 2013/2014B Subjects Introducing shape analysis TVLA method Cutpoint-free method Separation logic method Conclusion &amp;

1.38k views • 70 slides
Computer Vision Statistical Shape Analysis Shape Shape is the geometric information that

Computer Vision Statistical Shape Analysis Shape Shape is the geometric information that

Computer Vision Statistical Shape Analysis Shape Shape is the geometric information that remains when translation, rotation, and scale are factored out. Landmark points. D'Arcy Thompson. David George Kendall Fred Bookstein.

248 views • 9 slides
ANALYSIS OF THE MECHANICAL BEHAVIOUR OF MAGNETO SHAPE MEMORY POLYMERS UNDER MAGNETIC FIELD H. Park

ANALYSIS OF THE MECHANICAL BEHAVIOUR OF MAGNETO SHAPE MEMORY POLYMERS UNDER MAGNETIC FIELD H. Park

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS ANALYSIS OF THE MECHANICAL BEHAVIOUR OF MAGNETO SHAPE MEMORY POLYMERS UNDER MAGNETIC FIELD H. Park 1 , W.-R. Yu 1 *, C.-H. Ahn 1 , P. Harrison 2 , Z. Guo 3 1 Department of Materials Science and

87 views • 4 slides
Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis V. Batagelj Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units Clustering and optimization Leaders method Vladimir Batagelj Agglomerative method Examples IMFM Ljubljana

871 views • 33 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Symbolic Computation of Latency for Dataflow Graphs Adnan Bouakaz Pascal Fradet Alain Girault

Symbolic Computation of Latency for Dataflow Graphs Adnan Bouakaz Pascal Fradet Alain Girault

Symbolic Computation of Latency for Dataflow Graphs Adnan Bouakaz Pascal Fradet Alain Girault SYNCHRON International Workshop, Bamberg December 7th, 2016 Introduction Outline Introduction 1 Application model Scheduling policy Symbolic

793 views • 37 slides
Speculations on possible brain substrates of symbolic processing and structured I/O from memory

Speculations on possible brain substrates of symbolic processing and structured I/O from memory

Speculations on possible brain substrates of symbolic processing and structured I/O from memory Adam Marblestone CS 379c Stanford 2019 (slides based on pre-DeepMind work, much of it with Ken Hayworth) A tentative high-level template for AI

542 views • 33 slides
Transient Analysis Lightning Phenomena HV Transient Analysis Classes and shape of overvoltages

Transient Analysis Lightning Phenomena HV Transient Analysis Classes and shape of overvoltages

Chapter 8 Overvoltage Phenomenon &amp; HV Transient Analysis Lightning Phenomena HV Transient Analysis Classes and shape of overvoltages and standard voltage shape Analysis of overvoltages in power system includes a study of their:

1.04k views • 35 slides
Signatures in Shape Analysis Nikolas Tapia (WIAS/TU Berlin) joint with E. Celledoni &amp; P . E.

Signatures in Shape Analysis Nikolas Tapia (WIAS/TU Berlin) joint with E. Celledoni &amp; P . E.

Signatures in Shape Analysis Nikolas Tapia (WIAS/TU Berlin) joint with E. Celledoni &amp; P . E. Lystad FG6 (NTNU) Weierstra-Institut fr angewandte Analysis und Stochastik August 27, 2019 Shape Analysis: Practical Setup The problem is to

481 views • 20 slides
FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION MARTIN NOWACK

FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION MARTIN NOWACK

ASE 2019 FINE-GRAINED MEMORY OBJECT REPRESENTATION IN SYMBOLIC EXECUTION MARTIN NOWACK M.NOWACK@IMPERIAL.AC.UK PROGRAMS MEMORY REPRESENTATION char * a = malloc(1024); int32 i = 10; a[i]++; if (i != 12345) { a[i-2] = a[i] * 2; } else {

412 views • 37 slides
Shape Co-analysis and constrained clustering Daniel Cohen-Or Tel-Aviv University 1 High-level

Shape Co-analysis and constrained clustering Daniel Cohen-Or Tel-Aviv University 1 High-level

Shape Co-analysis and constrained clustering Daniel Cohen-Or Tel-Aviv University 1 High-level Shape analysis [Mehra et al. 08] [Fu et al. 08] [Kalograkis et al. 10] Shape abstraction Upright orientation Learning segmentation [Kim et al.

1.03k views • 81 slides
Pulse Shape Analysis A/E for GERDA experiment Outline : Motivation Pulse Shape

Pulse Shape Analysis A/E for GERDA experiment Outline : Motivation Pulse Shape

Pulse Shape Analysis A/E for GERDA experiment Outline : Motivation Pulse Shape Discrimination for GERDA BEGes Systematic uncertainty on PSA Outlook &amp; Summary Heng-Ye Liao photo o by *EvrWccn Wccn for the GERDA collaboration

188 views • 18 slides
CS711 Advanced Programming Languages Shape Analysis With Tracked Locations Radu Rugina 22 Sep

CS711 Advanced Programming Languages Shape Analysis With Tracked Locations Radu Rugina 22 Sep

CS711 Advanced Programming Languages Shape Analysis With Tracked Locations Radu Rugina 22 Sep 2005 Shape Analysis with Local Reasoning All previous abstractions: Describe the entire heap at once Makes inter-procedural analysis

544 views • 30 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
1 Baysian networks for decision analysis The TV show problem as a BN Problems More than

1 Baysian networks for decision analysis The TV show problem as a BN Problems More than

Several names Decision graphs Decision trees Influence diagrams Decision graphs I A certain kind of strictly symmetric decision trees Decisions and utilities No forgetting assumption LIMIDs Limited Memory

596 views • 6 slides
NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine University Remembering Suzanne WINSBERG This talk is dedicated to her OUTLINE PART 1: SYMBOLIC DATA ANALYSIS The two levels of

1.29k views • 89 slides
1 Baysian networks for decision analysis The TV show problem as a BN Problems Choice 1

1 Baysian networks for decision analysis The TV show problem as a BN Problems Choice 1

Several names Decision graphs Decision trees Influence diagrams Decision graphs I A certain kind of strictly symmetric decision trees Decisions and utilities No forgetting assumption LIMIDs Limited Memory

185 views • 6 slides
SymEngine Symbolic Executjon of OpenCL Kernels Alberto Magni Optjmize code for GPUs Optjmize

SymEngine Symbolic Executjon of OpenCL Kernels Alberto Magni Optjmize code for GPUs Optjmize

SymEngine Symbolic Executjon of OpenCL Kernels Alberto Magni Optjmize code for GPUs Optjmize Memory Accesses 2 GPU Memory Transactjons Coalesced Access GPU Core 1 Load Request = 4 Bytes per Thread 128 Bytes L1 32 Threads GPU Memory

593 views • 15 slides
Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental

Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental

Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental Mathematical Computation, July 2125, 2014, ICERM, Brown University Symbolic local Fourier Analysis (and some Special Functions Inequalities)

1.21k views • 82 slides
Isogeometric Shape Optimization: A brief introduction about shape sensitivity analysis and search

Isogeometric Shape Optimization: A brief introduction about shape sensitivity analysis and search

Isogeometric Shape Optimization: A brief introduction about shape sensitivity analysis and search direction normalization Wang Zhenpei NUS 2018 3 23 GAMES Webinar 2018 (37) on IGA Wang Zhenpei (NUS) Isogeometric Shape

566 views • 53 slides

More recommend