TVLA for System Code

Jörg Kreiker, Helmut Seidl, Vesal Vojdani

TU Munich

Dagstuhl, July 2009

Motivation

[Figure: hash buckets i-1, i, i+1 of active objects; each object is one record with a data field, a list link into its bucket and a queue link; a cleanup queue threads through the same records; records reachable from neither are garbage]

struct node {
    t data;                   /* payload */
    struct hlist_node list;   /* link into the hash bucket */
    struct list_head queue;   /* link into the cleanup queue */
};

Motivation

[Figure: the same diagram, now showing the next and pprev links of the bucket list]

struct hlist_node {
    struct hlist_node *next;    /* next node in the bucket */
    struct hlist_node **pprev;  /* address of the pointer that points at this node */
};

Motivation

[Figure: the same diagram of buckets, active objects, cleanup queue and garbage]

  • overlapping, embedded records
  • UP (container_of, offset)
  • pointers to pointers
  • &x->s, &x, *x = y, …

Motivation

[Figure: the same diagram of buckets, active objects, cleanup queue and garbage]

  • inspired by race detection
  • properties:
    • privatization: make data thread-local
    • cleanup queue needs no lock
    • unless there are two
  • reachability with and without UP

Fine-grained memory model
  • TVLA
    • node : record
    • edge : dereferenced pointer-valued component
  • Fine-grained model
    • node : record component
    • edge : dereferencing
    • predicates: Var + Sel + *
    • predicate transformers only for *
Example
  • standard list (3 elements)
  • hlist_node
  • node

[Figure: three fine-grained shape graphs: a 3-element singly linked list reached from x, with next edges leading through * nodes; an hlist with next and pprev edges; and a single node record showing its data, list (next, pprev) and queue (next, prev) components]

TVLA example
  • indirect element deletion

for (lpp = &x; *lpp != NULL; lpp = &(*lpp)->next)
    if ((*lpp)->data % 13 == 0) {
        *lpp = (*lpp)->next;   /* bypass the element through the pointer to it */
        break;
    }

[Figure: fine-grained shape graph of the 3-element list reached from x, next edges leading through * nodes]

Coarse-grained model
  • TVLA
    • node : record
    • edge : dereferenced pointer-valued component
  • Fine-grained model
    • node : record component
    • edge : dereferencing
  • Coarse-grained
    • one node per struct
    • edge : dereference + source + target component
    • predicates : Var[π] + *[π1, π2]
Example
  • fine:
  • coarse:

[Figure: the fine-grained graph with separate data, list and queue component nodes per record, beside the coarse-grained graph with one node per record and edges labelled *[list.next,list], *[first,list] and *[list.pprev,list.next]]

TVLA example
  • delete element from hlist

n = t->next;
p = t->pprev;          /* pointer to the link that points at t */
*p = n;                /* bypass t, no head pointer needed */
if (n) n->pprev = p;   /* successor's back link now points at that link */

[Figure: hlist shape graph reached from x, with next and pprev edges leading through * nodes]
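The hlist deletion on this slide and the indirect deletion loop on the earlier TVLA example slide both rest on the same two ingredients: the pprev pointer-to-pointer, which lets a node be unlinked without knowing its predecessor or the head, and the upward step (container_of) from an embedded link back to its record. The C program below is an added example, not code from the slides or from any kernel source; its type and function names follow the hlist naming used in the deck but are written from scratch here, and the sample values are constructed. It builds a small hlist of `struct node` records, removes one element indirectly through a pointer to the current link, removes another through its pprev, and after each step checks that every back link still points at the link that points at the node.

```c
/* Added example (not from the slides): Linux-style hlist with the pprev
 * back link, container_of as the upward step from embedded link to record,
 * and the deck's two deletion patterns. Names and values are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct hlist_node {
    struct hlist_node *next;
    struct hlist_node **pprev;   /* address of the pointer that points at this node */
};
struct hlist_head { struct hlist_node *first; };
struct node {
    int data;
    struct hlist_node list;      /* link embedded in the record */
};

/* Recover the enclosing record from a pointer to its embedded member. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h) {
    n->next = h->first;
    if (h->first) h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* The deck's deletion: bypass t through its back link; no head pointer needed. */
static void hlist_del(struct hlist_node *t) {
    struct hlist_node *n = t->next;
    struct hlist_node **p = t->pprev;
    *p = n;
    if (n) n->pprev = p;
    t->next = NULL;
    t->pprev = NULL;
}

/* Indirect deletion in the style of the deck's for loop: walk via a pointer to
 * the current link, unlink and free the first record whose data is divisible
 * by 13. Returns 1 if a record was removed, 0 otherwise. */
static int delete_first_multiple_of_13(struct hlist_head *h) {
    for (struct hlist_node **lpp = &h->first; *lpp != NULL; lpp = &(*lpp)->next) {
        struct node *x = container_of(*lpp, struct node, list);
        if (x->data % 13 == 0) {
            *lpp = (*lpp)->next;                 /* same bypass as hlist_del's *p = n */
            if (*lpp) (*lpp)->pprev = lpp;       /* successor's back link must follow */
            free(x);
            return 1;
        }
    }
    return 0;
}

/* Sum of data in list order, verifying every pprev on the way; -1 if one is stale. */
static int hlist_sum_checked(struct hlist_head *h) {
    int sum = 0;
    struct hlist_node **lpp = &h->first;
    for (struct hlist_node *n = h->first; n != NULL; lpp = &n->next, n = n->next) {
        if (n->pprev != lpp) return -1;          /* back link must name the link to n */
        sum += container_of(n, struct node, list)->data;
    }
    return sum;
}

static void hlist_free_all(struct hlist_head *h) {
    while (h->first) {
        struct node *x = container_of(h->first, struct node, list);
        hlist_del(h->first);
        free(x);
    }
}

static struct node *node_new(int data) {
    struct node *x = calloc(1, sizeof *x);
    if (!x) abort();
    x->data = data;
    return x;
}

/* Constructed sample: head inserts give list order 5, 26, 7. steps 0: untouched;
 * 1: after indirect deletion of 26; 2: after also unlinking record 5 via its pprev. */
static int sample_sum(int steps) {
    struct hlist_head h = { NULL };
    hlist_add_head(&node_new(7)->list, &h);
    hlist_add_head(&node_new(26)->list, &h);
    struct node *five = node_new(5);
    hlist_add_head(&five->list, &h);
    if (steps >= 1) delete_first_multiple_of_13(&h);
    if (steps >= 2) {
        hlist_del(&five->list);
        free(five);
    }
    int sum = hlist_sum_checked(&h);
    hlist_free_all(&h);
    return sum;
}

int main(void) {
    printf("initial %d, after indirect delete %d, after pprev delete %d\n",
           sample_sum(0), sample_sum(1), sample_sum(2));
    return 0;
}
```

The `hlist_sum_checked` walk is the part worth keeping around: it asserts, at every node, that `pprev` equals the address of the link currently pointing at that node. Forgetting the `(*lpp)->pprev = lpp` line in the indirect deletion leaves exactly the stale back link that a later `hlist_del` would write through, which is the kind of deep-sharing update the fine-grained model's pointer-to-pointer edges are there to track.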

Some related work
  • Calcagno et al: Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic, SAS 2006
  • Berdine et al: Shape Analysis for Composite Data Structures, CAV 2007
  • Yang et al: Scalable Shape Analysis for Systems Code, CAV 2008
  • Chatterjee et al: A Reachability Predicate for Analyzing Low-Level Software, TACAS 2007
  • Gulwani, Tiwari: An Abstract Domain for Analyzing Heap-Manipulating Low-Level Software, CAV 2007
  • Gulwani et al: A Combination Framework for Tracking Partition Sizes, POPL 2009
Conclusion
  • fine/coarse:
    • reachability with/without UP
    • Case study: one or two lists visible
  • conservative add-on, exploit existing knowledge
  • useful for subtle race detection
  • able to deal with
    • Overlapping, embedded records
    • Deep sharing and update
    • UP
    • &x->s, *x = y, …