
Pointer Logic



  1. Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedures

  2. Why pointer logic? • A pointer is a program variable whose sole purpose is to refer to some other program construct. • Other program constructs: a variable, a procedure, or another pointer • A pointer is useful but a common source of programming errors. • Aliasing • Null pointer dereference error

  3. Table of Contents • Introduction • Pointer logic • Modeling Heap-Allocated Data Structures • A Decision Procedure • Conclusion

  4. Memory model • The implementation of pointers relies on the fact that the memory cells of a computer have addresses, i.e., each cell has a unique number. • Definition 1. Memory model • A memory model describes the assumptions that are made about the way memory cells are addressed. We assume that the architecture provides a continuous, uniform address space. Each address corresponds to a memory cell that is able to store one data word. A memory valuation M: A → D is a mapping from a set of addresses A into the domain D of data words.

  5. Memory layout • The compiler assigns a particular memory location to each static variable. • This mapping is called the memory layout. • Definition 2. Memory layout • A memory layout L: V → A is a mapping from each variable v ∊ V to an address a ∊ A, where V denotes the set of variables and A denotes the set of addresses. • The memory layout is non-overlapping, which means that the memory locations of the statically allocated variables are distinct. • How about dynamic memory allocation?

  6. Dynamic memory allocation • Dynamic data structures are created at run time. • A runtime library maintains a list of the memory regions that are unused. • A function that is part of this library allocates a region of a given size and returns a pointer to the beginning of the region (malloc(), …). • The memory layout changes during the runtime of the program. • The lifetime of a dynamic object is the time between its allocation and its deallocation.

  7. Analysis of programs with pointers • Aliasing • a situation in which a data location in memory can be accessed through different symbolic names in the program. • Modifying the data through one name implicitly modifies the values associated with all aliased names, which is not expected by the programmer. • Dereferencing • a situation in which a pointer doesn’t point to a proper object. • Example

  8. Table of Contents • Introduction • Pointer logic • Modeling Heap-Allocated Data Structures • A Decision Procedure • Conclusion

  9. Syntax • The syntax of a formula in pointer logic is defined by the following rules: • pointer-identifier is of pointer type • identifier is of integer type or an array of integers

  10. Semantics (1/2) • Define the semantics by referring to • memory layout L • L: V → A is a mapping from each variable v ∊ V to an address a ∊ A • memory valuation M • M: A → D, a mapping from a set of addresses A into the domain D of data words • Pointer logic formulas are predicates on (M, L) pairs, and the definition of the semantics uses a reduction to integer arithmetic and array logic. • We treat M and L as array types.

  11. Semantics (2/2) • Definition 3. Semantics of pointer logic • Let LP denote the set of pointer logic expressions, and let LD denote the set of expressions permitted by the logic for the data words. • The function [⋅] : LP → LD is defined for e ∊ LP. The function [e] is defined recursively. The expression e ∊ LP is valid if and only if [e] is valid.

  12. Example • a is an array identifier. • The semantic definition of the expression expands as follows: • The last equation is obviously valid, and thus so is the original expression.

  13. Table of Contents • Introduction • Pointer logic • Modeling Heap-Allocated Data Structures • A Decision Procedure • Conclusion

  14. Lists (1/2) • The simplest dynamically allocated data structure is the linked list. • Structure type • contains fields for a next pointer and the data. • So, how do we model a linked list in pointer logic formulas?

  15. Lists (2/2) • We need to model the field for the next pointer. • Recursive definition • We need to add the property that the last element of the acyclic list should point to NULL. • Add another definition

  16. Table of Contents • Introduction • Pointer logic • Modeling Heap-Allocated Data Structures • A Decision Procedure • Conclusion

  17. Applying the semantic translation • The semantic translation • assigns meaning to the pointer logic formulas • gives rise to a simple decision procedure • The formulas generated by the semantic translation contain • the array read operator (recall that the memory layout L and the memory valuation M are treated as arrays, so looking them up is an array read) • linear arithmetic for the index • equality over the type used for modeling the contents of the memory cells • Decision procedure for pointer logic • Apply the semantic translation to a pointer formula to obtain a formula in the combined logic of linear arithmetic and arrays. • Pass the formula to the decision procedure for the combined logic.

  18. Examples • We want to check the validity of the following pointer logic formula: • The semantic translation expands as follows: • A decision procedure for array logic and equality logic easily concludes that the formula above is valid.

  19. Pure variables (1/2) • Sometimes the semantic translation places an undue burden on the underlying decision procedure, as illustrated by the following example: • A decision procedure for array logic and equality logic is certainly able to deduce that the original formula is valid. • Therefore, the semantic translation process is not required in this kind of situation.

  20. Pure variables (2/2) • Definition 4. Pure variables • Given a formula with a set of variables V, let denote the subset of ’s variables that are not used within an argument of the “&” operator within . These variables are called pure. • Definition 5. [∙]P • A new translation function [e]P is identical to the definition [e] unless e denotes a variable . The new definition is:

  21. Example • This no longer burdens the decision procedure for array logic:
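The semantic translation of slides 10 to 12, the array-logic decision procedure of slides 17 and 18, and the pure-variable variant of slides 19 to 21, as an added example that is not code from the slides or from Kroening and Strichman's book. Terms are nested tuples; the layout L and valuation M of Definitions 1 and 2 are dicts; `translate` renders [⋅] as a string over the arrays M and L, and `translate_pure` applies the [⋅]P rule to every variable that never appears under "&". The supported fragment (variables, &, *, NULL, equality, implication), the address-0-is-NULL convention, the formula names `STAR_ADDR` and `ALIAS`, and the brute-force `bounded_validity` check over a tiny finite model are all my own assumptions; the book's procedure hands the translated formula to a real decision procedure for arrays plus linear arithmetic instead of enumerating models.

```python
# Added example, not code from the slides or from Kroening and Strichman's
# book: a tiny pointer-logic kernel. Terms are nested tuples, the layout L and
# valuation M of Definitions 1 and 2 are dicts, and [.] / [.]_P (Definitions
# 3 and 5) are rendered as strings over the arrays M and L.
from itertools import permutations, product

NULL = 0  # assumption: address 0 is never allocated, so it models NULL

def variables(term):
    """Names of all variables occurring in a term or formula."""
    if term[0] in ("var", "addr"):
        return {term[1]}
    return set().union(*(variables(t) for t in term[1:] if isinstance(t, tuple)))

def impure_variables(term):
    """Variables used as an argument of '&' (Definition 4: all others are pure)."""
    if term[0] == "addr":
        return {term[1]}
    return set().union(*(impure_variables(t) for t in term[1:] if isinstance(t, tuple)))

def translate(term, pure=frozenset()):
    """Semantic translation [term] into array logic over M and L. Variables in
    `pure` follow the [.]_P rule and stay as plain integer variables."""
    tr = lambda t: translate(t, pure)
    kind = term[0]
    if kind == "var":                      # v   ->  M[L[v]]   (or just v if pure)
        return term[1] if term[1] in pure else f"M[L[{term[1]}]]"
    if kind == "addr":                     # &v  ->  L[v]
        return f"L[{term[1]}]"
    if kind == "deref":                    # *p  ->  M[[p]]
        return f"M[{tr(term[1])}]"
    if kind == "null":
        return str(NULL)
    if kind == "eq":
        return f"{tr(term[1])} = {tr(term[2])}"
    if kind == "implies":
        return f"({tr(term[1])} ⇒ {tr(term[2])})"
    raise ValueError(f"unknown term kind {kind}")

def translate_pure(formula):
    """[formula]_P: every variable that never appears under '&' is left as is."""
    pure = variables(formula) - impure_variables(formula)
    return translate(formula, frozenset(pure))

def evaluate(term, L, M):
    """Concrete value of a term (int) or formula (bool) under layout L and
    valuation M. Reading M at an address that holds no cell raises KeyError,
    which models the dereferencing error of slide 7."""
    ev = lambda t: evaluate(t, L, M)
    kind = term[0]
    if kind == "var":
        return M[L[term[1]]]
    if kind == "addr":
        return L[term[1]]
    if kind == "deref":
        return M[ev(term[1])]
    if kind == "null":
        return NULL
    if kind == "eq":
        return ev(term[1]) == ev(term[2])
    if kind == "implies":
        return (not ev(term[1])) or ev(term[2])
    raise ValueError(f"unknown term kind {kind}")

def bounded_validity(formula, addresses=(1, 2, 3), words=(0, 1, 2, 3)):
    """Brute-force stand-in for the array/arithmetic decision procedure of
    slide 17: try every non-overlapping layout (Definition 2) and every
    valuation over a tiny address space. Returns None when the formula holds
    in all of them, otherwise the first falsifying (L, M) pair."""
    names = sorted(variables(formula))
    for addrs in permutations(addresses, len(names)):
        L = dict(zip(names, addrs))
        for vals in product(words, repeat=len(addresses)):
            M = dict(zip(addresses, vals))
            try:
                holds = evaluate(formula, L, M)
            except KeyError:
                holds = False  # a dangling dereference falsifies the formula
            if not holds:
                return L, M
    return None

# Constructed formulas:  *(&a) = a   and   p = &b  ⇒  *p = b
STAR_ADDR = ("eq", ("deref", ("addr", "a")), ("var", "a"))
ALIAS = ("implies", ("eq", ("var", "p"), ("addr", "b")),
         ("eq", ("deref", ("var", "p")), ("var", "b")))

if __name__ == "__main__":
    for name, f in (("STAR_ADDR", STAR_ADDR), ("ALIAS", ALIAS)):
        print(name, "[.]  :", translate(f))
        print(name, "[.]_P:", translate_pure(f))
        print(name, "counterexample:", bounded_validity(f))
```

Running the module prints `M[L[a]] = M[L[a]]` for `*(&a) = a` under both translations (a is impure because it appears under &), while for `p = &b ⇒ *p = b` the pure translation keeps `p` as an integer variable and yields `(p = L[b] ⇒ M[p] = M[L[b]])`, one array read shallower than the full translation. `bounded_validity` returns `None` for both, and returns a layout/valuation pair for the unconditional `*p = b`, which is falsified as soon as p holds NULL.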

  22. Reachability predicate (1/2) • Definition 6. • This stands for the pointer that is obtained by starting from q and following the field f n times: • Definition 7. Reachability predicate • We call a predicate a reachability predicate if it satisfies the following two conditions: • There exists some n such that q is reachable from p by following f n times. • x is not reachable in fewer than n steps from p following f.

  23. Reachability predicate (2/2) • We say that a formula is a reachability predicate formula if it contains the reachability predicate. • Reachability predicate formulas often have quantifiers, which make decision problems much harder. • There is no automatic decision procedure for a logic that includes a reachability predicate.
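The list modeling of slides 14 and 15 and the follow and reachability operators of Definitions 6 and 7, as an added example that is not code from the slides or from Kroening and Strichman's book. The heap is a dict from address to record; `follow` walks a field n times, `reach` returns the least n at which x is reached from p, `is_chain` is one reading of the slides' first recursive definition (n consecutive records, nothing said about the last next pointer) and `is_list` is the second definition that additionally demands NULL termination. The exact form of the book's recursive definition, the address-0-is-NULL convention and the sample heaps `HEAP` and `CYCLIC` are my own assumptions.

```python
# Added example, not code from the slides or from Kroening and Strichman's
# book: a concrete heap as a dict from address to record, slide 15's list
# predicate written as two recursive checks, and the follow / reachability
# operators of Definitions 6 and 7 evaluated on that heap. The precise form
# of the book's recursive definition is an assumption; NULL is address 0.
NULL = 0  # assumption: address 0 is NULL and never holds a record

def follow(heap, q, f, n):
    """Definition 6: the pointer obtained by starting from q and following
    field f exactly n times. Returns None if NULL or a dangling address is
    dereferenced before the n steps are done."""
    cur = q
    for _ in range(n):
        if cur == NULL or cur not in heap:
            return None
        cur = heap[cur][f]
    return cur

def reach(heap, p, x, f):
    """Definition 7 on a concrete heap: the least n such that x is reached from
    p by following f n times, or None when x is unreachable. The visited set
    makes the walk terminate on cyclic structures, which is the work the
    quantifier over n does in the logical definition."""
    n, cur, seen = 0, p, set()
    while cur != NULL and cur in heap and cur not in seen:
        if cur == x:
            return n
        seen.add(cur)
        cur = heap[cur][f]
        n += 1
    return n if cur == x else None

def is_chain(heap, p, n, f="next"):
    """First recursive definition: n consecutive records exist starting at p.
    Nothing is said about what the last record's f field points to."""
    if n == 0:
        return True
    if p == NULL or p not in heap:
        return False
    return is_chain(heap, heap[p][f], n - 1, f)

def is_list(heap, p, n, f="next"):
    """Second definition: a chain of n records whose final f pointer is NULL,
    i.e. an acyclic, NULL-terminated list of exactly n elements."""
    return is_chain(heap, p, n, f) and follow(heap, p, f, n) == NULL

# Constructed sample heaps (addresses are arbitrary small integers).
HEAP = {1: {"next": 2, "data": 10},      # 1 -> 2 -> 3 -> NULL
        2: {"next": 3, "data": 20},
        3: {"next": NULL, "data": 30}}
CYCLIC = {4: {"next": 5, "data": 40},    # 4 -> 5 -> 4 -> ... never NULL
          5: {"next": 4, "data": 50}}

if __name__ == "__main__":
    print("length of list at 1:", reach(HEAP, 1, NULL, "next"))      # 3
    print("is_list(HEAP, 1, 3):", is_list(HEAP, 1, 3))               # True
    print("is_list(CYCLIC, 4, 2):", is_list(CYCLIC, 4, 2))           # False
    print("reach NULL from 4:", reach(CYCLIC, 4, NULL, "next"))       # None
```

Two points the slides make become visible on the sample heaps: `is_chain` is satisfied by the two-record cycle for every n, so the first definition alone does not pin down a finite, acyclic list, whereas `is_list` rejects it at every length because no number of steps ever reaches NULL; and `reach` needs a visited set (or, in the logic, a bound on n) precisely because following a field on a cyclic heap never terminates on its own, which is the source of the quantifiers that make reachability formulas hard to decide.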

  24. Table of Contents • Introduction • Pointer logic • Modeling Heap-Allocated Data Structures • A Decision Procedure • Conclusion

  25. Conclusion • The semantic translation not only assigns meaning to the pointer logic formulas, but also gives rise to a simple decision procedure. • Deciding pointer logic that includes the reachability predicate is still an open problem.
