TVLA for System Code

TVLA for System Code JörgKreikerHelmut SeidlVesalVojdani TU Munich Dagstuhl, July 2009

Motivation i-1 data data data data active objects i list list list list cleanup queue queue queue queue queue i+1 struct node { t data; structhlist_node list; structlist_head queue; } garbage

Motivation i-1 data data data data active objects i list list list list cleanup queue queue queue queue queue i+1 structhlist_node { structhlist_node *next; structhlist_node **pprev; } garbage

Motivation i-1 data data data data active objects i list list list list cleanup queue queue queue queue queue i+1 • overlapping, embedded records • UP (container_of, offset) • pointers to pointer • &x->s, &x, *x = y, … garbage

Motivation i-1 data data data data active objects i list list list list cleanup queue queue queue queue queue i+1 • inspired by race detecion • properties: • privatization: make data thread-local • cleanup queue needs no lock • unless there are two • reachability with and without UP garbage

Fine-grained memory model • TVLA • node : record • edge : dereferenced pointer-valued component • Fine-grained model • node : record component • edge : dereferencing • predicates: Var + Sel + * • predicate transformers only for *

Example • standard list (3 elements) • hlist_node • node * * * next next x next * * * next next x next pprev pprev pprev * * * list next pprev queue data next prev

TVLA example • indirect element deletion for (lpp = &x; *lpp != NULL; lpp = &(*lpp)->next) if ((*lpp)->data % 13 == 0) { *lpp = (*lpp)->next; break; } * * * next next x next

Coarse-grained model • TVLA • node : record • edge : dereferenced pointer-valued component • Fine-grained model • node : record component • edge : dereferencing • Coarse-grained • one node per struct • edge : dereference + source + target component • predicates : Var[π] + *[π1, π2]

Example • fine: • coarse: data data data list list list queue queue queue *[list.next,list] *[list.next,list] *[first,list] *[list.pprev,list.next] *[list.pprev,list.next]

TVLA example • delete element from hlist n = t->next; p = t->prev; *p = n; if (n) n->prev = p; next next pprev pprev pprev * * * next x

Some related work • Calcagno et al: Beyond Reachability: Shape Abstraction in the Presence of Pointer Arithmetic, SAS 2006 • Berdine et al: Shape Analysis for Composite Data Structures, CAV 2007 • Yang et al: Scalable Shape Analysis for Systems Code, CAV 2008 • Chatterjee et al: A Reachability Predicate for Analyzing Low-Level Software, TACAS 2007 • Gulwani, Tiwari: An Abstract Domain for Analyzing Heap-Manipulating Low-Level Software, CAV 2007 • Gulwani et al: A Combination Framework for Tracking Partition Sizes, POPL 2009

Conclusion • fine/coarse: • reachability with/without UP • Case study: one or two lists visible • conservative add-on, exploit existing knowledge • useful for subtle race detection • able to deal with • Overlapping, embedded records • Deep sharing and update • UP • &x->s, *x = y, …

TVLA for System Code

TVLA for System Code

Presentation Transcript

Subversion Source Code Management System

Subversion Source Code Management System

Harmonized System Code Descriptions

CODE DIVISION DUPLEXING SYSTEM

Applications of TVLA

Kansas Course Code Management System

Subversion Source Code Management System

Subversion Source Code Management System

Source Code Control System (SCCS)

system computer code

Code Report For PALMail System

Allied Bar Code System

Towards Abstraction Refinement in TVLA

TVLA: A System for Generating Abstract Interpreters

Manifestation Code System Review

Subject : Communication System Code : 10B11EC514

TVLA: A System for Generating Abstract Interpreters

Z Code System review

Trace System for Pharmaceutical Manufacturing - Bar Code India