1 / 27

The Pointer Assertion Logic Engine

The Pointer Assertion Logic Engine. Anders M øller Michael I. Schwartzbach. CMSC 631 presentation: Nikolaos Frangiadakis. Motivation. Finding bugs  Fixing them Providing counterexamples Want sound Construct FSM Use for safety-critical data types Help optimization. PALE. MONA.

vidor
Download Presentation

The Pointer Assertion Logic Engine

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Pointer Assertion Logic Engine Anders Møller Michael I. Schwartzbach CMSC 631 presentation: Nikolaos Frangiadakis

  2. Motivation • Finding bugs  • Fixing them • Providing counterexamples • Want sound • Construct FSM • Use for safety-critical data types • Help optimization

  3. PALE MONA The process • PALE: Pointer Assertion Logic Engine tool • MONA: MONAdic second order logic engine • Result: • If ok  Claim sound • If not  Counterexample annotated code

  4. tree-shaped data struct + extra pointers data pointers: backbone pointer fields: conditions Other Examples: doubly-linked cyclic list binary trees binary trees in which all the leaves are joined in a cyclic list red - black trees :) and so on... Example I: List with pointer to the last element: type Head = { data first: Node; pointer last: Node[this.first<next*.[pos.next=null]>last]; } type Node = { data next: Node; } Example II: Binary tree with cyclic post order pointers: type Node = { data left,right:Node; pointer post:Node[POST(this,post)]; pointer parent:Node[PARENT(this,parent)]; } Graph types example

  5. Graph types • A Graph type is a recursive type with auxiliary pointers: • the recursive type defines a spanning tree (the “backbone”) • the auxiliary pointers provide short-cuts across the backbone or into other trees • they must be functionally determined by the backbone(“well formedness”) • they are defined by “routing expressions” • Constraining to Graph types  Decidable

  6. Annotation • Store Model : records • Program vars • Records (Pointers,Bools) Organized in backbone constructs • Program variables (data vars, pointer vars) • Pointer Assertion Language • Data Structure Invariants • Loop invariants • If..then..else invariants • Procedure invariants

  7. Hoare triples  MONA • Split the program into Hoare triples: {pre} stm {post} • In MONA: assertions instead of post conditions • Graph types need only be valid at cut-points • multiple assignments allowed, but no loops • Verify each triple separately • Sound when annotation ok • Can include check for null-pointer dereference and other memory errors

  8. Encoding • Monadic : Single argument • Second order: This argument can be a First Order Logic Function • Here is a variable: • Null_p() :true if p is Null • bool_T_b(v): value of record v of type T (bool) • Succ_T_d(v,w): true if rec w reachable from rec along data field d • Each time a state

  9. Why monadic second order logic BDD: Binary Decision Diagrams WS1S: Weak Second order theory of one or two successors

  10. MONA encoding Example(Hyman’s mutual exclusion algorithm: ) while true do begin 1 < noncritical section > 2 bi := true 3 while ( k ¹ i ) do begin 4 while ( b1-i ) do skip 5 k := i end 6 < critical section > 7 bi := false end

  11. MONA Example var2 PC0’, PC0’’, PC0’’’, PC1’, PC1’’, PC1’’’, b0, b1, k; pred p0_at_line_1(var1 t) = tÏPC0’ Ù tÏPC0’’ Ù ÏPC0’’’; pred p0_at_line_2(var1 t) = tÏPC0’ Ù tÏPC0’’ Ù tÎPC0’’’; ... pred b0_false(var1 t) = tÏb0; pred b0_true(var1 t) = tÎb0; ... pred k_is_0(var1 t) = tÎk; pred k_is_1(var1 t) = tÏk; while true do begin 1 < noncritical section > 2 bi := true 3 while ( k ¹ i ) do begin 4 while (bi-1 ) do skip 5 k := i end 6 < critical section > 7 bi := false end

  12. MONA Example pred p0_proc_step(var1 t) = (p0_at_line_1(t) Þ p0_at_line_2(succ(t)) Ù unchanged_vars(t))Ù (p0_at_line_2(t) Þ p0_at_line_3(succ(t)) Ù b0_true(succ(t))Ù unchanged_k(t) Ù unchanged_b1(t)) Ù (p0_at_line_3(t) Þ (unchanged_vars(t) Ù (k_is_0(t) Þ p0_at_line_6(succ(t))) Ù (k_is_1(t) Þ p0_at_line_4(succ(t))))) Ù ... (p0_at_line_7(t) Þ p0_at_line_1(succ(t)) Ù b0_false(succ(t)) Ù ... while true do begin 1 < noncritical section > 2 bi := true 3 while ( k ¹ i ) do begin 4 while (bi-1 ) do skip 5 k := i end 6 < critical section > 7 bi := false end

  13. MONA result Valid() Þ "1 t: Ø(p0_at_line_6(t) Ù p1_at_line_6(t))); A counter-example of least length (10) is: PC0’ 0 0 0 0 0 1 1 1 0 1 PC0’’ 0 0 0 1 1 0 0 0 1 0 PC0’’’ 0 0 1 0 1 0 0 0 0 1 PC1’ 0 0 0 0 0 0 0 1 1 1 PC1’’ 0 0 0 0 0 0 1 0 0 0 PC1’’’ 0 1 1 1 1 1 0 1 1 1 b0 0 0 0 1 1 1 1 1 1 1 b1 0 0 0 0 0 0 1 1 1 1 k 0 0 0 0 0 0 0 0 1 1

  14. MONA Example A counter-example of least length (10) is: PC0’ 1 1 2 3 4 5 5 5 3 6 PC1’ 1 2 2 2 2 2 3 6 6 6 b0 0 0 0 1 1 1 1 1 1 1 b1 0 0 0 0 0 0 1 1 1 1 k 0 0 0 0 0 0 0 0 1 1 while true do begin 1 < noncritical section > 2 b0 := true 3 while ( k ¹ 0 ) do begin 4 while (b1) do skip 5 k := 0 end 6 < critical section > 7 b0 := false end while true do begin 1 < noncritical section > 2 b1 := true 3 while ( k ¹ 1 ) do begin 4 while (b0) do skip 5 k := 1 end 6 < critical section > 7 b1 := false end

  15. while true do begin 1 < noncritical section > 2 b0 := true 3 while ( k ¹ 0 ) do begin 4 while (b1) do skip 5 k := 0 end 6 < critical section > 7 b0 := false end while true do begin 1 < noncritical section > 2 b1 := true 3 while ( k ¹ 1 ) do begin 4 while (b0) do skip 5 k := 1 end 6 < critical section > 7 b1 := false end MONA Example A counter-example of least length (10) is: PC0’ 1 1 2 3 4 5 5 5 3 6 PC1’ 1 2 2 2 2 2 3 6 6 6 b0 0 0 0 1 1 1 1 1 1 1 b1 0 0 0 0 0 0 1 1 1 1 k 0 0 0 0 0 0 0 0 1 1

  16. while true do begin 1 < noncritical section > 2 b0 := true 3 while ( k ¹ 0 ) do begin 4 while (b1) do skip 5 k := 0 end 6 < critical section > 7 b0 := false end while true do begin 1 < noncritical section > 2 b1 := true 3 while ( k ¹ 1 ) do begin 4 while (b0) do skip 5 k := 1 end 6 < critical section > 7 b1 := false end MONA Example A counter-example of least length (10) is: PC0’ 1 1 2 3 4 5 5 5 3 6 PC1’ 1 2 2 2 2 2 3 6 6 6 b0 0 0 0 1 1 1 1 1 1 1 b1 0 0 0 0 0 0 1 1 1 1 k 0 0 0 0 0 0 0 0 1 1

  17. while true do begin 1 < noncritical section > 2 b0 := true 3 while ( k ¹ 0 ) do begin 4 while (b1) do skip 5 k := 0 end 6 < critical section > 7 b0 := false end while true do begin 1 < noncritical section > 2 b1 := true 3 while ( k ¹ 1 ) do begin 4 while (b0) do skip 5 k := 1 end 6 < critical section > 7 b1 := false end MONA Example A counter-example of least length (10) is: PC0’ 1 1 2 3 4 5 5 5 3 6 PC1’ 1 2 2 2 2 2 3 6 6 6 b0 0 0 0 1 1 1 1 1 1 1 b1 0 0 0 0 0 0 1 1 1 1 k 0 0 0 0 0 0 0 0 1 1

  18. while true do begin 1 < noncritical section > 2 b0 := true 3 while ( k ¹ 0 ) do begin 4 while (b1) do skip 5 k := 0 end 6 < critical section > 7 b0 := false end while true do begin 1 < noncritical section > 2 b1 := true 3 while ( k ¹ 1 ) do begin 4 while (b0) do skip 5 k := 1 end 6 < critical section > 7 b1 := false end MONA Example A counter-example of least length (10) is: PC0’ 0 0 1 2 3 4 4 4 2 5 PC1’ 0 1 1 1 1 1 2 5 5 5 b0 0 0 0 1 1 1 1 1 1 1 b1 0 0 0 0 0 0 1 1 1 1 k 0 0 0 0 0 0 0 0 1 1

  19. Aspects • Data abstraction • Of value properties • Automatic tracking when assigned • Comparison with TVLA (Three Valued Logic Analyzer) • Seem to found a bug • In exhibited cases: PALE significantly faster • Idea: trade-off between expressiveness - speed formally

  20. Statistics

  21. Opinions • Needs heuristics, • Automatic code annotation? (40ln  90 ln) • SLAM style Iterative process? • Optimization?

  22. Questions? • Thank you

  23. Kinds of predicates

  24. Pointer Assertion Logic

  25. Pointer Assertion Logic

  26. Data Types • Graph types • tree-shaped data struct + extra pointers • data pointers: backbone • pointer fields: conditions • Example: • list with pointer to the last element: type Head = { • data first: Node; • pointer last: Node[this.first<next*.[pos.next=null]>last]; • } • type Node = { • data next: Node; • } • Other Examples: • doubly-linked cyclic list • binary trees • binary trees in which all the leaves are joined in a cyclic list • red - black trees :) and so on...

More Related