Download - Pointer Logic

1/25 Pointer Logic Changki Hong @ PSWLAB

Pointer LogicDaniel Kroening and Ofer Strichman

Decision Procedure


Why pointer logic? A pointer is a program variable whose sole

purpose is to refer to some other program construct. Other program construct - variable, procedures, or

another pointer

A Pointer is useful but common source of pro-gramming errors. Aliasing Null pointer dereference error


Table of Contents

Introduction Pointer logic Modeling Heap-Allocated Data Struc-

tures A Decision Procedure Conclusion


Memory model The implementation of pointer relies on the

fact that the memory cells of a computer have addresses, i.e., each cell has a unique num-ber.

Definition 1. Memory model A memory model describes the assumptions that are

made about the way memory cells are addressed. We as-sume that the architecture provides a continuous, uniform address space. Each address corresponds to a memory cell that is able to store one data word. A memory valua-tion M: A D is a mapping from a set of address A into the domain D of data words.


Memory layout The compiler assigns a particular memory location

to each static variable. The mapping is called memory layout.

Definition 2. Memory layout A memory layout L: V A is a mapping from each vari-

able v ∊ V to an address a ∊ A, where V denote the set of variables and A denote the set of addresses.

Memory layout is nonoverlapping which means that the memory locations of the statically allocated variables are distinct.

How about dynamic memory allocation?


Dynamic memory allocation Dynamic data structures are created at the run

time of the program. A runtime library maintains a list of the memory re-

gions that are unused. A function, which is part of this library, allocates a re-

gion of given size and returns a pointer to the begin-ning of the region. ( malloc(), …)

The memory layout changes during the runtime of the program.

The lifetime of a dynamic object is the time between its allocation and its deallocation.


Analysis of programs with pointers Aliasing

a situation in which a data location in memory can be accessed through different symbolic names in the pro-gram. Modifying the data through one name implicitly modifies the

values associated to all aliased names, which is not expected by the programmer.

Dereferencing a situation which a pointer doesn’t point to a proper ob-

ject. Example


Table of Contents




Syntax The syntax of a formula in pointer logic is defined

by the following rules:

pointer-identifier is of pointer type identifier is of integers or an array of integers


Semantics (1/2) Define the semantics by referring to

memory layout L L: V A is a mapping from each variable v ∊ V to an address a ∊ A

memory valuation M M: A D, mapping from a set of address A into the domain D of

data words

Pointer logic formulas are predicates on M, L pairs and the definition of semantics uses a reduction to integer arithmetic and array logic. We treat M and L as array types.


Semantics (2/2) Definition 3. Semantics of pointer logic

Let LP denote the set of pointer logic expressions, and let LD denote the set of expressions permitted by the logic for the data words.

The function [⋅] is defined [⋅] : LP LD for e ∊ LP. The func-tion [e] is defined recursively. The expression e∊ LP is valid if and only if [e] is valid.


Example

a is an array identifier. The semantic definition of the expression expands

as follows:

Last equation is obviously valid, and thus so is original expression.

]1[)1)((&* aa


Table of Contents




Lists (1/2) The simplest dynamically allocated data structure

is the linked list. Structure type contains fields for a next pointer and the data.

So, How to model linked list in pointer logic formu-las?


Lists (2/2) We need to model the field for a next pointer.

Recursive definition

We need to add the property that the last element of the acyclic list should point a NULL. Add another definition

1for )1,(_ ),( _, )0,( _

inipelemlistipelemlistppelemlist

NULLlpelemlistlplist ),( _ ),(


Table of Contents




Applying the semantic translation The semantic translation

assigns meaning to the pointer logic formulas gives rise to a simple decision procedure The formula generated by semantic translation contain

array read operator (recall that memory layout L and memory valuation M are considered as array read operation)

linear arithmetic for the index. equality over the type for modeling the contents of the memory cells

Decision procedure for pointer logic1. Apply the semantic translation to a pointer formula to ob-

tain a formula in the combined logic of linear arithmetic and array.

2. Pass the formula to the decision procedure for the combined logic.

i

i


Examples We want to check validity of following pointer logic

formula:

The semantic translation expands as follows:

A decision procedure for array logic and equality logic easily concludes that the formula above is valid.

1* 1& pxxp

1]]][[[ 1]][[ ][]][[ 1* 1 &

1* 1 & 1* 1&

pLMMxLMxLpLMpxxp

pxxppxxp


Pure variables (1/2) Sometimes the semantic translation can place an

undue burden on the underlying decision proce-dure, as illustrated by the following example:

A decision procedure for array logic and equality logic is certainly able to deduce that the original formula is valid.

Therefore, the semantic translation process is not re-quired in this kind of situation.

]][[]][[ ]][[]][[

xLMyLMyLMxLMxyyx

xyyx


Definition 4. Pure variables Given a formula with a set of variables V, let

denote the subset of ’s variables that are not used within an argument of the “&” operator within . These variables are called pure.

Definition 5. [∙]P A new translation function [e]P is identical to the defini-

tion [e] unless e denotes a variable . The new definition is:

Pure variables (2/2)

VP )(

)(P

)(\ ]][[][

)( ][

PVvforvLMv

PvforvP

vP


Example This no longer burdens the decision procedure for

array logic:

xyyx

PP

P

xyyx

xyyx


Reachability predicate (1/2) Definition 6.

This stands for the pointer that is obtained by starting from q and following the field f, n times:

Definition 7. reachability predicate, We call a predicate as reachability predicate which satis-

fies following two conditions: There exists some n such that q is reachable from p by following

f for n times. x is not reachable in fewer than n steps from p following f.

)(follow qfn

fqq

qqfn

fn

f

)(follow)(follow

)(follow

1

0


Reachability predicate (2/2) We say that a formula is a reachability predicate

formula if it contains the reachability predicate. Reachability predicate formulas often have quantifiers,

which make decision problems much harder. There is no automatic decision procedure for a logic

that includes a reachability predicate.


Table of Contents




Conclusion The semantic translation not only assigns

meaning to the pointer logic formulas, but also gives rise to a simple decision procedure.

Deciding pointer logic including reachability predicate is still an open problem.

Download - Pointer Logic

Top Related