
Posted on 22-Feb-2016


DESCRIPTION

Pointer Logic. Based on Daniel Kroening and Ofer Strichman, Decision Procedures. Why pointer logic? A pointer is a program variable whose sole purpose is to refer to some other program construct: a variable, a procedure, or another pointer.

TRANSCRIPT


Pointer Logic

Daniel Kroening and Ofer Strichman, Decision Procedures
Pointer Logic, Changki Hong @ PSWLAB

Why pointer logic?

A pointer is a program variable whose sole purpose is to refer to some other program construct. That other construct may be a variable, a procedure, or another pointer.

Pointers are useful, but they are a common source of programming errors, in particular aliasing and null pointer dereference errors.

Table of Contents

Introduction
Pointer logic
Modeling Heap-Allocated Data Structures
A Decision Procedure
Conclusion

Memory model

The implementation of pointers relies on the fact that the memory cells of a computer have addresses, i.e., each cell has a unique number.

Definition 1. Memory model. A memory model describes the assumptions that are made about the way memory cells are addressed. We assume that the architecture provides a continuous, uniform address space. Each address corresponds to a memory cell that is able to store one data word. A memory valuation M: A → D is a mapping from the set of addresses A into the domain D of data words.

Memory layout

The compiler assigns a particular memory location to each static variable. This mapping is called the memory layout.

Definition 2. Memory layout. A memory layout L: V → A is a mapping from each variable v ∈ V to an address a ∈ A, where V denotes the set of variables and A denotes the set of addresses. The memory layout is nonoverlapping, which means that the memory locations of the statically allocated variables are distinct.

What about dynamic memory allocation?

Dynamic memory allocation

Dynamic data structures are created at run time. A runtime library maintains a list of the memory regions that are unused. A function that is part of this library (e.g., malloc()) allocates a region of a given size and returns a pointer to the beginning of the region. As a consequence, the memory layout changes while the program runs. The lifetime of a dynamic object is the time between its allocation and its deallocation.

Analysis of programs with pointers

Aliasing: a situation in which a data location in memory can be accessed through different symbolic names in the program. Modifying the data through one name implicitly modifies the values associated with all aliased names, which is often not what the programmer expects.

Dereferencing: a situation in which a pointer that is dereferenced does not point to a proper object, the NULL pointer being the classic case.

Example
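The following is an added example (my own code, not from the slides or from Kroening and Strichman) that runs the memory model of Definitions 1 and 2 on concrete values. It assumes M is a Python list indexed by address, L is a dictionary from variable names to addresses, address 0 is reserved as NULL, and the variable layout is constructed for the demonstration. It shows the aliasing hazard from the text: the same two-line update yields 3 when the two pointers refer to distinct cells and 4 when they alias, and a dereference of a never-assigned pointer is caught instead of reading a cell the program does not own.

```python
# Added example (not from the slides): a tiny executable version of the memory
# model of Definitions 1 and 2. Addresses are small ints, M is the memory
# valuation (address -> data word), L is the static layout (variable -> address).
# Address 0 is reserved as NULL, so it never appears in a layout (assumption).

NULL = 0


class InvalidDereference(Exception):
    """Raised when a pointer does not refer to a usable cell of the address space A."""


def make_memory(size):
    """Memory valuation M over A = {0, ..., size-1}; every cell starts at 0."""
    return [0] * size


def read(M, L, v):
    """Value of a plain variable v: M[L[v]]."""
    return M[L[v]]


def write(M, L, v, val):
    """Assignment v = val: M[L[v]] = val."""
    M[L[v]] = val


def _check(M, p):
    if p == NULL or not (0 <= p < len(M)):
        raise InvalidDereference(f"address {p} is not a valid cell")


def deref(M, p):
    """Value of *p for an address p: only defined when p is a non-NULL cell of A."""
    _check(M, p)
    return M[p]


def store(M, p, val):
    """*p = val, with the same validity check as deref()."""
    _check(M, p)
    M[p] = val


def double_add(M, a, b):
    """*a += *b; *a += *b, written as if a and b refer to different cells.
    Returns the final *a."""
    store(M, a, deref(M, a) + deref(M, b))
    store(M, a, deref(M, a) + deref(M, b))
    return deref(M, a)


def aliasing_demo():
    """Returns (result without aliasing, result with aliasing).

    Constructed layout: x at address 1, y at 2, p at 3, q at 4.
    """
    L = {"x": 1, "y": 2, "p": 3, "q": 4}
    M = make_memory(8)
    write(M, L, "x", 1)
    write(M, L, "y", 1)
    write(M, L, "p", L["x"])          # p = &x
    write(M, L, "q", L["y"])          # q = &y
    distinct = double_add(M, read(M, L, "p"), read(M, L, "q"))   # 1 + 1, then 2 + 1

    write(M, L, "x", 1)
    write(M, L, "q", L["x"])          # q = &x: p and q now alias
    aliased = double_add(M, read(M, L, "p"), read(M, L, "q"))    # 1 + 1, then 2 + 2
    return distinct, aliased


def null_deref_demo():
    """A pointer that was never assigned still holds the initial word 0 == NULL."""
    L = {"p": 1}
    M = make_memory(4)
    try:
        deref(M, read(M, L, "p"))
    except InvalidDereference:
        return "null dereference detected"
    return "no error"
```

The aliased run changes *b between the two additions because b names the same cell as a; nothing in the two lines of double_add reveals this, which is exactly why aliasing is a problem for both programmers and static analyses.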


Syntax

The syntax of a formula in pointer logic is defined by the following rules:

Here pointer-identifier denotes a variable of pointer type, and identifier denotes a variable of integer type or an array of integers.

Semantics (1/2)

The semantics is defined by referring to a memory layout L and a memory valuation M:
L: V → A is a mapping from each variable v ∈ V to an address a ∈ A;
M: A → D is a mapping from the set of addresses A into the domain D of data words.

Pointer logic formulas are predicates on (M, L) pairs, and the definition of the semantics uses a reduction to integer arithmetic and array logic. We treat M and L as array types.

Semantics (2/2)

Definition 3. Semantics of pointer logic. Let L_P denote the set of pointer logic expressions, and let L_D denote the set of expressions permitted by the logic for the data words. The function ⟦·⟧: L_P → L_D is defined recursively for e ∈ L_P. The expression e ∈ L_P is valid if and only if ⟦e⟧ is valid.

Example

Let a be an array identifier. The semantic definition of the expression expands as follows:

The last equation is obviously valid, and thus so is the original expression.


Lists (1/2)

The simplest dynamically allocated data structure is the linked list. Its structure type contains fields for a next pointer and the data.

So, how do we model a linked list in pointer logic formulas?

Lists (2/2)

We need to model the field for the next pointer, which is done with a recursive definition.

We also need the property that the last element of an acyclic list points to NULL, which requires another definition.
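As an added example (my own, not from the slides or the book), here is the recursive list predicate evaluated against a concrete memory valuation. It assumes a node layout of two consecutive cells, data at offset 0 and the next pointer at offset 1, address 0 as NULL, and M as a dictionary from addresses to words; the two heaps at the bottom are constructed inputs. The base case of the recursion is what forces the last element to point to NULL, and a cyclic structure never satisfies the predicate for any length.

```python
# Added example (not from the slides): list(p, l) checked on a concrete memory.
# Assumed layout: node at address p has data at M[p] and its next pointer at
# M[p + NEXT]; address 0 is NULL.

NULL = 0
NEXT = 1  # offset of the next field inside a node (assumption)


def nxt(M, p):
    """Follow the next field of the node at address p."""
    return M[p + NEXT]


def is_list(M, p, length):
    """list(p, length): p points to an acyclic list of exactly `length` nodes
    whose last node has next == NULL.

    Recursive definition used here:
      list(p, 0)  iff  p == NULL
      list(p, l)  iff  p != NULL and list(p->next, l - 1)   for l > 0
    The base case is exactly the requirement that the last element points to NULL.
    """
    if length == 0:
        return p == NULL
    if p == NULL or p + NEXT not in M:   # NULL or dangling: not a proper node
        return False
    return is_list(M, nxt(M, p), length - 1)


def list_length(M, p, limit):
    """Smallest l < limit with list(p, l), or None if there is none.

    A cyclic structure never reaches NULL, so it satisfies the predicate for
    no l; bounding the search by the memory size keeps the check finite.
    """
    for l in range(limit):
        if is_list(M, p, l):
            return l
    return None


def build_memory(nodes):
    """Memory valuation holding the given (address, data, next_address) nodes
    (constructed input)."""
    M = {}
    for addr, data, next_addr in nodes:
        M[addr] = data
        M[addr + NEXT] = next_addr
    return M


# Constructed heap: 10 -> 20 -> 30 -> NULL
ACYCLIC = build_memory([(10, "a", 20), (20, "b", 30), (30, "c", NULL)])
# Constructed heap: 10 -> 20 -> 10 -> ... (never reaches NULL)
CYCLIC = build_memory([(10, "a", 20), (20, "b", 10)])
```

Note that is_list terminates on the cyclic heap only because the length argument decreases on every call; a version that searched for "some length" without a bound, as the quantified formulas later in the talk do, would have to reason about the cycle rather than simply walk it.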


Applying the semantic translation

The semantic translation assigns meaning to pointer logic formulas and gives rise to a simple decision procedure. The formula generated by the semantic translation contains array read operations (recall that the memory layout L and the memory valuation M are treated as arrays), linear arithmetic for the indices, and equality over the type used for modeling the contents of the memory cells.

Decision procedure for pointer logic: first, apply the semantic translation to the pointer logic formula to obtain a formula in the combined logic of linear arithmetic and arrays; then pass that formula to the decision procedure for the combined logic.

Examples

We want to check the validity of the following pointer logic formula:

The semantic translation expands as follows:

A decision procedure for array logic and equality logic easily concludes that the formula above is valid.

Pure variables (1/2)

Sometimes the semantic translation places an undue burden on the underlying decision procedure, as illustrated by the following example:

A decision procedure for array logic and equality logic is certainly able to deduce that the translated formula is valid, but the detour through the arrays M and L is unnecessary here: none of the variables involved is ever accessed through a pointer, so they need not be translated at all.

Definition 4. Pure variables. Given a formula with a set of variables V, the subset of those variables that are not used within an argument of the & operator in the formula are called pure.

Definition 5. ⟦·⟧P. The new translation function ⟦e⟧P is identical to ⟦e⟧ unless e denotes a pure variable. For that case the new definition is:

Pure variables (2/2)

Example: with this translation the formula no longer burdens the decision procedure for array logic:
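As an added example (my own code, not the slides' or the book's), the following implements the first step of the decision procedure above, the semantic translation of Definition 3, together with the pure-variable refinement of Definitions 4 and 5, as a translation into strings over the arrays M and L. The translation rules applied (⟦v⟧ = M[L[v]], ⟦*p⟧ = M[⟦p⟧], ⟦&v⟧ = L[v], ⟦&*p⟧ = ⟦p⟧, ⟦x[i]⟧ = M[L[x] + ⟦i⟧], ⟦&x[i]⟧ = L[x] + ⟦i⟧, ⟦p + i⟧ = ⟦p⟧ + ⟦i⟧, and ⟦v⟧P = v for pure v) are those of Kroening and Strichman's book; the tuple encoding of expressions, the output format and the sample formulas F1 to F3 are constructed here.

```python
# Added example (not from the slides): the semantic translation of pointer
# logic into array logic over M and L, plus the pure-variable variant.
# Expressions are nested tuples (encoding is mine):
#   ("var", name)  ("ptr", name)  ("const", n)  ("deref", e)  ("addr", e)
#   ("index", name, e)  ("add", e1, e2)  ("eq", e1, e2)  ("and", f, g)  ("implies", f, g)


def pure_variables(formula):
    """Definition 4: variables that never occur inside an argument of &."""
    everything, under_addr = set(), set()

    def walk(e, inside_addr):
        kind = e[0]
        if kind in ("var", "ptr", "index"):
            everything.add(e[1])
            if inside_addr:
                under_addr.add(e[1])
            if kind == "index":
                walk(e[2], inside_addr)
        elif kind == "addr":
            walk(e[1], True)
        elif kind != "const":
            for sub in e[1:]:
                walk(sub, inside_addr)

    walk(formula, False)
    return everything - under_addr


def translate(e, pure=frozenset()):
    """⟦e⟧ as an array-logic string; with a non-empty `pure` set this is ⟦e⟧P."""
    kind = e[0]
    if kind == "const":
        return str(e[1])
    if kind in ("var", "ptr"):                # ⟦v⟧ = M[L[v]],  ⟦v⟧P = v if v is pure
        return e[1] if e[1] in pure else f"M[L[{e[1]}]]"
    if kind == "index":                       # ⟦x[i]⟧ = M[L[x] + ⟦i⟧]
        return f"M[L[{e[1]}] + {translate(e[2], pure)}]"
    if kind == "deref":                       # ⟦*p⟧ = M[⟦p⟧]
        return f"M[{translate(e[1], pure)}]"
    if kind == "addr":
        target = e[1]
        if target[0] in ("var", "ptr"):       # ⟦&v⟧ = L[v]
            return f"L[{target[1]}]"
        if target[0] == "index":              # ⟦&x[i]⟧ = L[x] + ⟦i⟧
            return f"L[{target[1]}] + {translate(target[2], pure)}"
        if target[0] == "deref":              # ⟦&*p⟧ = ⟦p⟧
            return translate(target[1], pure)
        raise ValueError(f"cannot take the address of a {target[0]} expression")
    if kind == "add":                         # ⟦p + i⟧ = ⟦p⟧ + ⟦i⟧
        return f"{translate(e[1], pure)} + {translate(e[2], pure)}"
    if kind == "eq":
        return f"{translate(e[1], pure)} = {translate(e[2], pure)}"
    if kind in ("and", "implies"):
        op = "/\\" if kind == "and" else "->"
        return f"({translate(e[1], pure)}) {op} ({translate(e[2], pure)})"
    raise ValueError(f"unknown node kind {kind!r}")


def translate_pure(formula):
    """⟦formula⟧P: Definition 5 applied with the pure variables of Definition 4."""
    return translate(formula, frozenset(pure_variables(formula)))


def trivially_valid(formula, pure=frozenset()):
    """The case of the slides' array example: an equality whose two sides
    translate to the same term is valid with no further reasoning."""
    return formula[0] == "eq" and translate(formula[1], pure) == translate(formula[2], pure)


# Constructed formulas.
# F1:  p = &x  ->  *p = x          (x is under &, so only p is pure)
F1 = ("implies",
      ("eq", ("ptr", "p"), ("addr", ("var", "x"))),
      ("eq", ("deref", ("ptr", "p")), ("var", "x")))
# F2:  x = y /\ y = z  ->  x = z   (no & at all: every variable is pure)
F2 = ("implies",
      ("and", ("eq", ("var", "x"), ("var", "y")), ("eq", ("var", "y"), ("var", "z"))),
      ("eq", ("var", "x"), ("var", "z")))
# F3:  *(&a[1]) = a[1]            (both sides become the same array read)
F3 = ("eq",
      ("deref", ("addr", ("index", "a", ("const", 1)))),
      ("index", "a", ("const", 1)))
```

translate(F2) produces a formula over six array reads that a combined array/equality solver must relate through congruence; translate_pure(F2) produces the equality-logic formula x = y /\ y = z -> x = z directly, which is the saving the slides describe. For F1 the pointer p stays a plain variable under ⟦·⟧P while x, whose address is taken, still goes through M and L.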


Reachability predicate (1/2)

Definition 6. The pointer f^n(q) is the pointer obtained by starting from q and following the field f n times.

Definition 7. Reachability predicate. A predicate is called a reachability predicate if it satisfies the following two conditions: there exists some n such that q is reachable from p by following f n times, and q is not reachable from p in fewer than n steps.

Reachability predicate (2/2)

We say that a formula is a reachability predicate formula if it contains the reachability predicate. Reachability predicate formulas often have quantifiers, which make the decision problem much harder. In general, there is no complete automatic decision procedure for a logic that includes a reachability predicate.