lazy heap analysis with symbolic memory graphs
play

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer - PowerPoint PPT Presentation

Mar 29, 2024 •162 likes •412 views

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

  1. Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer

  2. Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic Memory Graphs 5. Challenges and conclusion

  3. Motivation ● Use symbolic memory graphs to verify programs with complex heap structures ● Use abstraction to be able to check all possible states of a program for the specified safety property ● Use abstraction refinement to find a level of abstraction that is as coarse as possible while still fine enough to eliminate all spurious safety property violation

  4. Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic Memory Graphs 5. Challenges and conclusion

  5. CPAchecker CPAchecker program + specification CFA ARG 5 @ N2 1 int main() { main 2 [] 2 Line 9: int a; int a; 3 int a = nondet_int(); 6 @ N3 3 main [] 5 a = nondet(); Line 9: a = __VERIFIER_nondet_int(); 6 if(a == 5) { 7 @ N4 4 main 7 a = 7; [] [a != 5] [a == 5] 8 } else { Line 11: [!(a == 5)] Line 11: [a == 5] 7 6 9 a = 6; 9 @ N7 8 @ N6 main main [] [main::a=5] 10 } a = 6; a = 7; Line 14: a = 6; Line 12: a = 7; 11 } 10 @ N9 13 @ N8 main main 9 8 [main::a=6] [main::a=7] Line 14: Line 15: 11 @ N5 14 @ N5 5 main main [main::a=6] [main::a=7] default return; Line 15: default return Line 15: default return 12 @ N0 15 @ N0 0 main exit main exit [main::a=6] [main::a=7]

  6. Symbolic Memory Graph (SMG) ● Represents sets of heap graphs of a program at a program location ● Supports read and write operations, join of smgs, checking values for equality and inequality, and list abstraction ● Detects memory leaks and invalid read, write or free operations

  8. Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic Memory Graphs 5. Challenges and conclusion

  9. List Abstraction ● Used to handle infinitely recursive list segments ● Heap objects are abstracted to list segments and the sub-graphs of the heap objects are joined together ● Whether to execute a possible list abstraction depends on the number of heap objects that can be abstracted into a list, and the loss of information when joining their sub graphs

  13. SMG Precision ● Determines the level of abstraction of a program verification with symbolic memory graphs ● Consist of sets of memory locations, memory paths and locks for list abstractions for every program location ● Adjusts symbolic memory graphs of abstract states in the ARG after each calculation of new abstract states for the ARG

  15. Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic Memory Graphs 5. Challenges and conclusion

  16. Counterexample guided abstraction refinement ● Method to obtain a good level of abstraction for an analysis for a program ● 1 Step Abstraction : Construct an abstract model of the program ● 2 Step Verification: Check if the model violates a chosen safety property ● 3 Step Refinement: Refine the level of abstraction based on a found spurious counterexample

  17. CEGAR with Symbolic Memory Graphs ● Use SMG precision to determine the level of abstraction for Step 1 ● Use the full SMG precision on a path to check if a found counterexample is feasible for Step 2 ● Use the flow dependence of the SMGs of the spurious counterexample to calculate the new SMG precision for step 3

  18. Lazy Abstraction ● Used to improve performance of Counterexample guided abstraction refinement ● Instead of continuously recalculating the abstract model after each refinement step, calculate the model and the refinement of the model on the fly

  19. Lazy Abstraction

  20. Example

  23. Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic Memory Graphs 5. Challenges and conclusion

  24. Challenges And Conclusion ● Finding a better refinement method for list abstractions ● A method to reduce the loss of information when writing to program location that is not known at the current level of abstraction ● Heap abstraction for trees and other data structures

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Shape Analysis via Symbolic Memory Graphs and Conversion from Pointers to Containers Kamil Dudka

Shape Analysis via Symbolic Memory Graphs and Conversion from Pointers to Containers Kamil Dudka

Shape Analysis via Symbolic Memory Graphs and Conversion from Pointers to Containers Kamil Dudka Luk a s Hol k Petr Peringer Marek Trt k Tom a s Vojnar Brno University of Technology, Czech Republic Dagstuhl, 2/11/2015

516 views • 50 slides
Symbolic Memory Graphs invariant and corresponding optimizations for SMGCPA Anton Vasilyev

Symbolic Memory Graphs invariant and corresponding optimizations for SMGCPA Anton Vasilyev

Symbolic Memory Graphs invariant and corresponding optimizations for SMGCPA Anton Vasilyev Ivannikov Institute for System Programming of the RAS Symbolic Memory Graph void main() { S t a c k void *array; # 1 : v o i d m a i n

289 views • 16 slides
EDA045F: Program Analysis LECTURE 6: DATALOG Christoph Reichenbach In the last lecture. . .

EDA045F: Program Analysis LECTURE 6: DATALOG Christoph Reichenbach In the last lecture. . .

EDA045F: Program Analysis LECTURE 6: DATALOG Christoph Reichenbach In the last lecture. . . Pointer Analysis Points-To Analysis Alias Analysis Concrete Heap Graphs Abstract Heap Graphs Access Paths Heap Summarisation

822 views • 53 slides
Interprocedural Heap Analysis using Access Graphs and Value Contexts with applications to

Interprocedural Heap Analysis using Access Graphs and Value Contexts with applications to

Interprocedural Heap Analysis using Access Graphs and Value Contexts with applications to liveness-based garbage collection Rohan Padhye under the guidance of Prof. Uday Khedker Department of Computer Science & Engineering Indian

1.58k views • 142 slides
Symbolic Heap Abstraction with Demand-Driven Axiomatization of Memory Invariants Isil Dillig

Symbolic Heap Abstraction with Demand-Driven Axiomatization of Memory Invariants Isil Dillig

Symbolic Heap Abstraction with Demand-Driven Axiomatization of Memory Invariants Isil Dillig Thomas Dillig Alex Aiken Stanford University Isil Dillig Thomas Dillig Alex Aiken Symbolic Heap Abstraction with Demand-Driven Axiomatization

1.62k views • 123 slides
Symbolic Reachability Analysis of Lazy Linear Hybrid Automata Susmit Jha, Bryan Brady and

Symbolic Reachability Analysis of Lazy Linear Hybrid Automata Susmit Jha, Bryan Brady and

Symbolic Reachability Analysis of Lazy Linear Hybrid Automata Susmit Jha, Bryan Brady and Sanjit A. Seshia Traditional Hybrid Automata Traditional Hybrid Automata do not model delay and finite precision in sensing and actuation PLANT

580 views • 33 slides
Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 ,

Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 ,

Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 , Anastasios Papagiannis 1 , Foivos Zakkak 2 , Polyvios Pratikakis 1 , and Angelos Bilas 1 1 University of Crete & Foundation of Research and

457 views • 19 slides
Dynamic Memory Allocation in the Heap (malloc and free) Explicit allocators (a.k.a. manual memory

Dynamic Memory Allocation in the Heap (malloc and free) Explicit allocators (a.k.a. manual memory

Dynamic Memory Allocation in the Heap (malloc and free) Explicit allocators (a.k.a. manual memory management) Heap Allocation Addr Perm Contents Managed by Initialized Stack 2 N -1 RW Procedure context Compiler Run-time Programmer,

565 views • 31 slides
A non-moving collector Organization of heap memory in GC Heap memory falls in 4 sets in a GC

A non-moving collector Organization of heap memory in GC Heap memory falls in 4 sets in a GC

A non-moving collector Organization of heap memory in GC Heap memory falls in 4 sets in a GC world Scanned objects Visited but unscanned objects Objects not yet visited Free space Semi-space copying collector attempts to

240 views • 13 slides
Dynamic Memory Overview Dynamically allocated memory is stored in the Heap-section of

Dynamic Memory Overview Dynamically allocated memory is stored in the Heap-section of

Dynamic Memory Overview Dynamically allocated memory is stored in the Heap-section of memory. It is solely controlled by the programmer (unlike, for example, stack frames or read-only data). As a result, it is the programmers

269 views • 15 slides
the stack & the heap hic 1 memory management So far: data representations: how are

the stack & the heap hic 1 memory management So far: data representations: how are

memory management the stack & the heap hic 1 memory management So far: data representations: how are individual data elements represented in memory? pointers and pointer arithmetic to find out where data is allocated Now: memory

230 views • 21 slides
Last week Data can be allocated on the stack or on the heap (aka dynamic memory) or on the heap

Last week Data can be allocated on the stack or on the heap (aka dynamic memory) or on the heap

Last week Data can be allocated on the stack or on the heap (aka dynamic memory) or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return ll d d h t f() {

605 views • 25 slides
Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean

11/27/2011 Heap Cloning: Enabling Dynamic Symbolic Execution of Java Programs Saswat Anand Mary Jean Harrold Supported by NSF (CCF-0725202, CCF-0541048) and IBM (Software Quality Innovation Award) Symbolic Execution 35 Databases 30

558 views • 22 slides
Dynamic Memory Allocation in the Heap (malloc and free) Now: Explicit allocators (a.k.a. manual

Dynamic Memory Allocation in the Heap (malloc and free) Now: Explicit allocators (a.k.a. manual

Dynamic Memory Allocation in the Heap (malloc and free) Now: Explicit allocators (a.k.a. manual memory management) Later: implicit allocators (a.k.a. automatic memory management) Heap Allocation Addr Perm Contents Managed by Initialized

420 views • 31 slides
Symbolic Bayesian inference by lazy partial evaluation Chung-chieh Shan (Indiana University)

Symbolic Bayesian inference by lazy partial evaluation Chung-chieh Shan (Indiana University)

Symbolic Bayesian inference by lazy partial evaluation Chung-chieh Shan (Indiana University) Norman Ramsey (Tufts University) November 2015 This research was supported by DARPA grants FA8750-14-2-0007 and FA8750-14-C-0002, NSF grant

721 views • 34 slides
Virtual Memory Thierry Sans The problem of managing the memory How to make programs and

Virtual Memory Thierry Sans The problem of managing the memory How to make programs and

Virtual Memory Thierry Sans The problem of managing the memory How to make programs and execution contexts co- stack B exists in memory? heap B Placing multiple execution contexts (stack and heap) prog B at random locations in memory is

604 views • 29 slides
iPod Usage Study Quantitative Research Report Prepared for Apple iPod Team December 4, 2015

iPod Usage Study Quantitative Research Report Prepared for Apple iPod Team December 4, 2015

iPod Usage Study Quantitative Research Report Prepared for Apple iPod Team December 4, 2015 Alexander Katherine Valerie Kevin Maya Dfouni Hayes Laufer Ng Porter Background: History of the iPod 1997: iPod development started

1.02k views • 87 slides
Open Source SQL databases enters millions queries per second era Alexander Korotkov, Sveta

Open Source SQL databases enters millions queries per second era Alexander Korotkov, Sveta

Open Source SQL databases enters millions queries per second era Alexander Korotkov, Sveta Smirnova Postgres Professional, Percona 2016 Alexander Korotkov, Sveta Smirnova Open Source SQL databases enters millions queries per second era 1 / 33

611 views • 35 slides
NOvA Beam Stability Alexander Radovic College of William and Mary Justin Vasel Indiana

NOvA Beam Stability Alexander Radovic College of William and Mary Justin Vasel Indiana

NOvA Beam Stability Alexander Radovic College of William and Mary Justin Vasel Indiana University Alexander Radovic NOvA Beam Stability 1 Introduction NOvA offers another view of the NuMI beam, and potentially another way to spot beam

241 views • 6 slides
Mass dependence of the heavy quark potential and its effects on quarkonium states Alexander

Mass dependence of the heavy quark potential and its effects on quarkonium states Alexander

Mass dependence of the heavy quark potential and its effects on quarkonium states Alexander Laschka Norbert Kaiser Wolfram Weise Physik Department Technische Universit at M unchen XIV International Conference on Hadron Spectroscopy

544 views • 16 slides
NANCY DUARTE Alexander Zandelov & Julia Panek || Interaction Engeneering || Prof. Dr. Michael

NANCY DUARTE Alexander Zandelov & Julia Panek || Interaction Engeneering || Prof. Dr. Michael

NANCY DUARTE Alexander Zandelov & Julia Panek || Interaction Engeneering || Prof. Dr. Michael Kipp || Hochschule Augsburg || WS 2015/16 Alexander Zandelov & Julia Panek || Interaction Engeneering || Prof. Dr. Michael Kipp || Hochschule

287 views • 18 slides
Design Patterns: Background Design Patterns: Background Five Principles (revisited)

Design Patterns: Background Design Patterns: Background Five Principles (revisited)

Five Principles (revisited) Design Patterns: Background Design Patterns: Background Five Principles (revisited) Architectural design patterns Architectural design patterns 1. 1. Single Single- - Responsibility Principle

88 views • 5 slides
Software Engineering I cs361 Announcements Friday Extra office hour of Coding Lab 2-3pm

Software Engineering I cs361 Announcements Friday Extra office hour of Coding Lab 2-3pm

Software Engineering I cs361 Announcements Friday Extra office hour of Coding Lab 2-3pm CI instructions added to Assignment 3 travis-ci.ORG http://www.umlet.com/ umletino/umletino.html Design Patterns Attribution Much of

417 views • 41 slides
Christopher Alexanders Thought and Eastern Philosophy Zen, Mindfulness and Egoless Creation

Christopher Alexanders Thought and Eastern Philosophy Zen, Mindfulness and Egoless Creation

PUARL2018 Conference Christopher Alexanders Thought and Eastern Philosophy Zen, Mindfulness and Egoless Creation with a Pattern Language Takashi Iba Professor at Faculty of Policy Management, Keio University Ph.D in Media and Governance

730 views • 43 slides

More recommend