Symbolic Memory Graphs invariant and corresponding optimizations for SMGCPA Anton Vasilyev Ivannikov Institute for System Programming of the RAS
Symbolic Memory Graph
void main() {
  void *array;
  long b = 2;
  long c = 3;
  array = calloc(1, 16);
  memcpy(&array[4], &b, 4);
  memcpy(&array[5], &c, 4);
}
Stack #1: void main();
REGION(array, 4B)
level=0
Location: void *array;
Symbolic Memory Graph
void main() {
  void *array;
  long b = 2;
  long c = 3;
  array = calloc(1, 16);
  memcpy(&array[4], &b, 4);
  memcpy(&array[5], &c, 4);
}
Stack #1: void main();
REGION(b, 4B)  REGION(array, 4B)
level=0  level=0
[0B-4B]
#1: 2
Location: long b = 2;
Symbolic Memory Graph
void main() {
  void *array;
  long b = 2;
  long c = 3;
  array = calloc(1, 16);
  memcpy(&array[4], &b, 4);
  memcpy(&array[5], &c, 4);
}
Stack #1: void main();
REGION(b, 4B)  REGION(c, 4B)  REGION(array, 4B)
level=0  level=0  level=0
[0B-4B]  [0B-4B]
#1: 2  #2: 3
Location: long c = 3;
Symbolic Memory Graph
void main() {
  void *array;
  long b = 2;
  long c = 3;
  array = calloc(1, 16);
  memcpy(&array[4], &b, 4);
  memcpy(&array[5], &c, 4);
}
Stack #1: void main();
REGION(b, 4B)  REGION(c, 4B)  REGION(array, 4B)
level=0  level=0  level=0
[0B-4B]  [0B-4B]  [0B-4B]
#1: 2  #2: 3  #4
+0B, reg
REGION(calloc_ID3_Line:12, 16B) level=0
[0B-16B]
NULL
Location: array = calloc(1, 16);
Symbolic Memory Graph
void main() {
  void *array;
  long b = 2;
  long c = 3;
  array = calloc(1, 16);
  memcpy(&array[4], &b, 4);
  memcpy(&array[5], &c, 4);
}
Stack #1: void main();
REGION(b, 4B)  REGION(c, 4B)  REGION(array, 4B)
level=0  level=0  level=0
[0B-4B]  [0B-4B]
#2: 3  #4
[0B-4B]  +0B, reg
REGION(calloc_ID3_Line:12, 16B) level=0
[4B-8B]  [8B-16B]  [0B-4B]
#1: 2  NULL  NULL
Location: memcpy(&(array[4]), &b, 4UL);
Symbolic Memory Graph
void main() {
  void *array;
  long b = 2;
  long c = 3;
  array = calloc(1, 16);
  memcpy(&array[4], &b, 4);
  memcpy(&array[5], &c, 4);
}
Stack #1: void main();
REGION(b, 4B)  REGION(c, 4B)  REGION(array, 4B)
level=0  level=0  level=0
[0B-4B]  [0B-4B]
#1: 2  #4
[0B-4B]  +0B, reg
REGION(calloc_ID3_Line:12, 16B) level=0
[5B-9B]  [0B-4B]  [9B-16B]
#2: 3  NULL  NULL
Location: memcpy(&(array[5]), &c, 4UL);
Symbolic Values
● Values
Stack #1: void main();
REGION(b, 4B)  REGION(c, 4B)  REGION(array, 4B)
level=0  level=0  level=0
[0B-4B]  [0B-4B]
#1: 2  #4
[0B-4B]  +0B, reg
REGION(calloc_ID3_Line:12, 16B) level=0
[5B-9B]  [0B-4B]  [9B-16B]
#2: 3  NULL  NULL
Location: memcpy(&(array[5]), &c, 4UL);
Symbolic Values
● Values
● Pointers
Stack #1: void main();
REGION(b, 4B)  REGION(c, 4B)  REGION(array, 4B)
level=0  level=0  level=0
[0B-4B]  [0B-4B]
#1: 2  #4
[0B-4B]  +0B, reg
REGION(calloc_ID3_Line:12, 16B) level=0
[5B-9B]  [0B-4B]  [9B-16B]
#2: 3  NULL  NULL
Location: memcpy(&(array[5]), &c, 4UL);
Invariant of Memory Graph
● Separate values for an object don't intersect (in the example, the 4-byte write at offset 5 overlaps the value previously stored at [4B-8B], and the diagram no longer shows the [4B-8B] edge once [5B-9B] is written)
Stack #1: void main();
REGION(b, 4B)  REGION(c, 4B)  REGION(array, 4B)
level=0  level=0  level=0
[0B-4B]  [0B-4B]
#1: 2  #4
[0B-4B]  +0B, reg
REGION(calloc_ID3_Line:12, 16B) level=0
[5B-9B]  [0B-4B]  [9B-16B]
#2: 3  NULL  NULL
Location: memcpy(&(array[5]), &c, 4UL);
Invariant of Memory Graph
● Separate values for an object don't intersect
● Use an immutable collection sorted by objects and offsets
Stack #1: void main();
REGION(b, 4B)  REGION(c, 4B)  REGION(array, 4B)
level=0  level=0  level=0
[0B-4B]  [0B-4B]
#1: 2  #4
[0B-4B]  +0B, reg
REGION(calloc_ID3_Line:12, 16B) level=0
[5B-9B]  [0B-4B]  [9B-16B]
#2: 3  NULL  NULL
Location: memcpy(&(array[5]), &c, 4UL);
Join based on object +
Join based on object + ● Fast check on equivalence of HasValueEdgeSet on selected objects
Results

| | Trunk | Trunk soundness | Branch |
|---|---|---|---|
| Correct true | 147 | 76 | 69 |
| Correct false | 115 | 108 | 100 |
| Incorrect true | 6 | 1 | 0 |
| Incorrect false | 28 | 22 | 83 |
| Timeouts | 81 | 147 | 108 |
| Exceptions | 4 | 26 | 1 |
Results. Branch vs fixed Trunk
Future work
● Mathematical proof of correctness
● Abstractions for strings, arrays, sets of values, work with loops
● Symbolic size and offset
● Refactor predicate extension
● Refactor storage of pointers
● Repair communication between explicit and symbolic values
● Merge branches