Symbolic Memory Graphs invariant and corresponding optimizations

SLIDE 1

Ivannikov Institute for System Programming of the RAS

Symbolic Memory Graphs invariant and corresponding optimizations for SMGCPA

Anton Vasilyev

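SLIDE 2

Symbolic Memory Graph

    #include <stdlib.h>   /* calloc */
    #include <string.h>   /* memcpy */

    void main() {
        void *array;
        long b = 2;
        long c = 3;
        array = calloc(1, 16);        /* 16 zeroed bytes on the heap */
        memcpy(&array[4], &b, 4);     /* 4 bytes at byte offset 4 (void * indexing is a GNU C extension) */
        memcpy(&array[5], &c, 4);     /* 4 bytes at byte offset 5, overlapping the first write */
    }

[Figure: memory graph at location "void *array;". Stack #1: void main(); REGION(array, 4B).]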

SLIDE 3

Symbolic Memory Graph

Program: as on slide 2.

[Figure: memory graph at location "long b = 2;". Stack #1: void main(); REGION(b, 4B); REGION(array, 4B). Values: #1: 2 [0B-4B].]

SLIDE 4

Symbolic Memory Graph

Program: as on slide 2.

[Figure: memory graph at location "long c = 3;". Stack #1: void main(); REGION(b, 4B); REGION(c, 4B); REGION(array, 4B). Values: #1: 2 [0B-4B]; #2: 3 [0B-4B].]

SLIDE 5

Symbolic Memory Graph

Program: as on slide 2.

[Figure: memory graph at location "array = calloc(1, 16);". Stack #1: void main(); REGION(b, 4B); REGION(c, 4B); REGION(array, 4B). Values: #1: 2 [0B-4B]; #2: 3 [0B-4B]; #4 [0B-4B]. Heap: REGION(calloc_ID3_Line:12, 16B) with NULL [0B-16B]; pointer edge "+0B, reg".]

SLIDE 6

Symbolic Memory Graph

Program: as on slide 2.

[Figure: memory graph at location "memcpy(&(array[4]), &b, 4UL);". Stack #1: void main(); REGION(b, 4B); REGION(c, 4B); REGION(array, 4B). Values: #1: 2 [0B-4B]; #2: 3 [0B-4B]; #4 [0B-4B]. Heap: REGION(calloc_ID3_Line:12, 16B) with value edge [4B-8B], NULL [8B-16B], NULL [0B-4B]; pointer edge "+0B, reg".]

SLIDE 7

Symbolic Memory Graph

Program: as on slide 2.

[Figure: memory graph at location "memcpy(&(array[5]), &c, 4UL);". Stack #1: void main(); REGION(b, 4B); REGION(c, 4B); REGION(array, 4B). Values: #1: 2 [0B-4B]; #2: 3 [0B-4B]; #4 [0B-4B]. Heap: REGION(calloc_ID3_Line:12, 16B) with value edge [5B-9B], NULL [0B-4B], NULL [9B-16B]; pointer edge "+0B, reg".]

SLIDE 8

Symbolic Values

  • Values

[Figure: the memory graph at location "memcpy(&(array[5]), &c, 4UL);", as on slide 7.]

SLIDE 9

Symbolic Values

  • Values
  • Pointers

[Figure: the memory graph at location "memcpy(&(array[5]), &c, 4UL);", as on slide 7.]

SLIDE 10

Invariant of Memory Graph

  • Separate values for an object don't intersect

[Figure: the memory graph at location "memcpy(&(array[5]), &c, 4UL);", as on slide 7.]

SLIDE 11

Invariant of Memory Graph

  • Separate values for an object don't intersect
  • Use an immutable collection sorted by objects and offsets

[Figure: the memory graph at location "memcpy(&(array[5]), &c, 4UL);", as on slide 7.]

SLIDE 12

Join based on object

+

SLIDE 13

Join based on object

+

  • Fast check on equivalence of HasValueEdgeSet on selected objects
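The non-intersection invariant of slides 10-11 and the edge-set comparison of slide 13, as an added Python example that is not SMGCPA's own code: it replays the heap writes of slides 5-7 on an immutable, sorted tuple of has-value edges. The `Edge` type, the function names, the value ids and the rule that an overlapped non-NULL value is dropped are assumptions modelled on the graphs of slides 6 and 7.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Edge:                      # one has-value edge; field order is the sort key
    obj: str                     # memory object label
    offset: int                  # start offset in bytes
    size: int                    # width in bytes
    value: str                   # symbolic value id ("NULL", "#1", ...), illustrative

    @property
    def end(self):
        return self.offset + self.size

def check_invariant(edges):
    """True if edges are strictly sorted by (object, offset) and never overlap."""
    for prev, cur in zip(edges, edges[1:]):
        if (prev.obj, prev.offset) >= (cur.obj, cur.offset):
            return False
        if prev.obj == cur.obj and prev.end > cur.offset:
            return False
    return True

def write(edges, obj, offset, size, value):
    """Return a NEW sorted tuple with value stored at [offset, offset+size) of obj."""
    new, kept = Edge(obj, offset, size, value), []
    for e in edges:
        if e.obj != obj or e.end <= offset or new.end <= e.offset:
            kept.append(e)                       # no overlap: keep unchanged
        elif e.value == "NULL":                  # zeroed block: keep uncovered parts
            if e.offset < offset:
                kept.append(Edge(obj, e.offset, offset - e.offset, "NULL"))
            if new.end < e.end:
                kept.append(Edge(obj, new.end, e.end - new.end, "NULL"))
        # any other overlapped value is dropped (assumed rule, matching slides 6-7)
    result = tuple(sorted(kept + [new]))
    assert check_invariant(result)
    return result

def same_edges(a, b, objects):
    """Equivalence of two edge sets restricted to the selected objects."""
    return [e for e in a if e.obj in objects] == [e for e in b if e.obj in objects]

def slide_example():
    heap = "calloc_ID3_Line:12"                  # region label from the slides
    g0 = (Edge(heap, 0, 16, "NULL"),)            # after calloc(1, 16)
    g1 = write(g0, heap, 4, 4, "#1")             # memcpy(&array[4], &b, 4)
    g2 = write(g1, heap, 5, 4, "#2")             # memcpy(&array[5], &c, 4)
    return g0, g1, g2
```

Because both edge sets are already sorted and free of overlaps, comparing the per-object slices is a single linear pass with no normalisation step.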

SLIDE 14

Results

Columns: Trunk, Trunk soundness, Branch

Correct true: 147, 76, 69
Correct false: 115, 108, 100
Incorrect true: 6, 1
Incorrect false: 28, 22, 83
Timeouts: 81, 147, 108
Exceptions: 4, 26, 1

SLIDE 15

Results. Branch vs fixed Trunk

SLIDE 16

Future work

  • Mathematical proof of correctness
  • Abstractions for strings, arrays, sets of values, work with loops
  • Symbolic size and offset
  • Refactor predicate extension
  • Refactor storage of pointers
  • Repair communication between explicit and symbolic values
  • Merge branches