the penultimate challenge bug report construction in the
play

The Penultimate Challenge: Bug report construction in the Clang - PowerPoint PPT Presentation

Jan 16, 2023 •158 likes •1.91k views

The Penultimate Challenge: Bug report construction in the Clang Static Analyzer Kristf Umann dkszelethus@gmail.com Etvs Lornd University, Budapest Ericsson Hungary 2019. oct. 22. 2/38 Clear, precise bug reports are important One of

  1. [B5 (ENTRY)] [B1] foo: [B0 (EXIT)] [B0 (EXIT)] [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 x == nullptr; [B4] if (flag) foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; 8/38 flag ∈ ( −∞ , ∞ ) ;

  2. [B5 (ENTRY)] x == nullptr; foo: [B0 (EXIT)] [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 [B1] 8/38 [B4] if (flag) foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; flag ∈ ( −∞ , ∞ ) ;

  3. [B5 (ENTRY)] [B4] foo: [B0 (EXIT)] [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 [B1] x == nullptr; if (flag) foo(); [B2] if (flag) foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; 8/38 flag ∈ ( −∞ , ∞ ) ;

  4. [B5 (ENTRY)] [B4] foo: [B0 (EXIT)] [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] dereference of x! x == nullptr; *x = 5 [B1] *x = 5 [B1] if (flag) foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; 8/38 flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ;

  5. The ExplodedGraph Contains everything the analyzer learned during symbolic execution All explored paths of execution Every symbolic value in every program state 9/38

  6. [B5 (ENTRY)] flag = 0 x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! *x = 5 x = (heap allocated object) x = nullptr *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr [B5 (ENTRY)] x = nullptr (after the call to foo ) main: [B4] int *x = 0; flag = 1; foo(); if (flag) [B3] x = new int; [B2] foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] 10/38 flag = 1 [B1] flag = coin(); x = nullptr [B2 (ENTRY)] [B0 (EXIT)] foo: flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  7. [B5 (ENTRY)] dereference of x! (after the call to foo ) [B4] x = nullptr x = nullptr x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = 5 flag = 1 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr 10/38 x = nullptr flag = 1 int *x = 0; flag = 1; foo(); if (flag) [B4] int *x = 0; flag = 1; foo(); if (flag) [B3] x = new int; [B2] foo(); if (flag) flag = coin(); [B2 (ENTRY)] *x = 5 foo: [B0 (EXIT)] main: [B1] [B0 (EXIT)] [B1] flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  8. [B5 (ENTRY)] flag = 0 x = nullptr x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! *x = 5 x = (heap allocated object) x = nullptr *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr [B4] 10/38 (after the call to foo ) [B1] int *x = 0; flag = 1; foo(); if (flag) [B3] x = new int; [B2] foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] main: x = nullptr flag = coin(); [B2 (ENTRY)] x = nullptr [B0 (EXIT)] foo: flag = 1 flag = 1 flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  9. [B5 (ENTRY)] *x = 5 [B4] x = nullptr x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! flag = 0 (after the call to foo ) x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr 10/38 x = nullptr [B1] int *x = 0; flag = 1; foo(); if (flag) [B3] x = new int; [B2] foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] main: flag = 1 flag = coin(); [B2 (ENTRY)] flag = 1 [B2 (ENTRY)] [B0 (EXIT)] foo: x = nullptr flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  10. [B5 (ENTRY)] *x = 5 [B4] x = nullptr x = nullptr x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! flag = 0 x = nullptr x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr (after the call to foo ) 10/38 (after the call to foo ) flag = coin(); [B1] *x = 5 [B0 (EXIT)] main: [B1] [B2] flag = coin(); [B1] x = new int; [B3] [B2 (ENTRY)] foo(); [B0 (EXIT)] if (flag) foo: foo(); flag = 1 flag = 1; x = nullptr flag = 1 x = nullptr int *x = 0; if (flag) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  11. [B5 (ENTRY)] *x = 5 [B4] x = nullptr x = nullptr x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! flag = 0 x = nullptr x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr (after the call to foo ) 10/38 [B1] if (flag) [B1] *x = 5 [B0 (EXIT)] main: [B2] x = new int; flag = coin(); [B2 (ENTRY)] [B3] [B0 (EXIT)] foo(); [B0 (EXIT)] foo: foo(); flag = 1 flag = 1; x = nullptr flag = 1 int *x = 0; x = nullptr (after the call to foo ) if (flag) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  12. [B5 (ENTRY)] *x = 5 [B4] x = nullptr x = nullptr x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! flag = 0 x = nullptr x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr (after the call to foo ) 10/38 [B1] if (flag) foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] main: [B3] flag = coin(); [B2 (ENTRY)] foo(); x = new int; [B0 (EXIT)] foo: flag = 1 flag = 1; x = nullptr int *x = 0; flag = 1 x = nullptr (after the call to foo ) [B2] flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  13. [B5 (ENTRY)] dereference of x! x = nullptr [B4] x = nullptr x = nullptr x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = 5 x = nullptr flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr (after the call to foo ) (after the call to foo ) flag = 1 foo(); if (flag) foo(); [B2] x = new int; [B3] if (flag) flag = 1; *x = 5 int *x = 0; [B4] if (flag) foo(); flag = 1; int *x = 0; x = nullptr [B1] 10/38 [B0 (EXIT)] flag = 1 [B0 (EXIT)] main: [B1] flag = coin(); [B2 (ENTRY)] foo: flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  14. [B5 (ENTRY)] dereference of x! [B4] x = nullptr x = nullptr x = nullptr x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = 5 x = nullptr flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr (after the call to foo ) 10/38 x = new int; flag = coin(); [B2] foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] x = new int; main: [B1] [B3] if (flag) [B2 (ENTRY)] [B3] [B0 (EXIT)] foo(); foo: flag = 1; flag = 1 int *x = 0; x = nullptr flag = 1 x = nullptr (after the call to foo ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  15. [B5 (ENTRY)] x = (heap allocated object) x = nullptr [B4] x = nullptr x = nullptr x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined dereference of x! x = nullptr *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr (after the call to foo ) 10/38 main: [B2 (ENTRY)] foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] [B3] [B1] x = new int; [B3] flag = coin(); [B0 (EXIT)] x = new int; if (flag) foo: flag = 1 foo(); x = nullptr flag = 1; flag = 1 x = nullptr (after the call to foo ) int *x = 0; [B2] flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  16. [B5 (ENTRY)] dereference of x! [B4] x = nullptr x = nullptr x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = 5 x = nullptr flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr (after the call to foo ) x = nullptr 10/38 [B0 (EXIT)] int *x = 0; flag = 1; foo(); if (flag) [B3] x = new int; [B2] foo(); if (flag) [B2] foo(); if (flag) [B1] *x = 5 main: [B1] flag = 1 (after the call to foo ) x = nullptr flag = coin(); [B2 (ENTRY)] flag = 1 [B0 (EXIT)] foo: x = nullptr flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  17. [B5 (ENTRY)] dereference of x! [B4] x = nullptr x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = 5 (after the call to foo ) flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr x = nullptr x = nullptr [B2 (ENTRY)] int *x = 0; flag = 1; foo(); if (flag) [B3] x = new int; [B2] foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] main: [B1] flag = coin(); 10/38 flag = 1 (after the call to foo ) flag = 1 x = nullptr x = nullptr foo: [B0 (EXIT)] flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  18. [B5 (ENTRY)] dereference of x! [B4] x = nullptr x = nullptr x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = 5 (after the call to foo ) flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr 10/38 x = nullptr [B2 (ENTRY)] int *x = 0; flag = 1; foo(); if (flag) [B3] x = new int; [B2] foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] main: [B1] flag = coin(); flag = 1 x = nullptr [B2 (ENTRY)] [B0 (EXIT)] foo: flag = 1 x = nullptr (after the call to foo ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  19. [B5 (ENTRY)] x = (heap allocated object) [B4] x = nullptr x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined dereference of x! x = nullptr *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr 10/38 (after the call to foo ) [B3] [B1] *x = 5 [B0 (EXIT)] main: [B1] [B2] flag = coin(); [B1] x = new int; flag = coin(); [B2 (ENTRY)] [B0 (EXIT)] if (flag) foo(); foo: flag = 1 x = nullptr foo(); flag = 1 x = nullptr flag = 1; (after the call to foo ) int *x = 0; x = nullptr if (flag) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  20. [B5 (ENTRY)] x = (heap allocated object) [B4] x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined dereference of x! x = nullptr *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr x = nullptr (after the call to foo ) if (flag) flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 [B1] foo(); [B0 (EXIT)] [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; [B2 (ENTRY)] 10/38 [B0 (EXIT)] flag = 1 x = nullptr x = nullptr flag = 1 x = nullptr (after the call to foo ) foo: flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  21. [B5 (ENTRY)] x = (heap allocated object) [B4] x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined dereference of x! x = nullptr *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr x = nullptr 10/38 foo(); [B1] main: [B0 (EXIT)] *x = 5 [B1] if (flag) [B2] [B0 (EXIT)] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; flag = coin(); [B2 (ENTRY)] foo: x = nullptr (after the call to foo ) x = nullptr x = nullptr flag = 1 (after the call to foo ) flag = 1 flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  22. [B5 (ENTRY)] *x = undefined x = nullptr [B4] x = nullptr x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) x = (heap allocated object) (after the call to foo ) dereference of x! *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr 10/38 x = nullptr [B3] [B2] foo(); if (flag) [B1] *x = 5 [B2] [B0 (EXIT)] main: x = new int; [B1] flag = coin(); [B2 (ENTRY)] if (flag) foo(); [B0 (EXIT)] foo: flag = 1 foo(); x = nullptr flag = 1 flag = 1; x = nullptr (after the call to foo ) int *x = 0; if (flag) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  23. [B5 (ENTRY)] dereference of x! x = nullptr [B4] x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = 5 x = nullptr x = (heap allocated object) dereference of x! *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr 10/38 flag = coin(); flag = 1 *x = 5 [B0 (EXIT)] [B1] main: [B1] if (flag) foo(); [B2 (ENTRY)] [B0 (EXIT)] [B2] x = new int; foo: x = nullptr *x = 5 [B3] if (flag) flag = 1 x = nullptr (after the call to foo ) foo(); flag = 1; x = nullptr (after the call to foo ) int *x = 0; [B1] flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  24. [B5 (ENTRY)] *x = 5 x = nullptr [B4] *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! x = (heap allocated object) x = nullptr dereference of x! *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr x = (heap allocated object) 10/38 if (flag) [B1] main: [B0 (EXIT)] [B0 (EXIT)] *x = 5 [B1] foo(); [B0 (EXIT)] [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; flag = coin(); [B2 (ENTRY)] foo: x = nullptr (after the call to foo ) x = nullptr x = nullptr flag = 1 (after the call to foo ) flag = 1 flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  25. [B5 (ENTRY)] dereference of x! x = nullptr [B4] x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = 5 x = nullptr x = (heap allocated object) dereference of x! *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr 10/38 foo(); [B2] if (flag) [B2] foo(); if (flag) [B1] *x = 5 x = new int; [B0 (EXIT)] main: [B1] flag = coin(); [B2 (ENTRY)] [B3] if (flag) [B0 (EXIT)] foo: x = nullptr (after the call to foo ) x = nullptr (after the call to foo ) flag = 1 int *x = 0; flag = 1 x = nullptr flag = 1; foo(); flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  26. [B5 (ENTRY)] dereference of x! x = (heap allocated object) [B4] x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! *x = 5 x = (heap allocated object) *x = 5 x = nullptr flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr x = nullptr *x = undefined 10/38 if (flag) flag = coin(); [B1] main: [B0 (EXIT)] [B0 (EXIT)] *x = 5 [B1] foo(); foo: [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; [B2 (ENTRY)] [B0 (EXIT)] flag = 1 x = nullptr x = nullptr flag = 1 (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  27. [B5 (ENTRY)] x = (heap allocated object) dereference of x! x = (heap allocated object) *x = undefined x = (heap allocated object) (after the call to foo ) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined x = (heap allocated object) [B4] x = nullptr *x = 5 dereference of x! x = nullptr x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr x = nullptr (after the call to foo ) flag = 0 *x = 5 *x = undefined x = (heap allocated object) flag = 0 *x = undefined x = (heap allocated object) flag = 0 x = nullptr 10/38 [B1] int *x = 0; foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] [B3] main: if (flag) flag = coin(); foo(); [B2 (ENTRY)] [B0 (EXIT)] flag = 1; foo: x = new int; flag = 1 x = nullptr [B4] if (flag) flag = 1 x = nullptr (after the call to foo ) foo(); flag = 1; x = nullptr (after the call to foo ) int *x = 0; [B2] flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  28. [B5 (ENTRY)] (after the call to foo ) x = (heap allocated object) *x = 5 dereference of x! x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined *x = 5 x = (heap allocated object) (after the call to foo ) *x = undefined x = (heap allocated object) [B4] x = (heap allocated object) dereference of x! flag = 0 x = nullptr x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr x = nullptr (after the call to foo ) flag = 0 x = (heap allocated object) x = nullptr flag = 0 *x = undefined x = (heap allocated object) flag = 0 *x = undefined x = nullptr *x = undefined 10/38 x = nullptr foo(); if (flag) [B1] *x = 5 [B0 (EXIT)] main: [B1] flag = coin(); [B2 (ENTRY)] foo(); [B0 (EXIT)] foo: flag = 1 [B2] flag = 1 if (flag) x = new int; x = nullptr int *x = 0; flag = 1; (after the call to foo ) x = nullptr [B2] foo(); if (flag) (after the call to foo ) x = nullptr [B3] flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  29. [B5 (ENTRY)] *x = 5 *x = undefined [B4] *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined (after the call to foo ) x = (heap allocated object) *x = undefined x = (heap allocated object) dereference of x! *x = 5 x = (heap allocated object) dereference of x! flag = 0 x = nullptr x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr x = nullptr (after the call to foo ) flag = 0 x = (heap allocated object) x = nullptr flag = 0 *x = undefined x = (heap allocated object) flag = 0 *x = undefined x = (heap allocated object) x = (heap allocated object) 10/38 if (flag) [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 [B1] foo(); foo: [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; [B0 (EXIT)] flag = 1 x = nullptr (after the call to foo ) x = nullptr x = nullptr x = nullptr (after the call to foo ) flag = 1 x = nullptr flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  30. [B5 (ENTRY)] (after the call to foo ) x = (heap allocated object) *x = 5 dereference of x! x = (heap allocated object) *x = undefined x = (heap allocated object) *x = undefined *x = 5 x = (heap allocated object) (after the call to foo ) *x = undefined x = (heap allocated object) [B4] *x = undefined dereference of x! flag = 0 x = nullptr x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr x = nullptr (after the call to foo ) flag = 0 x = (heap allocated object) x = nullptr flag = 0 *x = undefined x = (heap allocated object) flag = 0 *x = undefined x = (heap allocated object) 10/38 foo: x = new int; *x = 5 [B0 (EXIT)] main: [B1] flag = coin(); [B2 (ENTRY)] [B2 (ENTRY)] [B0 (EXIT)] foo(); [B2] flag = 1 x = nullptr flag = 1 x = nullptr if (flag) (after the call to foo ) [B3] if (flag) x = nullptr foo(); flag = 1; (after the call to foo ) x = nullptr int *x = 0; x = nullptr [B1] flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  31. [B5 (ENTRY)] x = (heap allocated object) dereference of x! x = (heap allocated object) *x = 5 dereference of x! x = (heap allocated object) *x = undefined (after the call to foo ) flag = 0 *x = undefined x = (heap allocated object) (after the call to foo ) [B4] x = (heap allocated object) *x = undefined *x = 5 x = (heap allocated object) x = nullptr x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr x = nullptr (after the call to foo ) (after the call to foo ) *x = undefined x = nullptr flag = 0 x = nullptr flag = 0 *x = undefined x = (heap allocated object) flag = 0 x = (heap allocated object) *x = undefined 10/38 [B1] [B2 (ENTRY)] flag = coin(); [B1] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 if (flag) flag = 1 foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; foo: [B0 (EXIT)] x = nullptr (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr x = nullptr flag = 1 x = nullptr flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  32. [B5 (ENTRY)] *x = undefined *x = 5 dereference of x! x = (heap allocated object) *x = 5 dereference of x! x = (heap allocated object) x = (heap allocated object) x = (heap allocated object) (after the call to foo ) *x = undefined x = (heap allocated object) (after the call to foo ) [B4] x = (heap allocated object) flag = 0 *x = undefined x = (heap allocated object) x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr x = nullptr (after the call to foo ) (after the call to foo ) flag = 0 x = nullptr flag = 0 x = nullptr flag = 0 *x = undefined x = (heap allocated object) *x = undefined *x = undefined x = nullptr [B1] [B0 (EXIT)] [B0 (EXIT)] [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 if (flag) x = nullptr foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; flag = 1 foo: 10/38 x = nullptr x = nullptr flag = 1 x = nullptr (after the call to foo ) (after the call to foo ) x = nullptr flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  33. [B5 (ENTRY)] *x = undefined *x = 5 dereference of x! x = (heap allocated object) *x = 5 dereference of x! x = (heap allocated object) x = (heap allocated object) x = (heap allocated object) (after the call to foo ) *x = undefined x = (heap allocated object) [B4] *x = undefined x = (heap allocated object) flag = 0 *x = undefined x = (heap allocated object) x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr x = nullptr (after the call to foo ) (after the call to foo ) flag = 0 x = nullptr flag = 0 x = nullptr flag = 0 *x = undefined x = (heap allocated object) *x = undefined (after the call to foo ) 10/38 [B1] x = nullptr [B0 (EXIT)] [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 if (flag) x = nullptr foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; flag = 1 foo: flag = 1 x = nullptr x = nullptr (after the call to foo ) x = nullptr x = nullptr (after the call to foo ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  34. [B5 (ENTRY)] x = (heap allocated object) dereference of x! x = (heap allocated object) *x = 5 dereference of x! x = (heap allocated object) *x = undefined (after the call to foo ) flag = 0 *x = undefined x = (heap allocated object) (after the call to foo ) *x = undefined [B4] *x = undefined *x = 5 x = (heap allocated object) x = nullptr x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr x = nullptr (after the call to foo ) (after the call to foo ) *x = undefined x = nullptr flag = 0 x = nullptr flag = 0 *x = undefined x = (heap allocated object) flag = 0 x = (heap allocated object) x = (heap allocated object) 10/38 foo(); x = nullptr flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 [B1] if (flag) [B2] foo: if (flag) foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; [B0 (EXIT)] [B2 (ENTRY)] x = nullptr x = nullptr flag = 1 x = nullptr (after the call to foo ) (after the call to foo ) x = nullptr flag = 1 flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  35. [B5 (ENTRY)] x = (heap allocated object) flag = 0 *x = 5 dereference of x! x = (heap allocated object) *x = 5 dereference of x! *x = undefined *x = undefined x = (heap allocated object) (after the call to foo ) *x = undefined x = (heap allocated object) [B4] *x = undefined x = (heap allocated object) x = (heap allocated object) flag = 0 x = (heap allocated object) x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr dereference of x! x = nullptr (after the call to foo ) x = (heap allocated object) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 *x = undefined *x = undefined (after the call to foo ) 10/38 *x = 5 x = nullptr [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 [B1] [B1] flag = 1 if (flag) foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; foo: [B0 (EXIT)] x = nullptr x = nullptr x = nullptr x = nullptr (after the call to foo ) x = nullptr flag = 1 (after the call to foo ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  36. [B5 (ENTRY)] x = (heap allocated object) flag = 0 *x = 5 dereference of x! x = (heap allocated object) *x = 5 dereference of x! *x = undefined *x = undefined x = (heap allocated object) (after the call to foo ) *x = undefined x = (heap allocated object) [B4] *x = undefined x = (heap allocated object) x = (heap allocated object) flag = 0 x = (heap allocated object) x = nullptr x = nullptr flag = 0 dereference of x! x = nullptr dereference of x! x = nullptr (after the call to foo ) x = (heap allocated object) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 *x = undefined *x = undefined (after the call to foo ) x = nullptr foo(); [B0 (EXIT)] flag = coin(); [B1] main: [B0 (EXIT)] *x = 5 [B1] if (flag) [B2] flag = 1 if (flag) foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; foo: [B2 (ENTRY)] x = nullptr x = nullptr x = nullptr x = nullptr (after the call to foo ) 10/38 flag = 1 (after the call to foo ) x = nullptr flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  37. [B5 (ENTRY)] dereference of x! x = (heap allocated object) flag = 0 *x = 5 dereference of x! x = (heap allocated object) *x = 5 x = (heap allocated object) flag = 0 *x = undefined x = (heap allocated object) (after the call to foo ) *x = undefined x = (heap allocated object) [B4] (after the call to foo ) *x = undefined x = (heap allocated object) x = (heap allocated object) x = nullptr x = nullptr flag = 0 x = nullptr flag = 0 dereference of x! x = nullptr dereference of x! x = nullptr *x = undefined (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 *x = undefined 10/38 *x = undefined [B1] [B0 (EXIT)] [B2 (ENTRY)] flag = coin(); [B1] main: [B0 (EXIT)] [B0 (EXIT)] *x = 5 if (flag) x = nullptr foo(); [B2] x = new int; [B3] if (flag) foo(); flag = 1; int *x = 0; flag = 1 foo: flag = 1 x = nullptr x = nullptr x = nullptr x = nullptr x = nullptr (after the call to foo ) (after the call to foo ) x = (heap allocated object) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  38. There is always more to talk about... Branches in the ExplodedGraph may happen far more often Representation of values, regions: symbols ExplodedGraphs are usually very-very large, and contain tremendous amount of information 11/38

  39. There is always more to talk about... Branches in the ExplodedGraph may happen far more often Representation of values, regions: symbols ExplodedGraphs are usually very-very large, and contain tremendous amount of information 11/38

  40. There is always more to talk about... Branches in the ExplodedGraph may happen far more often Representation of values, regions: symbols ExplodedGraphs are usually very-very large, and contain tremendous amount of information 11/38

  41. Bug report construction

  42. Processing of the ExplodedGraph Bugs are represented with error nodes The graph may contain several of them The goal is to explain the path to these nodes For each node, construct the shortest path from the root to the error node This is called a bug path 12/38

  43. Processing of the ExplodedGraph Bugs are represented with error nodes The graph may contain several of them The goal is to explain the path to these nodes For each node, construct the shortest path from the root to the error node This is called a bug path 12/38

  44. Processing of the ExplodedGraph Bugs are represented with error nodes The graph may contain several of them The goal is to explain the path to these nodes For each node, construct the shortest path from the root to the error node This is called a bug path 12/38

  45. flag = 1 x = (heap allocated object) dereference of x! *x = 5 x = (heap allocated object) dereference of x! *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 *x = undefined *x = undefined flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! flag = 0 x = nullptr flag = 0 x = nullptr x = nullptr x = (heap allocated object) x = (heap allocated object) (after the call to foo ) (after the call to foo ) x = nullptr x = nullptr x = nullptr x = (heap allocated object) x = (heap allocated object) *x = undefined *x = undefined 13/38 x = (heap allocated object) *x = undefined (after the call to foo ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  46. flag = 1 x = nullptr x = nullptr *x = 5 x = (heap allocated object) dereference of x! *x = 5 flag = 0 x = (heap allocated object) *x = undefined flag = 0 x = (heap allocated object) *x = undefined flag = 0 flag = 0 *x = undefined x = nullptr (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr x = nullptr dereference of x! x = nullptr dereference of x! flag = 0 x = nullptr flag = 0 x = nullptr x = (heap allocated object) dereference of x! x = (heap allocated object) x = (heap allocated object) flag = 1 x = nullptr (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr x = nullptr x = (heap allocated object) *x = undefined x = nullptr *x = undefined x = (heap allocated object) (after the call to foo ) *x = undefined 13/38 (after the call to foo ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  47. flag = 1 11 04 void foo() { 05 flag = coin(); 06 } 07 08 int main() { 09 int *x = 0; 10 flag = 1; foo(); bool coin(); 12 if (flag) 13 x = new int; 14 foo(); 15 16 if (flag) 17 *x = 5; 18 } 03 02 x = nullptr int flag; flag = 1 x = nullptr (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr 01 dereference of x! x = nullptr dereference of x! 14/38 x = nullptr (after the call to foo ) ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  48. The ideal bug report The goal is to generate a bug report from the bug path that is complete: contains every information necessary to understand how the bug occured minimal: contains no unnecessary information 15/38

  49. Techniques used by the analyzer 2 techniques: BugReporterVisitors Interestingness propagation Visit the nodes of the bugpath from the error node to the root 16/38

  50. Techniques used by the analyzer 2 techniques: BugReporterVisitors Interestingness propagation Visit the nodes of the bugpath from the error node to the root 16/38

  51. Techniques used by the analyzer 2 techniques: BugReporterVisitors Interestingness propagation Visit the nodes of the bugpath from the error node to the root 16/38

  52. flag = 1 flag = 0 dereference of x! x = nullptr dereference of x! x = nullptr x = nullptr (after the call to foo ) x = nullptr x = nullptr x = nullptr (after the call to foo ) x = nullptr flag = 0 (after the call to foo ) x = nullptr (after the call to foo ) 17/38 x = nullptr ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  53. flag = 1 flag = 0 flag = 1 x = nullptr (after the call to foo ) flag x = nullptr (after the call to foo ) flag x = nullptr flag = 0 x = nullptr x = nullptr x = nullptr (after the call to foo ) flag x = nullptr (after the call to foo ) flag x = nullptr x = nullptr dereference of x! x = nullptr dereference of x! <warning msg> <warning msg> dereference of x! x = nullptr (after the call to foo ) (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr x = nullptr flag = 0 17/38 x = nullptr x = nullptr (after the call to foo ) dereference of x! x = nullptr ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  54. flag = 1 x = nullptr (after the call to foo ) flag x = nullptr (after the call to foo ) flag x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) (after the call to foo ) flag = 1 x = nullptr flag 0 0 x = nullptr dereference of x! flag 0 0 x = nullptr dereference of x! <diagnostic msg 4> x = nullptr x = nullptr <diagnostic msg 4> dereference of x! (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) x = nullptr x = nullptr x = nullptr dereference of x! x = nullptr (after the call to foo ) 17/38 ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  55. flag = 1 (after the call to foo ) flag x = nullptr (after the call to foo ) flag x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) flag x = nullptr flag x = nullptr x = nullptr flag 0 0 x = nullptr dereference of x! flag 0 0 x = nullptr dereference of x! <diagnostic msg 3> (after the call to foo ) flag = 1 x = nullptr <diagnostic msg 3> (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) 17/38 x = nullptr x = nullptr dereference of x! x = nullptr dereference of x! (after the call to foo ) x = nullptr ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  56. flag = 1 (after the call to foo ) (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) flag x = nullptr flag flag = 1 x = nullptr flag 0 0 x = nullptr dereference of x! flag 0 0 x = nullptr dereference of x! <diagnostic msg 2> x = nullptr x = nullptr <diagnostic msg 2> (after the call to foo ) (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) dereference of x! x = nullptr 17/38 x = nullptr x = nullptr x = nullptr dereference of x! ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  57. flag = 1 (after the call to foo ) flag x = nullptr (after the call to foo ) flag x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) flag x = nullptr flag x = nullptr x = nullptr flag 0 0 x = nullptr dereference of x! flag 0 0 x = nullptr dereference of x! <diagnostic msg 1> (after the call to foo ) flag = 1 x = nullptr <diagnostic msg 1> (after the call to foo ) x = nullptr (after the call to foo ) x = nullptr flag = 0 x = nullptr flag = 0 x = nullptr (after the call to foo ) 17/38 x = nullptr x = nullptr dereference of x! x = nullptr dereference of x! (after the call to foo ) x = nullptr ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ ( −∞ , ∞ ) ( −∞ , ∞ ) flag ∈ flag ∈ flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ ) flag ∈ ( −∞ , 0 ) ∪ ( 0 , ∞ )

  58. BugReporterVisitors An arbitrary number of visitors can be registered Their visitNode() is called on each node visit Visitors may create diagnostic messages about the node they are currently visiting Despite the misleading name, they are more like callbacks than visitors 18/38

  59. BugReporterVisitors An arbitrary number of visitors can be registered Their visitNode() is called on each node visit Visitors may create diagnostic messages about the node they are currently visiting Despite the misleading name, they are more like callbacks than visitors 18/38

  60. BugReporterVisitors An arbitrary number of visitors can be registered Their visitNode() is called on each node visit Visitors may create diagnostic messages about the node they are currently visiting Despite the misleading name, they are more like callbacks than visitors 18/38

  61. BugReporterVisitors An arbitrary number of visitors can be registered Their visitNode() is called on each node visit Visitors may create diagnostic messages about the node they are currently visiting Despite the misleading name, they are more like callbacks than visitors 18/38

  62. Visitors ConditionBRVisitor : Describes conditions of if branches, loops, conditional operators etc. FindLastStoreBRVisitor : Finds the last store to a given variable TrackControlDependencyCondBRVisitor 19/38

  63. Visitors ConditionBRVisitor : Describes conditions of if branches, loops, conditional operators etc. FindLastStoreBRVisitor : Finds the last store to a given variable TrackControlDependencyCondBRVisitor 19/38

  64. Visitors ConditionBRVisitor : Describes conditions of if branches, loops, conditional operators etc. FindLastStoreBRVisitor : Finds the last store to a given variable TrackControlDependencyCondBRVisitor 19/38

  65. TrackControlDependencyCondBRVisitor Most recent addition, available in Clang 10.0.0 GSoC’19 project mentored by Artem Dergachev, Gábor Horváth and Ádám Balogh https://szelethus.github.io/gsoc2019/ Calculates control dependencies to points of interest Tells the analyzer to explain the conditions of control dependency blocks 20/38

  66. TrackControlDependencyCondBRVisitor Most recent addition, available in Clang 10.0.0 GSoC’19 project mentored by Artem Dergachev, Gábor Horváth and Ádám Balogh https://szelethus.github.io/gsoc2019/ Calculates control dependencies to points of interest Tells the analyzer to explain the conditions of control dependency blocks 20/38

  67. TrackControlDependencyCondBRVisitor Most recent addition, available in Clang 10.0.0 GSoC’19 project mentored by Artem Dergachev, Gábor Horváth and Ádám Balogh https://szelethus.github.io/gsoc2019/ Calculates control dependencies to points of interest Tells the analyzer to explain the conditions of control dependency blocks 20/38

  68. [B5 (ENTRY)] foo(); int *x = 0; 10 flag = 1; 11 foo(); 12 if (flag) 13 x = new int; 14 15 int main() { 16 if (flag) 17 *x = 5; 18 } foo: [B2 (ENTRY)] [B1] flag = coin(); [B0 (EXIT)] 09 08 [B4] [B0 (EXIT)] int *x = 0; flag = 1; foo(); if (flag) [B3] x = new int; [B2] foo(); if (flag) [B1] *x = 5 main: 07 01 int flag; 02 bool coin(); 03 04 void foo() { 05 flag = coin(); 06 } 21/38

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introducing the 2017 Penultimate Year Survey What is the Penultimate Year Survey? Its a

Introducing the 2017 Penultimate Year Survey What is the Penultimate Year Survey? Its a

Introducing the 2017 Penultimate Year Survey What is the Penultimate Year Survey? Its a chance for you to have your say about your course and your time at Royal Holloway Your feedback is totally anonymous The survey only takes ten

450 views • 4 slides
MPLS Basics Penultimate Hop Popping How a router determines the outgoing interface: Last Hop

MPLS Basics Penultimate Hop Popping How a router determines the outgoing interface: Last Hop

MPLS Basics Penultimate Hop Popping How a router determines the outgoing interface: Last Hop Router Without PHP Pentagramatical Body Popping? Penultimate Hop Popping Fancy-pants definition: In order to save an additional lookup on an

347 views • 7 slides
Penultimate Review IT Security Ido Rosen University of Chicago 3 March 2007 Ido Rosen

Penultimate Review IT Security Ido Rosen University of Chicago 3 March 2007 Ido Rosen

Policy Cryptography Network Security Penultimate Review IT Security Ido Rosen University of Chicago 3 March 2007 Ido Rosen Penultimate Review Policy Cryptography Network Security 1 Policy Information Security Framework Defining

538 views • 32 slides
CONSTRUCTION/PROJECT MANAGEMENT REPORT REPORT NO. 02 Steenhof Building Services Group April 30,

CONSTRUCTION/PROJECT MANAGEMENT REPORT REPORT NO. 02 Steenhof Building Services Group April 30,

ORO MEDONTE COMMUNITY ARENA O RO M EDONTE , ON CONSTRUCTION/PROJECT MANAGEMENT REPORT REPORT NO. 02 Steenhof Building Services Group April 30, 2014 OUTLINE 1. P ROJECT O VERVIEW 2. F INANCIAL R EPORT 3. P URCHASING 4. SCHEDULE UPDATE 5.

401 views • 26 slides
Construction Design and Defect Litigation: Using Daubert/Frye to Challenge Admissibility of Expert

Construction Design and Defect Litigation: Using Daubert/Frye to Challenge Admissibility of Expert

Presenting a live 90-minute webinar with interactive Q&amp;A Construction Design and Defect Litigation: Using Daubert/Frye to Challenge Admissibility of Expert Witness Testimony TUESDAY, MAY 3, 2016 1pm Eastern | 12pm Central | 11am

654 views • 52 slides
Updated School Year 2016-17 Quarter 3 Report The Challenge The Challenge Navigating the public

Updated School Year 2016-17 Quarter 3 Report The Challenge The Challenge Navigating the public

Updated School Year 2016-17 Quarter 3 Report The Challenge The Challenge Navigating the public education system in DC can be daunting. Understanding how the public education system should work for our individual students and The Role of the

275 views • 25 slides
Example of a challenge that we faced early in the life of the construction project. The new

Example of a challenge that we faced early in the life of the construction project. The new

Example of a challenge that we faced early in the life of the construction project. The new northbound road bed is fully constructed up to the existing on-ramp. There is a difference in elevation between the existing road and the top of the new

463 views • 31 slides
Construction of a Mathematical Model of a Cell as a Challenge for Science in the 21 Century and

Construction of a Mathematical Model of a Cell as a Challenge for Science in the 21 Century and

Enabling Grids for E-sciencE Construction of a Mathematical Model of a Cell as a Challenge for Science in the 21 Century and EGEE Project Victor Lakhno Institute of Mathematical Problems of Biology RAS EGEE User Forum CERN, 01-03.03.2006

440 views • 12 slides
Swansfield Elementary School Additions and Renovations Construction Documents Report Scott

Swansfield Elementary School Additions and Renovations Construction Documents Report Scott

Swansfield Elementary School Additions and Renovations Construction Documents Report Scott Washington Director, School Construction November 19, 2015 Project Updates Relocatable classrooms have been placed on site to accommodate phase

442 views • 11 slides
New Elementary School #42 Construction Documents Report Scott Washington Director, School

New Elementary School #42 Construction Documents Report Scott Washington Director, School

New Elementary School #42 Construction Documents Report Scott Washington Director, School Construction March 24, 2016 Project Update Provided paved access path from buss loop to the community walking path at the rear of the building

264 views • 9 slides
MERKO EHITUS GROUP Construction, Engineering &amp; Real Estate LHV Baltic Challenge 2016 07

MERKO EHITUS GROUP Construction, Engineering &amp; Real Estate LHV Baltic Challenge 2016 07

MERKO EHITUS GROUP Construction, Engineering &amp; Real Estate LHV Baltic Challenge 2016 07 April 2016 Agenda 1. Group in brief 4. Shareholders and dividends 2. Market 5. Merko: long term outlook 3. Business activities 2 Liepaja Concert

719 views • 20 slides
2020 CONSTRUCTION OUTLOOK SURVEY 1 INTRODUCTION The construction landscape continues to improve

2020 CONSTRUCTION OUTLOOK SURVEY 1 INTRODUCTION The construction landscape continues to improve

2020 CONSTRUCTION OUTLOOK SURVEY 1 INTRODUCTION The construction landscape continues to improve and grow along with the economy in Georgia. The following report is based upon an online survey of privately-held construction companies in

714 views • 69 slides
Wilde Lake Middle School Replacement School Construction Documents Report Scott Washington

Wilde Lake Middle School Replacement School Construction Documents Report Scott Washington

Wilde Lake Middle School Replacement School Construction Documents Report Scott Washington Director, School Construction December 15, 2014 Project Updates Reconfigured the locker room support spaces Removed dust collection system and

421 views • 11 slides
Laurel Woods Elementary School Construction Document Report Bruce Gist Director, School

Laurel Woods Elementary School Construction Document Report Bruce Gist Director, School

Laurel Woods Elementary School Construction Document Report Bruce Gist Director, School Construction February 25, 2014 Project Updates Design features and requirements were fully refined after all stakeholders were engaged The new

138 views • 11 slides
MJUSD FACILITIES DEPARTMENT Construction Management: Project Report Modernization and New

MJUSD FACILITIES DEPARTMENT Construction Management: Project Report Modernization and New

MJUSD FACILITIES DEPARTMENT Construction Management: Project Report Modernization and New Construction Update from the Facilities Department Provided to the Board of Trustees May 2012 Facilities Construction Management Department

262 views • 11 slides
Agenda Item 8 Report to Safer and Stronger Communities Scrutiny &amp; Policy Development

Agenda Item 8 Report to Safer and Stronger Communities Scrutiny &amp; Policy Development

Agenda Item 8 Report to Safer and Stronger Communities Scrutiny &amp; Policy Development Committee Report of: Challenge for Change Tenant Scrutiny Group ______________________________________________________________ Subject: Challenge for

831 views • 8 slides
Edition Heidi Dempsey Customer Success Manager Training Rules Download training materials

Edition Heidi Dempsey Customer Success Manager Training Rules Download training materials

V300 Acumatica ERP Construction Edition Heidi Dempsey Customer Success Manager Training Rules Download training materials related to the webinar. You can find the links to the training materials in the Reminder email sent by RingCentral

810 views • 62 slides
EECS 192: Mechatronics Design Lab Discussion 9: Car Construction and Simulation GSI: Justin Yim

EECS 192: Mechatronics Design Lab Discussion 9: Car Construction and Simulation GSI: Justin Yim

EECS 192: Mechatronics Design Lab Discussion 9: Car Construction and Simulation GSI: Justin Yim 20 &amp; 21 March 2019 (Week 9) 1 Car Construction 2 Controls 3 Simulation Ducky (UCB EECS) Mechatronics Design Lab 20 &amp; 21 March 2019 (Week 9)

263 views • 10 slides
Deterministic Finite Automata Lecture 4 1 Input Accepted by a DFA We say that M accepts w

Deterministic Finite Automata Lecture 4 1 Input Accepted by a DFA We say that M accepts w

Deterministic Finite Automata Lecture 4 1 Input Accepted by a DFA We say that M accepts w * if M , on input w , starting from the start state s , reaches a final state i.e., * ( s,w ) F L ( M ) is the set of all strings accepted by

652 views • 51 slides
Surface Construction Labeling Lori Levin Language Technologies Institute Carnegie Mellon

Surface Construction Labeling Lori Levin Language Technologies Institute Carnegie Mellon

Corpus Annotation for Surface Construction Labeling Lori Levin Language Technologies Institute Carnegie Mellon University Collaborators and acknowledgements Collaborators: Jesse Dunietz, Jaime Carbonell, Dunietz, Jesse, Lori Levin, and

1.29k views • 104 slides
Diabetes management in liver and kidney disease Epidemiology 1 4/12/2018 Clinical case A 59

Diabetes management in liver and kidney disease Epidemiology 1 4/12/2018 Clinical case A 59

4/12/2018 Diabetes management in liver and kidney disease Epidemiology 1 4/12/2018 Clinical case A 59 year old man with alcoholic cirrhosis; portal hypertension; mild encephalopathy Fasting plasma glucose - 103, March 2016; 101, July 2017

566 views • 23 slides
Session 3: Communication of HTE to Key Stakeholders Daniel Arthur Caos, PhD, MPH Director,

Session 3: Communication of HTE to Key Stakeholders Daniel Arthur Caos, PhD, MPH Director,

Session 3: Communication of HTE to Key Stakeholders Daniel Arthur Caos, PhD, MPH Director, Evidence Development Division Coverage and Analysis Group Center for Clinical Standards and Quality CMS Challenge Question Ho w do e s CMS pro mo

272 views • 10 slides
Consensus or Controversy? Investigator Perspectives on Practical Issues and Research Questions in

Consensus or Controversy? Investigator Perspectives on Practical Issues and Research Questions in

Consensus or Controversy? Investigator Perspectives on Practical Issues and Research Questions in Multiple Myeloma Friday, December 6, 2013 6:30 PM - 9:00 PM New Orleans, Louisiana Moderator Neil Love, MD Faculty Amrita Krishnan, MD

601 views • 44 slides
UK Living Kidney Sharing Scheme Breakout Session Lisa Burnapp Discussion Slides: UK LKD Network,

UK Living Kidney Sharing Scheme Breakout Session Lisa Burnapp Discussion Slides: UK LKD Network,

UK Living Kidney Sharing Scheme Breakout Session Lisa Burnapp Discussion Slides: UK LKD Network, February 2020 Extract from RTSM, January 2020 We committed to Increase living donor kidney transplantation (LDKT) Address unwarranted

536 views • 35 slides

More recommend