The Pointer Assertion Logic Engine [PLDI 01] Anders M ller - - PowerPoint PPT Presentation

the pointer assertion logic engine
SMART_READER_LITE
LIVE PREVIEW

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller - - PowerPoint PPT Presentation

Jun 09, 2023 31 likes •375 views

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach Model

slide-1
SLIDE 1

The Pointer Assertion Logic Engine

Anders Mφller Michael I. Schwartzbach

[PLDI ’01] Presented by K. Vikram Cornell University

slide-2
SLIDE 2

Introduction

  • Pointer manipulation is hard

– Find bugs, optimize code

  • General Approach

– Model the heap, including records & pointers – Describe properties in an assertion lang. – Verify correctness

slide-3
SLIDE 3

The Objective

  • Pointer Verification
  • Check for

– Type errors – Memory errors – Data structure invariant violations

  • Safety critical data-type

implementations

Some slides have been adapted from a talk by Anders Mφller

slide-4
SLIDE 4

Motivation

  • Standard type-checking not enough

– Tree ≡ List – Avoiding memory errors

  • Verify an abstract data type
slide-5
SLIDE 5

Graph Types

  • Regular Types

– T → v(a1 : T1, …, an : Tn)

  • Graph Types

– T → v(… ai : Ti … aj : Tj [R] …) – data fields + routing fields (R) – backbone (ST) + other pointers – functionally dependent

  • Doubly linked-list, trees with parent

pointers, threaded trees, red-black trees, etc.

slide-6
SLIDE 6

Routing Expressions

  • Regular Expressions
  • ⇓ a - move down along a
  • ↑ - move along parent
  • - verify presence at root
  • $ - verify presence at leaf
  • T:v – verify type and variant
  • Well-formedness
slide-7
SLIDE 7

Examples

  • List with first and last pointers

H → (first: L, last: L[⇓ first ⇓ tail * $ ↑) L → (head: Int, tail: L) → ()

  • Doubly-linked cyclic list

D → (next: D, prev: D[↑ + ^⇓ next* $] → (next: D[↑ * ], prev: D[↑ + ^]

slide-8
SLIDE 8

Monadic Second Order Logic

  • Quantification done over predicates and

terms

  • Unary predicates
  • Most expressive logic that is practically

decidable

  • Decidable using tree automata
slide-9
SLIDE 9

Pointer Assertion Logic

  • Monadic 2nd order

– Over records, pointers and booleans

  • Specify

– Structural invariants – Pre- and post- conditions – Invariants and assertions

slide-10
SLIDE 10

Methodology

  • Verify a single ADT at a time
  • Data structures as graph types
  • Programs in a restricted language
  • Annotations in Pointer Assertion Logic

– properties of the store (assertions) – invariants

  • Encode in monadic 2nd order logic
  • Use a standard tool (MONA)
slide-11
SLIDE 11

Comparison with shape analysis

  • Goals similar – approach different
  • fixpoint iterations over store model vs.

encoding of program in logic

  • Similar precision and speed
  • Use of loop invariants/assertions
  • Need to specify operational semantics
  • Restriction to graph types
  • Generation of counter-examples
slide-12
SLIDE 12

Routing Expressions

  • Slightly generalized
  • ptr <routingexp> ptr
  • Up – x^T.p
  • A general formula can be embedded
slide-13
SLIDE 13

Example data structure

  • Binary tree with pointers to root
slide-14
SLIDE 14

Another Example

slide-15
SLIDE 15

Example Program

slide-16
SLIDE 16

Details…

  • Store Model
  • Graph Types
  • Abstract Programming Language
  • Program Annotations
slide-17
SLIDE 17

The Programming Language

slide-18
SLIDE 18

The Programming Language

slide-19
SLIDE 19

The Programming Language

slide-20
SLIDE 20

Program Annotations

  • Monadic 2nd order Logic on graph types
  • Quantification over heap records

– Individual elements, sets of elements

  • Formulas* used for

– Constraining destinations of pointers – Invariants in loops and procedure calls – Pre- and post- conditions – Assert and split statements

slide-21
SLIDE 21

Monadic 2L on finite trees

  • Φ ::= ¬ Φ | Φ ∨ Φ | Φ ∧ Φ | Φ ⇒ Φ |

Φ ⇔ Φ | ∀1x.Φ | ∃1x.Φ | ∀2x.Φ | ∃2x.Φ | t = t | t ∈ T | T = T | T ⊆ T | … (formulas)

  • T ::= X | T ∪ T | T ∩ T | T \ T | ∅

(set terms)

  • t ::= x | t.left | t.right | t.up

(position terms)

slide-22
SLIDE 22

Program Annotations

slide-23
SLIDE 23

Program Annotations

slide-24
SLIDE 24

A More Involved Example

  • Threaded Trees

– Pointer to successor in post-order traversal

slide-25
SLIDE 25

The Fix Procedure

slide-26
SLIDE 26

Annotations

Precondition to fix ALMOSTPOST Predicate

slide-27
SLIDE 27

Hoare Triples

  • {P} S {Q}
  • P = pre-conditions (boolean predicate)
  • Q = post-conditions ( -do- )
  • S = program
  • Standard tools available
slide-28
SLIDE 28

Verification with Hoare Logic

  • Split program into Hoare triples

“property stm”

  • Use PAL as assertion language
  • Cut-points

– beginning/end of procedure and while bodies – split statements – graph types valid only at cut-points

slide-29
SLIDE 29

Verification with Hoare Logic

  • Hoare Triple – property stm
  • stm is without loops, procedure calls
  • Use transduction to simulate

statements

  • Update store predicates (11 kinds)
  • Interface for querying the store
slide-30
SLIDE 30

Advantages over earlier tools

  • Can handle temporary violations

– Overriding pointer directives – Allow different constraints at different points – Use property instead of formula

  • Modular and thus, scalable
slide-31
SLIDE 31

MONA

  • Reduces formulas to tree automata
  • Deduces validity or generates counter-

examples

slide-32
SLIDE 32

Evaluation

  • As fast as previous tools
  • Very few intractable examples in

practice

  • Found a null-pointer dereference in a

bubblesort example

slide-33
SLIDE 33

Evaluation

slide-34
SLIDE 34

Finally

  • Questions
  • Comments
  • Praise/Criticism
  • Thank you!