towards unbounded heap support for predicate analysis
play

Towards Unbounded Heap Support for Predicate Analysis Using SMT - PowerPoint PPT Presentation

Dec 11, 2022 •164 likes •357 views

Towards Unbounded Heap Support for Predicate Analysis Using SMT Arrays Stephan Lukasczyk 20160923 University of Passau, 94032 Passau, Germany Motivation (or (= mallocOffset4 array[p]) (= (*signed_int@2 mallocOffset4) (*signed_int@1

  1. Towards Unbounded Heap Support for Predicate Analysis Using SMT Arrays Stephan Lukasczyk 2016–09–23 University of Passau, 94032 Passau, Germany

  2. Motivation (or (= mallocOffset4 array[p]) (= (*signed_int@2 mallocOffset4) (*signed_int@1 mallocOffset4)))) (= |getArray::p@2| |main::pos@2|) (= |getArray::__CPAchecker_TMP_0@3| |__ADDRESS_OF_malloc#2|) (= |getArray::arr@2| |getArray::__CPAchecker_TMP_0@3|) (= (*signed_int@2 array[p]) |getArray::v@2|) (= |getArray::__retval__@2| |getArray::arr@2|) (> baseAddressArr 0) (>= |__ADDRESS_OF_malloc#2| baseAddressArr) (let ((mallocOffset4 (+ |__ADDRESS_OF_malloc#2| 16))) (let ((mallocOffset3 (+ |__ADDRESS_OF_malloc#2| 12))) (> |__ADDRESS_OF_main::arr| 0) (or (= mallocOffset3 array[p]) (= (*signed_int@2 mallocOffset3) (*signed_int@1 mallocOffset3)))) (let ((mallocOffset2 (+ |__ADDRESS_OF_malloc#2| 8))) (or (= mallocOffset2 array[p]) (= (*signed_int@2 mallocOffset2) (*signed_int@1 mallocOffset2)))) (let ((mallocOffset1 (+ |__ADDRESS_OF_malloc#2| 4))) (or (= mallocOffset1 array[p]) (= (*signed_int@2 mallocOffset1) (*signed_int@1 mallocOffset1)))) (let ((mallocOffset0 (+ |__ADDRESS_OF_malloc#2| 0))) (or (= mallocOffset0 array[p]) (= (*signed_int@2 mallocOffset0) (*signed_int@1 mallocOffset0)))) (= |main::arr@3| |getArray::__retval__@2|) (= |main::read@3| (*signed_int@2 (+ |main::arr@3| (* 4 |main::pos@2|)))) (= |getArray::v@2| |main::val@2|) (= |main::pos@2| 3) extern void __VERIFIER_error(); int *arr = getArray(val, pos); extern void * malloc(int); int * getArray(int v, int p) { int *arr = (int*) malloc(5 * sizeof(int)); return arr; } void main(void) { int val = 2; int pos = 3; int read; (= |main::val@2| 2) read = arr[pos]; if (val == read) ERROR: __VERIFIER_error(); } (assert (let ( (baseAddressArr (+ |__ADDRESS_OF_main::arr| 4)) (array[p] (+ |getArray::arr@2| (* 4 |getArray::p@2|)))) (and (= |main::val@2| |main::read@3|)))) arr[p] = v;

  3. arr[p] = v; read = arr[pos]; Motivation (= |getArray::__CPAchecker_TMP_0@3| |__ADDRESS_OF_malloc#2|) (= |getArray::arr@2| |getArray::__CPAchecker_TMP_0@3|) (= (*signed_int@2 array[p]) |getArray::v@2|) (= |getArray::__retval__@2| |getArray::arr@2|) (> baseAddressArr 0) (>= |__ADDRESS_OF_malloc#2| baseAddressArr) (let ((mallocOffset4 (+ |__ADDRESS_OF_malloc#2| 16))) (or (= mallocOffset4 array[p]) (= (*signed_int@2 mallocOffset4) (*signed_int@1 mallocOffset4)))) (or (= mallocOffset3 array[p]) (= (*signed_int@2 mallocOffset3) (*signed_int@1 mallocOffset3)))) (let ((mallocOffset3 (+ |__ADDRESS_OF_malloc#2| 12))) (= |getArray::v@2| |main::val@2|) (let ((mallocOffset2 (+ |__ADDRESS_OF_malloc#2| 8))) (or (= mallocOffset2 array[p]) (= (*signed_int@2 mallocOffset2) (*signed_int@1 mallocOffset2)))) (let ((mallocOffset1 (+ |__ADDRESS_OF_malloc#2| 4))) (or (= mallocOffset1 array[p]) (= (*signed_int@2 mallocOffset1) (*signed_int@1 mallocOffset1)))) (let ((mallocOffset0 (+ |__ADDRESS_OF_malloc#2| 0))) (or (= mallocOffset0 array[p]) (= (*signed_int@2 mallocOffset0) (*signed_int@1 mallocOffset0)))) (= |main::arr@3| |getArray::__retval__@2|) (= |main::read@3| (*signed_int@2 (+ |main::arr@3| (* 4 |main::pos@2|)))) (= |getArray::p@2| |main::pos@2|) (= |main::pos@2| 3) (> |__ADDRESS_OF_main::arr| 0) int *arr = getArray(val, pos); extern void * malloc(int); int * getArray(int v, int p) { int *arr = (int*) malloc(5 * sizeof(int)); return arr; } void main(void) { int val = 2; int pos = 3; int read; extern void __VERIFIER_error(); if (val == read) ERROR: __VERIFIER_error(); } (assert (let ( (baseAddressArr (+ |__ADDRESS_OF_main::arr| 4)) (array[p] (+ |getArray::arr@2| (* 4 |getArray::p@2|)))) (and (= |main::val@2| 2) (= |main::val@2| |main::read@3|))))

  4. Predicate Analysis • use predicates from logics to model data states • implemented as CPA in CPAchecker • takes C statements • uses Satisfjability Modulo Theories (SMT) formulae

  5. Quantifjer-free SMT Theories • Equality and Uninterpreted Functions • Linear Arithmetic over Integers or Reals • Bit Vectors • Arrays

  6. Defjning the Heap-Array Converter • previous: two converters (simple, uninterpreted functions) • new: heap-array formula converter • SMT arrays instead of uninterpreted functions • “simple” statements with basic theories • SMT arrays only for heap access modelling • heap model: one SMT array per C data type

  7. Defjning the Heap-Array Converter • previous: two converters (simple, uninterpreted functions) • new: heap-array formula converter • SMT arrays instead of uninterpreted functions • “simple” statements with basic theories • SMT arrays only for heap access modelling • heap model: one SMT array per C data type

  8. Heap-Array Converter—Discussion • avoid disjunctions • lower number of formula clauses • eliminate size bounds for arrays • quantifjers for interpolation on arrays • higher complexity for solvers

  9. Heap-Array Converter—Discussion • avoid disjunctions • lower number of formula clauses • eliminate size bounds for arrays • quantifjers for interpolation on arrays • higher complexity for solvers

  10. Example Using Heap-Array Converter (= *signed_int@2 (store *signed_int@1 (select *signed_int@2 (+ |main::arr@3| (* 4 |main::pos@2|)))) (= |main::read@3| (= |main::arr@3| |getArray::__retval__@2|) (>= |__ADDRESS_OF_malloc#2| baseAddressArr) (> baseAddressArr 0) (= |getArray::__retval__@2| |getArray::arr@2|) (+ |getArray::arr@2| (* 4 |getArray::p@2|)) |getArray::v@2|)) (= |getArray::arr@2| |getArray::__CPAchecker_TMP_0@3|) (assert (= |getArray::__CPAchecker_TMP_0@3| |__ADDRESS_OF_malloc#2|) (= |getArray::p@2| |main::pos@2|) (= |getArray::v@2| |main::val@2|) (> |__ADDRESS_OF_main::arr| 0) (= |main::pos@2| 3) (= |main::val@2| 2) (and (let ((baseAddressArr (+ |__ADDRESS_OF_main::arr| 4))) (= |main::val@2| |main::read@3|))))

  11. Quantifjers for C Initializers • Initializer statements in C int x[10] = {0}; • Use universal quantifjer in formula init ∈ A∀ i ∈ N , 0 ≤ i < S ( init ) : init [ i ] = 0 ( A : set of possible arrays; function S returns size of array) • Problem: Arrays + Quantifjers ⇒ Undecidable

  12. Prerequisites for the Evaluation • SV-COMP Categories: ArraysReach, ControlFlow, DeviceDrivers64, ECA, HeapReach, Loops, ProductLines, Sequentialized, Simple (4 552 fjles) • Customized ArraysReach (880 fjles) • Each run: 900 s • SMT solvers: MathSAT5, PRINCESS, SMTInterpol, Z3 (64bit), Kernel 4.2, Java 8 • Run limits: 15 GB RAM, two CPU cores, 13 GB Java heap, 10 MB stack size • cf. https://research.lukasczyk.me/heaparray for supplementary web page with all results • Machines: 2 × 16 core Intel Xeon (3 . 4 GHz), 135 GB RAM, Ubuntu 14.04

  13. Comparison of HA and UF MS-ha Z3-ha SI-uf SI-ha PR-uf PR-ha MS-uf CPU time ( s ) −500 Accumulated score 10 3 10 2 10 1 500 0 Z3-uf 1 000 1 500 2 000 2 500 3 000 3 500 4 000 4 500

  14. Comparison of HA and UF… CPU time ( s ) Z3-ha SI-uf SI-ha PR-uf PR-ha MS-uf MS-ha 𝑜 -th fastest correct result 0 10 3 10 2 10 1 2 500 2 000 1 500 1 000 500 Z3-uf

  15. Behaviour on Larger Arrays 60 Z3-ha SI-uf SI-ha PR-uf PR-ha MS-uf MS-ha Correct tasks Array size 80 40 0 20 0 180 160 140 120 100 80 60 40 20 Z3-uf

  16. Infmuence of Quantifjers on Initializers 13 incorrect 0 1 17 12 true 0 0 0 176 false 0 1 4 12 score (4 478) 2 242 2 406 2 252 194 120 Only on sets DeviceDrivers64, HeapReach, and Sequentialized correct PR-hq PR-ha Z3-hq Z3-ha total 2 462 2 462 2 462 2 462 1 177 112 1 271 1 454 1 470 true 1 065 1 151 1 278 1 276 false 2 554

  17. Summary • Implementation and evaluation of heap-array converter • Arrays harder for solvers than uninterpreted functions • Quantifjer necessary for array interpolation • Better results on arrays with sizes between 25 and 150, but more tasks necessary • Quantifjers diffjcult for array initializers • Unbounding UFs with quantifjers (done by Philipp Wendler) cpa.predicate.useArraysForHeap cpa.predicate.useQuantifiersOnArrays ⇒ Undecidable

  18. Summary • Implementation and evaluation of heap-array converter • Arrays harder for solvers than uninterpreted functions • Quantifjer necessary for array interpolation • Better results on arrays with sizes between 25 and 150, but more tasks necessary • Quantifjers diffjcult for array initializers • Unbounding UFs with quantifjers (done by Philipp Wendler) cpa.predicate.useArraysForHeap cpa.predicate.useQuantifiersOnArrays ⇒ Undecidable

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Last time Today Next (Midterm) Hash tables Unbounded arrays Implementation Amortized

Last time Today Next (Midterm) Hash tables Unbounded arrays Implementation Amortized

Last time Today Next (Midterm) Hash tables Unbounded arrays Implementation Amortized analysis Stacks Queues Linked Lists Toward unbounded arrays Unsorted Arrays Linked Lists O(1) access Self-resizing PROS Built-in support

405 views • 39 slides
heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O ( n ) analysis via picture (learn) or using summations (know result) data structures and algorithms building a heap one-by-one in O ( n log n ) 2020

672 views • 7 slides
EDA045F: Program Analysis LECTURE 6: DATALOG Christoph Reichenbach In the last lecture. . .

EDA045F: Program Analysis LECTURE 6: DATALOG Christoph Reichenbach In the last lecture. . .

EDA045F: Program Analysis LECTURE 6: DATALOG Christoph Reichenbach In the last lecture. . . Pointer Analysis Points-To Analysis Alias Analysis Concrete Heap Graphs Abstract Heap Graphs Access Paths Heap Summarisation

822 views • 53 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
PA PACE Programming Languages, Architecture and Compilers Education Laboratory Heap analysis

PA PACE Programming Languages, Architecture and Compilers Education Laboratory Heap analysis

Compare Less, Defer More Scaling Value-Contexts Based Whole-Program Heap Analyses Manas Thakur and V Krishna Nandivada CC 2019 PA PACE Programming Languages, Architecture and Compilers Education Laboratory Heap analysis Any analysis that

1.12k views • 78 slides
CS 225 Data Structures November 5 Heap Analysis and Dis isjoint Sets Wad ade Fag agen-Ulm

CS 225 Data Structures November 5 Heap Analysis and Dis isjoint Sets Wad ade Fag agen-Ulm

CS 225 Data Structures November 5 Heap Analysis and Dis isjoint Sets Wad ade Fag agen-Ulm lmschneid ider buildHeap B 1. Sort the array its a heap! U I L D H E 2. template &lt;class T&gt; 1 2 void

329 views • 32 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
Amortised analysis of heap consumption Olha Shkaravska Institut of Informatics, LMU Munich,

Amortised analysis of heap consumption Olha Shkaravska Institut of Informatics, LMU Munich,

Amortised analysis of heap consumption Olha Shkaravska Institut of Informatics, LMU Munich, Germany Amortised analysisof heap consumption p.1/27 Motivation and Structure of this talk Hofmann-Jost inference system: inference of linear

597 views • 27 slides
Fibonacci Heap CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Heaps as Priority Queues

Fibonacci Heap CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Heaps as Priority Queues

Fibonacci Heap CS31005: Algorithms-II Autumn 2020 IIT Kharagpur Heaps as Priority Queues You have seen binary min-heaps/max-heaps Can support creating a heap, insert, finding/extracting the min (max) efficiently Can also support

1.08k views • 49 slides
Equality 1 Predicate logic with equality Predicate logic + distinguished predicate symbol =

Equality 1 Predicate logic with equality Predicate logic + distinguished predicate symbol =

First-order Predicate Logic Equality 1 Predicate logic with equality Predicate logic + distinguished predicate symbol = of arity 2 Semantics: A structure A of predicate logic with equality always maps the predicate symbol = to the

401 views • 6 slides
Fibonacci Heap Group Minus One Second December 6, 2016 Group Minus One Second Fibonacci Heap

Fibonacci Heap Group Minus One Second December 6, 2016 Group Minus One Second Fibonacci Heap

Introduction Fibonacci Heap Time Complexity Analysis Fibonacci Heap Group Minus One Second December 6, 2016 Group Minus One Second Fibonacci Heap Introduction Fibonacci Heap Time Complexity Analysis Outline Introduction Motivation

848 views • 51 slides
Efficient Analysis of Probabilistic Programs with an Unbounded Counter CAV 2011 azdil 1 Stefan

Efficient Analysis of Probabilistic Programs with an Unbounded Counter CAV 2011 azdil 1 Stefan

Efficient Analysis of Probabilistic Programs with an Unbounded Counter CAV 2011 azdil 1 Stefan Kiefer 2 cera 1 Tom a s Br Anton n Ku 1 Masaryk University, Brno, Czech Republic 2 University of Oxford, UK Evaluation of And-Or Trees

848 views • 48 slides
What is a predicate? A predicate is a statement involving variables over a specified

What is a predicate? A predicate is a statement involving variables over a specified

What is a predicate? A predicate is a statement involving variables over a specified domain (set). Domain is understood ahead of time Example Domain (set) Predicate Integers ( Z ) S ( x ): x is a perfect square Reals ( R ) G ( x , y

604 views • 37 slides
Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris

Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris Lattner Andrew Lenharth Vikram Adve Apple UIUC UIUC What is Heap Cloning? Distinguish objects by acyclic call path void foo() { list*

556 views • 28 slides
Data structures Exercise session Week 1 I. Introduction Two kinds of types in Java

Data structures Exercise session Week 1 I. Introduction Two kinds of types in Java

Data structures Exercise session Week 1 I. Introduction Two kinds of types in Java Primitive types int, char, boolean, fmoat, double, etc. Object types Integer, Character, String, etc. Java generics Before generics you had to

739 views • 20 slides
Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 6 available Due last night

Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 6 available Due last night

Principles of Software Construction: Objects, Design, and Concurrency Part 4: et cetera A puzzling finale: What you see is what you get? Josh Bloch Charlie Garrod 17-214 1 Administrivia Homework 6 available Due last night Final

974 views • 61 slides
Lists, Stacks and Queues The List ADT List ADT n A list is a dynamic ordered tuple of

Lists, Stacks and Queues The List ADT List ADT n A list is a dynamic ordered tuple of

Lists, Stacks and Queues The List ADT List ADT n A list is a dynamic ordered tuple of homogeneous elements A o , A 1 , A 2 , , A N-1 where A i is the i-th element of the list n The position of element A i is i; positions range from 0

437 views • 31 slides
Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang,

Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang,

Compiler Verification meets Cross-Language Linking via Data Abstraction Peng Wang, MIT CSAIL Santiago Cuellar, Princeton University Adam Chlipala, MIT CSAIL Verified Compiler Program Verification Techniques

706 views • 35 slides
A Case for Static Analyzers in the Cloud Mehdi Bouaziz Ecole normale sup erieure, Paris,

A Case for Static Analyzers in the Cloud Mehdi Bouaziz Ecole normale sup erieure, Paris,

A Case for Static Analyzers in the Cloud Mehdi Bouaziz Ecole normale sup erieure, Paris, France joint work with Michael Barnett, Manuel F ahndrich, and Francesco Logozzo Microsoft Research, Redmond, WA, USA Eighth Workshop on

646 views • 26 slides
Arrows and Reagents KC Sivaramakrishnan Advanced Functional Programming March 3rd, 2016

Arrows and Reagents KC Sivaramakrishnan Advanced Functional Programming March 3rd, 2016

Arrows and Reagents KC Sivaramakrishnan Advanced Functional Programming March 3rd, 2016 Slides were borrowed and modified from Aaron Turons PLDI 2012 talk: http://www.mpi-sws.org/~turon/pldi-2012-reagents.pdf Arrows module type Arrow

822 views • 78 slides
Stefan Heule, Manu Sridharan, Satish Chandra Stanford University, Samsung Research America

Stefan Heule, Manu Sridharan, Satish Chandra Stanford University, Samsung Research America

Stefan Heule, Manu Sridharan, Satish Chandra Stanford University, Samsung Research America September 4, 2015; FSE; Bergamo, Italy 1 Opaque code Code is executable Source not available, or hard to process Challenge: Program

459 views • 27 slides
Priority Queues Given x and y , is x less than, equal to, or greater than y Meaning of the

Priority Queues Given x and y , is x less than, equal to, or greater than y Meaning of the

1/31/2016 A new ADT: Priority Queue A priority queue holds compare-able data (totally ordered) Like dictionaries with ordered keys, we need to compare CSE373: Data Structures and Algorithms items Priority Queues Given x and y , is x

575 views • 8 slides

More recommend