The Pointer Assertion Logic Engine Anders Møller Michael I. Schwartzbach

The Pointer Assertion Logic Engine
Anders Møller
Michael I. Schwartzbach
CMSC 631 presentation: Nikolaos Frangiadakis
Motivation

- Finding bugs
- Fixing them
- Want soundness
- Providing counterexamples
- Construct FSM
- Use for safety-critical data types
- Help optimization
The process

annotated code -> PALE -> MONA

PALE: Pointer Assertion Logic Engine tool
MONA: MONAdic second-order logic engine

Result:
- If ok -> claim sound
- If not -> counterexample
Graph types example

Example I: List with pointer to the last element:

type Head = {
  data first: Node;
  pointer last: Node[this.first<next*.[pos.next=null]>last];
}
type Node = {
  data next: Node;
}

tree-shaped data struct + extra pointers
data pointers: backbone
pointer fields: conditions

Other Examples:

Example II: Binary tree with cyclic post-order pointers:

type Node = {
  data left, right: Node;
  pointer post: Node[POST(this,post)];
  pointer parent: Node[PARENT(this,parent)];
}

- doubly-linked cyclic list
- binary trees
- binary trees in which all the leaves are joined in a cyclic list
- red-black trees :)
- and so on...
Graph types

A graph type is a recursive type with auxiliary pointers:
- the recursive type defines a spanning tree (the “backbone”)
- the auxiliary pointers provide short-cuts across the backbone or into other trees
- they must be functionally determined by the backbone (“well-formedness”)
- they are defined by “routing expressions”

Constraining to graph types -> decidable
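As an added example (not code from the PALE paper or tool), a concrete Python check of the Head/Node graph type from Example I: the backbone is the tree of first/next data fields, and `last` must be exactly the node the routing expression this.first<next*.[pos.next=null]>last selects, so an operation that changes the backbone without re-establishing `last` breaks well-formedness. The Node/Head classes, the helper names and the sample lists are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:
    next: Optional["Node"] = None   # data field: a backbone edge

@dataclass
class Head:
    first: Optional[Node] = None    # data field: root of the backbone
    last: Optional[Node] = None     # pointer field, fixed by the routing expression

def route_last(head: Head) -> Optional[Node]:
    """Evaluate this.first<next*.[pos.next=null]>: walk first, then next*, and
    return the node whose next is null (None for an empty backbone).  Raises if
    next* cycles, because then the data fields form no spanning tree at all."""
    seen, node = set(), head.first
    while node is not None and node.next is not None:
        if id(node) in seen:
            raise ValueError("data fields do not form a backbone tree")
        seen.add(id(node))
        node = node.next
    return node

def well_formed(head: Head) -> bool:
    """Graph-type invariant: `last` is functionally determined by the backbone."""
    try:
        return route_last(head) is head.last
    except ValueError:
        return False

def build_list(n: int) -> Head:
    """Constructed sample: an n-element list with `last` set consistently."""
    nodes = [Node() for _ in range(n)]
    for a, b in zip(nodes, nodes[1:]):
        a.next = b
    return Head(first=nodes[0] if nodes else None, last=nodes[-1] if nodes else None)

def extend_backbone(head: Head, node: Node) -> None:
    """Changes the backbone only; used alone it leaves `last` stale, which is
    exactly the kind of broken cut-point invariant PALE reports."""
    if head.first is None:
        head.first = node
    else:
        route_last(head).next = node

def append(head: Head, node: Node) -> None:
    """Correct append: re-establish the pointer field after changing the backbone."""
    extend_backbone(head, node)
    head.last = node
```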
Annotation

Store model: records
- Records (pointers, bools)
- Organized in backbone constructs
- Program variables (data vars, pointer vars)
Pointer Assertion Language
- Data structure invariants
- Loop invariants
- If..then..else invariants
- Procedure invariants
Hoare triples -> MONA

Split the program into Hoare triples: {pre} stm {post}
- In MONA: assertions instead of post conditions
- Graph types need only be valid at cut-points
- multiple assignments allowed, but no loops
- Verify each triple separately
- Sound when annotation ok
- Can include check for null-pointer dereference and other memory errors
Encoding

Monadic: single argument
Second order: this argument can be a first-order logic function

Here is a variable:

Null_p(): true if p is null
bool_T_b(v): value of boolean field b of record v of type T
Succ_T_d(v,w): true if record w is reachable from record v along data field d
Each time a state
Why monadic second-order logic
- BDD: Binary Decision Diagrams
- WS1S / WS2S: weak second-order theory of one or two successors
MONA encoding Example
(Hyman’s mutual exclusion algorithm, process i; the numbers are the line labels used by the encoding:)

    while true do begin
1     < noncritical section >
2     b[i] := true
3     while ( k ≠ i ) do begin
4       while ( b[1-i] ) do skip
5       k := i
      end
6     < critical section >
7     b[i] := false
    end
MONA Example

var2 PC0', PC0'', PC0''', PC1', PC1'', PC1''', b0, b1, k;
pred p0_at_line_1(var1 t) = t ∉ PC0' ∧ t ∉ PC0'' ∧ t ∉ PC0''';
pred p0_at_line_2(var1 t) = t ∉ PC0' ∧ t ∉ PC0'' ∧ t ∈ PC0''';
...
pred b0_false(var1 t) = t ∉ b0;
pred b0_true(var1 t) = t ∈ b0;
...
pred k_is_0(var1 t) = t ∈ k;
pred k_is_1(var1 t) = t ∉ k;
MONA Example

pred p0_proc_step(var1 t) =
  (p0_at_line_1(t) ∧ p0_at_line_2(succ(t)) ∧ unchanged_vars(t)) ∨
  (p0_at_line_2(t) ∧ p0_at_line_3(succ(t)) ∧ b0_true(succ(t)) ∧
     unchanged_k(t) ∧ unchanged_b1(t)) ∨
  (p0_at_line_3(t) ∧ unchanged_vars(t) ∧
     ((k_is_0(t) ∧ p0_at_line_6(succ(t))) ∨
      (k_is_1(t) ∧ p0_at_line_4(succ(t))))) ∨
  ...
  (p0_at_line_7(t) ∧ p0_at_line_1(succ(t)) ∧ b0_false(succ(t)) ∧ ...);
MONA result

Valid() = ¬∃1 t: (p0_at_line_6(t) ∧ p1_at_line_6(t));

A counter-example of least length (10) is:

t:      0 1 2 3 4 5 6 7 8 9
PC0'    0 0 0 0 0 1 1 1 0 1
PC0''   0 0 0 1 1 0 0 0 1 0
PC0'''  0 0 1 0 1 0 0 0 0 1
PC1'    0 0 0 0 0 0 0 1 1 1
PC1''   0 0 0 0 0 0 1 0 0 0
PC1'''  0 1 1 1 1 1 0 1 1 1
b0      0 0 0 1 1 1 1 1 1 1
b1      0 0 0 0 0 0 1 1 1 1
k       0 0 0 0 0 0 0 0 1 1
MONA Example

The same counter-example of least length (10), with the program counters decoded to line numbers:

t:     0 1 2 3 4 5 6 7 8 9
PC0    1 1 2 3 4 5 5 5 3 6
PC1    1 2 2 2 2 2 3 6 6 6
b0     0 0 0 1 1 1 1 1 1 1
b1     0 0 0 0 0 0 1 1 1 1
k      0 0 0 0 0 0 0 0 1 1

Process 0:
    while true do begin
1     < noncritical section >
2     b0 := true
3     while ( k ≠ 0 ) do begin
4       while ( b1 ) do skip
5       k := 0
      end
6     < critical section >
7     b0 := false
    end

Process 1:
    while true do begin
1     < noncritical section >
2     b1 := true
3     while ( k ≠ 1 ) do begin
4       while ( b0 ) do skip
5       k := 1
      end
6     < critical section >
7     b1 := false
    end
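As an added example (not from the slides or the MONA encoding), the same property checked by explicit-state search in Python: every interleaving of the two Hyman processes is explored breadth-first, so the first state with both processes at line 6 is a shortest mutual-exclusion violation; its length is 10, the same as MONA's counter-example. The line labels are those of the listing above; the state layout and function names are this example's own.

```python
from collections import deque

CRITICAL = 6   # label of < critical section > in the listing

def step(pc, i, b, k):
    """One step of process i from line pc; returns (new_pc, new_b, new_k)."""
    b = list(b)
    if pc == 1:                              # leave the noncritical section
        return 2, b, k
    if pc == 2:                              # b[i] := true
        b[i] = True
        return 3, b, k
    if pc == 3:                              # while ( k != i )
        return (4, b, k) if k != i else (CRITICAL, b, k)
    if pc == 4:                              # while ( b[1-i] ) do skip
        return (4, b, k) if b[1 - i] else (5, b, k)
    if pc == 5:                              # k := i, then back to the loop test
        return 3, b, i
    if pc == 6:                              # leave the critical section
        return 7, b, k
    if pc == 7:                              # b[i] := false
        b[i] = False
        return 1, b, k
    raise ValueError(pc)

def shortest_violation(k0=0):
    """BFS over all interleavings from (pc0, pc1, b0, b1, k) = (1, 1, F, F, k0).
    Returns the shortest trace whose final state has both processes at
    CRITICAL, or None if mutual exclusion holds."""
    init = (1, 1, False, False, k0)
    parent = {init: None}                    # also serves as the visited set
    queue = deque([init])
    while queue:
        s = queue.popleft()
        pc0, pc1, b0, b1, k = s
        if pc0 == CRITICAL and pc1 == CRITICAL:
            trace = []
            while s is not None:
                trace.append(s)
                s = parent[s]
            return trace[::-1]
        for i in (0, 1):
            pc, b, k2 = step((pc0, pc1)[i], i, (b0, b1), k)
            nxt = (pc, pc1, b[0], b[1], k2) if i == 0 else (pc0, pc, b[0], b[1], k2)
            if nxt not in parent:
                parent[nxt] = s
                queue.append(nxt)
    return None
```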
Aspects

Data abstraction
- Of value properties
- Automatic tracking when assigned

Comparison with TVLA (Three-Valued Logic Analyzer)
- Seems to have found a bug
- In exhibited cases: PALE significantly faster
- Idea: trade-off between expressiveness and speed, formally

Statistics
Opinions
- Needs heuristics
- Automatic code annotation? (40 ln -> 90 ln)
- SLAM-style iterative process?
- Optimization?

Questions?

Thank you