Program Analysis via 3-Valued Logic

About This Presentation

Title:

Program Analysis via 3-Valued Logic

Description:

Example: In-Situ List Reversal. List reverse (List x) { List y, t; y = NULL; while (x ! ... Example: In-Situ List Reversal. List reverse (List x) { List y, t; y ... – PowerPoint PPT presentation

Number of Views:31

Avg rating:3.0/5.0

Slides: 96

Provided by: thoma424

Learn more at: http://www.cs.cmu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Program Analysis via 3-Valued Logic

1
Program Analysisvia 3-Valued Logic

Thomas Reps
University of Wisconsin

Joint work with Mooly Sagiv (Tel-Aviv) and
Reinhard Wilhelm (Univ. of Saarbruecken)
2
Program Analysisvia 3-Valued Logic

Thomas Reps
University of Wisconsin

Joint work with Mooly Sagiv (Tel-Aviv) and
Reinhard Wilhelm (Univ. of Saarbrücken)
3
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
4
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
5
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
6
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
7
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
8
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
9
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
10
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
11
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
12
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
13
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
14
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
15
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
16
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
17
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
18
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
19
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
20
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
21
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
22
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
Materialization
23
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
24
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
25
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
26
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
27
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
28
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
29
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
30
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
31
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
32
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
33
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
34
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
35
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
36
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
37
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
38
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
39
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
40
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
41
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
42
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
43
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
44
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
45
Original Problem Shape Analysis

Characterize dynamically allocated data
x points to an acyclic list, cyclic list, tree,
dag, etc.
data-structure invariants
Identify may-alias relationships
Establish disjointedness properties
x and y point to structures that do not share
cells

46
Why is Shape Analysis Difficult?

Destructive updating through pointers
p?next q
Produces complicated aliasing relationships
Dynamic storage allocation
No bound on the size of run-time data structures
Data-structure invariants typically only hold at
the beginning and end of operations
Need to verify that data-structure invariants are
re-established

47
Formalizing . . .
Informal
x
48
Applications Software Tools

Static detection of memory errors (cleanness)
dereferencing NULL pointers
dereferencing dangling pointers
memory leaks
Static detection of logical errors
Is a shape invariant restored?
What is in the heap?
list? doubly-linked list? tree? DAG?
disjoint? intertwined?

49
Properties of reverse(x)

On entry x points to an acyclic list
On exit y points to an acyclic list
On exit x NULL
On each iteration, x and y point to disjoint
acyclic lists
All the pointer dereferences are safe
No memory leaks

50
Detection of Malicious Code

De-obfuscate usage of dynamically allocated
memory
Undesirable information flows
Buffer-overrun attacks
Actions performed to conceal virus activity (??)
To advertise here, call 608-262-2091

51
A Yacc for Shape Analysis TVLA

Parametric framework
Some instantiations ? known analyses
Other instantiations ? new analyses

52
A Yacc for Shape Analysis TVLA

Parametric framework
Some instantiations ? known analyses
Other instantiations ? new analyses
Applications beyond shape analysis
Partial correctness of sorting algorithms
Safety of mobile code
Deadlock detection in multi-threaded programs
Partial correctness of mark-and-sweep gc alg.

53
A Yacc for Static Analysis TVLA

Parametric framework
Some instantiations ? known analyses
Other instantiations ? new analyses
Applications beyond shape analysis
Partial correctness of sorting algorithms
Safety of mobile code
Deadlock detection in multi-threaded programs
Partial correctness of mark-and-sweep gc alg.

54
A Yacc for Static Analysis(Using Logic)

Correctness proofs via inductive-assertion
method
Proof derivation via weakest-precondition
calculus
Annotate your loops with invariants!

55
A Yacc for Static Analysis(Using Logic)
I learned many things and equally important
I unlearned many things. S.K. Allison

Correctness proofs via inductive-assertion
method
Proof derivation via weakest-precondition
calculus
Annotate your loops with invariants!

56
A Yacc for Static Analysis(Using Logic)

First-order structures ( predicate tables)
hold recorded information
model-theoretic approach, not proof-theoretic
Formulae
means for observing information
Predicate-update formulae
operational semantics
update recorded information

57
Recorded Information (for reverse)
58
Recorded Information (for reverse)
59
Formulae for Observing Properties

Are x and y pointer aliases?
?v x(v) ? y(v)
Does x point to a cell with a self cycle?
?v x(v) ? n(v,v)

60
Are x and y Pointer Aliases?
?v x(v) ? y(v)
u2
u3
u4
u1
61
Predicate-Update Formulae for y NULL

x(v) x(v)
y(v) 0
t(v) t(v)
n(v1,v2) n(v1,v2)

62
Predicate-Update Formulae for y NULL
y(v) 0
63
Predicate-Update Formulae for y x

x(v) x(v)
y(v) x(v)
t(v) t(v)
n(v1,v2) n(v1,v2)

64
Predicate-Update Formulae for y x
y(v) x(v)
65
Predicate-Update Formulae for x x ? n

x(v) ?v1 x(v1) ? n(v1,v)
y(v) y(v)
t(v) t(v)
n(v1, v2) n(v1, v2)

66
Predicate-Update Formulae for x x ? n
x(v) ?v1 x(v1) ? n(v1,v)
x
y
u2
u3
u4
u1
67
Predicate-Update Formulae for y ? n t

x(v) x(v)
y(v) y(v)
t(v) t(v)
n(v1,v2) ?y(v1)?? n(v1,v2) ? y(v1) ? t(v2)

68
Outline

Logic and box/arrow diagrams
Kleenes 3-valued logic
The abstraction principle
Using 3-valued structures to represent sets of
stores
Conservative extraction of store properties
Abstract interpretation
More precise abstract interpretation

69
Why is Shape Analysis Difficult?

Destructive updating through pointers
p?next q
Produces complicated aliasing relationships
Dynamic storage allocation
No bound on the size of run-time data structures
Data-structure invariants typically only hold at
the beginning and end of operations
Need to verify that data-structure invariants are
re-established

70
Two- vs. Three-Valued Logic
0 ? 0,1
1 ? 0,1
71
Two- vs. Three-Valued Logic
72
Two- vs. Three-Valued Logic
Three-valued logic
73
Two- vs. Three-Valued Logic
74
Two- vs. Three-Valued Logic
0 ?3½
1 ?3½
75
Boolean Connectives Kleene
76
Three-Valued Logic

1 True
0 False
1/2 Unknown
A join semi-lattice 0 ? 1 1/2

77
Outline

Logic and box/arrow diagrams
Kleenes 3-valued logic
The abstraction principle
Using 3-valued structures to represent sets of
stores
Conservative extraction of store properties
Abstract interpretation
More precise abstract interpretation

78
The Abstraction Principle
79
The Abstraction Principle

Partition the individuals into equivalence
classes based on the values of their unary
predicates
Collapse other predicates via ?

80
What StoresDoes a 3-Valued Structure Represent?

Example 3-valued structure
individuals u1
predicates
graphical presentation
concrete stores represented

81
What StoresDoes a 3-Valued Structure Represent?

Example 3-valued structure
graphical presentation
concrete stores

82
What StoresDoes a 3-Valued Structure Represent?

Example 3-valued structure
graphical presentation
concrete stores

83
Property-Extraction Principle

Questions about store properties can be answered
conservatively by evaluating formulae in
three-valued logic
Formula evaluates to 1
? formula always holds in every store ?
Formula evaluates to 0
? formula never holds in any store ?
Formula evaluates to 1/2
? dont know
? ?

84
Are x and y Pointer Aliases?
?v x(v) ? y(v)
85
Is Cell u Heap-Shared?
u
?v1,v2 n(v1,u) ? n(v2,u) ? v1 ? v2
86
Is Cell u Heap-Shared?
?v1,v2 n(v1,u) ? n(v2,u) ? v1 ? v2
87
Outline

Logic and box/arrow diagrams
Kleenes 3-valued logic
The abstraction principle
Using 3-valued structures to represent sets of
stores
Conservative extraction of store properties
Abstract interpretation
More precise abstract interpretation

88
Abstract Interpretation
89
Abstract Interpretation
f (a,b) (16 b 3) (2 a 1)
O
O
O
E
O
O
E
?
E
E
?
f _ ? _ ? O
90
Shape Analysis viaAbstract Interpretation

Iteratively compute a set of 3-valued structures
for every program point
Every statement transforms structures according
to the predicate-update formulae
use 3-valued logic instead of 2-valued logic
use exactly the predicate-update formulae of the
concrete semantics!!

91
Predicate-Update Formulae for y x
y(v) x(v)
92
Predicate-Update Formulae for x x ? n
x(v) ? v1 x(v1) ? n(v1,v)
93
(No Transcript)
94
(No Transcript)
95
Why is Shape Analysis Difficult?

Destructive updating through pointers
p?next q
Produces complicated aliasing relationships
Track aliasing on 3-valued structures
Dynamic storage allocation
No bound on the size of run-time data structures
Abstraction principle ? finite-sized 3-valued
structures
Data-structure invariants typically only hold at
the beginning and end of operations
Need to verify that data-structure invariants are
re-established
Evaluate formulas over 3-valued structures

96
TVLA vs. Model Checking
TVLA
Model checking

Determine properties of a transition system
State-space exploration
State labels 1st-order structures
3-valued structures represent commonalities
Properties checked Formulas in FOTC

Determine properties of a transition system
State-space exploration
State labels Propositions
BDDs represent commonalities
Properties checked Formulas in temporal logic

97
Example Mark and Sweep
void Sweep() unexplored Universe
collected ? while (unexplored ? ?) x
SelectAndRemove(unexplored) if (x ? marked)
collected collected ? x
assert(collected Universe
Reachset(root) )
void Mark(Node root) if (root ! NULL)
pending ? pending pending ? root
marked ? while (pending ? ?)
x SelectAndRemove(pending) marked
marked ? x t x ? left if (t
? NULL) if (t ? marked)
pending pending ? t t x ? right
if (t ? NULL) if (t ? marked)
pending pending ? t
assert(marked Reachset(root))
Run Demo
98
Demo Exploring Static-Analysis Tradeoffs
99
Static Analysis forMandatory Access Control
high
high
low
low
Flow of information from high to low?
100
Example Multiplexed Channel
Multiplexer
101
Example Multiplexed Channel
102
Example Multiplexed Channel
Multiplexer
103
Example Multiplexed Channel
Multiplexer
104
Static Analysis forMandatory Access Control
high
high
low
low
Flow of information from high to low?
Program Chopping Chop(high, low) ??
105
Analysis Tradeoffs Demo I
CodeSurfer Chopping flow-insensitive
points-to analysis
106
Shape Analysis Formalizing . . .
107
Shape of Multiplexers Buffer
108
Modeling the Output Loop
/ Direct the data to appropriate output stream
/ List high, low temp packetBuffer while
(temp ! NULL) t temp temp
temp-gtnext if (t-gtlevel HIGH) / Put t
on high list / t-gtnext high high t
else / Put t on low list
/ t-gtnext low low t
109
Shape of Multiplexers Output
110
Analysis Tradeoffs Demo II
TVLA Shape analysis security-level annotations
111
Malicious Output Loop
temp packetBuffer while (temp ! NULL) t
temp temp temp-gtnext if (t-gtlevel
HIGH) / Put t on high list / t-gtnext
high high t else /
Put t on low list / t-gtnext low low t

112
Malicious Output Loop
temp packetBuffer i 0 while (temp ! NULL)
t temp temp temp-gtnext if (i
17) / Put t on low list /
t-gtnext low low t if (t-gtlevel
HIGH) / Put t on high list / t-gtnext
high high t else /
Put t on low list / t-gtnext low low t
i i 1
113
Analysis Tradeoffs Demo III
TVLA Shape analysis security-level annotations
114
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
Run Demo

Write a Comment

User Comments (0)