static analysis of heap-manipulating low-level software sumit gulwaniashish tiwari msr, redmond sri...
TRANSCRIPT
Static Analysis of Heap-manipulating Low-level
software
Sumit Gulwani Ashish Tiwari MSR, Redmond SRI
International
2
Related Work
• Alias/Pointer Analysis [Work done in early 90s]– Must/May equalities– Considered not expressive enough
• Shape Analysis [Work that followed]– Fancy predicates – Need to provide transfer functions for each of
them
• This work– Must/May equalities extended with quantifiers
(Provides expressiveness of an infinite class of predicates and avoids the need of providing transfer functions)
3
Example 1
9i: List(x,i,next) Æ 8j: (0·j<i) )
Array(x!nextj!data, 4*(x!nextj!len))
struct List { int Len, *Data; List* Next; }
ListOfPtrArray(struct List* x) { for (y := x; ynull; y := y!next)
t := ?; y!len := t; y!data = malloc(4t); for (y := x; ynull; y := y!next) for (z :=0; z < y!len; z := z+1)
y!data!(4z) := ….;
Invariant required after first loop for proving memory safety
4
Example 2
struct List { int Data; List* Next; }
List2Array(struct List* x) { n := 0; for (y := x; ynull; y := y!next)
n := n+1; A := malloc(4n); y:= x; for (k := 0; k < n; k++)
A!(4k) := y!data; y := y!next; return A;
Prog. Point
Invariant
1 9 i: List(x,i,next)
2 9 i: List(x,i,next),
0·n<i, y=x!nextn
3 List(x,n,next)
4 List(x,n.next), Array(A,4n)
5 List(x,n.next), Array(A,4n)
8 j: (0·j<n) ) A!(4j) = x!nextj!data
1
2
3
4
5
5
Outline
• Abstract Domain
• Implies Algorithm
• Join Algorithm
• Meet Algorithm
• PostAssignment Algorithm
6
Abstract Domain
9V: Cons Æ Must Æ May
Must := true | Must Æ 8V: (Cons ) e1=e2)
May := true | May Æ 8V: (Cons ) e1 » e2)
e := y | c | e1 § e2 |ce | e1 ! e2e3 | valid | null
Cons represent constraints over the base abstract domain, eg. Combination of linear arithmetic and uninterpreted functions
7
Expressiveness
List(x,i,next) ´ i ¸ 0 Æ x!nexti = null Æ 8 j: (0·j<i) ) Valid(x!nextj)
Valid(e) ´ e!w=valid
Array(x,k) ´ 8 j: (0·j<k) ) Valid(x+j)
8
Abstract Interpreter
Join Node Conditional Node
pTrue False
F
F1 F2
F2
F
F1
F = Join(F1,F2) F1 = Meet(F, p)
F2 = Meet(F,:p)
Statement s
F’
F
Assignment Node
F = Post(F’,s)
Where s may be:
x := e
*x := e
x := malloc(e)
free(x)
9
Implies Algorithm
Implies(F1, F2) returns 1 only if F1 ) F2
KeyIdea for checking F ) e1=e2
Check if e2 2 MustAliases(e1,F)
KeyIdea for checking F ) e1 e2
Check if : (e2 2 MayAliases(e1,F))
10
MustAliases and MayAliases
F1: x = x!nextj
F2: 8i: (0·i·j) ) x!nexti = x!nexti+1!prev
MustAliasesKeyIdea: Apply k quantifier instantiationsMustAliases(x,F1) = { x!nextj, x!next2j }
MustAliases(x,F2) =
11
MustAliases and MayAliases
F1: x = x!nextj
F2: 8j: (0·i·j) ) x!nexti=x!nexti+1!prev
MustAliasesKeyIdea: Apply k quantifier instantiationsMustAliases(x,F1) = { x!nextj, x!next2j }
MustAliases(x,F2) = { x!next!prev,
x!next!prev!next!prev }
12
MustAliases and MayAliases
F1: x = x!nextj
F2: 8j: (0·i·j) ) x!nexti=x!nexti+1!prev
MustAliasesKeyIdea: Apply k instantiations of each equalityMustAliases(x,F1) = { x!nextj, x!next2j }
MustAliases(x,F2) = { x!next!prev,
x!next!prev!next!prev }MayAliasesKeyIdea: Represent aliases by expressions of size kMayAliases(x,F1) = { x!nextt | t¸j }
MayAliases(x,F2) =
13
MustAliases and MayAliases
F1: x = x!nextj
F2: 8j: (0·i·j) ) x!nexti=x!nexti+1!prev
MustAliasesKeyIdea: Apply k instantiations of each equalityMustAliases(x,F1) = { x!nextj, x!next2j }
MustAliases(x,F2) = { x!next!prev,
x!next!prev!next!prev }MayAliasesKeyIdea: Represent aliases by expressions of size kMayAliases(x,F1) = { x!nextt | t¸j }
MayAliases(x,F2) = { x!(next|prev)t | t¸0 }
14
Join Algorithm
Join(F1, F2) returns an overapproximation of F1 Ç F2
Example 1Input 1: i=1 Æ A[0]=0 Input 2: i=2 Æ A[0]=0 Æ A[1]=1Output: 8 j: (0·j<i) ) A[j]=j
Example 2Let S(k) ´ Array(x!nextk!data, x!nextk!len)Input 1: y=x!next Æ S(0)Input 2: y=x!next2 Æ S(0) Æ S(1)Output: 9i: 1·i·2 Æ y=x!nexti Æ 8j: (0·j<i) ) S(j)
15
Join Algorithm: Key Idea
Input 1: y=x!next Æ S(0)Input 2: y=x!next2 Æ S(0) Æ S(1)
After Normalization, we get:Input 1: 9i: i=1 Æ y=x!nexti Æ 8j: (0·j<1) ) S(j)Input 2: 9i: i=2 Æ y=x!nexti Æ 8j: (0·j<2) ) S(j)
Now we use the following rule:Join (9V: E1 Æ 8U: C1)S, 9V: E2 Æ 8U: C2)S) =
9V: E3 Æ 8U: C3)S
where E3 = Join(E1, E2)
C3 = Underapproximation of C1ÆC2
16
Join Algorithm: Key Idea
Input 1: y=x!next Æ S(0)Input 2: y=x!next2 Æ S(0) Æ S(1)
After Normalization, we get:Input 1: 9i: i=1 Æ y=x!nexti Æ 8j: (0·j<1) ) S(j)Input 2: 9i: i=2 Æ y=x!nexti Æ 8j: (0·j<2) ) S(j)
Now we use the following rule:Join (9V: E1 Æ 8U: C1)S, 9V: E2 Æ 8U: C2)S) =
9V: E3 Æ 8U: C3)S
where E3 = Join(E1, E2)
C3 = Underapproximation of (E1)C1 Æ E2)C2)
17
Meet Algorithm
Meet(F,p) returns an overapproximation of F Æ pKeyIdea: Reason about interaction between
equalities & disequalities
Example 1 Input 1: 9 i: len·i Æ List(x,i,next) Æ y=x!nextlen
Input 2: y=nullOutput: 9 i: len=i Æ List(x,i,next) Æ y=x!nextlen
Example 2 Input 1: 9 i: len·i Æ List(x,i,next) Æ y=x!nextlen
Input 2: ynullOutput: 9 i: len<i Æ List(x,i,next) Æ y=x!nextlen
18
PostAssignment Algorithm
Input 1: List(y,i,next) Æ List(result,j,next) Æ y+next=x Æ *x=tmpInput 2: *x := resultOutput: List(tmp,i-1,next) Æ List(result,j,next) Æ y+next=x Æ *x=result
null
result
null
y
tmp
Post(F, s) returns an overapproximation of the strongest postcondition of F w.r.t. s
KeyIdea: Transitive Closure; Invalidate Must; Invalidate May; Add new fact
19
Experiments
Program Base Constraint Domain Required
Property Discovered (apart from memory safety)
Precondition provided
List2Array Generalized Difference Constraints
Corresponding array & list elements are same
Input is a list
ListReverse Generalized Difference Constraints
Reversed list has length 100
Input is a list of size 100
ArrayPtrArray Generalized Difference Constraints + Uninterpreted Functions
Input array has length Len (where Len is also an input)
20
Related Work
• Alias/Pointer Analysis [Work done in early 90s]– Must/May equalities– Considered not expressive enough
• Shape Analysis [Work that followed]– Fancy predicates – Need to provide transfer functions for each of
them
• This work– Must/May equalities extended with quantifiers
(Provides expressiveness of an infinite class of predicates and avoids the need of providing transfer functions)
21
Conclusion and Future Work
• Quantified abstract domain for pointer analysis– Expressive enough to reason rich properties– Amenable to automated deduction
• Extend analysis to inter-procedural setting
• Add disjunction and richer quantification support in abstract domain