The Pointer Assertion Logic Engine - PowerPoint PPT Presentation

1 / 27

About This Presentation

Title:

The Pointer Assertion Logic Engine

Description:

3 while ( k i ) do begin. 4 while ( b1-i ) do skip. 5 k := i. end. 6 critical section ... while true do begin. 1 noncritical section 2 b0 := true. 3 ... – PowerPoint PPT presentation

Number of Views:75

Avg rating:3.0/5.0

Slides: 28

Provided by: nikolaosfr

Category:

more less

Transcript and Presenter's Notes

Title: The Pointer Assertion Logic Engine

1
The Pointer Assertion Logic Engine

Anders Møller
Michael I. Schwartzbach

CMSC 631 presentation Nikolaos Frangiadakis
2
Motivation

Finding bugs ?
Fixing them
Providing counterexamples
Want sound
Construct FSM
Use for safety-critical data types
Help optimization

3
The process
annotated code

PALE Pointer Assertion Logic Engine tool
MONA MONAdic second order logic engine
Result
If ok ? Claim sound
If not ? Counterexample

4
Graph types example

tree-shaped data struct extra pointers
data pointers backbone
pointer fields conditions
Other Examples
doubly-linked cyclic list
binary trees
binary trees in which all the leaves are joined
in a cyclic list
red - black trees )
and so on...

Example I
List with pointer to the last element
type Head
data first Node
pointer last Nodethis.firstltnext.pos.nextn
ullgtlast
type Node
data next Node
Example II
Binary tree with cyclic post order pointers
type Node
data left,rightNode
pointer postNodePOST(this,post)
pointer parentNodePARENT(this,parent)

5
Graph types

A Graph type is a recursive type with auxiliary
pointers
the recursive type defines a spanning tree
(the backbone)
the auxiliary pointers provide short-cuts across
the backbone or into other trees
they must be functionally determined by the
backbone(well formedness)
they are defined by routing expressions
Constraining to Graph types ? Decidable

6
Annotation

Store Model records
Program vars
Records (Pointers,Bools)
?Organized in backbone constructs
Program variables (data vars, pointer vars)
Pointer Assertion Language
Data Structure Invariants
Loop invariants
If..then..else invariants
Procedure invariants

7
Hoare triples ? MONA

Split the program into Hoare triples
pre stm post
In MONA assertions instead of post conditions
Graph types need only be valid at cut-points
multiple assignments allowed, but no loops
Verify each triple separately
Sound when annotation ok
Can include check for null-pointer dereference
and other memory errors

8
Encoding

Monadic Single argument
Second order This argument can be
a First Order Logic Function
Here is a variable
Null_p() true if p is Null
bool_T_b(v) value of record v of type T (bool)
Succ_T_d(v,w) true if rec w reachable from rec
along data field d
Each time a state

9
Why monadic second order logic
BDD Binary Decision Diagrams WS1S Weak Second
order theory of one or two successors
10
MONA encoding Example(Hymans mutual exclusion
algorithm )

while true do begin
1 lt noncritical section gt
2 bi true
3 while ( k ¹ i ) do begin
4 while ( b1-i ) do skip
5 k i
end
6 lt critical section gt
7 bi false
end

11
MONA Example

var2 PC0, PC0, PC0, PC1, PC1, PC1,
b0, b1, k
pred p0_at_line_1(var1 t) tÏPC0 Ù tÏPC0 Ù
ÏPC0
pred p0_at_line_2(var1 t) tÏPC0 Ù tÏPC0 Ù
tÎPC0
...
pred b0_false(var1 t) tÏb0
pred b0_true(var1 t) tÎb0
...
pred k_is_0(var1 t) tÎk
pred k_is_1(var1 t) tÏk

while true do begin 1 lt noncritical
section gt 2 bi true 3 while ( k
¹ i ) do begin 4 while (bi-1 ) do
skip 5 k i end 6 lt
critical section gt 7 bi false end
12
MONA Example

pred p0_proc_step(var1 t)
(p0_at_line_1(t) Þ p0_at_line_2(succ(t)) Ù
unchanged_vars(t)) Ù
(p0_at_line_2(t) Þ p0_at_line_3(succ(t)) Ù
b0_true(succ(t)) Ù
unchanged_k(t) Ù unchanged_b1(t)) Ù
(p0_at_line_3(t) Þ (unchanged_vars(t) Ù
(k_is_0(t) Þ p0_at_line_6(succ(t))) Ù
(k_is_1(t) Þ p0_at_line_4(succ(t))))) Ù
...
(p0_at_line_7(t) Þ
p0_at_line_1(succ(t))
Ù b0_false(succ(t)) Ù
...

while true do begin 1 lt noncritical
section gt 2 bi true 3 while ( k
¹ i ) do begin 4 while (bi-1 ) do
skip 5 k i end 6 lt
critical section gt 7 bi false end
13
MONA result

Valid() Þ "1 t Ø(p0_at_line_6(t) Ù
p1_at_line_6(t)))
A counter-example of least length (10) is
PC0 0 0 0 0 0 1 1 1 0 1
PC0 0 0 0 1 1 0 0 0 1 0
PC0 0 0 1 0 1 0 0 0 0 1
PC1 0 0 0 0 0 0 0 1 1 1
PC1 0 0 0 0 0 0 1 0 0 0
PC1 0 1 1 1 1 1 0 1 1 1
b0 0 0 0 1 1 1 1 1 1 1
b1 0 0 0 0 0 0 1 1 1 1
k 0 0 0 0 0 0 0 0 1 1

14
MONA Example

A counter-example of least length (10) is
PC0 1 1 2 3 4 5 5 5 3 6
PC1 1 2 2 2 2 2 3 6 6 6
b0 0 0 0 1 1 1 1 1 1 1
b1 0 0 0 0 0 0 1 1 1 1
k 0 0 0 0 0 0 0 0 1 1

while true do begin 1 lt noncritical
section gt 2 b0 true 3 while ( k
¹ 0 ) do begin 4 while (b1) do skip
5 k 0 end 6 lt
critical section gt 7 b0 false end
while true do begin 1 lt noncritical
section gt 2 b1 true 3 while ( k
¹ 1 ) do begin 4 while (b0) do skip
5 k 1 end 6 lt
critical section gt 7 b1 false end
15
MONA Example