A Context-Sensitive Memory Model for Verification of C/C++ Programs
Arie Gurfinkel and Jorge A. Navas
University of Waterloo and SRI International
SAS’17, August 30th, 2017
Gurfinkel and Navas (UWaterloo/SRI) A CS Memory Model for C/C++ Verification SAS’17, August 30th, 2017 1 / 25
Our Motivation
Automatic modular safety proofs on realistic C and C++ programs
Classical Memory Models for C/C++
Byte-level model: one large array of bytes; every allocation returns a new offset in that array.
  Ptr = Int          Mem : Ptr → Byte
Untyped block-level model: a pointer is a pair ⟨ref, o⟩ where ref uniquely identifies a memory object and o is the byte offset, within that object, of the byte being pointed to.
  Ptr = Ref × Int    Mem : Ptr → Ptr
Typed block-level model: refines the block-level model by keeping a separate block for each distinct type.
  Ptr = Ref × Int    Mem : Type × Ptr → Ptr
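To make the difference between the first two models concrete, here is an added example (not from the slides or from sea-dsa): a byte-level memory and an untyped block-level memory, each with alloc/store/load, run on the same off-by-one write. The class and function names are this example's own; the typed block-level model is not modelled.

```python
from typing import Dict, Tuple


class ByteMemory:
    """Byte-level model: Ptr = Int, Mem : Ptr -> Byte (one flat byte array)."""

    def __init__(self) -> None:
        self.mem: Dict[int, int] = {}
        self.next_free = 0                 # bump allocator: an allocation is just a new offset

    def alloc(self, size: int) -> int:
        base = self.next_free
        self.next_free += size
        return base

    def store(self, ptr: int, value: int) -> None:
        self.mem[ptr] = value & 0xFF

    def load(self, ptr: int) -> int:
        return self.mem.get(ptr, 0)


Ptr = Tuple[int, int]                      # (ref, offset)


class OutOfBounds(Exception):
    pass


class BlockMemory:
    """Untyped block-level model: Ptr = Ref x Int; every allocation is its own object."""

    def __init__(self) -> None:
        self.sizes: Dict[int, int] = {}    # ref -> object size in bytes
        self.mem: Dict[Ptr, int] = {}
        self.next_ref = 0

    def alloc(self, size: int) -> Ptr:
        ref = self.next_ref
        self.next_ref += 1
        self.sizes[ref] = size
        return (ref, 0)

    def _check(self, ptr: Ptr) -> None:
        ref, off = ptr                     # an offset outside the object is an error, not a neighbour
        if ref not in self.sizes or not 0 <= off < self.sizes[ref]:
            raise OutOfBounds(ptr)

    def store(self, ptr: Ptr, value: int) -> None:
        self._check(ptr)
        self.mem[ptr] = value

    def load(self, ptr: Ptr) -> int:
        self._check(ptr)
        return self.mem.get(ptr, 0)


def off_by_one_byte_level() -> int:
    """Write one byte past a 4-byte buffer in the byte-level model."""
    m = ByteMemory()
    buf = m.alloc(4)
    flag = m.alloc(1)
    m.store(flag, 0x41)
    m.store(buf + 4, 0x00)                 # one past the buffer: lands on `flag`
    return m.load(flag)                    # 0: the neighbour was clobbered and nothing complained


def off_by_one_block_level() -> str:
    """The same write in the block-level model: the offset leaves the object and is caught."""
    m = BlockMemory()
    ref, off = m.alloc(4)
    flag = m.alloc(1)
    m.store(flag, 0x41)
    try:
        m.store((ref, off + 4), 0x00)
    except OutOfBounds:
        return "out-of-bounds"
    return "silent"
```

In the byte-level model the two allocations are adjacent offsets in one array, so the verifier has to reason about every byte to see that the write corrupts a different object; in the block-level model the ⟨ref, o⟩ pair makes the violation a local bounds check on a single object, which is what lets a verifier treat distinct objects as separate logical arrays later in the deck.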
From Pointer Analysis to Verification Conditions
Run a pointer analysis to disambiguate memory.
Produce a side-effect-free encoding by:
  replacing each memory object o with a logical array A_o;
  replacing memory accesses through a pointer p (within object o) with array reads and writes over A_o.
Each array write on A_o produces a new version A'_o representing the array after the execution of the memory write.
Logical arrays are unbounded and the "whole array" is updated in its entirety:
  A[1] = 5  →  A_1 = λi. (i = 1 ? 5 : A_0[i])
  A[k] = 7  →  A_2 = λi. (i = k ? 7 : A_1[i])
VCs Using a Context-Insensitive Pointer Analysis
  void f(int *x, int *y) { *x = 1; *y = 2; }
  void g(int *p, int *q, int *r, int *s) { f(p, q); f(r, s); }
Assume p and q may alias.
[Figure: the points-to graph is built up over the two calls. At f(p,q) the callee cells of x and y are unified with the caller cell holding p,q, giving one cell {x,y,p,q}. At f(r,s) the cells of r and s are unified with that same cell, so after both calls x, y, p, q, r, s all share a single cell.]
Verification conditions:
  f(x, y, A_{xy}, A''_{xy}) {
    A'_{xy}  = store(A_{xy}, x, 1)
    A''_{xy} = store(A'_{xy}, y, 2)
  }
  g(p, q, r, s, A_{pqrs}, A''_{pqrs}) {
    f(p, q, A_{pqrs}, A'_{pqrs})
    f(r, s, A'_{pqrs}, A''_{pqrs})
  }
VCs Using a Context-Sensitive Pointer Analysis
  void f(int *x, int *y) { *x = 1; *y = 2; }
  void g(int *p, int *q, int *r, int *s) { f(p, q); f(r, s); }
Assume p and q may alias.
[Figure: with a context-sensitive analysis the callee summary f_sum(x,y) keeps x and y in separate cells. At the call f(p,q) the summary is instantiated as f(x',y') and x',y' are unified with the caller cell holding p,q; at the call f(r,s) it is instantiated as f(x'',y'') with x'' and y'' bound to the separate cells of r and s. The two call sites are not merged with each other.]
Verification conditions:
  f(x, y, A_x, A_y, A'_x, A'_y) {
    A'_x = store(A_x, x, 1)
    A'_y = store(A_y, y, 2)
  }
  g(p, q, r, s, A_{pq}, A_r, A_s, A'_{pq}, A'_r, A'_s) {
    f(p, q, A_{pq}, A_{pq}, A'_{pq}, A'_{pq})
    f(r, s, A_r, A_s, A'_r, A'_s)
  }
A direct VC encoding is unsound. First call to f: A'_{pq} = store(A_{pq}, p, 1) and A'_{pq} = store(A_{pq}, q, 2). The update of p is lost!
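The three encodings can be run side by side. The following is an added example, not code from the slides or from sea-dsa: the functional `store` is the "whole array is updated in its entirety" update from the earlier slide, `execute` is plain execution of the C code, and the three `g_*` functions follow the context-insensitive VCs, the direct context-sensitive VCs above, and the sound VCs the deck gives later. The way the two outputs named A'_{pq} are bound (left to right, so the later binding wins) is this example's modelling assumption; all function names are its own.

```python
from typing import Dict, Tuple

Array = Dict[int, int]      # a logical array: address -> value, never mutated in place


def store(a: Array, idx: int, val: int) -> Array:
    """Functional update: a new version of the whole array; the old version is untouched."""
    new = dict(a)
    new[idx] = val
    return new


def select(a: Array, idx: int) -> int:
    return a.get(idx, 0)    # cells never written read as 0 in this model


def execute(p: int, q: int, r: int, s: int) -> Array:
    """Ground truth: what the C code does when g(p,q,r,s) actually runs."""
    mem: Array = {}
    for x, y in ((p, q), (r, s)):     # f(p,q); f(r,s)
        mem[x] = 1                    # *x = 1
        mem[y] = 2                    # *y = 2
    return mem


# 1) Context-insensitive encoding: one array A_xy for everything f touches.
def f_ci(x: int, y: int, Axy: Array) -> Array:
    A1 = store(Axy, x, 1)             # A'xy  = store(Axy, x, 1)
    return store(A1, y, 2)            # A''xy = store(A'xy, y, 2)


def g_ci(p: int, q: int, r: int, s: int, Apqrs: Array) -> Array:
    A1 = f_ci(p, q, Apqrs)            # f(p, q, Apqrs, A'pqrs)
    return f_ci(r, s, A1)             # f(r, s, A'pqrs, A''pqrs)


# 2) Direct context-sensitive encoding: f gets separate arrays A_x and A_y.
def f_cs_direct(x: int, y: int, Ax: Array, Ay: Array) -> Tuple[Array, Array]:
    return store(Ax, x, 1), store(Ay, y, 2)   # A'x = store(Ax, x, 1); A'y = store(Ay, y, 2)


def g_cs_direct(p: int, q: int, r: int, s: int,
                Apq: Array, Ar: Array, As: Array) -> Tuple[Array, Array, Array]:
    # f(p, q, Apq, Apq, A'pq, A'pq): both outputs are bound to the same name A'pq.
    # Modelling assumption: output parameters are bound left to right, as an
    # SSA-style VC generator would bind them, so the second binding wins.
    bindings = f_cs_direct(p, q, Apq, Apq)
    A1pq = bindings[-1]               # store(Apq, q, 2) survives; store(Apq, p, 1) is lost
    A1r, A1s = f_cs_direct(r, s, Ar, As)
    return A1pq, A1r, A1s


# 3) Sound encoding (the deck's "Sound verification conditions"): f keeps one
#    array for {x,y}; g keeps {p,q} and {r,s} apart.
def g_cs_sound(p: int, q: int, r: int, s: int,
               Apq: Array, Ars: Array) -> Tuple[Array, Array]:
    return f_ci(p, q, Apq), f_ci(r, s, Ars)   # f(p, q, Apq, A'pq); f(r, s, Ars, A'rs)


def value_of_p_after_g(p: int, q: int, r: int, s: int) -> Dict[str, int]:
    """*p after g() according to real execution and to each of the three encodings."""
    direct_pq, _, _ = g_cs_direct(p, q, r, s, {}, {}, {})
    sound_pq, _ = g_cs_sound(p, q, r, s, {}, {})
    return {
        "execution": select(execute(p, q, r, s), p),
        "context-insensitive": select(g_ci(p, q, r, s, {}), p),
        "direct-cs": select(direct_pq, p),
        "sound-cs": select(sound_pq, p),
    }
```

Run with p = 100, q = 101, r = 200, s = 201 (the analysis said p and q may alias, but at run time they are distinct) the direct encoding reports *p as 0 after g, while execution and the other two encodings give 1: a verifier using the direct encoding would accept the false claim that f left *p unchanged. When p and q really are the same address all four agree on 2, which is why the problem is easy to miss.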
Ensuring Sound VCs using a CS Pointer Analysis
An arbitrary context-sensitive pointer analysis cannot be directly leveraged for modular verification.
It must satisfy this Correctness Condition (CC):
  "No two disjoint memory objects modified in a function can be aliased at any particular call site."
Observed by Reynolds '78, Moy's PhD thesis '09, and many others.
Proposed solutions:
  ignore context-sensitivity: SMACK and Cascade;
  generate contracts that ensure CC holds, otherwise reject the program: Frama-C + Jessie plugin.
Ensuring Sound Modular VC Generation: Our Solution
  void f(int *x, int *y) { *x = 1; *y = 2; }
  void g(int *p, int *q, int *r, int *s) { f(p, q); f(r, s); }
Assume p and q may alias.
[Figure: the callee summary f_sum(x,y) starts with x and y in separate cells. Because p and q alias at the call f(p,q), the instantiation f(x',y') unifies x',y' with the cell holding p,q, and the summary cells of x and y are merged (x,y share one cell in f_sum). At the call f(r,s) the instantiation f(x'',y'') therefore also places r and s in one cell {r,s}, but that cell stays separate from {p,q}.]
Sound verification conditions:
  f(x, y, A_{xy}, A''_{xy}) {
    A'_{xy}  = store(A_{xy}, x, 1)
    A''_{xy} = store(A'_{xy}, y, 2)
  }
  g(p, q, r, s, A_{pq}, A_{rs}, A'_{pq}, A'_{rs}) {
    f(p, q, A_{pq}, A'_{pq})
    f(r, s, A_{rs}, A'_{rs})
  }
Good compromise:
  context-sensitive: the calls to f do not merge {p,q} and {r,s};
  ensures that CC holds!
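The Correctness Condition from the previous slide and the three responses to it (merge everything, reject, or the compromise above) can be written down as a small checker. This is an added example, not code from the slides or from sea-dsa: cells are modelled as union-find classes over variable names, offsets and graph edges are left out, and the policy names and all identifiers are this example's own.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


class Partition:
    """Union-find over names: names in one class share one memory cell."""

    def __init__(self, names: Iterable[str]) -> None:
        self.parent: Dict[str, str] = {n: n for n in names}

    def find(self, n: str) -> str:
        while self.parent[n] != n:
            self.parent[n] = self.parent[self.parent[n]]
            n = self.parent[n]
        return n

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb

    def classes(self, only: Iterable[str] = ()) -> FrozenSet[FrozenSet[str]]:
        keep = set(only) or set(self.parent)
        groups: Dict[str, Set[str]] = {}
        for n in self.parent:
            if n in keep:
                groups.setdefault(self.find(n), set()).add(n)
        return frozenset(frozenset(g) for g in groups.values())


Site = Tuple[str, ...]   # actual arguments of one call, positionally matching the formals


def cc_violations(formals: Site, modified: Set[str], summary: Partition,
                  caller: Partition, sites: List[Site]) -> Set[Tuple[Site, str, str]]:
    """CC: no two disjoint cells modified by the callee may alias at any call site."""
    bad: Set[Tuple[Site, str, str]] = set()
    for site in sites:
        for i in range(len(formals)):
            for j in range(i + 1, len(formals)):
                fi, fj = formals[i], formals[j]
                disjoint = summary.find(fi) != summary.find(fj)
                both_modified = fi in modified and fj in modified
                aliased = caller.find(site[i]) == caller.find(site[j])
                if disjoint and both_modified and aliased:
                    bad.add((site, fi, fj))
    return bad


def resolve(formals: Site, modified: Set[str], caller_names: Iterable[str],
            caller_aliases: List[Tuple[str, str]], sites: List[Site], policy: str):
    """Returns (status, callee summary classes, caller classes) under one policy."""
    caller = Partition(caller_names)
    for a, b in caller_aliases:
        caller.union(a, b)
    summary = Partition(formals)
    if policy == "reject":                    # Frama-C + Jessie style: CC must already hold
        bad = cc_violations(formals, modified, summary, caller, sites)
        return ("rejected" if bad else "accepted"), summary.classes(), caller.classes()
    if policy == "context-insensitive":       # SMACK / Cascade style: one graph for every call
        glob = Partition(list(formals) + list(caller.parent))
        for a, b in caller_aliases:
            glob.union(a, b)
        for site in sites:
            for f, a in zip(formals, site):
                glob.union(f, a)
        return "accepted", glob.classes(formals), glob.classes(caller.parent)
    assert policy == "merge"                  # the compromise on the slide
    while True:                               # bottom-up: merge callee cells until CC holds
        bad = cc_violations(formals, modified, summary, caller, sites)
        if not bad:
            break
        for _, fi, fj in bad:
            summary.union(fi, fj)
    for site in sites:                        # top-down: actuals bound to one summary cell share
        for i in range(len(formals)):         # a cell, but distinct call sites stay distinct
            for j in range(i + 1, len(formals)):
                if summary.find(formals[i]) == summary.find(formals[j]):
                    caller.union(site[i], site[j])
    return "accepted", summary.classes(), caller.classes()


# The deck's example: f(int *x, int *y) writes both; g calls f(p,q) and f(r,s); p may alias q.
FORMALS: Site = ("x", "y")
MODIFIED = {"x", "y"}
CALLER = ("p", "q", "r", "s")
ALIASES = [("p", "q")]
SITES: List[Site] = [("p", "q"), ("r", "s")]
```

On the deck's example the "reject" policy refuses the program because x and y are disjoint in the summary, both modified, and bound to aliasing actuals at f(p,q); "context-insensitive" accepts it but ends with p, q, r, s in one cell; "merge" accepts it with {x,y} merged in the summary and the caller keeping {p,q} and {r,s} apart, which is exactly the sound VC shape above.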
Field- and Array-Sensitive Pointer Analysis
  #include <stdlib.h>
  #define N 4   /* value taken from the later Array-Sensitivity slide */
  #define M 3   /* assumption: M is left unspecified on the slides */
  typedef struct list { struct list *n; int e; } ll;
  ll *mkList(int s, int e) {
    if (s <= 0) return NULL;
    ll *p = malloc(sizeof(ll));
    p->e = e;
    p->n = mkList(s - 1, e);
    return p;
  }
  void main() { ll *a[N]; int i; for (i = 0; i < N; ++i) a[i] = mkList(M, 0); }
Our pointer analysis infers:
  1. &a[0] points to an object O_A which has ≥ 1 elements of the size of a pointer;
  2. O_A points to another object O_L with offsets 0 and 4.
Similar pointer analyses do not distinguish O_A from O_L.
Our contributions
We present a new pointer analysis for verification of C/C++ that:
  1. is context-, field-, and array-sensitive;
  2. has been implemented and is publicly available: https://github.com/seahorn/sea-dsa
  3. has been evaluated on flight control components written in C++ and on SV-COMP benchmarks in C.
Concrete Semantics
A concrete cell is a pair of an object reference and an offset.
A concrete points-to graph g ∈ G_C is a triple ⟨V, E, σ⟩ with
  V ⊆ C_C    E ⊆ C_C × C_C    σ : V_P → C_C
A concrete state is a triple ⟨g, π, pc⟩ where
  g ∈ G_C    π : V_I → Z    pc ∈ L
malloc returns a fresh memory object.
Concrete Semantics: Assumptions
1. Freed memory is not reused:
     int *p = (int *) malloc(..); int *q = p; free(p); int *r = (int *) malloc(..);
   it is assumed that r cannot alias with q.
2. It does not distinguish between valid and invalid pointers:
     int *p = (int *) malloc(..); free(p); int *q = (int *) malloc(..); if (p == q) *p = 0;
   it is assumed that there is no null dereference.
Abstract Semantics
An abstract cell is a pair of an abstract object and a byte offset.
An abstract object has an identifier and:
  1. is sequence: an unknown sequence of consecutive bytes;
  2. is collapsed: all outgoing cells have been merged;
  3. size in bytes (see paper for details).
An abstract points-to graph G_A is a triple ⟨V, E, σ⟩ with
  V ⊆ C_A    E ⊆ C_A × C_A    σ : V_P → C_A
The number of abstract objects is finite.
An abstract state is represented by an abstract points-to graph:
  it does not keep track of an environment for integer variables;
  it is flow-insensitive.
Concrete vs Abstract points-to Graphs
[Figure: on the left, the concrete points-to graph of the mkList example: an array object with cells at offsets 0, 4, 8, 12, each pointing to a separate list object with cells at offsets 0 and 4, whose next pointers are NULL. On the right, the abstract points-to graph: one object with sequence = true, collapsed = false, size = multiple of 4, whose cell points to one object with sequence = false, collapsed = false, size = 8.]
Simulation Relation between Graphs
[Figure: the same two graphs with the simulation relation ρ drawn between them, built up one object at a time. The frames also show alternative abstract objects for the array (sequence = false, collapsed = false, size = 16) and for the list object (sequence = false, collapsed = false, size = 8, and later size = 4).]
Simulation Relation between Graphs
γ : G_A → 2^{G_C} defined as
  γ(g_a) = { g_c ∈ G_C | g_c is simulated by g_a }
It also defines an ordering between abstract graphs g, g′ ∈ G_A:
  g ⊑_{G_A} g′  if and only if  g is simulated by g′
It will play an essential role during the context-sensitive analysis (later in this talk).
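The following is an added example, not code from the slides or from sea-dsa, that makes "g is simulated by g′" executable for the mkList figure: a graph holds objects with the sequence/collapsed/size attributes from the Abstract Semantics slide, a concrete object is simply an object with both flags false, and ρ is a map from objects of g to objects of g′. The compatibility rule in `compatible` (a sequence object of size k may stand for any object whose size is a multiple of k, a collapsed object for anything, otherwise sizes must match) is this example's reading of the figures, not the paper's definition; the constructed concrete graph assumes N = 4, M = 1 and 4-byte pointers, and all identifiers are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Cell = Tuple[str, int]   # (object id, byte offset)


@dataclass
class Node:
    size: int
    sequence: bool = False
    collapsed: bool = False


@dataclass
class Graph:
    nodes: Dict[str, Node] = field(default_factory=dict)
    edges: Set[Tuple[Cell, Cell]] = field(default_factory=set)   # points-to edges between cells
    varmap: Dict[str, Cell] = field(default_factory=dict)        # program variables -> cells

    def project(self, c: Cell) -> Cell:
        """Canonical cell: a collapsed object has one cell, a sequence object wraps offsets."""
        nid, off = c
        n = self.nodes[nid]
        if n.collapsed:
            return (nid, 0)
        if n.sequence:
            return (nid, off % n.size)
        return c


def compatible(n: Node, m: Node) -> bool:
    """May object n be represented by object m? (this example's rule, see lead-in)"""
    if m.collapsed:
        return True
    if m.sequence:
        return not n.collapsed and n.size % m.size == 0
    return not n.sequence and not n.collapsed and n.size == m.size


def simulated(g: Graph, h: Graph, rho: Dict[str, str]) -> bool:
    """g is simulated by h under the object map rho; NULL is not an object and has no image."""
    def img(c: Cell) -> Cell:
        return h.project((rho[c[0]], c[1]))

    for nid, n in g.nodes.items():                 # every object has a compatible image
        if nid not in rho or not compatible(n, h.nodes[rho[nid]]):
            return False
    for src, dst in g.edges:                       # every edge has an edge between the images
        if (img(src), img(dst)) not in h.edges:
            return False
    for v, c in g.varmap.items():                  # every variable points to the image of its cell
        if v not in h.varmap or img(c) != h.project(h.varmap[v]):
            return False
    return True


def slide_graphs():
    """Constructed: concrete graph of the mkList example (N = 4, M = 1) and two abstractions."""
    gc = Graph()
    gc.nodes["arr"] = Node(16)                     # ll *a[4] with 4-byte pointers, as on the figure
    gc.varmap["a"] = ("arr", 0)
    for i in range(4):
        gc.nodes[f"l{i}"] = Node(8)                # one list object per a[i]; its n field is NULL
        gc.edges.add((("arr", 4 * i), (f"l{i}", 0)))
    ga = Graph()                                   # the slide's abstract graph
    ga.nodes["S"] = Node(4, sequence=True)         # sequence = true, size = multiple of 4
    ga.nodes["L"] = Node(8)                        # sequence = false, size = 8
    ga.varmap["a"] = ("S", 0)
    ga.edges.add((("S", 0), ("L", 0)))
    gp = Graph()                                   # the frames' alternative: size = 16, no sequence
    gp.nodes["A16"] = Node(16)
    gp.nodes["L"] = Node(8)
    gp.varmap["a"] = ("A16", 0)
    for i in range(4):
        gp.edges.add((("A16", 4 * i), ("L", 0)))
    rho_a = {"arr": "S", **{f"l{i}": "L" for i in range(4)}}
    rho_p = {"arr": "A16", **{f"l{i}": "L" for i in range(4)}}
    return gc, ga, gp, rho_a, rho_p
```

Both abstract graphs simulate the concrete one, so both belong to the concretisation of the other under γ; the 16-byte non-sequence graph is in turn simulated by the sequence graph but not the other way round, which is the ordering ⊑ from the slide in action.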
Intra-Procedural Pointer Analysis

Based on field-sensitive Steensgaard's

Key operation: cell unification

Ensure $c_1 = (n_1, o_1)$ and $c_2 = (n_2, o_2)$ are the same address:
  If $o_1 < o_2$ (the other case is symmetric), map $(n_1, 0)$ to $(n_2, o_2 - o_1)$; then $(n_1, o_1) = (n_2, o_2 - o_1 + o_1) = (n_2, o_2)$
  Unify each $(n_1, o_k)$ with $(n_2, o_2 - o_1 + o_k)$

[Figure: unify(Y, C) = unify((N1, 4), (N2, 8)). Before: node N1 has cells X, Y, Z at offsets 0, 4, 8; node N2 has cells A, B, C, D at offsets 0, 4, 8, 12. After: a single node with A at offset 0, B and X at 4, C and Y at 8, D and Z at 12.]
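A worked implementation of the cell unification above, as an added example (not the talk's or sea-dsa's code): a union-find over (node, offset) cells in which a merged node keeps a forwarding pointer plus the shift o2 − o1, so that a later lookup of (n1, ok) resolves to (n2, o2 − o1 + ok). The Node encoding, the rule that unifying two different offsets of the same node collapses it, and the three scenarios are this example's own assumptions; the first scenario replays the slide's unify((N1, 4), (N2, 8)).

```python
"""Field-sensitive Steensgaard cell unification with offsets.

Added example, not SeaHorn/sea-dsa code.  A cell is (node, offset); a node that
has been merged into another keeps a (target, delta) forwarding pointer so that
its cell at offset ok resolves to the target's cell at offset ok + delta.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(eq=False)                       # identity semantics: nodes are distinct objects
class Node:
    name: str
    size: int = 0                          # bytes spanned by the node's cells
    collapsed: bool = False                # field sensitivity lost: every offset is offset 0
    cells: dict = field(default_factory=dict)   # offset -> set of variable names stored there
    links: dict = field(default_factory=dict)   # offset -> (Node, offset) the field points to
    forward: tuple | None = None           # (Node, delta) once merged into another node


def find(node: Node, off: int) -> tuple[Node, int]:
    """Resolve a cell to its current representative (node, offset)."""
    while node.forward is not None:
        target, delta = node.forward
        node, off = target, off + delta
    return (node, 0) if node.collapsed else (node, off)


def collapse(node: Node) -> None:
    """Merge all fields of `node` into offset 0 (used when no consistent shift exists)."""
    node.collapsed = True
    names = set().union(*node.cells.values()) if node.cells else set()
    targets = list(node.links.values())
    node.cells = {0: names} if names else {}
    node.links = {0: targets[0]} if targets else {}
    for extra in targets[1:]:              # former fields now alias, so their targets alias too
        unify(targets[0], extra)


def unify(c1: tuple[Node, int], c2: tuple[Node, int]) -> None:
    """Make cells c1 = (n1, o1) and c2 = (n2, o2) denote the same address."""
    n1, o1 = find(*c1)
    n2, o2 = find(*c2)
    if n1 is n2:
        if o1 != o2:                       # same node at two offsets: no shift can reconcile them
            collapse(n1)
        return
    if o1 > o2:                            # the slide's "other case symmetric"
        n1, o1, n2, o2 = n2, o2, n1, o1
    delta = o2 - o1                        # map (n1, 0) to (n2, delta): (n1, o1) lands on (n2, o2)
    n1.forward = (n2, delta)
    n2.size = max(n2.size, n1.size + delta)
    pending = []
    for ok, names in n1.cells.items():     # unify each (n1, ok) with (n2, ok + delta)
        n2.cells.setdefault(ok + delta, set()).update(names)
    for ok, target in n1.links.items():
        if ok + delta in n2.links:         # both fields point somewhere: their targets must merge
            pending.append((n2.links[ok + delta], target))
        else:
            n2.links[ok + delta] = target
    n1.cells, n1.links = {}, {}
    if n1.collapsed:                       # a collapsed node drags its partner down with it
        collapse(n2)
    for a, b in pending:
        unify(a, b)


def layout(node: Node) -> dict[int, set[str]]:
    """Offset -> variable names of the node that `node` now belongs to."""
    rep, _ = find(node, 0)
    return {off: set(names) for off, names in sorted(rep.cells.items())}


def slide_example() -> dict[int, set[str]]:
    """unify(Y, C) = unify((N1, 4), (N2, 8)) from the slide: N1 shifts by 4 into N2."""
    n1 = Node("N1", size=12, cells={0: {"X"}, 4: {"Y"}, 8: {"Z"}})
    n2 = Node("N2", size=16, cells={0: {"A"}, 4: {"B"}, 8: {"C"}, 12: {"D"}})
    unify((n1, 4), (n2, 8))
    return layout(n1)


def link_example() -> bool:
    """Unifying two pointer cells also unifies the objects they point to."""
    h1, h2 = Node("H1", size=4, cells={0: {"*a"}}), Node("H2", size=4, cells={0: {"*b"}})
    s = Node("S", size=8, cells={0: {"a"}, 4: {"b"}}, links={0: (h1, 0), 4: (h2, 0)})
    t = Node("T", size=4, cells={0: {"c"}}, links={0: (h1, 0)})
    unify((s, 4), (t, 0))                  # b and c alias, so their targets H2 and H1 become one node
    return find(h1, 0)[0] is find(h2, 0)[0]


def collapse_example() -> tuple[bool, dict[int, set[str]]]:
    """Forcing offsets 0 and 4 of one node to alias (e.g. via a cast) collapses the node."""
    n = Node("N", size=8, cells={0: {"p"}, 4: {"q"}})
    unify((n, 0), (n, 4))
    return n.collapsed, layout(n)
```

The forwarding pointer carries the shift, so unification is a constant-time relink plus a walk over the smaller node's cells; the recursive calls on `pending` are what makes this Steensgaard-style (unifying two pointers unifies their pointees), and `collapse` is the point where field sensitivity is given up rather than reporting an error.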
Array-Sensitivity

    #include <stdlib.h>

    typedef struct list {
      struct list *n;
      int e;
    } ll;

    ll *mkList(int s, int e) {
      if (s <= 0)
        return NULL;
      ll *p = malloc(sizeof(ll));
      p->e = e;
      p->n = mkList(s - 1, e);
      return p;
    }

    #define N 4
    int main(void) {
      ll *a[N];
      int i;
      for (i = 0; i < N; ++i)
        a[i] = mkList(M, 0);   /* M (the list length) is left undefined on the slide */
      return 0;
    }

[Figure, built up over three slides: without array-sensitivity, the array a is a node with four cells at offsets 0, 4, 8, 12 (sequence = false, collapsed = false, size = 16), each cell pointing to the list node with fields at offsets 0 and 4 (sequence = false, collapsed = false, size = 8). With array-sensitivity, a becomes a single sequence node (sequence = true, collapsed = false, size = 4, i.e. one pointer-sized element) pointing to that same list node.]
Context-Sensitive Pointer Analysis

    void g(...) {
      f(p1, p2, p3);
    }
    void h(...) {
      f(r1, r2, r3);
    }
    void f(int *q1, int *q2, int *q3) {
      ...
    }

[Figure, built up over several slides: in g, p1 and p2 point to the same node and p3 to another; in h, r1, r2 and r3 point to three distinct nodes; in f, q1, q2 and q3 initially point to three distinct nodes. Analyzing g's callsite unifies q1 and q2 in f top-down (q3 | q1,q2). Analyzing h's callsite then unifies r1 and r2 in h bottom-up (r3 | r1,r2).]

Next, h's callsites and callsites where h is called must be re-analyzed, and so on

In general, after a unification we need to re-analyze:
  if top-down: callsites with the same callee and callsites within the callee
  if bottom-up: callsites with the same caller and callsites within the caller

However, no need to re-analyze the whole function!

Fixpoint over all callsites until no more bottom-up or top-down unifications
Bottom-Up and Top-Down Unifications

[Figure: BU and TD unifications between a callee graph and a caller graph.]

Q: How to decide whether BU, TD or no more unifications?
A: Simulation relation!

Build a simulation relation ρ between callee and caller graphs:
  1. if ρ is not a function then BU
  2. else if ρ is a function but not injective then TD
  3. else (ρ is an injective function) do nothing
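The decision rule above, as an added example (not code from the talk or from sea-dsa): ρ is built by walking the callee and caller graphs in lockstep from the formal/actual cell pairs, then classified as not a function (BU), a function that is not injective (TD), or an injective function (nothing to do). The toy graph encoding, the node names Fa/Fb/Fc, Gx/Gy and Hx/Hy/Hz, and the three callsite scenarios, which replay the g/h/f example from the "Context-Sensitive Pointer Analysis" slide, are this example's assumptions; the unifications themselves are applied by hand between scenarios rather than performed by the code.

```python
"""Simulation relation between callee and caller points-to graphs and the BU/TD decision.

Added example, not code from the talk or from sea-dsa.  Toy encoding chosen here:
a node carries `links` (field offset -> pointed-to cell); a cell is (node, offset).
The relation is grown from the formal/actual cell pairs of one callsite.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(eq=False)                       # identity semantics: nodes are distinct objects
class Node:
    name: str
    links: dict = field(default_factory=dict)   # offset -> (Node, offset)


Cell = tuple[Node, int]


def simulation(pairs: list[tuple[Cell, Cell]]) -> dict[Node, set[Node]]:
    """rho: callee node -> caller nodes that simulate it.

    Relating callee cell (n1, o1) to caller cell (n2, o2) relates n1 to n2 with shift
    o2 - o1; each callee field at n1 + k must then be matched by the caller field at
    n2 + k + shift, and the cells those fields point to are related in turn.  A missing
    caller field means the caller graph does not simulate the callee graph; after the
    callee summary has been cloned into the caller this cannot happen, so it is an error.
    """
    rho: dict[Node, set[Node]] = defaultdict(set)
    seen: set[tuple[int, int, int]] = set()
    work = list(pairs)
    while work:
        (n1, o1), (n2, o2) = work.pop()
        shift = o2 - o1
        if (id(n1), id(n2), shift) in seen:
            continue
        seen.add((id(n1), id(n2), shift))
        rho[n1].add(n2)
        for k, callee_target in n1.links.items():
            caller_target = n2.links.get(k + shift)
            if caller_target is None:
                raise ValueError(f"{n2.name} does not simulate {n1.name}: no field at {k + shift}")
            work.append((callee_target, caller_target))
    return dict(rho)


def decide(rho: dict[Node, set[Node]]) -> tuple[str, list[str]]:
    """The slide's rule: not a function -> BU; function but not injective -> TD; else nothing.
    Returns the kind and the names of the nodes that unification would merge."""
    for callee_node, caller_nodes in rho.items():
        if len(caller_nodes) > 1:          # one callee node simulated by two caller nodes
            return "BU", sorted(n.name for n in caller_nodes)
    preimage: dict[Node, set[Node]] = defaultdict(set)
    for callee_node, (caller_node,) in rho.items():
        preimage[caller_node].add(callee_node)
    for caller_node, callee_nodes in preimage.items():
        if len(callee_nodes) > 1:          # two callee nodes simulated by one caller node
            return "TD", sorted(n.name for n in callee_nodes)
    return "none", []


def var(name: str, target: Node) -> Node:
    """A pointer variable: a node whose single field (offset 0) points to `target`."""
    return Node(name, links={0: (target, 0)})


def callsite_in_g() -> tuple[str, list[str]]:
    """g calls f(p1, p2, p3) with p1 and p2 aliased; f's q1, q2, q3 start out distinct."""
    fa, fb, fc = Node("Fa"), Node("Fb"), Node("Fc")
    q = [var("q1", fa), var("q2", fb), var("q3", fc)]
    gx, gy = Node("Gx"), Node("Gy")
    p = [var("p1", gx), var("p2", gx), var("p3", gy)]
    return decide(simulation([((qi, 0), (pi, 0)) for qi, pi in zip(q, p)]))


def callsite_in_h(after_bu: bool = False) -> tuple[str, list[str]]:
    """h calls f(r1, r2, r3) with all r's distinct, after the TD unification from g's
    callsite has been applied to f by hand (Fa and Fb merged into Fa).  With after_bu
    the BU unification in h (r1 and r2 now point to the same node) has been applied too."""
    fa, fc = Node("Fa"), Node("Fc")
    q = [var("q1", fa), var("q2", fa), var("q3", fc)]
    hx, hy, hz = Node("Hx"), Node("Hy"), Node("Hz")
    r = [var("r1", hx), var("r2", hx if after_bu else hy), var("r3", hz)]
    return decide(simulation([((qi, 0), (ri, 0)) for qi, ri in zip(q, r)]))
```

Run in order, the three scenarios reproduce the slide's sequence: g's callsite asks for a TD unification of Fa and Fb inside f, h's callsite then asks for a BU unification of Hx and Hy inside h, and once that is applied ρ is an injective function and the callsite is stable. In the full analysis each unification re-queues the affected callsites and the loop runs until every callsite reports "none".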
Context-Sensitive Pointer Analysis: All Pieces Together

1. for each function in reverse topological order of the call graph, compute its summary
2. for each callsite, clone the callee's summary into the caller graph and unify formal/actual cells
3. apply BU and TD unifications until CC holds for all callsites (i.e. at every callsite ρ is an injective function, so neither a BU nor a TD unification applies)
Experiments

Integrated the pointer analysis in SeaHorn

The pointer analysis is used during VC generation

Compared SeaHorn verification time using:
  (CI) DSA pointer analysis from the LLVM PoolAlloc project
  Our pointer analysis
Experiments on SV-COMP C Programs

[Scatter plot: CPU time of SeaHorn + DSA (x axis) against SeaHorn + our CS analysis (y axis), both axes ticked from 50 to 300.]

2000 benchmarks from the SV-COMP DeviceDrivers64 category
Verification time with a timeout of 5m and a 4GB memory limit
With our analysis SeaHorn proved 81 more programs
(Ongoing) C++ Case Study

Goal:

Verify absence of buffer overflows on the flight control system of the Core Autonomous Safety Software (CASS) of an Autonomous Flight Safety System

13,640 LOC (excluding blanks/comments) written in C++ using standard C++ 2011 and following MISRA C++ 2008

It follows an object-oriented style and makes heavy use of dynamic arrays and singly-linked lists

                   #Objects   #Collapsed   Max. Density   % Proven
  Sea + DSA             258          49%            80%         13
  Sea + our CS       12,789           4%            13%         21
Conclusions

Modular proofs require context-sensitive heap reasoning

We adopted a very high-level memory model that can still express low-level C/C++ features such as pointer arithmetic, pointer casts and type unions

We presented a scalable field-, array- and context-sensitive pointer analysis tailored for VC generation

A simulation relation between points-to graphs plays a major role in the analysis of function calls

It can produce a finer-grained partition of memory that often results in faster verification times