pin 相关论文Statically-Directed Dynamic Automated Test Generation 二

最新推荐文章于 2021-01-09 17:52:49 发布

冬季的小麦

最新推荐文章于 2021-01-09 17:52:49 发布

阅读量1.5k

点赞数

CC 4.0 BY-SA版权

分类专栏： pin

本文链接：https://blog.youkuaiyun.com/familyvirtue/article/details/7787311

pin 专栏收录该内容

13 篇文章

订阅专栏

本文深入探讨了程序抽象域的概念，特别是Region的概念及其在内存管理中的应用。文章详细解释了如何使用Region来表示不同类型的内存区域，并介绍了State的定义及各种操作符的作用。此外，还讨论了抽象状态表示法以及其在实际程序分析中的应用。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

接“pin 相关论文 .......一”

3.1抽象域

........

Regions 定义为一个图：Region:=SInterval——>ValMap。单独的区域表示为R，可能要有索引。例如栈区域在stack slot -4的包含常数7，在stack slot -12包含一个地址在1000的全局变量，可以表示为

R={4[-4,0]——>{CId——>1[7,8]}, 4[-12,8]——>{GlbId——>4[1000,1004]}}

.......

还是没看懂，哪里不懂？

00，strided interval 是对内存地址的抽象表示？

10，文中说指的RegionID是不是计算机内存的地址信息？

20，文中的stack slot是什么？（从例子中我推测是栈的确定的一段，长度由栈中元素类型确定）

30，既然State的定义是：State := RegionID→Region，而Region的定义在前面给出了，s [GlbId,4[1000,1004]]，这个是什么？

40，s[r,a]为什么会返回the value map defining the location a in the region with identifier r in state s, or⊥if the location is undefined.

50，post# (s0, if c then S1 else S2) = post# (s0,S1)⊔post# (s0,S2)

post# (s0,while c do S) = s0▽post# (s0,S)

post# (s0,write(r,a, v)) = s0 [r,a←v]

附后面的说明：

post# (s0, if c then S1 else S2) = post# (s0,S1)⊔post# (s0,S2)

post# (s0,while c do S) = s0▽post# (s0,S)

post# (s0,write(r,a, v)) = s0 [r,a←v]

Figure 1: Definition of the Transition Relation. The pre-state is denoted s0, statements Si , the widening operator ▽, branch condition c, and temporary variable v of the ValMap type. Our instruction decoder creates temporary variables for intermediate results loaded from memory or created by complex assembly instructions. The control-flow construction (Section 2) identifies branches and loops, which can be classified as either if-then-else branches or while-do loops. Thus, the above are all the state-modifying transitions required.

Regions with different identifiers are considered to be infinitely far apart. The C standard [26, page 83] considers the result of address arithmetic pointing outside a region undefined, so our treatment of regions is following the C standard (for binaries compiled from C programs). For binaries compiled from type-safe languages, our assumption is safe.

Finally, we define an abstract state as a map from region identifiers to regions: State := RegionID→Region. For denoting individual

states, we will use the letter s, possibly with indices. The State map is indexed by a region identifier and address (strided interval), e.g., s [GlbId,4[1000,1004]]. The indexing operation s[r,a] returns the value map defining the location a in the region with identifier r in state s, or ⊥ if the location is undefined. We define substitution on states s [r,a←v] as an operator that replaces the value map s[r,a] with v, without changing other regions or addresses, and returns the newly constructed state.

For efficiency, we represent the maps in each level of the abstract state as persistent red-black trees [35] (using Eker’s optimizations
[19]) to allow fast functional updates with sharing. Regions use interval trees to efficiently detect overlap, and we use hash consing to avoid constructing duplicate objects.

Formally, our abstract interpretation is a monotone non-distributive (e.g., [34]) with domain (P(State) ,⊑,⊔,⊥), where the transition relation post# is defined by the rules in Fig. 1, while the operations over value maps are defined in Fig. 2. To compute the fixed-point, we use a simple aggressive widening operator for strided intervals, described in [2]. We define the join and widen operators on states later (Section 3.4).

今天又回去看了看pin的manual，懂了 argc 和 argv，其实so easy。