Pin-related paper: Statically-Directed Dynamic Automated Test Generation (Part 2)

Continued from "Pin-related paper ....... (Part 1)"

3.1 Abstract Domain

........

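Regions are defined as a map: Region := SInterval → ValMap. Individual regions are denoted R, possibly with indices. For example, a stack region that contains the constant 7 at stack slot -4 and a global variable located at address 1000 at stack slot -12 can be represented as

R = {4[-4,0] → {CId → 1[7,8]}, 4[-12,8] → {GlbId → 4[1000,1004]}}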

.......

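I still don't understand it. Which parts don't I understand?

00. Is a strided interval an abstract representation of memory addresses?

10. Is the RegionID the paper refers to the address information of the computer's memory?

20. What is the stack slot in the paper? (From the example, I guess it is a fixed segment of the stack whose length is determined by the type of the element on the stack.)

30. Given that State is defined as State := RegionID→Region, and Region was defined earlier, what is s [GlbId,4[1000,1004]]?

40. Why does s[r,a] return the value map defining the location a in the region with identifier r in state s, or ⊥ if the location is undefined?

50. post# (s0, if c then S1 else S2) = post# (s0,S1)⊔post# (s0,S2)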

      post# (s0,while c do S) = s0▽post# (s0,S)

      post# (s0,write(r,a, v)) = s0 [r,a←v]

Appended below is the explanation that follows in the paper:


Figure 1: Definition of the Transition Relation. The pre-state is denoted s0, statements Si, the widening operator ▽, branch condition c, and temporary variable v of the ValMap type. Our instruction decoder creates temporary variables for intermediate results loaded from memory or created by complex assembly instructions. The control-flow construction (Section 2) identifies branches and loops, which can be classified as either if-then-else branches or while-do loops. Thus, the above are all the state-modifying transitions required.

Regions with different identifiers are considered to be infinitely far apart. The C standard [26, page 83] considers the result of address arithmetic pointing outside a region undefined, so our treatment of regions is following the C standard (for binaries compiled from C programs). For binaries compiled from type-safe languages, our assumption is safe.

Finally, we define an abstract state as a map from region identifiers to regions: State := RegionID→Region. For denoting individual states, we will use the letter s, possibly with indices. The State map is indexed by a region identifier and address (strided interval), e.g., s [GlbId,4[1000,1004]]. The indexing operation s[r,a] returns the value map defining the location a in the region with identifier r in state s, or ⊥ if the location is undefined. We define substitution on states s [r,a←v] as an operator that replaces the value map s[r,a] with v, without changing other regions or addresses, and returns the newly constructed state.

For efficiency, we represent the maps in each level of the abstract state as persistent red-black trees [35] (using Eker’s optimizations [19]) to allow fast functional updates with sharing. Regions use interval trees to efficiently detect overlap, and we use hash consing to avoid constructing duplicate objects.

Formally, our abstract interpretation is a monotone non-distributive (e.g., [34]) with domain (P(State), ⊑, ⊔, ⊥), where the transition relation post# is defined by the rules in Fig. 1, while the operations over value maps are defined in Fig. 2. To compute the fixed-point, we use a simple aggressive widening operator for strided intervals, described in [2]. We define the join and widen operators on states later (Section 3.4).
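The following Python sketch is an added example, not code from the paper or from this post. It models State := RegionID→Region with plain dicts and implements the indexing s[r,a], the substitution s[r,a←v], and the write and if-then-else rules of Fig. 1. The join used here is a conservative one assumed for illustration (the paper defines its own in Section 3.4, which is not quoted above), the while rule is left out because the widening operator is only cited, and the region name "Stack" and all function names are made up.

```python
from math import gcd

# s[lo,hi] is modelled as the tuple (s, lo, hi); a ValMap is {RegionID: SInterval},
# a Region is {SInterval: ValMap}, a State is {RegionID: Region}.
BOTTOM = None  # stands for ⊥, an undefined location

def index(s, r, a):
    """s[r,a]: the value map at address a of region r, or ⊥ if undefined."""
    return s.get(r, {}).get(a, BOTTOM)

def subst(s, r, a, v):
    """s[r,a←v]: a new state with only s[r,a] replaced; s is left unchanged."""
    new = dict(s)
    new[r] = {**s.get(r, {}), a: v}
    return new

def join_si(x, y):
    """Assumed conservative join of two strided intervals (not the paper's)."""
    (s1, a, b), (s2, c, d) = x, y
    return (gcd(gcd(s1, s2), abs(a - c)), min(a, c), max(b, d))

def join_map(m, n, join_leaf):
    """Pointwise join of two dicts; a key defined on one side only is kept."""
    return {k: join_leaf(m[k], n[k]) if k in m and k in n else m.get(k, n.get(k))
            for k in m.keys() | n.keys()}

def join_state(s, t):
    """Assumed state join ⊔, applied level by level: State, Region, ValMap."""
    join_valmap = lambda v, w: join_map(v, w, join_si)
    join_region = lambda p, q: join_map(p, q, join_valmap)
    return join_map(s, t, join_region)

def post_write(s0, r, a, v):
    """post#(s0, write(r,a,v)) = s0[r,a←v]"""
    return subst(s0, r, a, v)

def post_if(s0, post_s1, post_s2):
    """post#(s0, if c then S1 else S2) = post#(s0,S1) ⊔ post#(s0,S2)"""
    return join_state(post_s1(s0), post_s2(s0))

# The stack region R as written in the post; the name "Stack" is made up here.
SLOT_4, SLOT_12 = (4, -4, 0), (4, -12, 8)
S0 = {"Stack": {SLOT_4: {"CId": (1, 7, 8)}, SLOT_12: {"GlbId": (4, 1000, 1004)}}}

def demo():
    """Each branch stores a different global address into stack slot -12."""
    then_ = lambda s: post_write(s, "Stack", SLOT_12, {"GlbId": (4, 1000, 1004)})
    else_ = lambda s: post_write(s, "Stack", SLOT_12, {"GlbId": (4, 1008, 1012)})
    return post_if(S0, then_, else_)
```

After the branch, slot -12 holds the single strided interval 4[1000,1012] in region GlbId, slot -4 is unchanged, and the pre-state S0 is untouched because substitution builds a new state.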



Today I went back and looked at the Pin manual again, and I now understand argc and argv; it's actually so easy.
