| | 1 | == Heap & Canonicalization == |
| | 2 | |
| | 3 | === Heap === |
| | 4 | In CIVL, each scope has one and only one heap. |
| | 5 | The heaps of the same CIVL model has the same type regardless of which scope it belongs to. |
| | 6 | |
| | 7 | The heap type is defined as the following: |
| | 8 | {{{ |
| | 9 | struct __heap_type{ |
| | 10 | __type1 [][]; |
| | 11 | __type2 [][]; |
| | 12 | ... |
| | 13 | } |
| | 14 | }}} |
| | 15 | where `__type1`, `__type2`,... are corresponding to the object type of each `$malloc` statement. |
| | 16 | |
| | 17 | ==== Heap Object ==== |
| | 18 | |
| | 19 | * Allocation: a heap object is created by a `$malloc` statement, and it is added into the heap of the dyscope specified by the `$malloc` statement. |
| | 20 | |
| | 21 | * Initialization: |
| | 22 | - If the size of the `$malloc` statement is not concrete or the type of the heap object has a non-concrete state (e.g, a struct containing an array field whose extent is not concrete), then the heap object has to be a symbolic constant with a unique name; |
| | 23 | - Otherwise, initialize each leaf-node element of the heap object with the symbolic NULL expression (not Java NULL). |
| | 24 | |
| | 25 | * Naming rule: `"Hp" + pid + "s" + dyscopeId + "i" + mallocId + "l" + calledId` |
| | 26 | |
| | 27 | * Deallocation: a heap object is removed from the heap when a `$free` is called with the corresponding pointer. (Semantics of `$free` follows C11 standards) |
| | 28 | - Update all pointers to the heap object to be UNDEFINED |
| | 29 | - Note: the removal of the heap object only happens later when garbage collection/canonicalization is performed. |
| | 30 | |
| | 31 | ==== Heap Object Reachability Analysis ==== |
| | 32 | |
| | 33 | {{{ |
| | 34 | Map<HeapObject, Integer> reachableHeapObjectsOfState(state){ |
| | 35 | Set<HeapObject> visited; |
| | 36 | Map<HeapObject, Integer> idMap; |
| | 37 | |
| | 38 | for(dyscope: state.dyscopes()){ |
| | 39 | for(varValue: dyscope.varValues()){ |
| | 40 | reachableHeapObjects(varValue); |
| | 41 | } |
| | 42 | } |
| | 43 | return idMap; |
| | 44 | } |
| | 45 | |
| | 46 | //dfs |
| | 47 | void reachableHeapObjectsOfValue(varValue, visited, idMap){ |
| | 48 | if(varValue NOT pointer){ |
| | 49 | for(element: varValue.elements()){ |
| | 50 | reachableHeapObjects(varValue, visited, idMap); |
| | 51 | } |
| | 52 | }else if(varValue IS heap pointer){ |
| | 53 | object = dereference(varValue); |
| | 54 | |
| | 55 | if(!visited.contains(object)){ |
| | 56 | visited.add(object); |
| | 57 | idMap.put(object, idMap.size()); |
| | 58 | } |
| | 59 | }else{//other pointer |
| | 60 | reachableHeapObjects(dereference(varValue), visited, idMap){ |
| | 61 | } |
| | 62 | } |
| | 63 | }}} |
| | 64 | |
| | 65 | TBC |
