Symbolic Implementation of the Best Transformer
Symbolically Computing Most-Precise Abstract Operations for Shape Analysis
Greta Yorsh (Tel Aviv University), Thomas Reps (University of Wisconsin), Mooly Sagiv (Tel Aviv University)
TACAS’04
Motivation
New approach to using symbolic techniques in abstract interpretation
– for shape analysis
– for other analyses
What does it mean to harness a decision procedure for use in static analysis?
– what are the requirements?
– what does it buy us?
Symbolically computing most-precise abstract operations for shape analysis - TACAS'04
April 2004
What are the requirements?
S ∈ γ(a) ⇔ S ⊧ γ̂(a)
Is γ(a) empty? ⇔ Is γ̂(a) satisfiable?
(figure: the abstract value a in Abstract, its symbolic concretization γ̂(a) in Formulas, and its concretization γ(a) in Concrete)
What does it buy us?
Guarantee the most-precise result w.r.t. the abstraction
– best transformer
– other abstract operations
Modular reasoning
– assume-guarantee reasoning
– scalability
Assume-Guarantee Reasoning
Is γ̂(a) ⇒ φ valid?

    {prebar, postbar}
    T bar();

    {prefoo, postfoo}
    void foo() {
      assume[prefoo];
      T p;
      ...
      assert[prebar];
      p = bar();
      assume[postbar];
      ...
      assert[postfoo];
    }

(figure: abstract values ⊤, a1, a2, a3, a4 flow along the body of foo; assert[φ](a) checks a against the callee's precondition and assume[φ](a) incorporates the callee's postcondition)
The assume[φ](a) Operation
assume[φ](a) = α̂(γ̂(a) ⋀ φ)
(figure: a in Abstract; γ̂(a) and φ in Formulas; γ(a) in Concrete)
The abstraction operation α̂(φ)
(figure: the formula φ in Formulas is mapped by α̂ into Abstract; abstract values a1 and a2 shown with their concretizations in Concrete)
The idea behind α̂(φ)
(figure: the abstract lattice below ⊤, with the intermediate value ans and the result a1; φ in Formulas, its models in Concrete)
Remainder of the talk
Shape analysis
– Canonical abstraction
γ̂ – example
Algorithm for abstraction α̂
Abstract operations using α̂
Further work
Shape Analysis
Static program analysis
Determine “shape invariants”
– all possible memory configurations
Can be used to
– Verify programs (partially)
– Detect memory errors
– Prove properties about dynamically allocated data
– Detect logical errors
– Code optimizations
Why is Shape Analysis Difficult?
Destructive updating through pointers
– p->next = q
– Produces complicated aliasing relationships
Dynamic memory allocation
– No bound on the size of run-time data structures
Abstract domain of 3-valued structures with canonical abstraction [Sagiv, Reps, Wilhelm]
3-Valued Logical Structures
Relation meaning over {0, 1, ½} (Kleene)
– 1: True
– 0: False
– ½: Unknown
A join semi-lattice: 0 ⊔ 1 = ½
Canonical Abstraction
(figure: a concrete list u1 → u2 → u3 → u4 with x pointing to u1, nodes annotated with the predicates c and rx; its canonical abstraction keeps u1, pointed to by x, and merges u2, u3, u4 into one summary node u2)
γ̂(a) ≜
  ∃v1,v2: node_u1(v1) ⋀ node_u2(v2)
  ⋀ ∀w: node_u1(w) ⋁ node_u2(w)
  ⋀ ∀w1,w2: node_u1(w1) ⋀ node_u1(w2) ⇒ (w1 = w2) ⋀ ¬n(w1,w2)
  ⋀ ∀v: rx(v) ⇔ ∃v1: x(v1) ⋀ n*(v1,v)
  ⋀ ∀v: c(v) ⇔ ∃v1: n(v,v1) ⋀ n*(v1,v)
  ⋀ ∀v1,v2: x(v1) ⋀ x(v2) ⇒ v1 = v2
  ⋀ ∀v,v1,v2: n(v,v1) ⋀ n(v,v2) ⇒ v1 = v2
(a formula of FO^TC, first-order logic with transitive closure; n* is the reflexive transitive closure of n)
Example of α̂(φ): y == x->n
φ ≜ ∀v1: y(v1) ↔ ∃v2: x(v2) ⋀ n(v2, v1)
(figure: starting from ⊤, ans is refined to the 3-valued structures that satisfy φ; in the result x points to u1, y points to the node uy that u1's n-edge leads to, and u2 summarizes the remaining nodes; Formulas, Concrete and Abstract shown as in the previous slides)
Example – Materialization
y == x->n
Is γ̂(a) satisfiable?
(figure: a has x pointing to u1 and a summary node u2 on which y is unknown; the models split on y(u2) = 0 and y(u2) = 1)
materialization: u2 ↦ uy, u2 with y(uy) = 1, y(u2) = 0
(figure: the resulting structure x → u1 → uy → u2, with y pointing to uy)
Abstract Operations
α̂(φ)
– best abstract value that represents φ
What does it buy us?
assume[φ](a) = α̂(γ̂(a) ⋀ φ)
– assume-guarantee reasoning
– pre- and post-conditions specified by logical formulas
BT(t, a) = α̂(γ̂(extend(a)) ⋀ t̂)
– best abstract transformer
– parametric abstractions
meet(a1, a2) = α̂(γ̂(a1) ⋀ γ̂(a2))
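The following is an added worked example, not code from the paper or from its TVLA implementation. It implements, on a toy shape domain, the pieces the slides above describe: Kleene's 3-valued join from the 3-valued structures slide, canonical abstraction β from the Canonical Abstraction slide, the membership test S ∈ γ(a) ⇔ S ⊧ γ̂(a) from the requirements slide, the α̂ loop that repeatedly asks a decision procedure for a model of φ ⋀ ¬γ̂(ans), and assume[φ](a) and assert[φ](a) built on top of it, run on the y == x->n example. The domain (acyclic singly linked lists with pointer variables x and y as the only abstraction predicates), the brute-force search over bounded-length lists that stands in for the prover, and every function name are this example's own assumptions; the paper uses SPASS on the actual first-order formulas.

```python
"""Added example (not the paper's code): canonical abstraction of linked lists into
3-valued structures, and alpha_hat / assume / assert computed by repeatedly asking a
decision procedure for a model.  The prover is stood in for by exhaustive search
over lists of bounded length (this example's assumption; the paper uses SPASS)."""
from functools import reduce

HALF = 0.5  # Kleene's third truth value, "unknown" (1/2)

def kleene_join(a, b):
    """Join in the information order 0 ⊑ ½ and 1 ⊑ ½: agreeing values survive, else ½."""
    return a if a == b else HALF

def leq(v, w):
    """Information order: v ⊑ w iff v == w or w is unknown."""
    return v == w or w == HALF

class Concrete:
    """2-valued structure: an acyclic singly linked list 0 -> 1 -> ... -> size-1
    with pointer variables x and y, each a node index or None (null)."""
    def __init__(self, size, x, y):
        self.nodes, self.x, self.y = range(size), x, y

    def n(self, u, v):     # binary relation n(u, v): v is the successor of u
        return int(v == u + 1)

    def name(self, u):     # canonical name of u: values of the abstraction predicates x, y
        return (int(self.x == u), int(self.y == u))

def universe(max_size):
    """Every well-formed list up to max_size: the models our toy prover can return."""
    return [Concrete(size, x, y) for size in range(max_size + 1)
            for x in [None, *range(size)] for y in [None, *range(size)]]

class Abstract:
    """Bounded 3-valued structure whose nodes are canonical names."""
    def __init__(self, sm, n):
        self.sm, self.n = sm, n  # sm: name -> 0/HALF (summary node?); n: (name, name) -> 0/1/HALF
        self.nodes = frozenset(sm)
        self._key = (tuple(sorted(sm.items())), tuple(sorted(n.items())))

    def __eq__(self, other):
        return self._key == other._key

    def __hash__(self):
        return hash(self._key)

def beta(S):
    """Canonical abstraction: merge nodes with equal names; a merged node becomes a
    summary node (sm = ½) and n takes the Kleene join over all merged pairs."""
    groups = {}
    for u in S.nodes:
        groups.setdefault(S.name(u), []).append(u)
    sm = {a: HALF if len(g) > 1 else 0 for a, g in groups.items()}
    n = {(a, b): reduce(kleene_join, (S.n(u, v) for u in ga for v in gb))
         for a, ga in groups.items() for b, gb in groups.items()}
    return Abstract(sm, n)

def in_gamma(S, A):
    """S ∈ γ(A), i.e. S ⊧ γ̂(A).  Every abstraction predicate is definite in A, so the
    only candidate embedding is the canonical map: the check is β(S) ⊑ A pointwise."""
    B = beta(S)
    return (B.nodes == A.nodes
            and all(leq(B.sm[w], A.sm[w]) for w in A.nodes)
            and all(leq(B.n[e], A.n[e]) for e in A.n))

def alpha_hat(phi, models):
    """α̂(φ) over sets of 3-valued structures: while φ ∧ ¬γ̂(ans) has a model, add the
    canonical abstraction of that model to ans.  `phi` is a Python predicate standing
    in for the logical formula; `models` is the finite universe the toy prover searches."""
    ans = set()
    while True:
        witness = next((S for S in models
                        if phi(S) and not any(in_gamma(S, A) for A in ans)), None)
        if witness is None:
            return frozenset(ans)
        ans.add(beta(witness))

def assume(phi, a, models):
    """assume[φ](a) = α̂(γ̂(a) ∧ φ)."""
    return alpha_hat(lambda S: phi(S) and any(in_gamma(S, A) for A in a), models)

def assert_holds(phi, a, models):
    """assert[φ](a): is γ̂(a) ⇒ φ valid, i.e. is γ̂(a) ∧ ¬φ unsatisfiable?"""
    return not any(any(in_gamma(S, A) for A in a) and not phi(S) for S in models)

def y_is_x_next(S):
    """The slide's φ for y == x->n:  ∀v1: y(v1) ↔ ∃v2: x(v2) ∧ n(v2, v1)."""
    return all((S.y == v1) == any(S.x == v2 and S.n(v2, v1) for v2 in S.nodes)
               for v1 in S.nodes)

if __name__ == "__main__":
    U = universe(4)
    a = alpha_hat(lambda S: S.x == 0, U)   # x points at the head, y unconstrained
    after = assume(y_is_x_next, a, U)      # materializes x's successor and binds y to it
    for A in sorted(after, key=lambda A: len(A.nodes)):
        print(sorted(A.nodes), "summary nodes:", [w for w in A.nodes if A.sm[w] == HALF])
    print("assert[y == x->n] after assume:", assert_holds(y_is_x_next, after, U))
```

Because the loop adds β(S) for whichever model the prover returns first, the set it produces may contain a structure that embeds into another one (here the three-node structure for y == x->n alongside the one whose tail is a summary node); both sets denote exactly the same concrete lists, which is the property worth checking rather than the number of structures. Replacing `universe` with a real prover that returns a model of γ̂(ans) ⋀ ¬φ, as the paper does with SPASS, requires no change to `alpha_hat`.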
SPASS Experience
Handles arbitrary FO formulas
Can diverge
– use timeout
Converges in our examples
– Captures older shape analysis algorithms
How to handle FO^TC?
– Overapproximations lead to too many structures
Decidable Transitive-closure Logic
(with Neil Immerman (UMASS) and Alexander Rabinovich (TAU))
∃∀(TC, f) is a subset of FO^TC
– exist-forall form
– arbitrary unary relations
– single function f
Decidable for satisfiability
– NEXPTIME-complete
Rather limited
– any “reasonable” extension is undecidable
Simulation Technique – CAV’04
(with Neil Immerman (UMASS) and Alexander Rabinovich (TAU))
Simulate realistic data structures using decidable logic over tractable structures
– Singly linked list – shared/cyclic/nested
– Doubly linked list
– Trees
Preserved under mutations
Abstract interpretation, Hoare-style verification
Further Work
Implementation
Decidable logic for shape analysis
Assume-guarantee of “real” programs
– case study: Java Collection
– specification language
– write procedure specifications
Extend to other domains
– Infinite-height
gretay
www.cs.tau.ac.il/~gretay