
Symbolically Computing Most-Precise Abstract Operations for Shape Analysis

Greta Yorsh (Tel Aviv University), Thomas Reps (University of Wisconsin), Mooly Sagiv (Tel Aviv University)

TACAS'04



Motivation

  • New approach to using symbolic techniques in abstract interpretation

    • for shape analysis

    • for other analyses

  • What does it mean to harness a decision procedure for use in static analysis?

    • what are the requirements?

    • what does it buy us?

Symbolically computing most-precise abstract operations for shape analysis - TACAS'04


What are the requirements?

(Diagram: three columns, Concrete, Formulas, Abstract. An abstract value a concretizes to a set of concrete structures γ(a); the requirement on the abstract domain is a formula γ̂(a), the symbolic concretization, that characterizes that set exactly.)

Notation, as in the paper: γ is concretization, γ̂(a) is the formula whose models are exactly γ(a), and α̂(φ) is the most-precise abstract value representing the models of a formula φ.

S ∈ γ(a) ⇔ S ⊧ γ̂(a)

Is γ(a) empty? ⇔ Is γ̂(a) satisfiable? (a question a theorem prover can answer)




What does it buy us?

  • Guarantee the most-precise result w.r.t. the abstraction

    • best transformer

    • other abstract operations

  • Modular reasoning

    • assume-guarantee reasoning

    • scalability



Assume-Guarantee Reasoning

(Diagram: assume[φ](a) on one side, assert[φ](a) on the other. The question behind assert is "Is γ̂(a) ⇒ φ valid?", again a query for the theorem prover.)

Analyzing foo against the specification of its callee bar:

    T bar();

    void foo() {
      T p;
      ...
      p = bar();
      ...
    }

Specifications: {prebar, postbar} for bar and {prefoo, postfoo} for foo. The body of foo is analyzed as a sequence of abstract values, starting from ⊤; the call to bar is replaced by its specification:

    <⊤>
    assume[prefoo];   <a1>
    ...
    assert[prebar];   <a2>
    -----------       (call to bar)
    assume[postbar];  <a3>
    ...
    assert[postfoo];  <a4>



The assume[φ](a) Operation

(Diagram: Concrete, Formulas and Abstract columns. The abstract value a corresponds to γ(a) in the Concrete column and to the formula γ̂(a) in the Formulas column; the models of φ that lie in γ(a), i.e. the models of γ̂(a) ⋀ φ, are abstracted back to obtain the result.)

assume[φ](a) = α̂(γ̂(a) ⋀ φ)



The abstraction operation α̂(φ)

(Diagram: a formula φ in the Formulas column; of the abstract values a1, a2 in the Abstract column whose concretizations cover every model of φ, α̂(φ) is the smallest.)

α̂(φ) = α({S : S ⊧ φ}), the least abstract value whose concretization contains all models of φ.



The idea behind α̂(φ)

(Diagram: the abstract value ans grows in the Abstract column while the theorem prover, working in the Formulas column, supplies one concrete model at a time.)

Start with ans = ⊥. Ask the prover whether φ ⋀ ¬γ̂(ans) is satisfiable. If it returns a model S, abstract S and join the result into ans. Repeat until the query is unsatisfiable: then every model of φ lies in γ(ans), and ans = α̂(φ).



Remainder of the talk

  • Shape analysis

    • Canonical abstraction

  • Algorithm for abstraction α̂ - example

  • Abstract operations using α̂

  • Further work




Shape Analysis

  • Static program analysis

  • Determine “shape invariants”

    • all possible memory configurations

  • Can be used to

    • Verify programs (partially)

    • Detect memory errors

    • Prove properties about dynamically allocated data

    • Detect logical errors

    • Code optimizations




Why is Shape Analysis Difficult?

  • Destructive updating through pointers

    • p->next = q

    • Produces complicated aliasing relationships

  • Dynamic memory allocation

    • No bound on the size of run-time data structures

  • Abstract domain of 3-valued structures with canonical abstraction [Sagiv, Reps, Wilhelm]




3-Valued Logical Structures

  • Relations take values in {0, 1, ½}

  • Kleene

    • 1: True

    • 0: False

    • ½: Unknown

  • A join semi-lattice: 0 ⊔ 1 = ½

(Lattice diagram: ½ at the top, 0 and 1 below it.)



Canonical Abstraction

(Figure: a concrete list of four nodes u1..u4 with x pointing to u1; every node satisfies c (lies on a cycle) and rx (reachable from x). Its canonical abstraction a has a node u1 carrying x, c, rx and a summary node u2 carrying c, rx that stands for u2..u4.)

γ̂(a) ≜
  ∃v1,v2: node_u1(v1) ⋀ node_u2(v2)
  ⋀ ∀w: node_u1(w) ⋁ node_u2(w)
  ⋀ ∀w1,w2: node_u1(w1) ⋀ node_u1(w2) ⇒ (w1 = w2) ⋀ ¬n(w1,w2)
  ⋀ ∀v: rx(v) ⇔ ∃v1: x(v1) ⋀ n*(v1,v)
  ⋀ ∀v: c(v) ⇔ ∃v1: n(v,v1) ⋀ n*(v1,v)
  ⋀ ∀v1,v2: x(v1) ⋀ x(v2) ⇒ v1 = v2
  ⋀ ∀v,v1,v2: n(v,v1) ⋀ n(v,v2) ⇒ v1 = v2

This is a formula of FOTC (first-order logic with transitive closure); n* is the reflexive transitive closure of n. The first three conjuncts say that every concrete node maps to u1 or u2 and that u1 is a single node without a self-edge; the next two define rx and c; the last two say that x is a single pointer and n is a function.



Example of α̂(φ): y == x->n

φ ≜ ∀v1: y(v1) ↔ ∃v2: x(v2) ⋀ n(v2, v1)

(Figure: Concrete, Formulas and Abstract columns. φ sits in the Formulas column; α̂(φ) in the Abstract column is the set ans of bounded structures whose concretization is exactly the models of φ: x points to u1, y points to the node uy reached by the n-edge of u1, and after uy there is either nothing or a summary node u2.)



Example - Materialization

y == x->n

(Figure: the query to the prover is "Is φ ⋀ ¬γ̂(a) satisfiable?" for the current abstract value a, in which x points to u1 and u2 is a summary node on which y is unknown. The prover returns a concrete list in which y holds on one of the nodes summarized by u2; abstracting that model materializes u2 into a new node uy with y(uy) = 1 and a remaining summary node u2 with y(u2) = 0. The two prover answers, y(u2) = 0 and y(u2) = 1, are the two cases that the final ans distinguishes.)



Abstract Operations

  • α̂(φ) – best abstract value that represents φ

  • What does it buy us?

  • assume[φ](a) = α̂(γ̂(a) ⋀ φ)

    • assume-guarantee reasoning

    • pre- and post-conditions specified by logical formulas

  • BT(t,a) = α̂(γ̂(extend(a)) ⋀ t)

    • best abstract transformer

    • parametric abstractions

  • meet(a1, a2) = α̂(γ̂(a1) ⋀ γ̂(a2))

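As an added illustration (my own toy code, not code from the talk or from the authors' SPASS-based experiments), the Python below models the α̂ loop of the "Example of α̂" and "Materialization" slides and the assume/assert operations of this slide, for canonical abstraction of singly linked lists. Everything concrete here is assumed: pointer variables x and y, one field n, abstraction predicates {x, y, c, rx}, and an exhaustive search over constructed acyclic lists of bounded length standing in for the theorem prover, so each "query" is a finite enumeration rather than a SPASS call. Membership S ∈ γ(a) is decided by checking that the canonical abstraction of S embeds into a, which is sound here because every abstraction predicate is definite in the bounded structures produced. For y == x->n the loop returns three structures (x alone with y null; x → uy; x → uy → summary u2) after five prover queries, the last one unsatisfiable.

```python
"""Added toy model (not the paper's code): alpha_hat for canonical abstraction
of singly linked lists.  Assumed: variables x, y; one field n; abstraction
predicates {x, y, c, rx}; exhaustive search over bounded lists as the prover."""
from fractions import Fraction

HALF = Fraction(1, 2)                  # Kleene's "unknown"
ABS_PREDS = ("x", "y", "c", "rx")      # unary abstraction predicates

def join(a, b):
    """Kleene join on {0, 1, 1/2}: 0 join 1 = 1/2."""
    return a if a == b else HALF

def leq(a, b):
    """Information order: a definite value is below 1/2."""
    return a == b or b == HALF

class Concrete:
    """2-valued structure: nodes 0..size-1, x/y a node index or None, nxt = n."""
    def __init__(self, size, x, y, nxt):
        self.nodes, self.x, self.y, self.nxt = list(range(size)), x, y, nxt

    def reach(self, u):  # nodes reachable from u by one or more n steps
        seen, v = set(), self.nxt.get(u)
        while v is not None and v not in seen:
            seen.add(v)
            v = self.nxt.get(v)
        return seen

    def unary(self, u):
        """rx = reachable from x, c = on a cycle, as gamma_hat(a) defines them."""
        rx = self.x is not None and (u == self.x or u in self.reach(self.x))
        return {"x": int(u == self.x), "y": int(u == self.y),
                "c": int(u in self.reach(u)), "rx": int(rx)}

class Abstract:
    """Bounded 3-valued structure: node names = their definite abstraction
    predicates, sm = summary bit, n = 3-valued edge relation."""
    def __init__(self, names, sm, n):
        self.names, self.sm, self.n = names, sm, n

    def below(self, other):  # embedding order for bounded structures
        return (set(self.names) == set(other.names)
                and all(leq(self.sm[u], other.sm[u]) for u in self.names)
                and all(leq(v, other.n[k]) for k, v in self.n.items()))

    def contains(self, S):
        """S in gamma(a)?  Under canonical abstraction: beta(S) embeds into a."""
        return beta(S).below(self)

def beta(S):
    """Canonical abstraction: merge nodes that agree on ABS_PREDS, join edges."""
    groups = {}
    for u in S.nodes:
        groups.setdefault(tuple(p for p in ABS_PREDS if S.unary(u)[p]), []).append(u)
    names = sorted(groups)
    sm = {a: (HALF if len(groups[a]) > 1 else 0) for a in names}
    n = {}
    for a in names:
        for b in names:
            val = int(S.nxt.get(groups[a][0]) == groups[b][0])
            for u in groups[a]:
                for v in groups[b]:
                    val = join(val, int(S.nxt.get(u) == v))
            n[(a, b)] = val
    return Abstract(names, sm, n)

def lists(max_len):
    """Constructed inputs: acyclic lists headed by x, with y anywhere or null."""
    for size in range(1, max_len + 1):
        nxt = {i: (i + 1 if i + 1 < size else None) for i in range(size)}
        for y in [None] + list(range(size)):
            yield Concrete(size, 0, y, nxt)

def find_model(phi, ans, max_len):
    """Stand-in for the prover query: is  phi and not gamma_hat(ans)  satisfiable?"""
    return next((S for S in lists(max_len)
                 if phi(S) and not any(a.contains(S) for a in ans)), None)

def alpha_hat(phi, max_len=4):
    """ans := bottom; while a model of phi outside gamma(ans) exists, abstract it
    and join it in.  Returns (ans as a set of maximal structures, query count)."""
    ans, queries = [], 0
    while True:
        queries += 1
        S = find_model(phi, ans, max_len)
        if S is None:
            return ans, queries
        b = beta(S)
        ans = [a for a in ans if not a.below(b)] + [b]

def assume_op(phi, a, max_len=4):
    """assume[phi](a) = alpha_hat(gamma_hat(a) and phi)."""
    return alpha_hat(lambda S: phi(S) and any(s.contains(S) for s in a), max_len)[0]

def assert_op(phi, a, max_len=4):
    """assert[phi](a): is gamma_hat(a) => phi valid?  True iff no counter-model."""
    counter = find_model(lambda S: any(s.contains(S) for s in a) and not phi(S), [], max_len)
    return counter is None

def y_is_x_next(S):
    """phi of the talk (y == x->n): forall v1. y(v1) <-> exists v2. x(v2) and n(v2, v1)."""
    return all((v == S.y) == (S.x is not None and S.nxt.get(S.x) == v) for v in S.nodes)
```

The join that the 3-valued slide describes (0 ⊔ 1 = ½) is what turns the edge from uy into the summary node into ½ when the list is long enough for two nodes to collapse into u2; that is the materialization case from the previous slide seen from the other direction. Replacing `lists` with a real prover call is the only change needed to turn `find_model` into the query the talk describes, and the `queries` counter is where the SPASS timeout concern of the next slide shows up.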



SPASS Experience

  • Handles arbitrary FO formulas

  • Can diverge

    • use timeout

  • Converges in our examples

    • Captures older shape analysis algorithms

  • How to handle FOTC?

    • Overapproximations lead to too many structures




Decidable Transitive-closure Logic

  • Neil Immerman (UMASS), Alexander Rabinovich (TAU)

  • ∃∀(TC, f) is a subset of FOTC

    • exist-forall form

    • arbitrary unary relations

    • single function f

  • Decidable for satisfiability

    • NEXPTIME-complete

  • Any “reasonable” extension is undecidable

  • Rather limited




Simulation Technique – CAV’04

  • Neil Immerman (UMASS), Alexander Rabinovich (TAU)

  • Simulate realistic data structures using decidable logic over tractable structures

    • Singly linked list - shared/cyclic/nested

    • Doubly linked list

    • Trees

  • Preserved under mutations

  • Abstract interpretation, Hoare-style verification




Further Work

  • Implementation

  • Decidable logic for shape analysis

  • Assume-guarantee of “real” programs

    • case study: Java Collection

    • specification language

    • write procedure specifications

  • Extend to other domains

    • Infinite-height

gretay

www.cs.tau.ac.il/~gretay


