Symbolically computing most precise abstract operations for shape analysis

Symbolically Computing Most-Precise Abstract Operations for Shape Analysis

Greta Yorsh (Tel Aviv University), Thomas Reps (University of Wisconsin), Mooly Sagiv (Tel Aviv University)

TACAS’04


Motivation

  • New approach to using symbolic techniques in abstract interpretation

    • for shape analysis

    • for other analyses

  • What does it mean to harness a decision procedure for use in static analysis?

    • what are the requirements ?

    • what does it buy us ?

Symbolically computing most-precise abstract operations for shape analysis - TACAS'04


What are the requirements ?

[Diagram: three columns, Concrete / Abstract / Formulas. An abstract value a on the abstract side has a concretization γ(a) on the concrete side and a formula γ̂(a) on the formula side, with S ∈ γ(a) ⇔ S ⊧ γ̂(a). The concrete question "Is γ(a) empty?" becomes the formula question "Is γ̂(a) satisfiable?"]



What does it buy us ?

  • Guarantee the most-precise result w.r.t. the abstraction

    • best transformer

    • other abstract operations

  • Modular reasoning

    • assume-guarantee reasoning

    • scalability



Assume-Guarantee Reasoning

Procedure specifications are pre- and post-conditions: {prebar, postbar} for bar, {prefoo, postfoo} for foo.

  T bar();

  void foo() {
    T p;
    ...
    p = bar();
    ...
  }

Checking foo against the specification of bar, with the abstract value at each program point in angle brackets:

  <⊤>
  assume[prefoo];     <a1>
  assert[prebar];     <a2>
  -----------
  assume[postbar];    <a3>
  assert[postfoo];    <a4>

assert[φ](a): is γ̂(a) ⇒ φ valid?

assume[φ](a): ?


assume[](a)

^

^

( (a) )

X

^

(a)

^

(a)

X



The assume[](a) Operation

= ((a))

a

Concrete

Formulas

Abstract

Symbolically computing most-precise abstract operations for shape analysis - TACAS'04


The abstraction operation α̂(φ)

[Diagram: Concrete / Abstract / Formulas. φ on the formula side; its models on the concrete side; abstract values a1 and a2 on the abstract side that both represent those models, of which α̂(φ) is the most precise one.]


The idea behind α̂(φ)

[Diagram: Concrete / Abstract / Formulas. φ on the formula side; ans on the abstract side, built up from a1, ...: each step abstracts a concrete model of φ that ans does not yet represent and joins it into ans, until φ ⋀ ¬γ̂(ans) has no model.]


Remainder of the talk

  • Shape analysis

    • Canonical abstraction

  • Algorithm for abstraction α̂ - example

  • Abstract operations using α̂

  • Further work


Shape Analysis

  • Static program analysis

  • Determine “shape invariants”

    • all possible memory configurations

  • Can be used to

    • Verify programs (partially)

    • Detect memory errors

    • Prove properties about dynamically allocated data

    • Detect logical errors

    • Code optimizations



Why is Shape Analysis Difficult?

  • Destructive updating through pointers

    • pnext = q

    • Produces complicated aliasing relationships

  • Dynamic memory allocation

    • No bound on the size of run-time data structures

  • Abstract domain of 3-valued structures with canonical abstraction [Sagiv, Reps, Wilhelm]



3-Valued Logical Structures

  • Relation meaning over {0, 1, ½}

  • Kleene

    • 1: True

    • 0: False

    • ½ : Unknown

  • A join semi-lattice: 0 ⊔ 1 = ½

[Hasse diagram of the semi-lattice: ½ above both 0 and 1]


Canonical Abstraction

[Diagram: a concrete cyclic list u1 → u2 → u3 → u4, x on u1, every node labelled c, rx; its canonical abstraction, a 3-valued structure with two nodes, u1 (x, c, rx) and the summary node u2 (c, rx).]

γ̂(a) ≜
  ∃v1,v2: node_u1(v1) ⋀ node_u2(v2)
  ⋀ ∀w: node_u1(w) ⋁ node_u2(w)
  ⋀ ∀w1,w2: node_u1(w1) ⋀ node_u1(w2) ⇒ (w1 = w2) ⋀ ¬n(w1,w2)
  ⋀ ∀v: rx(v) ⇔ ∃v1: x(v1) ⋀ n*(v1,v)
  ⋀ ∀v: c(v) ⇔ ∃v1: n(v,v1) ⋀ n*(v1,v)
  ⋀ ∀v1,v2: x(v1) ⋀ x(v2) ⇒ v1 = v2
  ⋀ ∀v,v1,v2: n(v,v1) ⋀ n(v,v2) ⇒ v1 = v2

The formula is in FOTC (first-order logic with transitive closure); n* is the reflexive transitive closure of n.


Example of α̂(φ): y == x->n

φ ≜ ∀v1: y(v1) ↔ ∃v2: x(v2) ⋀ n(v2, v1)

[Diagram: Concrete / Abstract / Formulas. φ on the formula side; on the abstract side, the 3-valued structures accumulated in ans, over the nodes u1 (x), u2 and a materialized node uy carrying y.]


Example - Materialization: y == x->n

Is γ̂(a) satisfiable?

[Diagram: starting from the structure with x on u1 followed by the summary node u2, the query returns a model in which y points into u2. The summary node is materialized: u2 becomes uy, u2 with y(uy) = 1 and y(u2) = 0. The two definite cases for the original u2, y(u2) = 0 and y(u2) = 1, are shown beside it.]


Abstract Operations

  • α̂(φ) – best abstract value that represents φ

  • What does it buy us ?

  • assume[φ](a) = α̂( γ̂(a) ⋀ φ )

    • assume-guarantee reasoning

    • pre- and post-conditions specified by logical formulas

  • BT(t,a) = α̂( γ̂(extend(a)) ⋀ t )

    • best abstract transformer

    • parametric abstractions

  • meet(a1, a2) = α̂( γ̂(a1) ⋀ γ̂(a2) )
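The α̂ loop, the assume[φ](a) operation and the assert[φ](a) validity check from the slides above, as an added Python example; it is not part of the presentation or the authors' implementation. It assumes a concrete universe of acyclic singly linked lists with two pointer variables x and y, abstraction predicates x, y and rx only, and a bounded enumeration of concrete structures in place of a theorem prover such as SPASS, so "unsatisfiable" here means "no model with at most max_len nodes". The names beta, embeds, find_model and phi_y_is_x_next are this example's own.

```python
"""Added example (not the paper's code): canonical abstraction of acyclic singly
linked lists plus the alpha-hat loop of the slides, with a bounded brute-force
enumerator standing in for the theorem prover. Abstraction predicates are an
assumption of this example: x(v), y(v), rx(v) (reachable from x via n*)."""
from functools import reduce
from itertools import product

HALF = 0.5  # Kleene's 1/2 ("unknown")


def kleene_join(a, b):
    """Join in the semi-lattice {0, 1, 1/2}: equal values stay, 0 ⊔ 1 = 1/2."""
    return a if a == b else HALF


# A concrete structure is (n, x, y): nodes 0..n-1 with n-edges i -> i+1 only;
# x and y are pointer variables holding a node index or None (null).
def next_edge(S, u, v):
    return int(v == u + 1)


def name(S, v):
    """Canonical name of node v: its values under the abstraction predicates (x, y, rx)."""
    n, x, y = S
    return (int(v == x), int(v == y), int(x is not None and v >= x))


def beta(S):
    """Canonical abstraction: nodes with equal names merge; n-edge values are joined."""
    classes = {}
    for v in range(S[0]):
        classes.setdefault(name(S, v), []).append(v)
    nodes = {nm: len(vs) > 1 for nm, vs in classes.items()}  # name -> is a summary node
    edges = {(a, b): reduce(kleene_join, (next_edge(S, u, v) for u in us for v in vs))
             for (a, us), (b, vs) in product(classes.items(), repeat=2)}
    return (nodes, edges)


def embeds(S, A):
    """S ∈ γ(A). Abstract nodes are named by exact unary values, so the only
    candidate embedding is v ↦ name(v); it must be surjective and tight."""
    nodes, edges = A
    names = [name(S, v) for v in range(S[0])]
    if set(names) != set(nodes):  # surjective, and every concrete node has a target
        return False
    if any(not summary and names.count(nm) > 1 for nm, summary in nodes.items()):
        return False  # only a summary node may absorb several concrete nodes
    return all(edges[(names[u], names[v])] in (HALF, next_edge(S, u, v))
               for u, v in product(range(S[0]), repeat=2))


def find_model(pred, max_len):
    """Stand-in decision procedure: enumerate concrete structures up to max_len nodes."""
    for n in range(1, max_len + 1):
        for x, y in product([None] + list(range(n)), repeat=2):
            if pred((n, x, y)):
                return (n, x, y)
    return None  # "unsatisfiable" within the bound


def alpha_hat(phi, max_len=6):
    """α̂(φ): ask for a model of φ ⋀ ¬γ̂(ans), abstract it, join it into ans; repeat."""
    ans = []  # an abstract value is a set of 3-valued structures
    while True:
        S = find_model(lambda S: phi(S) and not any(embeds(S, A) for A in ans), max_len)
        if S is None:
            return ans
        ans.append(beta(S))


def assume(phi, a, max_len=6):
    """assume[φ](a) = α̂(γ̂(a) ⋀ φ)."""
    return alpha_hat(lambda S: phi(S) and any(embeds(S, A) for A in a), max_len)


def assert_holds(phi, a, max_len=6):
    """assert[φ](a): is γ̂(a) ⇒ φ valid, i.e. does γ̂(a) ⋀ ¬φ have no model?"""
    return find_model(lambda S: any(embeds(S, A) for A in a) and not phi(S), max_len) is None


def phi_y_is_x_next(S):
    """φ ≜ ∀v1: y(v1) ↔ ∃v2: x(v2) ⋀ n(v2, v1), the slides' 'y == x->n'."""
    n, x, y = S
    return all((v1 == y) == any(v2 == x and next_edge(S, v2, v1) for v2 in range(n))
               for v1 in range(n))


if __name__ == "__main__":
    for nodes, edges in alpha_hat(phi_y_is_x_next):
        print({nm: "summary" if s else "node" for nm, s in nodes.items()},
              {e: v for e, v in edges.items() if v})
```

Run stand-alone it prints the 3-valued structures α̂(φ) accumulates for y == x->n: x and y both null, x on the last node with y null, and x on some node with y on its successor, each with the nodes before x and after y absent, a single node, or a summary node. Because the enumerator visits small structures first, a structure with a non-summary node is added before the coarser structure that would also embed it; both orders are most precise up to embedding equivalence. Termination relies on the finite-height domain and on the bounded enumerator always answering, which is the point at which the SPASS slide notes the prover can diverge and needs a timeout.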


SPASS Experience

  • Handles arbitrary FO formulas

  • Can diverge

    • use timeout

  • Converges in our examples

    • Captures older shape analysis algorithms

  • How to handle FOTC ?

    • Overapproximations lead to too many structures



Decidable Transitive-closure Logic

  • Neil Immerman (UMASS), Alexander Rabinovich (TAU)

  • ∃∀(TC, f) is a subset of FOTC

    • exist-forall form

    • arbitrary unary relations

    • single function f

  • Decidable for satisfiability

    • NEXPTIME-complete

  • Any “reasonable” extension is undecidable

  • Rather limited



Simulation Technique – CAV’04

  • Neil Immerman (UMASS), Alexander Rabinovich (TAU)

  • Simulate realistic data structures using decidable logic over tractable structures

    • Singly linked list - shared/cyclic/nested

    • Doubly linked list

    • Trees

  • Preserved under mutations

  • Abstract interpretation, Hoare-style verification



Further Work

  • Implementation

  • Decidable logic for shape analysis

  • Assume-guarantee of “real” programs

    • case study: Java Collection

    • specification language

    • write procedure specifications

  • Extend to other domains

    • Infinite-height

gretay

www.cs.tau.ac.il/~gretay


