
Symbolic Characterization of Heap Abstractions

This paper presents a symbolic characterization of heap abstractions, focusing on automatically generating loop invariants in first-order logic and separation logic. It discusses the use of decision procedures and extracting information in the most precise way.



Presentation Transcript


  1. www.math.tau.ac.il/~gretay Symbolic Characterization of Heap Abstractions. Greta Yorsh. Joint work with Thomas Reps, Mooly Sagiv, Reinhard Wilhelm

  2. Canonical Abstraction: An embedding whose result is of bounded size [figure: nodes u1 u2 u3 u4 collapsed into u1 and summary node u234, x pointing to u1] Dagstuhl Seminar

  3. Motivation • Automatically generate loop invariants in some logic • First order logic • Separation logic (BI) • …

  4. Generating Loop Invariants [figure: abstract structures S1, S2, S3, … with pointers x, y, t and NULL] List reverse(List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x->next; y->next = t; } return y; }

  5. Motivation • Automatically generate loop invariants in some logic • First order logic • Separation logic (BI) • … • Employ decision procedures • Extract information in the most precise way • More precise than the compositional way

  6. Motivation – Extracting Information • Does the program condition x == NULL evaluate to TRUE in all stores that arise at program point p? • YES • p: if (x == null) then S; else P; • p: S;

  7. Is there heap sharing? [figure: x points to u1, summary node u2, rx on both nodes] is is compositional: 1 1/2 1/2 supervaluational: 0 1/2  = v1,v2,v: n(v1,v)  n(v2,v)  v1  v2

  8. Computing Most Precise Value • if (S) is valid return 1 • if (S) is valid return 0 • otherwise return ½

  9. Why should you be interested? • Automatically generate loop invariants in some logic • First order logic • Separation logic (BI) • … • Employ decision procedures • Extract information in the most precise way • More precise than the compositional way • Compute the best (induced) transformer

  10. Symbolic Operations: Three Value-Spaces • Abstract Values • Concrete Values • Formulas

  11. Why should you be interested? • Automatically generate loop invariants in some logic • First order logic • Separation logic (BI) • … • Employ decision procedures • Extract information in the most precise way • More precise than the compositional way • Compute the best (induced) transformer • Assume-guarantee reasoning

  12. Why should you be interested? • Automatically generate loop invariants in some logic • First order logic • Separation logic (BI) • … • Employ decision procedures • Extract information in the most precise way • More precise than the compositional way • Compute the best (induced) transformer • Assume-guarantee reasoning • Expressive power of 3-valued abstraction

  13. Expressive Power [figure: SO formulas, NP formulas, 3-valued structures, FO+TC formulas, Canonical abstraction, Quantifier free formulas, Predicate abstraction]

  14. Outline • The problem • Characterizing concretization with an FO formula • Negative result • Simplifying assumptions • Generating FO+TC formula • Loop invariants • Supervaluation • NP formula • Conclusion

  15. Characterizing Concretizations [figure: Concrete Domain, Abstract Domain, Formulas]

  16. Characterizing Concretizations [figure: Concrete Domain, Abstract Domain, Formulas; structures S1, S2; (S1), store (S1)]

  17. Quiz [figure: nodes u1 u2 u3]

  18. Negative Result [figure: nodes u1 u2 u3] • 3-colorable graphs with at least 3 nodes • 3-colorability is NP-complete • NP computation cannot be expressed with a first-order formula [Courcelle] • There exists a 3-valued structure that can NOT be characterized with a first-order formula

  19. FO Identifiable Nodes [figure: nodes u1 u2 u3]

  20. FO Identifiable Nodes [figure: nodes u1 u2 u3]

  21. FO Identifiable Nodes [figure: x points to u1, summary node u2, rx on both; concrete nodes l1 l2 l3 l4] nodeu1s(w) nodeu2s(w) nodeu2s(w) nodeu2s(w) nodeu1s(w) nodeu2s(w)

  22. Generating nodeu(w) formula [figure: x points to u1, summary node u2, rx on both; concrete nodes l1 l2 l3 l4] nodeu1s(w) = x(w)  rx(w)  y(w)  ry(w) nodeu2s(w) = x(w)  rx(w)  y(w)  ry(w)

  23. Generating FO formula [figure: x points to u1, summary node u2, rx on both] • (S) = “onto”  “total”  “predicate embedding”  “integrity rules”

  24. Supervaluation

  25. Supervaluational Semantics • value of  on S is a summary of the values of  on the stores  (S) •  is true for all stores  (S): TRUE •  is false for all stores  (S): FALSE •  is true for some stores  (S) and false for others: UNKNOWN • Related work [B. van Fraassen 66] [Blamey 02] [Bruns, Godefroid 00] [Reps, Loginov, Sagiv 02]

  26. Supervaluation Semantics is NOT Constructive • 1 if store  for all store  (S) • 0 if store  for all store  (S) • ½ otherwise
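Slides 7, 8 and 26 contrast compositional (Kleene) evaluation on the 3-valued structure with supervaluation, which returns 1 or 0 only when the formula holds (or fails) in every store of the concretization and ½ otherwise. The block below is an added example, not code from the talk or from TVLA: it encodes an assumed reading of the slide-7 structure (x points to u1, u2 is a summary node, the sharing predicate "is" is 0 on both nodes) and reads the sharing formula as ∃v1,v2,v: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2; the theorem-prover query on the characteristic formula is replaced by a brute-force enumeration of stores of bounded size that embed into the structure, which is an assumption of this example, not the paper's method.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)

# Constructed 3-valued structure (assumed reading of slide 7): x points to u1,
# u2 is a summary node, edges u1->u2 and u2->u2 are 1/2, "is" (shared) is 0.
ABS_NODES = ("u1", "u2")
SUMMARY = {"u1": False, "u2": True}
ABS_X = {"u1": Fraction(1), "u2": Fraction(0)}
ABS_IS = {"u1": Fraction(0), "u2": Fraction(0)}
ABS_N = {("u1", "u1"): Fraction(0), ("u1", "u2"): HALF,
         ("u2", "u1"): Fraction(0), ("u2", "u2"): HALF}

def abs_eq(a, b):
    """3-valued equality: a summary node may stand for several distinct nodes."""
    return (HALF if SUMMARY[a] else Fraction(1)) if a == b else Fraction(0)

def sharing_compositional():
    """Kleene evaluation of phi = exists v1,v2,v: n(v1,v) & n(v2,v) & v1 != v2 on S."""
    return max(min(ABS_N[v1, v], ABS_N[v2, v], 1 - abs_eq(v1, v2))
               for v1, v2, v in product(ABS_NODES, repeat=3))

def shared(nxt, c):
    """Concrete 'is': node c has two distinct n-predecessors (nxt maps node -> next)."""
    return sum(1 for d in nxt if nxt[d] == c) >= 2

def embeds(nxt, f):
    """Concrete store (x -> node 0) embeds into S via the onto node map f."""
    if set(f.values()) != set(ABS_NODES):
        return False
    if any(not SUMMARY[a] and list(f.values()).count(a) != 1 for a in ABS_NODES):
        return False
    def ok(abs_val, conc):  # concrete value must be covered by the abstract one
        return abs_val == HALF or abs_val == int(conc)
    return all(ok(ABS_X[f[c]], c == 0) and ok(ABS_IS[f[c]], shared(nxt, c))
               and all(ok(ABS_N[f[c], f[d]], nxt[c] == d) for d in nxt)
               for c in nxt)

def sharing_supervaluational(max_nodes=3):
    """Stand-in for the prover call: summarise phi over all stores of size <= max_nodes in gamma(S)."""
    values = set()
    for size in range(1, max_nodes + 1):
        nodes = range(size)
        for succ in product([None, *nodes], repeat=size):  # n is a partial function
            nxt = dict(zip(nodes, succ))
            if any(embeds(nxt, dict(zip(nodes, f))) for f in product(ABS_NODES, repeat=size)):
                values.add(any(shared(nxt, c) for c in nxt))
    return Fraction(1) if values == {True} else Fraction(0) if values == {False} else HALF

if __name__ == "__main__":
    print("compositional:", sharing_compositional())        # 1/2
    print("supervaluational:", sharing_supervaluational())  # 0
```

Compositional evaluation stays at ½ because the summary node u2 makes n(u2,u2) and u2 ≠ u2 indefinite, while supervaluation sees that no store in the concretization can contain a shared node and returns 0.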

  27. Generating Loop Invariants [figure: abstract structures S1, S2, S3, … with pointers x, y, t and NULL] List reverse(List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x->next; y->next = t; } return y; }    “x and y point to disjoint lists”

  28. Missing … • Prototype implementation using TVLA and SPASS • NP formula • Best transformer for canonical abstraction

  29. Conclusions • First order logic provides a way to express concretization in interesting domains • linear size • Theorem provers can be integrated with program analyzers • enables flexible abstractions • no loss of information beyond the abstraction

  30. The End www.math.tau.ac.il/~gretay
