Meta Predicate Abstraction for Hierarchical Symbolic Heaps
Josh Berdine
Microsoft Research, Cambridge
joint with
Mike Emmi
University of California, Los Angeles
Slide 2
• What:
– Method of defining extrapolation and join operations for separation logic based analyses
• Main goals:
– Enable join operations between Powerset and Cartesian
– Provide systematic definitions and parameterizations of operations
Slide 3
• Goal: Enable join operations between Powerset and Cartesian
– “Maximally” precise Powerset (disjunctive-normal-form) join too costly / redundant
• Particularly for shape analysis: tends to overuse disjunction
– “Minimally” precise Cartesian (no disjunction) join usually too imprecise
• Therefore here:
– Use symbolic heap formulae that allow arbitrary nesting of conjunction & disjunction
– Parameterize join to control when to weaken by shifting from disjunctive to a more conjunctive form
Slide 4
• Goal: Provide systematic definitions and parameterizations of operations
– Join & extrapolation generally have ad-hoc definitions in SL analyses
– Significant impediment to systematic or automatic tuning
• Therefore here:
– Define join & extrapolation using a form of predicate abstraction
• Unary predicates in (positive) first-order logic with transitive closure
• Interpreted over “points in the structure” of SL formulae
– Opens the way to specializing operations to a particular:
• Program
• Program point: lazy abstraction
• Program point at a particular point in the analysis: abstraction refinement
Slide 5: What are extrapolation & join?
• Approximate semantics
• Soundness condition for
– Join:
– Extrapolation:
Slide 6: Simple symbolic heaps
• Simple fragment of separation logic
• Consider analysis
– Sets of symbolic heap formulae
– Set-theoretic order, join, pointwise lift of transformers
• Now to define extrapolation…
Slide 7: Meta predicate logic
• First-order logic with transitive closure
• Entailment judgment
• Closure rules
Slide 8: Meta predicate evaluation
• Base predicate satisfaction
• Predicate satisfaction
• Unary predicates
• How unary predicates are evaluated
• Lifting to vectors of predicates and to expressions
Slide 9: Predicate evaluation example
• Predicates:
• Symbolic heap:
• Valuations:
Slide 10: Meta predicate based Extrapolation
• Append entailment
• Simplified concatenation rewrite rule
• General concatenation rewrite rule
Slide 11: Extrapolation example
• Consider:
– then:
– and:
• Non-confluence:
• In general, confluence depends on the predicate set
Slide 12: Predicates example
• Consider the predicates
• Then we have the rewrites
• Note similarity to Distefano+ TACAS’06 & Manevich+ VMCAI’05
• But:
Slide 13: Disjunctive symbolic heaps
• Disjunctive symbolic heaps
– Add production:
• Symbolic heap contexts
• Predicate satisfaction judgment
Slide 14: Predicate satisfaction
Slide 15: Example deduction
Slide 16: Predicate evaluation algorithm
Slide 17: Predicate evaluation algorithm
Slide 18: Extrapolation
• Concatenation rewrite
• “Selected branch” of a context
Slide 19: “Weaken & distribute * over ∨” Join
• Factorization rewrite
• Example
Slide 20: “Trade disjuncts for existentials” Join
• Joining segments with equal heads and unequal tails
• Example
Slide 21: Extrapolation & Join algorithms
• Work from the leaves of the whole formula to the root
• For each decomposition into context and symbolic heap
– View the selected symbolic heap as a graph
– Edges for points-to’s, list segments and equalities
• Apply rewrite rules to paths in the graph in length-decreasing order
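The rewrite and join steps outlined on slides 10, 19, 20 and 21, worked through as an added Python example. This is constructed illustration code, not the slides' own definitions or any implementation by the authors: it assumes a minimal symbolic-heap fragment with points-to atoms and non-empty acyclic list segments, uses the standard append entailment ls(e,f) * ls(f,g) ⊢ ls(e,g) with the side condition that g is nil or allocated in the rest of the heap, and stands in for the slides' evaluated unary predicate over "points in the structure" with one hard-coded predicate (`interior`) that decides which graph nodes a concatenation rewrite may eliminate.

```python
"""Toy separation-logic domain: extrapolation and join over symbolic heaps.

Constructed illustration, not the slides' definitions. A symbolic heap is a
*-conjunction stored as a frozenset of atoms (pred, head, tail):
("pt", x, y) is the points-to x |-> y, ("ls", x, y) a non-empty acyclic list
segment from x to y (assumed semantics). Names starting with "_" are
existentially quantified. A joined result may nest a disjunction under the
common *-conjuncts as ("star", common_atoms, ("or", heap1, heap2)).
"""
from collections import defaultdict

NIL = "nil"
PT, LS = "pt", "ls"


def is_existential(v):
    return v.startswith("_")


def allocated(atoms):
    """Cells known to be allocated: heads of points-to and non-empty segments."""
    return {head for _, head, _ in atoms}


def interior(v, out, inc):
    """The unary predicate gating the rewrite: an existential node of the
    segment graph with exactly one in-edge and one out-edge."""
    return is_existential(v) and len(out[v]) == 1 and len(inc[v]) == 1


def segment_paths(atoms):
    """Maximal paths of the segment graph (nodes = expressions, edges = atoms)
    whose inner nodes satisfy `interior`; these are the rewrite candidates."""
    out, inc = defaultdict(list), defaultdict(list)
    for a in atoms:
        out[a[1]].append(a)
        inc[a[2]].append(a)
    paths = []
    for a in atoms:
        if interior(a[1], out, inc):
            continue                      # not the start of a maximal path
        path = [a]
        while interior(path[-1][2], out, inc):
            path.append(out[path[-1][2]][0])
        paths.append(path)
    return paths


def extrapolate(atoms):
    """Fold paths by the append entailment ls(e,f) * ls(f,g) |- ls(e,g), a
    points-to counting as a one-cell segment. Side condition used: g is nil or
    allocated in the rest of the heap, so g is no cell of the folded path (a
    cycle is not an ls). Longer paths are rewritten first."""
    atoms = set(atoms)
    for path in sorted(segment_paths(atoms), key=len, reverse=True):
        if len(path) < 2:
            continue
        e, g = path[0][1], path[-1][2]
        rest = atoms - set(path)
        if g == NIL or g in allocated(rest):
            atoms = rest | {(LS, e, g)}
    return frozenset(atoms)


def fresh(used):
    """First existential name not occurring in the heaps being joined."""
    i = 0
    while f"_v{i}" in used:
        i += 1
    return f"_v{i}"


def join(h1, h2):
    """'Weaken & distribute * over v': weaken both sides by extrapolation and
    factor the common atoms C, so C*R1 v C*R2 becomes C * (R1 v R2).
    'Trade disjuncts for existentials': if R1 and R2 are single atoms with the
    same head, replace R1 v R2 by one atom (ls if the predicates differ, a fresh
    existential tail if the tails differ). Otherwise keep the disjunction."""
    h1, h2 = extrapolate(h1), extrapolate(h2)
    common = h1 & h2
    r1, r2 = h1 - common, h2 - common
    if not r1 and not r2:
        return common
    if len(r1) == 1 and len(r2) == 1:
        (p1, x1, y1), = r1
        (p2, x2, y2), = r2
        if x1 == x2:
            pred = p1 if p1 == p2 else LS            # x|->y entails ls(x,y)
            used = {v for a in h1 | h2 for v in a[1:]}
            tail = y1 if y1 == y2 else fresh(used)
            return common | {(pred, x1, tail)}
    return ("star", common, ("or", r1, r2))


if __name__ == "__main__":
    # Constructed inputs: two cells then a segment, all intermediates existential.
    print(extrapolate({(PT, "x", "_a"), (PT, "_a", "_b"), (LS, "_b", NIL)}))
    # Equal heads, unequal tails: the tails are traded for one existential.
    print(join({(LS, "x", "y"), (PT, "y", NIL)}, {(LS, "x", "z"), (PT, "y", NIL)}))
```

`extrapolate` is the length-decreasing pass of slide 21 on a single symbolic heap: x ↦ _a * _a ↦ _b * ls(_b, nil) folds to ls(x, nil), while x ↦ _a * _a ↦ x is left alone because the side condition fails (folding it would claim a segment around a cycle). `join` first weakens each side (so x ↦ _a * _a ↦ nil and x ↦ nil meet at ls(x, nil)), factors out common conjuncts, and only trades the residual disjunction for an existential when both residuals are single atoms with the same head; anything else stays as a nested disjunction under the shared part, which is the hierarchical shape the slides argue for instead of a flat powerset.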
Slide 22: Hierarchical Symbolic Heaps
• Disjunctive hierarchical symbolic heaps
• Base predicate satisfaction changes
• Otherwise mostly orthogonal extension
• Extrapolation & join algorithms complicated by needing to construct segment graphs inductively over patterns
• Rewrite rules now need to use subtraction
– Paths in the segment graph don’t imply the append entailment applies
Slide 23: Summary
• Proposed method of defining extrapolation & join operations
– For separation logic based analyses
– Over formulae allowing arbitrary nesting of *-conjunction and disjunction
– Using a form of (unary, FOTC) predicate abstraction
• Enables join operations between Powerset and Cartesian
• Provides systematic definitions and parameterizations of operations
• Can be seen as a meeting point of Canonical Abstraction and separation logic based analysis
– Representation of invariants & local semantics of programs from SL
– Extrapolation & join based on valuation of FOTC predicates à la CA