Posted on 19-Dec-2015
Slide 1
Shape Analysis via 3-Valued Logic
Mooly Sagiv, Tel Aviv University
http://www.cs.tau.ac.il/~msagiv/toplas02.ps
www.cs.tau.ac.il/~tvla
Slide 2
Topics
• A new abstract domain for static analysis
• Abstract dynamically allocated memory
• TVLA: A system for generating abstract interpreters
• Applications
Slide 3
Motivation
• Dynamically allocated storage and pointers are essential programming tools
  – Object oriented
  – Modularity
  – Data structure
• But
  – Error prone
  – Inefficient
• Static analysis can be very useful here
Slide 4
A Pathological C Program
```c
a = malloc(...);
b = a;
free(a);            /* a and b now dangle */
c = malloc(...);    /* the allocator may hand back the block just freed */
if (b == c) printf("unexpected equality");
```
Slides 5 and 6
Dereference of NULL pointers
```c
typedef struct element {
    int value;
    struct element *next;
} Elements;

bool search(int value, Elements *c) {
    Elements *elem;
    for (elem = c; c != NULL; elem = elem->next)  /* the loop tests c, never elem */
        if (elem->value == value)                 /* potential null de-reference */
            return TRUE;
    return FALSE;
}
```
potential null de-reference
Slides 7 to 9
Memory leakage
```c
typedef struct element {
    int value;
    struct element *next;
} Elements;

Elements *reverse(Elements *c)
{
    Elements *h, *g;
    h = NULL;
    while (c != NULL) {
        g = c->next;
        h = c;
        c->next = h;   /* h was just overwritten with c: the previous head is dropped */
        c = g;
    }
    return h;
}
```
leakage of address pointed-by h
Slide 9 shows the procedure again with the verdict: ✔ No memory leaks
Slide 10
Example: List Creation
```c
typedef struct node { int val; struct node *next; } *List;

List create(...)
{
    List x, t;
    x = NULL;
    while (...) {
        t = malloc();
        t->next = x;
        x = t;
    }
    return x;
}
```
✔ No null dereferences
✔ No memory leaks
✔ Returns acyclic list
Slide 11
Example: Collecting Interpretation
[Figure: control-flow graph of create() (x = NULL; loop body t = malloc(..); t->next = x; x = t; exit return x) annotated at each point with the concrete stores reached there, drawn as x, t and n edges; each iteration adds one more list node (diagram residue removed)]
Slide 12
Example: Abstract Interpretation
[Figure: the same control-flow graph annotated with bounded abstract structures over x, t and n, in which the list tail is represented by a single summary node (diagram residue removed)]
Slide 13
Challenge 1 - Memory Allocation
• The number of allocated objects/threads is not known
• Concrete state space is infinite
• How to guarantee termination?
Slide 14
Challenge 2 - Destructive Updates
• The program manipulates states using destructive updates
  – e->next = t
• Hard to define concrete interpretation
• Harder to define abstract interpretation
Slide 15
Challenge 2 - Destructive Update: Unsound
[Figure: a naive abstract transformer for y->next = NULL on a structure with p, x, y and n edges, labelled Unsound (diagram residue removed)]
Slide 16
Challenge 2 - Destructive Update: Imprecise
[Figure: a conservative abstract transformer for y->next = NULL on the same structure, labelled Imprecise (diagram residue removed)]
Slide 17
Challenge 3 – Re-establishing Data Structure Invariants
• Data-structure invariants typically only hold at the beginning and end of ADT operations
• Need to verify that data-structure invariants are re-established
Slide 18
Challenge 3 – Re-establishing Data Structure Invariants
```c
void rotate(List first, List last) {
    if (first != NULL) {
        last->next = first;       /* the list is temporarily cyclic */
        first = first->next;
        last = last->next;
        last->next = NULL;        /* acyclicity is re-established here */
    }
}
```
[Figure: first/last pointers and n edges after each statement of rotate (diagram residue removed)]
Slide 19
Plan
• Concrete interpretation
• Canonical abstraction
• Abstract interpretation using canonical abstraction
• The TVLA system
Slide 20
Traditional Heap Interpretation
• States = Two level stores
  – Env maps Var to Values
  – fields map Loc to Values
  – Values = Loc together with Atoms
• Example
  – Env = [x: 30, p: 79]
  – next = [30: 40, 40: 50, 50: 79, 79: 90]
  – val = [30: 1, 40: 2, 50: 3, 79: 4, 90: 5]
[Figure: the five cells at locations 30, 40, 50, 79, 90 holding values 1 to 5, chained by next with the last next = 0; x points to 30 and p to 79 (diagram residue removed)]
Predicate Logic• Vocabulary
– A finite set of predicate symbols Peach with a fixed arity
• Logical Structures S provide meaning for predicates – A set of individuals (nodes) U– pS: (US)k {0, 1}
• FOTC over TC, express logical structure properties
![Page 22: Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University msagiv/toplas02.ps tvla](https://reader033.vdocument.in/reader033/viewer/2022051618/56649d3e5503460f94a16c4c/html5/thumbnails/22.jpg)
Representing Stores as Logical Structures
• Locations Individuals• Program variables Unary predicates• Fields Binary predicates• Example
– U = {u1, u2, u3, u4, u5}– x = {u1}, p = {u3}– n = {<u1, u2>, <u2, u3>, <u3, u4>, <u4, u5>}
u1 u2 u3 u4 u5xn n n n
p
Slide 23
Formal Semantics of First Order Formulae
• For a structure S = <U^S, p^S>
• Formulae with free variables from LVar
• Assignment z maps LVar to U^S
• The meaning [[φ]]^S(z) of a formula φ is in {0, 1}:
  – [[1]]^S(z) = 1
  – [[0]]^S(z) = 0
  – [[p(v1, v2, ..., vk)]]^S(z) = p^S(z(v1), z(v2), ..., z(vk))
Slide 24
Formal Semantics of First Order Formulae
• For a structure S = <U^S, p^S>
• Formulae with free variables from LVar
• Assignment z maps LVar to U^S
• [[φ]]^S(z) ∈ {0, 1}:
  – [[φ1 ∨ φ2]]^S(z) = max([[φ1]]^S(z), [[φ2]]^S(z))
  – [[φ1 ∧ φ2]]^S(z) = min([[φ1]]^S(z), [[φ2]]^S(z))
  – [[¬φ1]]^S(z) = 1 - [[φ1]]^S(z)
  – [[∃v: φ1]]^S(z) = max {[[φ1]]^S(z[v ↦ u]) : u ∈ U^S}
Slide 25
Formal Semantics of Transitive Closure
• For a structure S = <U^S, p^S>
• Formulae with free variables from LVar
• Assignment z maps LVar to U^S
• [[φ]]^S(z) ∈ {0, 1}:
  – [[p*(v1, v2)]]^S(z) = max over sequences u1, ..., uk ∈ U with z(v1) = u1 and z(v2) = uk of min over 1 ≤ i < k of p^S(ui, ui+1)
Slide 26
Concrete Interpretation Rules

| Statement | Update formula |
|---|---|
| x = NULL | x'(v) = 0 |
| x = malloc() | x'(v) = IsNew(v) |
| x = y | x'(v) = y(v) |
| x = y->next | x'(v) = ∃w: y(w) ∧ n(w, v) |
| x->next = y | n'(v, w) = (¬x(v) ∧ n(v, w)) ∨ (x(v) ∧ y(w)) |
Slide 27
Invariants
• No memory leaks: ∀v: ∨_{x ∈ PVar} ∃w: x(w) ∧ n*(w, v)
• Acyclic list(x): ∀v, w: x(v) ∧ n*(v, w) → ¬n+(w, v)
• Reverse(x): ∀v, w, r: x(v) ∧ n*(v, w) ∧ n(w, r) → n'(r, w)
Slide 28
Why use logical structures?
• Naturally model pointers and dynamic allocation
• No a priori bound on number of locations
• Use formulas to express semantics
• Indirect store updates using quantifiers
• Can model other features
  – Concurrency
  – Abstract fields
Slide 29
Why use logical structures?
• Behaves well under abstraction
• Enables automatic construction of abstract interpreters from concrete interpretation rules (TVLA)
Slide 30
Collecting Interpretation
• The set of reachable logical structures in every program point
• Statements operate on sets of logical structures
• Cannot be directly computed for programs with unbounded store and loops
```c
x = NULL;
while (...) {
    t = malloc();
    t->next = x;
    x = t;
}
```
[Figure: the structures reached at the loop head: the empty structure; u1 (x, t); u1 (x, t) → u2; ... ; u1 (x, t) → u2 → ... → un, one structure per number of iterations (diagram residue removed)]
Slide 31
Plan
• Concrete interpretation
• Canonical abstraction
• TVLA
Slide 32
Canonical Abstraction
• Convert logical structures of unbounded size into bounded size
• Guarantees that the number of logical structures at every program point is finite
• Every first-order formula can be conservatively interpreted
Slide 33
Kleene Three-Valued Logic
• 1: True
• 0: False
• 1/2: Unknown
• A join semi-lattice: 0 ⊔ 1 = 1/2
[Figure: the three values arranged by the information order (1/2 above both 0 and 1) and by the logical order (diagram residue removed)]
Slide 34
Boolean Connectives [Kleene]

Conjunction (min):

| ∧ | 0 | 1/2 | 1 |
|---|---|-----|---|
| 0 | 0 | 0 | 0 |
| 1/2 | 0 | 1/2 | 1/2 |
| 1 | 0 | 1/2 | 1 |

Disjunction (max):

| ∨ | 0 | 1/2 | 1 |
|---|---|-----|---|
| 0 | 0 | 1/2 | 1 |
| 1/2 | 1/2 | 1/2 | 1 |
| 1 | 1 | 1 | 1 |
Slide 35
3-Valued Logical Structures
• A set of individuals (nodes) U
• Predicate meaning
  – p^S maps (U^S)^k to {0, 1, 1/2}
Slide 36
Canonical Abstraction
• Partition the individuals into equivalence classes based on the values of their unary predicates
  – Every individual is mapped into its equivalence class
• Collapse predicates via join
  – p^S(u'1, ..., u'k) = ⊔ {p^B(u1, ..., uk) | f(u1) = u'1, ..., f(uk) = u'k}
• At most 2^|A| abstract individuals, where A is the set of unary predicates
Slides 37 and 38
Canonical Abstraction
```c
x = NULL;
while (...) {
    t = malloc();
    t->next = x;
    x = t;
}
```
[Figure: the concrete store u1 (x, t) → u2 → u3 and its canonical abstraction u1 (x, t) → u2,3; u2 and u3 collapse into one node because their unary predicate values agree, and the n edges into and within u2,3 become 1/2 (diagram residue removed)]
Slide 39
Canonical Abstraction and Equality
• Summary nodes may represent more than one element
• (In)equality need not be preserved under abstraction
• Explicitly record equality
• Summary nodes are nodes with eq(u, u)=1/2
Slides 40 and 41
Canonical Abstraction and Equality
```c
x = NULL;
while (...) {
    t = malloc();
    t->next = x;
    x = t;
}
```
[Figure: the abstraction of u1 (x, t) → u2 → u3 into u1 (x, t) → u2,3 with eq recorded explicitly: eq(u1, u1) = 1 while eq(u2,3, u2,3) = 1/2, which marks u2,3 as a summary node (diagram residue removed)]
Slide 42
Challenges: Heap & Concurrency [Yahav POPL'01]
• Concurrency with the heap is evil...
• Java threads are just heap allocated objects
• Data and control are strongly related
  – Thread-scheduling info may require understanding of heap structure (e.g., scheduling queue)
  – Heap analysis requires information about thread scheduling
```java
Thread t1 = new Thread();
Thread t2 = new Thread();
...
t = t1;
...
t.start();
```
Slide 43
Configurations – Example
```java
l_0: while (true) {
l_1:   synchronized(myLock) {
l_C:     // critical actions
l_2:   }
l_3: }
```
[Figure: a configuration in which each thread object carries at[l_0], at[l_1] or at[l_C] and has an rval[myLock] edge to the lock object; the thread at l_C holds the lock (held_by) and the threads at l_1 are blocked on it (diagram residue removed)]
Slide 44
Concrete Configuration
[Figure: the concrete configuration with one node per thread (diagram residue removed)]
Slide 45
Abstract Configuration
[Figure: the abstract configuration, in which threads with the same at[...] value are represented by one node (diagram residue removed)]
Slide 46
Examples Verified

| Program | Property |
|---|---|
| twoLock Q | No interference; No memory leaks; Partial correctness |
| Producer/consumer | No interference; No memory leaks |
| Apprentice Challenge | Counter increasing |
| Dining philosophers with resource ordering | Absence of deadlock |
| Mutex | Mutual exclusion |
| Web Server | No interference |
Slide 47
Summary
• Canonical abstraction guarantees finite number of structures
• The concrete location of an object plays no significance
• But what is the significance of 3-valued logic?
Slide 48
Topics
• Embedding
• Instrumentation
• Abstract Interpretation
• [Extensions]
Slide 49
Embedding
[Figure: a six-node list u1 to u6 with x on u1, embedded into the three-node structure u12, u34, u56 and further into the two-node structure u123, u456 (diagram residue removed)]
Slide 50
Embedding
• B ⊑_f S: f is an onto function from the individuals of B to those of S
• p^B(u1, ..., uk) ⊑ p^S(f(u1), ..., f(uk))
• S is a tight embedding of B with respect to f if:
  – p^S(u#1, ..., u#k) = ⊔ {p^B(u1, ..., uk) | f(u1) = u#1, ..., f(uk) = u#k}
• Canonical Abstraction is a tight embedding
Slide 51
Embedding (cont)
• S1 ⊑_f S2 implies that every concrete state represented by S1 is also represented by S2
• The set of nodes in S1 and S2 may be different
  – No meaning for node names (abstract locations)
• γ(S#) = {S : S is a 2-valued structure, S ⊑_f S#}
Slide 52
Embedding Theorem
• Assume B ⊑_f S, i.e. p^B(u1, ..., uk) ⊑ p^S(f(u1), ..., f(uk))
• Then every formula φ is preserved:
  – If [[φ]] = 1 in S, then [[φ]] = 1 in B
  – If [[φ]] = 0 in S, then [[φ]] = 0 in B
  – If [[φ]] = 1/2 in S, then [[φ]] could be 0 or 1 in B
Slide 53
Embedding Theorem
• Every formula φ is preserved:
  – If [[φ]] = 1 in S, then [[φ]] = 1 for all B ∈ γ(S)
  – If [[φ]] = 0 in S, then [[φ]] = 0 for all B ∈ γ(S)
  – If [[φ]] = 1/2 in S, then [[φ]] could be 0 or 1 in γ(S)
Slides 54 and 55
Challenge 2 - Destructive Update: Sound
[Figure: y->next = NULL applied to the abstract structure with p, x, y over n edges, labelled Sound (diagram residue removed)]
n'(v, w) = ¬y(v) ∧ n(v, w)
Slide 56
Embedding Theorem
[Figure: the abstract structure u1 (x, t) → u2,3 in which the n edge from u1 to u2,3 and the n edge from u2,3 to itself are valued 1/2 (diagram residue removed)]
[[∃v: x(v)]] = 1 (Yes)
[[∃v: x(v) ∧ t(v)]] = 1 (Yes)
[[∃v: x(v) ∧ y(v)]] = 0 (No)
[[∃v, w: x(v) ∧ n(v, w)]] = 1/2 (Maybe)
v, w: x(v) n(v, w) n(v, w) 0=No
[[∃v, w: x(v) ∧ n*(v, w) ∧ n+(w, w)]] = 1/2 (Maybe)
Slide 57
Summary
• The embedding theorem eliminates the need for proving near commutativity
• Guarantees soundness
• Applied to arbitrary logics
• But can be imprecise
Slide 58
Limitations
• Information on summary nodes is lost
• Leads to useless verification
Slide 59
Increasing Precision
• User (Programming Language) supplied global invariants
  – Naturally expressed in FO^TC
• Record extra information in the concrete interpretation
  – Tune the abstraction
  – Refine concretization
Slides 60 and 61
Cyclicity predicate
c[x]() = ∃v1, v2: x(v1) ∧ n*(v1, v2) ∧ n+(v2, v2)
[Figure (slide 60): an acyclic list u1 (x, t) → u2 → ... → un and its abstraction u1 (x, t) → u2..n; c[x]() = 0 in both (diagram residue removed)]
[Figure (slide 61): the same list with an n edge leading back into it, and its abstraction; c[x]() = 1 in both (diagram residue removed)]
Slides 62 and 63
Heap Sharing predicate
is(v) = ∃v1, v2: n(v1, v) ∧ n(v2, v) ∧ v1 ≠ v2
[Figure (slide 62): the list u1 (x, t) → u2 → ... → un and its abstraction u1 (x, t) → u2..n; is(v) = 0 on every node in both (diagram residue removed)]
[Figure (slide 63): a store in which u2 has two distinct n predecessors, so is(v) = 1 on u2 and 0 elsewhere; in the abstraction u1 (x, t) → u2 → u3..n the node u2 keeps is(v) = 1 (diagram residue removed)]
Concrete Interpretation RulesStatement Update formula
x =NULL x’(v)= 0
x= malloc() x’(v) = IsNew(v)
x=y x’(v)= y(v)
x=y next x’(v)= w: y(w) n(w, v)
x next=NULL n’(v, w) = x(v) n(v, w)
is’(v) = is(v) v1, v2: n(v1, v) n(v2, v) x(v1) x(v2) eq(v1, v2)
Slide 65
Reachability predicate
t[n](v1, v2) = n*(v1, v2)
[Figure: the list u1 (x, t) → u2 → ... → un with t[n] holding from every node to each node after it, and its abstraction u1 (x, t) → u2..n with t[n] edges from u1 to u2..n and within u2..n (diagram residue removed)]
Slide 66
Additional Instrumentation predicates
• reachable-from-variable-x(v)
• cfb(v) = ∀v1: f(v, v1) → b(v1, v)
• tree(v)
• dag(v)
• inOrder(v) = ∀v1: n(v, v1) → dle(v, v1)
• Weakest Precondition [Ramalingam PLDI 02]
Slide 67
Instrumentation (Summary)
• Refines the abstraction
• Adds global invariants
• But requires update-formulas (generated automatically in TVLA2)
is(v) = ∃v1, v2: n(v1, v) ∧ n(v2, v) ∧ v1 ≠ v2
Global invariant: is(v) holds exactly when ∃v1, v2: n(v1, v) ∧ n(v2, v) ∧ v1 ≠ v2
γ(S#) = {S : S satisfies the instrumentation invariants, S ⊑_f S#}
Slide 68
Plan
• Embedding Theorem
• Instrumentation
• Abstract interpretation using canonical abstraction
• TVLA
Slide 69
Best Conservative Interpretation (CC79)
[Figure: a concrete representation is transformed by the collecting interpretation st_c into a concrete representation; abstraction α and concretization γ connect concrete and abstract representations, and the abstract interpretation st# transforms the abstract representation; the best abstract transformer is α ∘ st_c ∘ γ (diagram residue removed)]
Slide 70
Best Transformer (x = x->n)
[Figure: starting from an abstract structure over x and y, inverse embedding enumerates the concrete structures it represents (the "..." in the figure), the update formulas are evaluated on each of them, and canonical abstraction maps the results back to abstract structures (diagram residue removed)]
Slides 71 and 72
"Focus"-Based Transformer (x = x->n)
[Figure: Focus(x->n) replaces full inverse embedding by a "partial" concretization in which the value of x->n is definite in every resulting structure; the update formulas are then evaluated with Kleene semantics and the results are canonically abstracted (diagram residue removed)]
Slide 73
Semantic Reduction
• Improve the precision by recovering properties of the program semantics
• A Galois connection (L1, α, γ, L2)
• An operation op: L2 → L2 is a semantic reduction if, for every l ∈ L2, op(l) ⊑ l and γ(op(l)) = γ(l)
• Can be applied before and after basic operations
[Figure: l and op(l) in L2 with the same image under γ in L1 (diagram residue removed)]
Slide 74
Three Valued Logic Analysis (TVLA)
T. Lev-Ami & R. Manevich
• Input (FO^TC)
  – Concrete interpretation rules
  – Definition of instrumentation predicates
  – Definition of safety properties
  – First Order Transition System (TVP)
• Output
  – Warnings (text)
  – The 3-valued structure at every node (invariants)
Slide 75
Null Dereferences
Demo
```c
typedef struct element
{
    int value;
    struct element *n;
} Element;

bool search(int value, Element *x)
{
    Element *c = x;
    while (x != NULL) {          /* tests x, not c: c can reach NULL */
        if (c->value == value)   /* potential null de-reference */
            return TRUE;
        c = c->n;
    }
    return FALSE;
}
```
Slide 76
TVLA inputs
• TVP - Three Valued Program
  – Predicate declaration
  – Action definitions (SOS)
  – Control flow graph
• TVS - Three Valued Structure
Program independent
Demo
Slide 77
Challenge 1
• Write a C procedure on which TVLA reports a false null dereference
Slide 78
Proving Correctness of Sorting Implementations (Lev-Ami, Reps, S, Wilhelm ISSTA 2000)
• Partial correctness
  – The elements are sorted
  – The list is a permutation of the original list
• Termination
  – At every loop iteration the set of elements reachable from the head decreases
Slide 79
Example: InsertSort
Run Demo
```c
typedef struct list_cell { int data; struct list_cell *n; } *List;

List InsertSort(List x) {
    List r, pr, rn, l, pl;
    r = x; pr = NULL;
    while (r != NULL) {
        l = x; rn = r->n; pl = NULL;
        while (l != r) {
            if (l->data > r->data) {
                pr->n = rn;
                r->n = l;
                if (pl == NULL) x = r; else pl->n = r;
                r = pr;
                break;
            }
            pl = l; l = l->n;
        }
        pr = r; r = rn;
    }
    return x;
}
```
pred.tvp
actions.tvp
Slide 80
Example: InsertSort
Run Demo
Variant fragment as shown on the slide:
```c
typedef struct list_cell { int data; struct list_cell *n; } *List;

List InsertSort(List x) {
    if (x == NULL) return NULL;
    pr = x; r = x->n;
    while (r != NULL) {
        pl = x; rn = r->n; l = x->n;
        while (l != r) {
            pr->n = rn; r->n = l;
            pl->n = r; r = pr; break;
        }
        pl = l; l = l->n;
    }
    pr = r; r = rn;
}
```
![Page 81: Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University msagiv/toplas02.ps tvla](https://reader033.vdocument.in/reader033/viewer/2022051618/56649d3e5503460f94a16c4c/html5/thumbnails/81.jpg)
Example: Reverse
typedef struct list_cell { int data; struct list_cell *n; } *List;

List reverse(List x) {
  List y, t;
  y = NULL;
  while (x != NULL) {
    t = y; y = x; x = x->n; y->n = t;
  }
  return y;
}
Page 82
Challenge
• Write a sorting C procedure on which TVLA fails to prove sortedness or permutation
Page 83
Example: Mark and Sweep

void Sweep() {
  unexplored = Universe
  collected = ∅
  while (unexplored ≠ ∅) {
    x = SelectAndRemove(unexplored)
    if (x ∉ marked) collected = collected ∪ {x}
  }
  assert(collected == Universe – Reachset(root))
}

void Mark(Node root) {
  if (root != NULL) {
    pending = ∅
    pending = pending ∪ {root}
    marked = ∅
    while (pending ≠ ∅) {
      x = SelectAndRemove(pending)
      marked = marked ∪ {x}
      t = x->left
      if (t ≠ NULL) if (t ∉ marked) pending = pending ∪ {t}
      t = x->right
      if (t ≠ NULL) if (t ∉ marked) pending = pending ∪ {t}
    }
  }
  assert(marked == Reachset(root))
}
pred.tvp
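As an added example (not from the slides or TVLA), the Mark and Sweep above in C over a constructed six-node Universe, with both assertions checked at run time against a Reachset computed independently; the bitmap sets, the graph, and the names check_mark_and_sweep, id and work are our assumptions.

```c
/* Added example, not from the slides: Mark and Sweep from the slides run over a
 * constructed six-node Universe, with both assertions checked at run time against
 * a Reachset computed independently by recursion. Bitmap sets, the graph and the
 * names below are our constructions. */
#include <stddef.h>
#define N 6
typedef struct node { struct node *left, *right; } Node;
static Node universe[N];                                  /* the Universe */
static int marked[N], pending[N], collected[N], reach[N]; /* sets as bitmaps */
static int id(Node *p) { return (int)(p - universe); }
/* Reachset(root): independent reference computed by plain recursion */
static void reachset(Node *p) {
    if (p == NULL || reach[id(p)]) return;
    reach[id(p)] = 1; reachset(p->left); reachset(p->right);
}
/* Mark as on the slides; pending is a set, so a node enters it at most once */
static void mark(Node *root) {
    Node *work[N]; int n = 0;
    if (root == NULL) return;
    work[n++] = root; pending[id(root)] = 1;
    while (n > 0) {                                /* pending != empty */
        Node *x = work[--n]; pending[id(x)] = 0;   /* SelectAndRemove */
        marked[id(x)] = 1;
        Node *kids[2] = { x->left, x->right };
        for (int k = 0; k < 2; k++) {
            Node *t = kids[k];
            if (t != NULL && !marked[id(t)] && !pending[id(t)]) {
                work[n++] = t; pending[id(t)] = 1;
            }
        }
    }
}
/* Sweep as on the slides: every node not marked is collected */
static void sweep(void) {
    for (int i = 0; i < N; i++) if (!marked[i]) collected[i] = 1;
}
/* 1 iff marked == Reachset(root) and collected == Universe - Reachset(root) */
int check_mark_and_sweep(void) {
    /* constructed graph: 0->(1,2) 1->(3,-) 2->(3,1) 3->(0,-); nodes 4 and 5
     * form an unreachable cycle that the sweep must collect */
    static const int l[N] = {1, 3, 3, 0, 5, 4}, r[N] = {2, -1, 1, -1, -1, -1};
    for (int i = 0; i < N; i++) {
        universe[i].left = &universe[l[i]];
        universe[i].right = r[i] < 0 ? NULL : &universe[r[i]];
    }
    mark(&universe[0]); sweep(); reachset(&universe[0]);
    for (int i = 0; i < N; i++)
        if (marked[i] != reach[i] || collected[i] != !reach[i]) return 0;
    return 1;
}
```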
Page 84
Challenge 2
• Use TVLA to show termination of markAndSweep
Page 85
The Canvas Project (with IBM Watson) (Component Annotation, Verification and Stuff)
Verification of Safety Properties (PLDI’02, 04)
Component: a library with cleanly encapsulated state
Client: a program that uses the library
Lightweight Specification: "correct usage" rules a client must follow, e.g. "call open() before read()"
Certification: does the client program satisfy the lightweight specification?
Page 86
Prototype Implementation
• Applied to several example programs
– Up to 5000 lines of Java
• Used to verify
– Absence of concurrent modification exception
– JDBC API conformance
– IOStreams API conformance
Page 87

Page 88
Scaling
• Staged analysis
• Controlled complexity
– More coarse abstractions [Manevich SAS’04]
• Handle libraries
– Use procedure specifications [Yorsh, TACAS’04]
– Decision procedures for linked data structures [Immerman, CAV’04, Lev-Ami, CADE’05]
• Handling procedures
– Compute procedure summaries [Jeannet, SAS’04]
– Local heaps [Rinetzky, POPL’05]
Page 89
Local heaps [Rinetzky, POPL’05]
[Figure: two heap diagrams over the variables x, y, t, g, separated by the statement call p(x);]
Page 90
Why is Heap Analysis Difficult?
• Destructive updating through pointers
– p->next = q
– Produces complicated aliasing relationships
– Track aliasing on 3-valued structures
• Dynamic storage allocation
– No bound on the size of run-time data structures
– Canonical abstraction → finite-sized 3-valued structures
• Data-structure invariants typically only hold at the beginning and end of operations
– Need to verify that data-structure invariants are re-established
– Query the 3-valued structures that arise at the exit
Page 91
Summary
• Canonical abstraction is powerful
– Intuitive
– Adapts to the property of interest
• Used to verify interesting program properties
– Very few false alarms
• But scaling is an issue
Page 92
Summary
• Effective Abstract Interpretation
– Always terminates
– Precise enough
– But still expensive
• Can model
– Heap
– Unbounded arrays
– Concurrency
• More instrumentation can mean a more efficient analysis
• But canonical abstraction is limited
– Correlation between list lengths
– Arithmetic
– Partial heaps
Page 93
Summary
• The embedding theorem eliminates the need for proving near commutativity
• Guarantees soundness
• Applied to arbitrary logics
• But can be imprecise