parametric shape analysis via 3-valued · pdf fileparametric shape analysis via 3-valued logic...

Parametric Shape Analysis via 3-valued logic

Parametric Shape Analysis via 3-valued logic

Sebastian Hahn

[email protected]

Fakultät 6.2 Informatik der Universität Saarbrücken

12. Juni 2010

1 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicIntroduction

Motivation

/* list.h */typedef struct node {struct node *n;int data;

} *List;

/* insert.c */#include "list.h"void insert(List x, int d) {List y, t, e;assert(acyclic_list(x) && x != NULL);y = x;while (y->n != NULL && ...) {y = y->n;

}t = malloc ();t->data = d;e = y->n;t->n = e;y->n = t;

}

We want to determine, thatno null-pointer dereferencation occursthe resulting list is acyclicall list members are reachable from xelement d is part of the resulting list

2 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicIntroduction

What is Shape Analysis?

Shape Analysis

Shape Analysis wants tostatically analyse a programdetermine information about heap-allocated data structuresmanipulated by the programdetermine the ’shape’ of the heap’s content

We are interested in:values of pointer-variablesvalues of pointer-valuedfields

3 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicRepresenting Stores via Logical Structures

Modeling the Heap

Modeling the Heap

We want to model a list of length 3, that is pointed to by a variable xand connected via n-fields.

x u1 u2 u3n n

unary preds. binary preds.indiv. x y t eu1 1 0 0 0u2 0 0 0 0u3 0 0 0 0

n u1 u2 u3

u1 0 1 0u2 0 0 1u3 0 0 0

4 computer science

saarlanduniversity


Modeling the Heap

ObservationWe can use

unary predicate of form q(v) to represent that the pointer variable qpoints to an heap element vbinary predicate of form n(u,w) to represent that the n-field of upoints to w .

For our example, we choose the predicates x , y , t, e, and n.

5 computer science

saarlanduniversity


Modeling the Heap

Logical structures

DefinitionLet P be the set of our predicate symbols.

We call S a logical stucture, denoted by 〈Us , ιs〉, with Us the universe ofindividuals and ι a mapping P → Us k → B.

x u1 u2 u3n n

unary preds. binary preds.indiv. x y t eu1 1 0 0 0u2 0 0 0 0u3 0 0 0 0

n u1 u2 u3

u1 0 1 0u2 0 0 1u3 0 0 0

6 computer science

saarlanduniversity


Modeling the Heap

Graphical notation

Individuals circles with names insideu0

Unary predicates solid arrow from predicate name p to node u

if ι(p)(u) = 1 holdsp u

Binary predicates solid arrow from node u1 to node u2 labeled withpredicate name q if ι(q)(u1, u2) = 1 holds

u1 u2q

7 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicExtraction of Store Properties

Properties of Heap cells

8 computer science

saarlanduniversity


Example formulae

Example

The ’is-x-null-pointer’ property:

isNullPointerx() := ¬∃v : x(v)

isNullPointerx() evaluates to 0, because x(u1) holds. But isNullPointery ()evaluates to 1, because neither y(u1) nor y(u2) nor y(u3) holds.

unary preds. binary preds.indiv. x y t e

u1 1 0 0 0u2 0 0 0 0u3 0 0 0 0

S\3

n u1 u2 u3u1 0 1 0u2 0 0 1u3 0 0 0

9 computer science

saarlanduniversity


Observation (Property-Extraction Principle)

By encoding stores as logical structures, questions about store propertiescan be answered by evaluating logical formulae.

A property holds if the corresponding formula evaluates to true (1) in agiven structure.

If the formula evaluates to false (0), the property does not hold in thegiven structure.

10 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicExpressing the semantics of Program statements

Statement Execution

11 computer science

saarlanduniversity


Example y = y->n

x

y y ′

u1 u2 u3n n

Example

Predicate update formulae for our predicates of the insert example:

x ′(v) = x(v)

t ′(v) = t(v)

e′(v) = e(v)

n′(v1, v2) = n(v1, v2)

y ′(v) = ∃v1 : y(v1) ∧ n(v1, v)

12 computer science

saarlanduniversity


Results

unary preds. binary preds.indiv. x y t eu1 1 1 0 0u2 0 0 0 0u3 0 0 0 0u4 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x

y

u1 u2 u3 u4n n n

unary preds. binary preds.indiv. x y t eu1 1 0 0 0u2 0 1 0 0u3 0 0 0 0u4 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x

y

u1 u2 u3 u4n n n

13 computer science

saarlanduniversity


Observation(Expressing the Semantics of Statements via Logical Formulae)

We have a logical structure that encodes a store that arises before theexecution of a statement.If we evaluate a predicate-update-formula in that structure, the resultindicates the value of the predicate after the execution of the statement.

14 computer science

saarlanduniversity


The Meaning of Program Statements

Predicate-Update Formulae

st p′

x = NULL x ′(v) := 0x = t x ′(v) := t(v)x = t->sel x ′(v) := ∃v1 : t(v1) ∧ sel(v1, v)x->sel = NULL sel ′(v1, v2) := sel(v1, v2) ∧ ¬x(v1)x->sel = t(assuming thatx->sel == NULL )

sel ′(v1, v2) := sel(v1, v2) ∨ (x(v1) ∧ t(v2))

x = malloc() x ′(v) := isNew(v)

15 computer science

saarlanduniversity



DefinitionThe P transformer associated with statement st, denoted by

JstK : 2− STRUCT [P]→ 2− STRUCT [P]

takes a logical structure and yields the structure that arises by applyingthe predicate-update formulae for every predicate.

indiv. x y t eu1 1 1 0 0u2 0 0 0 0u3 0 0 0 0u4 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

Jy = y->nK−−−−−−−−→

indiv. x y t eu1 1 0 0 0u2 0 1 0 0u3 0 0 0 0u4 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

16 computer science

saarlanduniversity



DefinitionConsider the transformer associated with x = malloc().

We must extend our universe of individuals by unew .

indiv. x y t eu1 1 1 0 0u2 0 0 0 0unew ? ? ? ?

n u1 u2 unew

u1 0 1 ?u2 0 0 ?unew ? ? ?

17 computer science

saarlanduniversity




We must extend our universe of individuals by unew .We introduce a temporary predicate isNew , so that ι(isNew)(unew )yields 1.

indiv. x y t e isNewu1 1 1 0 0 0u2 0 0 0 0 0unew ? ? ? ? 1

n u1 u2 unew

u1 0 1 ?u2 0 0 ?unew ? ? ?

17 computer science

saarlanduniversity




We must extend our universe of individuals by unew .We introduce a temporary predicate isNew , so that ι(isNew)(unew )yields 1.We initialise the ι(p)(u1, . . . , uk) with 0 if ui = unew

Finally we apply the predicate-update formulae for every predicate.

indiv. x y t e isNewu1 0 1 0 0 0u2 0 0 0 0 0unew 1 0 0 0 1

n u1 u2 unew

u1 0 1 0u2 0 0 0unew 0 0 0

17 computer science

saarlanduniversity


Collecting Semantics

Collecting Semantics

int x = 3; (1) {T ,F}

y->sel == z (2) {T ,F}

y->sel = 0; (3){T} y->sel = z; (4) {F}

printf(’done’); (5) {T ′,F ′}

true false

18 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicAbstraction via Truth-Blurring Embeddings

Abstraction

Problem:Infinitely many logical structures can arise during

program execution!

19 computer science

saarlanduniversity


Kleene’s 3-Valued Logic

Interpretation of Operators∧ 0 1 1/20 0 0 01 0 1 1/21/2 0 1/2 1/2

∨ 0 1 1/20 0 1 1/21 1 1 11/2 1/2 1 1/2

¬0 11 01/2 1/2

Definition

We call the values 0 and 1 definite values and the value 1/2 indefinitevalue.

20 computer science

saarlanduniversity


Kleene’s 3-Valued Logic (2)

Definition (Information Order)

For l1, l2 ∈ {0, 1, 1/2}, we define the information order on truth values asfollows:

l1 v l2 if l1 = l2 or l2 = 1/2

The symbol t denotes the least-upper-bound operationwith respect to v.

Information Order1/2

0 1

Logical Order

1/2

0

1

21 computer science

saarlanduniversity


Example

indv. x y t eu1 1 1 0 0u2 0 0 0 0u3 0 0 0 0u4 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x

y

u1 u2 u3 u4n n n

22 computer science

saarlanduniversity


Example

indv. x y t eu1 1 1 0 0u2 0 0 0 0u3 0 0 0 0u4 0 0 0 0

abstracts to−−−−−−−−→

indv. x y t e smu1 1 1 0 0 0u234 0 0 0 0 1/2

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x

y

u1 u2 u3 u4n n n

22 computer science

saarlanduniversity


Exampleindv. x y t eu1 1 1 0 0u2 0 0 0 0u3 0 0 0 0u4 0 0 0 0


indv. x y t e smu1 1 1 0 0 0u234 0 0 0 0 1/2

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0


n u1 u234

u1 0 1/2u234 0 1/2

x

y

u1 u2 u3 u4n n n x

y

u1 u234n

n

22 computer science

saarlanduniversity


Graphical notation Reloaded

Individuals circles with names insideu0

Summary Nodes double circles with names insideu0

Unary predicates solid arrow from predicate name p to node u

if ι(p)(u) = 1 holdsp u

dotted arrow if ι(p)(u) = 1/2p u

Binary predicates solid arrow from node v to node w labeled with

predicate name q if ι(q)(v ,w) = 1 holdsv w

q

dotted arrow if ι(q)(v ,w) = 1/2v w

q

23 computer science

saarlanduniversity


Bounded Structures

Bounded Structures

Definition

A bounded structure over a given vocabulary is a structure S = 〈US , ιS〉sucht that for every two different individuals u1, u2, there exists anabstraction predicate symbol p such that ιS(p)(u1) 6= ιS(p)(u2).For a bounded structure S , there exists an upper bound for the numberof individuals: |US | ≤ 3|A |.

24 computer science

saarlanduniversity


Bounded Structures

Abstraction Principle Reloaded

Observation (Abstraction Principle)

Our method of abstracting structures always leads us to boundedstructures.

indv. x y t eu1 1 1 0 0u2 0 0 0 0u3 0 0 0 0u4 0 0 0 0


indv. x y t e smu1 1 1 0 0 0u234 0 0 0 0 1/2

25 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicEmbedding into 3-Valued Structures

Embedding

S

indv. x y t e smu1 1 1 0 0 0u2 0 0 0 0 0u3 0 0 0 0 0u4 0 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

embeds to−−−−−−−→

indv. x y t e smu1 1 1 0 0 0u234 0 0 0 0 1/2

n u1 u234

u1 0 1/2u234 0 1/2

S ′

We need a surjective function f that maps individuals of S toindividuals of S ′.For every predicate ιS(p)(u1, . . . , uk) v ιS′

(p)(f (u1), . . . , f (uk))must holdIf several individuals of S are mapped to one individual of S ′, the smpredicate must yield 1/2

26 computer science

saarlanduniversity


Tight Embedding

A trivial Embedding

indv. x y t e smu1 1 1 0 0 0u2 0 0 0 0 0u3 0 0 0 0 0u4 0 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0


indv. x y t e smu1 1/2 1/2 1/2 1/2 1/2u234 1/2 1/2 1/2 1/2 1/2

n u1 u234

u1 1/2 1/2u234 1/2 1/2

27 computer science

saarlanduniversity


Tight Embedding

A trivial Embedding

indv. x y t e smu1 1 1 0 0 0u2 0 0 0 0 0u3 0 0 0 0 0u4 0 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0


indv. x y t e smu1 1/2 1/2 1/2 1/2 1/2u234 1/2 1/2 1/2 1/2 1/2

n u1 u234

u1 1/2 1/2u234 1/2 1/2

We want an embedding with minimal information loss. We call such anembedding tight embedding.

indv. x y t e smu1 1 1 0 0 0u2 0 0 0 0 0u3 0 0 0 0 0u4 0 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

tightly embeds to−−−−−−−−−−−−→

indv. x y t e smu1 1 1 0 0 0u234 0 0 0 0 1/2

n u1 u234

u1 0 1/2u234 0 1/2

27 computer science

saarlanduniversity


2-valued logic versus 3-valued logic

describe properties of heap cellsextract information from a logical structuredescribe in which way our heap is affected by the execution ofprogram statements.

28 computer science

saarlanduniversity


Expressing the Semantics of Program Statements in 3-valued logic

Observation:(Reinterpretation Principle)

The transfer function of the concrete semantics for a statement iscaptured by evaluating the corresponding predicate-update formulae in a2-valued logical structure.

Evaluation of the same formulae in a 3-valued logical structure capturesthe transfer function of the abstract semantics.

x

y

u1 u234n

n

predicate − update formulae−−−−−−−−−−−−−−−−−−−−→

x

y

u1 u234n

n

29 computer science

saarlanduniversity


Conservative Extraction of Store Properties

Embedding Theorem

TheoremLet S be a 3-valued logical structure. The following statements hold:

If a formula evaluates to 1 in S, the formula also holds in every storerepresented by S.If a formula evaluates to 0 in S, the formula does not hold in anystore represented by S.If a formula evaluates to 1/2 in S, we do not know whether theformula holds in all stores, does not hold for any store or holds forsome store and does not hold for some other stores represented by S.

30 computer science

saarlanduniversity


Conservative Extraction of Store Properties

S\

indv. x y t eu1 1 0 0 0u2 0 0 0 0u3 0 0 0 0

n u1 u2 u3

u1 0 1 0u2 0 0 1u3 0 0 0

x u1 u2 u3n n

Sindv. x y t e smu1 1 0 0 0 0u 0 0 0 0 1/2

n u1 uu1 0 1/2u 0 1/2 x u1 un

n

Example

Consider the formula for cyclicity cn(v) := n+(v , v)

(v 7→ u1) Jcn(v)KS\

= 0 v 0 = Jcn(v)KS

(v 7→ u2) Jcn(v)KS\

= 0 v 1/2 = Jcn(v)KS

31 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicInstrumentation Predicates

Motivation

Sacylic

indv. x y t e sm cnu1 1 0 0 0 0 0u 0 0 0 0 1/2 0

n u1 uu1 0 1/2u 0 1/2 x u1 un

n

Example

The fact that ιSacyclic (cn)(u1) = 0 and ιSacyclic (cn)(u) = 0 implies thatSacyclic can only represent acyclic lists, although n+(u, u) = 1/2.

32 computer science

saarlanduniversity


Overview

Observation:(Instrumentation Principle)

Let S be a 3-valued logical structure that represents the 2-valuedstructure S\.

By explicitly ’storing’ in S the values that a formula has in S\, it issometimes possible to extract more precise information from S than canbe obtained just by evaluating the formula in S.

33 computer science

saarlanduniversity


Overview

Examples of Instrumentation PredicatesPred. Intended Meaning Purposeis(v) Do two or more fields of heap elements

point to v?lists and trees

rx,n(v) Is v (transitively) reachable from pointervariable x along n fields?

disjoint datastructures

rn(v) Is v reachable from some pointervariable along n fields?

compile-timegarbage collection

cn(v) Is v on a directed cycle of n fields? listscf .b(v) Does a field f dereferencation from v fol-

lowed by a field b dereferencation, yield v?doubly linked lists

34 computer science

saarlanduniversity


Overview

x

u3

u1

u2

u4 u5

n

n

n n

n

Formula for Instrumentation Predicatesis(v) := ∃v1, v2 : n(v1, v) ∧ n(v2, v) ∧ v1 6= v2rx,n(v) := x(v) ∨ ∃v1 : x(v1) ∧ n+(v1, v)cn(v) := n+(v , v)

35 computer science

saarlanduniversity


Updating Instrumentation Predicates

Trivial Update Formula

Let p be an instrumentation predicate. By re-evaluating thedefinition-formula we capture a possible predicate-update-formula for p.

DefinitionLet S be a 2-valued structure.

If a predicate-update formula for p maintains the correct instrumentationfor statement st, it doesn’t matter, if the predicate-update formula isevaluated in S or the definition-formula is reevaluated in JstK(S).

36 computer science

saarlanduniversity


Updating Reachability

Predicate-Update Formulae for Instrumentation Predicate rz,nx = NULL z ≡ x 0

z 6≡ x rz,n(v)

z x

u1 u2 u3 u4 u5 u6n n n n n

n

Predicate-Update Formulae for Instrumentation Predicate rz,nx->n = NULL z ≡ x x(v)

z 6≡ x

{reevaluate rz,n if cn(v) ∧ rx,n(v)

rz,n(v) ∧ ¬(∃v ′ : rz,n(v ′) ∧ x(v ′) ∧ rx,n(v) ∧ ¬x(v)) otherwise

37 computer science

saarlanduniversity

Parametric Shape Analysis via 3-valued logicConclusions

Conclusions

Writing an Analysis

We must describethe properties of heap cells with predicate logichow we can extract information from the heap via logical formulaein which way the execution of a statement affects the heap viapredicate-update formluae

38 computer science

saarlanduniversity


Abstract Interpretation of y = y->n

indv. x y t eu1 1 1 0 0u2 0 0 0 0u3 0 0 0 0u4 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0


indv. x y t e smu1 1 1 0 0 0u234 0 0 0 0 1/2

n u1 u234

u1 0 1/2u234 0 1/2

x

y

u1 u2 u3 u4n n n x

y

u1 u234n

n

indv. x y t eu1 1 0 0 0u2 0 1 0 0u3 0 0 0 0u4 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

embeds to−−−−−−−−→

indv. x y t e smu1 1 0 0 0 0u234 0 1/2 0 0 1/2

n u1 u234

u1 0 1/2u234 0 1/2

x

y

u1 u2 u3 u4n n n x

y

u1 u234n

n

39 computer science

saarlanduniversity


Open Issue

Result of the Abstract Interpretation of y = y->nindv. x y t eu1 1 0 0 0u2 0 1 0 0u3 0 0 0 0u4 0 0 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0


indv. x y t e smu1 1 0 0 0 0u234 0 1/2 0 0 1/2

n u1 u234

u1 0 1/2u234 0 1/2

x

y

u1 u2 u3 u4n n n x

y

u1 u234n

n

Our aim

indv. x y t e smu1 1 0 0 0 0u2 0 1 0 0 0u34 0 0 0 0 1/2

n u1 u2 u34

u1 0 1 0u2 0 0 1/2u34 0 0 1/2

x

y

u1 u2 u34n n

n

40 computer science

saarlanduniversity

parametric shape analysis via 3-valued · pdf fileparametric shape analysis via 3-valued logic...

Documents