Shape Analysis via 3-Valued Logic
DESCRIPTION
Shape Analysis via 3-Valued Logic. Mooly Sagiv, Tel Aviv University. Shape analysis with applications, Chapter 4.6, http://www.cs.tau.ac.il/~rumster/TVLA/. Outline: collecting semantics using first order logic; 3-valued logic and embedding; simple abstract semantics using logic.
TRANSCRIPT
1
Shape Analysis via 3-Valued Logic
Mooly Sagiv, Tel Aviv University
Shape analysis with applications
Chapter 4.6
http://www.cs.tau.ac.il/~rumster/TVLA/
2
Outline
• Collecting Semantics using first order logic
• 3-valued logic and embedding
• Simple abstract semantics using logic
• More precise abstract semantics
• TVLA
3
Collecting Semantics using Logic
• Represent states using logical structures
• Construct the program control flow graph with a distinguished node start
• Define the set of logical structures at start
• Define the meaning of program conditions using closed first order formulae
• Define the meaning of statements using first order formulae
4
The SWhile Programming Language: Abstract Syntax
a ::= x | x.sel | null | n | a1 op_a a2
b ::= true | false | not b | b1 op_b b2 | a1 op_r a2
S ::= [x := a]^l | [x.sel := a]^l | [x := malloc()]^l | [skip]^l | S1 ; S2 | if [b]^l then S1 else S2 | while [b]^l do S
sel ::= car | cdr
5
Example
[x := null;]1
while ([count > 0]2) (
[t := malloc();]3
[t.cdr := x;]4
[x :=t;]5
Predicates
• Unary
– x(v)
– t(v)
• Binary
– car(v1, v2)
– cdr(v1, v2)
– eq(v1, v2)
6
(figure: control-flow graph of the example; nodes [x := null;]1, [count > 0]2, [t := malloc();]3, [t.cdr := x;]4, [x := t;]5, [count := count-1;]6 and exit, with the true/false edges of the condition labelled (1) and (2))
Predicate-update formulae on the edges:
x := null: { x'(v) := 0 }
t := malloc(): { let v0 := new() in t'(v) := eq(v, v0) }
t.cdr := x: { message ¬∃v: t(v) … ; cdr'(v1, v2) := (t(v1) ? x(v2) : cdr(v1, v2)) }
x := t: { x'(v) := t(v) }
7
The reverse example
[y := null;]1
while ([x !=null]2) (
[t := y;]3
[y := x;]4
[x :=x.cdr;]5
[y.cdr :=t;]6
Predicates
• Unary
– x(v)
– t(v)
– y(v)
• Binary
– car(v1, v2)
– cdr(v1, v2)
– eq(v1, v2)
8
(figure: control-flow graph of the reverse example; nodes [y := null;]1, [x != null]2, [t := y;]3, [y := x;]4, [x := x.cdr;]5, [y.cdr := t;]6 and exit)
Meaning of the statements and of the condition:
y := null: { y'(v) := 0 }
x != null: ∃v: x(v)
t := y: { t'(v) := y(v) }
y := x: { y'(v) := x(v) }
x := x.cdr: { message ¬∃v: x(v) … ; x'(v) := ∃v1: x(v1) ∧ cdr(v1, v) }
y.cdr := t: { cdr'(v1, v2) := y(v1) ? t(v2) : cdr(v1, v2) }
9
Statement's Meaning
st            ⟦st⟧
x := null     { x'(v) := 0 }
x := malloc() { let v0 = new() in x'(v) := eq(v, v0) }
x := y        { x'(v) := y(v) }
x := y.sel    { message ¬∃v: x(v) … ; x'(v) := ∃v1: x(v1) ∧ sel(v1, v) }
x.sel := y    { message ¬∃v: x(v) … ; sel'(v1, v2) := (x(v1) ? y(v2) : sel(v1, v2)) }
10
Condition's Meaning
cond       ⟦cond⟧
x != null  ∃v: x(v)
x == null  ¬∃v: x(v)
x == y     ∃v: x(v) ∧ y(v)
x != y     ¬∃v: x(v) ∧ y(v)
11
Collecting Semantics
CS(start) = {<∅, ∅>}
CS(v) = ∪{⟦st(u)⟧(S) : u→v ∈ E, S ∈ CS(u)}
      ∪ {S : S ∈ CS(u), u→v ∈ E_t, S ⊨ cond(u)}
      ∪ {S : S ∈ CS(u), u→v ∈ E_f, S ⊨ ¬cond(u)}
12
Three-Valued Logic
• 1: True
• 0: False
• 1/2: Unknown
• A join semi-lattice: 0 ⊔ 1 = 1/2
(figure: the information order, with 1/2 above both 0 and 1)
13
3-Valued Logical Structures
• A set of individuals (nodes) U
• Predicate meaning
– p^S : (U^S)^k → {0, 1, 1/2}
14
(figure: x points to u1; u1 –cdr→ u2 –cdr→ u3, where the cdr edge into u3 and the cdr self-loop of the summary node u3 are indefinite, drawn dashed)
U^S = {u1, u2, u3}
x^S = [u1 ↦ 1, u2 ↦ 0, u3 ↦ 0]
y^S = [u1 ↦ 0, u2 ↦ 0, u3 ↦ 0]
car^S = [<u1, u1> ↦ 0, <u1, u2> ↦ 0, <u1, u3> ↦ 0, <u2, u1> ↦ 0, <u2, u2> ↦ 0, <u2, u3> ↦ 0, <u3, u1> ↦ 0, <u3, u2> ↦ 0, <u3, u3> ↦ 0]
cdr^S = [<u1, u1> ↦ 0, <u1, u2> ↦ 1, <u1, u3> ↦ 0, <u2, u1> ↦ 0, <u2, u2> ↦ 0, <u2, u3> ↦ 1/2, <u3, u1> ↦ 0, <u3, u2> ↦ 0, <u3, u3> ↦ 1/2]
eq^S = [<u1, u1> ↦ 1, <u1, u2> ↦ 0, <u1, u3> ↦ 0, <u2, u1> ↦ 0, <u2, u2> ↦ 1, <u2, u3> ↦ 0, <u3, u1> ↦ 0, <u3, u2> ↦ 0, <u3, u3> ↦ 1/2]
15
Embedding
• A pre-partial order on 3-valued logical structures
• S1 ⊑ S2: every concrete state represented by S1 is also represented by S2
• The set of nodes in S1 and S2 may be different
– No meaning for nodes (abstract locations)
16
Embedding
• S1 ⊑^f S2
– f maps the individuals of S1 onto S2
– p^{S1}(u1, .., uk) ⊑ p^{S2}(f(u1), ..., f(uk))
• S1 ⊑ S2 iff there exists f such that S1 ⊑^f S2
• Pre-partial order
• Induces a pre-partial order on P(3-Struct)
– Set-union is a least upper bound
• Finite height
• γ: 3-Struct → P(2-Struct), γ(S) = {S' : S' ∈ 2-Struct, S' ⊑ S}
• γ: P(3-Struct) → P(2-Struct), γ(XS) = ∪_{S ∈ XS} γ(S)
17
Tight Embedding
• S = <U^S, P^S>
• f: U^S → U^# such that f is onto
• Define S^# = <U^#, P^#>
– p^#(u#1, .., u#k) = ⊔{p^S(u1, ..., uk) : f(ui) = u#i}
• S ⊑^f S^#
18
The Abstraction Principle
• Partition the individuals into equivalence classes based on the values of their unary predicates
• Collapse other predicates via join (⊔)
19
The Abstraction Principle
(figure: before blur, x points to u1 and u1 –cdr→ u2 –cdr→ u3 –cdr→ u4)
      x(u)  y(u)
u1    1     0
u2    0     0
u3    0     0
u4    0     0

cdr   u1  u2  u3  u4
u1    0   1   0   0
u2    0   0   1   0
u3    0   0   0   1
u4    0   0   0   0

(figure: after blur, u2, u3 and u4 have the same unary values and collapse into the summary node u234; the cdr edge from u1 to u234 and the cdr self-loop of u234 are 1/2, drawn dashed)
      x(u)  y(u)
u1    1     0
u234  0     0

cdr   u1  u234
u1    0   1/2
u234  0   1/2
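The blur step of the abstraction principle, as an added example (this is not the slides' or TVLA's own code): the individuals are partitioned by their unary-predicate values, the collapsed tuples of every other predicate are joined as in the tight-embedding definition, and the result is run on the four-element list above. The dict-based representation, the encoding of 1/2 as 0.5 and the naming of abstract individuals (u234) are assumptions of the example.

```python
HALF = 0.5  # the indefinite value 1/2 (encoding assumed by this example)

def join(values):
    """Join in the information order: equal definite values stay, any disagreement is 1/2."""
    distinct = set(values)
    return distinct.pop() if len(distinct) == 1 else HALF

def canonical_name(members):
    """Name an abstract individual after the concrete ones it stands for: [u2, u3, u4] -> u234."""
    return "u" + "".join(m.lstrip("u") for m in members)

def blur(U, unary, binary):
    """Canonical abstraction (tight embedding) of a 3-valued structure.
    U: individuals; unary: {p: {u: value}}; binary: {p: {(u1, u2): value}}.
    Individuals with the same unary-predicate values collapse into one abstract
    individual; each predicate of the result is the join over the collapsed tuples.
    Returns (abstract individuals, abstract unary, abstract binary, the onto map f)."""
    classes = {}
    for u in U:
        classes.setdefault(tuple(unary[p][u] for p in sorted(unary)), []).append(u)
    names = {key: canonical_name(members) for key, members in classes.items()}
    f = {u: names[key] for key, members in classes.items() for u in members}
    members_of = {names[key]: members for key, members in classes.items()}
    abs_unary = {p: {a: join(unary[p][u] for u in ms) for a, ms in members_of.items()}
                 for p in unary}
    abs_binary = {p: {(a, b): join(binary[p][(u1, u2)]
                                   for u1 in members_of[a] for u2 in members_of[b])
                      for a in members_of for b in members_of}
                  for p in binary}
    return list(members_of), abs_unary, abs_binary, f

def is_summary(abs_binary, a):
    """An abstract individual is a summary node exactly when eq(a, a) is 1/2."""
    return abs_binary["eq"][(a, a)] == HALF

def example_list():
    """Constructed input: the four-element list of the slides, x pointing to u1, y null."""
    U = ["u1", "u2", "u3", "u4"]
    unary = {"x": {u: int(u == "u1") for u in U}, "y": {u: 0 for u in U}}
    edges = {("u1", "u2"), ("u2", "u3"), ("u3", "u4")}
    cdr = {(a, b): int((a, b) in edges) for a in U for b in U}
    eq = {(a, b): int(a == b) for a in U for b in U}
    return U, unary, {"cdr": cdr, "eq": eq}

if __name__ == "__main__":
    nodes, au, ab, f = blur(*example_list())
    print("abstract individuals:", nodes, "f =", f)
    # cdr(u1, u234) joins cdr(u1, u2) = 1 with cdr(u1, u3) = cdr(u1, u4) = 0, hence 1/2
    print("cdr(u1, u234) =", ab["cdr"][("u1", "u234")],
          "cdr(u234, u234) =", ab["cdr"][("u234", "u234")])
```

The 1/2 on the edge from u1 to u234 is the imprecision the later instrumentation predicates (r[x, sel] and friends) are meant to recover: the join cannot remember that only the first of the collapsed nodes is u1's successor.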
20
Boolean Connectives [Kleene]
∧     0    1/2  1
0     0    0    0
1/2   0    1/2  1/2
1     0    1/2  1

∨     0    1/2  1
0     0    1/2  1
1/2   1/2  1/2  1
1     1    1    1
21
Formal Semantics of First Order Formulae
• For a structure S = <U^S, P^S>
• Formulae φ with LVar free variables
• Assignment z: LVar → U^S
⟦φ⟧^S(z) ∈ {0, 1, 1/2}
⟦1⟧^S(z) = 1
⟦0⟧^S(z) = 0
⟦p(v1, v2, …, vk)⟧^S(z) = p^S(z(v1), z(v2), …, z(vk))
22
Formal Semantics of First Order Formulae
• For a structure S = <U^S, P^S>
• Formulae φ with LVar free variables
• Assignment z: LVar → U^S
⟦φ⟧^S(z) ∈ {0, 1, 1/2}
⟦φ1 ∨ φ2⟧^S(z) = max(⟦φ1⟧^S(z), ⟦φ2⟧^S(z))
⟦φ1 ∧ φ2⟧^S(z) = min(⟦φ1⟧^S(z), ⟦φ2⟧^S(z))
⟦¬φ1⟧^S(z) = 1 − ⟦φ1⟧^S(z)
⟦∃v: φ1⟧^S(z) = max{⟦φ1⟧^S(z[v ↦ u]) : u ∈ U^S}
23
The Embedding Theorem
• Evaluating a formula in S is conservative with respect to γ(S)
• Every formula is preserved
– = 1 in S ⇒ = 1 in every S' ∈ γ(S)
– = 0 in S ⇒ = 0 in every S' ∈ γ(S)
– = 1/2 in S ⇒ don't know
24
The Embedding Theorem
• S ⊑^f S'
• Formulae φ with LVar free variables
• Assignment z: LVar → U^S
⟦φ⟧^S(z) ⊑ ⟦φ⟧^{S'}(f ∘ z)
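The Kleene semantics of the two preceding slides and the embedding theorem, as an added example (not the slides' or TVLA's own code): a small evaluator for ⟦φ⟧^S(z) over 3-valued structures, the sharing formula is[cdr](v) evaluated on the three-node structure of slide 14, and a check that a concrete four-element list embeds into that structure under a map f and that the theorem's inequality ⟦φ⟧^S(z) ⊑ ⟦φ⟧^{S'}(f∘z) holds for every assignment. The tuple encoding of formulas, the encoding of 1/2 as 0.5 and the specific map f are assumptions of the example.

```python
from itertools import product

HALF = 0.5  # the indefinite value 1/2 (encoding assumed by this example)

def leq(a, b):
    """Information order of the slides: a ⊑ b iff a == b or b is 1/2."""
    return a == b or b == HALF

def evaluate(phi, S, z):
    """[[phi]]^S(z) in Kleene 3-valued logic.  S = (U, preds) where preds maps a
    predicate name to {tuple of individuals: value}.  Formulas are tuples:
    ("p", name, v1, ...), ("not", a), ("and", a, b), ("or", a, b), ("exists", v, a).
    z is the assignment {variable: individual}."""
    U, preds = S
    op = phi[0]
    if op == "p":        # [[p(v1..vk)]] = p^S(z(v1), ..., z(vk))
        return preds[phi[1]][tuple(z[v] for v in phi[2:])]
    if op == "not":      # 1 - [[a]]
        return 1 - evaluate(phi[1], S, z)
    if op == "and":      # min
        return min(evaluate(phi[1], S, z), evaluate(phi[2], S, z))
    if op == "or":       # max
        return max(evaluate(phi[1], S, z), evaluate(phi[2], S, z))
    if op == "exists":   # max over all u in U of [[a]](z[v -> u])
        return max(evaluate(phi[2], S, {**z, phi[1]: u}) for u in U)
    raise ValueError("unknown connective " + repr(op))

def list_structure(U, x_on, cdr_edges, summary=()):
    """Constructed structure over U with unary x, y and binary car, cdr, eq.
    x_on: the individual x points to (y is null); cdr_edges: {(a, b): value},
    unlisted pairs are 0; individuals in `summary` get eq(u, u) = 1/2."""
    preds = {
        "x": {(u,): int(u == x_on) for u in U},
        "y": {(u,): 0 for u in U},
        "car": {(a, b): 0 for a in U for b in U},
        "cdr": {(a, b): cdr_edges.get((a, b), 0) for a in U for b in U},
        "eq": {(a, b): (0 if a != b else (HALF if a in summary else 1)) for a in U for b in U},
    }
    return U, preds

def slide14_structure():
    """The 3-valued structure of slide 14: u3 is a summary node."""
    return list_structure(["u1", "u2", "u3"], "u1",
                          {("u1", "u2"): 1, ("u2", "u3"): HALF, ("u3", "u3"): HALF},
                          summary=("u3",))

def concrete_list():
    """Constructed 2-valued structure: the list u1 -> u2 -> u3 -> u4 with x on u1."""
    return list_structure(["u1", "u2", "u3", "u4"], "u1",
                          {("u1", "u2"): 1, ("u2", "u3"): 1, ("u3", "u4"): 1})

# is[cdr](v) = ∃v1, v2: cdr(v1, v) ∧ cdr(v2, v) ∧ ¬eq(v1, v2)   (heap sharing, slide 32)
IS_CDR = ("exists", "v1", ("exists", "v2",
          ("and", ("and", ("p", "cdr", "v1", "v"), ("p", "cdr", "v2", "v")),
                  ("not", ("p", "eq", "v1", "v2")))))
# the condition x != null: ∃v: x(v)
X_NOT_NULL = ("exists", "v", ("p", "x", "v"))

def embeds(S1, S2, f):
    """S1 ⊑^f S2: f is onto and p^S1(u1..uk) ⊑ p^S2(f(u1)..f(uk)) for every p and tuple."""
    U1, P1 = S1
    U2, P2 = S2
    return set(f.values()) == set(U2) and all(
        leq(val, P2[p][tuple(f[u] for u in tup)]) for p in P1 for tup, val in P1[p].items())

def embedding_theorem_holds(S1, S2, f, phi, free_vars):
    """[[phi]]^S1(z) ⊑ [[phi]]^S2(f∘z) for every assignment z of the free variables."""
    U1 = S1[0]
    for vals in product(U1, repeat=len(free_vars)):
        z = dict(zip(free_vars, vals))
        fz = {v: f[u] for v, u in z.items()}
        if not leq(evaluate(phi, S1, z), evaluate(phi, S2, fz)):
            return False
    return True

if __name__ == "__main__":
    S, C = slide14_structure(), concrete_list()
    F = {"u1": "u1", "u2": "u2", "u3": "u3", "u4": "u3"}   # assumed embedding map
    print("x != null in S:", evaluate(X_NOT_NULL, S, {}))
    print("is[cdr](u3) in S:", evaluate(IS_CDR, S, {"v": "u3"}))   # 1/2: sharing unknown
    print("C embeds in S:", embeds(C, S, F),
          "theorem holds for is[cdr]:", embedding_theorem_holds(C, S, F, IS_CDR, ["v"]))
```

Note that is[cdr](u3) comes out as 1/2 in the abstract structure although it is 0 on every concrete node; the theorem only promises that a definite answer in S is right, and 1/2 is the "don't know" case of slide 23.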
25
Shape Analysis via Abstract Interpretation
• Iteratively compute a set of 3-valued structures for every program point
• Every statement transforms structures according to the predicate-update formulae
– use 3-valued logic instead of 2-valued logic
– use exactly the predicate-update formulae of the concrete semantics!!
26
Abstract Semantics
AI(start) = {<∅, ∅>}
AI(v) = ∪{blur(⟦st(u)⟧_3(S)) : u→v ∈ E, S ∈ AI(u)}
      ∪ {S : S ∈ AI(u), u→v ∈ E_t, S ⊨_3 cond(u)}
      ∪ {S : S ∈ AI(u), u→v ∈ E_f, S ⊨_3 ¬cond(u)}
27
(figure: the control-flow graph of the example program and its predicate-update formulae, as on slide 6, now interpreted in 3-valued logic)
28
(figure: the control-flow graph of the reverse example and its predicate-update formulae, as on slide 8, now interpreted in 3-valued logic)
29
Intermediate Summary
• Predicate logic allows naturally expressing SOS for languages with pointers and dynamically allocated structures
• 3-valued logic provides a sound solution
– Immediate from the Embedding theorem
– All you need is to guarantee the SOS correctness
• But not very precise
30
More precise abstract interpretation
• Refine the abstraction (concretization)
• More precise abstract interpretation of basic statements
– But not necessarily the best (induced)
31
The Instrumentation Principle
• Increase precision by storing the truth-value of some designated formulae
• Introduce predicate-update formulae to update the extra predicates
32
Example: Heap Sharing
is[sel](v) = ∃v1, v2: sel(v1, v) ∧ sel(v2, v) ∧ ¬eq(v1, v2)
(figure: a list x → 3 → 7 → 9 in which every node has is = 0, and its abstraction x → u1 –cdr→ u, a summary node, with is = 0 on both abstract nodes)
33
Example: Heap Sharing
is[sel](v) = ∃v1, v2: sel(v1, v) ∧ sel(v2, v) ∧ ¬eq(v1, v2)
(figure: the same formula on a heap in which one node is shared, so is = 1 holds for that node and for the abstract node that represents it, while the other nodes keep is = 0)
34
Updating sharing: x.sel := y
is[sel]'(v) := (∃v1: x(v1)) ?
                 (y(v) ? ∃v2: sel(v2, v) ∧ ¬x(v2)
                       : (sel(v1, v) ? ∃v2, v3: is[sel](v2, v3, v) ∧ ¬x(v2) ∧ ¬x(v3)
                                     : is[sel](v)))
               : is[sel](v)
where is[sel](v2, v3, v) = sel(v2, v) ∧ sel(v3, v) ∧ ¬eq(v2, v3)
35
Other Instrumentation
• c[cdr,car](v) = ∃v1: cdr(v, v1) ∧ car(v1, v)
• c[car,cdr](v) = ∃v1: car(v, v1) ∧ cdr(v1, v)
• r[sel](v1, v2) = sel*(v1, v2)
• r[x, sel](v) = ∃v1: x(v1) ∧ sel*(v1, v)
• r[x](v) = ∃v1: x(v1) ∧ (car|cdr)*(v1, v)
• inOrder[sel,dle](v) = ∀v1: sel(v, v1) ⇒ dle(v, v1)
• inROrder[sel,dle](v) = ∀v1: sel(v, v1) ⇒ dle(v1, v)
36
(figure: the control-flow graph of the reverse example and its predicate-update formulae, as on slide 8, repeated)
37
Semantic Reduction
(figure: an element l of L2 and op(l), both with the same concretization in L1)
• Improve the precision of the analysis by recovering properties of the program semantics
• A Galois connection (L1, α, γ, L2)
• An operation op: L2 → L2 is a semantic reduction if for all l ∈ L2: op(l) ⊑ l and γ(op(l)) = γ(l)
• Can be applied before and after basic operations
• Preserves soundness
38
Materialization
(figure: materialization for x := x.cdr. Before: x points to a definite node u1 whose cdr edge leads to the summary node u, which has an indefinite cdr self-loop. After: u is split into u.1, the definite cdr-successor of u1 that x now points to, and u.0, which stands for the remaining nodes; the cdr edges among u.1 and u.0 stay indefinite)
39
The Focusing Principle
• To increase precision
– "Bring the predicate-update formula into focus" (Force 1/2 to 0 or 1)
– Then apply the predicate-update formulae
• Generalizes materialization
40
(1) Focus on ∃v1: x(v1) ∧ cdr(v1, v)
(figure: the input structure has y and x on u1 and an indefinite cdr edge from u1 to the summary node u. Focus yields three structures: one in which the edge from u1 to u is 0, one in which it is 1, and one in which u is split into u.1, with a definite cdr edge from u1, and u.0, with no cdr edge from u1; the formula is definite for every node of each result)
41
x'(v) = ∃v1: x(v1) ∧ cdr(v1, v)
(2) Evaluate Predicate-Update Formulae
(figure: the update applied to each of the three focused structures. In the first x becomes null; in the second x points to the summary node u; in the third x points to the materialized node u.1 while y stays on u1, and the indefinite cdr edges among u.1 and u.0 remain)
42
The Focus Operation
• Focus: Formula → (P(3-Struct) → P(3-Struct))
• For every formula φ
– Focus(φ)(X) yields structures in which φ evaluates to a definite value in all assignments
– Focus(φ) is a semantic reduction
– But Focus(φ)(X) may be undefined for some X
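Focus followed by the predicate update for x := x.cdr, as an added example (not the slides' or TVLA's own code), run on the structure of slides 38 and 40: x and y on u1, an indefinite cdr edge from u1 to the summary node u. Without focus the update leaves x'(u) = 1/2; with focus the three structures of slide 40 come out, and in the split one x definitely points to the materialized node u.1. The Focus here is specialised to the formula ∃v1: x(v1) ∧ cdr(v1, v) with x already definite (an assumed simplification; TVLA's Focus is general), and the dict representation and 0.5 encoding of 1/2 are assumptions of the example.

```python
HALF = 0.5  # the indefinite value 1/2 (encoding assumed by this example)

def make_structure(U, x_on, y_on, cdr, summary=()):
    """Constructed structure with unary x, y and binary cdr, eq.
    cdr: {(a, b): value}, unlisted pairs are 0; nodes in `summary` have eq(u, u) = 1/2."""
    return {
        "U": list(U),
        "x": {u: int(u == x_on) for u in U},
        "y": {u: int(u == y_on) for u in U},
        "cdr": {(a, b): cdr.get((a, b), 0) for a in U for b in U},
        "eq": {(a, b): (0 if a != b else HALF if a in summary else 1) for a in U for b in U},
    }

def phi(S, v):
    """[[∃v1: x(v1) ∧ cdr(v1, v)]] in Kleene logic: max over v1 of min(x(v1), cdr(v1, v))."""
    return max(min(S["x"][v1], S["cdr"][(v1, v)]) for v1 in S["U"])

def update_x(S):
    """Predicate update for x := x.cdr: x'(v) := ∃v1: x(v1) ∧ cdr(v1, v)."""
    return {**S, "x": {v: phi(S, v) for v in S["U"]}}

def split(S, u):
    """Materialise summary node u into u.1 and u.0, copying every predicate value
    of u to both halves; the halves are distinct individuals, so eq between them is 0."""
    u1, u0 = u + ".1", u + ".0"
    rename = lambda w: [u1, u0] if w == u else [w]
    T = {"U": [w for w in S["U"] if w != u] + [u1, u0]}
    for p in ("x", "y"):
        T[p] = {w2: S[p][w] for w in S["U"] for w2 in rename(w)}
    for p in ("cdr", "eq"):
        T[p] = {(a2, b2): S[p][(a, b)] for (a, b) in S[p]
                for a2 in rename(a) for b2 in rename(b)}
    T["eq"][(u1, u0)] = T["eq"][(u0, u1)] = 0
    return T

def focus(S):
    """Focus on ∃v1: x(v1) ∧ cdr(v1, v): structures in which the formula is definite
    for every v.  Because x is assumed definite, 1/2 can only come from cdr(a, v)
    with x(a) = 1; each such edge is forced to 0, forced to 1, or, for a summary
    node v, resolved by splitting v into the part reached from a and the rest."""
    a = next((w for w in S["U"] if S["x"][w] == 1), None)
    if a is None:                       # x is null: the formula is 0 everywhere
        return [S]
    for v in S["U"]:
        if S["cdr"][(a, v)] != HALF:
            continue
        out = []
        for val in (0, 1):              # no node of v is a's successor / all are
            out += focus({**S, "cdr": {**S["cdr"], (a, v): val}})
        if S["eq"][(v, v)] == HALF:     # v is a summary node: materialise
            T = split(S, v)
            T["cdr"][(a, v + ".1")], T["cdr"][(a, v + ".0")] = 1, 0
            out += focus(T)
        return out
    return [S]

def example():
    """Constructed input (slides 38 and 40): x and y on u1, u1's cdr leads to summary node u."""
    return make_structure(["u1", "u"], "u1", "u1",
                          {("u1", "u"): HALF, ("u", "u"): HALF}, summary=("u",))

if __name__ == "__main__":
    S = example()
    print("x'(u) without focus:", update_x(S)["x"]["u"])      # 1/2
    for T in focus(S):
        print("after focus and update, x' =", update_x(T)["x"])
```

The third result is exactly the materialization of slide 38; the second (x on the whole summary node u) is sound but still coarse, and it is the coercion step of the later slides that sharpens it using the constraint that a node has at most one cdr-successor.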
43
(1) Focus on ∃v1: x(v1) ∧ cdr(v1, v)
(figure: the focus step of slide 40, repeated: the input structure with y and x on u1 and an indefinite cdr edge to the summary node u, and the three resulting structures)
44
(1) Focus on ∃v1: cdr(v1, v)
(figure: the same input structure, with y and x on u1 and an indefinite cdr edge from u1 to the summary node u)
45
x'(v) = ∃v1: x(v1) ∧ cdr(v1, v)
(2) Evaluate Predicate-Update Formulae
(figure: the update step of slide 41, repeated: x becomes null, x points to the summary node u, or x points to the materialized node u.1 while y stays on u1)
46
The Coercion Principle
• Another Semantic Reduction
• Can be applied after Focus or after Update or both
• Increase precision by exploiting some structural properties possessed by all stores (Global invariants)
• Structural properties captured by constraints
• Apply a constraint solver
47
(3) Apply Constraint Solver
(figure: the structure after focus and update, with y on u1, x on the materialized node u.1, u.0 the remaining summary node and several indefinite cdr edges, and the result of the constraint solver, in which the indefinite cdr edges ruled out by the constraints have been removed)
48
Example Constraints
x(v1) ∧ x(v2) ⇒ eq(v1, v2)
sel(v, v1) ∧ sel(v, v2) ⇒ eq(v1, v2)
sel(v1, v) ∧ sel(v2, v) ∧ ¬eq(v1, v2) ⇒ is[sel](v)
49
Sources of Constraints
• Properties of the operational semantics
• Domain specific knowledge
– Instrumentation predicates
• User supplied
50
Format of Constraints
p(v1, v2, …, vk) ij vivj
p(v1, v2, …, vk) ij vivj
• Interpretation
– If LHS is 1 so is RHS
– Preserved under tight embedding
51
Example Constraints
x(v1) ∧ x(v2) ⇒ eq(v1, v2) (1)
sel(v, v1) ∧ sel(v, v2) ⇒ eq(v1, v2) (2)
sel(v1, v) ∧ sel(v2, v) ∧ ¬eq(v1, v2) ⇒ is[sel](v) (3)
is[sel](v) ⇒ ∃v1, v2: sel(v1, v) ∧ sel(v2, v) ∧ ¬eq(v1, v2) (4)
x(v1) ∧ ¬eq(v1, v2) ⇒ ¬x(v2) (1a)
sel(v, v1) ∧ ¬eq(v1, v2) ⇒ ¬sel(v, v2) (2a)
sel(v1, v) ∧ sel(v2, v) ∧ ¬is[sel](v) ⇒ eq(v1, v2) (3a)
sel(v1, v) ∧ ¬eq(v1, v2) ∧ ¬is[sel](v) ⇒ ¬sel(v2, v) (3b)
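A small constraint solver for the coercion step, as an added example (not the slides' or TVLA's own code): constraints (1) and (3b) above are instantiated over all individuals, an instance whose LHS is 1 sharpens a 1/2 on its RHS to the required value, and an instance whose LHS is 1 while its RHS is definitely violated makes the structure infeasible. It runs on the structure obtained after focus and update for x := x.cdr (y on u1, x on the materialized node u.1, u.0 the remaining summary node, no node shared), which is the input of the constraint-solver slides. The dict representation, the 0.5 encoding of 1/2, the iteration-to-fixpoint loop and the restriction to these two constraints are assumptions of the example.

```python
from itertools import product

HALF = 0.5  # the indefinite value 1/2 (encoding assumed by this example)

def make_structure(U, unary, binary):
    """Constructed 3-valued structure: unary {p: {u: val}}, binary {p: {(a, b): val}};
    tuples that are not listed are 0.  Unary tuples are keyed as (u,)."""
    S = {"U": list(U)}
    S.update({p: {(u,): unary[p].get(u, 0) for u in U} for p in unary})
    S.update({p: {(a, b): binary[p].get((a, b), 0) for a in U for b in U} for p in binary})
    return S

def constraint_instances(S, sel="cdr"):
    """All instances of constraints (1) and (3b) of the slides, as triples
    (value of the LHS, the RHS literal (predicate, tuple), required value of that literal)."""
    U = S["U"]
    for v1, v2 in product(U, repeat=2):
        # (1) x(v1) ∧ x(v2) ⇒ eq(v1, v2)
        yield min(S["x"][(v1,)], S["x"][(v2,)]), ("eq", (v1, v2)), 1
        for v in U:
            # (3b) sel(v1, v) ∧ ¬eq(v1, v2) ∧ ¬is[sel](v) ⇒ ¬sel(v2, v)
            lhs = min(S[sel][(v1, v)], 1 - S["eq"][(v1, v2)], 1 - S["is[%s]" % sel][(v,)])
            yield lhs, (sel, (v2, v)), 0

def coerce(S):
    """Coercion: repeatedly sharpen indefinite values forced by constraints whose LHS
    is 1.  Returns the sharpened structure, or None when some constraint with LHS 1
    has an RHS that is definitely the opposite of what it requires (no store satisfies S)."""
    S = {k: (dict(v) if isinstance(v, dict) else v) for k, v in S.items()}
    changed = True
    while changed:
        changed = False
        for lhs, (p, tup), required in list(constraint_instances(S)):
            if lhs != 1:
                continue
            current = S[p][tup]
            if current == 1 - required:   # LHS holds but RHS is definitely violated
                return None
            if current == HALF:           # force the RHS to its required value
                S[p][tup] = required
                changed = True
    return S

def focused_structure():
    """Constructed input: the structure after focus and update for x := x.cdr
    (slides 40 and 41).  y on u1, x on the materialised node u.1, u.0 the
    remaining summary node; every node is unshared (is[cdr] = 0)."""
    U = ["u1", "u.1", "u.0"]
    unary = {"x": {"u.1": 1}, "y": {"u1": 1}, "is[cdr]": {}}
    binary = {
        "cdr": {("u1", "u.1"): 1, ("u.1", "u.1"): HALF, ("u.1", "u.0"): HALF,
                ("u.0", "u.1"): HALF, ("u.0", "u.0"): HALF},
        "eq": {("u1", "u1"): 1, ("u.1", "u.1"): HALF, ("u.0", "u.0"): HALF},
    }
    return make_structure(U, unary, binary)

def infeasible_structure():
    """Constructed input violating (1): x definitely points to two distinct nodes."""
    return make_structure(["a", "b"], {"x": {"a": 1, "b": 1}, "y": {}, "is[cdr]": {}},
                          {"cdr": {}, "eq": {("a", "a"): 1, ("b", "b"): 1}})

if __name__ == "__main__":
    R = coerce(focused_structure())
    print("eq(u.1, u.1) =", R["eq"][("u.1", "u.1")])      # 1: u.1 is a single node, by (1)
    print("cdr(u.1, u.1) =", R["cdr"][("u.1", "u.1")],    # 0 by (3b): u1 is already
          "cdr(u.0, u.1) =", R["cdr"][("u.0", "u.1")])    #   the only predecessor of u.1
    print("infeasible ->", coerce(infeasible_structure()))
```

Constraint (1) turns u.1 into a non-summary node because x definitely points to it, and (3b) deletes the indefinite cdr edges into u.1 because u1 is already its cdr-predecessor and u.1 is unshared; the edges from u.1 into u.0 and within u.0 stay 1/2, since nothing in these two constraints decides them.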
52
(3) Apply Constraint Solver
(figure: the structure after focus and update, with y on u1, x on the materialized node u.1 and u.0 the remaining summary node; constraint (1) x(v1) ∧ x(v2) ⇒ eq(v1, v2) is applied first, then constraint (3b) sel(v1, v) ∧ ¬eq(v1, v2) ∧ ¬is[sel](v) ⇒ ¬sel(v2, v), each step removing indefinite values that the constraint rules out)
53
Summary
• Predicate logic allows naturally expressing SOS for languages with pointers and dynamically allocated structures
• 3-valued logic provides a sound solution
• Semantic reductions improve precision and preserve soundness
• Next meeting: TVLA + some applications