Parametric Shape Analysis via 3-valued logic
Sebastian Hahn
saarinformatix@googlemail.com
Fakultät 6.2 Informatik der Universität Saarbrücken
12 June 2010
1 computer science
saarlanduniversity
Introduction

Motivation
/* list.h */
typedef struct node {
    struct node *n;
    int data;
} *List;

/* insert.c */
#include <stdlib.h>
#include <assert.h>
#include "list.h"

void insert(List x, int d) {
    List y, t, e;
    assert(acyclic_list(x) && x != NULL);
    y = x;
    while (y->n != NULL && ...) {       /* walk to the insertion point */
        y = y->n;
    }
    t = malloc(sizeof(struct node));    /* allocate the new element */
    t->data = d;
    e = y->n;
    t->n = e;                           /* splice t in between y and e */
    y->n = t;
}

We want to determine that
  - no null-pointer dereference occurs,
  - the resulting list is acyclic,
  - all list members are reachable from x,
  - element d is part of the resulting list.
What is Shape Analysis?

Shape Analysis wants to
  - statically analyse a program,
  - determine information about heap-allocated data structures manipulated by the program,
  - determine the 'shape' of the heap's content.

We are interested in:
  - values of pointer variables,
  - values of pointer-valued fields.
Representing Stores via Logical Structures
Modeling the Heap

We want to model a list of length 3 that is pointed to by a variable x and whose elements are connected via n-fields.

Graph: x -> u1 -n-> u2 -n-> u3

Unary predicates:
  indiv.  x  y  t  e
  u1      1  0  0  0
  u2      0  0  0  0
  u3      0  0  0  0

Binary predicate n:
  n    u1  u2  u3
  u1    0   1   0
  u2    0   0   1
  u3    0   0   0
Observation
We can use
  - a unary predicate of the form q(v) to represent that the pointer variable q points to the heap element v,
  - a binary predicate of the form n(u, w) to represent that the n-field of u points to w.

For our example, we choose the predicates x, y, t, e, and n.
Logical structures

Definition
Let P be the set of our predicate symbols. We call S a logical structure, denoted by 〈U_S, ι_S〉, with U_S the universe of individuals and ι_S a mapping that assigns to every predicate symbol p ∈ P of arity k a function U_S^k → B, where B = {0, 1}.

The length-3 list modelled above is such a structure: x(u1) = 1, n(u1, u2) = n(u2, u3) = 1, and every other predicate entry is 0.
Graphical notation
  Individuals: circles with the name inside (e.g. u0).
  Unary predicates: a solid arrow from the predicate name p to the node u if ι(p)(u) = 1 holds.
  Binary predicates: a solid arrow from node u1 to node u2, labeled with the predicate name q, if ι(q)(u1, u2) = 1 holds.
Extraction of Store Properties

Properties of Heap cells
Example formulae

Example
The 'is-x-null-pointer' property:

  isNullPointer_x() := ¬∃v : x(v)

isNullPointer_x() evaluates to 0, because x(u1) holds. But isNullPointer_y() evaluates to 1, because neither y(u1) nor y(u2) nor y(u3) holds.

Structure S♮ (the length-3 list):
  indiv.  x  y  t  e
  u1      1  0  0  0
  u2      0  0  0  0
  u3      0  0  0  0

  n    u1  u2  u3
  u1    0   1   0
  u2    0   0   1
  u3    0   0   0
Observation (Property-Extraction Principle)
By encoding stores as logical structures, questions about store properties can be answered by evaluating logical formulae.
  - A property holds if the corresponding formula evaluates to true (1) in a given structure.
  - If the formula evaluates to false (0), the property does not hold in the given structure.
Expressing the Semantics of Program Statements

Statement Execution
Example y = y->n

Graph: x and y point to u1; after the statement, y' points to u2 (u1 -n-> u2 -n-> u3).

Example
Predicate-update formulae for our predicates of the insert example:

  x'(v) = x(v)
  t'(v) = t(v)
  e'(v) = e(v)
  n'(v1, v2) = n(v1, v2)
  y'(v) = ∃v1 : y(v1) ∧ n(v1, v)
Results

Before y = y->n (graph: x, y -> u1 -n-> u2 -n-> u3 -n-> u4):
  indiv.  x  y  t  e
  u1      1  1  0  0
  u2      0  0  0  0
  u3      0  0  0  0
  u4      0  0  0  0

  n    u1  u2  u3  u4
  u1    0   1   0   0
  u2    0   0   1   0
  u3    0   0   0   1
  u4    0   0   0   0

After y = y->n (graph: x -> u1 -n-> u2 -n-> u3 -n-> u4, y -> u2):
  indiv.  x  y  t  e
  u1      1  0  0  0
  u2      0  1  0  0
  u3      0  0  0  0
  u4      0  0  0  0

  n    u1  u2  u3  u4
  u1    0   1   0   0
  u2    0   0   1   0
  u3    0   0   0   1
  u4    0   0   0   0
Observation (Expressing the Semantics of Statements via Logical Formulae)
We have a logical structure that encodes a store that arises before the execution of a statement. If we evaluate a predicate-update formula in that structure, the result indicates the value of the predicate after the execution of the statement.
The Meaning of Program Statements
Predicate-Update Formulae

  st                 p'
  x = NULL           x'(v) := 0
  x = t              x'(v) := t(v)
  x = t->sel         x'(v) := ∃v1 : t(v1) ∧ sel(v1, v)
  x->sel = NULL      sel'(v1, v2) := sel(v1, v2) ∧ ¬x(v1)
  x->sel = t         sel'(v1, v2) := sel(v1, v2) ∨ (x(v1) ∧ t(v2))
                     (assuming that x->sel == NULL)
  x = malloc()       x'(v) := isNew(v)
Definition
The P transformer associated with statement st, denoted by

  [[st]] : 2-STRUCT[P] → 2-STRUCT[P],

takes a logical structure and yields the structure that arises by applying the predicate-update formulae for every predicate.

  indiv.  x  y  t  e                        indiv.  x  y  t  e
  u1      1  1  0  0      [[y = y->n]]      u1      1  0  0  0
  u2      0  0  0  0    -------------->     u2      0  1  0  0
  u3      0  0  0  0                        u3      0  0  0  0
  u4      0  0  0  0                        u4      0  0  0  0

The n table is unchanged by this statement: n(u1, u2) = n(u2, u3) = n(u3, u4) = 1, all other entries are 0.
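The following Python program is an added example, not code from the deck, that implements the two ideas above for the insert example: a 2-valued logical structure as a universe plus one table per predicate symbol, formula evaluation such as isNullPointer_q (the property-extraction principle), and a transformer [[st]] built from the predicate-update table, including the malloc() case with its temporary isNew predicate. The names Structure, list_store, exec_stmt, reachable_from, is_acyclic and run_insert_fragment, and the sample stores they build, are this example's own. Because the table's x->sel = t formula assumes x->sel == NULL, the assignment y->n = t of insert() is modelled here as y->n = NULL followed by y->n = t; that normalisation is an assumption of this example, not something the deck states.

```python
"""2-valued logical structures for the insert example (added example, not
the deck's own code): a store is a universe of individuals plus a table
for every predicate symbol, properties are formulae evaluated over it,
and statements are transformers built from the predicate-update table."""
from dataclasses import dataclass


@dataclass
class Structure:
    universe: list   # individuals u1, u2, ...
    unary: dict      # predicate name -> {individual: 0/1}
    binary: dict     # predicate name -> {(individual, individual): 0/1}

    def p(self, name, *args):
        """iota(name)(args); entries that were never set count as 0."""
        table = self.unary[name] if len(args) == 1 else self.binary[name]
        return table.get(args[0] if len(args) == 1 else args, 0)


def list_store(length, pointers):
    """Constructed sample store: an acyclic n-list u1 .. u_length with the
    pointer variables in `pointers` (name -> 0-based index) bound to it."""
    U = [f"u{i}" for i in range(1, length + 1)]
    unary = {q: {u: 0 for u in U} for q in ("x", "y", "t", "e")}
    for q, idx in pointers.items():
        unary[q][U[idx]] = 1
    n = {(a, b): 0 for a in U for b in U}
    for a, b in zip(U, U[1:]):
        n[(a, b)] = 1
    return Structure(U, unary, {"n": n})


def is_null_pointer(s, q):
    """isNullPointer_q() := not exists v : q(v)  (property-extraction principle)."""
    return int(not any(s.p(q, v) for v in s.universe))


def exec_stmt(s, stmt, x=None, t=None, sel="n"):
    """[[st]]: apply the predicate-update formulae of the deck's table.
    x is the assigned variable, t the right-hand-side variable, sel the field."""
    U = list(s.universe)
    unary = {q: dict(tab) for q, tab in s.unary.items()}
    binary = {q: dict(tab) for q, tab in s.binary.items()}
    if stmt == "x = NULL":            # x'(v) := 0
        unary[x] = {v: 0 for v in U}
    elif stmt == "x = t":             # x'(v) := t(v)
        unary[x] = {v: s.p(t, v) for v in U}
    elif stmt == "x = t->sel":        # x'(v) := exists v1 : t(v1) and sel(v1, v)
        unary[x] = {v: int(any(s.p(t, v1) and s.p(sel, v1, v) for v1 in U)) for v in U}
    elif stmt == "x->sel = NULL":     # sel'(v1, v2) := sel(v1, v2) and not x(v1)
        binary[sel] = {(a, b): int(s.p(sel, a, b) and not s.p(x, a)) for a in U for b in U}
    elif stmt == "x->sel = t":        # sel'(v1, v2) := sel(v1, v2) or (x(v1) and t(v2)); needs x->sel == NULL
        assert not any(s.p(x, a) and s.p(sel, a, b) for a in U for b in U), "x->sel must be NULL"
        binary[sel] = {(a, b): int(s.p(sel, a, b) or (s.p(x, a) and s.p(t, b))) for a in U for b in U}
    elif stmt == "x = malloc()":      # extend the universe by u_new (all entries 0), x'(v) := isNew(v)
        unew = f"u{len(U) + 1}"
        U.append(unew)
        for q in unary:
            unary[q][unew] = 0
        for q in binary:
            for v in U:
                binary[q][(v, unew)] = binary[q][(unew, v)] = 0
        unary[x] = {v: int(v == unew) for v in U}   # the temporary isNew predicate
    else:
        raise ValueError(f"unsupported statement {stmt!r}")
    return Structure(U, unary, binary)


def reachable_from(s, q, sel="n"):
    """Individuals v with q(v) or (exists v1 : q(v1) and sel+(v1, v))."""
    front = {v for v in s.universe if s.p(q, v)}
    seen = set(front)
    while front:
        front = {w for v in front for w in s.universe if s.p(sel, v, w)} - seen
        seen |= front
    return seen


def is_acyclic(s, sel="n"):
    """True iff no individual v satisfies sel+(v, v)."""
    for start in s.universe:
        front = {w for w in s.universe if s.p(sel, start, w)}
        seen = set()
        while front:
            if start in front:
                return False
            seen |= front
            front = {w for v in front for w in s.universe if s.p(sel, v, w)} - seen
    return True


def run_insert_fragment():
    """Replay the tail of insert() on the constructed length-3 list with
    x, y -> u1, after the loop has advanced y once."""
    s = list_store(3, {"x": 0, "y": 0})
    s = exec_stmt(s, "x = t->sel", x="y", t="y")      # y = y->n
    s = exec_stmt(s, "x = malloc()", x="t")           # t = malloc()
    s = exec_stmt(s, "x = t->sel", x="e", t="y")      # e = y->n
    s = exec_stmt(s, "x->sel = t", x="t", t="e")      # t->n = e  (fresh cell, so t->n == NULL)
    s = exec_stmt(s, "x->sel = NULL", x="y")          # y->n = t, modelled as y->n = NULL; y->n = t
    s = exec_stmt(s, "x->sel = t", x="y", t="t")      #   (assumption of this example, see lead-in)
    return s
```

run_insert_fragment() ends in the store x -> u1 -n-> u2 -n-> u4 -n-> u3 with t -> u4, and reachable_from and is_acyclic check, in 2-valued logic, two of the goals stated on the motivation slide: every cell is reachable from x and the list stays acyclic.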
Definition
Consider the transformer associated with x = malloc().

1. We must extend our universe of individuals by u_new. Its predicate entries are not yet determined:

  indiv.  x  y  t  e
  u1      1  1  0  0
  u2      0  0  0  0
  u_new   ?  ?  ?  ?

  n      u1  u2  u_new
  u1      0   1    ?
  u2      0   0    ?
  u_new   ?   ?    ?

2. We introduce a temporary predicate isNew, so that ι(isNew)(u_new) yields 1:

  indiv.  x  y  t  e  isNew
  u1      1  1  0  0  0
  u2      0  0  0  0  0
  u_new   ?  ?  ?  ?  1

3. We initialise ι(p)(u1, ..., uk) with 0 if some ui = u_new.

4. Finally we apply the predicate-update formulae for every predicate:

  indiv.  x  y  t  e  isNew
  u1      0  1  0  0  0
  u2      0  0  0  0  0
  u_new   1  0  0  0  1

  n      u1  u2  u_new
  u1      0   1    0
  u2      0   0    0
  u_new   0   0    0
Collecting Semantics
A control-flow graph annotated with the set of structures that can reach each program point:

  (1) int x = 3;                       {T, F}
  (2) y->sel == z                      {T, F}
      true branch:   (3) y->sel = 0;   {T}
      false branch:  (4) y->sel = z;   {F}
  (5) printf("done");                  {T', F'}
Abstraction via Truth-Blurring Embeddings

Abstraction
Problem: Infinitely many logical structures can arise during program execution!
Kleene's 3-Valued Logic

Interpretation of operators:

  ∧    0    1    1/2
  0    0    0    0
  1    0    1    1/2
  1/2  0    1/2  1/2

  ∨    0    1    1/2
  0    0    1    1/2
  1    1    1    1
  1/2  1/2  1    1/2

  ¬
  0    1
  1    0
  1/2  1/2

Definition
We call the values 0 and 1 definite values and the value 1/2 the indefinite value.
Kleene's 3-Valued Logic (2)

Definition (Information Order)
For l1, l2 ∈ {0, 1, 1/2}, we define the information order on truth values as follows:

  l1 ⊑ l2  if  l1 = l2 or l2 = 1/2

The symbol ⊔ denotes the least-upper-bound operation with respect to ⊑.

Information order (Hasse diagram): 1/2 is the top element, above both 0 and 1; 0 and 1 are incomparable.
Logical order (Hasse diagram): 0 < 1/2 < 1, i.e. 1 at the top, 1/2 in the middle, 0 at the bottom.
Example

Concrete structure (graph: x, y -> u1 -n-> u2 -n-> u3 -n-> u4):
  indiv.  x  y  t  e
  u1      1  1  0  0
  u2      0  0  0  0
  u3      0  0  0  0
  u4      0  0  0  0

  n    u1  u2  u3  u4
  u1    0   1   0   0
  u2    0   0   1   0
  u3    0   0   0   1
  u4    0   0   0   0

abstracts to

  indiv.  x  y  t  e  sm
  u1      1  1  0  0  0
  u234    0  0  0  0  1/2

  n      u1   u234
  u1      0   1/2
  u234    0   1/2

Graph of the abstract structure: x, y -> u1 -n(dotted)-> u234, where u234 is a summary node with a dotted n self-loop.
Graphical notation Reloaded
  Individuals: circles with the name inside (e.g. u0).
  Summary nodes: double circles with the name inside (e.g. u0).
  Unary predicates: a solid arrow from the predicate name p to the node u if ι(p)(u) = 1 holds; a dotted arrow if ι(p)(u) = 1/2.
  Binary predicates: a solid arrow from node v to node w, labeled with the predicate name q, if ι(q)(v, w) = 1 holds; a dotted arrow if ι(q)(v, w) = 1/2.
Bounded Structures
Definition
A bounded structure over a given vocabulary is a structure S = 〈U_S, ι_S〉 such that for every two different individuals u1, u2 there exists an abstraction predicate symbol p such that ι_S(p)(u1) ≠ ι_S(p)(u2). For a bounded structure S there exists an upper bound for the number of individuals: |U_S| ≤ 3^|A|, where A is the set of abstraction predicate symbols.
Abstraction Principle Reloaded
Observation (Abstraction Principle)
Our method of abstracting structures always leads us to bounded structures.

  indiv.  x  y  t  e
  u1      1  1  0  0
  u2      0  0  0  0
  u3      0  0  0  0
  u4      0  0  0  0

abstracts to

  indiv.  x  y  t  e  sm
  u1      1  1  0  0  0
  u234    0  0  0  0  1/2
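As an added example that is not the deck's code, the Python below performs the abstraction shown on the last few slides: individuals that agree on all unary abstraction predicates x, y, t, e are merged into one summary node, which for the four-element list yields u234 with sm = 1/2 and the 1/2 entries of n, and the result is checked to be a bounded structure. The function names canonical_abstraction, join, is_bounded and four_element_list and the naming scheme u2, u3, u4 -> u234 are this example's own; the joining rule used for merged entries (the definite value if all summarised entries agree, 1/2 otherwise) is the least upper bound ⊔ of the information order defined above.

```python
"""Canonical abstraction of a 2-valued structure (added example, not the
deck's code): individuals that agree on every abstraction predicate are
merged into one summary node, and each predicate entry of the merged node
is the least upper bound, in the information order, of the entries it
stands for, i.e. definite if they all agree and 1/2 otherwise."""
from fractions import Fraction

HALF = Fraction(1, 2)   # the indefinite value 1/2


def join(values):
    """Least upper bound w.r.t. the information order: 0 and 0 give 0,
    1 and 1 give 1, anything mixed gives 1/2."""
    vals = set(values)
    return vals.pop() if len(vals) == 1 else HALF


def canonical_abstraction(universe, unary, binary, abstraction_preds):
    """Tight embedding of (universe, unary, binary) by the surjection f that
    maps u to the vector of its abstraction-predicate values.
    Returns (universe', unary', binary') with the extra predicate sm."""
    vector = {u: tuple(unary[p][u] for p in abstraction_preds) for u in universe}
    groups = {}                       # vector -> individuals mapped onto one node
    for u in universe:
        groups.setdefault(vector[u], []).append(u)
    # name a summary node after its members: u2, u3, u4 -> u234 (this example's convention)
    label = {vec: "u" + "".join(u[1:] for u in members) for vec, members in groups.items()}
    f = {u: label[vector[u]] for u in universe}
    new_universe = list(label.values())
    new_unary = {p: {label[vec]: join(unary[p][u] for u in members)
                     for vec, members in groups.items()} for p in unary}
    # sm is 1/2 exactly when several individuals were mapped onto the node
    new_unary["sm"] = {label[vec]: HALF if len(members) > 1 else 0
                       for vec, members in groups.items()}
    new_binary = {}
    for q, table in binary.items():
        new_binary[q] = {(a, b): join(table[(u, w)]
                                      for u in universe if f[u] == a
                                      for w in universe if f[w] == b)
                         for a in new_universe for b in new_universe}
    return new_universe, new_unary, new_binary


def is_bounded(universe, unary, abstraction_preds):
    """Bounded structure: any two different individuals differ on some
    abstraction predicate, which forces |U| <= 3^|A|."""
    vectors = {tuple(unary[p][u] for p in abstraction_preds) for u in universe}
    return len(vectors) == len(universe) and len(universe) <= 3 ** len(abstraction_preds)


def four_element_list():
    """Constructed sample: x, y -> u1 -n-> u2 -n-> u3 -n-> u4."""
    U = ["u1", "u2", "u3", "u4"]
    unary = {p: {u: 0 for u in U} for p in ("x", "y", "t", "e")}
    unary["x"]["u1"] = unary["y"]["u1"] = 1
    n = {(a, b): 0 for a in U for b in U}
    for a, b in zip(U, U[1:]):
        n[(a, b)] = 1
    return U, unary, {"n": n}


ABSTRACTION_PREDS = ["x", "y", "t", "e"]
```

Calling canonical_abstraction(*four_element_list(), ABSTRACTION_PREDS) reproduces the tables above: u1 keeps its definite entries, u2, u3 and u4 collapse into u234 with sm = 1/2, and both n(u1, u234) and n(u234, u234) become 1/2 because the summarised entries disagree (n(u1, u2) = 1 but n(u1, u3) = 0, and so on). The unabstracted list is not bounded, since u2, u3 and u4 share the same abstraction-predicate vector.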
Embedding into 3-Valued Structures

Embedding
S:
  indiv.  x  y  t  e  sm
  u1      1  1  0  0  0
  u2      0  0  0  0  0
  u3      0  0  0  0  0
  u4      0  0  0  0  0

  n    u1  u2  u3  u4
  u1    0   1   0   0
  u2    0   0   1   0
  u3    0   0   0   1
  u4    0   0   0   0

embeds to

S':
  indiv.  x  y  t  e  sm
  u1      1  1  0  0  0
  u234    0  0  0  0  1/2

  n      u1   u234
  u1      0   1/2
  u234    0   1/2

  - We need a surjective function f that maps individuals of S to individuals of S'.
  - For every predicate, ι_S(p)(u1, ..., uk) ⊑ ι_S'(p)(f(u1), ..., f(uk)) must hold.
  - If several individuals of S are mapped to one individual of S', the sm predicate must yield 1/2.
Tight Embedding

A trivial Embedding
S:
  indiv.  x  y  t  e  sm
  u1      1  1  0  0  0
  u2      0  0  0  0  0
  u3      0  0  0  0  0
  u4      0  0  0  0  0

  n    u1  u2  u3  u4
  u1    0   1   0   0
  u2    0   0   1   0
  u3    0   0   0   1
  u4    0   0   0   0

embeds to (trivially)

  indiv.  x    y    t    e    sm
  u1      1/2  1/2  1/2  1/2  1/2
  u234    1/2  1/2  1/2  1/2  1/2

  n      u1   u234
  u1     1/2  1/2
  u234   1/2  1/2

We want an embedding with minimal information loss. We call such an embedding a tight embedding. The same S

tightly embeds to

  indiv.  x  y  t  e  sm
  u1      1  1  0  0  0
  u234    0  0  0  0  1/2

  n      u1   u234
  u1      0   1/2
  u234    0   1/2
2-valued logic versus 3-valued logic

So far we have used 2-valued logic to
  - describe properties of heap cells,
  - extract information from a logical structure,
  - describe in which way our heap is affected by the execution of program statements.
Expressing the Semantics of Program Statements in 3-valued logic
Observation (Reinterpretation Principle)
The transfer function of the concrete semantics for a statement is captured by evaluating the corresponding predicate-update formulae in a 2-valued logical structure. Evaluation of the same formulae in a 3-valued logical structure captures the transfer function of the abstract semantics.

Graph: the abstract structure x, y -> u1 -n(dotted)-> u234 (dotted n self-loop on u234) is mapped by the predicate-update formulae to a 3-valued structure of the same shape.
Conservative Extraction of Store Properties

Embedding Theorem
Theorem
Let S be a 3-valued logical structure. The following statements hold:
  - If a formula evaluates to 1 in S, the formula also holds in every store represented by S.
  - If a formula evaluates to 0 in S, the formula does not hold in any store represented by S.
  - If a formula evaluates to 1/2 in S, we do not know whether the formula holds in all stores, does not hold for any store, or holds for some stores and does not hold for some other stores represented by S.
Concrete structure S♮ (graph: x -> u1 -n-> u2 -n-> u3):
  indiv.  x  y  t  e
  u1      1  0  0  0
  u2      0  0  0  0
  u3      0  0  0  0

  n    u1  u2  u3
  u1    0   1   0
  u2    0   0   1
  u3    0   0   0

Abstract structure S (graph: x -> u1 -n(dotted)-> u, dotted n self-loop on the summary node u):
  indiv.  x  y  t  e  sm
  u1      1  0  0  0  0
  u       0  0  0  0  1/2

  n    u1   u
  u1    0   1/2
  u     0   1/2

Example
Consider the formula for cyclicity c_n(v) := n+(v, v).

  (v ↦ u1)   [[c_n(v)]]^{S♮} = 0  ⊑  0   = [[c_n(v)]]^S
  (v ↦ u2)   [[c_n(v)]]^{S♮} = 0  ⊑  1/2 = [[c_n(v)]]^S
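The following Python is an added example, not the deck's code, that evaluates formulae in 3-valued structures with Kleene's operators (∧ as min, ∨ as max, ¬ as 1 - l on {0, 1/2, 1}, ∃ as a ∨ over the universe) and computes the transitive closure n+ needed for c_n(v) as a fixpoint, so that the embedding-theorem check above can be replayed: the value in S♮ must be ⊑ the value at the image individual in S. It also applies the predicate-update formula for y = y->n to the abstract structure, which is the reinterpretation principle. The fixpoint formulation of n+, the helper names and the two constructed structures are this example's own choices.

```python
"""Evaluating formulae in 3-valued structures with Kleene's operators
(added example, not the deck's code). n+ is computed as the least fixpoint
of n+(v, w) = n(v, w) or (exists u : n+(v, u) and n(u, w)); with or = max
and and = min the entries only grow in the logical order 0 < 1/2 < 1."""
from fractions import Fraction

HALF = Fraction(1, 2)   # the indefinite value 1/2


def k_and(*ls):
    return min(ls)


def k_or(*ls):
    return max(ls)


def k_not(l):
    return 1 - l


def info_leq(l1, l2):
    """l1 is below l2 in the information order: equal, or l2 = 1/2."""
    return l1 == l2 or l2 == HALF


def transitive_closure(universe, n):
    """n+ under Kleene semantics: iterate the defining equation until stable."""
    tc = dict(n)
    while True:
        new = {(v, w): k_or(tc[(v, w)], *(k_and(tc[(v, u)], n[(u, w)]) for u in universe))
               for v in universe for w in universe}
        if new == tc:
            return tc
        tc = new


def cyclicity(universe, n):
    """c_n(v) := n+(v, v) for every individual v."""
    tc = transitive_closure(universe, n)
    return {v: tc[(v, v)] for v in universe}


def is_null_pointer(universe, unary, q):
    """isNullPointer_q() := not (exists v : q(v)), now 3-valued."""
    return k_not(k_or(*(unary[q][v] for v in universe)))


def update_y_next(universe, unary, n):
    """y'(v) := exists v1 : y(v1) and n(v1, v), evaluated with Kleene operators."""
    return {v: k_or(*(k_and(unary["y"][v1], n[(v1, v)]) for v1 in universe)) for v in universe}


def concrete_list3():
    """S-natural (constructed): x -> u1 -n-> u2 -n-> u3."""
    U = ["u1", "u2", "u3"]
    n = {(a, b): 0 for a in U for b in U}
    n[("u1", "u2")] = n[("u2", "u3")] = 1
    unary = {"x": {"u1": 1, "u2": 0, "u3": 0}, "y": {u: 0 for u in U}}
    return U, unary, n


def abstract_list():
    """S (constructed): x -> u1 -n(1/2)-> u, with a 1/2 n self-loop on u."""
    U = ["u1", "u"]
    n = {("u1", "u1"): 0, ("u1", "u"): HALF, ("u", "u1"): 0, ("u", "u"): HALF}
    unary = {"x": {"u1": 1, "u": 0}, "y": {"u1": 0, "u": 0}, "sm": {"u1": 0, "u": HALF}}
    return U, unary, n


def embedding_theorem_holds(f):
    """Check c_n(v) in S-natural is below c_n(f(v)) in S for every v, where f is
    the surjection from the concrete individuals onto the abstract ones."""
    Uc, _, nc = concrete_list3()
    Ua, _, na = abstract_list()
    cc, ca = cyclicity(Uc, nc), cyclicity(Ua, na)
    return all(info_leq(cc[v], ca[f[v]]) for v in Uc)
```

With f = {u1 ↦ u1, u2 ↦ u, u3 ↦ u}, cyclicity gives 0 for every concrete individual, 0 for the abstract u1 and 1/2 for the summary node u, exactly the two lines of the example above; applying update_y_next to the abstract structure with y -> u1 yields y'(u) = 1 ∧ 1/2 = 1/2, the imprecise result shown on the concluding slides.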
Instrumentation Predicates

Motivation
S_acyclic (graph: x -> u1 -n(dotted)-> u, dotted n self-loop on u):
  indiv.  x  y  t  e  sm   c_n
  u1      1  0  0  0  0    0
  u       0  0  0  0  1/2  0

  n    u1   u
  u1    0   1/2
  u     0   1/2

Example
The fact that ι_{S_acyclic}(c_n)(u1) = 0 and ι_{S_acyclic}(c_n)(u) = 0 implies that S_acyclic can only represent acyclic lists, although n+(u, u) = 1/2.
Overview
Observation (Instrumentation Principle)
Let S be a 3-valued logical structure that represents the 2-valued structure S♮. By explicitly 'storing' in S the values that a formula has in S♮, it is sometimes possible to extract more precise information from S than can be obtained just by evaluating the formula in S.
Examples of Instrumentation Predicates

  Pred.        Intended Meaning                                                                Purpose
  is(v)        Do two or more fields of heap elements point to v?                              lists and trees
  r_{x,n}(v)   Is v (transitively) reachable from pointer variable x along n fields?           disjoint data structures
  r_n(v)       Is v reachable from some pointer variable along n fields?                       compile-time garbage collection
  c_n(v)       Is v on a directed cycle of n fields?                                           lists
  c_{f.b}(v)   Does a field f dereference from v, followed by a field b dereference, yield v?  doubly linked lists
Figure: a store with individuals u1 to u5, pointed to by x and linked by n-fields, illustrating the predicates below.

Formulae for Instrumentation Predicates

  is(v)      := ∃v1, v2 : n(v1, v) ∧ n(v2, v) ∧ v1 ≠ v2
  r_{x,n}(v) := x(v) ∨ ∃v1 : x(v1) ∧ n+(v1, v)
  c_n(v)     := n+(v, v)
Updating Instrumentation Predicates
Trivial Update Formula
Let p be an instrumentation predicate. By re-evaluating the definition formula of p we obtain one possible predicate-update formula for p.

Definition
Let S be a 2-valued structure. If a predicate-update formula for p maintains the correct instrumentation for statement st, it does not matter whether the predicate-update formula is evaluated in S or the definition formula is re-evaluated in [[st]](S).
Updating Reachability
Predicate-Update Formulae for Instrumentation Predicate r_{z,n}

Statement x = NULL:
  z ≡ x:   r'_{z,n}(v) := 0
  z ≢ x:   r'_{z,n}(v) := r_{z,n}(v)

Figure: a list u1 -n-> u2 -n-> ... -n-> u6 with pointer variables z and x, illustrating the update.

Statement x->n = NULL:
  z ≡ x:   r'_{z,n}(v) := x(v)
  z ≢ x:   r'_{z,n}(v) := re-evaluate r_{z,n}                                                       if c_n(v) ∧ r_{x,n}(v)
           r'_{z,n}(v) := r_{z,n}(v) ∧ ¬(∃v' : r_{z,n}(v') ∧ x(v') ∧ r_{x,n}(v) ∧ ¬x(v))            otherwise
Conclusions

Writing an Analysis
We must describe
  - the properties of heap cells with predicate logic,
  - how we can extract information from the heap via logical formulae,
  - in which way the execution of a statement affects the heap via predicate-update formulae.
Abstract Interpretation of y = y->n
Concrete store before y = y->n (graph: x, y -> u1 -n-> u2 -n-> u3 -n-> u4):
  indiv.  x  y  t  e
  u1      1  1  0  0
  u2      0  0  0  0
  u3      0  0  0  0
  u4      0  0  0  0

  n    u1  u2  u3  u4
  u1    0   1   0   0
  u2    0   0   1   0
  u3    0   0   0   1
  u4    0   0   0   0

abstracts to (graph: x, y -> u1 -n(dotted)-> u234, dotted n self-loop on u234):
  indiv.  x  y  t  e  sm
  u1      1  1  0  0  0
  u234    0  0  0  0  1/2

  n      u1   u234
  u1      0   1/2
  u234    0   1/2

Concrete store after y = y->n (graph: x -> u1 -n-> u2 -n-> u3 -n-> u4, y -> u2):
  indiv.  x  y  t  e
  u1      1  0  0  0
  u2      0  1  0  0
  u3      0  0  0  0
  u4      0  0  0  0

  n    u1  u2  u3  u4
  u1    0   1   0   0
  u2    0   0   1   0
  u3    0   0   0   1
  u4    0   0   0   0

embeds to (graph: x -> u1 -n(dotted)-> u234, dotted n self-loop on u234, dotted y arrow to u234):
  indiv.  x  y    t  e  sm
  u1      1  0    0  0  0
  u234    0  1/2  0  0  1/2

  n      u1   u234
  u1      0   1/2
  u234    0   1/2
Open Issue

Result of the Abstract Interpretation of y = y->n (the concrete store after the statement embeds into the following structure, in which y holds only with value 1/2 on the summary node):
  indiv.  x  y    t  e  sm
  u1      1  0    0  0  0
  u234    0  1/2  0  0  1/2

  n      u1   u234
  u1      0   1/2
  u234    0   1/2

Graph: x -> u1 -n(dotted)-> u234, dotted n self-loop on u234, dotted y arrow to u234.
Our aim
  indiv.  x  y  t  e  sm
  u1      1  0  0  0  0
  u2      0  1  0  0  0
  u34     0  0  0  0  1/2

  n     u1  u2  u34
  u1     0   1   0
  u2     0   0   1/2
  u34    0   0   1/2

Graph: x -> u1 -n-> u2 -n(dotted)-> u34 (summary node with a dotted n self-loop), y -> u2.