1 / 31

3-Valued Logic Analyzer (TVP)

3-Valued Logic Analyzer (TVP). Tal Lev-Ami and Mooly Sagiv. Motivation. Many dataflow problems can be solved using Monotone Frameworks But Monotone Framework are hard to be used Compiler-writer obligations Define the lattice Define the initial value 

arav
Download Presentation

3-Valued Logic Analyzer (TVP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 3-Valued Logic Analyzer(TVP) Tal Lev-Ami and Mooly Sagiv

  2. Motivation • Many dataflow problems can be solved using Monotone Frameworks • But Monotone Framework are hard to be used • Compiler-writer obligations • Define the lattice • Define the initial value  • Show that it is sound ({s0})   • Define transfer functions of elementarystatements fl • Show that these functions are monotone x y  fl(x) fl(y) • Show soundness ({[b]l(s) | s CS })  fl ((CS)) • Find an efficient representation

  3. A Different Solution • Write structural operational semantics in a special form • Automatically derive the Monotone Framework from the operational semantics  • Monotonicity and soundness is immediate  • Operational semantics need to be written in a special form  • Scarify the generality of Monotone Frameworks  • The derived solution is not necessarily the induced one but rather precise

  4. Outline • 3-valued proposional logic • Parity Analysis in TVLA • The Shape Analysis Problem • 3-valued predicate logicMay 19, 10-13 Scriber 309

  5. information order 01=1/2 Logical order 3-Valued Kleene Logic • A logic with 3-values • 0 -false • 1 - true • 1/2 - don’t know • Operators are conservatively interpreted • 1/2 means either true or false 1/2 0 1

  6. Kleene Interpretation of Operators(logical-and)

  7. Kleene Interpretation of Operators(logical-or)

  8. Kleene Interpretation of Operators(logical-negation)

  9. Kleene Interpretation of Operators(logical-implication)

  10. 3-valued logic program analysis • Choose a fixed set of proposional variables P per program P ={even[x] | x  Var} • Represent “concrete” states by a truth assignments from P to {0, 1}[even[x]  0, even[y]  1] • The meaning of every statement (SOS) is expressed using update formulaex := y * z = { even’[x] := even[y]  even[y], even’[y] := even[y], even’[z] := even[z] } • Use lattice L=(P{0, 1/2, 1}){} • The transformer is obtained by evaluating the formula in 3-valued logic

  11. Preconditions • The effect of some program conditions can be defined using a precondition formulaif (x % 2 == 0 || y %2 != 0) even[x] even[y] • These conditions are associated with control flow edges • For other program conditions no effect is given • If the formula is potentially satisfied 1 the statement is executed • May yield overly conservative results due to missing or naively interpreted conditions

  12. Example Program while [x !=1]1 do if [ (x %2) = 0]2 then [x := x / 2;]3 else [x := x * 3 + 1;]4

  13. The Focus Operation • It is sometimes possible to improve the precision by maintaining finer distinctions • If a formula evaluates to 1/2 replace the assignment by an equivalent set of assignments in which the formula evaluates to 1 or 0 • Formally, Focus[](A)=… • Always conservative • Can increase the space complexity

  14. Example Focus Formulae • even[x] • Input Truth-Assignment [even[x]  1/2, even[y]  0] • Output Truth-Assignments

  15. Example Program while [x !=1]1 do if [ (x %2) = 0]2 then [x := x / 2;]3 else [x := x * 3 + 1;]4

  16. A TVLA Specification of Parity • There are two files per analyzed program • prgm.tvp -The specification of the control flow graph and the transfer functions • prgm.tvs - The specification of the value at the initial node • Propostions are specified in a file (pred.tvp) • Conditions are specified in a file (cond.tvp) • The meaning of statements is specified in a file (stat.tvp)

  17. %s Var {x, t} #include "pred.tvp" %% #include "cond.tvp" #include "stat.tvp" %% /* while [x !=1]^1 do */ l_1 Uninterpreted_Cond() l_2 l_1 Uninterpreted_Cond() l_end /* if [ (x %2) = 0]^2 */ l_2 Is_Even(x) l_3 l_2 Is_Odd(x) l_4 /* then [x := x / 2;]^3 */ l_3 Divide_Even(x,x) l_5 l_5 Skip() l_1 /* else [x := x * 3 + 1;]^4 */ l_4 Multiply_Odd(t, x) l_41 l_41 Add_Odd(x, t) l_6 l_6 Skip() l_1

  18. pred.tvp foreach (z in Var) { %p even[z]() {0, 1, 1/2} }

  19. cond.tvp %action Uninterpreted_Cond() { %t "uninterpreted-Condition" } %action Is_Even(x1) { %t x1 + " %2 == 0" %f {even[x1]()} %p even[x1]() } %action Is_Odd(x1) { %t x1 + " %2 != 0" %f {!even[x1]()} %p !even[x1]() }

  20. stat.tvp (part 1) %action Skip() { %t "Skip" } %action Set_Even(x1) { %t x1 + " = Even" { even[x1]() = 1 } } %action Set_Odd(x1) { %t x1 + " = Odd" { even[x1]() = 0 } }

  21. stat.tvp (part 2) %action Add(x1, x2, x3) { %t x1 + " = " + x2 + " + " + x3 {even[x1]() = even[x2]() & even[x3]() | !even[x2]() & !even[x3]() } } %action Add_Even(x1, x2) { %t x1 + " = " + x2 + " + EVEN" {even[x1]() = even[x2]() } } %action Add_Odd(x1, x2) { %t x1 + " = " + x2 + " + ODD" {even[x1]() = !even[x2]() } }

  22. stat.tvp (part 3) %action Multiply(x1, x2, x3) { %t x1 + " = " + x2 + " * " + x3 {even[x1]() = even[x2]() | even[x3]() } } %action Multiply_Even(x1, x2) { %t x1 + " = " + x2 + " * EVEN" {even[x1]() = 1} } %action Multiply_Odd(x1, x2) { %t x1 + " = " + x2 + " * Odd" { even[x1]() = even[x2]() } }

  23. stat.tvp (part 4) %action Divide(x1, x2, x3) { %t x1 + " = " + x2 + " / " + x3 {even[x1]() = 1/2 } } %action Divide_Even(x1, x2) { %t x1 + " = " + x2 + " / EVEN" {even[x1]() = 1/2 } } %action Divide_Odd(x1, x2) { %t x1 + " = " + x2 + " / ODD" {even[x1]() = 1/2} }

  24. %s Var {x, t} #include "pred.tvp" %% #include "cond.tvp" #include "stat.tvp" %% /* while [x !=1]^1 do */ l_1 Uninterpreted_Cond() l_2 l_1 Uninterpreted_Cond() l_end /* if [ (x %2) = 0]^2 */ l_2 Is_Even(x) l_3 l_2 Is_Odd(x) l_4 /* then [x := x / 2;]^3 */ l_3 Divide_Even(x,x) l_5 l_5 Skip() l_1 /* else [x := x * 3 + 1;]^4 */ l_4 Multiply_Odd(t, x) l_41 l_41 Add_Odd(x, t) l_6 l_6 Skip() l_1

  25. prgm.tvs %n = {} %p = { even[x] = 1/2 even[t] = 1/2 }

  26. Command Prompt tvla prgm prgm -d -action fpu

  27. Shape Analysis • Determine the possible shapes of a dynamically allocated data structure at given program point • Relevant questions: • Does a variable point to an acyclic list? • Does a variable point to a doubly-linked list? • Does a variable point p to an allocated element every time p is dereferenced? • Can a procedure create a memory-leak

  28. NULL dereference Dereference of NULL pointers typedef struct element { int value; struct element *next; } Elements bool search(int value, Elements *c) {Elements *elem;for ( elem = c; c != NULL;elem = elem->next;) if (elem->val == value) return TRUE; return FALSE

  29. Memory leakage Elements* reverse(Elements *c){ Elements *h,*g; h = NULL; while (c!= NULL) { g = c->next; h = c; c->next = h; c = g; } return h; leakage of address pointed-by h

  30. The SWhile Programming Language Abstract Syntax sel:= car | cdr a := x | x.sel | null | n | a1 opa a2 b := true | false | not b | b1 opb b2 | a1 opr a2 S := [x := a]l | [x.sel := a]l | [x := malloc()]l | [skip] l | S1 ; S2| if [b]lthen S1else S2 | while [b]l do S

  31. NULL dereference Dereference of NULL pointers [elem := c;]1 [found := false;]2 while ([c != null]3 && [!found]4) ( if ([elem->car= value]5) then [found := true]6 else [elem = elem->cdr]7 )

More Related