1 / 53

Shape Analysis via 3-Valued Logic

Shape Analysis via 3-Valued Logic. Mooly Sagiv Tel Aviv University. Shape analysis with applications Chapter 4.6 http://www.cs.tau.ac.il/~rumster/TVLA/. Outline. Collecting Semantics using first order logic 3-valued logic and embedding Simple abstract semantics using logic

dane
Download Presentation

Shape Analysis via 3-Valued Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Shape Analysisvia 3-Valued Logic Mooly Sagiv Tel Aviv University Shape analysis with applications Chapter 4.6 http://www.cs.tau.ac.il/~rumster/TVLA/

  2. Outline • Collecting Semantics using first order logic • 3-valued logic and embedding • Simple abstract semantics using logic • More precise abstract semantics • TVLA

  3. Collecting Semantics using Logic • Represent states using logical structures • Construct the program control flow graph with a distinguished node start • Define the set of logical structures at start • Define the meaning of program conditions using closed first order formulae • Define the meaning of statements using first order formulae

  4. The SWhile Programming Language Abstract Syntax sel:= car | cdr a := x | x.sel | null | n | a1 opa a2 b := true | false | not b | b1 opb b2 | a1 opr a2 S := [x := a]l | [x.sel := a]l | [x := malloc()]l | [skip] l | S1 ; S2| if [b]lthen S1else S2 | while [b]l do S

  5. Example • Predicates • Unary • x(v) • t(v) • Binary • car(v1, v2) • cdr(v1, v2) • eq(v1, v2) [x := null;]1 while ([count > 0]2) ( [t := malloc();]3 [t.cdr := x;]4 [x :=t;]5

  6. x:=null {x’(v) := 0 } t:=malloc() { let v0 := new() in t(v) := eq(v, v0) } [x := null;]1 ([count > 0]2 t.cdr :=x { message v: t(v) … cdr’(v1, v2) := (t(v1)? x(v2): cdr(v1, v2)) } [count:=count-1;]6 [t :=malloc();]3 exit [t.cdr :=x;]4 x:=t x’(v) := t(v) } (?1:2) (1)(2) [x :=t;]5

  7. The reverse example • Predicates • Unary • x(v) • t(v) • y(v) • Binary • car(v1, v2) • cdr(v1, v2) • eq(v1, v2) [y := null;]1 while ([x !=null]2) ( [t := y;]3 [y := x;]4 [x :=x.cdr;]5 [y.cdr :=t;]6

  8. y:=null={ y’(v) :=0 } [y:= null;]1 t:=y={ t(v) :=y(v) } ([x!=null]2 x !=null = v: x(v) [t :=y;]3 y:=x={ { y’(v) :=x(v) } [y :=x;]4 a3 exit y.cdr :=t ={ cdr’(v1, v2) := y(v1)? t(v2) : cdr(v1, v2) } [x :=x.cdr;]5 x:=x.cdr ={ message v:x(v) … x’(v) := v1:x(v1) cdr(v1, v) } [y.cdr :=t;]6

  9. Statement’s Meaning

  10. Condition’s Meaning

  11. Collecting Semantics CS (start) = {<, >} CS (v) = {st(u) (S): uv  E, S CS(u)} {S : S, uv  Et , S cond(u) }  {S: S, uv  Ef , S cond(u) }

  12. 1/2 Information order   Three-Valued Logic • 1: True • 0: False • 1/2: Unknown • A join semi-lattice: 0  1 = 1/2

  13. 3-Valued Logical Structures • A set of individuals (nodes) U • Predicate meaning • PS: US {0, 1, 1/2}

  14. cdr cdr cdr x x u u2 u1 u1 u3 US={u1, u2, u3} xS=[u11, u20, u30] yS=[u10, u20, u30] carS=[<u1 , u1>0, <u1, u2>0, <u1,u3>0, <u2, u1>0, <u2, u2>0, <u2, u3>0 <u3, u1>0, <u3, u2>0, <u3, u3>0] cdrS=[<u1 , u1>0, <u1, u2>1, <u1,u3>0, <u2, u1>0, <u2, u2>0, <u2, u3>1/2, <u3, u1>0, <u3, u2>0, <u3, u3>1/2] eqS=[<u1 , u1>1, <u1, u2>0, <u1,u3>0, <u2, u1>0, <u2, u2>1, <u2, u3>0, <u3, u1>0, <u3, u2>0, <u3, u3>1/2]

  15. Embedding • A pre-partial order on 3-valued logical structures • S1 S2 every concrete state represented by S1 is also represented by S2 • The set of nodes in S1 and S2 may be different • No meaning for nodes (abstract locations)

  16. Embedding • S1f S2 • f maps the individuals of S1 onto S2 • pS1(u1, .., uk)  pS2(f(u1), ..., f(uk)) • S1 S2 there exists f such that S1f S2 • Pre partial order • Induces a pre-partial order on P(3-Struct) • Set-union is a least upper bound • Finite height • :3-Struct  P(2-Struct) • (S) = {S’ : S’2-Struct, S’  S } • :P(3-Struct)  P(2-Struct) • (XS) =  S XS (S)

  17. Tight Embedding • S=<US, PS> • f: US U# such that f is onto • Define S#=<U#, P#> • p#(u#1, .., u#k) ={pS (u1, ..., uk) : f(ui)=u#i} • S f S#

  18. The Abstraction Principle • Partition the individuals into equivalence classes based on the values of their unary predicates • Collapse other predicates via 

  19. cdr cdr blur x x u234 u1 u2 u3 u4 u1 0  1 0  0  0 The Abstraction Principle cdr cdr cdr

  20. Boolean Connectives [Kleene]

  21. Formal Semantics of First Order Formulae • For a structure S=<US, PS> • Formulae  with LVar free variables • Assignment z: LVarUS • S(z): {0, 1, 1/2} • 1S(z)=1 • 0S(z)=1 p(v1, v2, …, vk)S(z)=pS (z(v1), z(v2), …, z(vk))

  22. Formal Semantics of First Order Formulae • For a structure S=<US, PS> • Formulae  with LVar free variables • Assignment z: LVarUS • S(z): {0, 1, 1/2} • 12S(z)=max (1 S(z), 2S(z)) • 12S(z)=min (1 S(z), 2S(z)) • 1S(z)=1- 1 S(z) • v: 1S(z)=max {1 S(z[vu]) : u  US}

  23. The Embedding Theorem • Evaluating a formula in S is conservative with respect to (S) • Every formula  is preserved • =1 in S =1 in every S’(S) • =0 in S =0 in every S’(S) • =1/2 in S don’t know

  24. The Embedding Theorem • Sf S’ • Formulae  with LVar free variables • Assignment z: LVarUS • S(z)  S’(f  z)

  25. Shape Analysis viaAbstract Interpretation • Iteratively compute a set of 3-valued structures for every program point • Every statement transforms structures according to the predicate-update formulae • use 3-valued logic instead of 2-valued logic • use exactly the predicate-update formulae of the concrete semantics!!

  26. Abstract Semantics AI (start) = {<, >} CS (v) = {blur(st(u)3(S)): uv  E, S AI(u)} {S : S, uv  Et , S3 cond(u) }  {S: S, uv  Ef , S3cond(u) }

  27. x:=null {x’(v) := 0 } t:=malloc() { let v0 := new() in t(v) := eq(v, v0) } [x := null;]1 ([count > 0]2 t.cdr :=x { message v: t(v) … cdr’(v1, v2) := (t(v1)? x(v2): cdr(v1, v2)) } [t :=malloc();]3 exit [t.cdr :=x;]4 a2 x:=t x’(v) := t(v) } [x :=t;]5

  28. y:=null={ y’(v) :=0 } [y:= null;]1 t:=y={ t(v) :=y(v) } ([x!=null]2 x !=null = v: x(v) [t :=y;]3 y:=x={ { y’(v) :=x(v) } [y :=x;]4 a3 exit y.cdr :=t ={ cdr’(v1, v2) := y(v1)? t(v2) : cdr(v1, v2) } [x :=x.cdr;]5 x:=x.cdr ={ message v:x(v) … x’(v) := v1:x(v1) cdr(v1, v) } [y.cdr :=t;]6

  29. Intermediate Summary • Predicate logics allows naturally expressing SOS for languages with pointers and dynamically allocated structures • 3-valued logic provides a sound solution • Immediate from Embedding theorem • All you need is to guarantee the SOS correctness • But not very precise

  30. More precise abstract interpretation • Refine the abstraction (concretization) • More precise abstract interpretation of basic statements • But not necessarily the best (induced)

  31. The Instrumentation Principle • Increase precision by storing the truth-value of some designated formulae • Introduce predicate-update formulae to update the extra predicates

  32. x 31 71 91 is = 0 is = 0 is = 0 is = 0 x x u u u1 u1 is = 0 is = 0 Example: Heap Sharing is[sel](v) = v1,v2: sel(v1,v)  sel(v2,v)  eq(v1, v2)

  33. x 31 71 91 is = 0 is = 0 is = 0 is = 0 Example: Heap Sharing is[sel](v) = v1,v2: sel(v1,v)  sel(v2,v)  eq(v1 , v2) is = 1 x x u u u1 u1 is = 0 is = 1 is = 0

  34. Updating sharing x.sel:=y is [sel]’(v) := (v1:x(v1)? (y(v)? v2:sel(v2, v) x(v2) :(sel(v1, v)? v2, v3: is[sel](v2, v3, v)  x(v2) x(v3) : is[sel](v)) :is[sel](v)) is[sel](v2, v3, v) = sel(v2, v)sel(v3, v)  eq(v2, v3)

  35. Other Instrumentation • c[cdr,car](v)=v1: cdr(v, v1)car(v1, v) • c[car,cdr](v)=v1: car(v, v1)cdr(v1, v) • r[sel](v1, v2) = sel*(v1, v2) • r[x, sel](v) = v1: x(v1)sel*(v1, v) • r[x](v) = v1: x(v1)(car|cdr)*(v1, v) • inOrder[sel,dle](v) = v1: sel(v, v1) dle(v, v1) • inROrder[sel,dle](v) = v1: sel(v, v1) dle(v1, v)

  36. y:=null={ y’(v) :=0 } [y:= null;]1 t:=y={ t(v) :=y(v) } ([x!=null]2 x !=null = v: x(v) [t :=y;]3 y:=x={ { y’(v) :=x(v) } [y :=x;]4 a3 exit y.cdr :=t ={ cdr’(v1, v2) := y(v1)? t(v2) : cdr(v1, v2) } [x :=x.cdr;]5 x:=x.cdr ={ message v:x(v) … x’(v) := v1:x(v1) cdr(v1, v) } [y.cdr :=t;]6

  37. L1  L2  l  op Semantic Reduction • Improve the precision of the analysis by recovering properties of the program semantics • A Galois connection (L1, , , L2) • An operation op:L2L2 is a semantic reduction • lL2 op(l)l • (op(l)) = (l) • Can be applied before and after basic operations • Preserve soundness

  38. x x u u u1 u1 Materialization cdr cdr x = x  cdr x cdr cdr y u u y u1 u1 u u1 x x cdr cdr x = x  cdr x cdr y cdr y u u1 u3 u1 u2

  39. The Focusing Principle • To increase precision • “Bring the predicate-update formula into focus” (Force 1/2 to 0 or 1) • Then apply the predicate-update formulae • Generalizes materialization

  40. x x x u u u1 u1 (1) Focus on  v1: x(v1)  cdr(v1,v) cdr            x x y u u u1 u1 cdr cdr x cdr x cdr y u u1 y u u1 r[cdr] cdr cdr cdr y cdr u1 u.1 u.0

  41. x u u1 (2) Evaluate Predicate-Update Formulae x’(v) =  v1: x(v1)  cdr(v1,v) cdr cdr x x y y u u u u u1 u1 u1 u1 cdr x cdr cdr y x u u u1 u1 cdr y u u1 x cdr cdr cdr cdr cdr cdr y cdr cdr cdr y u.0 u1 u.1 cdr u1 u.1 u.0

  42. The Focus Operation • Focus: Formula(P(3-Struct) P(3-Struct)) • For every formula  • Focus()(X) yields structure in which  evaluates to a definite values in all assignments • Focus() is a semantic reduction • But Focus()(X) may be undefined for some X

  43. x x x u u u1 u1 (1) Focus on  v1: x(v1)  cdr(v1,v) cdr            x x y u u u1 u1 cdr cdr x cdr x cdr y u u1 y u u1 cdr cdr cdr y cdr u1 u.1 u.0

  44. x u u1 (1) Focus on  v1: cdr(v1,v) cdr x cdr y u u1

  45. x u u1 (2) Evaluate Predicate-Update Formulae x’(v) =  v1: x(v1)  cdr(v1,v) cdr cdr x x y y u u u u u1 u1 u1 u1 cdr x cdr cdr y x u u u1 u1 cdr y u u1 x cdr cdr cdr cdr cdr cdr y cdr cdr cdr y u.0 u1 u.1 cdr u1 u.1 u.0

  46. The Coercion Principle • Another Semantic Reduction • Can be applied after Focus or after Update or both • Increase precision by exploiting some structural properties possessed by all stores (Global invariants) • Structural properties captured by constraints • Apply a constraint solver

  47. x x cdr cdr cdr y cdr cdr u.0 u1 u.1 y cdr u.0 u1 u.1 (3) Apply Constraint Solver cdr

  48. Example Constraints x(v1) x(v2)eq(v1, v2) sel(v, v1) sel(v,v2)eq(v1, v2) sel(v1, v) sel(v2,v)eq(v1, v2)is[sel](v)

  49. Sources of Constraints • Properties of the operational semantics • Domain specific knowledge • Instrumentation predicates • User supplied

  50. Format of Constraints • p(v1, v2, …, vk) ij  vivj • p(v1, v2, …, vk) ij  vivj • Interpretation • If LHS is 1 so is RHS • Preserved under tight embedding

More Related