1 / 33

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists

This paper presents a new approach to predicate and canonical abstraction for analyzing singly-linked lists, handling cycles more precisely than existing methods. The approach encodes the abstraction using two methods: canonical abstraction and polynomial predicate abstraction.

eileenbryant
Download Presentation

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Predicate Abstraction andCanonical Abstractionfor Singly-linked Lists Roman ManevichMooly SagivTel Aviv University Eran Yahav G. RamalingamIBM T.J. Watson

  2. curr Motivating Example 1: CEGAR curr = head; while (curr != tail) { assert (curr != null); curr = curr.n; } Counterexample-guided abstraction refinement generates following predicates:curr.n ≠ null ,curr.n.n ≠ null ,… after i refinement steps:curr(.n)i ≠ null n n n n … tail head

  3. curr Motivating Example 1: CEGAR curr = head; while (curr != tail) { assert (curr != null); curr = curr.n; } n n n n … tail head In general, problem is undecidable:V. Chakaravathy [POPL 2003] State-of-the-art canonical abstractions can prove assertion

  4. Motivating Example 2 // @pre cyclic(x)t = null; y = x; while (t != x && y.data < low) { t = y.n; y = t; } z = y; while (z != x && z.data < high) { t = z.n; z = t; } t = null; if (y != z) { y.n = null; y.n = z; }// @post cyclic(x)

  5. Motivating Example 2 @pre cyclic(x) @post cyclic(x) z z n n n n n x x n n n n n n n y y

  6. Existing Canonical Abstraction concrete abstract z,cnrx,ry,rz order between variables lost!cannot establish @post cyclic(x) z n n n n x,cnrx,ry,rz x n n n n n n n cnrx,ry,rz n n n y y,cnrx,ry,rz

  7. Overview and Main Results • Current predicate abstraction refinement methods not adequate for analyzing heaps • Predicate abstraction can simulate arbitrary finite abstract domains • Often requires too many predicates • New family of abstractions for lists • Bounded number of sharing patterns • Handles cycles more precisely than existing canonical abstractions • Encode abstraction with two methods: • Canonical abstraction • Polynomial predicate abstraction

  8. Outline • New abstractions for lists • Observations on concrete shapes • Static naming scheme • Encoding via predicate abstraction • Encoding via canonical abstraction • Controlling the number of predicates via heap-sharing depth parameter • Experimental results • Related work • Conclusion

  9. Concrete Shapes • Assume the following class of (list-) heaps • Heap contains only singly-linked lists • No garbage (easy to handle) • A heap can be decomposed into • Basic shape (sharing pattern) • List lengths

  10. Concrete Shapes class SLL {Object value; SLL n;} n n n n n n n n n n x n n n n y

  11. Interrupting Nodes Interruption: node pointed-to by a variableor shared by n fields n n n n n n n n n n x n n n n y #interruptions ≤ 2 · #variables(bounded number of sharing patterns)

  12. Maximal Uninterrupted Lists Maximal uninterrupted list: maximal list segment between two interruptionsnot containing interruptions in-between n n n n n n n n n n x n n n n y

  13. Maximal Uninterrupted Lists max. uninterrupted 1 max. uninterrupted 2 n n n n n n n n n n x n n n n y max. uninterrupted 3 max. uninterrupted 4

  14. Maximal Uninterrupted Lists number of links 4 2 n n n n n n n n n n x 4 4 n n n n y

  15. Maximal Uninterrupted Lists Abstract lengths: {1,2,>2} >2 2 n n n n n n n n n n x >2 >2 n n n n y

  16. Using Static Names • Goal: name all sharing patterns • Prepare static names for interruptions • Derive predicates for canonical abstraction • Prepare static names for max. uninterrupted lists • Derive predicates for predicate abstraction • All names expressed by FOTC formulae

  17. Naming Interruptions We name interruptions by adding auxiliary variables For every variable x : x1,…,xk (k=#variables) x2 x1 n n n n n n n n n n x x n n n n y y y1 y2

  18. Naming Max. Uninterrupted Lists [x1,x2][x1,y2][y1,x2][y1,y2] [x,x1][x,y1] x2 x1 n n n n n n n n n n x x n n n n y y y1 [x2,x2][x2,y2][y2,x2][y2,y2] y2 [y,x1][y,y1]

  19. A Predicate Abstraction • For every pair of variables x,y (regular and auxiliary) • Aliased[x,y] = x and y point to same node • UList1[x,y] = max. uninterrupted list of length 1 • UList2[x,y] = max. uninterrupted list of length 2 • UList[x,y] = max. uninterrupted list of any length • For every variable x (regular and auxiliary) • UList1[x,null] = max. uninterrupted list of length 1 • UList2[x,null] = max. uninterrupted list of length 2 • UList[x,null] = max. uninterrupted list of any length • Predicates expressed by FOTC formulae

  20. Predicate Abstraction Example x2 x1 n n n n n n n n n n x x concrete n n n n y y y1 y2 abstract

  21. A Canonical Abstraction • For every variable x (regular and auxiliary) • x(v) = v is pointed-to by x • cul[x](v) = uninterrupted list from node pointed-to by x to v • Predicates expressed by FOTC formulae

  22. Canonical Abstraction Example concrete cul[x1]cul[y1] cul[x2]cul[y2] cul[x] x2 x1 n n n n n n n n n n x x n n n n y y y1 y2 cul[y]

  23. Canonical Abstraction Example abstract cul[x1]cul[y1] cul[x2]cul[y2] cul[x] x2 x1 n n n n n n x x n n n n y y y1 n y2 cul[y]

  24. Canonical Abstractionof Cyclic List concrete abstract cul[z] z z n n n n n x x n n n n n n n n n cul[x] cul[y] y y

  25. Canonical Abstractionof Cyclic List abstract pre abstract post cul[z] z cul[z] z n n n n x x n n n n n n n n cul[x] cul[x] cul[y] cul[y] y y

  26. Heap-sharing Depth In this example the heap-sharing depth is 2In practice depth expected to be low (≤ 1) x2 x1 n n n n n n n n n n x x n n n n y y y1 y2

  27. Setting the Heap-sharing Depth Setting the heap-sharing depth parameter to 1results in lost information about shape x1 n n n n n n n n n n x x n n n n y y y1 Heap-sharing depth parameter d determinesnumber of static names : control over number of predicates

  28. Experimental Results

  29. Related Work • Dor, Rode and Sagiv [SAS ’00] • Checking cleanness in lists • Sagiv, Reps and Wilhelm [TOPLAS ‘02] • General framework + abstractions for lists • Dams and Namjoshi [VMCAI ’03] • Semi-automatic predicate abstraction for shape analysis • Balaban, Pnueli and Zuck [VMCAI ’05] • Predicate abstraction for shapes via small models • Deutsch [PLDI ’94] • Symbolic access paths with lengths

  30. Conclusion • New abstractions for lists • Observations about concrete shapes • Precise for programs containing heaps with sharing and cycles, ignoring list lengths • Parametric in sharing-depth d:[1…k] • Encoded new abstractions via • Canonical abstraction O(d·k) • Polynomial predicate abstraction O(d2·k2) • d=1 sufficient for all examples

  31. Missing from Talk • Simulating abstract domains by pred. abs. • Formal definition of abstractions • Abstract transformers • Decidable logic  can be automatically derived • Abstraction equivalence:for every two concrete heaps H1,H2βPA(H1)=βPA(H2) iff βC(H1)=βC(H2) • Abstractions with less predicates • Cycle breaking • Linear static naming scheme

  32. Merci

  33. Simulating Finite Domainsby Predicate Abstraction • Assume finite abstract domain of numbered elements {1,…,n} • Naïve simulation • Predicates {Pi} i=1…n • Pi Holds when abstract program state is i • Simulation using logarithmic number of predicates • Use binary representation of numbers • Predicates {Pj} j=1…log n • Pj Holds when j-th bit of abstract program state is 1

More Related