Parametric Shape Analysis via 3-Valued Logic. Mooly Sagiv, Thomas Reps, Reinhard Wilhelm
pointer analysis? points-to analysis? shape analysis? alias analysis?
The Shape-Analysis Problem For every program point, compute a finite characterization of the possible “shapes” of the heap-allocated data structures.
Formalizing “. . .” • Informal: pictures of the lists reachable from x and y use “. . .” for the part of unbounded size • Formal: the “. . .” is replaced by explicit summary information
Why Shape Analysis? • Capture storage invariants • x points to an acyclic list, cyclic list, tree, dag, etc. • May-alias information • Identify (absence of) sharing • x and y point to structures that do not share cells • “Dynamization” of static structure-description formalisms • e.g., ADDS annotations [Hendren 94]
What’s New? • Parametric framework for a class of shape-analysis algorithms • “Rational reconstruction” of a number of previous shape-analysis methods • [Jones & Muchnick 81] • [Chase, Wegman, & Zadeck 90] • [Stransky 93] • [Assmann & Weinhardt 93] • [Pleyvak, Chien, & Karamcheti 93] • [Wang 94] • [Sagiv, Reps, & Wilhelm 96, 98] • New shape-analysis methods • General abstraction principle ⇒ much simpler proofs • Basis for a tool that generates shape-analysis algorithms
Outline • Using logic to describe stores • Using logic to express store transformations • Forming abstractions of stores • Three-valued logic • Using three-valued logic to express transformations of abstract stores
Using Logic to Describe Stores • Predicate symbols • Whether variable x points to location u: $x(u)$ • Pointer fields: $n(u_1, u_2)$, $car(u_1, u_2)$, $cdr(u_1, u_2)$
Using Logic to Describe Stores • Other properties of locations are expressed as formulas, e.g. “is shared”: $\mathit{is}(v) \equiv \exists v_1, v_2 : n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$ • Example: in a four-cell store in which no cell has two $n$-predecessors, $\mathit{is}(u_1) = \mathit{is}(u_2) = \mathit{is}(u_3) = \mathit{is}(u_4) = 0$; in the store x → u1 → u2 ← u3 ← y, cell u2 has two distinct predecessors, so $\mathit{is}(u_2) = 1$ while $\mathit{is}(u_1) = \mathit{is}(u_3) = 0$
First-Order Logic (Syntax) • Vocabulary • Predicate symbols: $p_1, p_2, \dots, p_n$ • Constant symbols: $c_1, c_2, \dots, c_m$ • Function symbols: $f_1, f_2, \dots, f_k$ • Formulas • Variables • Equality-predicate symbol: $=$ • Logical-constant symbols: $0, 1$ • Connectives: $\wedge, \vee, \neg$ • Quantifiers: $\forall, \exists$
First-Order Logic (Semantics) • Truth values: $0, 1$ • Logical structures • Individuals: $U = \{u_1, u_2, \dots, u_n\}$ • Predicates: $p_i : U^{\mathit{arity}(p_i)} \to \{0, 1\}$ • In our application: logical structures = concrete stores
An Example • The store x → u1 → u2 ← u3 ← y • Individuals: $U = \{u_1, u_2, u_3\}$ • Predicates (as tables; every tuple not listed has value 0): $x(u_1) = 1$, $y(u_3) = 1$, $n(u_1, u_2) = 1$, $n(u_3, u_2) = 1$
First-Order Logic (Semantics) • Assignments $Z$: free variables $\to$ individuals • Meaning of a formula: $[\![\varphi]\!](Z)$
Meaning of a Formula • Store x → u1 → u2 ← u3 ← y • $\varphi(v, v_1, v_2) \equiv n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$ • $Z = \{ v \mapsto u_2,\ v_1 \mapsto u_1,\ v_2 \mapsto u_3 \}$ • $[\![\varphi(v, v_1, v_2)]\!](Z) = \ ???$
Meaning of a Formula $[\![\varphi]\!](Z)$ • $[\![0]\!](Z) = 0$ • $[\![1]\!](Z) = 1$ • $[\![p_i(v_1, \dots, v_k)]\!](Z) = p_i(Z(v_1), \dots, Z(v_k))$ • $[\![\varphi_1 \wedge \varphi_2]\!](Z) = [\![\varphi_1]\!](Z) \wedge [\![\varphi_2]\!](Z)$ • $[\![\varphi_1 \vee \varphi_2]\!](Z) = [\![\varphi_1]\!](Z) \vee [\![\varphi_2]\!](Z)$ • Negation, quantification, . . .
Meaning of a Formula • $\varphi(v, v_1, v_2) \equiv n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$, $Z = \{ v \mapsto u_2,\ v_1 \mapsto u_1,\ v_2 \mapsto u_3 \}$ • $[\![\varphi]\!](Z) = [\![n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2]\!](Z) = n(u_1, u_2) \wedge n(u_3, u_2) \wedge u_1 \neq u_3 = 1 \wedge 1 \wedge 1 = 1$
Outline (continued): Using logic to express store transformations
Using Logic to Change Stores: x = null • Before: x and y both point to u1, z points to u3, with n-edges among u1, u2, u3 • After: x points nowhere ($x(v) = 0$ for every cell); y, z and the n-edges are unchanged
Predicate-Alteration Formulas for x = null • $x[x = \mathtt{null}](v) \equiv 0$ • $y[x = \mathtt{null}](v) \equiv y(v)$ • $z[x = \mathtt{null}](v) \equiv z(v)$ • $n[x = \mathtt{null}](v_1, v_2) \equiv n(v_1, v_2)$ • Each predicate of the new store is obtained by evaluating its alteration formula in the old store; only x changes
Outline (continued): Forming abstractions of stores
The Abstraction Principle • Concrete store: x → u1 → u2 → u3 → u4 • Abstract store: x → u1 → u234, where u234 is a summary node standing for u2, u3 and u4 • Summary information: a predicate whose value differs among the merged cells gets the value $\{0, 1\}$ (“unknown”) on the summary node
The Abstraction Principle • Select some subset $A$ of the predicate symbols • Partition the individuals $U^S$ of structure $S$ into equivalence classes based on the values of their $A$ predicates: $u \mapsto [u]_A$ • Form the “union-quotient” of $S$ with respect to $\{[u]_A \mid u \in U^S\}$
Example • $A = \{v \mid v \text{ is a program variable}\}$ • Quotient of x → u1 → u2 → u3 → u4 w.r.t. $\{w, x, y, z\}$: $[u_1] = \{u_1\}$ (pointed to by x) and $[u_2] = \{u_2, u_3, u_4\}$ (pointed to by no variable) • This is the abstraction of [Chase, Wegman, & Zadeck 90] and [Sagiv, Reps, & Wilhelm 96, 98]
Outline (continued): Three-valued logic
Two- vs. Three-Valued Logic • Two-valued logic: truth values $0$ and $1$ • Three-valued logic: truth values $\{0\}$, $\{1\}$ and $\{0, 1\}$, written $0$, $1$ and $\tfrac{1}{2}$ • Information order: $\{0\} \sqsubseteq_3 \{0, 1\}$ and $\{1\} \sqsubseteq_3 \{0, 1\}$, i.e. $0 \sqsubseteq_3 \tfrac{1}{2}$ and $1 \sqsubseteq_3 \tfrac{1}{2}$; $0$ and $1$ are incomparable
First-Order Logic (Semantics) • Truth values: $0, 1, \tfrac{1}{2}$ • Logical structures • Individuals: $U = \{u_1, u_2, \dots, u_n\}$ • Predicates: $p_i : U^{\mathit{arity}(p_i)} \to \{0, 1, \tfrac{1}{2}\}$ • In our application: 3-valued logical structures = abstract stores
Abstraction Conserves Predicates • $\mathit{Abs}(A) : S \mapsto S^\# = S / [u]_A$, with $u \mapsto [u]_A$ • For every predicate $p$ and every tuple of individuals: $p^S(u_1, \dots, u_k) \sqsubseteq_3 p^{S^\#}([u_1]_A, \dots, [u_k]_A)$ • This is what “form the ‘union-quotient’ of $S$ with respect to $\{[u]_A \mid u \in U^S\}$” means
Example • Concrete store x → u1 → u2 → u3 → u4, abstract store with $[u_1] = \{u_1\}$ and summary node $[u_2] = \{u_2, u_3, u_4\}$ • $p^S(u_1, \dots, u_k) \sqsubseteq_3 p^{S^\#}([u_1]_A, \dots, [u_k]_A)$, e.g. $n^S(u_1, u_2) = 1 \sqsubseteq_3 n^{S^\#}([u_1], [u_2]) = \tfrac{1}{2}$ (because $n^S(u_1, u_3) = 0$) and $n^S(u_2, u_3) = 1 \sqsubseteq_3 n^{S^\#}([u_2], [u_2]) = \tfrac{1}{2}$
Abstraction Conserves Properties • $\mathit{Abs}(A) : S \mapsto S^\# = S / [u]_A$, with $u \mapsto [u]_A$ • $p^S(u_1, \dots, u_k) \sqsubseteq_3 p^{S^\#}([u_1]_A, \dots, [u_k]_A)$ • $\varphi^S(u_1, \dots, u_k) \sqsubseteq_3 \varphi^{S^\#}([u_1]_A, \dots, [u_k]_A)$ • Evaluating a formula extracts information conservatively
Example • $\varphi^S(u_1, \dots, u_k) \sqsubseteq_3 \varphi^{S^\#}([u_1]_A, \dots, [u_k]_A)$ • $\mathit{is}(v) \equiv \exists v_1, v_2 : n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$ • In the concrete list x → u1 → u2 → u3 → u4, $\mathit{is}^S(u) = 0$ for every cell • For $\mathit{is}^{S^\#}([u_2])$, let $v_1 = [u_1]$ and $v_2 = [u_2]$: $n([u_1], [u_2]) \wedge n([u_2], [u_2]) \wedge [u_1] \neq [u_2] = \tfrac{1}{2} \wedge \tfrac{1}{2} \wedge 1 = \tfrac{1}{2}$, so the formula yields only $\tfrac{1}{2}$ on the summary node
“Tracking Properties” Beats “Inferring Properties” • Concrete store x → u1 → u2 → u3 → u4, abstract store with $[u_1]$ and summary node $[u_2]$ • Inferring: $\varphi^S(u_1, \dots, u_k) \sqsubseteq_3 \varphi^{S^\#}([u_1]_A, \dots, [u_k]_A)$, which for $\mathit{is}$ gives only $\tfrac{1}{2}$ on $[u_2]$ • Tracking: if $\mathit{is}$ is itself a predicate of the structure, then $p^S(u_1, \dots, u_k) \sqsubseteq_3 p^{S^\#}([u_1]_A, \dots, [u_k]_A)$, and since $\mathit{is}^S = 0$ on every merged cell, $\mathit{is}^{S^\#}([u_2]) = 0$ • In general, when $p^S(u_1, \dots, u_k) = \varphi^S(u_1, \dots, u_k)$: $p^S(u_1, \dots, u_k) \sqsubseteq_3 p^{S^\#}([u_1]_A, \dots, [u_k]_A) \sqsubseteq_3 \varphi^{S^\#}([u_1]_A, \dots, [u_k]_A)$, so the tracked value is at least as precise as the inferred one
Outline (continued): Using three-valued logic to express transformations of abstract stores
Example: x = y→n (“rational reconstruction” of [Chase, Wegman, & Zadeck 90]) • Before: x and y both point to $[u_1]$, $[u_1]$ has an n-edge to the summary node $[u_2]$, and $[u_2]$ has an n self-loop • After: y still points to $[u_1]$ and x points to $[u_2]$
Example (~[CWZ 90]), predicate-alteration formulas for x = y→n • $x[x = y{\to}n](v) \equiv \exists v_1 : y(v_1) \wedge n(v_1, v)$ • $y[x = y{\to}n](v) \equiv y(v)$ • $n[x = y{\to}n](v_1, v_2) \equiv n(v_1, v_2)$ • $\mathit{is}[x = y{\to}n](v) \equiv \mathit{is}(v)$ • The same formulas are evaluated, in three-valued logic, on the abstract store; the tracked predicate $\mathit{is}$ is simply carried over
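The whole pipeline of the deck in one runnable piece: stores as logical structures with the meaning of a formula (the “Meaning of a Formula” slides), predicate-alteration formulas (the x = null and x = y→n slides), the union-quotient abstraction and its embedding check (“Abstraction Conserves Predicates/Properties”), and the tracked-versus-inferred comparison for is. This is an added illustration written for this page, not the authors' code or TVLA; the vocabulary {x, y, n, is}, the tuple encoding of formulas and the two sample stores (x → u1 → u2 ← u3 ← y, and x, y → u1 → u2 → u3 → u4) are constructed from the slides' pictures.

```python
# Added illustration (not the authors' code): logical structures, Kleene 3-valued
# evaluation, canonical abstraction (union-quotient) and predicate-update formulas.
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)                       # the third truth value 1/2, i.e. {0,1}
ARITY = {"x": 1, "y": 1, "n": 2, "is": 1}   # assumed vocabulary for the examples


def join(values):
    """Join in the information order: all 0 -> 0, all 1 -> 1, mixed -> 1/2."""
    vals = set(values)
    return vals.pop() if len(vals) == 1 else HALF


class Structure:
    """2- or 3-valued logical structure: individuals U, predicate tables
    (absent tuples have value 0) and the set of summary individuals."""
    def __init__(self, individuals, arity, preds, summary=()):
        self.U, self.arity = list(individuals), dict(arity)
        self.preds = {name: dict(t) for name, t in preds.items()}
        self.summary = set(summary)

    def p(self, name, *args):
        return self.preds.get(name, {}).get(args, 0)

    def eq(self, a, b):
        """Distinct individuals are never equal; u = u is only 'maybe' on a summary node."""
        return 0 if a != b else (HALF if a in self.summary else 1)


def evaluate(S, phi, Z):
    """[[phi]](Z) in S, Kleene semantics: and = min, or = max, not = 1 - v,
    exists/forall = max/min over U. 2-valued structures are the special case."""
    op = phi[0]
    if op == "const":
        return phi[1]
    if op == "pred":
        return S.p(phi[1], *(Z[v] for v in phi[2]))
    if op == "eq":
        return S.eq(Z[phi[1]], Z[phi[2]])
    if op == "not":
        return 1 - evaluate(S, phi[1], Z)
    if op in ("and", "or"):
        return (min if op == "and" else max)(evaluate(S, phi[1], Z), evaluate(S, phi[2], Z))
    if op in ("exists", "forall"):
        return (max if op == "exists" else min)(evaluate(S, phi[2], {**Z, phi[1]: u}) for u in S.U)
    raise ValueError(op)


# Formula builders, the "is shared" formula and the update formula for x = y->n.
def P(name, *vs): return ("pred", name, vs)
def AND(a, b): return ("and", a, b)
def EX(v, body): return ("exists", v, body)
def NEQ(a, b): return ("not", ("eq", a, b))

IS = EX("v1", EX("v2", AND(AND(P("n", "v1", "v"), P("n", "v2", "v")), NEQ("v1", "v2"))))
X_GETS_Y_N = {"x": (("v",), EX("v1", AND(P("y", "v1"), P("n", "v1", "v"))))}


def track_is(S):
    """Store is(v), computed from its formula, as a predicate of a 2-valued store."""
    table = {(u,): evaluate(S, IS, {"v": u}) for u in S.U}
    return Structure(S.U, S.arity, {**S.preds, "is": table}, S.summary)


def abstract(S, A):
    """Canonical abstraction: merge individuals that agree on all predicates in A;
    every predicate takes the join of its values over the merged tuples."""
    cls = {}
    for u in S.U:
        cls.setdefault(tuple(S.p(a, u) for a in A), []).append(u)
    rep = {u: "[" + m[0] + "]" for m in cls.values() for u in m}
    U2 = sorted(set(rep.values()))
    summary = {rep[m[0]] for m in cls.values() if len(m) > 1}
    preds = {name: {t2: join(S.p(name, *t) for t in product(S.U, repeat=k)
                             if tuple(rep[u] for u in t) == t2)
                    for t2 in product(U2, repeat=k)}
             for name, k in S.arity.items()}
    return Structure(U2, S.arity, preds, summary), rep


def embeds(S, S_abs, rep):
    """Embedding condition: p^S(u1..uk) is 0/1-equal to p^S#([u1]..[uk]) or the latter is 1/2."""
    return all(S_abs.p(name, *(rep[u] for u in t)) in (HALF, S.p(name, *t))
               for name, k in S.arity.items() for t in product(S.U, repeat=k))


def transform(S, updates):
    """Apply predicate-alteration formulas; predicates without a formula are copied."""
    preds = dict(S.preds)
    for name, (vs, body) in updates.items():
        preds[name] = {t: evaluate(S, body, dict(zip(vs, t)))
                       for t in product(S.U, repeat=S.arity[name])}
    return Structure(S.U, S.arity, preds, S.summary)


# Constructed sample stores: x -> u1 -> u2 <- u3 <- y, and the list x, y -> u1 -> u2 -> u3 -> u4.
SHARED = Structure(["u1", "u2", "u3"], ARITY,
                   {"x": {("u1",): 1}, "y": {("u3",): 1}, "n": {("u1", "u2"): 1, ("u3", "u2"): 1}})
LIST4 = Structure(["u1", "u2", "u3", "u4"], ARITY,
                  {"x": {("u1",): 1}, "y": {("u1",): 1},
                   "n": {("u1", "u2"): 1, ("u2", "u3"): 1, ("u3", "u4"): 1}})


def demo():
    """Run the pipeline and return the values the slides talk about."""
    shared, lst = track_is(SHARED), track_is(LIST4)
    lst_abs, rep = abstract(lst, ["x", "y"])      # A = the program variables
    return {
        "is_u2_concrete": shared.p("is", "u2"),                            # 1: two predecessors
        "n_summary_self": lst_abs.p("n", "[u2]", "[u2]"),                  # 1/2: summary self-loop
        "embeds": embeds(lst, lst_abs, rep),                               # True
        "is_summary_tracked": lst_abs.p("is", "[u2]"),                     # 0: kept by abstraction
        "is_summary_inferred": evaluate(lst_abs, IS, {"v": "[u2]"}),       # 1/2: formula on S#
        "x_after_concrete": transform(lst, X_GETS_Y_N).p("x", "u2"),       # 1
        "x_after_abstract": transform(lst_abs, X_GETS_Y_N).p("x", "[u2]"), # 1/2: sound, imprecise
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things are worth noticing when running it. The tracked value of is on the summary node stays 0 while evaluating the is formula on the abstract store yields 1/2, which is the point of the “tracking beats inferring” slides. And applying the x = y→n formula on the abstract store gives x([u2]) = 1/2 rather than 1: the n-edge from [u1] into the summary node is itself 1/2, so the result is sound (the concrete value 1 is embedded in 1/2) but weaker than the concrete transformer, which is the kind of precision loss the parametric framework is designed to let you tune by choosing the tracked predicates.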