1 / 27

Abstract Interpretation with Alien Expressions and Heap Structures

Abstract Interpretation with Alien Expressions and Heap Structures. Bor-Yuh Evan Chang K. Rustan M. Leino UC Berkeley Microsoft Research November 11, 2004 OSQ Meeting. Standard Abstract Interpretation. y := 8; x := 0; while (*) { y := y + x; x++; } y ¸ 8

rudolf
Download Presentation

Abstract Interpretation with Alien Expressions and Heap Structures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan Chang K. Rustan M. Leino UC Berkeley Microsoft Research November 11, 2004 OSQ Meeting

  2. Standard Abstract Interpretation y := 8; x := 0; while (*) { y := y + x; x++; } y ¸ 8 • Can do this inference with the polyhedra abstract domain [CH79]

  3. Standard Abstract Interpretation this.y := 8; this.x := 0; while (*) { this.y := this.y + this.x; this.x++; } this.y ¸ 8? Goal: Given a base domain that can infer certain kind of predicates on variables, use it to infer predicates on fields

  4. Achieving the Goal • Handling Alien Expressions / Uninterpreted Functions • Handling Heap Updates

  5. Abstract Domains interface AbstractDomain { type Elt Constrain : Elt £ Expr ! Elt Eliminate : Elt £ Var ! Elt Rename : Elt £ Var £ Var ! Elt ToPredicate : Elt ! Expr Join : Elt £ Elt ! Elt AtMost : Elt £ Elt ! bool }

  6. Fooling the Base Domains assume o.f ¸ 8 Constrain( sel(H,o,f)¸8 ) Congruence-Closure Domain / “Name Service” sel(H,o,f)  SymbolicValue Constrain(¸8 ) Polyhedra Base Domains

  7. 2 x y z H o f Understandable to the Base Domain Understands : FunSymbol £ Expr[] ! bool ¸ + | | ² sel 2 ¢ x +sel(H,o,f)· |y - z|

  8. 2 x y z H o f Understandable to the Base Domain Understands : FunSymbol £ Expr[] ! bool ¸ Yes + | | Yes ² sel Yes No Yes 2 ¢ x +sel(H,o,f)· |y - z|

  9. 2 x y z Understandable to the Base Domain Understands : FunSymbol £ Expr[] ! bool ¸ + | | No  ² No 2 ¢ x +· |y - z|

  10. Understandable to the Base Domain Understands : FunSymbol £ Expr[] ! bool ¸  + No   ² Yes  = y - z 2 x y z 2 ¢ x+·

  11. Congruence-Closure Domain • Could always choose new names, but … • Should use the same name for syntactically equivalent expressions • Even Better: same name for known equalities • Tracks equalities of uninterpreted functions • an E-Graph with abstract domain operations • symbolic values “name” equivalence classes of expressions • implements congruence closure

  12. x y w b g f f g  d h E-Graph • w =f(x)Æg(x,y)= f(y) Æ w =h(w) • A set of mappings: w  x  f() y  g(b,g)d f()d h() • Always congruence-closed

  13. Join • Join the e-graphs, then join the base domains • Think of the lattice over conjunctions of equalities (including infinite ones) • Let G = Join(G0,G1) x Gh’,’i if x G0’ and x G1’ f(h,i)Gh’,’i if f()G0’ and f(b)G1b’ • Rename distinct pairs to fresh symbolic values

  14. Join • Complexity: O(n¢m) • Complete? As precise as possible? • No, e-graphs do not form a lattice! x = y tg(x) = g(y)Æ x = f(x)Æ y = f(y) = Æi : i ¸ 0g(fi(x)) = g(fi(y)) • Only relatively complete [Gulwani et al.] • Tell base domains about renaming h,iÃgConstrainB0(=), ConstrainB1(=)

  15. So Far We Have … • Reasoning for uninterpreted functions • Base domains that work with alien expressions transparently • What we need for field reads • sel is alien to all base domains

  16. Achieving the Goal • Handling Alien Expressions / Uninterpreted Functions • Handling Heap Updates

  17. Heap Updates Java/C# if (p.g == 8) { o.f = x; } Abstract assume H[p,g] == 8; Interpreter H := upd(H,o,f,x); sel(upd(H,o,f,e),o’,f’) = e if o = o’ and f = f’ sel(upd(H,o,f,e),o’,f’) = sel(H,o’,f’) if o  o’ or f  f’

  18. Heap Updates Java/C# if (p.g == 8) { o.f = x; } Abstract assume H[p,g] == 8; Interpreter H := H’ where H’ ´o,f H and sel(H’,o,f)= x

  19. Heap Updates Abstract assume H[p,g] == 8; Interpreter H := H’ where H’ ´o,f H and sel(H’,o,f)= x Abstract Constrain(sel(H,p,g) = 8) DomainConstrain( H’ ´o,f H ) Constrain(sel(H’,o,f)= x ) Eliminate( H ) Rename( H’, H ) ToPredicate() Tracked by a new base domain: Heap Succession

  20. Heap Update Example Constrain(sel(H,p,g) = 8) Constrain( H’ ´o,f H ) Constrain(sel(H’,o,f)= x ) Eliminate( H ) Rename( H’, H ) ToPredicate() Heap Succession H’´o,fH E-Graph sel(H,p,g) 8 sel(H’,o,f) x  H H p p H’ H’gg o off

  21. Heap Update Example Constrain(sel(H,p,g) = 8) Constrain( H’ ´o,f H ) Constrain(sel(H’,o,f)= x ) Eliminate( H ) Rename( H’, H ) ToPredicate() Heap Succession H’´o,fH E-Graph sel(H,p,g) 8 sel(H’,o,f) x  H H p p H’ H’gg o off

  22. Heap Update Example Constrain(sel(H,p,g) = 8) Constrain( H’ ´o,f H ) Constrain(sel(H’,o,f)= x ) Eliminate( H ) Rename( H’, H ) ToPredicate() Heap Succession H’´o,fH E-Graph sel(H,p,g) 8 sel(H’,o,f) x  H H p p H H’gg o off

  23. Can you give me an equivalent expression without H? Heap Update Example Constrain(sel(H,p,g) = 8) Constrain( H’ ´o,f H ) Constrain(sel(H’,o,f)= x ) Eliminate( H ) Rename( H’, H ) ToPredicate() Heap Succession H’´o,fH E-Graph sel(H,p,g) 8 sel(H’,o,f) x  H H p p H H’gg o off • “Collect Garbage” (H) • EquivalentExpr : Queryable £ Expr £ Var ! Expr

  24. Heap Update Example Constrain(sel(H,p,g) = 8) Constrain( H’ ´o,f H ) Constrain(sel(H’,o,f)= x ) Eliminate( H ) Rename( H’, H ) ToPredicate() Heap Succession H’´o,fH E-Graph sel(H’,p,g) 8 sel(H’,o,f) x  H H p p H H’gg o off Yes, use H’ • “Collect Garbage” (H) • EquivalentExpr : Queryable £ Expr £ Var ! Expr option • Eliminate(H) on Base • ToPredicate() on Base and Convert Expr for Client • Add Equalities

  25. Related Work • Join for Uninterpreted Functions [Gulwani, Tiwari, Necula] • Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …]

  26. Conclusion • Extended the power of abstract domains to work with alien expressions using the congruence-closure domain • Added reasoning about heap updates with the heap succession domain • Close to having “cooperating abstract interpreters”? • missing propagating back equalities inferred by base domains

  27. Thank you! Questions? Comments?

More Related