Program Analysis via 3-Valued Logic - PowerPoint PPT Presentation

Slides: 112
Provided by: moolysagiv
1
Program Analysis via 3-Valued Logic
  • Mooly Sagiv, Tal Lev-Ami, Roman Manevich
  • Tel Aviv University
  • Thomas Reps, University of Wisconsin, Madison
  • Reinhard Wilhelm, Universität des Saarlandes

2
Interprocedural Analysis, so far
  • Abstract domains: (powersets of) a fixed set of program entities, and entities from an underlying domain
  • Domains:
  • P(Aexp): Available Expressions
  • P(Var × Lab): Reaching Definitions
  • Var → Val: Constant Propagation
  • Var → Int: Interval Analysis

3
Interprocedural Analysis
  • Dynamically created procedure incarnations
  • Domain: P(Lab* × (Var → …))
  • Call strings: strings of labels of call sites
  • Sufficient to represent recursion because of nested lifetimes; a call string corresponds to an actual stack
  • In general of unbounded length ⇒ non-computable fixed point
  • Approximated by a fixed length k

4
Dynamically Created Objects
  • How to represent dynamically created
  • heap cells, created by calls to malloc: x = malloc(); x = malloc(); x = malloc()
  • objects, created by constructors of classes: x = new C; x = new C; x = new C
  • threads, created by thread constructors
  • In general:
  • unbounded sets
  • non-nested lifetimes
  • anonymous

5
Anonymous Objects (contd.)
  • Concrete domains: relations reflecting accessibility
  • Stack for program variables
  • Heap for anonymous, dynamically created objects
  • Pointer variables point from Stack into Heap
  • Heap consists of a set of functions modelling references/pointer components
  • Abstract domains: how to deal with unboundedness?
  • How to analyze programs without bounds on the number of objects?

6
Example: In-Situ List Reversal

    typedef struct list_cell {
        int val;
        struct list_cell *next;
    } *List;

    /* Reverses lists of arbitrary length */
    List reverse(List x) {
        List y, t;
        y = NULL;
        while (x != NULL) {
            t = y;
            y = x;
            x = x->next;
            y->next = t;
        }
        return y;
    }
7
Questions Posed to the Analysis
  • Can x be dereferenced while having value NULL in
    some execution state?
  • Can an object leak out of the programs
    execution?
  • Can an object be freed while being shared?

8
Freeing a Shared Object

    a = malloc();
    b = a;
    free(a);          /* b still refers to the freed cell */
    c = malloc();     /* the allocator may hand the same address back */
    if (b == c) printf("unexpected equality");
9
Dereferencing a NULL pointer

    typedef struct element {
        int value;
        struct element *next;
    } *Elements;

    bool search(int value, Elements c) {
        Elements elem;
        for (elem = c; c != NULL; elem = elem->next) {
            if (elem->value == value) return TRUE;
        }
        return FALSE;
    }
10
Dereferencing a NULL pointer
Same search function as on slide 9, annotated: potential null de-reference. The loop condition tests c, which never changes, while elem is the pointer that advances; once elem reaches NULL it is dereferenced by elem->value.
11
Memory Leakage

    typedef struct element {
        int value;
        struct element *next;
    } *Elements;

    Elements strange(Elements x) {
        Elements y, g;
        y = NULL;
        while (x != NULL) {
            g = x->next;
            y = x;
            x->next = y;
            x = g;
        }
        return y;
    }

12
Memory Leakage
Same function as on slide 11, annotated: leakage of list elements. Each visited cell gets its next redirected to itself, and y is overwritten on the following iteration, so every cell except the last becomes unreachable.
13
    class Make {
        private Worklist worklist;

        public static void main(String[] args) {
            Make m = new Make();
            m.initializeWorklist(args);
            m.processWorklist();
        }

        void initializeWorklist(String[] args) {
            ... worklist = new Worklist(); ...
            // add some items to worklist
        }

        void processWorklist() {
            Set s = worklist.unprocessedItems();
            for (Iterator i = s.iterator(); i.hasNext(); ) {
                Object item = i.next();
                if (...) processItem(item);
            }
        }

        void processItem(Object i) { ... doSubproblem(...); }

        void doSubproblem(...) { ... worklist.addItem(newitem); ... }
    }

    public class Worklist {
        Set s;
        public Worklist() { ... s = new HashSet(); ... }
        public void addItem(Object item) { s.add(item); }
        public Set unprocessedItems() { return s; }
    }

14
Example In-Situ List Reversal
  • Concrete execution on a list of length 3

15–29
Example: In-Situ List Reversal
(animation frames of the concrete execution on the list 1 → 2 → 3 → NULL, showing x, y and t after each statement; the code is that of slide 6; figures only)
30
Original Problem Shape Analysis
  • Characterize dynamically allocated data
    structures
  • x points to an acyclic list, cyclic list, tree,
    dag, etc.
  • data-structure invariants
  • Identify may-alias relationships
  • Establish disjointedness properties
  • x and y point to data structures that do not
    share cells

31
Properties of reverse(x)
  • On entry x points to an acyclic list
  • On exit y points to an acyclic list
  • On exit x = NULL
  • Invariant: at the start of the while loop, x points to the head of the non-reversed suffix and y to the head of the already reversed prefix, or NULL at the start; they are disjoint acyclic lists
  • All the pointer dereferences are safe
  • No memory leaks

32
Example In-Situ List Reversal
  • Abstract execution

33–59
Example: In-Situ List Reversal
(animation frames of the abstract execution, showing x, y and t over a summarized list at each step; the code is that of slide 6; figures only)
60
Why is Shape Analysis Difficult?
  • Destructive updating through pointers
  • p->next = q
  • Produces complicated aliasing relationships
  • Dynamic storage allocation
  • No bound on the size of run-time data structures
  • No syntactic names for locations
  • Data-structure invariants typically only hold at
    the beginning and end of operations
  • Need to verify that data-structure invariants are
    re-established

61
Main Ingredients: Abstract Domain
  • A new abstract domain for static analysis
  • Represents dynamically allocated memory
  • Based on predicate logic
  • Execution states in the concrete semantics are coded as interpretations of sets of predicates over a 2-valued domain (1 ≡ true, 0 ≡ false)
  • unary predicate x for pointer variable x: x(l) = 1 if x points to l
  • binary predicate next for selector next: next(l1, l2) = 1 if the next selector of l1 points to l2

62
Predicates (for reverse)
63
Example: In-Situ List Reversal
(figure: the concrete state for the list 1 → 2 → 3 → NULL with x, y and t; the code is that of slide 6)
64
Main Ingredients: Semantics of Statements
  • Predicate-update formulae for a statement
  • Describe how the interpretation of predicates changes by executing the statement
  • x = y changes the interpretation of x to that of y
  • x->next = y changes the interpretation of next such that n(l1, l2) = 1 for some l, l1, l2 with x(l) = 1, n(l, l1) = 1, and y(l2) = 1

65
Main Ingredients: Analysis
  • Abstract interpretation by evaluation over a 3-valued domain (1, 0, ½ ≡ don't know)
  • Kleene's interpretation of predicate logic
  • A system: TVLA
  • Input: operational semantics
  • Input: program
  • Output: the result of the analysis

66
Example: In-Situ List Reversal
(figure: an abstract state of the loop; the code is that of slide 6. The next edges leaving l1 and l3 are unknown: n(l1, ·) = ?, n(l3, ·) = ?, i.e. n(l1, ·) = 1/2 and n(l3, ·) = 1/2)
67
Formalizing . . .
(figure: informal picture of a state with pointer variable x, next to its formal counterpart)
68
Plan
  • Motivation
  • SWhile
  • An SOS for SWhile
  • An SOS for SWhile using predicate calculus
  • Simple abstract interpretation using 3-valued logic
  • More precise abstract interpretation: TVLA (next meeting)

69
Repetition
  • 3-valued logic based analysis
  • computes invariants about data structures: x points to an acyclic singly linked list
  • Semantics is formulated in 1st order predicate logic: x(v) = 1 if x points to v
  • 3rd value ½ to express "don't know"

70
The SWhile Programming Language: Abstract Syntax
sel ::= car | cdr
a   ::= x | x.sel | null | n | a1 opa a2
b   ::= true | false | not b | b1 opb b2 | a1 opr a2
S   ::= x := a | x.sel := a | x := malloc() | skip | S1; S2 | if b then S1 else S2 | while b do S
71
Dereferencing NULL pointers

    elem := c; found := false;
    while (c != null && !found) (
        if (elem->car == value) then found := true
        else elem := elem->cdr
    )
72
Structural Operational Semantics
  • The program state consists of
  • current allocated objects
  • a mapping from variables into atoms, objects, and
    null
  • a car mapping from objects into atoms, objects,
    and null
  • a cdr mapping from objects into atoms, objects,
    and null
  • malloc() allocates more objects
  • assignments update the state

73
Structural Operational Semantics
  • The program state S = <O, env, car, cdr>
  • current allocated objects O
  • atoms (integers, Booleans) A
  • env: Var → A ∪ O ∪ {null}
  • car: O → A ∪ O ∪ {null}
  • cdr: O → A ∪ O ∪ {null}

74
The meaning of expressions
  • A⟦a⟧: S → A ∪ O ∪ {null}

A⟦at⟧(s) = at
A⟦x⟧(<O, env, car, cdr>) = env(x)
75
Structural Semantics for SWhile (axioms)
[ass_v^sos]    <x := a, s = (O, e, car, cdr)> ⇒ (O, e[x ↦ A⟦a⟧s], car, cdr)
[ass_car^sos]  <x.car := a, (O, e, car, cdr)> ⇒ (O, e, car[e(x) ↦ A⟦a⟧s], cdr)   where env(x) ∈ O
[ass_cdr^sos]  <x.cdr := a, (O, e, car, cdr)> ⇒ (O, e, car, cdr[e(x) ↦ A⟦a⟧s])   where env(x) ∈ O
[ass_m^sos]    <x := malloc(), (O, e, car, cdr)> ⇒ (O ∪ {n}, e[x ↦ n], car, cdr)   where n ∉ O
[skip^sos]     <skip, s> ⇒ s
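As an added example (my code, not part of the slides), the interpreter below implements the structural operational semantics of slides 72–75 in Python: a state is the tuple <O, env, car, cdr>, malloc() picks an object not in O, and x.car / x.cdr on a value that is not an object has no rule, which the interpreter reports as a null dereference. It runs the reverse function of slide 6 written in SWhile, and the search loop of slide 71 whose condition tests c instead of elem. The tuple encoding of the syntax, the helper names (exec_s, make_list, cars_from, REVERSE, search) and the choice to set car and cdr of a freshly allocated object to null are my own assumptions.

```python
import operator

NULL = None  # SWhile's distinguished value null

# Expressions, my own tuple encoding of the grammar on slide 70:
#   ("null",) ("n", atom) ("x", name) ("sel", name, "car"|"cdr") ("opa", op, a1, a2)
#   ("true",) ("false",) ("not", b) ("opb", op, b1, b2) ("opr", op, a1, a2)
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul,
       "==": operator.eq, "!=": operator.ne, "<": operator.lt,
       "and": lambda p, q: p and q, "or": lambda p, q: p or q}

def eval_a(a, s):
    """A[[a]] s (slide 74): atoms are themselves, variables go through env, x.sel through car/cdr."""
    O, env, car, cdr = s
    tag = a[0]
    if tag == "null":
        return NULL
    if tag == "n":
        return a[1]
    if tag == "x":
        return env[a[1]]
    if tag == "sel":                      # only defined when env(x) is an allocated object
        obj = env[a[1]]
        if obj not in O:
            raise RuntimeError("null dereference of %s.%s" % (a[1], a[2]))
        return (car if a[2] == "car" else cdr)[obj]
    if tag == "opa":
        return OPS[a[1]](eval_a(a[2], s), eval_a(a[3], s))
    raise ValueError(a)

def eval_b(b, s):
    tag = b[0]
    if tag in ("true", "false"):
        return tag == "true"
    if tag == "not":
        return not eval_b(b[1], s)
    if tag == "opb":
        return OPS[b[1]](eval_b(b[2], s), eval_b(b[3], s))
    if tag == "opr":
        return OPS[b[1]](eval_a(b[2], s), eval_a(b[3], s))
    raise ValueError(b)

# Statements: ("skip",) ("assv", x, a) ("asssel", x, sel, a) ("malloc", x)
#             ("seq", S1, S2, ...) ("if", b, S1, S2) ("while", b, S)
def exec_s(S, s):
    O, env, car, cdr = s
    tag = S[0]
    if tag == "skip":                                        # [skip]
        return s
    if tag == "assv":                                        # [ass_v]: e[x -> A[[a]]s]
        return (O, {**env, S[1]: eval_a(S[2], s)}, car, cdr)
    if tag == "asssel":                                      # [ass_car]/[ass_cdr]: needs env(x) in O
        obj = env[S[1]]
        if obj not in O:
            raise RuntimeError("null dereference of %s.%s" % (S[1], S[2]))
        v = eval_a(S[3], s)
        return (O, env, {**car, obj: v}, cdr) if S[2] == "car" else (O, env, car, {**cdr, obj: v})
    if tag == "malloc":                                      # [ass_m]: n not in O
        n = max(O, default=-1) + 1
        # the slide leaves car/cdr of the new object unspecified; here they start as null (assumption)
        return (O | {n}, {**env, S[1]: n}, {**car, n: NULL}, {**cdr, n: NULL})
    if tag == "seq":
        for st in S[1:]:
            s = exec_s(st, s)
        return s
    if tag == "if":
        return exec_s(S[2] if eval_b(S[1], s) else S[3], s)
    if tag == "while":
        while eval_b(S[1], s):
            s = exec_s(S[2], s)
        return s
    raise ValueError(S)

def make_list(values):
    """Allocate a cdr-linked list holding `values` in car, leaving x at its head (constructed input)."""
    s = exec_s(("assv", "x", ("null",)), (frozenset(), {}, {}, {}))
    for v in reversed(values):
        s = exec_s(("seq", ("malloc", "t"), ("asssel", "t", "car", ("n", v)),
                    ("asssel", "t", "cdr", ("x", "x")), ("assv", "x", ("x", "t"))), s)
    return s

def cars_from(s, x):
    """Read the car values along cdr starting at env(x)."""
    O, env, car, cdr = s
    out, p = [], env[x]
    while p in O:
        out.append(car[p])
        p = cdr[p]
    return out

# reverse of slide 6 in SWhile: y := null; while x != null do (t := y; y := x; x := x.cdr; y.cdr := t)
REVERSE = ("seq", ("assv", "y", ("null",)),
           ("while", ("opr", "!=", ("x", "x"), ("null",)),
            ("seq", ("assv", "t", ("x", "y")), ("assv", "y", ("x", "x")),
                    ("assv", "x", ("sel", "x", "cdr")), ("asssel", "y", "cdr", ("x", "t")))))

def reverse_demo():
    s = exec_s(REVERSE, make_list([1, 2, 3]))
    return cars_from(s, "y"), s[1]["x"]                  # ([3, 2, 1], None)

def search(value):
    """The loop of slide 71: the condition tests c, which never changes, rather than elem."""
    return ("seq", ("assv", "elem", ("x", "c")), ("assv", "found", ("n", False)),
            ("while", ("opb", "and", ("opr", "!=", ("x", "c"), ("null",)),
                                     ("opr", "==", ("x", "found"), ("n", False))),
             ("if", ("opr", "==", ("sel", "elem", "car"), ("n", value)),
                    ("assv", "found", ("n", True)),
                    ("assv", "elem", ("sel", "elem", "cdr")))))

def null_deref_demo():
    """Searching a 3-cell list for a value that is absent runs elem past the last cell."""
    s = exec_s(("assv", "c", ("x", "x")), make_list([1, 2, 3]))
    try:
        exec_s(search(42), s)
        return None
    except RuntimeError as e:
        return str(e)                                    # 'null dereference of elem.car'
```

Because the SOS has no rule for x.sel when env(x) is not an object, the interpreter gets stuck exactly where the concrete program would fault; that stuck state is what the questions of slide 7 ask the analysis to predict without running the program.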
76
Structural Semantics for SWhile (rules)
77
Summary
  • The SOS is natural
  • Can handle
  • errors, e.g., null dereferences
  • free
  • garbage collection
  • But does not lead to an analysis
  • The set of potential objects is unbounded
  • Solution
  • Semantics coded as interpretation of a set of
    predicates
  • Reinterpreted over a three-valued domain with Kleene's interpretation

78
Predicate Logic
  • Vocabulary:
  • A finite set of predicate symbols P, each with a fixed arity
  • A finite set of function symbols
  • Logical structures S provide meaning for the predicate symbols:
  • A set of individuals (nodes) U^S
  • p^S: (U^S)^k → {0, 1} for p of arity k
  • First-order formulas using ∧, ∨, ¬, ∃, ∀ express properties

79
P = {x^1, y^1, car^2, cdr^2}
U^S = {l1, l2, l3}
x^S = {l1 ↦ 1, l2 ↦ 0, l3 ↦ 0}
y^S = {l1 ↦ 0, l2 ↦ 0, l3 ↦ 0}
car^S = {<l1, 1> ↦ 1, <l2, 2> ↦ 1, <l3, 3> ↦ 1, <l1, 0> ↦ 0, <l1, 2> ↦ 0, ..., <l2, 1> ↦ 0, <l2, 3> ↦ 0, ...}
cdr^S = {<l1, l1> ↦ 0, <l1, l2> ↦ 1, <l1, l3> ↦ 0, <l2, l1> ↦ 0, <l2, l2> ↦ 0, <l2, l3> ↦ 1, <l3, l1> ↦ 0, <l3, l2> ↦ 0, <l3, l3> ↦ 0}
80
Formal Semantics of First Order Formulae
  • For a structure S = <U^S, P^S>
  • Formula φ with free variables from a set LVar
  • Assignment z: LVar → U^S
  • ⟦φ⟧^S(z) ∈ {0, 1}

⟦1⟧^S(z) = 1
⟦0⟧^S(z) = 0
⟦p(v1, v2, ..., vk)⟧^S(z) = p^S(z(v1), z(v2), ..., z(vk))
81
Formal Semantics of 1st Order Formulae
  • For a structure S = <U^S, P^S>
  • Formulae φ with free variables in LVar
  • Assignment z: LVar → U^S
  • ⟦φ⟧^S(z) ∈ {0, 1}

⟦φ1 ∨ φ2⟧^S(z) = max(⟦φ1⟧^S(z), ⟦φ2⟧^S(z))
⟦φ1 ∧ φ2⟧^S(z) = min(⟦φ1⟧^S(z), ⟦φ2⟧^S(z))
⟦¬φ1⟧^S(z) = 1 − ⟦φ1⟧^S(z)
⟦∃v: φ1⟧^S(z) = max {⟦φ1⟧^S(z[v ↦ u]) | u ∈ U^S}
82
Using Predicate Logic to Describe States
  • U = O
  • For a pointer variable x define a unary predicate:
  • x(u) = 1 when env(x) = u and u is an object
  • Two binary predicates:
  • car(u1, u2) = 1 when car(u1) = u2 and u2 is an object
  • cdr(u1, u2) = 1 when cdr(u1) = u2 and u2 is an object

83
Semantics Described in Predicate Logic
  • First-order structures
  • hold recorded information about states
  • Formulae
  • means for querying structures describing states
  • Predicate-update formulae
  • operational semantics of statements
  • update recorded information about states

84
Recorded Information (for reverse)
85
Recorded Information (for reverse)
86
Formulae for Querying Structures
  • Are x and y pointer aliases?
  • ∃v: x(v) ∧ y(v)
  • Does x point to a cell with a self cycle?
  • ∃v: x(v) ∧ n(v, v)

87
Are x and y Pointer Aliases?
∃v: x(v) ∧ y(v)
(figure: a structure with individuals u1, u2, u3, u4 on which the formula is evaluated)
88
Predicate-Update Formulae for y = NULL
  • x'(v) = x(v)
  • y'(v) = 0
  • t'(v) = t(v)
  • n'(v1, v2) = n(v1, v2)

89
Predicate-Update Formulae for y = NULL
y'(v) = 0
90
Predicate-Update Formulae for y = x
  • x'(v) = x(v)
  • y'(v) = x(v)
  • t'(v) = t(v)
  • n'(v1, v2) = n(v1, v2)

91
Predicate-Update Formulae for y = x
y'(v) = x(v)
92
Predicate-Update Formulae for x = x->n
  • x'(v) = ∃v1: x(v1) ∧ n(v1, v)
  • y'(v) = y(v)
  • t'(v) = t(v)
  • n'(v1, v2) = n(v1, v2)

93
Predicate-Update Formulae for x = x->n
x'(v) = ∃v1: x(v1) ∧ n(v1, v)
(figure: x and y over a structure with individuals u1, u2, u3, u4, before and after the update)
94
Predicate-Update Formulae for y->n = t
  • x'(v) = x(v)
  • y'(v) = y(v)
  • t'(v) = t(v)
  • n'(v1, v2) = (¬y(v1) ∧ n(v1, v2)) ∨ (y(v1) ∧ t(v2))
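Added example, my code rather than the authors' or TVLA's: a Python evaluator for the formula semantics of slides 80–81 applied to the predicate-update formulae of slides 88–94. It runs the loop body of reverse on the concrete 3-cell list and reads the reversed list back from y; it then applies the same x = x->n formula to a structure in which the n edge out of a cell is only "maybe" (slide 66) and obtains ½, with no change to the evaluator, which is the point of slide 65. The tuple encoding of formulas and structures, the helper names (ev, update, cells_from) and the t = y formula (written by analogy with the y = x slide) are my assumptions.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)   # the third truth value, "don't know"

# Formulas (my tuple encoding): ("const", c) ("p", name, v1, ...) ("and", f, g) ("or", f, g)
# ("not", f) ("exists", v, f) ("forall", v, f).
# A structure is {"U": [individuals], "P": {name: {tuple: value}}}; absent tuples have value 0.
def ev(phi, S, z):
    """[[phi]]^S(z) with the max / min / 1-x clauses of slides 80-81; over values {0, 1/2, 1}
    the same clauses are Kleene's 3-valued semantics."""
    tag = phi[0]
    if tag == "const":
        return phi[1]
    if tag == "p":
        return S["P"][phi[1]].get(tuple(z[v] for v in phi[2:]), 0)
    if tag == "or":
        return max(ev(phi[1], S, z), ev(phi[2], S, z))
    if tag == "and":
        return min(ev(phi[1], S, z), ev(phi[2], S, z))
    if tag == "not":
        return 1 - ev(phi[1], S, z)
    if tag == "exists":
        return max(ev(phi[2], S, {**z, phi[1]: u}) for u in S["U"])
    if tag == "forall":
        return min(ev(phi[2], S, {**z, phi[1]: u}) for u in S["U"])
    raise ValueError(phi)

def update(S, stmt):
    """stmt maps each predicate to (parameters, update formula). Every new value is computed
    from the OLD structure, so the four formulas of a slide are applied simultaneously."""
    newP = {name: {tup: ev(phi, S, dict(zip(params, tup)))
                   for tup in product(S["U"], repeat=len(params))}
            for name, (params, phi) in stmt.items()}
    return {"U": S["U"], "P": newP}

# identity updates for the predicates of reverse; each statement overrides one of them
ID = {"x": (("v",), ("p", "x", "v")), "y": (("v",), ("p", "y", "v")),
      "t": (("v",), ("p", "t", "v")), "n": (("v1", "v2"), ("p", "n", "v1", "v2"))}
Y_NULL = {**ID, "y": (("v",), ("const", 0))}                       # slide 88
T_Y = {**ID, "t": (("v",), ("p", "y", "v"))}                       # t = y, by analogy (assumed)
Y_X = {**ID, "y": (("v",), ("p", "x", "v"))}                       # slide 90
X_XN = {**ID, "x": (("v",), ("exists", "v1",                       # slide 92
                             ("and", ("p", "x", "v1"), ("p", "n", "v1", "v"))))}
YN_T = {**ID, "n": (("v1", "v2"),                                  # slide 94
                    ("or", ("and", ("not", ("p", "y", "v1")), ("p", "n", "v1", "v2")),
                           ("and", ("p", "y", "v1"), ("p", "t", "v2"))))}

def cells_from(S, var):
    """Follow n from the cell var points to (meaningful for 2-valued structures)."""
    P, out = S["P"], []
    cur = [u for u in S["U"] if P[var].get((u,), 0) == 1]
    while cur:
        u = cur[0]
        out.append(u)
        cur = [w for w in S["U"] if P["n"].get((u, w), 0) == 1]
    return out

def reverse_demo():
    """reverse's loop as predicate updates on the constructed concrete list u1 -> u2 -> u3."""
    S = {"U": ["u1", "u2", "u3"],
         "P": {"x": {("u1",): 1}, "y": {}, "t": {}, "n": {("u1", "u2"): 1, ("u2", "u3"): 1}}}
    S = update(S, Y_NULL)
    while ev(("exists", "v", ("p", "x", "v")), S, {}) == 1:       # while (x != NULL)
        for stmt in (T_Y, Y_X, X_XN, YN_T):
            S = update(S, stmt)
    return cells_from(S, "y"), cells_from(S, "x")                 # (['u3', 'u2', 'u1'], [])

def three_valued_step():
    """x = x->n where n(u1, u) is 1/2 (slide 66): the new x(u) is 1/2, computed by the same ev."""
    S = {"U": ["u1", "u"],
         "P": {"x": {("u1",): 1}, "y": {}, "t": {}, "n": {("u1", "u"): HALF, ("u", "u"): HALF}}}
    return update(S, X_XN)["P"]["x"][("u",)]                       # 1/2
```

Note that update() recomputes all predicates from the structure before the statement; sequencing the four formulas of one slide would be wrong, since for example y->n = t reads y and t as they were before the assignment.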

95
Two- vs. Three-Valued Logic
½ stands for the set {0, 1}:
0 ⊑ {0, 1}
1 ⊑ {0, 1}
96
Two- vs. Three-Valued Logic
Two-valued logic

    ∧ | 1  0
    --+-----
    1 | 1  0
    0 | 0  0

    ∨ | 1  0
    --+-----
    1 | 1  1
    0 | 1  0
97
Two- vs. Three-Valued Logic
Three-valued logic
98
Three-Valued Logic
  • 1: True
  • 0: False
  • 1/2: Unknown
  • A join semi-lattice: 0 ⊔ 1 = 1/2

99
Boolean Connectives (Kleene)
100
The Abstraction Principle
  • Partition the individuals into equivalence
    classes based on the values of their unary
    predicates
  • Collapse other predicates via ⊔

101
The Abstraction Principle
102
What Stores Does a 3-Valued Structure Represent?
  • Example 3-valued structure
  • individuals u1
  • predicates
  • graphical presentation
  • concrete stores represented

103
What Stores Does a 3-Valued Structure Represent?
  • Example 3-valued structure
  • graphical presentation
  • concrete stores

104
What Stores Does a 3-Valued Structure Represent?
  • Example 3-valued structure
  • graphical presentation
  • concrete stores

105
Property-Extraction Principle
  • Questions about store properties can be answered conservatively by evaluating formulae in three-valued logic
  • Formula evaluates to 1 ⇒ formula always holds in every store
  • Formula evaluates to 0 ⇒ formula never holds in any store
  • Formula evaluates to 1/2 ⇒ don't know

106
The Embedding Theorem (Intuition)
  • Property of Canonical Abstraction
  • definitive information, i.e. with value 0 or 1, is preserved (conservatism)
  • allows trading precision for efficiency (up to
    surprises)

107
The Embedding Theorem
  • If a structure B can be embedded into a structure S via a surjective (onto) function f such that the interpretation of predicates is preserved, i.e., p^B(u1, ..., uk) ⊑ p^S(f(u1), ..., f(uk))
  • Then the interpretation of every formula φ is preserved:
  • φ = 1 in S ⇒ φ = 1 in B
  • φ = 0 in S ⇒ φ = 0 in B
  • φ = 1/2 in S ⇒ don't know

108
Are x and y Pointer Aliases?
∃v: x(v) ∧ y(v)
109
Is Cell u Heap-Shared?
∃v1, v2: n(v1, u) ∧ n(v2, u) ∧ v1 ≠ v2
(figure: a structure containing the cell u)
110
Is Cell u Heap-Shared?
∃v1, v2: n(v1, u) ∧ n(v2, u) ∧ v1 ≠ v2
111
The Instrumentation Principle
  • So far, structures could be queried by evaluating
    a formula
  • However, often low precision
  • Increase precision by storing the truth-value of
    some designated formulae
  • Introduce predicate-update formulae to update the
    extra predicates

112
Example: Heap Sharing
is(v) = ∃v1, v2: n(v1, v) ∧ n(v2, v) ∧ v1 ≠ v2
113
Example: Heap Sharing
is(v) = ∃v1, v2: n(v1, v) ∧ n(v2, v) ∧ v1 ≠ v2
114
Example: Heap Sharing
is(v) = ∃v1, v2: n(v1, v) ∧ n(v2, v) ∧ v1 ≠ v2
(figures: structures with x pointing into cells u and u1, each node labelled with its stored is value, 1 or 0)
115
Is Cell u Heap-Shared?
∃v1, v2: n(v1, u) ∧ n(v2, u) ∧ v1 ≠ v2
(figure: an abstract structure whose nodes both carry is = 0)
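As an added example (my code, not the authors' or TVLA's), the following Python puts the abstraction principle of slide 100, the embedding condition of slide 107 and the instrumentation principle of slides 111–115 side by side. It abstracts two constructed heaps, an acyclic list and a list in which two variables reach the same cell: without an instrumentation predicate the sharing query on the summary node evaluates to ½, whereas after is(v) is stored as a unary predicate before abstraction, the summary nodes carry a definite 0 and the shared cell a definite 1. The function names (canonical_abstraction, embeds, with_is, shared), the node names a0, a1, ... and the sample heaps are my assumptions.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)

def join(a, b):
    """0 ⊔ 1 = 1/2 in the information order of slide 98 (definite values sit below 1/2)."""
    return a if a == b else HALF

def info_leq(a, b):
    """a ⊑ b: a value is below itself and every value is below 1/2."""
    return a == b or b == HALF

def shared(S, u):
    """is(u) = ∃v1,v2: n(v1,u) ∧ n(v2,u) ∧ v1≠v2 with Kleene min/max (slides 109, 112).
    v≠v is 0 on a concrete cell but 1/2 on a summary node, which may stand for several cells."""
    best = 0
    for v1, v2 in product(S["U"], repeat=2):
        neq = 1 if v1 != v2 else (HALF if S["summary"][v1] else 0)
        best = max(best, min(S["n"].get((v1, u), 0), S["n"].get((v2, u), 0), neq))
    return best

def concrete(U, n, **pointers):
    """A 2-valued structure: individuals U, binary n, one unary predicate per pointer variable."""
    return {"U": list(U), "n": dict(n), "summary": {u: False for u in U},
            "unary": {x: {u: 1} for x, u in pointers.items()}}

def with_is(S):
    """Instrumentation principle (slide 111): store is(v) as an extra unary predicate."""
    return {**S, "unary": {**S["unary"], "is": {u: shared(S, u) for u in S["U"]}}}

def canonical_abstraction(S):
    """Slide 100: merge individuals that agree on every unary predicate (a class with more than
    one member is a summary node); n between two classes is the join of all concrete n values."""
    names = sorted(S["unary"])
    classes, f = {}, {}
    for u in S["U"]:
        key = tuple(S["unary"][p].get(u, 0) for p in names)
        f[u] = classes.setdefault(key, "a%d" % len(classes))
    A = {"U": list(classes.values()), "n": {}, "summary": {}, "unary": {p: {} for p in names}}
    for a in A["U"]:
        members = [u for u in S["U"] if f[u] == a]
        A["summary"][a] = len(members) > 1
        for p in names:                    # all members agree, so any member's value will do
            A["unary"][p][a] = S["unary"][p].get(members[0], 0)
    for u, v in product(S["U"], repeat=2):
        old, val = A["n"].get((f[u], f[v])), S["n"].get((u, v), 0)
        A["n"][(f[u], f[v])] = val if old is None else join(old, val)
    return A, f

def embeds(S, A, f):
    """Hypothesis of the embedding theorem (slide 107): p^S(u..) ⊑ p^A(f(u)..) for every tuple."""
    ok = all(info_leq(S["unary"][p].get(u, 0), A["unary"][p].get(f[u], 0))
             for p in S["unary"] for u in S["U"])
    return ok and all(info_leq(S["n"].get((u, v), 0), A["n"].get((f[u], f[v]), 0))
                      for u, v in product(S["U"], repeat=2))

# Constructed sample heaps (my own input, not from the slides).
ACYCLIC = concrete(["u1", "u2", "u3", "u4", "u5"],
                   {("u1", "u2"): 1, ("u2", "u3"): 1, ("u3", "u4"): 1, ("u4", "u5"): 1}, x="u1")
SHARED = concrete(["u1", "u2", "u3", "u4", "u5"],
                  {("u1", "u3"): 1, ("u2", "u3"): 1, ("u3", "u4"): 1, ("u4", "u5"): 1},
                  x="u1", y="u2")

def demo(S):
    """Returns (both abstractions embed S, sharing query on the summary node without `is`,
    sorted is values stored on the abstract nodes when `is` is an instrumentation predicate)."""
    A, f = canonical_abstraction(S)
    summary = next(a for a in A["U"] if A["summary"][a])
    S2 = with_is(S)
    A2, f2 = canonical_abstraction(S2)
    return (embeds(S, A, f) and embeds(S2, A2, f2),
            shared(A, summary),                          # 1/2: don't know
            sorted(A2["unary"]["is"].values()))         # definite 0 / 1 per abstract node
```

The same shared() function serves three roles: on a concrete structure it computes the instrumentation predicate, on an abstract structure it is the property-extraction query of slide 105, and comparing the two outputs shows why storing is(v) before abstraction is more precise than re-evaluating the formula afterwards.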
116
Example 2: Sortedness
inOrder(v) = ∀v1: n(v, v1) → dle(v, v1)
(figures: lists linked by n on which every cell carries inOrder = 1)
117
Example 2: Sortedness
inOrder(v) = ∀v1: n(v, v1) → dle(v, v1)
(figures: lists linked by n, with x pointing into cell u, in which one cell carries inOrder = 0 and the others inOrder = 1)
118
Shape Analysis via Abstract Interpretation
  • Iteratively compute a set of 3-valued structures for every program point
  • Every statement transforms structures according to the predicate-update formulae
  • use 3-valued logic instead of 2-valued logic
  • use exactly the predicate-update formulae of the concrete semantics!!

119
Predicate-Update Formulae for y = x
y'(v) = x(v)
120
Predicate-Update Formulae for x = x->n
x'(v) = ∃v1: x(v1) ∧ n(v1, v)
121
Summary
  • Predicate logic allows one to express naturally the operational semantics of languages with pointers and dynamically allocated objects
  • 3-valued logic provides a sound solution