Title: Symbolically Computing Most-Precise Abstract Operations for Shape Analysis
Slide 1: Symbolically Computing Most-Precise Abstract Operations for Shape Analysis
Greta Yorsh. Joint work with Thomas Reps and Mooly Sagiv.
Slide 2: Why use a theorem prover?
- Guarantee the most-precise result w.r.t. the abstraction
- Modular reasoning
  - assume-guarantee reasoning
  - scalability
Slide 3: Outline
- Background
- The assume Operation
- The assume Algorithm
- canonical abstraction
- Main Results
- Future Work
Slide 4: Shape Analysis
- Static program analysis
- Determine shape invariants
- Verify programs (partially)
  - Detect memory errors
  - Prove properties about dynamically allocated data
  - Detect logical errors
- Code optimizations
- Abstract Interpretation [CC77]
  - Galois Connection (α, γ)
Slide 5: Concretization Function γ
(diagram: γ maps an element of the Abstract Domain to a set of states in the Concrete Domain)
Slide 6: Abstraction Function α
(diagram: α maps a set C of states in the Concrete Domain to an element of the Abstract Domain)
Slide 7: Galois Connection (α, γ)
(diagram: C in the Concrete Domain and α(C) in the Abstract Domain, with arrows for α and γ)
Slide 8: Most Precise Abstract Value
(diagram: C, α(C), α and γ as on slide 7; α(C) is the most precise abstract value for C)
Slide 9: New Approach
- Use symbolic techniques in abstract interpretation
  - For shape analysis
  - For other abstract domains
- What does it mean to employ a decision procedure/theorem prover for shape analysis?
  - symbolic concretization
  - decision procedure for satisfiability
Slide 10: Symbolic Concretization γ̂(a)
(diagram: abstract values a1, a2 in the Abstract Domain, their symbolic concretizations among the Formulas, and the sets of states they denote in the Concrete Domain)
Slide 11: Outline
- Background
- The assume Operation
- The assume Algorithm
- canonical abstraction
- Main Results
- Future Work
Slide 12: Assume-Guarantee Reasoning
(diagram: procedure `T bar()` with specification (pre_bar, post_bar), and procedure `void foo()` with specification (pre_foo, post_foo), whose body declares `T p; ... p = bar(); ...`. Verifying foo against the specification of bar: assume pre_foo at entry; assert pre_bar before the call; assume post_bar after the call; assert post_foo at exit. Abstract values <top>, <a1>, <a2>, <a3>, <a4> label the program points.)
Slides 13-15: The assume_φ(a) Operation
(diagrams: abstract value a in the Abstract Domain with concretization γ(a) in the Concrete Domain; formula φ among the Formulas; X is the set of states in γ(a) that satisfy φ; assume_φ(a) = α(X), the most precise abstract value whose concretization γ(α(X)) contains X)
Slide 16: Outline
- Shape Analysis
- The assume Operation
- The assume Algorithm
- canonical abstraction
- Main Results
- Future Work
Slides 17-20: The assume_φ(a) Algorithm
(diagrams: starting from a and γ(a) in the Concrete Domain, with X the states of γ(a) satisfying φ, the algorithm narrows the abstract value step by step until it reaches assume_φ(a) = α(X))
Slide 21: Outline
- Shape Analysis
- The assume Operation
- The assume Algorithm
- canonical abstraction
- Main Results
- Future Work
Slide 22: Abstraction Function α
α(C) = { β(S) | S ∈ C }
(diagram: C, a set of 2-valued logical structures in the Concrete Domain, is mapped by α to α(C), a set of 3-valued logical structures in the Abstract Domain)
Slide 23: Describing the Heap Using a Logical Structure
- Definition of a linked list: `struct List { int d; struct List *n; }`
- Cyclic linked list of length 4 pointed to by variable x (diagram: x → u1 → u2 → u3 → u4 → u1)
  - structure S = ⟨U, x, n, r_x⟩
  - universe U = {u1, u2, u3, u4}
  - unary relation x = {u1}
  - binary relation n = {⟨u1, u2⟩, ⟨u2, u3⟩, ⟨u3, u4⟩, ⟨u4, u1⟩}
  - unary relation r_x = {u1, u2, u3, u4}
  - unary relation c = {u1, u2, u3, u4}
Slide 24: 3-Valued Logical Structures
- Relation meaning over {0, 1, ½}
  - Kleene
  - 1: True
  - 0: False
  - ½: Unknown
- A join semi-lattice: 0 ⊔ 1 = ½
Slides 25-26: Canonical Abstraction β
(diagram: concrete structure with individuals u1, u2, u3, u4, each labelled c, r_x, with x pointing to u1 and n-edges u1 → u2 → u3 → u4 → u1; β maps it to an abstract structure with node u1 and summary node u2, which represents u2, u3 and u4)
- Unary relations have definite values
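As an added example (not code from the slides or from TVLA), the canonical abstraction β of slides 23-26 in Python: it maps the 2-valued structure of the cyclic list of length 4 to a 3-valued structure with node u1 and a summary node for u2, u3, u4, computing binary relation values with the Kleene join 0 ⊔ 1 = ½. The input structure is constructed from slide 23; the dictionary representation, the sm summary predicate and the function names are assumptions of this example.

```python
from itertools import product

HALF = 0.5  # Kleene's third truth value "unknown" (1/2)

# Constructed input: the 2-valued structure S from the slides, a cyclic singly
# linked list of length 4 pointed to by x, with r_x (reachable from x) and
# c (lies on a cycle) already computed for every individual.
U = ["u1", "u2", "u3", "u4"]
UNARY = {"x": {"u1"}, "rx": set(U), "c": set(U)}
BINARY = {"n": {("u1", "u2"), ("u2", "u3"), ("u3", "u4"), ("u4", "u1")}}

def join(values):
    """Least upper bound in the join semilattice {0, 1} <= 1/2: 0 join 1 = 1/2."""
    vals = set(values)
    return vals.pop() if len(vals) == 1 else HALF

def canonical_abstraction(universe, unary, binary):
    """beta: merge individuals with the same canonical name (the set of unary
    relations true of them) into one abstract node. A node standing for several
    individuals is a summary node (sm = 1/2); each binary relation value is the
    Kleene join over all concrete pairs the two nodes represent."""
    def name(u):
        return tuple(sorted(p for p, ext in unary.items() if u in ext))

    nodes = {}  # canonical name -> set of concrete individuals it summarizes
    for u in universe:
        nodes.setdefault(name(u), set()).add(u)
    abstract = {
        "nodes": nodes,
        "sm": {a: (HALF if len(us) > 1 else 0) for a, us in nodes.items()},
        # unary values are definite by construction: p holds on node a iff p is in a
        "unary": {p: {a: (1 if p in a else 0) for a in nodes} for p in unary},
        "binary": {},
    }
    for p, ext in binary.items():
        abstract["binary"][p] = {
            (a, b): join(1 if (u, v) in ext else 0
                         for u, v in product(nodes[a], nodes[b]))
            for a, b in product(nodes, repeat=2)
        }
    return abstract

def unary_is_definite(abstract):
    """The slide's claim: every unary relation is 0 or 1 (never 1/2) on every node."""
    return all(v != HALF for vals in abstract["unary"].values() for v in vals.values())

if __name__ == "__main__":
    A = canonical_abstraction(U, UNARY, BINARY)
    for (a, b), v in sorted(A["binary"]["n"].items()):
        print(f"n({'+'.join(a)}, {'+'.join(b)}) = {v}")  # 1/2 edges are the dashed ones
```

Running it shows n from u1 to the summary node as ½ (only one of the three represented pairs has an edge) and n from u1 to itself as 0, which is the picture on slide 25.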
Slides 27-28: Concretization Function γ
(diagram: a in the Abstract Domain, its symbolic concretization γ̂(a) among the Formulas, and γ(a) in the Concrete Domain)
γ̂(a) = ∃v1, v2. node_u1(v1) ∧ node_u2(v2) ∧ (∀w. node_u1(w) ∨ node_u2(w)) ∧ (∀w1, w2. node_u1(w1) ∧ node_u1(w2) → (w1 = w2) ∧ ¬n(w1, w2))
Integrity rules: IR ≡ unique_x ∧ function_n ∧ reachable_x ∧ cyclic_n
unique_x ≡ ∀v1, v2. x(v1) ∧ x(v2) → v1 = v2
function_n ≡ ∀v, v1, v2. n(v, v1) ∧ n(v, v2) → v1 = v2
reachable_x ≡ ∀v. r_x(v) ↔ ∃v1. x(v1) ∧ n*(v1, v)
cyclic_n ≡ ∀v. c(v) ↔ ∃v1. n(v, v1) ∧ n*(v1, v)
Slide 29: Outline
- Shape Analysis
- The assume Operation
- The assume Algorithm
- canonical abstraction
- Main Results
- Future Work
Slide 30: Example
(diagram: abstract value a with x → u1 and summary node u2, both labelled c, r_x; statement y = x->n)
φ ≡ ∃v1. y(v1) ∧ ∃v2. x(v2) ∧ n(v1, v2)
IR ≡ unique_x ∧ unique_y ∧ reachable_x ∧ reachable_y ∧ cyclic_n ∧ function_n
Slide 31: The assume_φ(a) Algorithm
assume_φ(a) : set of 3-valued structures
  // initialization
  for all S ∈ a
    if γ̂(S) ∧ φ is satisfiable then W ← W ∪ {S}
  // phase 1: node materialization
  while there is S ∈ W with p(u) = ½ do
    duplicate nodes and deduce their unary relations using calls to the theorem prover
  // phase 2: relation refinement
  while there is S ∈ W with p(u1, u2) = ½ do
    duplicate structures and deduce their binary relations using calls to the theorem prover
  return W
Slide 32: Example - Materialization
(diagram S: x → u1 and summary node u2, both labelled c, r_x)
Materialization: u2 → u_y, u2 with y(u_y) = 1, y(u2) = 0
Slide 33: Example - Materialization
(diagram: x → u1, the materialized node u_y with y → u_y, and summary node u2; nodes labelled c, r_x and r_y)
Slide 34: Example - Refinement
(diagram: x → u1, u_y, u2, labelled c, r_x, r_y; y → u_y; the indefinite binary value n(u2, u_y) is being refined)
Slide 35: Example
(diagram: a, φ and IR as on slide 30, next to the 3-valued structures computed by assume_φ(a): each has x → u1 and y → u_y, with nodes labelled c, r_x, r_y)
Slide 36: Algorithm
assume_φ(a) : set of 3-valued structures
  for all S ∈ a
    if γ̂(S) ∧ φ is satisfiable then W ← W ∪ {S}
  // phase 1: materialization
  while there is S ∈ W with p(u) = ½ do
    W ← W \ {S}
    if γ̂(S) ∧ φ ∧ φ_{p,u} is satisfiable then W ← W ∪ {S'}
    if γ̂(S0) ∧ φ is satisfiable then W ← W ∪ {S0}
    if γ̂(S1) ∧ φ is satisfiable then W ← W ∪ {S1}
  // phase 2: relation refinement
  while there is S ∈ W with p(u1, u2) = ½ do
    if γ̂(S) ∧ φ ∧ φ_{p,u1,u2} is not satisfiable then W ← W \ {S}
    if γ̂(S0) ∧ φ is satisfiable then W ← W ∪ {S0}
    if γ̂(S1) ∧ φ is satisfiable then W ← W ∪ {S1}
  return W
Slide 37: Theorem Prover
- Satisfiability of FOTC
- Calls to the theorem prover need not terminate
- Experience with SPASS
- Solutions?
Slide 38: SPASS Experience
- Handles arbitrary FO formulas
  - Can diverge
  - Converges in our examples
  - Captures older shape analysis algorithms
- How to handle FOTC?
  - Overapproximations are not good enough
    - Lead to too many structures
Slide 39: Theorem Prover
- Satisfiability of FOTC
- Calls to the theorem prover need not terminate
- Experience with SPASS
- Solutions
  - timeout and return ½
  - decidable logic
- Bad news
  - Even ∃∀TC is undecidable
  - Reduction to the halting problem
Slide 40: ∃∀DTC[E] Logic
- Neil Immerman, Alexander Rabinovich
- ∃∀DTC[E] is a subset of FOTC
  - ∃∀ form
  - arbitrary unary relations
  - single binary relation E
  - deterministic transitive closure of E(v, w)
    - E-path through individuals with at most one successor
- Decidable for satisfiability
  - NEXPTIME-complete
Slide 41: Simulation Technique
- Simulate regular data structures using ∃∀DTC[E]
  - Singly linked list
    - shared/cyclic/nested
  - Doubly linked list
  - (Shared) Trees
- Preserved under mutations
Slide 42: Outline
- Shape Analysis
- The assume Operation
- The assume Algorithm
- canonical abstraction
- Main Results
- Future Work
Slide 43: Most-precise Operations
- Most-precise abstract value
- Best transformer
  - statement
  - loop-free fragment
Slide 44: Best Transformer BT(a, t)
(diagram: abstract value a, the concrete transformer t applied to its concretization in the Concrete Domain giving the set C, and BT(a, t) = α(C) in the Abstract Domain)
Slide 45: Most-precise Operations
- Most-precise abstract value
- Best transformer
  - statement
  - loop-free fragment
- Meet operation
- Assume-guarantee reasoning
  - procedure specifications
Slide 46: Conclusions
- Employ a decision procedure/theorem prover for shape analysis
  - most precise
  - modular: assume-guarantee reasoning
Slide 47: Future Work
- Implementation
- Assume-guarantee for real programs
  - specification language
  - write procedure specifications
- Extend to other domains
Slide 48: THE END