Finite Differencing of Logical Formulas for Static Analysis

Slides: 74
Provided by: thoma424

Transcript and Presenter's Notes
1
Finite Differencing of Logical Formulas for
Static Analysis
  • Thomas Reps
  • University of Wisconsin

Joint work with M. Sagiv and A. Loginov
2
Dynamic Algorithms
  • This meeting, this community, . . .
  • Dynamic algorithms for better efficiency
  • This talk
  • Dynamic updates expressed via logical formulas
  • DB maintenance of materialized views
  • Dynamic descriptive complexity
  • Dyn-FO [Patnaik & Immerman]
  • FOIES [Dong & Su]
  • Dynamic algorithms for greater precision (avoid
    loss of information)

3
  • The administrator of the U.S.S. Yorktown's
    Standard Monitoring Control System entered 0 into
    a data field for the Remote Data Base Manager
    program. That caused the database to overflow
    and crash all LAN consoles and miniature remote
    terminal units.
  • The Yorktown was dead in the water for about two
    hours and 45 minutes.

4
Analysis must track numeric information
  • A sailor on the U.S.S. Yorktown entered a 0 into
    a data field in a kitchen-inventory program.
    That caused the database to overflow and crash
    all LAN consoles and miniature remote terminal
    units.
  • The Yorktown was dead in the water for about two
    hours and 45 minutes.

5
need to track values other than 0
  x = 3; y = 1/(x-3);
need to track pointers
  x = 3; px = &x; y = 1/(*px-3);
need to track dynamically allocated storage
  x = 3; p = (int *)malloc(sizeof(int)); *p = x; q = *p; y = 1/(q-3);
6
Static Analysis
  • Determine information about the possible
    situations that can arise at execution time,
    without actually running the program on
    particular inputs
  • Typically
  • Run the program on aggregate values, which
    describe many stores all at once
  • For each point in the program, find a descriptor
    that represents (a superset of) the stores that
    could possibly arise at that point

7
Static Analysis
  • Determine information about the possible
    situations that can arise at execution time,
    without actually running the program on
    particular inputs
  • Typically
  • For each point in the program, find a descriptor
    that represents (a superset of) the stores that
    could possibly arise at that point
  • Correctness of analysis justified via abstract
    interpretation [Cousot & Cousot 77]

8
Static Analysis

  typedef struct list_cell {
    int val;
    struct list_cell *next;
  } *List;

  List reverse(List x) {
    List y, t;
    y = NULL;
    while (x != NULL) {
      t = y;
      y = x;
      x = x->next;
      y->next = t;
    }
    return y;
  }

9
Static Analysis
  (same code as slide 8)

10-31
Example: In-Situ List Reversal
  (Slides 10-31 repeat the reverse code above and step through the
  loop body on shape graphs of the list cells reachable from x, y and t,
  with NULL marking the end of each list; slide 14 is the step labelled
  "Materialization", where a summary node is split out.)
33
What Does a List Descriptor Describe?
  [Figure: one list descriptor and the concrete lists it represents]
34
Pointer analysis? Points-to analysis? Alias analysis? Shape analysis?
  • Dynamic storage allocation
  • Destructive updating through pointers
35
Why is Shape Analysis Difficult?
  • Destructive updating through pointers
  • p->next = q
  • Produces complicated aliasing relationships
  • Dynamic storage allocation
  • No bound on the size of run-time data structures

36
Formalizing . . .
  • Informally: [Figure: a linked list pointed to by x]
37
Using Relations to Represent Linked Lists
38
Using Relations to Represent Linked Lists
39
Canonical Abstraction
40
Canonical Abstraction
41
Canonical Abstraction
42
  [Figure: definite (1) and absent (0) relation values in a canonical abstraction]
43
44
Formalizing . . .
  • Informally: [Figure: x and y both pointing to the head of a list]
  • Formally: [Figure: 3-valued structure with individuals u1 (the head
    cell) and u2 (summary node for the remaining cells); x and y point to u1]
  • Really tables for x, y, and n

    x(v):       u1  1    u2  0
    y(v):       u1  1    u2  0

    n(v1,v2)    v2 = u1   v2 = u2
    v1 = u1        0         ½
    v1 = u2        0         ½
45
Good Descriptors?
46
Good Descriptors?
47
Formalizing . . .
  • Informally
  • Formally
48
Formalizing . . .
  • Informally: [Figure: list cells pointed to by x, t and y]
  • Formally: [Figure: the corresponding 3-valued structure]
49
Formalizing . . .
  • Informally
  • Formally: [Figure: structure over individuals u1-u4]
50
Formalizing . . .
  • Informally: [Figure: concrete store with cells u1-u8, pointed to by x, t and y]
  • Formally: [Figure: structure over individuals u1-u8]
51
Formalizing . . .
  • Formally: [Figure: structure over individuals u1-u8]
  • Really

    p (relation)            ψ_p (definition)
    var(v)                  core
    n(v1,v2), eq(v1,v2)     core
    rvar(v)                 ∃v1: var(v1) ∧ n*(v1,v)
52
Formalizing . . .
  • Formally: [Figure: structure over individuals u1-u8]
  • Really

    n(v1,v2)    u1   u2   u3   u4   ...
    u1           0    ½    0    0
    u2           0    ½    ½    0
    u3           0    0    0    ½
    u4           0    0    0    ½
    ...

    t(v)        u1  u2  u3  u4  u5  u6  u7  u8
                 0   0   1   0   0   0   0   0

    rt(v)       u1  u2  u3  u4  u5  u6  u7  u8
                 0   0   1   1   0   0   0   0
53
Need for Update Formulas
  • Re-evaluating formulas can be imprecise

    rx(v) = ∃v1: x(v1) ∧ n*(v1,v)

  [Figure: before the statement x = x->n, x points to the first cell and
  rx holds (1) on every cell; after it, re-evaluating rx on the summary
  node gives only ½]
54
Need for Update Formulas
  • Re-evaluating formulas can be imprecise

    rx(v)   = ∃v1: x(v1) ∧ n*(v1,v)
    F_rx(v) = rx(v) ∧ ¬x(v)

  [Figure: for x = x->n, re-evaluation gives rx = ½ on the summary node,
  while the update formula F_rx gives rx = 1]
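The imprecision that slides 53 and 54 illustrate, worked through in code. This is an added example, not code from the talk or from TVLA: it evaluates rx(v) = ∃v1: x(v1) ∧ n*(v1,v) in Kleene's 3-valued logic on the two-node structure of slide 44 (x on u1, u2 a summary node, the table values taken from the slide), then applies the statement x = x->n both by re-evaluating rx from its definition and by the update formula F_rx(v) = rx(v) ∧ ¬x(v). The fixed-point computation of n*, the modelling of the statement's effect on x, and the stored value rx = 1 on both nodes (every concrete cell was reachable from x when the abstraction was built) are my assumptions.

```python
# Added example (not from the slides or TVLA): 3-valued evaluation of the
# instrumentation relation rx on the two-node structure of the slides,
# comparing re-evaluation after x = x->n with the finite-differencing update.

UNIVERSE = ("u1", "u2")       # u2 is the summary node (hence the ½ entries)

# Kleene's 3-valued logic on {0, ½, 1}: ∧ = min, ∨ = max, ¬ = 1 - v, ∃ = max.
def t_and(a, b): return min(a, b)
def t_or(a, b): return max(a, b)
def t_not(a): return 1 - a
def exists(f): return max(f(v) for v in UNIVERSE)

def closure(n):
    """n*(v1,v2) as a least fixed point: eq(v1,v2) ∨ ∃v: n*(v1,v) ∧ n(v,v2)."""
    star = {(a, b): 1 if a == b else 0 for a in UNIVERSE for b in UNIVERSE}
    changed = True
    while changed:
        changed = False
        for a in UNIVERSE:
            for b in UNIVERSE:
                new = t_or(star[(a, b)],
                           exists(lambda c: t_and(star[(a, c)], n[(c, b)])))
                if new != star[(a, b)]:
                    star[(a, b)], changed = new, True
    return star

def eval_rx(x, n):
    """Evaluate the defining formula rx(v) = ∃v1: x(v1) ∧ n*(v1,v) from scratch."""
    star = closure(n)
    return {v: exists(lambda v1: t_and(x[v1], star[(v1, v)])) for v in UNIVERSE}

# Structure constructed from the slide's tables: x points to u1, the n-edges
# into the summary node are indefinite (½), and the stored instrumentation
# relation rx is definite (1) on both nodes (assumption: every concrete cell
# was reachable from x when the abstraction was built).
X = {"u1": 1, "u2": 0}
N = {("u1", "u1"): 0, ("u1", "u2"): 0.5, ("u2", "u1"): 0, ("u2", "u2"): 0.5}
RX = {"u1": 1, "u2": 1}

def advance_x(x, n):
    """Effect of x = x->n on the core relation x: x'(v) = ∃v1: x(v1) ∧ n(v1,v)."""
    return {v: exists(lambda v1: t_and(x[v1], n[(v1, v)])) for v in UNIVERSE}

def rx_by_reevaluation(x=X, n=N):
    """After x = x->n, recompute rx from its defining formula (loses precision)."""
    return eval_rx(advance_x(x, n), n)

def rx_by_update_formula(x=X, rx=RX):
    """After x = x->n, maintain rx with F_rx(v) = rx(v) ∧ ¬x(v), using the
    values of rx and x from before the statement."""
    return {v: t_and(rx[v], t_not(x[v])) for v in UNIVERSE}

if __name__ == "__main__":
    print("rx from scratch on the original structure:", eval_rx(X, N))
    print("after x = x->n, re-evaluated:   ", rx_by_reevaluation())
    print("after x = x->n, update formula:", rx_by_update_formula())
```

Note that even on the original structure, re-evaluating the definition yields only ½ for the summary node, because n* has to pass through an indefinite edge; the definite value 1 stored in rx is information that came from the concrete store and that no re-evaluation can recover. The update formula keeps it (rx becomes 0 on the cell x left behind and stays 1 on the summary node), which is the precision argument the slides make.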
55
Goal: Create Update Formulas Automatically
  • Originally users provided all update formulas
  • A lot of work
  • Error prone
  • Idea: finite differencing of formulas

    p_new(v) = F_p,st(v) = p(v) ? ¬Δ⁻p,st(v) : Δ⁺p,st(v)

    Δ⁻p,st(v)   negative difference
    Δ⁺p,st(v)   positive difference
    F_p,st(v)   update formula
56
Finite Differencing of Formulas
  • F_p(v) = p(v) ? ¬Δ⁻p(v) : Δ⁺p(v)

  [Figure: the sets p, Δ⁻p and Δ⁺p, and the resulting F_p]
57
Laws for Δ
  [Laws for Δ applied to the constants 0 and 1, to negation, to
  conjunction and to ∃v; the formulas themselves are not recoverable]
58
Finite Differencing of Formulas
  • σ: core update
  • S': updated core structure
  • ψ_p: instrumentation relation formula
  • p: instrumentation relation

  [Figure: commuting square S --σ--> S'; evaluating ψ_p in S gives p and
  evaluating ψ_p in S' gives p', while the update formula carries p to p'
  directly]
59
Maintenance of Materialized DB Views
  • U: database update
  • DB': updated database
  • Q: view query
  • V: view value

  [Figure: the same square DB --U--> DB'; Q(DB) = V, Q(DB') = V', and the
  view update U_V carries V to V' directly]
  DB: efficiency. Static analysis: avoid loss of precision (½).
60
TC Maintenance for Single Edge Addition in
Arbitrary Graphs
  • Let tn(v1,v2) = n*(v1,v2)
  • F_tn(v1,v2) = tn(v1,v2) ∨
    ∃v1',v2': tn(v1,v1') ∧ Δn(v1',v2') ∧ tn(v2',v2)

61
TC Maintenance in FO Logic
  • 3 special cases [Dong & Su, Immerman]
  • Acyclic relations
  • Relations with all nodes of outdegree at most 1
  • Undirected relations
  • For a single edge addition or deletion (not both)

62
TC Maintenance for Single Edge Deletion in
Acyclic Graphs
  [Figure: nodes a and b before and after the edge between them is deleted]
63
Suspicious Pairs
  • Suspicious tn pairs (a,b)
  • S(v1,v2) = ∃v1',v2': tn(v1,v1') ∧ Δ⁻n(v1',v2') ∧ tn(v2',v2)

  [Figure: nodes a and b]
64
Suspicious Pairs (cont.)
  • Suspicious tn pairs (a,b) but not (c,d)
  • S(v1,v2) = ∃v1',v2': tn(v1,v1') ∧ Δ⁻n(v1',v2') ∧ tn(v2',v2)

  [Figure: nodes a, b, c and d]
65
Trusty Pairs
  • Trusty pairs (c,d) but not (a,b)
  • non-suspicious tn pairs (not using the deleted
    edge).
  • T(v1,v2) = tn(v1,v2) ∧ ¬S(v1,v2)

  [Figure: nodes a, b, c and d]
66
TC Maintenance for Single Edge Deletion in
Acyclic Graphs (cont.)
  • Future tn pairs
  • F_tn(v1,v2) = equal(v1,v2) ∨
    ∃v1',v2': T(v1,v1') ∧ Fn(v1',v2') ∧ T(v2',v2)

  [Figure: nodes a and b]
67-69
TC Maintenance for Single Edge Deletion in
Acyclic Graphs (cont.)
  (Slides 67-69 repeat the formula above for "future tn pairs" and
  "future tn paths", with figures over nodes a, b, c and d.)
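The maintenance formulas of slide 60 (single edge addition, arbitrary graphs) and slides 63-66 (single edge deletion, acyclic graphs, via suspicious and trusty pairs), evaluated in ordinary 2-valued logic. This is an added example, not code from the talk or from TVLA: it builds tn = n* for a small constructed graph, applies the slides' formulas for one edge change, and checks the maintained relation against recomputing the closure from scratch. The graph, node names and helper names are my own.

```python
# Added example (not from the slides or TVLA): 2-valued evaluation of the
# transitive-closure maintenance formulas from the "TC Maintenance" slides,
# checked against recomputing tn = n* after the edge change.
from itertools import product

def closure(nodes, edges):
    """tn(v1,v2): reflexive transitive closure of the edge relation n."""
    tn = {(v, v) for v in nodes} | set(edges)
    while True:
        step = {(a, d) for (a, b) in tn for (c, d) in edges if b == c}
        if step <= tn:
            return tn
        tn |= step

def is_acyclic(nodes, edges):
    tn = closure(nodes, edges)
    return not any((b, a) in tn for (a, b) in edges)

def tn_after_insert(nodes, tn, new_edge):
    """Slide 60 (arbitrary graphs):
    F_tn(v1,v2) = tn(v1,v2) ∨ ∃v1',v2': tn(v1,v1') ∧ Δn(v1',v2') ∧ tn(v2',v2)."""
    a, b = new_edge                      # Δn holds only for the added edge
    return tn | {(v1, v2) for v1, v2 in product(nodes, nodes)
                 if (v1, a) in tn and (b, v2) in tn}

def tn_after_delete(nodes, edges, tn, deleted):
    """Slides 63-66 (acyclic graphs): returns (F_tn, S, T)."""
    if deleted not in edges:
        raise ValueError("can only delete an existing edge")
    if not is_acyclic(nodes, edges):
        raise ValueError("the deletion formula assumes an acyclic graph")
    a, b = deleted                       # Δ⁻n holds only for the deleted edge
    # S(v1,v2) = ∃v1',v2': tn(v1,v1') ∧ Δ⁻n(v1',v2') ∧ tn(v2',v2)
    suspicious = {(v1, v2) for v1, v2 in product(nodes, nodes)
                  if (v1, a) in tn and (b, v2) in tn}
    # T(v1,v2) = tn(v1,v2) ∧ ¬S(v1,v2)
    trusty = tn - suspicious
    # Fn: the edge relation after the deletion
    new_edges = edges - {deleted}
    # F_tn(v1,v2) = equal(v1,v2) ∨ ∃v1',v2': T(v1,v1') ∧ Fn(v1',v2') ∧ T(v2',v2)
    future = {(v, v) for v in nodes}
    future |= {(v1, v2) for v1, v2 in product(nodes, nodes)
               if any((v1, c) in trusty and (d, v2) in trusty
                      for (c, d) in new_edges)}
    return future, suspicious, trusty

# Constructed sample graph (acyclic): two routes from a to c, so deleting
# (b,c) leaves a -> c and a -> d intact but removes b -> c, b -> d, b -> e.
NODES = {"a", "b", "c", "d", "e"}
EDGES = {("a", "b"), ("b", "c"), ("c", "d"), ("a", "c"), ("d", "e")}

def check_delete(nodes=NODES, edges=EDGES):
    """Maintained closure equals the recomputed one for every single deletion."""
    tn = closure(nodes, edges)
    return all(tn_after_delete(nodes, edges, tn, e)[0] == closure(nodes, edges - {e})
               for e in edges)

def check_insert(nodes=NODES, edges=EDGES):
    """Same for every single addition, including ones that create a cycle."""
    tn = closure(nodes, edges)
    candidates = {(u, v) for u, v in product(nodes, nodes) if u != v} - edges
    return all(tn_after_insert(nodes, tn, e) == closure(nodes, edges | {e})
               for e in candidates)

if __name__ == "__main__":
    tn = closure(NODES, EDGES)
    future, s, t = tn_after_delete(NODES, EDGES, tn, ("b", "c"))
    print("suspicious pairs:", sorted(s))
    print("still reachable after deleting (b,c):", sorted(p for p in future if p[0] != p[1]))
    print("deletion formula agrees with recomputation:", check_delete())
    print("addition formula agrees with recomputation:", check_insert())
```

The deletion check shows why the pair (a,d) is suspicious yet survives: a reaches d without the deleted edge, and the formula recovers that through the trusty pair (c,d) and the remaining edge (a,c). Removing the acyclicity guard and feeding a cyclic graph is the case the slides exclude, and the slide 71 results note that such relations were detected rather than maintained.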
70
Evaluation

  Data structure        Sample properties
  Singly linked list    Partial correctness of sorting; absence of insecure
                        information flow; merge preserves the ADT and loses
                        no elements of either list
  Doubly linked list    Append and Delete preserve the ADT
  Binary tree           Deutsch-Schorr-Waite preserves the ADT
  Binary-search tree    Insert and Delete preserve the ADT

Measure of success: fraction of automatically generated update formulas
that are as precise as existing hand-crafted update formulas
71
Results
  • 100% success (acyclic relations)
  • Cyclic relations correctly detected in 3 programs
  • Performance effect was modest
  • -4% (a decrease) to +44%
  • average 15%
  • Can be improved (e.g., caching of results)

72
Related Work
  • Optimization of set-theoretic expressions
  • [Paige 79], [Paige & Koenig 82]
  • [Fong & Ullman] (late 70s)
  • DB view maintenance, enforcing integrity
    constraints
  • [Stonebraker 75], [Paige 81], [Horwitz & Teitelbaum 86]
  • Large body of DB literature in the 90s
  • Dynamic descriptive complexity (Dyn-FO, FOIES)
  • [Patnaik & Immerman 94], [Dong & Su 93]
  • Incrementalizing functional programs
  • [Liu 95], [Liu & Teitelbaum 95]

73
For More Information
  • Reps, T., Sagiv, M., and Loginov, A., Finite
    differencing of logical formulas for static
    analysis. In Proc. European Symp. on Programming,
    LNCS Vol. 2618, 2003.
  • Sagiv, M., Reps, T., and Wilhelm, R., Parametric
    shape analysis via 3-valued logic. ACM TOPLAS
    24, 3 (2002).
  • Homepage for the TVLA system:
    http://www.math.tau.ac.il/~rumster/TVLA/

74
Finite Differencing of Logical Formulas for
Static Analysis
  • Thomas Reps
  • University of Wisconsin

Joint work with M. Sagiv and A. Loginov