Abstract Interpretation with Alien Expressions and Heap Structures - PowerPoint PPT Presentation

Bor-Yuh Evan Chang K. Rustan M. Leino UC Berkeley Microsoft Research November 11, 2004 OSQ Meeting – PowerPoint PPT presentation

Transcript and Presenter's Notes

1
Abstract Interpretation with Alien Expressions and Heap Structures
  • Bor-Yuh Evan Chang (UC Berkeley), K. Rustan M. Leino (Microsoft Research)
  • November 11, 2004
  • OSQ Meeting

2
Standard Abstract Interpretation
  • y := 8; x := 0;
  • while (*) {
  •   y := y + x;
  •   x++;
  • }
  • ⇒ y ≥ 8
  • Can do this inference with the polyhedra abstract domain [CH79]

3
Standard Abstract Interpretation
  • this.y := 8; this.x := 0;
  • while (*) {
  •   this.y := this.y + this.x;
  •   this.x++;
  • }
  • ⇒ this.y ≥ 8 ?
  • Goal: given a base domain that can infer a certain kind of predicate on variables, use it to infer predicates on fields

4
Achieving the Goal
  • Handling Alien Expressions / Uninterpreted Functions
  • Handling Heap Updates

5
Abstract Domains
  • interface AbstractDomain
  •   type Elt
  •   Constrain : Elt × Expr → Elt
  •   Eliminate : Elt × Var → Elt
  •   Rename : Elt × Var × Var → Elt
  •   ToPredicate : Elt → Expr
  •   Join : Elt × Elt → Elt
  •   AtMost : Elt × Elt → bool

6
Fooling the Base Domains
  • assume o.f = 8
  • Constrain( sel(H,o,f) = 8 )
  • Congruence-Closure Domain / Name Service: sel(H,o,f) ↦ α (a SymbolicValue)
  • Constrain( α = 8 )
  • Base Domains (e.g. Polyhedra)

7
Understandable to the Base Domain
  • Understands : FunSymbol × Expr → bool
  • [Figure: expression tree for 2 x sel(H,o,f) y - z; the operator symbols between the terms were lost in extraction]

8
Understandable to the Base Domain
  • [Figure: the same tree with each node annotated by the base domain's Understands answer (Yes or No); sel is the node it does not understand]

9
Understandable to the Base Domain
  • [Figure: the alien subexpression sel(H,o,f) replaced by a symbolic value α, giving 2 x α y - z]

10
Understandable to the Base Domain
  • [Figure: the query repeated on the rewritten tree; a subtree the base domain still does not understand is replaced by a further symbolic value, until the expression it receives, 2 x α β, is built only from symbols it understands]

11
Congruence-Closure Domain
  • Could always choose new names, but
  •   should use the same name for syntactically equivalent expressions
  •   even better: the same name for known equalities
  • Tracks equalities of uninterpreted functions
  •   an e-graph with abstract domain operations
  •   symbolic values name equivalence classes of expressions
  •   implements congruence closure

12
E-Graph
  • w = f(x) ∧ g(x,y) = f(y) ∧ w = h(w)
  • A set of mappings
  •   w ↦ α
  •   x ↦ β
  •   f(β) ↦ α
  •   y ↦ γ
  •   g(β,γ) ↦ δ
  •   f(γ) ↦ δ
  •   h(α) ↦ α
  • Always congruence-closed

13
Join
  • Join the e-graphs, then join the base domains
  • Think of the lattice over conjunctions of equalities (including infinite ones)
  • Let G = Join(G0, G1)
  •   x ↦G ⟨α,β⟩ if x ↦G0 α and x ↦G1 β
  •   f(⟨α,β⟩) ↦G ⟨γ,δ⟩ if f(α) ↦G0 γ and f(β) ↦G1 δ
  • Rename distinct pairs to fresh symbolic values

14
Join
  • Complexity: O(nm)
  • Complete? As precise as possible?
  • No, e-graphs do not form a lattice!
  •   x = y  ⊔  (g(x) = g(y) ∧ x = f(x) ∧ y = f(y))
  •   = ⋀_{i ≥ 0} g(f^i(x)) = g(f^i(y))
  • Only relatively complete [Gulwani et al.]
  • Tell base domains about renaming
  •   ⟨α,β⟩ ↦ γ  ⇒  Constrain_B0( γ = α ), Constrain_B1( γ = β )

15
So Far We Have
  • Reasoning for uninterpreted functions
  • Base domains that work with alien expressions
    transparently
  • What we need for field reads
  • sel is alien to all base domains
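
As an added example (not code from the slides or from the authors' system), the following Python sketch implements the pieces described in slides 6 and 11 to 14: a name service that maps alien terms such as sel(H,o,f) to symbolic values, a congruence-closed e-graph over those values, the translation of a client expression into one the base domain understands, and the report of merged names to the base domain. The base domain here is an intervals domain standing in for polyhedra; the tuple encoding of expressions, the class names and the `$n` naming scheme are assumptions made for this illustration.

```python
# Added example (not from the slides or the authors' implementation): a toy
# congruence-closure "name service" in front of a base domain, covering slides
# 6, 11-12 and 14. The expression encoding, the intervals base domain (standing
# in for polyhedra) and the $n symbolic-value names are all assumptions.
from typing import Dict, List, Tuple, Union

Expr = Union[str, int, tuple]           # variable | constant | (fun, arg, ...)
BASE_FUNS = {"+", "-", "*", "<=", "="}  # symbols the toy base domain understands
INF = float("inf")

class EGraph:
    """Each alien term gets a symbolic value ($n); congruent terms share a class."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}         # union-find over symbolic values
        self.apps: Dict[tuple, str] = {}         # (fun, arg classes) -> symbolic value
        self.merged: List[Tuple[str, str]] = []  # (kept, dropped) merges to report

    def find(self, v: str) -> str:
        while self.parent[v] != v:
            v = self.parent[v]
        return v

    def name(self, e: Expr) -> str:
        """Symbolic value for e, reusing the class of any congruent term."""
        fun, args = (e[0], e[1:]) if isinstance(e, tuple) else (e, ())
        key = (fun, *[self.name(a) for a in args])       # arguments by class
        if key not in self.apps:
            v = f"${len(self.parent) + 1}"
            self.parent[v] = self.apps[key] = v
        return self.find(self.apps[key])

    def union(self, a: str, b: str) -> None:
        """Merge two classes, then restore congruence: f(x) = f(y) once x = y."""
        worklist = [(a, b)]
        while worklist:
            rx, ry = (self.find(v) for v in worklist.pop())
            if rx != ry:
                self.parent[ry] = rx
                self.merged.append((rx, ry))
                rekeyed: Dict[tuple, str] = {}
                for (fun, *args), v in self.apps.items():
                    key = (fun, *[self.find(z) for z in args])
                    if key in rekeyed:                   # congruent applications
                        worklist.append((rekeyed[key], v))
                    rekeyed.setdefault(key, v)
                self.apps = rekeyed

    def to_base(self, e: Expr) -> Expr:
        """Replace each maximal alien subexpression by its symbolic value (slide 9)."""
        if isinstance(e, int):
            return e
        if isinstance(e, tuple) and e[0] in BASE_FUNS:
            return (e[0], *[self.to_base(a) for a in e[1:]])
        return self.name(e)

class Intervals:
    """Toy base domain: understands only  v = c,  v >= c,  v <= c  over names v."""

    def __init__(self) -> None:
        self.bounds: Dict[str, Tuple[float, float]] = {}

    def constrain(self, atom: Expr) -> None:
        rel, v, c = atom
        if not (isinstance(v, str) and isinstance(c, int)):
            return                                       # not understood: drop it (sound)
        lo, hi = self.bounds.get(v, (-INF, INF))
        lo = max(lo, c) if rel in ("=", ">=") else lo
        hi = min(hi, c) if rel in ("=", "<=") else hi
        self.bounds[v] = (lo, hi)

    def rename(self, keep: str, drop: str) -> None:       # two names merged (slide 14)
        lo1, hi1 = self.bounds.pop(drop, (-INF, INF))
        lo2, hi2 = self.bounds.get(keep, (-INF, INF))
        self.bounds[keep] = (max(lo1, lo2), min(hi1, hi2))

class Combined:
    """Congruence-closure domain wrapped around the base domain (slide 6)."""

    def __init__(self) -> None:
        self.eg, self.base = EGraph(), Intervals()

    def constrain(self, pred: Expr) -> None:
        rel, lhs, rhs = pred
        if rel == "=" and not isinstance(rhs, int):       # term equality: merge classes
            self.eg.union(self.eg.name(lhs), self.eg.name(rhs))
            while self.eg.merged:                          # report merges to the base
                self.base.rename(*self.eg.merged.pop(0))
            return
        self.base.constrain((rel, self.eg.to_base(lhs), self.eg.to_base(rhs)))

    def query(self, e: Expr) -> Tuple[float, float]:
        return self.base.bounds.get(self.eg.name(e), (-INF, INF))

def demo() -> dict:
    d = Combined()
    d.constrain(("=", ("sel", "H", "o", "f"), 8))                  # assume o.f = 8
    alien = d.eg.to_base(("<=", ("+", ("*", 2, "x"), ("sel", "H", "o", "f")), ("-", "y", "z")))
    before = d.query(("sel", "H", "p", "f"))                       # p.f still unknown
    d.constrain(("=", "p", "o"))                                    # learn p = o
    after = d.query(("sel", "H", "p", "f"))                        # congruence: p.f is o.f
    return {"alien": alien, "before": before, "after": after}
```

`demo()` returns the client expression as the base domain sees it (only `+`, `*`, `-`, `<=` and symbolic values remain), the unknown bounds on p.f before p = o is learned, and the bounds (8, 8) afterwards: once p and o share a class, sel(H,p,f) is congruent to sel(H,o,f) and inherits its symbolic value, so the base domain's fact applies without it ever seeing a heap read.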

16
Achieving the Goal
  • Handling Alien Expressions / Uninterpreted Functions
  • Handling Heap Updates

17
Heap Updates
  • Java/C#:  if (p.g == 8) o.f = x;
  • Abstract interpreter:  assume H[p,g] = 8;  H := upd(H,o,f,x)
  •   sel(upd(H,o,f,e),o',f') = e  if o = o' and f = f'
  •   sel(upd(H,o,f,e),o',f') = sel(H,o',f')  if o ≠ o' or f ≠ f'

18
Heap Updates
  • Java/C#:  if (p.g == 8) o.f = x;
  • Abstract interpreter:  assume H[p,g] = 8;  H := H' where H' ≡_{o,f} H and sel(H',o,f) = x

19
Heap Updates
  • Abstract interpreter:  assume H[p,g] = 8;  H := H' where H' ≡_{o,f} H and sel(H',o,f) = x
  • Abstract domain:
  •   Constrain( sel(H,p,g) = 8 )
  •   Constrain( H' ≡_{o,f} H )  (tracked by a new base domain: Heap Succession)
  •   Constrain( sel(H',o,f) = x )
  •   Eliminate( H )
  •   Rename( H', H )
  •   ToPredicate()

20
Heap Update Example
Constrain( sel(H,p,g) = 8 ); Constrain( H' ≡_{o,f} H ); Constrain( sel(H',o,f) = x ); Eliminate( H ); Rename( H', H ); ToPredicate()
  • Heap Succession: H' ≡_{o,f} H
  • E-Graph:
  •   sel(H,p,g) ↦ α,  8 ↦ α
  •   sel(H',o,f) ↦ β,  x ↦ β
  •   H, H', p, g, o, f each ↦ its own symbolic value

24
Heap Update Example
Constrain( sel(H,p,g) = 8 ); Constrain( H' ≡_{o,f} H ); Constrain( sel(H',o,f) = x ); Eliminate( H ); Rename( H', H ); ToPredicate()
  • Heap Succession: H' ≡_{o,f} H
  • E-Graph:
  •   sel(H,p,g) ↦ α,  8 ↦ α
  •   sel(H',o,f) ↦ β,  x ↦ β
  •   H, H', p, g, o, f each ↦ its own symbolic value
  • Eliminate( H ):
  •   Collect garbage (H)
  •   EquivalentExpr : Queryable × Expr × Var → Expr option, asked of the Heap Succession domain for sel(H,p,g): Yes, use H'
  •   Eliminate( H ) on the base domains
  • ToPredicate() on the base domains and convert Expr for the client
  •   Add equalities
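
As an added example (not from the slides or the authors' system), here is the heap-succession step of slides 17 to 24 run over symbolic facts: a field update o.f := x introduces H' ≡_{o,f} H and sel(H',o,f) = x, Eliminate(H) asks the heap succession domain for an H-free equivalent of each sel(H,p,g) (the "Yes, use H'" answer, justified by the second sel/upd rule of slide 17), and Rename(H', H) restores the heap name. It also exercises the case the side condition guards against: when the written field is the same and p may alias o, the old fact about p.g has to be dropped unless p ≠ o is known. The tuple encoding of expressions, the `HeapSuccession` class and its distinctness facts are assumptions made for this illustration.

```python
# Added example (not from the slides or the authors' implementation): the heap
# succession step for a field update  o.f := x  (slides 17-19, 24) on symbolic
# heap facts. The expression encoding, the HeapSuccession class and the name H'
# for the successor heap are assumptions made for this illustration.
from typing import Dict, FrozenSet, List, Optional, Set, Tuple, Union

Expr = Union[str, int, tuple]   # variable | constant | (fun, arg, ...), e.g. ("sel", "H", "p", "g")


class HeapSuccession:
    """Base domain tracking facts  H' ≡_{o,f} H : heap H' equals H except at o.f."""

    def __init__(self) -> None:
        self.succ: Dict[str, Tuple[str, str, str]] = {}  # H' -> (o, f, H)
        self.distinct: Set[FrozenSet[str]] = set()       # object pairs known unequal

    def constrain_update(self, new: str, o: str, f: str, old: str) -> None:
        self.succ[new] = (o, f, old)

    def constrain_distinct(self, a: str, b: str) -> None:
        self.distinct.add(frozenset((a, b)))

    def equivalent_expr(self, e: Expr, var: str) -> Optional[Expr]:
        """EquivalentExpr query (slide 24): an expression equal to e that avoids
        var, or None when this domain cannot justify one."""
        if not (isinstance(e, tuple) and e[0] == "sel" and e[1] == var):
            return None
        _, h, p, g = e
        for new, (o, f, old) in self.succ.items():
            # slide 17: sel(upd(H,o,f,x),p,g) = sel(H,p,g) when g ≠ f or p ≠ o;
            # distinct field names are distinct fields, objects need a known fact
            if old == h and (g != f or frozenset((p, o)) in self.distinct):
                return ("sel", new, p, g)
        return None

    def eliminate(self, var: str) -> None:
        self.succ = {n: s for n, s in self.succ.items() if var not in (n, s[2])}


def rewrite(e: Expr, var: str, hs: HeapSuccession) -> Optional[Expr]:
    """Rewrite e so that it no longer mentions var; None if that is not possible."""
    if isinstance(e, tuple):
        if e[0] == "sel" and e[1] == var:
            return hs.equivalent_expr(e, var)
        args = [rewrite(a, var, hs) for a in e[1:]]
        return None if any(a is None for a in args) else (e[0], *args)
    return None if e == var else e


def eliminate(facts: List[Expr], var: str, hs: HeapSuccession) -> List[Expr]:
    """Eliminate(var) on the client's facts: a fact that cannot be re-expressed
    without var is dropped, which loses precision but stays sound."""
    kept = [rewrite(f, var, hs) for f in facts]
    return [f for f in kept if f is not None]


def rename(facts: List[Expr], old: str, new: str) -> List[Expr]:
    def go(e: Expr) -> Expr:
        if isinstance(e, tuple):
            return (e[0], *[go(a) for a in e[1:]])
        return new if e == old else e
    return [go(f) for f in facts]


def field_update(facts: List[Expr], hs: HeapSuccession, o: str, f: str, rhs: Expr,
                 heap: str = "H", fresh: str = "H'") -> List[Expr]:
    """Abstract transfer function for  o.f := rhs  (slides 18-19): Constrain(H' ≡_{o,f} H),
    Constrain(sel(H',o,f) = rhs), Eliminate(H) in every domain, Rename(H', H)."""
    hs.constrain_update(fresh, o, f, heap)
    facts = facts + [("=", ("sel", fresh, o, f), rhs)]
    facts = eliminate(facts, heap, hs)
    hs.eliminate(heap)               # the succession fact itself mentions H
    return rename(facts, fresh, heap)


def demo() -> Tuple[List[Expr], List[Expr], List[Expr]]:
    state = [("=", ("sel", "H", "p", "g"), 8)]                  # constructed: assume p.g = 8
    kept = field_update(state, HeapSuccession(), "o", "f", "x")  # o.f := x; g ≠ f, so p.g = 8 survives
    lost = field_update(state, HeapSuccession(), "o", "g", "x")  # o.g := x; p may alias o: p.g = 8 dropped
    hs = HeapSuccession()
    hs.constrain_distinct("p", "o")
    safe = field_update(state, hs, "o", "g", "x")                # o.g := x with p ≠ o known: p.g = 8 survives
    return kept, lost, safe
```

The three results of `demo()` show the precision trade-off: the fact about p.g is carried across the update when the fields differ or the objects are known distinct, and is discarded otherwise, because keeping it would be unsound under aliasing.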

25
Related Work
  • Join for Uninterpreted Functions [Gulwani, Tiwari, Necula]
  • Shape Analysis [many], and TVLA [Sagiv, Reps, Wilhelm, ...]

26
Conclusion
  • Extended the power of abstract domains to work with alien expressions using the congruence-closure domain
  • Added reasoning about heap updates with the heap succession domain
  • Close to having cooperating abstract interpreters?
  •   Missing: propagating back equalities inferred by base domains

27
Thank you!
  • Questions? Comments?