1
Program Analysis via 3-Valued Logic
  • Thomas Reps
  • University of Wisconsin

Joint work with Mooly Sagiv and Reinhard Wilhelm
2
Example In-Situ List Reversal
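/*
 * In-situ (destructive) reversal of a singly linked list -- the running
 * example of these slides.  The extracted listing had lost every operator
 * and brace; this is the same code with the punctuation restored.
 *
 * x:       head of the list to reverse.  The properties the analysis
 *          establishes on slide 49 are stated for an acyclic input list;
 *          nothing here checks that precondition at run time.
 * returns: the new head (the old tail); NULL for an empty list.  On return
 *          the cell that was the old head has next == NULL.  x is a
 *          by-value parameter, so the caller's own pointer is untouched.
 *
 * NOTE: `List` is a typedef of a pointer type.  That is kept because the
 * slides use it, although hiding indirection behind a typedef is normally
 * discouraged.
 */
typedef struct list_cell {
    int val;
    struct list_cell *next;
} *List;

List reverse(List x)
{
    List y = NULL;   /* head of the already-reversed prefix */
    List t;

    while (x != NULL) {
        t = y;          /* remember the reversed prefix            */
        y = x;          /* take the current head ...               */
        x = x->next;    /* ... advance along the remaining suffix  */
        y->next = t;    /* ... and splice the head onto the prefix */
    }
    return y;
}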
3
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
4
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
5
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
6
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
7
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
8
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
9
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
10
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
11
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
12
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
13
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
14
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
15
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
16
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t
NULL
1
2
3
NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
17
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
18
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
19
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
20
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t

NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
21
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
Materialization
22
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
23
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
24
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
25
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
26
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
27
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
28
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
29
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
30
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
31
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
32
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
33
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
34
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
35
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
36
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
37
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t



List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
38
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
39
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
40
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
41
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
42
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
43
Example In-Situ List Reversal
typedef struct list_cell int val
struct list_cell next List
y
t


NULL
List reverse (List x) List y, t y
NULL while (x ! NULL) t y
y x x x ? next y ? next
t return y
x
44
Original Problem: Shape Analysis
  • Characterize dynamically allocated data
  • x points to an acyclic list, cyclic list, tree,
    dag, etc.
  • data-structure invariants
  • Identify may-alias relationships
  • Establish disjointness properties
  • x and y point to structures that do not share
    cells

45
Formalizing . . .
Informal
x
Summary node
46
Why is Shape Analysis Difficult?
  • Destructive updating through pointers
  • p->next = q
  • Produces complicated aliasing relationships
  • Dynamic storage allocation
  • No bound on the size of run-time data structures
  • Data-structure invariants typically only hold at
    the beginning and end of operations
  • Need to verify that data-structure invariants are
    re-established

47
Applications: Code Optimization
  • Machine-independent optimizations
  • constant propagation
  • loop-invariant code motion
  • common subexpression elimination
  • Machine-dependent optimizations
  • register allocation
  • parallelization
  • software prefetching
  • Insert storage-reclamation operations
  • Eliminate or move checking code

48
Applications: Software Tools
  • Static detection of memory errors (cleanness)
  • dereferencing NULL pointers
  • dereferencing dangling pointers
  • memory leaks
  • Static detection of logical errors
  • Is a shape invariant restored?
  • What is in the heap?
  • list? doubly-linked list? tree? DAG?
  • disjoint? intertwined?

49
Properties of reverse(x)
  • On entry x points to an acyclic list
  • On exit y points to an acyclic list
  • On exit x == NULL (reverse's local copy of the argument; the caller's pointer is passed by value and is not modified)
  • On each iteration, x and y point to disjoint
    acyclic lists
  • All the pointer dereferences are safe
  • No memory leaks

50
A Yacc for Shape Analysis: TVLA
  • Parametric framework
  • Some instantiations ⇒ known analyses
  • Other instantiations ⇒ new analyses

51
A Yacc for Shape Analysis: TVLA
  • Parametric framework
  • Some instantiations ⇒ known analyses
  • Other instantiations ⇒ new analyses
  • Applications beyond shape analysis
  • Partial correctness of sorting algorithms
  • Safety of mobile code
  • Deadlock detection in multi-threaded programs
  • Partial correctness of mark-and-sweep gc alg.

52
A Yacc for Static Analysis: TVLA
  • Parametric framework
  • Some instantiations ⇒ known analyses
  • Other instantiations ⇒ new analyses
  • Applications beyond shape analysis
  • Partial correctness of sorting algorithms
  • Safety of mobile code
  • Deadlock detection in multi-threaded programs
  • Partial correctness of mark-and-sweep gc alg.

53
A Yacc for Static Analysis(Using Logic)
  • Correctness proofs via inductive-assertion
    method
  • Proof derivation via weakest-precondition
    calculus
  • Annotate your loops with invariants!

54
A Yacc for Static Analysis(Using Logic)
I learned many things and equally important
I unlearned many things. S.K. Allison
  • Correctness proofs via inductive-assertion
    method
  • Proof derivation via weakest-precondition
    calculus
  • Annotate your loops with invariants!

55
A Yacc for Static Analysis(Using Logic)
  • First-order structures ( predicate tables)
  • hold recorded information
  • model-theoretic approach, not proof-theoretic
  • Formulae
  • means for observing information
  • Predicate-update formulae
  • operational semantics
  • update recorded information

56
Recorded Information (for reverse)
57
Recorded Information (for reverse)
58
Formulae for Observing Properties
  • Are x and y pointer aliases?
  • ∃v: x(v) ∧ y(v)
  • Does x point to a cell with a self cycle?
  • ∃v: x(v) ∧ n(v,v)
  • Is cell v heap-shared?
  • ∃v1,v2: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2

59
Are x and y Pointer Aliases?
∃v: x(v) ∧ y(v)
u2
u3
u4
u1
60
Predicate-Update Formulae for y = NULL
  • x'(v) = x(v)
  • y'(v) = 0
  • t'(v) = t(v)
  • n'(v1,v2) = n(v1,v2)

61
Predicate-Update Formulae for y = NULL
y'(v) = 0
62
Predicate-Update Formulae for y = x
  • x'(v) = x(v)
  • y'(v) = x(v)
  • t'(v) = t(v)
  • n'(v1,v2) = n(v1,v2)

63
Predicate-Update Formulae for y = x
y'(v) = x(v)
64
Predicate-Update Formulae for x = x->n
  • x'(v) = ∃v1: x(v1) ∧ n(v1,v)
  • y'(v) = y(v)
  • t'(v) = t(v)
  • n'(v1,v2) = n(v1,v2)

65
Predicate-Update Formulae for x = x->n
x'(v) = ∃v1: x(v1) ∧ n(v1,v)
x
y
u2
u3
u4
u1
66
Predicate-Update Formulae for y->n = t
  • x'(v) = x(v)
  • y'(v) = y(v)
  • t'(v) = t(v)
  • n'(v1,v2) = (¬y(v1) ∧ n(v1,v2)) ∨ (y(v1) ∧ t(v2))

67
Outline
  • Logic and box/arrow diagrams
  • Kleene's 3-valued logic
  • The abstraction principle
  • Using 3-valued structures to represent sets of
    stores
  • Conservative extraction of store properties
  • Abstract interpretation
  • More precise abstract interpretation

68
Two- vs. Three-Valued Logic
0 ? 0,1
1 ? 0,1
69
Two- vs. Three-Valued Logic
70
Two- vs. Three-Valued Logic
Three-valued logic
71
Two- vs. Three-Valued Logic
72
Two- vs. Three-Valued Logic
0 ⊑ ½
1 ⊑ ½   (information order: ½ is less definite than either 0 or 1)
73
Boolean Connectives Kleene
74
Three-Valued Logic
  • 1 True
  • 0 False
  • 1/2 Unknown
  • A join semi-lattice: 0 ⊔ 1 = 1/2

75
Outline
  • Logic and box/arrow diagrams
  • Kleene's 3-valued logic
  • The abstraction principle
  • Using 3-valued structures to represent sets of
    stores
  • Conservative extraction of store properties
  • Abstract interpretation
  • More precise abstract interpretation

76
Why is Shape Analysis Difficult?
  • Destructive updating through pointers
  • p->next = q
  • Produces complicated aliasing relationships
  • Dynamic storage allocation
  • No bound on the size of run-time data structures
  • Data-structure invariants typically only hold at
    the beginning and end of operations
  • Need to verify that data-structure invariants are
    re-established

77
The Abstraction Principle
78
The Abstraction Principle
  • Partition the individuals into equivalence
    classes based on the values of their unary
    predicates
  • Collapse other predicates via ⊔ (join in the information order)

79
What Stores Does a 3-Valued Structure Represent?
  • Example 3-valued structure
  • individuals u1
  • predicates
  • graphical presentation
  • concrete stores represented

80
What Stores Does a 3-Valued Structure Represent?
  • Example 3-valued structure
  • graphical presentation
  • concrete stores

81
What Stores Does a 3-Valued Structure Represent?
  • Example 3-valued structure
  • graphical presentation
  • concrete stores

82
Property-Extraction Principle
  • Questions about store properties can be answered
    conservatively by evaluating formulae in
    three-valued logic
  • Formula evaluates to 1
  • ⇒ formula holds in every store the structure represents
  • Formula evaluates to 0
  • ⇒ formula holds in none of the stores the structure represents
  • Formula evaluates to 1/2
  • ⇒ don't know: it may hold in some represented stores and fail in
    others.  A checker must therefore treat 1/2 as a possible violation;
    this is the source of false alarms, whereas a definite 1 or 0 is never
    wrong for any represented store.

83
Are x and y Pointer Aliases?
∃v: x(v) ∧ y(v)
84
Is Cell u Heap-Shared?
∃v1,v2: n(v1,u) ∧ n(v2,u) ∧ v1 ≠ v2
85
Outline
  • Logic and box/arrow diagrams
  • Kleenes 3-valued logic
  • The abstraction principle
  • Using 3-valued structures to represent sets of
    stores
  • Conservative extraction of store properties
  • Abstract interpretation
  • More precise abstract interpretation

86
Abstract Interpretation
87
Abstract Interpretation
f(a,b) = (16·b + 3) · (2·a + 1)
O
O
O
E
O
O
E
?
E
E
?
f(?, ?) = O   (16·b + 3 and 2·a + 1 are both odd whatever a and b are, so the product is odd)
88
Shape Analysis viaAbstract Interpretation
  • Iteratively compute a set of 3-valued structures
    for every program point
  • Every statement transforms structures according
    to the predicate-update formulae
  • use 3-valued logic instead of 2-valued logic
  • use exactly the predicate-update formulae of the
    concrete semantics!!

89
Predicate-Update Formulae for y x
y'(v) = x(v)
90
Predicate-Update Formulae for x x ? n
x'(v) = ∃v1: x(v1) ∧ n(v1,v)
91
Abstract Interpretation
Concrete
Sets of stores
92
Abstract Interpretation
Concrete
Sets of stores
93
Abstract Interpretation
Concrete
94
Abstract Interpretation
Concrete
95
Abstract Interpretation
Concrete
96
Abstract Interpretation
Concrete
97
The Embedding Theorem
No
∃v: x(v) ∧ y(v)
No
No
Maybe
98
The Embedding Theorem
No
∃v: x(v) ∧ y(v)
No
99
The Embedding Theorem
  • If a structure B can be embedded in a structure S
    via a surjective (onto) function f such that
    basic predicates are preserved, i.e., p^B(u1,
    ..., uk) ⊑ p^S(f(u1), ..., f(uk))
  • Then, every formula φ is preserved
  • If φ = 1 in S, then φ = 1 in B
  • If φ = 0 in S, then φ = 0 in B
  • If φ = 1/2 in S, then φ could be 0 or 1 in B

100
How Are We Doing?
  • Conservative ?
  • Convenient ?
  • But not very precise ?
  • Advancing a pointer down a list loses precision
  • Cannot distinguish an acyclic list from a cyclic
    list

101
Cyclic versus Acyclic Lists
102
Outline
  • Logic and box/arrow diagrams
  • Kleene's 3-valued logic
  • The abstraction principle
  • Using 3-valued structures to represent sets of
    stores
  • Conservative extraction of store properties
  • Abstract interpretation
  • More precise abstract interpretation

103
The Instrumentation Principle
  • Increase precision by storing the truth-value of
    some chosen formulae
  • Introduce predicate-update formulae to update the
    extra predicates

104
Example Heap Sharing
is(v) = ∃v1,v2: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
105
Example Heap Sharing
is(v) = ∃v1,v2: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
is 1
x
x
u
u
u1
u1
is 0
is 1
is 0
106
Is Cell u Heap-Shared?
is 0
is 0
∃v1,v2: n(v1,u) ∧ n(v2,u) ∧ v1 ≠ v2
107
Predicate-Update Formulae for y = NULL
  • x'(v) = x(v)
  • y'(v) = 0
  • t'(v) = t(v)
  • n'(v1,v2) = n(v1,v2)
  • is'(v) = is(v)

108
Predicate-Update Formulae for y = x
  • x'(v) = x(v)
  • y'(v) = x(v)
  • t'(v) = t(v)
  • n'(v1,v2) = n(v1,v2)
  • is'(v) = is(v)

109
Example Heap Sharing
is(v) = ∃v1,v2: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
110
Predicate-Update Formulae for x = x->n
  • x'(v) = ∃v1: x(v1) ∧ n(v1,v)
  • y'(v) = y(v)
  • t'(v) = t(v)
  • n'(v1,v2) = n(v1,v2)
  • is'(v) = is(v)

111
Predicate-Update Formulae for y->n = t
  • x'(v) = x(v)
  • y'(v) = y(v)
  • t'(v) = t(v)
  • n'(v1,v2) = (¬y(v1) ∧ n(v1,v2)) ∨ (y(v1) ∧ t(v2))
  • is'(v) =

∃v1,v2: (is(v) ∧ n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2) ∨ (t(v) ∧ n(v1,v) ∧ ¬y(v1))
112
Predicate-Update Formulae for y ? n t
  • x(v) x(v)
  • y(v) y(v)
  • t(v) t(v)
  • n(v1,v2) ?y(v1)?? n(v1,v2) ? y(v1) ? t(v2)
  • is(v)

( ?((?v1 y(v1) ? n(v1,v2)) ? t(v)) ?
is(v)) ? ( ((?v1 y(v1) ? n(v1,v2)) ? t(v))
? (is(v) ? t(v)) ? ?v1,v2
n(v1,v) ? n(v1,v) ? v1 ? v2 )
113
Additional Instrumentation Predicates
  • reachable-from-variable-x(v)
  • acyclic-along-dimension-d(v)
  • à la ADDS
  • doubly-linked(v)
  • tree(v)
  • dag(v)
  • AVL trees
  • balanced(v), left-heavy(v), right-heavy(v)
  • . . . but not via height arithmetic

114
Materialization
115
Materialization
Chase, Wegman, Zadeck 90
x = x->n
116
The Focusing Principle
  • Bring the structure into better focus
  • Selectively force 1/2 to 0 or 1
  • Avoid indefiniteness
  • Then apply the predicate-update formulae

117
(1) Focus on ∃v1: x(v1) ∧ n(v1,v)
u
118
(2) Evaluate Predicate-Update Formulae
x'(v) = ∃v1: x(v1) ∧ n(v1,v)
u
y
u1
u.1
u.0
119
The Coercion Principle
  • Increase precision by exploiting some structural
    properties possessed by all stores
  • Structural properties captured by constraints
  • Apply a constraint solver

120
(3) Apply Constraint Solver
u1
x
y
u1
u.1
u.0
121
(3) Apply Constraint Solver
x
y
u1
u.1
u.0
n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2 ⇒ is(v)
¬is(v) ∧ n(v1,v) ∧ v1 ≠ v2 ⇒ ¬n(v2,v)
122
(3) Apply Constraint Solver
x
y
u1
u.1
u.0
123
(3) Apply Constraint Solver
x
y
u1
u.1
u.0
n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2 ⇒ is(v)
¬is(v) ∧ n(v1,v) ∧ v1 ≠ v2 ⇒ ¬n(v2,v)
124
(3) Apply Constraint Solver
x
y
u1
u.1
u.0
x(v1) ∧ x(v2) ⇒ v1 = v2   (a program variable points to at most one cell)
125
(3) Apply Constraint Solver
x
y
u1
u.1
u.0
126
Formalizing . . .
Informal
x
y
127
Formalizing . . .
Informal
t1
x
y
t2
128
Formalizing . . .
Informal
x
y
129
Formalizing . . .
Informal
t1
x
y
t2
130
Additional Instrumentation Predicates
  • reachable-from-variable-x(v)
  • acyclic-following-field-f(v)
  • doubly-linked(v)
  • tree(v)
  • dag(v)
  • AVL trees
  • balanced(v), left-heavy(v), right-heavy(v)
  • . . . but not via height arithmetic

131
A Yacc for Shape Analysis
pointer-field predicates:          n(v1,v2)
instrumentation-predicate definitions:
    is(v) = ∃v1,v2: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
predicate-update formulae:
    stmt               is'(v)
    x = NULL           is(v)
    x = t              is(v)
    x = t->n           is(v)
    x->n = t           ∃v1,v2: (is(v) ∧ n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2)
                       ∨ (t(v) ∧ n(v1,v) ∧ ¬y(v1))
    x = malloc(INT)    is(v) ∧ ¬NEW(v)
132
Why is Shape Analysis Difficult?
  • Destructive updating through pointers
  • p->next = q
  • Produces complicated aliasing relationships
  • Track aliasing on 3-valued structures
  • Dynamic storage allocation
  • No bound on the size of run-time data structures
  • Abstraction principle ⇒ finite-sized 3-valued
    structures
  • Data-structure invariants typically only hold at
    the beginning and end of operations
  • Need to verify that data-structure invariants are
    re-established
  • Evaluate formulas over 3-valued structures

133
Example In-Situ List Reversal
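/*
 * In-situ (destructive) reversal of a singly linked list -- the running
 * example of these slides, restored from the extracted listing, which had
 * lost every operator and brace.
 *
 * x:       head of the list to reverse.  The analysis (slide 49) states its
 *          results for an acyclic input list; the code itself performs no
 *          run-time check of that precondition.
 * returns: the new head (the old tail); NULL for an empty list.  On return
 *          the former head cell has next == NULL.  x is passed by value,
 *          so the caller's own pointer is left as it was.
 *
 * NOTE: `List` is a typedef of a pointer type, kept because the slides use
 * it; hiding indirection behind a typedef is normally discouraged.
 */
typedef struct list_cell {
    int val;
    struct list_cell *next;
} *List;

List reverse(List x)
{
    List y = NULL;   /* head of the already-reversed prefix */
    List t;

    while (x != NULL) {
        t = y;          /* remember the reversed prefix            */
        y = x;          /* take the current head ...               */
        x = x->next;    /* ... advance along the remaining suffix  */
        y->next = t;    /* ... and splice the head onto the prefix */
    }
    return y;
}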
Run Demo
134
Example Mark and Sweep
void Sweep() {
  unexplored = Universe
  collected = ∅
  while (unexplored ≠ ∅) {
    x = SelectAndRemove(unexplored)
    if (x ∉ marked)
      collected = collected ∪ {x}
  }
  assert(collected == Universe ∖ Reachset(root))
}

void Mark(Node root) {
  if (root != NULL) {
    pending = ∅
    pending = pending ∪ {root}
    marked = ∅
    while (pending ≠ ∅) {
      x = SelectAndRemove(pending)
      marked = marked ∪ {x}
      t = x->left
      if (t != NULL)
        if (t ∉ marked)
          pending = pending ∪ {t}
      t = x->right
      if (t != NULL)
        if (t ∉ marked)
          pending = pending ∪ {t}
    }
    assert(marked == Reachset(root))
  }
}
Run Demo
135
TVLA vs. Model Checking
TVLA
Model checking
  • Determine properties of a transition system
  • State-space exploration
  • State labels 1st-order structures
  • 3-valued structures represent commonalities
  • Properties checked Formulas in FOTC
  • Determine properties of a transition system
  • State-space exploration
  • State labels Propositions
  • BDDs represent commonalities
  • Properties checked Formulas in temporal logic

136
Summary
  • 1/2 arises from abstraction
  • One-sided analyses (e.g., 1 means true, 0 means
    don't know) conflate 0 and 1/2
  • 1/2 essential conflation not essential
  • For program analysis, 3-valued logic allows
  • Materialization
  • Conservative extraction of properties

137
Cleanness Checking
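/*
 * Linear search for value v in the singly linked list c.  Restored from
 * the extracted slide listing, which had lost all operators and braces.
 *
 * v:       value to look for
 * c:       head of the list; may be NULL (empty list), giving false
 * returns: true if some cell's val equals v, false otherwise
 *
 * Both dereferences (e->val and e->next) sit inside the loop whose guard
 * is e != NULL, so the "potential dereference of NULL?" questions raised on
 * the following slides are answered "no" once the analysis knows e is
 * non-NULL in the loop body.
 *
 * Caveat: the loop terminates only by reaching NULL.  If c lies on a cycle
 * and v is absent, member() never returns.  When c can come from untrusted
 * or possibly corrupted memory, the caller must guarantee acyclicity (the
 * precondition the slides' analysis works under) or bound the traversal.
 *
 * The slide's TRUE/FALSE are written as <stdbool.h> true/false here;
 * this assumes TRUE == 1 and FALSE == 0, which is the usual definition.
 */
typedef struct list_cell {
    int val;
    struct list_cell *next;
} *List;

bool member(int v, List c)
{
    for (List e = c; e != NULL; e = e->next) {
        if (e->val == v) {
            return true;
        }
    }
    return false;
}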
138
Cleanness Checking
typedef struct list_cell { int val; struct list_cell *next; } *List;
bool member(int v, List c) {
  List e = c;
  while (e != NULL) {
    if (e->val == v)        /* potential dereference of NULL? */
      return TRUE;
    e = e->next;
  }
  return FALSE;
}
139
Cleanness Checking
typedef struct list_cell { int val; struct list_cell *next; } *List;
bool member(int v, List c) {
  List e = c;
  while (e != NULL) {
    if (e->val == v)        /* potential dereference of NULL? */
      return TRUE;
    e = e->next;            /* potential dereference of NULL? */
  }
  return FALSE;
}
140
Possibly Uninitialized Variables

λV. {w,x,y}
{w,x,y}
λV. V − {x}
{w,y}
λV. V
λV. V
{w,y}
{w,y}
λV. if x ∈ V then V ∪ {y} else V − {y}
{w}
λV. if w ∈ V then V ∪ {y} else V − {y}
λV. V − {w}
{w,y}