Title: Symbolically Computing Most-Precise Abstract Operations for Shape Analysis
1. Symbolically Computing Most-Precise Abstract Operations for Shape Analysis
- Greta Yorsh (Tel Aviv University)
- Thomas Reps (University of Wisconsin)
- Mooly Sagiv (Tel Aviv University)
TACAS 2004
2. Motivation
- New approach to using symbolic techniques in abstract interpretation
  - for shape analysis
  - for other analyses
- What does it mean to harness a decision procedure for use in static analysis?
  - what are the requirements?
  - what does it buy us?
3. What are the requirements?
- A decision procedure for the formulas: is γ(a) empty?
[figure: formulas on one side, abstract values on the other]
4. What does it buy us?
- Guarantees the most-precise result w.r.t. the abstraction
  - best transformer
  - other abstract operations
- Modular reasoning
  - assume-guarantee reasoning
  - scalability
5. Assume-Guarantee Reasoning
T bar() { ... }
void foo() { T p; ... p = bar(); ... }
Specifications: pre_bar, post_bar for bar; pre_foo, post_foo for foo
Analysis of foo:
assume pre_foo
assert pre_bar      (at the call to bar)
-----------
assume post_bar     (after the call returns)
assert post_foo
[figure: abstract values a1, a2, a3, a4 at the assume/assert points of foo]
6. The assume_φ(a) Operation
assume_φ(a) = α(γ(a) ∧ φ)
[figure: abstract value a is concretized to γ(a), intersected with the stores satisfying φ, and abstracted back]
7. The abstraction operation α̂(φ)
[figure: α̂ maps a formula φ over concrete stores to an abstract value]
8. The idea behind α̂(φ)
[figure: the answer ans is built up in the abstract domain from concrete stores that satisfy φ]
9. Remainder of the talk
- Shape analysis
- Canonical abstraction
- Algorithm for abstraction α̂
  - example
- Abstract operations using α̂
- Further work
10. Shape Analysis
- Static program analysis
- Determines shape invariants
  - all possible memory configurations
- Can be used to
  - Verify programs (partially)
  - Detect memory errors
  - Prove properties about dynamically allocated data
  - Detect logical errors
  - Code optimizations
11. Why is Shape Analysis Difficult?
- Destructive updating through pointers
  - p->next = q
  - Produces complicated aliasing relationships
- Dynamic memory allocation
  - No bound on the size of run-time data structures
- Abstract domain of 3-valued structures with canonical abstraction [Sagiv, Reps, Wilhelm]
12. 3-Valued Logical Structures
- Relation meaning over {0, 1, ½}
  - Kleene
  - 1: True
  - 0: False
  - ½: Unknown
- A join semi-lattice: 0 ⊔ 1 = ½
[figure: Hasse diagram with ½ above both 0 and 1]
13. Canonical Abstraction
[figure: concrete nodes u1, u2 and their canonical abstraction; formulas in FO^TC]
14. Example of α̂(φ)
φ: y = x->n
[figure: concrete stores satisfying φ and their abstraction α̂(φ)]
15. Example: Materialization
φ: y = x->n
[figure: x, y, and the nodes u1, u2 materialized from a summary node]
16. Example: Refinement
φ: y = x->n
- ∃ concrete store ∃ pair of nodes: n(a1, a2) = 1, or n(a1, a2) = 0
- ∃ concrete store ∃ two pairs of nodes: n(a1, a2) = 1 and n(b1, b2) = 0
17. Abstract Operations
- α̂(φ): the best abstract value that represents φ
- What does it buy us?
  - assume_φ(a) = α̂(γ̂(a) ∧ φ)
    - assume-guarantee reasoning
    - pre- and post-conditions specified by logical formulas
  - BT(t, a) = α̂(γ̂(extend(a)) ∧ t)
    - best abstract transformer
    - parametric abstractions
  - meet(a1, a2) = α̂(γ̂(a1) ∧ γ̂(a2))
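The operations listed on slide 17, the α̂ loop of slide 8, the Kleene join of slide 12 and the assume/assert pattern of slide 5 can be exercised end to end on a toy instance. The Python below is an added example, not code from the paper, from TVLA or from SPASS. It assumes a universe of singly linked lists with two program variables x and y, uses canonical abstraction with {x, y} as the abstraction predicates, and replaces the theorem prover with brute-force enumeration of concrete stores up to a node bound, so every satisfiability question is answered relative to that bound. The names beta, gamma_hat, alpha_hat, assume, meet, find_model, concretize and the formulas y_is_x_next and x_is_y are illustrative choices; the concrete stores are constructed inside the block.

```python
"""Added toy model (not the paper's code): canonical abstraction of lists, the
Kleene lattice and the alpha-hat loop; the prover is bounded enumeration."""
from functools import lru_cache
from itertools import product

HALF = 0.5  # Kleene's 1/2 ("unknown"); 0 and 1 are the definite values

def kleene_join(a, b):
    """Least upper bound in the join semi-lattice 0 ⊔ 1 = 1/2."""
    return a if a == b else HALF

def info_leq(lo, hi):
    """lo ⊑ hi in the information order: definite values lie below 1/2."""
    return lo == hi or hi == HALF

def concrete_stores(max_nodes):
    """All concrete stores with 1..max_nodes heap nodes, as (k, x, y, nxt):
    variables x, y are null or a node; nxt[u] is node u's n field or null."""
    for k in range(1, max_nodes + 1):
        targets = list(range(k)) + [None]
        for x, y, nxt in product(targets, targets, product(targets, repeat=k)):
            yield (k, x, y, tuple(nxt))

@lru_cache(maxsize=None)
def beta(store):
    """Canonical abstraction with abstraction predicates {x, y}: nodes with
    equal (x, y) values merge into one canonical node (a summary node has
    sm = 1/2); n between canonical nodes is the Kleene join over all pairs."""
    k, x, y, nxt = store
    name_of = {u: (int(x == u), int(y == u)) for u in range(k)}
    names = tuple(sorted(set(name_of.values())))
    members = {c: [u for u in range(k) if name_of[u] == c] for c in names}
    sm = tuple(HALF if len(members[c]) > 1 else 0 for c in names)
    n = []
    for c1 in names:
        row = []
        for c2 in names:
            val = None
            for u in members[c1]:
                for v in members[c2]:
                    bit = int(nxt[u] == v)
                    val = bit if val is None else kleene_join(val, bit)
            row.append(val)
        n.append(tuple(row))
    return (names, sm, tuple(n))  # a 3-valued structure, hashable

def embeds(s, a):
    """s embeds in a: same canonical nodes and every value of s ⊑ that of a."""
    if s[0] != a[0]:
        return False
    idx = range(len(s[0]))
    return all(info_leq(s[1][i], a[1][i]) for i in idx) and all(
        info_leq(s[2][i][j], a[2][i][j]) for i in idx for j in idx)

def gamma_hat(abstract):
    """Concretization as a formula (a predicate on stores here):
    S ⊨ γ̂(a) iff β(S) embeds in some 3-valued structure of a."""
    def holds(store):
        b = beta(store)
        return any(embeds(b, s) for s in abstract)
    return holds

def find_model(phi, bound):
    """Decision-procedure stand-in (assumption): a model of phi with at most
    `bound` nodes, or None if there is none within the bound."""
    return next((S for S in concrete_stores(bound) if phi(S)), None)

def alpha_hat(phi, bound=3):
    """Most-precise abstraction of phi: ans starts at ⊥ (empty set); while
    phi ∧ ¬γ̂(ans) has a model S, ans := ans ⊔ β(S)."""
    ans = set()
    while True:
        covered = gamma_hat(ans)
        S = find_model(lambda T: phi(T) and not covered(T), bound)
        if S is None:
            return frozenset(ans)
        ans.add(beta(S))

def assume(phi, a, bound=3):
    """assume_φ(a) = α̂(γ̂(a) ∧ φ)."""
    g = gamma_hat(a)
    return alpha_hat(lambda S: g(S) and phi(S), bound)

def meet(a1, a2, bound=3):
    """meet(a1, a2) = α̂(γ̂(a1) ∧ γ̂(a2))."""
    g1, g2 = gamma_hat(a1), gamma_hat(a2)
    return alpha_hat(lambda S: g1(S) and g2(S), bound)

def concretize(a, bound):
    """γ(a) cut down to the bounded universe, as a set of concrete stores."""
    g = gamma_hat(a)
    return frozenset(S for S in concrete_stores(bound) if g(S))

# Formulas over stores, written as predicates (constructed for this example).
def y_is_x_next(S):
    """y = x->n with x non-null: the running example of the talk."""
    k, x, y, nxt = S
    return x is not None and nxt[x] is not None and nxt[x] == y

def x_is_y(S):
    """x and y alias the same (non-null) node."""
    return S[1] is not None and S[1] == S[2]

if __name__ == "__main__":  # print the canonical structures of α̂(y = x->n)
    print(*sorted(alpha_hat(y_is_x_next)), sep="\n")
```

Within the bound, alpha_hat runs exactly the loop of the talk: start from ⊥ and, as long as φ ∧ ¬γ̂(ans) still has a model, fold that model's canonical abstraction into ans; assume and meet are then one-line instances of the same loop. What the paper does and this toy does not is to turn γ̂ into a formula and hand φ ∧ ¬γ̂(ans) to a real prover, which is where the divergence and timeout issues of the SPASS slide come from.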
18. SPASS Experience
- Handles arbitrary FO formulas
- Can diverge
  - use a timeout
  - converges in our examples
- Captures older shape analysis algorithms
- How to handle FO^TC?
  - Overapproximations lead to too many structures
19. Decidable Transitive-Closure Logic
- Neil Immerman (UMass), Alexander Rabinovich (TAU)
- ∃∀(TC, f) is a subset of FO^TC
  - ∃∀ form
  - arbitrary unary relations
  - single function f
- Decidable for satisfiability
  - NEXPTIME-complete
- Any reasonable extension is undecidable
- Rather limited
20. Simulation Technique [CAV04]
- Neil Immerman (UMass), Alexander Rabinovich (TAU)
- Simulate realistic data structures using a decidable logic over tractable structures
  - Singly linked list: shared/cyclic/nested
  - Doubly linked list
  - Trees
- Preserved under mutations
- Abstract interpretation, Hoare-style verification
21. Further Work
- Implementation
  - Decidable logic for shape analysis
- Assume-guarantee reasoning for real programs
  - case study: Java Collection
  - specification language
  - write procedure specifications
- Extend to other domains
  - Infinite-height
gretay
www.cs.tau.ac.il/gretay