Symbolically Computing MostPrecise Abstract Operations for Shape Analysis - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

Symbolically Computing MostPrecise Abstract Operations for Shape Analysis

Description:

Tel Aviv University. University of Wisconsin. TACAS'04. Tel Aviv University. April 2004 ... No bound on the size of run-time data structures ... – PowerPoint PPT presentation

Number of Views:37
Avg rating:3.0/5.0
Slides: 21
Provided by: thoma423
Category:

less

Transcript and Presenter's Notes

Title: Symbolically Computing MostPrecise Abstract Operations for Shape Analysis


1
Symbolically Computing Most-Precise Abstract
Operations for Shape Analysis
  • Greta Yorsh
  • Thomas Reps
  • Mooly Sagiv

Tel Aviv University
University of Wisconsin
Tel Aviv University
TACAS04
2
Motivation
  • New approach to using symbolic techniques in
    abstract interpretation
  • for shape analysis
  • for other analyses
  • What does it mean to harness a decision procedure
    for use in static analysis?
  • what are the requirements ?
  • what does it buy us ?

3
What are the requirements ?
Is ?(a) empty?
Formulas
4
What does it buy us ?
  • Guarantee the most-precise result w.r.t. to the
    abstraction
  • best transformer
  • other abstract operations
  • Modular reasoning
  • assume-guarantee reasoning
  • scalability

5
Assume-Guarantee Reasoning
T bar() void foo() T p ... p
bar() ...
prebar, postbar prefoo, postfoo assumepre
foo assertprebar ----------- assumepost
bar assertpostfoo
lt?gt
lta1gt
lta2gt
lta3gt
lta4gt
6
The assume?(a) Operation
?(?(a)????)
a
?
Abstract
Concrete
Formulas
7
The abstraction operation ?(?)

?
???
Abstract
Concrete
8
The idea behind ?(?)

ans
?
?
???
Abstract
Concrete
9
Reminder of the talk
  • Shape analysis
  • Canonical abstraction
  • Algorithm for abstraction ? - example
  • Abstract operations using ?
  • Further work



10
Shape Analysis
  • Static program analysis
  • Determine shape invariants
  • all possible memory configurations
  • Can be used to
  • Verify programs (partially)
  • Detect memory errors
  • Prove properties about dynamically allocated data
  • Detect logical errors
  • Code optimizations

11
Why is Shape Analysis Difficult?
  • Destructive updating through pointers
  • p?next q
  • Produces complicated aliasing relationships
  • Dynamic memory allocation
  • No bound on the size of run-time data structures
  • Abstract domain of 3-valued structures with
    canonical abstraction Sagiv,Reps,Wilhelm

12
3-Valued Logical Structures
  • Relation meaning over 0, 1, ½
  • Kleene
  • 1 True
  • 0 False
  • ½ Unknown
  • A join semi-lattice 0 ? 1 ½

½
?
?
13
Canonical Abstraction
u2
u1
FOTC
14
Example of ?(?)

y x-gtn
?
?

?(?)
???
Concrete
Abstract
15
Example - Materialization
y x-gtn
x
u2
u1
y
y
16
Example Refinement
y x-gtn
? concrete stores ? pair of nodesn(a1, a2) 1
or n(a1, a2) 0
?concrete stores ? two pairs of nodes n(a1, a2)
1 and n(b1, b2) 0
17
Abstract Operations
  • ?(?) best abstract value that represents ?
  • What does it buy us ?
  • assume?(a) ?( ?(a) ? ? )
  • assume-guarantee reasoning
  • pre- and post-conditions specified by logical
    formulas
  • BT(t,a) ?( ?(extend(a)) ? t )
  • best abstract transformer
  • parametric abstractions
  • meet(a1, a2) ?( ?(a1) ? ?(a2) )









18
SPASS Experience
  • Handles arbitrary FO formulas
  • Can diverge
  • use timeout
  • Converges in our examples
  • Captures older shape analysis algorithms
  • How to handle FOTC ?
  • Overapproximations lead to too many structures

19
Decidable Transitive-closure Logic
  • Neil Immerman (UMASS), Alexander Rabinovich (TAU)
  • ??(TC,f) is subset of FOTC
  • exist-forall form
  • arbitrary unary relations
  • single function f
  • Decidable for satisfiability
  • NEXPTIME-complete
  • Any reasonable extension is undecidable
  • Rather limited

20
Simulation Technique CAV04
  • Neil Immerman (UMASS), Alexander Rabinovich (TAU)
  • Simulate realistic data structures using
    decidable logic over tractable structures
  • Singly linked list - shared/cyclic/nested
  • Doubly linked list
  • Trees
  • Preserved under mutations
  • Abstract interpretation, Hoare-style verification

21
Further Work
  • Implementation
  • Decidable logic for shape analysis
  • Assume-guarantee of real programs
  • case study Java Collection
  • specification language
  • write procedure specifications
  • Extend to other domains
  • Infinite-height

gretay
www.cs.tau.ac.il/gretay
Write a Comment
User Comments (0)
About PowerShow.com