Symbolically Computing MostPrecise Abstract Operations for Shape Analysis

1
Symbolically Computing Most-Precise Abstract
Operations for Shape Analysis
Greta Yorsh Joint work with Thomas Reps Mooly
Sagiv
2
Why use theorem prover?

• Guarantee the most-precise result w.r.t. the
  abstraction
• Modular reasoning
• assume guarantee reasoning
• scalability

3
Outline

• Background
• The assume Operation
• The assume Algorithm
• canonical abstraction
• Main Results
• Future Work

4
Shape Analysis

• Static program analysis
• Determine shape invariants
• Verify programs (partially)
• Detect memory errors
• Prove properties about dynamically allocated data
• Detect logical errors
• Code optimizations
• Abstract Interpretation CC77
• Galois Connection (?, ?)

5
Concretization Function ?
Concrete Domain
Abstract Domain
6
Abstraction Function ?
C
Concrete Domain
Abstract Domain
7
Galois Connection (?, ?)
?
?(C)
C
Concrete Domain
Abstract Domain
8
Most Precise Abstract Value
?
?
?(C)
C
Concrete Domain
Abstract Domain
9
New Approach

• Use symbolic techniques in abstract
  interpretation
• For shape analysis
• For other abstract domains
• What does it mean to employ decision
  procedure/theorem prover for shape analysis?
• symbolic concretization
• decision procedure for satisfiability

10
Symbolic Concretization ?(a)

a1
a2
Formulas
Concrete Domain
Abstract Domain
11
Outline
?

• Background
• The assume Operation
• The assume Algorithm
• canonical abstraction
• Main Results
• Future Work

12
Assume-Guarantee Reasoning
T bar() void foo() T p ... p
bar() ...
prebar, postbar prefoo, postfoo assumepre
foo assertprebar ----------- assumepost
bar assertpostfoo





13
The assume?(a) Operation
a
?(a)
X
?
Formulas
Concrete Domain
Abstract Domain
14
The assume?(a) Operation
a
?(a)
?(X)
?
assume?(a)
X
?
Concrete Domain
Abstract Domain
15
The assume?(a) Operation
a
?(a)
?
?(X)
?
assume?(a)
X
?
Concrete Domain
Abstract Domain
16
Outline
?

• Shape Analysis
• The assume Operation
• The assume Algorithm
• canonical abstraction
• Main Results
• Future Work

?

17
The assume?(a) Algorithm

a
?(a)
X
?
Concrete Domain
Abstract Domain
18
The assume?(a) Algorithm

a
?(a)
X
?
Concrete Domain
Abstract Domain
19
The assume?(a) Algorithm

a
?(a)
X
?
Concrete Domain
Abstract Domain
20
The assume?(a) Algorithm

a
?(a)
?(X)
assume?(a)
X
?
Concrete Domain
Abstract Domain
21
Outline
?

• Shape Analysis
• The assume Operation
• The assume Algorithm
• canonical abstraction
• Main Results
• Future Work

?

22
Abstraction Function ?
?(C) ?(S) S ? C
?
?(C)
C
sets of 3-valued logical structures
2-valuedlogical structures
Concrete Domain
Abstract Domain
23
Describing Heap Using Logical Structure

• Definition of linked list
• Cyclic linked list of length 4 pointed to by
  variable x
• structure S
• universe U u1, u2, u3, u4,
• unary relation x u1
• binary relation n , , u3, u4,
• unary relation rx u1, u2, u3, u4
• unary relation c u1, u2, u3, u4

struct List int d struct List n
x
24
3-Valued Logical Structures

• Relation meaning over 0, 1, ½
• Kleene
• 1 True
• 0 False
• ½ Unknown
• A join semi-lattice 0 ? 1 ½

25
Canonical Abstraction ?
u1
u2
u3
u4
c,rx
c,rx
c,rx
c,rx
u2 summary node
u2
u1
26
Canonical Abstraction ?
u1
u2
u3
u4
c,rx
c,rx
c,rx
c,rx
?
u2 summary node

• Unary relations have definite values

27
Concretization Function ?

?(a)
a
?(a)
?a ? ?v1,v2nodeu1(v1)?nodeu2(v2) ??w
nodeu1(w)?nodeu2(w) ? ?w1,w2nodeu1(w1)?nodeu1(w2)
?(w1w2)??n(w1,w2)
Formulas
Concrete Domain
Abstract Domain
28
Concretization Function ?
IR uniquex ? functionn ?
reachablex ? cyclicn

?(a)
a
?(a)
uniquex ? ?v1,v2x(v1)?x(v2)?v1v2
Formulas
functionn ? ?v,v1,v2n(v,v1)?n(v,v2)?v1v2
Concrete Domain
Abstract Domain
reachablex ? ?vrx(v)??v1 x(v1) ? n(v1,v)
cyclicn ? ?vc(v)??v1n(v,v1)?n(v1,v)
29
Outline
?

• Shape Analysis
• The assume Operation
• The assume Algorithm
• canonical abstraction
• Main Results
• Future Work

?

?
30
Example
a
? ? ?v1y(v1) ??v2 x(v2) ? n(v1, v2)
x
u2
u1
yx-n
c,rx
c,rx
IR uniquex ? uniquey ?
reachablex ? reachabley ? cyclicn
? functionn
31
The assume?(a) Algorithm


assume?(a) set of 3-valued structures //
initialization for all S?a if ?(S)? ? is
satisfiable then W?S // phase 1 node
materialization while there is S?W with p(u)1/2
do duplicate nodes and deduce their unary
relations using calls to theorem prover //
phase 2 relation refinement while there is S?W
with p(u1,u2)1/2 do duplicate structures and
deduce their binary relations using calls to
theorem prover return W

32
Example - Materialization
S
x
u2
u1
c,rx
c,rx
materialization u2 ? uy, u2 y(uy) 1, y(u2) 0
33
Example - Materialization
x
uy
u1
u2
ry
ry
y
rx
y
c,rx
c,rx
y,ry
34
Example Refinement
x
uy
u1
u2
c,rx ry
y
c,rx ry
c,rxry
n(u2,uy)
35
Example
a
? ? ?v1y(v1) ??v2 x(v2) ? n(v1, v2)
x
u2
u1
yx-n
c,rx
c,rx
IR uniquex ? uniquey ?
reachablex ? reachabley ? cyclicn
? functionn
x
x
u2
uy
uy
u1
u1
c,rx ry
c,rx ry
c,rx ry
c,rx ry
c,rx ry
y
y
36
Algorithm

• assume?(a) set of 3-valued structures
• for all S?a
• if ?(S)?? is satisfiable then W?S
• // phase 1 materialization
• while there is S?W with p(u)1/2 do
• W?W/S
• if ?(S)????p,u is satisfiable then W?S'
• if ?(S0)?? is satisfiable then W?S0
• if ?(S1)?? is satisfiable then W?S1
• // phase 2 relation refinement
• while there is S?W with p(u1,u2)1/2 do
• if ?(S)????p,u1,u2 is not satisfiable then
  W?W/S
• if ?(S0)?? is satisfiable then W?S0
• if ?(S1)?? is satisfiable then W?S1
• return W

37
Theorem Prover

• Satisfiability of FOTC
• Calls to theorem prover need not terminate
• Experience with SPASS
• Solutions ?

38
SPASS Experience

• Handles arbitrary FO formulas
• Can diverge
• Converges in our examples
• Captures older shape analysis algorithms
• How to handle FOTC?
• Overapproximations are not good enough
• Lead to too many structures

39
Theorem Prover

• Satisfiability of FOTC
• Calls to theorem prover need not terminate
• Experience with SPASS
• Solutions
• timeout and return ½
• decidable logic
• Bad news
• Even ??TC is undecidable
• Reduction to halting problem

40
??DTCE Logic

• Neil Immerman, Alexander Rabinovich
• ??DTCE is subset of FOTC
• ?? form
• arbitrary unary relations
• single binary relation E
• deterministic transitive closure E(v,w)
• E-path through individuals with at most one
  successor
• Decidable for satisfiability
• NEXPTIME-complete

41
Simulation Technique

• Simulate regular data structures using ??DTCE
• Singly linked list
• shared/cyclic/nested
• Doubly linked list
• (Shared) Trees
• Preserved under mutations

42
Outline
?

• Shape Analysis
• The assume Operation
• The assume Algorithm
• canonical abstraction
• Main Results
• Future Work

?

?
?
43
Most-precise Operations

• Most-precise abstract value
• Best transformer
• statement
• loop-free fragment

44
Best Transformer BT(a,t)
C
t
a
Concrete Domain
Abstract Domain
45
Most-precise Operations

• Most-precise abstract value
• Best transformer
• statement
• loop-free fragment
• Meet operation
• Assume guarantee reasoning
• procedure specifications

46
Conclusions

• Employ decision procedure/theorem prover for
  shape analysis
• most precise
• modular - assume guarantee reasoning

47
Future Work

• Implementation
• Assume guarantee of real programs
• specification language
• write procedure specifications
• Extend to other domains

48
THE END