Shape Analysis via 3-Valued Logic

1
Shape Analysis via 3-Valued Logic
  • Mooly Sagiv
  • Tel Aviv University

Shape analysis with applications, Chapter 4.6
http://www.cs.tau.ac.il/~rumster/TVLA/
2
Outline
  • Collecting Semantics using first order logic
  • 3-valued logic and embedding
  • Simple abstract semantics using logic
  • More precise abstract semantics
  • TVLA

3
Collecting Semantics using Logic
  • Represent states using logical structures
  • Construct the program control flow graph with a
    distinguished node start
  • Define the set of logical structures at start
  • Define the meaning of program conditions using
    closed first order formulae
  • Define the meaning of statements using first
    order formulae

4
The SWhile Programming Language: Abstract Syntax
sel ::= car | cdr
a   ::= x | x.sel | null | n | a1 opa a2
b   ::= true | false | not b | b1 opb b2 | a1 opr a2
S   ::= [x = a]^l | [x.sel = a]^l | [x = malloc()]^l | skip^l | S1 ; S2 | if b^l then S1 else S2 | while b^l do S
5
Example
  • Predicates
  • Unary: x(v), t(v)
  • Binary: car(v1, v2), cdr(v1, v2), eq(v1, v2)

x = null;             (1)
while (count > 0) {   (2)
  t = malloc();       (3)
  t.cdr = x;          (4)
  x = t;              (5)
}
6
Control flow graph of the example program, with the meaning of each node:
  (1) x = null:          $x'(v) = 0$
  (2) count > 0:         true edge to (3), false edge to exit
  (3) t = malloc():      let $v_0$ = new() in $t'(v) = eq(v, v_0)$
  (4) t.cdr = x:         message if $\neg\exists v.\, t(v)$; $cdr'(v_1, v_2) = (t(v_1) \wedge x(v_2)) \vee cdr(v_1, v_2)$
  (5) x = t:             $x'(v) = t(v)$
  (6) count = count - 1
7
The reverse example
  • Predicates
  • Unary: x(v), t(v), y(v)
  • Binary: car(v1, v2), cdr(v1, v2), eq(v1, v2)

y = null;             (1)
while (x != null) {   (2)
  t = y;              (3)
  y = x;              (4)
  x = x.cdr;          (5)
  y.cdr = t;          (6)
}
8
Control flow graph of the reverse example, with the meaning of each node:
  (1) y = null:     $y'(v) = 0$
  (2) x != null:    $\exists v.\, x(v)$; true edge to (3), false edge to exit
  (3) t = y:        $t'(v) = y(v)$
  (4) y = x:        $y'(v) = x(v)$
  (5) x = x.cdr:    message if $\neg\exists v.\, x(v)$; $x'(v) = \exists v_1.\, x(v_1) \wedge cdr(v_1, v)$
  (6) y.cdr = t:    $cdr'(v_1, v_2) = (y(v_1) \wedge t(v_2)) \vee cdr(v_1, v_2)$
9
Statements Meaning
  st              ⟦st⟧
  x = null        $x'(v) = 0$
  x = malloc()    let $v_0$ = new() in $x'(v) = eq(v, v_0)$
  x = y           $x'(v) = y(v)$
  x = y.sel       message if $\neg\exists v.\, y(v)$; $x'(v) = \exists v_1.\, y(v_1) \wedge sel(v_1, v)$
  x.sel = y       message if $\neg\exists v.\, x(v)$; $sel'(v_1, v_2) = (x(v_1) \wedge y(v_2)) \vee sel(v_1, v_2)$
10
Conditions Meaning
  cond         ⟦cond⟧
  x != null    $\exists v.\, x(v)$
  x = null     $\neg\exists v.\, x(v)$
  x = y        $\exists v.\, x(v) \wedge y(v)$
  x != y       $\neg\exists v.\, x(v) \wedge y(v)$
11
Collecting Semantics
$CS(start) = \{\langle \emptyset, \emptyset \rangle\}$
$CS(v) = \{\llbracket st(u) \rrbracket(S) : u \to v \in E,\ S \in CS(u)\}$
$\quad \cup\ \{S : S \in CS(u),\ u \to v \in E_t,\ S \models cond(u)\}$
$\quad \cup\ \{S : S \in CS(u),\ u \to v \in E_f,\ S \models \neg cond(u)\}$
12
Three-Valued Logic
  • 1 True
  • 0 False
  • 1/2 Unknown
  • A join semi-lattice: $0 \sqsubseteq 1/2$ and $1 \sqsubseteq 1/2$

13
3-Valued Logical Structures
  • A set of individuals (nodes) U
  • Predicate meaning
  • $p^S : (U^S)^k \to \{0, 1, 1/2\}$ for a $k$-ary predicate $p$

14
$U^S = \{u_1, u_2, u_3\}$
$x^S = [u_1 \mapsto 1, u_2 \mapsto 0, u_3 \mapsto 0]$
$y^S = [u_1 \mapsto 0, u_2 \mapsto 0, u_3 \mapsto 0]$
$car^S = [\langle u_1, u_1 \rangle \mapsto 0, \langle u_1, u_2 \rangle \mapsto 0, \langle u_1, u_3 \rangle \mapsto 0,$
$\quad \langle u_2, u_1 \rangle \mapsto 0, \langle u_2, u_2 \rangle \mapsto 0, \langle u_2, u_3 \rangle \mapsto 0,$
$\quad \langle u_3, u_1 \rangle \mapsto 0, \langle u_3, u_2 \rangle \mapsto 0, \langle u_3, u_3 \rangle \mapsto 0]$
$cdr^S = [\langle u_1, u_1 \rangle \mapsto 0, \langle u_1, u_2 \rangle \mapsto 1, \langle u_1, u_3 \rangle \mapsto 0,$
$\quad \langle u_2, u_1 \rangle \mapsto 0, \langle u_2, u_2 \rangle \mapsto 0, \langle u_2, u_3 \rangle \mapsto 1/2,$
$\quad \langle u_3, u_1 \rangle \mapsto 0, \langle u_3, u_2 \rangle \mapsto 0, \langle u_3, u_3 \rangle \mapsto 1/2]$
$eq^S = [\langle u_1, u_1 \rangle \mapsto 1, \langle u_1, u_2 \rangle \mapsto 0, \langle u_1, u_3 \rangle \mapsto 0,$
$\quad \langle u_2, u_1 \rangle \mapsto 0, \langle u_2, u_2 \rangle \mapsto 1, \langle u_2, u_3 \rangle \mapsto 0,$
$\quad \langle u_3, u_1 \rangle \mapsto 0, \langle u_3, u_2 \rangle \mapsto 0, \langle u_3, u_3 \rangle \mapsto 1/2]$
15
Embedding
  • A pre-partial order on 3-valued logical
    structures
  • $S_1 \sqsubseteq S_2$ means every concrete state represented by $S_1$
    is also represented by $S_2$
  • The set of nodes in S1 and S2 may be different
  • No meaning for nodes (abstract locations)

16
Embedding
  • $S_1 \sqsubseteq^f S_2$ iff
  • $f$ maps the individuals of $S_1$ onto $S_2$
  • $p^{S_1}(u_1, \ldots, u_k) \sqsubseteq p^{S_2}(f(u_1), \ldots, f(u_k))$
  • $S_1 \sqsubseteq S_2$ iff there exists $f$ such that $S_1 \sqsubseteq^f S_2$
  • Pre-partial order
  • Induces a pre-partial order on P(3-Struct)
  • Set-union is a least upper bound
  • Finite height
  • $\gamma : \text{3-Struct} \to P(\text{2-Struct})$
  • $\gamma(S) = \{S^\natural : S^\natural \in \text{2-Struct},\ S^\natural \sqsubseteq S\}$
  • $\gamma : P(\text{3-Struct}) \to P(\text{2-Struct})$
  • $\gamma(XS) = \bigcup_{S \in XS} \gamma(S)$

17
Tight Embedding
  • $S = \langle U^S, P^S \rangle$
  • $f : U^S \to U'$ such that $f$ is onto
  • Define $S' = \langle U', P' \rangle$
  • $p'(u'_1, \ldots, u'_k) = \bigsqcup \{ p^S(u_1, \ldots, u_k) : f(u_i) = u'_i \}$
  • $S \sqsubseteq^f S'$

18
The Abstraction Principle
  • Partition the individuals into equivalence
    classes based on the values of their unary
    predicates
  • Collapse other predicates via $\sqcup$ (join)
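An added example (Python written for this page, not the slides' or TVLA's own code) of the tight embedding induced by the abstraction principle: a constructed four-cell list is collapsed by the unary predicate x, and the embedding condition of slide 16 is then checked. The sparse table layout and the explicit arity map are assumptions of this example.

```python
from fractions import Fraction as F
from itertools import product

HALF = F(1, 2)

# Constructed 2-valued (concrete) structure: a 4-cell cdr-linked list whose head
# is pointed to by x. Tables are sparse: a tuple absent from a table has value 0.
U4 = ["c1", "c2", "c3", "c4"]
P4 = {
    "x":   {("c1",): 1},
    "cdr": {("c1", "c2"): 1, ("c2", "c3"): 1, ("c3", "c4"): 1},
    "eq":  {(c, c): 1 for c in U4},
}
ARITY = {"x": 1, "cdr": 2, "eq": 2}

def join(vals):
    """Least upper bound in the information order of slide 12: 0 and 1 both lie
    below 1/2, so a mix of definite values joins to 1/2."""
    vals = set(vals)
    return vals.pop() if len(vals) == 1 else HALF

def embeds(a, b):
    """a ⊑ b on single truth values: b equals a or is unknown."""
    return a == b or b == HALF

def canonical_abstraction(U, P, arity, unary):
    """Tight embedding (slide 17) induced by the abstraction principle (slide 18):
    f names each individual by the set of unary predicates that hold for it, and
    every predicate is collapsed with the join over the tuples mapped together."""
    f = {u: tuple(p for p in unary if P[p].get((u,), 0) == 1) for u in U}
    U_abs = sorted(set(f.values()))
    P_abs = {
        p: {t: join(P[p].get(c, 0) for c in product(U, repeat=k)
                    if tuple(f[u] for u in c) == t)
            for t in product(U_abs, repeat=k)}
        for p, k in arity.items()
    }
    return U_abs, P_abs, f

def check_embedding(U, P, arity, P_abs, f):
    """Embedding condition of slide 16: p^S(u1..uk) ⊑ p^S'(f(u1)..f(uk))."""
    return all(embeds(P[p].get(c, 0), P_abs[p][tuple(f[u] for u in c)])
               for p, k in arity.items() for c in product(U, repeat=k))

if __name__ == "__main__":
    U_abs, P_abs, f = canonical_abstraction(U4, P4, ARITY, ["x"])
    print(U_abs)          # [(), ('x',)]: the head and one summary node for c2..c4
    print(P_abs["cdr"])   # the head's cdr into the summary node is 1/2, as is cdr inside it
    print(check_embedding(U4, P4, ARITY, P_abs, f))   # True
```

The head's cdr edge into the summary node comes out as 1/2 because c1 reaches only one of the three collapsed cells, which is the imprecision the instrumentation predicates of slide 35 are introduced to recover.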

19
The Abstraction Principle
(Figure: cdr-linked list cells collapsed into a 3-valued structure with a summary node.)
20
Boolean Connectives (Kleene)
21
Formal Semantics of First Order Formulae
  • For a structure $S = \langle U^S, P^S \rangle$
  • Formulae $\varphi$ with free variables in $LVar$
  • Assignment $z : LVar \to U^S$
  • $\llbracket \varphi \rrbracket^S(z) \in \{0, 1, 1/2\}$

$\llbracket 1 \rrbracket^S(z) = 1$
$\llbracket 0 \rrbracket^S(z) = 0$
$\llbracket p(v_1, v_2, \ldots, v_k) \rrbracket^S(z) = p^S(z(v_1), z(v_2), \ldots, z(v_k))$
22
Formal Semantics of First Order Formulae
  • For a structure $S = \langle U^S, P^S \rangle$
  • Formulae $\varphi$ with free variables in $LVar$
  • Assignment $z : LVar \to U^S$
  • $\llbracket \varphi \rrbracket^S(z) \in \{0, 1, 1/2\}$

$\llbracket \varphi_1 \vee \varphi_2 \rrbracket^S(z) = \max(\llbracket \varphi_1 \rrbracket^S(z), \llbracket \varphi_2 \rrbracket^S(z))$
$\llbracket \varphi_1 \wedge \varphi_2 \rrbracket^S(z) = \min(\llbracket \varphi_1 \rrbracket^S(z), \llbracket \varphi_2 \rrbracket^S(z))$
$\llbracket \neg \varphi_1 \rrbracket^S(z) = 1 - \llbracket \varphi_1 \rrbracket^S(z)$
$\llbracket \exists v.\, \varphi_1 \rrbracket^S(z) = \max \{ \llbracket \varphi_1 \rrbracket^S(z[v \mapsto u]) : u \in U^S \}$
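As an added illustration (Python written for this page, not the slides' or TVLA's code), the Kleene semantics of slides 21 and 22 implemented over a constructed copy of the slide 14 structure and applied to the conditions of slide 10, the sharing formula of slide 32 and the update formula of x = x.cdr from slide 9. The nested-tuple formula encoding and the sparse tables are assumptions of this example.

```python
from fractions import Fraction as F

HALF = F(1, 2)

# Constructed copy of the 3-valued structure of slide 14: u3 is a summary node
# (eq(u3, u3) = 1/2) and cdr(u2, u3) is unknown. Tuples absent from a table are 0.
U14 = ["u1", "u2", "u3"]
P14 = {
    "x":   {("u1",): 1},
    "y":   {},
    "cdr": {("u1", "u2"): 1, ("u2", "u3"): HALF, ("u3", "u3"): HALF},
    "eq":  {("u1", "u1"): 1, ("u2", "u2"): 1, ("u3", "u3"): HALF},
}
S14 = (U14, P14)

def ev(phi, S, z):
    """Kleene meaning [[phi]]^S(z) from slides 21-22: or = max, and = min,
    not = 1 - v, exists = max over U^S, forall = min over U^S."""
    U, P = S
    tag = phi[0]
    if tag == "p":                                   # p(v1..vk) -> p^S(z(v1)..z(vk))
        return F(P[phi[1]].get(tuple(z[v] for v in phi[2]), 0))
    if tag == "not":
        return 1 - ev(phi[1], S, z)
    if tag == "and":
        return min(ev(f, S, z) for f in phi[1:])
    if tag == "or":
        return max(ev(f, S, z) for f in phi[1:])
    if tag in ("exists", "forall"):
        vals = [ev(phi[2], S, {**z, phi[1]: u}) for u in U]
        return max(vals) if tag == "exists" else min(vals)
    raise ValueError(f"unknown formula tag {tag!r}")

def update(S, pred, var, phi):
    """Abstract transformer for a unary predicate-update formula pred'(var) = phi:
    the concrete formula is simply re-evaluated in 3-valued logic (slide 25)."""
    U, P = S
    return (U, {**P, pred: {(u,): ev(phi, S, {var: u}) for u in U}})

# Formulae from slides 10 and 32 (is_cdr) and the update for x = x.cdr (slide 9).
X_NOT_NULL = ("exists", "v", ("p", "x", ["v"]))
X_EQ_Y = ("exists", "v", ("and", ("p", "x", ["v"]), ("p", "y", ["v"])))
IS_CDR = ("exists", "v1", ("exists", "v2", ("and", ("p", "cdr", ["v1", "v"]),
         ("p", "cdr", ["v2", "v"]), ("not", ("p", "eq", ["v1", "v2"])))))
X_GETS_X_CDR = ("exists", "v1", ("and", ("p", "x", ["v1"]), ("p", "cdr", ["v1", "v"])))

if __name__ == "__main__":
    print(ev(X_NOT_NULL, S14, {}), ev(X_EQ_Y, S14, {}))   # 1 0
    print(ev(IS_CDR, S14, {"v": "u3"}))                   # 1/2: sharing of u3 is unknown
    print(update(S14, "x", "v", X_GETS_X_CDR)[1]["x"])    # x now points to u2 only
```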
23
The Embedding Theorem
  • Evaluating a formula in S is conservative with
    respect to ?(S)
  • Every formula ? is preserved
  • $\varphi = 1$ in $S$ $\Rightarrow$ $\varphi = 1$ in every $S^\natural \in \gamma(S)$
  • $\varphi = 0$ in $S$ $\Rightarrow$ $\varphi = 0$ in every $S^\natural \in \gamma(S)$
  • $\varphi = 1/2$ in $S$ $\Rightarrow$ don't know

24
The Embedding Theorem
  • $S \sqsubseteq^f S'$
  • Formulae $\varphi$ with free variables in $LVar$
  • Assignment $z : LVar \to U^S$
  • $\llbracket \varphi \rrbracket^S(z) \sqsubseteq \llbracket \varphi \rrbracket^{S'}(f \circ z)$

25
Shape Analysis via Abstract Interpretation
  • Iteratively compute a set of 3-valued structures
    for every program point
  • Every statement transforms structures according
    to the predicate-update formulae
  • use 3-valued logic instead of 2-valued logic
  • use exactly the predicate-update formulae of the
    concrete semantics!!

26
Abstract Semantics
$AI(start) = \{\langle \emptyset, \emptyset \rangle\}$
$AI(v) = \{blur(\llbracket st(u) \rrbracket_3(S)) : u \to v \in E,\ S \in AI(u)\}$
$\quad \cup\ \{S : S \in AI(u),\ u \to v \in E_t,\ S \models_3 cond(u)\}$
$\quad \cup\ \{S : S \in AI(u),\ u \to v \in E_f,\ S \models_3 \neg cond(u)\}$
27
(The control flow graph of slide 6 with the same predicate-update formulae, now evaluated in 3-valued logic.)
28
(The control flow graph of the reverse example from slide 8 with the same predicate-update formulae, now evaluated in 3-valued logic.)
29
Intermediate Summary
  • Predicate logic allows the SOS of languages with pointers and
    dynamically allocated structures to be expressed naturally
  • 3-valued logic provides a sound solution
  • Immediate from Embedding theorem
  • All you need is to guarantee the SOS correctness
  • But not very precise

30
More precise abstract interpretation
  • Refine the abstraction (concretization)
  • More precise abstract interpretation of basic
    statements
  • But not necessarily the best (induced)

31
The Instrumentation Principle
  • Increase precision by storing the truth-value of
    some designated formulae
  • Introduce predicate-update formulae to update the
    extra predicates

32
Example: Heap Sharing
$is_{sel}(v) = \exists v_1, v_2.\, sel(v_1, v) \wedge sel(v_2, v) \wedge \neg eq(v_1, v_2)$
33
Example: Heap Sharing
$is_{sel}(v) = \exists v_1, v_2.\, sel(v_1, v) \wedge sel(v_2, v) \wedge \neg eq(v_1, v_2)$
(Figure: example structures with individuals $u$, $u_1$ and pointer variable x, annotated with $is = 1$ and $is = 0$.)
34
Updating sharing under x.sel = y
The predicate-update formula for $is_{sel}$ is built from these sub-formulae:
  • $\exists v_1.\, x(v_1)$: the cell whose sel field is written
  • $y(v) \wedge \exists v_2.\, sel(v_2, v) \wedge \neg x(v_2)$: the new target already has a sel-predecessor other than x
  • $sel(v_1, v) \wedge \exists v_2, v_3.\, \varphi_{is}(v_2, v_3, v) \wedge \neg x(v_2) \wedge \neg x(v_3)$: the old target keeps two distinct predecessors other than x
  • $is_{sel}(v)$: the old value
where $\varphi_{is}(v_2, v_3, v) = sel(v_2, v) \wedge sel(v_3, v) \wedge \neg eq(v_2, v_3)$.
35
Other Instrumentation
  • $c_{cdr,car}(v) = \exists v_1.\, cdr(v, v_1) \wedge car(v_1, v)$
  • $c_{car,cdr}(v) = \exists v_1.\, car(v, v_1) \wedge cdr(v_1, v)$
  • $r_{sel}(v_1, v_2) = sel^*(v_1, v_2)$
  • $r_{x,sel}(v) = \exists v_1.\, x(v_1) \wedge sel^*(v_1, v)$
  • $r_x(v) = \exists v_1.\, x(v_1) \wedge (car \cup cdr)^*(v_1, v)$
  • $inOrder_{sel,dle}(v) = \forall v_1.\, sel(v, v_1) \to dle(v, v_1)$
  • $inROrder_{sel,dle}(v) = \forall v_1.\, sel(v, v_1) \to dle(v_1, v)$

36
(The control flow graph of the reverse example from slide 8, with its predicate-update formulae, shown again.)
37
Semantic Reduction
  • Improve the precision of the analysis by
    recovering properties of the program semantics
  • A Galois connection $(L_1, \alpha, \gamma, L_2)$
  • An operation $op : L_2 \to L_2$ is a semantic reduction if
  • $\forall l \in L_2.\ op(l) \sqsubseteq l$
  • $\gamma(op(l)) = \gamma(l)$
  • Can be applied before and after basic operations
  • Preserve soundness

38
Materialization
(Figure: x = x.cdr applied to 3-valued structures with individuals $u$, $u_1$, $u_2$, $u_3$, pointer variables x, y and cdr edges.)
39
The Focusing Principle
  • To increase precision
  • Bring the predicate-update formula into focus
    (Force 1/2 to 0 or 1)
  • Then apply the predicate-update formulae
  • Generalizes materialization

40
(1) Focus on $\exists v_1.\, x(v_1) \wedge cdr(v_1, v)$
(Figure: the 3-valued structure with individuals $u$, $u_1$, pointer variables x, y and cdr edges is focused, yielding structures in which the summary node is split into $u.1$ and $u.0$.)
41
(2) Evaluate Predicate-Update Formulae
$x'(v) = \exists v_1.\, x(v_1) \wedge cdr(v_1, v)$
(Figure: the update applied to each focused structure of the previous slide, with individuals $u$, $u_1$, $u.1$, $u.0$, pointer variables x, y and cdr edges.)
42
The Focus Operation
  • $Focus : Formula \to (P(\text{3-Struct}) \to P(\text{3-Struct}))$
  • For every formula $\varphi$
  • $Focus(\varphi)(X)$ yields structures in which $\varphi$ evaluates
    to a definite value under all assignments
  • $Focus(\varphi)$ is a semantic reduction
  • But $Focus(\varphi)(X)$ may be undefined for some $X$

43
(1) Focus on $\exists v_1.\, x(v_1) \wedge cdr(v_1, v)$
(Figure: the 3-valued structure with individuals $u$, $u_1$, pointer variables x, y and cdr edges is focused, yielding structures in which the summary node is split into $u.1$ and $u.0$.)
44
(1) Focus on $\exists v_1.\, cdr(v_1, v)$
(Figure: a structure with individuals $u$, $u_1$, pointer variables x, y and cdr edges.)
45
(2) Evaluate Predicate-Update Formulae
$x'(v) = \exists v_1.\, x(v_1) \wedge cdr(v_1, v)$
(Figure: the update applied to each focused structure, with individuals $u$, $u_1$, $u.1$, $u.0$, pointer variables x, y and cdr edges.)
46
The Coercion Principle
  • Another Semantic Reduction
  • Can be applied after Focus or after Update or
    both
  • Increase precision by exploiting some structural
    properties possessed by all stores (Global
    invariants)
  • Structural properties captured by constraints
  • Apply a constraint solver

47
(3) Apply Constraint Solver
(Figure: the structures after the constraint solver is applied.)
48
Example Constraints
$x(v_1) \wedge x(v_2) \to eq(v_1, v_2)$
$sel(v, v_1) \wedge sel(v, v_2) \to eq(v_1, v_2)$
$sel(v_1, v) \wedge sel(v_2, v) \wedge \neg eq(v_1, v_2) \to is_{sel}(v)$
49
Sources of Constraints
  • Properties of the operational semantics
  • Domain specific knowledge
  • Instrumentation predicates
  • User supplied

50
Format of Constraints
  • $\varphi \to p(v_1, v_2, \ldots, v_k)$, where $i \ne j \Rightarrow v_i \ne v_j$
  • $\varphi \to \neg p(v_1, v_2, \ldots, v_k)$, where $i \ne j \Rightarrow v_i \ne v_j$
  • Interpretation
  • If LHS is 1 so is RHS
  • Preserved under tight embedding

51
Example Constraints
$x(v_1) \wedge x(v_2) \to eq(v_1, v_2)$   (1)
$x(v_1) \wedge \neg eq(v_1, v_2) \to \neg x(v_2)$   (1a)
$sel(v, v_1) \wedge sel(v, v_2) \to eq(v_1, v_2)$   (2)
$sel(v, v_1) \wedge \neg eq(v_1, v_2) \to \neg sel(v, v_2)$   (2a)
$sel(v_1, v) \wedge sel(v_2, v) \wedge \neg eq(v_1, v_2) \to is_{sel}(v)$   (3)
$sel(v_1, v) \wedge sel(v_2, v) \wedge \neg is_{sel}(v) \to eq(v_1, v_2)$   (3a)
$sel(v_1, v) \wedge \neg eq(v_1, v_2) \wedge \neg is_{sel}(v) \to \neg sel(v_2, v)$   (3b)
$is_{sel}(v) \to \exists v_1, v_2.\, sel(v_1, v) \wedge sel(v_2, v) \wedge \neg eq(v_1, v_2)$   (4)
52
(3) Apply Constraint Solver
$x(v_1) \wedge x(v_2) \to eq(v_1, v_2)$   (1)
$sel(v_1, v) \wedge \neg eq(v_1, v_2) \wedge \neg is_{sel}(v) \to \neg sel(v_2, v)$   (3b)
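An added example (Python written for this page, not the slides' or TVLA's code) of the coercion step: constraints (1), (1a), (2) and (3b) of slide 51, in the body-to-head-literal format of slide 50, are applied to a constructed structure of the kind a focus step produces. The literal encoding, the sparse tables and the predicate name is_cdr are assumptions of this example.

```python
from fractions import Fraction as F
from itertools import product
HALF = F(1, 2)

# Constructed 3-valued structure as it might look right after a focus step: x
# points to the head u1, whose cdr definitely reaches the node u (cdr(u1, u) = 1)
# that was split off the summary node. Tuples absent from a table are 0.
U2 = ["u1", "u"]
P2 = {
    "x":      {("u1",): 1, ("u",): HALF},
    "is_cdr": {},
    "cdr":    {("u1", "u"): 1, ("u", "u"): HALF},
    "eq":     {("u1", "u1"): HALF, ("u", "u"): HALF},
}

# Constraints in the format of slide 50: a body of literals and one head literal.
# A literal is (predicate, space-separated variables, polarity).
C1 = ([("x", "v1", True), ("x", "v2", True)], ("eq", "v1 v2", True))            # (1)
C1a = ([("x", "v1", True), ("eq", "v1 v2", False)], ("x", "v2", False))         # (1a)
C2 = ([("cdr", "v v1", True), ("cdr", "v v2", True)], ("eq", "v1 v2", True))    # (2)
C3b = ([("cdr", "v1 v", True), ("eq", "v1 v2", False), ("is_cdr", "v", False)],
       ("cdr", "v2 v", False))                                                   # (3b)

def lit(P, z, pred, vs, pos):
    """3-valued value of a literal under assignment z (negation is 1 - v)."""
    val = F(P[pred].get(tuple(z[v] for v in vs.split()), 0))
    return val if pos else 1 - val

def coerce(U, P, constraints):
    """Coercion (slide 46): when a body evaluates to 1 the head must be 1, so an
    unknown head is sharpened to the value that makes it 1; a definitely violated
    head means no concrete store is represented (None). Only 1/2 values change."""
    P = {p: dict(t) for p, t in P.items()}           # never mutate the input
    changed = True
    while changed:                                   # iterate to a fixpoint
        changed = False
        for body, head in constraints:
            vars_ = sorted({v for _, vs, _ in body + [head] for v in vs.split()})
            for assign in product(U, repeat=len(vars_)):
                z = dict(zip(vars_, assign))
                if min(lit(P, z, *l) for l in body) != 1:
                    continue
                hp, hv, hpos = head
                key, want = tuple(z[v] for v in hv.split()), (1 if hpos else 0)
                cur = F(P[hp].get(key, 0))
                if cur == HALF:
                    P[hp][key], changed = want, True
                elif cur != want:
                    return None
    return P
```

On this input the solver turns u into a non-summary node (eq(u, u) = 1), rules out x pointing into u, and removes the unknown cdr self-loop of u; a variant with x(u) = 1 is rejected outright because (1) would demand eq(u1, u) = 1 where it is definitely 0.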
53
Summary
  • Predicate logic allows the SOS of languages with pointers and
    dynamically allocated structures to be expressed naturally
  • 3-valued logic provides a sound solution
  • Semantic reductions improve precision and
    preserve soundness
  • Next meeting: TVLA and some applications