Symbolic Implementation of the Best Transformer - PowerPoint PPT Presentation

About This Presentation

Title:

Symbolic Implementation of the Best Transformer

Description:

For each abstract domain, there is a best transformer for each program statement ... For predicate-abstraction domains, implementation of best transformer is known ... – PowerPoint PPT presentation

Number of Views:13

Avg rating:3.0/5.0

Slides: 52

Provided by: thoma55

Learn more at: https://research.cs.wisc.edu

Category:

more less

Transcript and Presenter's Notes

Title: Symbolic Implementation of the Best Transformer

1
Symbolic Implementationof the Best Transformer

Thomas Reps
University of Wisconsin

Joint work with M. Sagiv and G. Yorsh
(Tel-Aviv) TR-1468, Comp. Sci. Dept., Univ. of
Wisconsin
2
Who Cares?

New approach to using symbolic techniques in
abstract interpretation
For shape analysis
For other abstract domains
What does it mean to harness a decision procedure
for use in static analysis?

3
Abstract Interpretation
Concrete
?
Descriptors of sets of stores
Sets of stores
4
Abstract Interpretation
Concrete
?
Descriptors of sets of stores
Sets of stores
5
Best Abstract Transformer
Concrete
?
Descriptors of sets of stores
Sets of stores
6
Best Abstract Transformers

For each abstract domain, there is a best
transformer for each program statement
Best possible precision for that abstraction
For predicate-abstraction domains, implementation
of best transformer is known
Uses theorem prover
Our work implement best transformers for
non-predicate-abstraction domains
Also uses theorem prover

7
Symbolic Operations Three Value-Spaces
Concrete Values
Abstract Values
8
Symbolic Operations Three Value-Spaces
Formulas
Abstract Values
Concrete Values
9
Symbolic Operations Three Value-Spaces
?
Formulas
Concrete Values
Abstract Values
10
Required Primitive Operations

Abstraction
?(S) ?s?S ?(s)
?( )
Symbolic concretization
?( ) ?v1,v2 nodeu1(v1) ?
nodeu (v2) ? v1 ? v2
? ?v nodeu1(v) ? nodeu (v)
? . . .
Theorem prover returning a satisfying structure
(store) S ? ?
For shape analysis, SPASS is mostly
satisfactory

11
Constant-Propagation Domain
(Var ? ZT)?, where ZT
Examples ?, x?0, y?43, z?0,
x?T, y?T, z?0,
x?T, y?T, z? T
Infinite cardinality, but finite height
12
Three Value-Spaces
x?0, y?T, z?0
Formulas
Abstract Values
Concrete Values
13
Three Value-Spaces
(x 0) ? (z 0)
Formulas
Abstract Values
Concrete Values
14
Required Primitive Operations

Abstraction
?(S) ?s?S ?(s)
?(x ? 0, y ? 2, z ? 0) x?0, y?2, z?0
Symbolic concretization
?(x?0, y?T, z?0) (x 0) ? (z 0)
Theorem prover returning a satisfying structure
(store) S ? ?
x ? 0, y ? 2, z ? 0 ? (x 0) ? (z 0)

15
Required Primitive Operations

Abstraction
?(S) ?s?S ?(s)
?(x ? 0, y ? 2, z ? 0) x?0, y?2, z?0
Symbolic concretization
?(x?0, y?T, z?0) (x 0) ? (z 0)
Theorem prover returning a satisfying structure
(store) S ? ?
x ? 0, y ? 2, z ? 0 ? (z 0) ? (x yz)

16
Constant Propagation
x?3, y?4, z?1
x y z
?e.ex? e(y)e(z)
x?4, y?4, z?1
Tx yz df (x y z) ? (y y) ? (z z)
17
Constant Propagation
x y z
x?3, y?T, z?1
?e.ex? e(y) ? e(z)
x?T, y?T, z?1
18
Constant Propagation
?
?e.?
?
?e.ex?3
?
?e.e
?e.e
?
?e.ez?2
?
?
?e.ey?e(x)
?e.ey?e(z)1
?
19
Constant Propagation
?
?e.?
x?T, y?T, z?T
?
?e.ex?3
?
x?3, y?T, z?T
?e.e
?e.e
x?3, y?T, z?T
?
?e.ez?2
?
x?3, y?T, z?T
?
x?3, y?T, z?2
?e.ey?e(x)
?e.ey?e(z)1
x?3, y?3, z?2
x?3, y?3, z?T
?
20
Abstract Transformer
x?3, y?3, z?0, x?7, y?2, z?0
x?0, y?3, z?0, x?0, y?2, z?0
Tx yz
?
?
x?T, y?T, z?0 ? x?0, y?T, z?0
x?T, y?T, z?0
Tx yz
21
Best Abstract Transformer
x?0, y?0, z?0, x?1, y?0, z?0, . . .
x?0, y?1, z?0, x?1, y?1, z?0, . . .
x?0, y?0, z?0, x?0, y?1, z?0, . . .
Tx yz
?
?
x?0, y?T, z?0
x?T, y?T, z?0
22
Three Value-Spaces
x?0,y?T,z?0
x?T,y?T,z?0
(z 0)
Abstract Values
23
Remainder of the Talk

?(?) best abstract value that represents ?
Best ?T ? ? best abstract transformer

24
Idea Behind Procedure ?CP(?)
?
Formulas
Concrete Values
Abstract Values
25
Idea Behind Procedure ?CP(?)
?
ans
Formulas
Concrete Values
Abstract Values
26
Idea Behind Procedure ?CP(?)
?
ans
Formulas
Concrete Values
Abstract Values
27
Idea Behind Procedure ?CP(?)
?1
S ? ?1
ans
S
Formulas
Concrete Values
Abstract Values
28
Idea Behind Procedure ?CP(?)
?2
??2?
ans
Formulas
Concrete Values
Abstract Values
?2 ?1 ? ??(ans)
29
Idea Behind Procedure ?CP(?)
?2
S ? ?2
?(S)
??2?
ans
?
Formulas
Concrete Values
Abstract Values
30
Idea Behind Procedure ?CP(?)
?5 false
ans
Formulas
Concrete Values
Abstract Values
31
Procedure ?
? (formula ?) ans ? ? ? while (?
is satisfiable) Select a store S such
that S ? ? ans ans ? ?(S) ? ? ?
??(ans) return ans
32
Example ?CP((y 3) ? (x 4y 1))
Initialization ans ?
? (y 3) ? (x 4y 1) Iteration 1
S x ? 13, y ? 3 // A satisfying
store ans ? ? ? (x ? 13, y
? 3) x?13, y?3
?(ans) (x 13) ? (y 3)
? (y 3) ? (x 4y 1) ? ?((x
13)?(y 3)) (y 3)
? (x 4y 1) ? ((x ? 13) ? (y ? 3))
false Iteration 2 ? is
unsatisfiable Return value x?13, y?3
33
Procedure ?CP(?)
(z 0) ? (x y z)
x?0, y?43, z?0
ans
Formulas
Concrete Values
Abstract Values
34
Procedure ?CP(?)
(z 0) ? (x y z)
x?0, y?43, z?0
ans
Formulas
Concrete Values
Abstract Values
35
Example ?CP((z 0) ? (x y z))
Initialization ans ?
? (z 0) ? (x y z) Iteration 1 S x
? 0, y ? 43, z ? 0 // A satisfying store
ans ? ? ? (x ? 0, y ? 43, z ? 0)
x?0, y?43, z?0
?(ans) (x 0) ? (y 43) ? (z 0)
? (z 0) ? (x yz) ? ?((x0) ?
(y43) ? (z0)) (z 0)
? (x yz) ? (y ? 43)
36
Procedure ?CP(?)

(z 0)
(x y z)
(y ? 43)

x?0, y?46, z?0
x?0, y?43, z?0
Formulas
Concrete Values
Abstract Values
37
Procedure ?CP(?)

(z 0)
(x y z)
(y ? 43)

x?0, y?T, z?0
ans
Formulas
Concrete Values
Abstract Values
38
Example ?CP((z 0) ? (x y z))
. . . ? (z
0) ? (x y z) ? (y ? 43) Iteration 2 S
x?0,y?46,z?0 // A satisfying store
ans x?0,y?43,z?0 ? ?
(x?0,y?46,z?0)
x?0, y?43, z?0 ? x?0,y?46,z?0
x?0, y?T, z?0
?(ans) (x 0) ? (z 0)
? (z0) ? (xyz) ? (y?43) ? ?((x0) ?
(z0)) false Iteration 3 ? is
unsatisfiable Return value x?0, y?T, z?0
39
The Idea Behind Best ?T ? ?
a
Formulas
T
Abstract Values
40
The Idea Behind Best ?T ? ?
a
Formulas
T
Abstract Values
41
The Idea Behind Best ?T ? ?
a
ans
Formulas
T
Abstract Values
42
The Idea Behind Best ?T ? ?
a
ans
Formulas
T
Abstract Values
43
Procedure Best
Best(two-store-formula T, abs-store a) ans
? ? ?(a) ? T while (? is
satisfiable) Select a store pair (S,S )
such that (S,S ) ? ? ans ans ? ? (S
) ? ? ? ??(ans) return ans
44
Best((x y z) ? (y y) ? (z z),
x?T, y?T, z?0)
Initialization ans ? ?
(z 0) ? (x y z) ? (y y) ? (z
z) Iteration 1 (S,S ) x ? 5, y ?
17, z ? 0, x? 0, y? 17, z? 0
45
The Idea Behind Best ?T ? ?
a
Formulas
Abstract Values
T
46
Best((x y z) ? (y y) ? (z z),
x?T, y?T, z?0)
Initialization ans ? ?
(z 0) ? (x y z) ? (y y) ? (z
z) Iteration 1 (S,S ) x ? 5, y ?
17, z ? 0, x? 0, y? 17, z? 0
ans x?0, y?17, z?0 ?(ans)
(x 0) ? (y 17) ? (z 0) ?
(z 0) ? (x yz) ? (y y) ? (z z) ? (y
? 17)
47
Best((x y z) ? (y y) ? (z z),
x?T, y?T, z?0)
Iteration 2 (S,S ) x ?12, y ? 99,
z ? 0, x? 0, y? 99, z? 0
ans x?0, y?17, z?0 ? x?0, y?99,
z?0 x?0, y?T, z?0 ?(ans)
(x 0) ? (z 0) ? (z 0) ?
(x y z) ? (y y) ? (z z) ? (y ? 17)
? ((x ? 0) ? (z ? 0))
false Iteration 3 ? is unsatisfiable Return
value x?0, y?T, z?0
48
Best(y x ? next, )
rx
rx
. . . ? (y(v) ? ? v1 x(v1) ? n(v1,v)) ? . . .
u4
49
Predicate Abstraction
y 3 x 4y 1
x ? 13, y ? 3
B1 ? (y 1), B2 ? (y 3), B3 ? (y 4), B4
? (x 1), B5 ? (x 3), B6 ? (x 4)
?B1 ? B2 ? ?B3 ? ?B4 ? ?B5 ? ?B6
y 3 ? x ?1, 3, 4
x ? 13, y ? 3
50
Three Value-Spaces
(?B1, B2,?B3, ?B4,?B5,?B6)
Abstract Values
51
Three Value-Spaces
(?B1, B2,?B3, ?B4,?B5,?B6)
Abstract Values
52
Predicate Abstraction

Abstract values
(?B1, B2, ?B3, ?B4, ?B5, ?B6)
Apply ?, which performs ? symbolically
(y ? 1) ? (y 3) ? (y ? 4) ? (x ? 1) ? (x ? 3) ?
(x ? 4)
Apply ?T, which implements a ? T

53
a PA Most-Precise Abstract ValuePredicate
Abstraction
(y 3) ? (x 4y 1)
Formulas
Abstract Values
Concrete Values
54
a PA Most-Precise Abstract ValuePredicate
Abstraction
55
a PA Most-Precise Abstract ValuePredicate
Abstraction
(y 3) ? (x 4y 1) ? ?(x 1)
(y 3) ? (x 4y 1) ? ?(x 3)
(y 3) ? (x 4y 1) ? ?(x 4)
56
Procedure ?PA vs. General ?
57
Conclusions

Requirements
Finite-height abstract domain
Theorem prover that returns a satisfying
structure (store)
?(S) ?s?S ?(S)
Symbolic-concretization operation (?)
?(?) best abstract value that represents ?
Best(T,a) best abstract transformer
Best(T1 T2 . . . Tk, a) best abstract
transformer for a basic block

58
(No Transcript)
59
Clients of Abstract Interpretation
p if (x yz) then S1 else S2 fi At p, x?0,
y?T, z?0 holds
Querying an abstract value ? (x yz) ?(x?0,
y?T, z?0) true?
60
The Most-Precise Answer to a QueryDefinition
61
Quiz
What is the value of ??(y 1)??(x?0, y?T, z?0)?
?(x?0, y?T, z?0) x ? 0, y ? 0, z ? 0,
x ? 0, y ?
1, z ? 0,
x ? 0, y ? 2, z ? 0, . . .
??(y 1)??(x?0, y?T, z?0) ?
62
Quiz
What is the value of ??(x yz)??(x?0, y?T,
z?0)?
?(x?0, y?T, z?0) x ? 0, y ? 0, z ? 0,
x ? 0, y ?
1, z ? 0,
x ? 0, y ? 2, z ? 0, . . .
??(x yz)??(x?0, y?T, z?0) true
63
The Most-Precise Answer to a Query
Implementation
What is the value of ??(x yz)??(x?0, y?T,
z?0)?
?(x?0, y?T, z?0) (x 0) ? (z 0)
Is (x 0) ? (z 0) ? (x yz) valid? Is (x
0) ? (z 0) ? (x ? yz) valid?
yes
no
?? (x yz) ??(x?0, y?T, z?0) true
64
The Most-Precise Answer to a Query
Implementation
What is the value of ??(y 1)??(x?0, y?T, z?0)?
?(x?0, y?T, z?0) (x 0) ? (z 0)
Is (x 0) ? (z 0) ? (y 1) valid? Is (x 0)
? (z 0) ? (y ? 1) valid?
no
no
??(y 1)??(x?0, y?T, z?0) ?
65
Canonical Abstraction
rx
rx
rx
rx
rx
rx
?v1,v2 nodeu1(v1) ? nodeu (v2) ? v1 ? v2 ?
?v nodeu1(v) ? nodeu (v) ? . . .
66
Canonical Abstraction
rx
rx
rx
rx
rx
rx
?v1,v2 nodeu1(v1) ? nodeu (v2) ? v1 ? v2 ?
?v nodeu1(v) ? nodeu (v) ? . . .

Write a Comment

User Comments (0)