3-Valued Logic Analyzer (TVP) Part II - PowerPoint PPT Presentation

1
3-Valued Logic Analyzer (TVP) Part II
  • Tal Lev-Ami and Mooly Sagiv

2
Outline
  • The Shape Analysis Problem
  • Solving Shape Analysis with TVLA
  • Structural Operational Semantics
  • Predicate logic
  • Embedding
  • (Imprecise) Abstract Interpretation
  • Instrumentation Predicates
  • Focus
  • Coerce
  • Bibliography

3
Shape Analysis
  • Determine the possible shapes of a dynamically
    allocated data structure at given program point
  • Relevant questions:
  • Does a variable point to an acyclic list?
  • Does a variable point to a doubly-linked list?
  • Does a pointer variable p point to an allocated element
    every time p is dereferenced?
  • Can a procedure create a memory leak?

4
Dereference of NULL pointers
  typedef struct element {
    int value;
    struct element *next;
  } Elements;

  bool search(int value, Elements *c) {
    Elements *elem;
    /* the guard tests c, but elem is the pointer that advances:
       when value is absent, elem becomes NULL and is dereferenced */
    for (elem = c; c != NULL; elem = elem->next)
      if (elem->value == value) return TRUE;
    return FALSE;
  }
5
Memory leakage
  Elements *reverse(Elements *c) {
    Elements *h, *g;
    h = NULL;
    while (c != NULL) {
      g = c->next;
      h = c;          /* the list reversed so far (old h) is dropped here */
      c->next = h;
      c = g;
    }
    return h;
  }

  leakage of the address pointed to by h
6
The SWhile Programming Language: Abstract Syntax
  sel ::= car | cdr
  a   ::= x | x.sel | null | n | a1 op_a a2
  b   ::= true | false | not b | b1 op_b b2 | a1 op_r a2
  S   ::= [x := a]^l | [x.sel := a]^l | [x := malloc()]^l
        | [skip]^l | S1; S2 | if [b]^l then S1 else S2 | while [b]^l do S
7
Dereference of NULL pointers
  [elem := c]^1;
  [found := false]^2;
  while ([c != null]^3 && [!found]^4) (
    if ([elem->car == value]^5)
    then [found := true]^6
    else [elem := elem->cdr]^7
  )
8
Structural Operational Semantics for languages
with dynamically allocated objects
  • The program state consists of
  • current allocated objects
  • a mapping from variables into atoms, objects, and
    null
  • a car mapping from objects into atoms, objects,
    and null
  • a cdr mapping from objects into atoms, objects,
    and null
  • malloc() allocates more objects
  • assignments update the state

9
Structural Operational Semantics
  • The program state S = (O, env, car, cdr)
  • current allocated objects O
  • atoms (integers, Booleans) A
  • env : Var → A ∪ O ∪ {null}
  • car : O → A ∪ O ∪ {null}
  • cdr : O → A ∪ O ∪ {null}
  • The meaning of expressions A⟦a⟧ : S → A ∪ O ∪ {null}
  • A⟦at⟧(s) = at
  • A⟦x⟧((O, env, car, cdr)) = env(x)
  • A⟦x.car⟧((O, env, car, cdr)) = car(env(x))
  • A⟦x.cdr⟧((O, env, car, cdr)) = cdr(env(x))

10
Structural Semantics for SWhile: axioms
  [ass_v^sos]    ⟨x := a, s = (O, e, car, cdr)⟩ ⇒ (O, e[x ↦ A⟦a⟧s], car, cdr)
  [ass_car^sos]  ⟨x.car := a, (O, e, car, cdr)⟩ ⇒ (O, e, car[e(x) ↦ A⟦a⟧s], cdr)
  [ass_cdr^sos]  ⟨x.cdr := a, (O, e, car, cdr)⟩ ⇒ (O, e, car, cdr[e(x) ↦ A⟦a⟧s])
  [ass_m^sos]    ⟨x := malloc(), (O, e, car, cdr)⟩ ⇒ (O ∪ {n}, e[x ↦ n], car, cdr) where n ∉ O
  [skip^sos]     ⟨skip, s⟩ ⇒ s

11
Structural Semantics for SWhile: rules
12
Summary
  • The SOS is natural
  • Can handle
  • errors, e.g., null dereferences
  • free
  • garbage collection
  • But it does not lead to an analysis by itself
  • The set of potential objects is unbounded
  • Solution: three-valued Kleene predicate logic
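
The state (O, env, car, cdr) of slides 8-10 and the running example of slide 7, as an added example (not code from the slides or from TVLA): a small Python interpreter for the SOS state with the five axioms as methods. Expressions are tuples ("atom", v), ("var", x) or ("sel", x, "car"|"cdr"); object names "o0", "o1", ... and the list-building loop are assumptions of this example. Running the search with a key that is absent shows the null dereference the SOS is said to detect: the guard tests c while elem is the pointer that advances.

```python
class NullDeref(Exception):
    """Raised when x.sel is read or written while x is null (or not an object)."""


class State:
    """The SOS state (O, env, car, cdr) of slide 9 as mutable Python data.

    Objects are fresh strings "o0", "o1", ... handed out by malloc(); atoms are
    Python ints/bools; null is None. (Naming scheme is this example's assumption.)
    """

    def __init__(self):
        self.O = set()     # currently allocated objects
        self.env = {}      # Var -> A ∪ O ∪ {null}
        self.car = {}      # O -> A ∪ O ∪ {null}
        self.cdr = {}      # O -> A ∪ O ∪ {null}

    def _object(self, x, sel):
        o = self.env.get(x)
        if o not in self.O:
            raise NullDeref(f"{x}.{sel}: {x} does not point to an allocated object")
        return o

    # A[[a]](s) for the expression forms of slide 9
    def eval(self, a):
        kind, *args = a
        if kind == "atom":
            return args[0]
        if kind == "var":
            return self.env.get(args[0])
        if kind == "sel":
            x, sel = args
            return getattr(self, sel)[self._object(x, sel)]
        raise ValueError(f"unknown expression {a!r}")

    # the axioms of slide 10
    def assign_var(self, x, a):          # [ass_v]    env[x ↦ A[[a]]s]
        self.env[x] = self.eval(a)

    def assign_sel(self, x, sel, a):     # [ass_car]/[ass_cdr]  sel[e(x) ↦ A[[a]]s]
        getattr(self, sel)[self._object(x, sel)] = self.eval(a)

    def malloc(self, x):                 # [ass_m]    O ∪ {n}, env[x ↦ n], n ∉ O
        n = f"o{len(self.O)}"
        self.O.add(n)
        self.car[n] = None
        self.cdr[n] = None
        self.env[x] = n


def search(values, key):
    """Run the running example of slide 7 on a list holding `values` (constructed input).

    Returns the final value of `found`; raises NullDeref exactly when the guard
    [c != null]^3 lets execution reach [elem->car == value]^5 with elem == null.
    """
    s = State()
    s.assign_var("c", ("atom", None))
    for val in reversed(values):        # cons the list so that c -> values[0] -> ...
        s.malloc("tmp")
        s.assign_sel("tmp", "car", ("atom", val))
        s.assign_sel("tmp", "cdr", ("var", "c"))
        s.assign_var("c", ("var", "tmp"))
    s.assign_var("elem", ("var", "c"))                      # [elem := c]^1
    s.assign_var("found", ("atom", False))                  # [found := false]^2
    while (s.eval(("var", "c")) is not None                 # [c != null]^3
           and not s.eval(("var", "found"))):               # [!found]^4
        if s.eval(("sel", "elem", "car")) == key:           # [elem->car == value]^5
            s.assign_var("found", ("atom", True))           # [found := true]^6
        else:
            s.assign_var("elem", ("sel", "elem", "cdr"))    # [elem := elem->cdr]^7
    return s.eval(("var", "found"))


def search_or_error(values, key):
    """Same as search, but report the null dereference as a value instead of an exception."""
    try:
        return search(values, key)
    except NullDeref:
        return "null-deref"
```

search([1, 2, 3], 2) terminates with found = true; search([1, 2, 3], 9) walks elem off the end of the list and raises NullDeref at label 5, which is the concrete run the abstract analysis of the following slides has to report for every input.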

13
Predicate Logic
  • Vocabulary
  • A finite set of predicate symbols P, each with a
    fixed arity
  • A finite set of function symbols
  • Logical structures S provide meaning for
    predicates
  • A set of individuals (nodes) U
  • p^S : (U^S)^k → {0, 1}
  • First-order formulas over the vocabulary express logical
    structure properties

14
Using Predicate Logic to describe states in SOS
  • U = O
  • For a Boolean variable x define a nullary
    predicate (proposition) bx
  • bx = 1 when env(x) = 1
  • For a pointer variable x define a unary predicate px
  • px(u) = 1 when env(x) = u and u is an object
  • Two binary predicates per selector
  • scar(u1, u2) = 1 when car(u1) = u2 and u2 is an
    object
  • scdr(u1, u2) = 1 when cdr(u1) = u2 and u2 is an
    object

15
Running Example
  [elem := c]^1;
  [found := false]^2;
  while ([c != null]^3 && [!found]^4) (
    if ([elem->car == value]^5)
    then [found := true]^6
    else [elem := elem->cdr]^7
  )
16
  %s Pvar {elem, c}
  %s Bvar {found}
  %s Sel {car, cdr}
  #include "pred.tvp"
  #include "cond.tvp"
  #include "stat.tvp"
  %%
  /* [elem := c]^1 */
  l_1 Copy_Var(elem, c) l_2
  /* [found := false]^2 */
  l_2 Set_False(found) l_3
  /* while ([c != null]^3 && [!found]^4) ( */
  l_3 Is_Not_Null_Var(c) l_4
  l_3 Is_Null_Var(c) l_end
  l_4 Is_False(found) l_5
  l_4 Is_True(found) l_end
  /* if ([elem->car == value]^5) */
  l_5 Uninterpreted_Cond() l_6
  l_5 Uninterpreted_Cond() l_7
  /* then [found := true]^6 */
  l_6 Set_True(found) l_3
  /* else [elem := elem->cdr]^7 */
  l_7 Get_Sel(cdr, elem, elem) l_3
  /* ) */
  %%
  l_1, l_end
17
pred.tvp
  foreach (z in Bvar) { %p bz() }
  foreach (z in Pvar) { %p pz(v) unique box }
  foreach (sel in Sel) { %p ssel(v_1, v_2) function }
18
Actions
  • Use first-order formulae over the vocabulary to express
    the SOS
  • Every action can have
  • a title (%t)
  • a focus formula (%f)
  • a precondition formula (%p)
  • error messages (%message)
  • a new formula (%new)
  • predicate-update formulas
  • a retain formula (%retain)

19
cond.tvp (part 1)
  %action Uninterpreted_Cond() {
    %t "uninterpreted-Condition"
  }
  %action Is_True(x1) {
    %t x1
    %p bx1()
    { bx1() = 1 }
  }
  %action Is_False(x1) {
    %t "!" + x1
    %p !bx1()
    { bx1() = 0 }
  }
20
cond.tvp (part 2)
  %action Is_Not_Null_Var(x1) {
    %t x1 + " != null"
    %p E(v) px1(v)
  }
  %action Is_Null_Var(x1) {
    %t x1 + " == null"
    %p !(E(v) px1(v))
  }
21
stat.tvp (part 1)
  %action Skip() {
    %t "Skip"
  }
  %action Set_True(x1) {
    %t x1 + " = true"
    { bx1() = 1 }
  }
  %action Set_False(x1) {
    %t x1 + " = false"
    { bx1() = 0 }
  }
22
stat.tvp (part 2)
  %action Copy_Var(x1, x2) {
    %t x1 + " = " + x2
    { px1(v) = px2(v) }
  }
23
stat.tvp (part 3)
  %action Get_Sel(sel, x1, x2) {
    %t x1 + " = " + x2 + "." + sel
    %message (!E(v) px2(v)) ->
      "an illegal dereference to " + sel + " component of " + x2
    { px1(v) = E(v_1) px2(v_1) & ssel(v_1, v) }
  }
24
stat.tvp (part 4)
  %action Set_Sel_Null(x1, sel) {
    %t x1 + "." + sel + " = null"
    %message (!E(v) px1(v)) ->
      "an illegal dereference to " + sel + " component of " + x1
    { ssel(v_1, v_2) = ssel(v_1, v_2) & !px1(v_1) }
  }
25
stat.tvp (part 5)
  %action Set_Sel(x1, sel, x2) {
    %t x1 + "." + sel + " = " + x2
    %message (E(v, v_1) px1(v) & ssel(v, v_1)) ->
      "Internal Error! assume that " + x1 + "." + sel + " == NULL"
    %message (!E(v) px1(v)) ->
      "an illegal dereference to " + sel + " component of " + x1
    { ssel(v_1, v_2) = ssel(v_1, v_2) | px1(v_1) & px2(v_2) }
  }

26
stat.tvp (part 6)
  %action Malloc(x1) {
    %t x1 + " = malloc()"
    %new
    { px1(v) = isNew(v) }
  }
27
3-Valued Kleene Logic
  • A logic with 3 values
  • 0 - false
  • 1 - true
  • 1/2 - don't know
  • Operators are conservatively interpreted
  • 1/2 means either true or false

  [lattice figure: 0 and 1 both sit below 1/2 in the information order]
28
Kleene Interpretation of Operators (logical-and)
  [truth table not in the transcript; a ∧ b = min(a, b) on the order 0 < 1/2 < 1]
29
Kleene Interpretation of Operators (logical-or)
  [truth table not in the transcript; a ∨ b = max(a, b)]
30
Kleene Interpretation of Operators (logical-negation)
  [truth table not in the transcript; ¬a = 1 − a, so ¬1/2 = 1/2]
31
Kleene Interpretation of Operators (logical-implication)
  [truth table not in the transcript; a → b = ¬a ∨ b]
32
3-Valued Predicate Logic
  • Vocabulary
  • A finite set of predicate symbols P
  • A special unary predicate sm
  • sm(u) = 0 when u represents a unique concrete node
  • sm(u) = 1/2 when u may represent more than one
    concrete node
  • 3-valued logical structures S provide meaning for
    predicates
  • A (bounded) set of individuals (nodes) U
  • p^S : (U^S)^k → {0, 1/2, 1}
  • First-order formulas over the vocabulary express logical
    structure properties
  • Interpret ∃ as maximum on the logical order

33
The Blur Operation
  • Abstract an arbitrary structure into a structure
    of bounded size
  • Select a set of unary predicates as
    abstraction-predicates
  • Map all the nodes with the same value of
    abstraction predicates into a single summary node
  • Join the values of other predicates

34
The Embedding Theorem
  • If a big structure B can be embedded in a
    structure S via a surjective (onto) function f
    such that all predicate values are preserved,
    i.e., p^B(u1, ..., uk) ⊑ p^S(f(u1), ..., f(uk))
  • Then every formula φ is preserved:
  • φ = 1 in S ⇒ φ = 1 in B
  • φ = 0 in S ⇒ φ = 0 in B
  • φ = 1/2 in S ⇒ don't know
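
The Kleene operators (slides 27-31), the blur operation (slide 33) and the embedding theorem (slide 34) together, as an added example that is not code from the slides or from TVLA: a 3-valued structure type, canonical abstraction by a chosen set of unary abstraction predicates, and the heap-sharing formula of the next slides evaluated on a constructed three-node list and on its blurred version. Node naming by the tuple of abstraction-predicate values and the encoding of 1/2 as a Fraction are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)   # 1/2 = "don't know"


# Kleene operators on the logical order 0 < 1/2 < 1
def k_and(a, b):     return min(a, b)
def k_or(a, b):      return max(a, b)
def k_not(a):        return 1 - a               # so ¬1/2 = 1/2
def k_implies(a, b): return k_or(k_not(a), b)
def k_join(a, b):    return a if a == b else HALF   # information-order join: 0 ⊔ 1 = 1/2


def exists(universe, f):   # ∃ is max over individuals (0 on an empty universe)
    return max((f(u) for u in universe), default=0)


def forall(universe, f):   # ∀ is min over individuals
    return min((f(u) for u in universe), default=1)


class Structure:
    """Nodes U, unary predicates unary[p][u], binary predicates binary[p][(u1, u2)].
    A missing entry is 0; the summary-node predicate sm defaults to 0 everywhere."""

    def __init__(self, nodes, unary, binary):
        self.U = list(nodes)
        self.unary = {p: dict(v) for p, v in unary.items()}
        self.binary = {p: dict(v) for p, v in binary.items()}
        self.unary.setdefault("sm", {})

    def u(self, p, x):    return self.unary[p].get(x, 0)
    def b(self, p, x, y): return self.binary[p].get((x, y), 0)

    def eq(self, x, y):
        """v1 == v2: distinct nodes are unequal; a summary node may or may not equal itself."""
        if x != y:
            return 0
        return HALF if self.u("sm", x) == HALF else 1


def blur(s, abstraction_preds):
    """Canonical abstraction (slide 33): nodes with the same values of the abstraction
    predicates collapse into one node named by that value tuple; every other predicate
    takes the join of the values it had on the merged nodes; merged nodes get sm = 1/2."""
    f = {x: tuple(s.u(p, x) for p in abstraction_preds) for x in s.U}
    nodes = sorted(set(f.values()))
    unary = {p: {} for p in s.unary if p != "sm"}
    binary = {p: {} for p in s.binary}
    for p in unary:
        for x in s.U:
            unary[p][f[x]] = k_join(unary[p][f[x]], s.u(p, x)) if f[x] in unary[p] else s.u(p, x)
    for p in binary:
        for x, y in product(s.U, repeat=2):
            key = (f[x], f[y])
            binary[p][key] = k_join(binary[p][key], s.b(p, x, y)) if key in binary[p] else s.b(p, x, y)
    members = {n: [x for x in s.U if f[x] == n] for n in nodes}
    unary["sm"] = {n: (HALF if len(m) > 1 else s.u("sm", m[0])) for n, m in members.items()}
    return Structure(nodes, unary, binary), f


def is_shared(s, sel, v):
    """is_sel(v) = ∃v1,v2: sel(v1, v) ∧ sel(v2, v) ∧ v1 ≠ v2, evaluated in 3-valued logic."""
    return exists(s.U, lambda v1:
                  exists(s.U, lambda v2:
                         k_and(k_and(s.b(sel, v1, v), s.b(sel, v2, v)),
                               k_not(s.eq(v1, v2)))))


def embedding_preserved(conc, abst, f, formula):
    """Embedding theorem for a unary formula: a definite value at f(x) in the abstract
    structure must equal the concrete value at x; 1/2 in the abstract tells us nothing."""
    return all(formula(abst, f[x]) in (HALF, formula(conc, x)) for x in conc.U)


def list_example():
    """Constructed sample: x -> u1 -> u2 -> u3, an acyclic unshared list,
    blurred with px as the only abstraction predicate."""
    conc = Structure(["u1", "u2", "u3"],
                     unary={"px": {"u1": 1}},
                     binary={"scdr": {("u1", "u2"): 1, ("u2", "u3"): 1}})
    abst, f = blur(conc, ["px"])
    return conc, abst, f
```

On the concrete list no node is shared. After blurring, u2 and u3 become one summary node with scdr = 1/2 on its self-edge, and is_shared evaluates to 1/2 there: the abstraction is sound (the theorem holds) but has lost the sharing information, which is exactly why slide 38 introduces is_sel as an instrumentation predicate instead of re-evaluating its defining formula.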

35
Naive Program Analysis via 3-valued predicate
logic
  • Chaotic iterations
  • Start with the initial 3-valued structure
  • Execute every action in three phases
  • check whether the precondition is satisfied
  • execute the update formulas
  • execute blur
  • Command line: tvla prgm prgm -action pub

36
prgm.tvs
  %n = {u, u0}
  %p
  sm = {u:1/2}
  scdr = {u->u:1/2, u0->u:1/2}
  pc = {u0}
37
More Precise Shape Analysis
  • Distinguish between cyclic and acyclic lists
  • Use Focus to guarantee that important formulas do
    not evaluate to 1/2
  • Use Coerce to maintain global invariants
  • It all works:
  • Singly linked lists (reverse, insert, delete,
    del_all)
  • Sortedness (bubble-sort, insertion-sort, reverse)
  • Doubly linked lists (insert, delete)
  • Mobile code (router)
  • Java multithreading (interference,
    concurrent-queue)

38
The Instrumentation Principle
  • Increase precision by storing the truth-value of
    some designated formulae
  • Introduce predicate-update formulae to update the
    extra predicates

39
Example: Heap Sharing
  is_cdr(v) = ∃v1,v2: cdr(v1, v) ∧ cdr(v2, v) ∧ v1 ≠ v2
  [figure: a concrete list x -> u -> u1 beside its abstraction; only the node labels survived the transcript]
40
Example: Heap Sharing
  is_cdr(v) = ∃v1,v2: cdr(v1, v) ∧ cdr(v2, v) ∧ v1 ≠ v2
  [figure: the same structures with each node annotated is = 0 or is = 1]
41
pred.tvp
  foreach (z in Bvar) { %p bz() }
  foreach (z in Pvar) { %p pz(v) unique box }
  foreach (sel in Sel) { %p ssel(v_1, v_2) function }
  foreach (sel in Sel) {
    %i issel(v) = E(v_1, v_2) ssel(v_1, v) & ssel(v_2, v) & v_1 != v_2
  }
42
stat.tvp (part 4)
  %action Set_Sel_Null(x1, sel) {
    %t x1 + "." + sel + " = null"
    %message (!E(v) px1(v)) ->
      "an illegal dereference to " + sel + " component of " + x1
    {
      ssel(v_1, v_2) = ssel(v_1, v_2) & !px1(v_1)
      issel(v) = issel(v) &
                 (!(E(v_1) px1(v_1) & ssel(v_1, v)) |
                  E(v_1, v_2) v_1 != v_2 &
                              (ssel(v_1, v) & !px1(v_1)) &
                              (ssel(v_2, v) & !px1(v_2)))
    }
  }
43
stat.tvp (part 5)
  %action Set_Sel(x1, sel, x2) {
    %t x1 + "." + sel + " = " + x2
    %message (E(v, v_1) px1(v) & ssel(v, v_1)) ->
      "Internal Error! assume that " + x1 + "." + sel + " == NULL"
    %message (!E(v) px1(v)) ->
      "an illegal dereference to " + sel + " component of " + x1
    {
      ssel(v_1, v_2) = ssel(v_1, v_2) | px1(v_1) & px2(v_2)
      issel(v) = issel(v) | E(v_1) px2(v) & ssel(v_1, v)
    }
  }
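
The instrumentation principle of slides 38-43 rests on the update formulas for is_sel being exact on concrete stores: after x1.sel := null or x1.sel := x2 the stored value must agree with the defining formula of slide 41. The following added example (not code from the slides or from TVLA) checks that by brute force over every 2-valued store with up to three nodes, one selector and two pointer variables; the store encoding and the enumeration are assumptions of this example.

```python
from itertools import product


def is_shared(sel, v):
    """Definition (slide 41): is_sel(v) = ∃v1,v2: sel(v1, v) ∧ sel(v2, v) ∧ v1 ≠ v2.
    `sel` is a partial map node -> node over a concrete (2-valued) store."""
    return sum(1 for t in sel.values() if t == v) >= 2


def set_sel_null(sel, x1):
    """x1.sel := null: drop the edge leaving x1's node (no-op when x1 is null;
    the slides report that case as an illegal dereference)."""
    return {v1: t for v1, t in sel.items() if v1 != x1}


def set_sel(sel, x1, x2):
    """x1.sel := x2 under the slides' precondition that x1.sel is null beforehand."""
    if x1 is None or x1 in sel:
        raise ValueError("Set_Sel needs a non-null x1 whose sel is null")
    new = dict(sel)
    if x2 is not None:
        new[x1] = x2
    return new


def predicted_after_set_sel_null(sel, x1, is_before, v):
    """Update formula of Set_Sel_Null (slide 42), read off the store before the action:
    issel(v) & (!(E(v_1) px1(v_1) & ssel(v_1, v)) |
                E(v_1, v_2) v_1 != v_2 & ssel(v_1, v) & !px1(v_1) & ssel(v_2, v) & !px1(v_2))"""
    via_x1 = x1 is not None and sel.get(x1) == v
    two_others = any(v1 != v2 and sel[v1] == v and v1 != x1 and sel[v2] == v and v2 != x1
                     for v1, v2 in product(sel, repeat=2))
    return is_before and (not via_x1 or two_others)


def predicted_after_set_sel(sel, x2, is_before, v):
    """Update formula of Set_Sel (slide 43): issel(v) | E(v_1) px2(v) & ssel(v_1, v)."""
    return is_before or (v == x2 and any(t == v for t in sel.values()))


def all_stores(n):
    """Every store over nodes 0..n-1: each node's sel target is null or a node,
    and x1, x2 each hold null or a node (constructed exhaustive input)."""
    nodes = list(range(n))
    for targets in product([None] + nodes, repeat=n):
        sel = {v: t for v, t in zip(nodes, targets) if t is not None}
        for x1, x2 in product([None] + nodes, repeat=2):
            yield sel, x1, x2


def check_update_formulas(max_nodes=3):
    """Return the number of (store, action) cases checked, or -1 at the first store
    on which an update formula disagrees with recomputing is_sel from its definition."""
    checked = 0
    for n in range(1, max_nodes + 1):
        for sel, x1, x2 in all_stores(n):
            before = {v: is_shared(sel, v) for v in range(n)}
            after = set_sel_null(sel, x1)
            if any(is_shared(after, v) != predicted_after_set_sel_null(sel, x1, before[v], v)
                   for v in range(n)):
                return -1
            checked += 1
            if x1 is not None and x1 not in sel:        # Set_Sel precondition holds
                after = set_sel(sel, x1, x2)
                if any(is_shared(after, v) != predicted_after_set_sel(sel, x2, before[v], v)
                       for v in range(n)):
                    return -1
                checked += 1
    return checked
```

check_update_formulas(3) walks all 1113 stores with up to three nodes (plus every Set_Sel case whose precondition holds) without finding a disagreement. The same harness is the check to run whenever an update formula is edited: an update formula that is wrong on a concrete store is unsound once blur is applied, and TVLA will not tell you.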
44
Additional Instrumentation Predicates
  • reachable-from-variable-x(v) = ∃v1: x(v1) ∧ cdr*(v1, v)
  • cyclic-along-dimension-d(v) = cdr⁺(v, v)
  • ordered element: inOrder(v) = ∀v1: cdr(v, v1) → v->d < v1->d
  • doubly linked lists

45
The Focusing Principle
  • To increase precision
  • Bring the predicate-update formula into focus
    (Force 1/2 to 0 or 1)
  • Then apply the predicate-update formulas

46
(1) Focus on ∃v1: x(v1) ∧ cdr(v1, v)
  [figure: the structure with nodes u, u1 and variable y is split so that the summary node u becomes u.1 (formula = 1) and u.0 (formula = 0); only the node labels survived the transcript]
47
(2) Evaluate Predicate-Update Formulae
  x(v) = ∃v1: x(v1) ∧ cdr(v1, v)
  [figure: the focused structures after applying the update formula; only the node labels survived the transcript]
48
The Coercion Principle
  • Increase precision by exploiting some structural
    properties possessed by all stores (Global
    invariants)
  • Structural properties captured by constraints
  • Apply a constraint solver

49
(3) Apply Constraint Solver
50
Conclusion
  • TVLA allows construction of non-trivial analyses
  • But it is no panacea
  • Expressing operational semantics using logical
    formulas is not always easy
  • Need instrumentation to be reasonably precise
    (sometimes help efficiency as well)
  • Open problems
  • A debugger for TVLA
  • Frontends
  • Algorithmic problems
  • Space optimizations

51
Bibliography
  • Chapter 2.6
  • http://www.cs.uni-sb.de/wilhelm/foiles/ (invited
    talk, CC2000)
  • http://www.cs.wisc.edu/reps/shape_analysis: Parametric
    Shape Analysis based on 3-valued logics
    (the general theory)
  • http://www.math.tau.ac.il/tla/: the system and
    its applications