Abstract Interpretation with Alien Expressions and Heap Structures

1
Abstract Interpretation with Alien Expressions
and Heap Structures

• Bor-Yuh Evan Chang K. Rustan M. Leino
• UC Berkeley Microsoft Research
• November 11, 2004
• OSQ Meeting

2
Standard Abstract Interpretation

• y 8 x 0
• while ()
• y y x
• x
• y 8
• Can do this inference with the polyhedra abstract
  domain CH79

3
Standard Abstract Interpretation

• this.y 8 this.x 0
• while ()
• this.y this.y this.x
• this.x
• this.y 8?
• Goal Given a base domain that can infer certain
  kind of predicates on variables, use it to infer
  predicates on fields

4
Achieving the Goal

• Handling Alien Expressions
• / Uninterpreted Functions
• Handling Heap Updates

5
Abstract Domains

• interface AbstractDomain
• type Elt
• Constrain Elt Expr ! Elt
• Eliminate Elt Var ! Elt
• Rename Elt Var Var ! Elt
• ToPredicate Elt ! Expr
• Join Elt Elt ! Elt
• AtMost Elt Elt ! bool

6
Fooling the Base Domains
assume o.f 8
Constrain( sel(H,o,f) 8 )
Congruence-Closure Domain / Name Service
sel(H,o,f) ? ?
SymbolicValue
Constrain( ? 8 )
Polyhedra
Base Domains
7
Understandable to the Base Domain
Understands FunSymbol Expr ! bool



sel
²
2 x sel(H,o,f) y - z
8
Understandable to the Base Domain
Understands FunSymbol Expr ! bool

Yes


Yes
sel
²
Yes
No
Yes
2 x sel(H,o,f) y - z
9
Understandable to the Base Domain
Understands FunSymbol Expr ! bool



No
?
²
No
2 x ? y - z
10
Understandable to the Base Domain
Understands FunSymbol Expr ! bool

?

No
?
?
²
Yes
? y - z
2
x
y
z
2 x ? ?
11
Congruence-Closure Domain

• Could always choose new names, but
• Should use the same name for syntactically
  equivalent expressions
• Even Better same name for known equalities
• Tracks equalities of uninterpreted functions
• an E-Graph with abstract domain operations
• symbolic values name equivalence classes of
  expressions
• implements congruence closure

12
E-Graph

• w f(x) Æ g(x,y) f(y) Æ w h(w)
• A set of mappings
• w ? ?
• x ? ?
• f(?) ? ?
• y ? ?
• g(b,g) ? d
• f(?) ? d
• h(?) ? ?
• Always congruence-closed

13
Join

• Join the e-graphs, then join the base domains
• Think of the lattice over conjunctions of
  equalities (including infinite ones)
• Let G Join(G0,G1)
• x ?G h?,?i if x ?G0 ? and x ?G1 ?
• f(h?,?i) ?G h?,?i if f(?) ?G0 ? and f(b)
  ?G1 b
• Rename distinct pairs to fresh symbolic values

14
Join

• Complexity O(nm)
• Complete? As precise as possible?
• No, e-graphs do not form a lattice!
• x y t g(x) g(y) Æ x f(x) Æ y f(y)
• Æi i 0 g(fi(x)) g(fi(y))
• Only relatively complete
• Gulwani et al.
• Tell base domains about renaming
• h?,?i à g ConstrainB0(? ?), ConstrainB1(? ?)

15
So Far We Have

• Reasoning for uninterpreted functions
• Base domains that work with alien expressions
  transparently
• What we need for field reads
• sel is alien to all base domains

16
Achieving the Goal

• Handling Alien Expressions
• / Uninterpreted Functions
• Handling Heap Updates

17
Heap Updates

• Java/C if (p.g 8) o.f x
• Abstract assume Hp,g 8
• Interpreter H upd(H,o,f,x)
• sel(upd(H,o,f,e),o,f) e
• if o o and f f
• sel(upd(H,o,f,e),o,f) sel(H,o,f)
• if o ? o or f ? f

18
Heap Updates

• Java/C if (p.g 8) o.f x
• Abstract assume Hp,g 8
• Interpreter H H where
• H o,f H and
• sel(H,o,f) x

19
Heap Updates

• Abstract assume Hp,g 8
• Interpreter H H where
• H o,f H and
• sel(H,o,f) x
• Abstract Constrain( sel(H,p,g) 8 )
• Domain Constrain( H o,f H )
• Constrain( sel(H,o,f) x )
• Eliminate( H )
• Rename( H, H )
• ToPredicate()

Tracked by a new base domain Heap Succession
20
Heap Update Example
Constrain( sel(H,p,g) 8 ) Constrain( H o,f H
) Constrain( sel(H,o,f) x ) Eliminate( H
) Rename( H, H ) ToPredicate()

• Heap Succession
• H o,f H
• E-Graph
• sel(H,p,g) ? ?
• 8 ? ?
• sel(H,o,f) ? ?
• x ? ?
• H ? H p ? p
• H ? H g ? g
• o ? o f ? f

21
Heap Update Example
Constrain( sel(H,p,g) 8 ) Constrain( H o,f H
) Constrain( sel(H,o,f) x ) Eliminate( H
) Rename( H, H ) ToPredicate()

• Heap Succession
• H o,f H
• E-Graph
• sel(H,p,g) ? ?
• 8 ? ?
• sel(H,o,f) ? ?
• x ? ?
• H ? H p ? p
• H ? H g ? g
• o ? o f ? f

22
Heap Update Example
Constrain( sel(H,p,g) 8 ) Constrain( H o,f H
) Constrain( sel(H,o,f) x ) Eliminate( H
) Rename( H, H ) ToPredicate()

• Heap Succession
• H o,f H
• E-Graph
• sel(H,p,g) ? ?
• 8 ? ?
• sel(H,o,f) ? ?
• x ? ?
• H ? H p ? p
• H ? H g ? g
• o ? o f ? f

23
Heap Update Example
Constrain( sel(H,p,g) 8 ) Constrain( H o,f H
) Constrain( sel(H,o,f) x ) Eliminate( H
) Rename( H, H ) ToPredicate()

• Heap Succession
• H o,f H
• E-Graph
• sel(H,p,g) ? ?
• 8 ? ?
• sel(H,o,f) ? ?
• x ? ?
• H ? H p ? p
• H ? H g ? g
• o ? o f ? f

• Collect Garbage (H)
• EquivalentExpr
• Queryable Expr Var
• ! Expr

24
Heap Update Example
Constrain( sel(H,p,g) 8 ) Constrain( H o,f H
) Constrain( sel(H,o,f) x ) Eliminate( H
) Rename( H, H ) ToPredicate()

• Heap Succession
• H o,f H
• E-Graph
• sel(H,p,g) ? ?
• 8 ? ?
• sel(H,o,f) ? ?
• x ? ?
• H ? H p ? p
• H ? H g ? g
• o ? o f ? f

Yes, use H

• Collect Garbage (H)
• EquivalentExpr
• Queryable Expr Var
• ! Expr option
• Eliminate(H) on Base
• ToPredicate() on Base and Convert Expr for Client
• Add Equalities

25
Related Work

• Join for Uninterpreted Functions Gulwani,
  Tiwari, Necula
• Shape Analysis many and
• TVLA Sagiv, Reps, Wilhelm,

26
Conclusion

• Extended the power of abstract domains to work
  with alien expressions using the
  congruence-closure domain
• Added reasoning about heap updates with the heap
  succession domain
• Close to having cooperating abstract
  interpreters?
• missing propagating back equalities inferred by
  base domains

27
Thank you!

• Questions? Comments?