Parametric Shape Analysis via 3-Valued Logic Mooly Sagiv Thomas Reps Reinhard Wilhelm

Goals Capture storage invariants May-alias information x points to a list, tree, dag, etc. May-alias information Sharing of structures x and y point to structures that do not share cells Parametric Framework for a collection of analyses Basis for an analysis-generation tool

The Shape-Analysis Problem For every program point, compute a finite characterization of the possible “shapes” of the heap-allocated data structures.

Formalizing “. . .” Informal: x y Formal: x y

Formalizing “. . .” Informal: Formal: x y x y {x} transitively pointed to by

Formalizing “. . .” Informal: t1 x y t2 Formal: x y t2 t1

Formalizing “. . .” Informal: t1 t2 Formal: t1 t2 x y x y {x} {x} {t2,y} {t2,y}

Abstract Interpretation f(a,b) = (16 * b + 3) * (2 * a + 1) * + b 1 2 a 3 16

Abstract Interpretation f(a,b) = (16 * b + 3) * (2 * a + 1) O * + b 1 2 a 3 16 O O O E E O E ? E ? f : _  _  O

Abstract Interpretation Concrete

Outline Using logic to describe stores Using logic to express store transformations Forming abstractions of stores Three-valued logic Using three-valued logic to express transformations of abstract stores

Logic (Syntax) Vocabulary Formulas Predicate symbols: p1, p2, . . ., pn Constant symbols: c1, c2, . . ., cm Function symbols: f1, f2, . . ., fk Formulas Variables Equality-predicate symbol: = Logical constant symbols: 0, 1 Connectives: , ,  Quantifiers: , 

Using Logic to Describe Stores Predicate Symbols Whether variable x points to location u: x(u) Pointer fields: n(u1, u2) car(u1, u2) cdr(u1, u2) x u u1 u2 u1 u2 u1 u2

Using Logic to Describe Stores Formulas: Other Properties of Locations un(v)   v1,v2 : n(v1,v)  n(v2,v)  v1 = v2 u3 u4 u1 u2 un(u1) = 1 un(u2) = 1 un(u4) = 1 un(u3) = 1 u3 u1 u2 un(u1) = 1 un(u2) = 0 un(u3) = 1

Logic (Semantics) Truth values: 0, 1 Logical Structures Individuals: U = {u1, u2, . . ., un} Predicates: pi : U arity(pi)  {0, 1}

An Example Individuals: U = {u1, u2, u3} Predicates: x u1 x u1 u3 u1 y u3 y u3 Individuals: U = {u1, u2, u3} Predicates:

Logic (Semantics) Assignments Z: free variables  individuals Meaning of a formula (Z)

Meaning of a Formula  (v,v1,v2) = n(v1,v)  n(v2,v)  v1 = v2 x u1 u2 y u3  (v,v1,v2) = n(v1,v)  n(v2,v)  v1 = v2 Z = { v  u2, v1  u1, v2  u3} (Z) = ???

Meaning of a Formula (Z) pi(v1, …, vk) (Z) = pi (Z(v1), …, Z(vk)) 1  2(Z) = 1 (Z)  2(Z) 1  2(Z) = 1 (Z)  2(Z) 1  2(Z) = 1 (Z)  2(Z)

Meaning of a Formula  (v,v1,v2) = n(v1,v)  n(v2,v)  v1 = v2 y x  (v,v1,v2) = n(v1,v)  n(v2,v)  v1 = v2 Z = { v  u2, v1  u1, v2  u3} (Z) = n(v1,v)  n(v2,v) (Z)  v1 = v2(Z) = n(u1, u2)  n(u3, u2)  u1 = u3 = 1  1  0 = 0

Outline Using logic to describe stores Using logic to express store transformations Forming abstractions of stores Three-valued logic Using three-valued logic to express transformations of abstract stores

Using Logic to Change Stores x = null Before: x u3 u1 u2 y z After: u3 u1 u2 y z x

Predicate-Alteration Formulas for x = null Old: x u3 u1 u2 y z New: u3 u1 u2 x[x = null](v)  0

Predicate-Alteration Formulas for x = null Old: x u3 u1 u2 y z New: u3 u1 u2 y y[x = null](v)  y(v)

Predicate-Alteration Formulas for x = null Old: x u3 u1 u2 y z New: u3 u1 u2 y z z[x = null](v)  z(v)

Predicate-Alteration Formulas for x = null Old: x u3 u1 u2 y z New: y u1 u2 z u3

Predicate-Alteration Formulas for x = null Old: x u3 u1 u2 y z New: y u1 u2 z u3 n[x = null](v1,v2)  n(v1,v2) n n

Predicate-Alteration Formulas for x = null Old: x u3 u1 u2 y z New: y u1 u2 z u3 n n

Predicate-Alteration Formulas for x = null Old: x u3 u1 u2 y z New: y u1 u2 z u3 n n

Outline Using logic to describe stores Using logic to express store transformations Forming abstractions of stores Three-valued logic Using three-valued logic to express transformations of abstract stores

Abstraction Principle u1 u2 u3 u4 x u1 u234 x

Abstraction Principle u1 u2 u3 u4 x un(v)   v1,v2 : n(v1,v)  n(v2,v)  v1 = v2 u1 u234 x

Outline Using logic to describe stores Using logic to express store transformations Forming abstractions of stores Three-valued logic Using three-valued logic to express transformations of abstract stores

Two- vs. Three-Valued Logic 1 Two-valued logic {0,1} {0} {1} Three-valued logic

Two- vs. Three-Valued Logic Two-valued logic Three-valued logic {1} {0,1} {0} 1  1

Outline Using logic to describe stores Using logic to express store transformations Forming abstractions of stores Three-valued logic Using three-valued logic to express transformations of abstract stores