Parametric Shape Analysis via 3-Valued Logic
Mooly Sagiv, Thomas Reps, Reinhard Wilhelm
pointer analysis? points-to analysis? shape analysis? alias analysis?
The Shape-Analysis Problem
For every program point, compute a finite characterization of the possible “shapes” of the heap-allocated data structures.
Formalizing “. . .”
Informal: [figure: x and y point into a list whose middle is drawn as “. . .”]
Formal: [figure: the same list, with the elided cells replaced by summary information]
Why Shape Analysis?
- Capture storage invariants: x points to an acyclic list, cyclic list, tree, dag, etc.
- May-alias information
- Identify (absence of) sharing: x and y point to structures that do not share cells
- “Dynamization” of static structure-description formalisms, e.g., ADDS annotations [Hendren 94]
What’s New?
- Parametric framework for a class of shape-analysis algorithms
- “Rational reconstruction” of a number of previous shape-analysis methods: [Jones & Muchnick 81], [Chase, Wegman, & Zadeck 90], [Stransky 93], [Assmann & Weinhardt 93], [Plevyak, Chien, & Karamcheti 93], [Wang 94], [Sagiv, Reps, & Wilhelm 96, 98]
- New shape-analysis methods
- General abstraction principle
- Much simpler proofs
- Basis for a tool that generates shape-analysis algorithms
Outline
- Using logic to describe stores
- Using logic to express store transformations
- Forming abstractions of stores
- Three-valued logic
- Using three-valued logic to express transformations of abstract stores
Using Logic to Describe Stores
Predicate symbols:
- Whether variable x points to location u: x(u)
- Pointer fields: n(u1, u2), car(u1, u2), cdr(u1, u2)
[figures: x → u; an n edge, a car edge and a cdr edge from u1 to u2]
Using Logic to Describe Stores
Formulas express other properties of locations, e.g. sharing:
  is(v) ≜ ∃v1,v2 : n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
Example 1 (x, y and three cells u1, u2, u3, with two distinct n edges into u2): is(u1) = 0, is(u2) = 1, is(u3) = 0
Example 2 (four cells u1, u2, u3, u4, no cell with two n predecessors): is(u1) = 0, is(u2) = 0, is(u3) = 0, is(u4) = 0
First-Order Logic (Syntax)
Vocabulary
- Predicate symbols: p1, p2, . . ., pn
- Constant symbols: c1, c2, . . ., cm
- Function symbols: f1, f2, . . ., fk
Formulas
- Variables
- Equality-predicate symbol: =
- Logical-constant symbols: 0, 1
- Connectives: ∧, ∨, ¬
- Quantifiers: ∃, ∀
First-Order Logic (Semantics)
- Truth values: 0, 1
- Logical structures: individuals U = {u1, u2, . . ., un}; predicates pi : U^arity(pi) → {0, 1}
In our application: logical structures = concrete stores
An Example
Individuals: U = {u1, u2, u3}
Predicates: x, y and n, given as truth tables
[figures: two concrete stores over U, each drawn as a graph beside the truth tables of x, y and n]
First-Order Logic (Semantics)
- Assignments Z: free variables → individuals
- Meaning of a formula φ under an assignment Z: φ(Z)
Meaning of a Formula
  ψ(v,v1,v2) ≜ n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
Store: x points to u1, y points to u3, and both u1 and u3 have an n edge to u2
Assignment: Z = { v ↦ u2, v1 ↦ u1, v2 ↦ u3 }
ψ(Z) = ???
Semantics:
  pi(v1, …, vk)(Z) = pi(Z(v1), …, Z(vk))
  (φ1 ∧ φ2)(Z) = φ1(Z) ∧ φ2(Z)
  (φ1 ∨ φ2)(Z) = φ1(Z) ∨ φ2(Z)
  Negation, quantification, . . .
So ψ(Z) = n(u1, u2) ∧ n(u3, u2) ∧ u1 ≠ u3 = 1 ∧ 1 ∧ 1 = 1
Outline (next: Using logic to express store transformations)
Using Logic to Change Stores: x = null
Before: [figure: x, y and z point into the cells u1, u2, u3]
After: [figure: the same cells and n edges; x no longer points anywhere]
Predicate-Alteration Formulas for x = null
Old store: x, y and z point into the cells u1, u2, u3.  New store: y, z and n unchanged, x points nowhere.
  x[x = null](v) ≜ 0
  y[x = null](v) ≜ y(v)
  z[x = null](v) ≜ z(v)
  n[x = null](v1,v2) ≜ n(v1,v2)
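The store model of the preceding slides, written out as an added Python example (not code from the paper or the talk). A concrete store is a 2-valued logical structure: a list of individuals, one set per unary predicate (the cells a variable points to) and a set of pairs for the binary predicate n. The store below is constructed for the example; the function names are mine. It evaluates the sharing formula by enumerating assignments Z, and applies the predicate-alteration formulas for `x = null` and, for comparison, the `x = y->n` update that the later slides apply to abstract stores.

```python
from itertools import product

def make_store():
    """Constructed 2-valued logical structure (not a store from the talk):
    x -> u1 -> u2 <- u3 <- y, and z also points at u2.
    A unary predicate is the set of cells where it holds; n is the set of edges."""
    return {
        "U": ["u1", "u2", "u3"],
        "x": {"u1"}, "y": {"u3"}, "z": {"u2"},   # x(u1) = y(u3) = z(u2) = 1
        "n": {("u1", "u2"), ("u3", "u2")},        # n(u1,u2) = n(u3,u2) = 1, all other pairs 0
    }

def body(S, Z):
    """psi(v,v1,v2) = n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2 under an assignment Z
    (a dict from free variables to individuals), as on the 'Meaning of a Formula' slide."""
    v, v1, v2 = Z["v"], Z["v1"], Z["v2"]
    return int((v1, v) in S["n"] and (v2, v) in S["n"] and v1 != v2)

def is_shared(S, u):
    """is(u) = ∃v1,v2: psi(u,v1,v2); the quantifier ranges over every assignment of v1, v2."""
    return int(any(body(S, {"v": u, "v1": v1, "v2": v2})
                   for v1, v2 in product(S["U"], repeat=2)))

def assign_null(S, x):
    """x = null: x'(v) = 0 for every v; y', z' and n' are the identity."""
    T = dict(S)          # shallow copy: predicates not mentioned keep their values
    T[x] = set()
    return T

def assign_field(S, x, y, f="n"):
    """x = y->f: x'(v) = ∃v1: y(v1) ∧ f(v1,v); every other predicate is unchanged."""
    T = dict(S)
    T[x] = {v for v in S["U"] if any(v1 in S[y] and (v1, v) in S[f] for v1 in S["U"])}
    return T
```

Because every transformer is a formula over the old predicate values, the new store is computed without touching the graph representation directly; that is what lets the same formulas be re-used on 3-valued abstract stores later in the talk.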
Outline (next: Forming abstractions of stores)
The Abstraction Principle
[figure: the concrete list x → u1 → u2 → u3 → u4 is abstracted to x → u1 → u234, where u234 stands for u2, u3 and u4 (“summary information”) and the n edge into it carries the value {0,1}]
The Abstraction Principle
- Select some subset A of the predicate symbols
- Partition the individuals U^S of structure S into equivalence classes based on the values of their A predicates: u ↦ [u]_A
- Form the “union-quotient” of S with respect to {[u]_A | u ∈ U^S}
Example
A = {v | v is a program variable}   [Chase, Wegman, & Zadeck 90], [Sagiv, Reps, & Wilhelm 96, 98]
[figure: x → u1 → u2 → u3 → u4 is abstracted to x → [u1] → [u2]; the quotient is taken w.r.t. {w, x, y, z}]
Outline (next: Three-valued logic)
Two- vs. Three-Valued Logic
- Two-valued logic: truth values {0} and {1}
- Three-valued logic: truth values {0}, {1} and {0,1}, ordered by information: {0} ⊑ {0,1} and {1} ⊑ {0,1}; the value {0,1} is written ½
First-Order Logic (Semantics)
- Truth values: 0, 1, ½
- Logical structures: individuals U = {u1, u2, . . ., un}; predicates pi : U^arity(pi) → {0, 1, ½}
In our application: 3-valued logical structures = abstract stores
Abstraction Conserves Predicates
S# = S/[u]_A  (the abstraction Abs(A) maps S to S# and each u to [u]_A)
  p^S(u1, …, uk) ⊑ p^S#([u1]_A, …, [uk]_A)
“Form the ‘union-quotient’ of S with respect to {[u]_A | u ∈ U^S}”
  p^S(u1, …, uk) ⊑ p^S#([u1]_A, …, [uk]_A)
[figure: x → u1 → u2 → u3 → u4 abstracted to x → [u1] → [u2]; every concrete predicate value is ⊑ the value on the corresponding abstract tuple]
Abstraction Conserves Properties
S# = S/[u]_A  (Abs(A): u ↦ [u]_A)
  p^S(u1, …, uk) ⊑ p^S#([u1]_A, …, [uk]_A)
  φ^S(u1, …, uk) ⊑ φ^S#([u1]_A, …, [uk]_A)
Evaluating a formula extracts information conservatively
  φ^S(u1, …, uk) ⊑ φ^S#([u1]_A, …, [uk]_A)
[figure: x → u1 → u2 → u3 → u4 abstracted to x → [u1] → [u2]]
  is(v) ≜ ∃v1,v2 : n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
For is^S#([u2]), let v1 = [u1] and v2 = [u2]: the body evaluates to ½
“Tracking Properties” Beats “Inferring Properties”
[figure: x → u1 → u2 → u3 → u4 abstracted to x → [u1] → [u2]]
  p^S(u1, …, uk) ⊑ p^S#([u1]_A, …, [uk]_A)
  φ^S(u1, …, uk) ⊑ φ^S#([u1]_A, …, [uk]_A)
If predicate p is defined by the formula φ (p^S = φ^S) and stored, then
  p^S(u1, …, uk) = φ^S(u1, …, uk) ⊑ p^S#([u1]_A, …, [uk]_A) ⊑ φ^S#([u1]_A, …, [uk]_A)
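The three preceding slides (the union-quotient, conservation of predicates and properties, and tracking versus inferring) as one added Python example; it is not code from the paper or the talk, and the class and function names are mine. A `Structure` holds 3-valued predicate values (0, 1, ½); a concrete store is the special case with no ½ and no summary nodes, so the same Kleene evaluator of is(v) serves both levels. `abstract` builds S/[u]_A for a chosen set A of unary predicates, `embedding_ok` checks p^S ⊑ p^S# and is^S ⊑ is^S# on every tuple, and `inferred_vs_tracked` reproduces the ½ obtained by re-evaluating is on the abstract store versus the definite 0 obtained when is is tracked as an abstraction predicate. The concrete list is constructed for the example.

```python
from itertools import product

HALF = 0.5  # the third truth value ½ ("unknown"); 0 and 1 are the definite values

def AND(*vals):      # Kleene conjunction: minimum over 0 < ½ < 1
    return min(vals)

def EXISTS(vals):    # Kleene existential quantifier: maximum over all assignments
    return max(vals, default=0)

def join(vals):      # ⊔: agreeing definite values survive, any disagreement becomes ½
    vals = set(vals)
    return vals.pop() if len(vals) == 1 else HALF

def info_leq(a, b):  # a ⊑ b in the information order: b equals a or is ½
    return a == b or b == HALF

class Structure:
    """3-valued logical structure; a concrete store has no ½ values and no summary nodes."""
    def __init__(self, U, unary, binary, summary=()):
        self.U = list(U)
        self.unary = unary              # p -> {u: value}
        self.binary = binary            # p -> {(u1, u2): value}
        self.summary = set(summary)     # nodes that stand for several concrete cells
        self.cls = {}                   # filled by abstract(): concrete cell -> its class

    def p1(self, p, u):
        return self.unary.get(p, {}).get(u, 0)

    def p2(self, p, u1, u2):
        return self.binary.get(p, {}).get((u1, u2), 0)

    def neq(self, u1, u2):
        # v1 ≠ v2 is definite for distinct nodes; a summary node compared with itself is ½
        if u1 != u2:
            return 1
        return HALF if u1 in self.summary else 0

def is_shared(S, v):
    """is(v) = ∃v1,v2: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2, evaluated in Kleene 3-valued logic."""
    return EXISTS(AND(S.p2("n", v1, v), S.p2("n", v2, v), S.neq(v1, v2))
                  for v1, v2 in product(S.U, repeat=2))

def abstract(S, A):
    """Canonical abstraction w.r.t. the unary predicates in A: the union-quotient S/[u]_A."""
    classes = {}
    for u in S.U:
        classes.setdefault(tuple(S.p1(p, u) for p in A), []).append(u)
    name = {k: "[" + members[0] + "]" for k, members in classes.items()}  # named after the first member, as on the slides
    cls = {u: name[k] for k, members in classes.items() for u in members}
    U = list(name.values())
    unary = {p: {c: join(S.p1(p, u) for u in S.U if cls[u] == c) for c in U}
             for p in S.unary}
    binary = {p: {(c1, c2): join(S.p2(p, u1, u2) for u1 in S.U for u2 in S.U
                                 if cls[u1] == c1 and cls[u2] == c2)
                  for c1 in U for c2 in U}
              for p in S.binary}
    T = Structure(U, unary, binary, {name[k] for k, m in classes.items() if len(m) > 1})
    T.cls = cls
    return T

def concrete_list():
    """Constructed concrete store: x -> u1 -> u2 -> u3 -> u4 (acyclic, nothing shared)."""
    return Structure(["u1", "u2", "u3", "u4"],
                     {"x": {"u1": 1}},
                     {"n": {("u1", "u2"): 1, ("u2", "u3"): 1, ("u3", "u4"): 1}})

def embedding_ok(S, T):
    """Abstraction conserves predicates and properties:
    p^S(u1..uk) ⊑ p^T([u1]..[uk]) for each stored predicate, and is^S(u) ⊑ is^T([u])."""
    ok = all(info_leq(S.p1(p, u), T.p1(p, T.cls[u])) for p in S.unary for u in S.U)
    ok = ok and all(info_leq(S.p2(p, u1, u2), T.p2(p, T.cls[u1], T.cls[u2]))
                    for p in S.binary for u1 in S.U for u2 in S.U)
    return ok and all(info_leq(is_shared(S, u), is_shared(T, T.cls[u])) for u in S.U)

def inferred_vs_tracked():
    """Infer is on the abstract store (A = {x}) versus track it as an abstraction predicate (A = {x, is})."""
    S = concrete_list()
    inferred = is_shared(abstract(S, ["x"]), "[u2]")          # re-evaluating the formula on S#: ½
    S.unary["is"] = {u: is_shared(S, u) for u in S.U}         # store is(v) in the concrete structure
    tracked = abstract(S, ["x", "is"]).p1("is", "[u2]")       # the stored value survives abstraction: 0
    return inferred, tracked
```

The ½ arises because n([u1],[u2]) and n([u2],[u2]) both join a 1 with several 0s, and [u2] ≠ [u2] is ½ for a summary node; tracking is sidesteps that by joining the concrete is values, all of which are 0, so the definite value is kept.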
Outline (next: Using three-valued logic to express transformations of abstract stores)
“Rational reconstruction” of [Chase, Wegman, & Zadeck 90]
Example: x = y->n
[figure: an abstract store with nodes [u1] and [u2] before and after x = y->n]
Example (~[CWZ 90])
[figure: an abstract store with nodes [u1] and [u2] before and after x = y->n]
  x[x = y->n](v) ≜ ∃v1 : y(v1) ∧ n(v1,v)
  y[x = y->n](v) ≜ y(v)
  n[x = y->n](v1,v2) ≜ n(v1,v2)
  is[x = y->n](v) ≜ is(v)
Materialization
[figure: [Chase, Wegman, & Zadeck 90]: after x = y->n, x points at the summary node [u2]; [Sagiv, Reps, & Wilhelm 96, 98]: after x = y->n, the summary node is split, giving y → [u1] and x → [u2] → [u3]]
(1) Triplicate the Structure
  x[x = y->n](v) ≜ ∃v1 : y(v1) ∧ n(v1,v)
[figure: the abstract store y → [u1] → [u2] is replaced by three candidates: [u1] alone; [u1] with [u2.1]; and [u1] with both [u2.1] and [u2.0], the suffix 1 / 0 being the value of the new x predicate on that node]
(2) Evaluate Predicate-Alteration Formulas
  x[x = y->n](v) ≜ ∃v1 : y(v1) ∧ n(v1,v)
[figure: the formulas evaluated on each of the three candidate structures; in the result y points at [u1] and x at [u2.1]]
Additional Abstraction Predicates
- reachable-from-variable-x(v)
- acyclic-along-dimension-d(v), à la ADDS
- doubly-linked(v)
- tree(v), dag(v)
- AVL trees: balanced(v), left-heavy(v), right-heavy(v) . . . but not via height arithmetic
Need FO + TC (first-order logic with transitive closure)
Formalizing “. . .”
- Informal: x and y point into a list whose middle is drawn as “. . .”. Formal: the elided cells become summary nodes.
- Informal: the same picture with temporaries t1 and t2 pointing into the elided part. Formal: t1 and t2 point at summary nodes.
- The formal nodes are distinguished by reachability: reachable from variable x versus reachable from variable y.
- With t1 and t2 present, each node is labelled by the set of variables that reach it, e.g. {x} and {t2, y}.
Summary
- Parametric framework
- Three-valued logic arises from abstraction
- Three-valued logic also allows: materialization, conservative extraction of properties, interpretation of program conditions, simpler proofs