Symbolic Characterization of Heap Abstractions

Presentation transcript:

Symbolic Characterization of Heap Abstractions. Greta Yorsh (www.math.tau.ac.il/~gretay). Joint work with Thomas Reps, Mooly Sagiv and Reinhard Wilhelm.

Canonical Abstraction: an embedding whose result is of bounded size. [figure: a structure pointed to by x whose remaining nodes are collapsed into the summary node u234] Dagstuhl Seminar April 19

Motivation: automatically generate loop invariants in some logic (first-order logic, separation logic (BI), ...).

Generating Loop Invariants

    List reverse(List x) {
      List y, t;
      y = NULL;
      while (x != NULL) {
        t = y;
        y = x;
        x = x->next;
        y->next = t;
      }
      return y;
    }

[figure: the 3-valued structures S1, S2, S3, ... over x, y, t and NULL that arise at the loop head, and their concretizations γ(S1), γ(S2), γ(S3), ...] There are 12 structures at this program point.

Motivation: automatically generate loop invariants in some logic (first-order logic, separation logic (BI), ...); employ decision procedures; extract information in the most precise way, more precise than the compositional way.

Motivation – Extracting Information: does the program condition x == NULL evaluate to TRUE in all stores that arise at program point p? If YES, then "p: if (x == null) then S; else P;" can be simplified to "p: S;".

Is there heap sharing? φ = ∃v1,v2,v: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2. [figure: a 3-valued structure in which x points to u1, an indefinite (½) n-edge leads to the summary node u2, both nodes carry r_x, and the sharing predicate is is shown] Compositional evaluation of φ on this structure: ½. Supervaluational evaluation: …

Computing the Most Precise Value: if γ̂(S) ⇒ φ is valid, return 1; if γ̂(S) ⇒ ¬φ is valid, return 0; otherwise return ½.

Why should you be interested? Automatically generate loop invariants in some logic (first-order logic, separation logic (BI), ...); employ decision procedures; extract information in the most precise way, more precise than the compositional way; compute the best (induced) transformer.

Symbolic Operations: Three Value-Spaces. [figure: the three value-spaces Concrete Values, Formulas and Abstract Values, related by the concretization maps and by the concrete transformer T and the abstract transformer T#]

Why should you be interested? Automatically generate loop invariants in some logic (first-order logic, separation logic (BI), ...); employ decision procedures; extract information in the most precise way, more precise than the compositional way; compute the best (induced) transformer; assume-guarantee reasoning; expressive power of 3-valued abstraction.

Expressive Power: [figure: nested classes SO formulas ⊇ NP formulas ⊇ FO+TC formulas ⊇ quantifier-free formulas; 3-valued structures and canonical abstraction are placed against the NP and FO+TC levels, predicate abstraction against the quantifier-free level]

Outline: the problem; negative result; simplifying assumptions; characterizing concretization with an FO formula; negative result; simplifying assumptions; generating an FO+TC formula; loop invariants; supervaluation; NP formula; conclusion.

Characterizing Concretizations: [figure: the concrete domain, the abstract domain and the formulas; S1 and S2 in the abstract domain, γ(S1) in the concrete domain, and the formula γ̂(S1)] store ∈ γ(S1) iff store ⊨ γ̂(S1). This is important for extracting information: there is loss of information from concrete to abstract, but no loss from abstract to formula.

Quiz: [figure: a 3-valued structure with nodes u1, u2, u3] Explain the edges from concrete to abstract: given a concrete store, show why it embeds into the 3-valued structure by picking a mapping such that… What concrete structures does it represent? 3-colorability of undirected graphs is NP-complete. NP computation cannot be expressed by FO, even with TC! Therefore there is no FO formula that characterizes all concrete structures that embed into this structure. This shows that there exists a 3-valued structure that cannot be characterized with a first-order formula.

Negative Result: [figure: nodes u1, u2, u3] This structure represents the 3-colorable graphs with at least 3 nodes. 3-colorability is NP-complete, and NP computation cannot be expressed with a first-order formula [Courcelle]. Hence there exists a 3-valued structure that can NOT be characterized with a first-order formula.

FO Identifiable Nodes: [figure: nodes u1, u2, u3]

FO Identifiable Nodes: [figure: an abstract structure in which x points to u1 and an n-edge leads to u2, both carrying r_x; a concrete list l1, l2, l3, l4 pointed to by x, with r_x on every node] The node formula node_u1^S(w) is satisfied by a concrete node iff that concrete node corresponds to the abstract node u1 (likewise node_u2^S(w) for u2).

Generating the node_u(w) formula: [figure: the same abstract structure u1, u2 and concrete list l1, l2, l3, l4] node_u1^S(w) = x(w) ∧ r_x(w) ∧ ¬y(w) ∧ ¬r_y(w); node_u2^S(w) = ¬x(w) ∧ r_x(w) ∧ ¬y(w) ∧ ¬r_y(w).

Generating the FO formula: γ̂(S) = "onto" ∧ "total" ∧ "predicate embedding" ∧ "integrity rules". [figure: the abstract structure with x pointing to u1, an n-edge to u2, both carrying r_x]

Supervaluation

Supervaluational Semantics. Related work: [B. van Fraassen 66] [Blamey 02] [Bruns, Godefroid 00] [Reps, Loginov, Sagiv 02]. The value of φ on S is a summary of the values of φ on the stores in γ(S): if φ is true for all stores in γ(S), TRUE; if φ is false for all stores in γ(S), FALSE; if φ is true for some stores in γ(S) and false for others, UNKNOWN. (The difference between the compositional semantics and this one is that here we have "iff", and there only ….)

Supervaluation Semantics is NOT constructive: ⟨⟨φ⟩⟩(S) = 1 if store ⊨ φ for all stores in γ(S); 0 if store ⊨ ¬φ for all stores in γ(S); ½ otherwise. ⟨⟨φ⟩⟩(S) is the join of the values of φ obtained from each of the concrete structures that S represents. This does not give a constructive way to compute it, because γ(S) is an infinite set.
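The following is an added worked example in Python, written for this page; it is not code from the talk, and it is not TVLA. It takes a two-node 3-valued structure S with assumed values (x points to u1, an indefinite n-edge leads to the summary node u2, both nodes carry r_x, and is = 0 on both), builds the node formulas node_u(w) from the abstraction predicates x, y, r_x, r_y, evaluates γ̂(S) = onto ∧ total ∧ predicate embedding ∧ integrity rules clause by clause on small concrete stores, and checks that against the direct embedding test, so that "store ∈ γ(S) iff store ⊨ γ̂(S)" can be observed on constructed inputs. It then computes the compositional (Kleene) value of the sharing formula φ = ∃v1,v2,v: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2 on S and its supervaluational value, the latter by enumerating the stores of γ(S) up to a size bound in place of a theorem prover deciding γ̂(S) ⇒ φ or γ̂(S) ⇒ ¬φ. The structure's values, the size bound, and the list-domain integrity rules (n functional, one node per pointer variable, r_x by reachability, is by in-degree) are assumptions of the example.

```python
from itertools import product

H = 0.5                       # the indefinite value 1/2
ABS = ("x", "y", "rx", "ry")  # abstraction predicates (the canonical name of a node)

# Assumed 3-valued structure S: x -> u1 -(1/2)-> u2 (summary), both r_x, no sharing (is = 0).
S = {"nodes": ("u1", "u2"), "sm": {"u1": 0, "u2": H},
     "unary": {"x": {"u1": 1, "u2": 0}, "y": {"u1": 0, "u2": 0},
               "rx": {"u1": 1, "u2": 1}, "ry": {"u1": 0, "u2": 0},
               "is": {"u1": 0, "u2": 0}},
     "n": {("u1", "u2"): H, ("u2", "u2"): H}}   # absent n-pairs have value 0

def reach(succ, src):
    seen, cur = set(), src
    while cur is not None and cur not in seen:
        seen.add(cur)
        cur = succ.get(cur)
    return seen

def concrete(nodes, x=None, y=None, succ=()):
    """Constructed concrete store; labels are derived so the integrity rules hold."""
    succ, nodes = dict(succ), tuple(nodes)
    rx, ry, pred = reach(succ, x), reach(succ, y), list(succ.values())
    return {"nodes": nodes, "n": {(a, b): 1 for a, b in succ.items()},
            "unary": {"x": {c: int(c == x) for c in nodes},
                      "y": {c: int(c == y) for c in nodes},
                      "rx": {c: int(c in rx) for c in nodes},
                      "ry": {c: int(c in ry) for c in nodes},
                      "is": {c: int(pred.count(c) >= 2) for c in nodes}}}

def node_formula(S, u):
    """node_u(w): the abstraction predicates with the values they take on u."""
    return tuple((p, S["unary"][p][u]) for p in ABS)

def node_formula_text(S, u):
    return " ∧ ".join(("" if v else "¬") + p + "(w)" for p, v in node_formula(S, u))

def holds(C, nf, c):
    return all(C["unary"][p][c] == v for p, v in nf)

def integrity(C):
    """Integrity rules of the list domain as FO(+TC) sentences: n is functional,
    x/y hold at most one node, r_x/r_y are reachability, is(v) iff in-degree >= 2."""
    N, U, succ = C["nodes"], C["unary"], {a: b for (a, b) in C["n"]}
    if len(succ) != len(C["n"]):
        return False
    for p in ("x", "y"):
        roots = [c for c in N if U[p][c]]
        r = reach(succ, roots[0]) if len(roots) == 1 else set()
        if len(roots) > 1 or any(U["r" + p][c] != int(c in r) for c in N):
            return False
    pred = list(succ.values())
    return all(U["is"][c] == int(pred.count(c) >= 2) for c in N)

def embeds(C, S):
    """C in gamma(S): canonical names map C onto S, no definite value of S is contradicted."""
    f = {}
    for c in C["nodes"]:
        m = [u for u in S["nodes"] if holds(C, node_formula(S, u), c)]
        if len(m) != 1:
            return False              # no (unique) canonical name for c
        f[c] = m[0]
    if not integrity(C) or set(f.values()) != set(S["nodes"]):
        return False
    ok_n = all(S["n"].get((f[a], f[b]), 0) in (H, C["n"].get((a, b), 0))
               for a, b in product(C["nodes"], repeat=2))
    return ok_n and all(S["unary"][p][f[c]] in (H, C["unary"][p][c])
                        for p in S["unary"] for c in C["nodes"])

def satisfies_gamma_hat(C, S):
    """C |= gamma_hat(S) = onto ∧ total ∧ predicate embedding ∧ integrity, clause by clause."""
    N, nf = C["nodes"], {u: node_formula(S, u) for u in S["nodes"]}
    onto = all(any(holds(C, nf[u], c) for c in N) for u in S["nodes"])
    total = all(any(holds(C, nf[u], c) for u in S["nodes"]) for c in N)
    pe_n = all(not (holds(C, nf[u1], a) and holds(C, nf[u2], b))
               or C["n"].get((a, b), 0) == S["n"].get((u1, u2), 0)
               for u1, u2 in product(S["nodes"], repeat=2)
               if S["n"].get((u1, u2), 0) != H for a, b in product(N, repeat=2))
    pe_u = all(not holds(C, nf[u], c) or C["unary"][p][c] == S["unary"][p][u]
               for p in S["unary"] for u in S["nodes"]
               if S["unary"][p][u] != H for c in N)
    return onto and total and pe_n and pe_u and integrity(C)

def shared(C):
    """phi = ∃v1,v2,v: n(v1,v) ∧ n(v2,v) ∧ v1≠v2 on a concrete store."""
    return int(any(sum(1 for (_, b) in C["n"] if b == v) >= 2 for v in C["nodes"]))

def kleene_shared(S):
    """Compositional (Kleene) value of phi on S; v1≠v2 on one summary node is 1/2."""
    return max(min(S["n"].get((v1, v), 0), S["n"].get((v2, v), 0),
                   1 if v1 != v2 else S["sm"][v1])
               for v1, v2, v in product(S["nodes"], repeat=3))

def supervaluation_bounded(S, k):
    """Supervaluation of phi over gamma(S) stores with <= k nodes (stands in for a prover)."""
    seen = set()
    for m in range(1, k + 1):
        nodes = ["l%d" % i for i in range(1, m + 1)]
        for x, succs in product(nodes, product(nodes + [None], repeat=m)):
            C = concrete(nodes, x=x, succ={a: b for a, b in zip(nodes, succs) if b})
            if embeds(C, S):
                seen.add(shared(C))
    return None if not seen else (H if len(seen) == 2 else seen.pop())
```

On the list x → l1 → l2 → l3 → l4, both embeds and satisfies_gamma_hat return True. A list whose tail points back to the head (contradicting the definite n(u2,u1) = 0), a single-node list (not onto), a store with an extra unreachable node (not total) and a store whose r_x label contradicts reachability (integrity rules) are rejected by both, clause by clause in γ̂(S) and by the failed mapping in the direct test. kleene_shared(S) yields ½, while supervaluation_bounded(S, 3) yields 0, because every store in γ(S) must respect is = 0 and the integrity rule tying is to sharing; relaxing is(u2) to ½ makes the supervaluational value ½ as well. The enumeration is exact only up to the bound, which is exactly the gap the slides close with a decision procedure on γ̂(S).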

Generating Loop Invariants

    List reverse(List x) {
      List y, t;
      y = NULL;
      while (x != NULL) {
        t = y;
        y = x;
        x = x->next;
        y->next = t;
      }
      return y;
    }

[figure: the 3-valued structures S1, S2, S3, ... over x, y, t and NULL that arise at the loop head, and their concretizations γ(S1), γ(S2), γ(S3), ...] There are 12 structures at this program point. The generated invariant expresses, for example, that "x and y point to disjoint lists".

Missing …: a prototype implementation using the NP formula (TVLA together with SPASS); the NP formula; the best transformer for canonical abstraction.

Conclusions: first-order logic provides a way to express concretization in interesting domains, with formulas of linear size; theorem provers can be integrated with program analyzers, which enables flexible abstractions with no loss of information beyond the abstraction.

The End www.math.tau.ac.il/~gretay