3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv

Motivation u Many dataflow problems can be solved using Monotone Frameworks u But Monotone Framework are hard to be used u Compiler-writer obligations –Define the lattice –Define the initial value  »Show that it is sound  ({s 0 })   –Define transfer functions of elementary statements f l »Show that these functions are monotone x  y  f l (x)  f l (y) »Show soundness  ({  [b] l  (s) | s  CS })  f l (  (CS)) »Find an efficient representation

A Different Solution u Write structural operational semantics in a special form u Automatically derive the Monotone Framework from the operational semantics  u Monotonicity and soundness is immediate  u Operational semantics need to be written in a special form  u Scarify the generality of Monotone Frameworks  u The derived solution is not necessarily the induced one but rather precise

Outline u 3-valued proposional logic u Parity Analysis in TVLA u The Shape Analysis Problem u 3-valued predicate logic May 19, Scriber 309

3-Valued Kleene Logic u A logic with 3-values –0 -false –1 - true –1/2 - don’t know u Operators are conservatively interpreted –1/2 means either true or false 01 1/2 Logical order information order 0  1=1/2

Kleene Interpretation of Operators (logical-and)

Kleene Interpretation of Operators (logical-or)

Kleene Interpretation of Operators (logical-negation)

Kleene Interpretation of Operators (logical-implication)

3-valued logic program analysis u Choose a fixed set of proposional variables P per program P ={even[x] | x  Var} u Represent “concrete” states by a truth assignments from P to {0, 1} [even[x]  0, even[y]  1] u The meaning of every statement (SOS) is expressed using update formulae  x := y * z  = {even’[x] := even[y]  even[y], even’[y] := even[y], even’[z] := even[z] } u Use lattice L=(P  {0, 1/2, 1})  {  } u The transformer is obtained by evaluating the formula in 3-valued logic

Preconditions u The effect of some program conditions can be defined using a precondition formula if (x % 2 == 0 || y %2 != 0) even[x]   even[y] u These conditions are associated with control flow edges u For other program conditions no effect is given u If the formula is potentially satisfied  1 the statement is executed u May yield overly conservative results due to missing or naively interpreted conditions

Example Program while [x !=1] 1 do if [ (x %2) = 0] 2 then [x := x / 2;] 3 else [x := x * 3 + 1;] 4

The Focus Operation u It is sometimes possible to improve the precision by maintaining finer distinctions u If a formula evaluates to 1/2 replace the assignment by an equivalent set of assignments in which the formula evaluates to 1 or 0 u Formally, Focus[  ](A)=… u Always conservative u Can increase the space complexity

Example Focus Formulae u even[x] u Input Truth-Assignment [even[x]  1/2, even[y]  0] u Output Truth-Assignments

Example Program while [x !=1] 1 do if [ (x %2) = 0] 2 then [x := x / 2;] 3 else [x := x * 3 + 1;] 4

A TVLA Specification of Parity u There are two files per analyzed program –prgm.tvp -The specification of the control flow graph and the transfer functions –prgm.tvs - The specification of the value at the initial node u Propostions are specified in a file (pred.tvp) u Conditions are specified in a file (cond.tvp) u The meaning of statements is specified in a file (stat.tvp)

%s Var {x, t} #include "pred.tvp" % #include "cond.tvp" #include "stat.tvp" % /* while [x !=1]^1 do */ l_1 Uninterpreted_Cond() l_2 l_1 Uninterpreted_Cond() l_end /*if [ (x %2) = 0]^2 */ l_2 Is_Even(x) l_3 l_2 Is_Odd(x) l_4 /* then [x := x / 2;]^3 */ l_3 Divide_Even(x,x) l_5 l_5 Skip() l_1 /*else [x := x * 3 + 1;]^4 */ l_4 Multiply_Odd(t, x) l_41 l_41 Add_Odd(x, t) l_6 l_6 Skip() l_1

foreach (z in Var) { %p even[z]() {0, 1, 1/2} } pred.tvp

cond.tvp %action Uninterpreted_Cond() { %t "uninterpreted-Condition" } %action Is_Even(x1) { %t x1 + " %2 == 0" %f {even[x1]()} %p even[x1]() } %action Is_Odd(x1) { %t x1 + " %2 != 0" %f {!even[x1]()} %p !even[x1]() }

stat.tvp (part 1) %action Skip() { %t "Skip" } %action Set_Even(x1) { %t x1 + " = Even" { even[x1]() = 1 } %action Set_Odd(x1) { %t x1 + " = Odd" { even[x1]() = 0 }

stat.tvp (part 2) %action Add(x1, x2, x3) { %t x1 + " = " + x2 + " + " + x3 {even[x1]() = even[x2]() & even[x3]() | !even[x2]() & !even[x3]() } } %action Add_Even(x1, x2) { %t x1 + " = " + x2 + " + EVEN" {even[x1]() = even[x2]() } } %action Add_Odd(x1, x2) { %t x1 + " = " + x2 + " + ODD" {even[x1]() = !even[x2]() } }

stat.tvp (part 3) %action Multiply(x1, x2, x3) { %t x1 + " = " + x2 + " * " + x3 {even[x1]() = even[x2]() | even[x3]() } } %action Multiply_Even(x1, x2) { %t x1 + " = " + x2 + " * EVEN" {even[x1]() = 1} } %action Multiply_Odd(x1, x2) { %t x1 + " = " + x2 + " * Odd" { even[x1]() = even[x2]() }

stat.tvp (part 4) %action Divide(x1, x2, x3) { %t x1 + " = " + x2 + " / " + x3 {even[x1]() = 1/2 } } %action Divide_Even(x1, x2) { %t x1 + " = " + x2 + " / EVEN" {even[x1]() = 1/2 } } %action Divide_Odd(x1, x2) { %t x1 + " = " + x2 + " / ODD" {even[x1]() = 1/2} }

%s Var {x, t} #include "pred.tvp" % #include "cond.tvp" #include "stat.tvp" % /* while [x !=1]^1 do */ l_1 Uninterpreted_Cond() l_2 l_1 Uninterpreted_Cond() l_end /*if [ (x %2) = 0]^2 */ l_2 Is_Even(x) l_3 l_2 Is_Odd(x) l_4 /* then [x := x / 2;]^3 */ l_3 Divide_Even(x,x) l_5 l_5 Skip() l_1 /*else [x := x * 3 + 1;]^4 */ l_4 Multiply_Odd(t, x) l_41 l_41 Add_Odd(x, t) l_6 l_6 Skip() l_1

prgm.tvs %n = {} %p = { even[x] = 1/2 even[t] = 1/2 }

Command Prompt tvla prgm prgm -d -action fpu

Shape Analysis u Determine the possible shapes of a dynamically allocated data structure at given program point u Relevant questions: –Does a variable point to an acyclic list? –Does a variable point to a doubly-linked list? –Does a variable point p to an allocated element every time p is dereferenced? –Can a procedure create a memory-leak

Dereference of NULL pointers typedef struct element { int value; struct element *next; } Elements bool search(int value, Elements *c) { Elements *elem; for ( elem = c; c != NULL;elem = elem->next;) if (elem->val == value) return TRUE; return FALSE NULL dereference

Memory leakage Elements* reverse(Elements *c) { Elements *h,*g; h = NULL; while (c!= NULL) { g = c->next; h = c; c->next = h; c = g; } return h; leakage of address pointed-by h

The SWhile Programming Language Abstract Syntax a := x | x.sel | null | n | a 1 op a a 2 b := true | false | not b | b 1 op b b 2 | a 1 op r a 2 S := [x := a] l | [x.sel := a] l | [x := malloc()] l | [skip] l | S 1 ; S 2 | if [b] l then S 1 else S 2 | while [b] l do S sel:= car | cdr

Dereference of NULL pointers [elem := c;] 1 [found := false;] 2 while ([c != null] 3 && [!found] 4 ) ( if ([elem->car= value] 5 ) then [found := true] 6 else [elem = elem->cdr] 7 ) NULL dereference