Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research.

Slides:



Advertisements
Similar presentations
Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Advertisements

Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.
Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
TVLA for System Code Jörg KreikerHelmut SeidlVesal Vojdani TU Munich Dagstuhl, July 2009.
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
Program Representations. Representing programs Goals.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Type-Based Verification of Assembly Language for Compiler Debugging Bor-Yuh Evan ChangAdam Chlipala George C. NeculaRobert R. Schneck University of California,
Inferring Object Invariants Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 21, 2005 AIOOL 2005 Paris,
Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.
Lifting Abstract Interpreters to Quantified Logical Domains Sumit Gulwani, MSR Bill McCloskey, UCB Ashish Tiwari, SRI 1.
Today’s Agenda  HW #1 Due  Quick Review  Finish Input Space Partitioning  Combinatorial Testing Software Testing and Maintenance 1.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
Last time Proof-system search ( ` ) Interpretation search ( ² ) Quantifiers Equality Decision procedures Induction Cross-cutting aspectsMain search strategy.
Interpolants [Craig 1957] G(y,z) F(x,y)
Automated Theorem Proving Lecture 4.   Formula := A |  |    A  Atom := b | t = 0 | t < 0 | t  0 t  Term := c | x | t + t | t – t | ct | Select(m,t)
Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.
Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino UC BerkeleyMicrosoft Research November 11, 2004.
Prof. Necula CS Lecture 121 Decision-Procedure Based Theorem Provers Tactic-Based Theorem Proving Inferring Loop Invariants CS Lecture 12.
From last time: reaching definitions For each use of a variable, determine what assignments could have set the value being read from the variable Information.
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
Randomized Analysis with Repeated Conditionals for Affine Equalities Bor-Yuh Evan Chang CS263 Final Project December 4, 2002.
A Polynomial-Time Algorithm for Global Value Numbering SAS 2004 Sumit Gulwani George C. Necula.
Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.
1 Tentative Schedule u Today: Theory of abstract interpretation u May 5 Procedures u May 15, Orna Grumberg u May 12 Yom Hatzamaut u May.
Ofer Strichman, Technion Deciding Combined Theories.
Introduction to Logic for Artificial Intelligence Lecture 2 Erik Sandewall 2010.
Daniel Kroening and Ofer Strichman 1 Decision Procedures in First Order Logic Decision Procedures for Equality Logic.
Impact Analysis of Database Schema Changes Andy Maule, Wolfgang Emmerich and David S. Rosenblum London Software Systems Dept. of Computer Science, University.
The Efficient Maintenance of Access Roles with Role Hiding Chaoyi Pang Xiuzhen Zhang
RDF: Concepts and Abstract Syntax W3C Recommendation 10 February Michael Felderer Digital Enterprise.
Deciding a Combination of Theories - Decision Procedure - Changki pswlab Combination of Theories Daniel Kroening, Ofer Strichman Presented by Changki.
Cristian Gherghina Joint work with: Wei-Ngan Chin, Razvan Voicu, Quang Loc Le Florin Craciun, Shengchao Qin TexPoint fonts used in EMF. Read the TexPoint.
A Parametric Segmentation Functor for Fully Automatic and Scalable Array Content Analysis Patrick Cousot, NYU & ENS Radhia Cousot, CNRS & ENS & MSR Francesco.
1 A Combination Method for Generating Interpolants Greta Yorsh Madan Musuvathi Tel Aviv University, Israel Microsoft Research, Redmond, US CAV’05.
SAT and SMT solvers Ayrat Khalimov (based on Georg Hofferek‘s slides) AKDV 2014.
Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 14: Numerical Abstractions Roman Manevich Ben-Gurion University.
Program Analysis and Verification Spring 2014 Program Analysis and Verification Lecture 14: Numerical Abstractions Roman Manevich Ben-Gurion University.
Jeopardy Growing Exponentially Welcome to the Function Fun with Functions Snoitcunf A special Function Let’s Change it Up
INTERNATIONAL CONFERENCE ON INFORMATION SCIENCE AND TECHNOLOGY, P.P , MARCH An ANFIS-based Dispatching Rule For Complex Fuzzy Job Shop Scheduling.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
Formal Specification of Intrusion Signatures and Detection Rules By Jean-Philippe Pouzol and Mireille Ducassé 15 th IEEE Computer Security Foundations.
Section 3-2: Solving Systems Algebraically (Pg.125) By Ms. Beydoun.
Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 12: Abstract Interpretation IV Roman Manevich Ben-Gurion University.
11th Nov 2004PLDI Region Inference for an Object-Oriented Language Wei Ngan Chin 1,2 Joint work with Florin Craciun 1, Shengchao Qin 1,2, Martin.
Ch 9 – Properties and Attributes of Functions 9.4 – Operations with Functions.
Daniel Kroening and Ofer Strichman Decision Procedures An Algorithmic Point of View Deciding Combined Theories.
1 Combining Abstract Interpreters Mooly Sagiv Tel Aviv University
Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at.
Abstraction and Abstract Interpretation. Abstraction (a simplified view) Abstraction is an effective tool in verification Given a transition system, we.
Satisfiability Modulo Theories and DPLL(T) Andrew Reynolds March 18, 2015.
Spring 2016 Program Analysis and Verification
Partially Disjunctive Heap Abstraction
Matching Logic An Alternative to Hoare/Floyd Logic
Associative Query Answering via Query Feature Similarity
Symbolic Implementation of the Best Transformer
Program Analysis and Verification
Reduction in End-User Shape Analysis
Symbolic Characterization of Heap Abstractions
Objectives Identify functions.
Consistency algorithms
Presentation transcript:

Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 18, 2005 VMCAI 2005 Paris, France

2 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Verifying Object-Oriented Programs OO Program Verifier Inference… Java /C#   Abstract Interpretation

3 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Problem and Motivation Standard abstract interpretation infer properties following a domain specific- schema of relations among (program) variables –e.g., can infer this with Polyhedra [CH78] 0 · x · y z := 2 ¢ y – 2 ¢ x; 0 · z

4 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Problem and Motivation But … this.x 0 · this.x · y this.x z := 2 ¢ y – 2 ¢ this.x; 0 · z? length(x) 0 · length(x) · y length(x) z := 2 ¢ y – 2 ¢ length(x); 0 · z? this.xo  this 0 · this.x · y Æ o  this o.x := o.x := 2 ¢ y this.x z := 2 ¢ y – 2 ¢ this.x; 0 · z? alien expression to Polyhedra

5 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Goal Given a base abstract domain that can represent certain kind of constraints on variables, use it to represent constraints on arbitrary alien expressions (e.g., fields of objects)

6 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Outline Overview Handling Alien Expressions Handling Heap Updates Concluding Remarks

7 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Overview of Contributions To extend base domains to work with alien expressions –use a general abstract domain parameterized by base domains that hide alien expressions as fresh variables (cf. Nelson-Oppen) –congruence-closure abstract domain To deal with heap updates –track successive heaps as a separate base domain –heap succession abstract domain

8 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Fooling the Base Domains Congruence-Closure Abstract Domain Polyhedra Constrain( sel(H,o,f) ¸ 8 ) assume o.f ¸ 8 Constrain(  ¸ 8 ) sel(H,o,f)   Base Domains SymbolicValue

9 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Understands : FunSymbol £ Expr[] ! bool Understandable to the Base Domain + sel Hof ² Abs 2 ¢ x + sel(H,o,f) · Abs(y – z) 2xyz Yes No Understands ·

10 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Understandable to the Base Domain · +  ² Abs 2 ¢ x +  · Abs(y – z) 2xyz Understands : FunSymbol £ Expr[] ! bool No No

11 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Understandable to the Base Domain +  ²  2 ¢ x +  ·  2xyz Understands : FunSymbol £ Expr[] ! bool No Yes   = y - z Also, add this constraint to Polyhedra ·

12 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Congruence-Closure Domain equivalence graph (e-graph)Store mappings in an equivalence graph (e-graph) –give the same symbolic value for equivalent expressions Tracks equalities of uninterpreted functions –an e-graph with abstract domain operations –symbolic values “name” equivalence classes of expressions –implements congruence closure

13 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures E-Graph w = f(x) Æ g(x,y) = f(y) Æ w = h(w) A set of mappings: w   x   f(  )   y   g( ,  )   f(  )   h(  )   Always congruence-closed    w x g h  y f f

14 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Join Roughly, join the e-graphs, then join the base domains G0G0 P0P0 Base Domains G1G1 P1P1 G 0 t G 1 P 0 t P 1 Base Domains

15 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Join of E-Graphs Think of the lattice over conjunctions of equalities (including infinite ones) Let G = Join(G 0,G 1 ) x  G h  0,  0 i if x  G 0  0 and x  G 1  f( h ,  i )  G h  0,  0 i if f(  )  G 0  0 and if f(  )  G 1  0 Rename distinct pairs to fresh symbolic values  x f  x f  f  x f  f h,i à h,i à  h,i à h,i à  Tell base domains about renaming

16 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Join of E-Graphs Complexity: O(n ¢ m) Complete? As precise as possible? –No, e-graphs do not form a lattice! x = y t g(x) = g(y) Æ x = f(x) Æ y = f(y) = Æ i : i ¸ 0 g(f i (x)) = g(f i (y)) –Only relatively complete [Gulwani et al. 2004]

17 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Widen Widen the e-graphs, then widen the base domains Widen of e-graphs is a join of e-graphs that limits the number of new names introduced (see paper)

18 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures So Far We Have … Reasoning for uninterpreted functions Base domains that work with alien expressions transparently What we need for field reads – sel is alien to all base domains

19 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Outline Overview Handling Alien Expressions Handling Heap Updates Concluding Remarks

20 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Heap Updates Java/C#if (p.g == 8) { o.f = x; } Guardedassume H[p,g] == 8; CommandsH := H 0 where sel(H 0,o,f) = x and H 0 ´ o,f H

21 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Heap Updates Guardedassume H[p,g] == 8; CommandsH := H 0 where sel(H 0,o,f) = x and H 0 ´ o,f H AbstractConstrain( sel(H,p,g) = 8 ) InterpreterConstrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) Tracked by a new base domain: Heap Succession

22 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H 0  H 0 g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate()

23 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate() Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H 0  H 0 g  g o  of  f Only removes mapping “Lazy quantifier elimination” “Garbage values” remain

24 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate() Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H  H 0 o  of  f g  gg  g

25 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate() Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H  H 0 g  g o  of  f 1.Do Eliminate (H) EquivalentExpr : Queryable £ Expr £ Var ! Expr option Can you give me an equivalent expression without H?

26 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate() Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H 0,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H  H 0 g  g o  of  f 1.Do Eliminate (H) EquivalentExpr : Queryable £ Expr £ Var ! Expr option Eliminate(H) on Base 2.ToPredicate() on Base and Convert Expr for Client 3.Conjoin Equalities Yes, use H 0 H 0 To query other abstract domains (e.g., o  p?)

27 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Related Work Join for Uninterpreted Functions [Gulwani, Tiwari, Necula 2004] –same as our join for e-graphs Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …] –they abstract heap nodes into summary nodes –they use special “instrumentation predicates” whereas we use “off-the-shelf” abstract domains –could use shape analysis as base domain?

28 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Conclusion and Future Work Extended the power of abstract domains to work with alien expressions using the congruence- closure domain Added reasoning about heap updates with the heap succession domain Close to having “cooperating abstract interpreters”? –missing propagating back equalities inferred by base domains Implementation and experiments in progress

Thank you! Questions? Comments?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.