Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov
Dynamic Algorithms This meeting, this community,... –Dynamic algorithms for better efficiency This talk –Dynamic updates expressed via logical formulas DB maintenance of materialized views Dynamic descriptive complexity –Dyn-FO [Patnaik & Immerman] –FOIES [Dong & Su] –Dynamic algorithms for greater precision (avoid loss of information)
The administrator of the U.S.S. Yorktown’s Standard Monitoring Control System entered 0 into a data field for the Remote Data Base Manager program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units. The Yorktown was dead in the water for about two hours and 45 minutes.
A sailor on the U.S.S. Yorktown entered a 0 into a data field in a kitchen-inventory program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units. The Yorktown was dead in the water for about two hours and 45 minutes. Analysis must track numeric information
x = 3; y = 1/(x-3); x = 3; px = &x; y = 1/(*px-3); x = 3; p = (int*)malloc(sizeof int); *p = x; q = p; y = 1/(*q-3); need to track values other than 0 need to track pointers need to track dynamically allocated storage
Static Analysis Determine information about the possible situations that can arise at execution time, without actually running the program on particular inputs Typically: –Run the program on “aggregate values”, which describe many stores all at once –For each point in the program, find a descriptor that represents (a superset of) the stores that could possibly arise at that point
Static Analysis Determine information about the possible situations that can arise at execution time, without actually running the program on particular inputs Typically: –For each point in the program, find a descriptor that represents (a superset of) the stores that could possibly arise at that point Correctness of analysis justified via abstract interpretation [Cousot & Cousot 77]
Static Analysis List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; Bad Actual
Static Analysis List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; Bad Actual
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL Materialization
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
x yt x y t x y t return y t = y y next = t y = x x = x next x != NULL x yt NULL x yt x y t x y t x y t x y t x y t x y t x y t x y t x y t x y t
What Does a List Descriptor Describe? represents x y t NULL x y t x y t x y t
pointer analysis? points-to analysis? alias analysis? shape analysis? Dynamic storage allocation Destructive updating through pointers
Why is Shape Analysis Difficult? Destructive updating through pointers –p next = q –Produces complicated aliasing relationships Dynamic storage allocation –No bound on the size of run-time data structures
Formalizing “... ” Informal: x Formal: x Summary node
Using Relations to Represent Linked Lists
u1u1 u2u2 u3u3 u4u4 x y
Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234
Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234
Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234
x yt NULL return y t = y y next = t y = x x = x next x != NULL x yt NULL x yt u1u1 u x y u1u1 u x y ’ (v) = x(v) 1010
x yt NULL x y t x y t return y t = y y next = t y = x x = x next x != NULL x yt NULL x yt x y t x y t x y t x y t x y t x y t x y t x y t x y t x y t
Formalizing “...” Informally x … Formally u1u1 x u2u2 y y Really: tables for x, y, and n v 2 v 1 u1u1 u2u2 u1u1 0½ u2u2 0½ n(v 1,v 2 ) x(v) v u1u1 1 u2u2 0 y(v) v u1u1 1 u2u2 0
Good Descriptors?
Formalizing “...” Informally x y … … Formally u1u1 x u2u2 y u3u3
Formalizing “...” Informally Formally x y …… … t t’t’ u1u1 x u2u2 y u3u3 u4u4 u5u5 t’t’ t …
Formalizing “...” Informally Formally x y … … rxrx x ryry y … rxrx ryry u1u1 u2u2 u3u3 u4u4
Formalizing “...” Informally Formally x y … … t t’t’ rxrx rxrx x ryry y ryry r y,r t ’ t’t’ t r x,r t r y,r t ’ r x,r t u4u4 u8u8 u7u7 u6u6 u5u5 u1u1 u2u2 u3u3 … …
Formalizing “...” Really Formally p (relation) p (definition) var(v)core n(v 1,v 2 ), eq(v 1,v 2 )core r var (v) v ’ : (var(v’) n*(v’,v)) rxrx rxrx x ryry y ryry r y,r t ’ t’t’ t r x,r t r y,r t ’ r x,r t u4u4 u8u8 u7u7 u6u6 u5u5 u1u1 u2u2 u3u3
Formalizing “...” Really Formally v 2 v 1 u1u1 u2u2 u3u3 u4u4 u1u1 0½00 u2u2 0½½0 u3u3 000½ u4u4 000½ v u1u1 u2u2 u3u3 u4u4 u5u5 u6u6 u7u7 u8u n(v 1,v 2 ) t(v) r t (v) v u1u1 u2u2 u3u3 u4u4 u5u5 u6u6 u7u7 u8u rxrx rxrx x ryry y ryry r y,r t ’ t’t’ t r x,r t r y,r t ’ r x,r t u4u4 u8u8 u7u7 u6u6 u5u5 u1u1 u2u2 u3u3
Need for Update Formulas x = x n rxrx x rxrx rxrx x rxrx rxrx Re-evaluating formulas can be imprecise r x (v) = v ’ : (x(v ’ ) n*(v ’,v))
Need for Update Formulas Re-evaluating formulas can be imprecise rxrx rxrx x r x = ½ rxrx x r x = 1 x = x n r x (v) = v ’ : (x(v ’ ) n*(v ’,v)) F[r x ](v) = r x (v) ¬ x(v)
Goal: Create Update Formulas Automatically Originally: users provided all update formulas –A lot of work –Error prone Idea: finite differencing of formulas p new (v) = p(v) ? ¬ : = F[p, st](v) negative difference positive difference [ p, st](v) + [ p, st](v) update formula
F[p] Finite Differencing of Formulas F[p](v) = p(v) ? ¬ [ p ](v) : + [ p ](v) [p][p] +[p]+[p] p
Laws for + + [0] = 0 + [1] = 0 + [¬ ] = [ ] + [ ] = ( + [ ] ¬ ) (¬ + [ ]) + [ v : ] = ( v : + [ ]) ¬( v : )
Finite Differencing of Formulas – core update S’ - updated core structure p – instrumentation relation formula p – instrumentation relation S S’ pp pp p pp p’
DB DB’ U V’ V Maintenance of Materialized DB Views U – database update DB’ – updated database - view query V – view value UVUV DB: efficiency Static analysis: avoid loss of precision (½)
TC Maintenance for Single Edge Addition in Arbitrary Graphs Let t n (v 1,v 2 ) = n*(v 1,v 2 ) F[t n (v 1,v 2 )] = t n (v 1,v 2 ) v 1 ’,v 2 ’: t n (v 1,v 1 ’) + [n(v 1 ’,v 2 ’)] t n (v 2 ’,v 2 )
TC Maintenance in FO Logic 3 special cases [Dong&Su, Immerman] –Acyclic relations –Relations with all nodes of outdegree at most 1 –Undirected relations For a single edge addition or deletion (not both)
TC Maintenance for Single Edge Deletion in Acyclic Graphs a b a b but
Suspicious Pairs a b Suspicious t n pairs: (a,b) S(v 1,v 2 ) = v 1 ’,v 2 ’: t n (v 1,v 1 ’) [n(v 1 ’,v 2 ’)] t n (v 2 ’,v 2 )
Suspicious Pairs (cont.) Suspicious t n pairs: (a,b) but not (c,d) S(v 1,v 2 ) = v 1 ’,v 2 ’: t n (v 1,v 1 ’) [n(v 1 ’,v 2 ’)] t n (v 2 ’,v 2 ) a b c d
Trusty Pairs Trusty pairs: (c,d) but not (a,b) –non-suspicious t n pairs (not using the deleted edge). T(v 1,v 2 ) = t n (v 1,v 2 ) ¬ S(v 1,v 2 ) a b c d
TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.) Future t n pairs: F[t n (v 1,v 2 )] = equal(v 1,v 2 ) v 1 ’,v 2 ’: T(v 1,v 1 ’) F[n(v 1,v 2 )] T(v 2 ’,v 2 ) a b
TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.) Future t n pairs: F[t n (v 1,v 2 )] = equal(v 1,v 2 ) v 1 ’,v 2 ’: T(v 1,v 1 ’) F[n(v 1,v 2 )] T(v 2 ’,v 2 ) a b a b
TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.) Future t n pairs: F[t n (v 1,v 2 )] = equal(v 1,v 2 ) v 1 ’,v 2 ’: T(v 1,v 1 ’) F[n(v 1,v 2 )] T(v 2 ’,v 2 ) a b
TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.) Future t n paths: F[t n (v 1,v 2 )] = equal(v 1,v 2 ) v 1 ’,v 2 ’: T(v 1,v 1 ’) F[n(v 1,v 2 )] T(v 2 ’,v 2 ) a b cd
Measure of Success Fraction of automatically generated update formulas that are as precise as existing hand-crafted update formulas Evaluation Data StructureSample properties Singly linked list Partial correctness of sorting Absence of insecure information flow Merge preserves ADT and loses no elements of either list Doubly linked listAppend and Delete preserve ADT Binary treeDeutsch-Schorr-Waite preserves ADT Binary-search treeInsert and Delete preserve ADT
Results 100% success (acyclic relations) –Cyclic relations correctly detected in 3 programs Performance effect was modest − 4% (decrease) to 44% average: ‹ 15% –Can be improved (e.g., caching of results)
Optimization of set-theoretic expressions –Paige 79, Paige and Koenig 82 –Fong & Ullman (late 70s) DB: view maintenance; enforce integrity constraints –Stonebraker 75; Paige 81; Horwitz & Teitelbaum 86 –Large body of DB literature in the 90s Dynamic descriptive complexity (Dyn-FO, FOIES) –Patnaik & Immerman 94; Dong & Su 93 “Incrementalizing” functional programs –Liu 95; Liu & Teitelbaum 95 Related Work
For More Information Reps, T., Sagiv, M., and Loginov, A., Finite differencing of logical formulas for static analysis. In Proc. European Symp. on Programming, LNCS Vol. 2618, Sagiv, M., Reps, T., and Wilhelm, R., Parametric shape analysis via 3-valued logic. ACM TOPLAS 24, 3 (2002). Homepage for the TVLA system:
Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov