Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino UC BerkeleyMicrosoft Research November 11, 2004 OSQ Meeting

2 11/12/2004 Standard Abstract Interpretation y := 8; x := 0; while (*) { y := y + x; x++; } y ¸ 8 Can do this inference with the polyhedra abstract domain [CH79]

3 11/12/2004 Standard Abstract Interpretation this.y := 8; this.x := 0; while (*) { this.y := this.y + this.x; this.x++; } this.y ¸ 8? Goal: Given a base domain that can infer certain kind of predicates on variables, use it to infer predicates on fields

4 11/12/2004 Achieving the Goal 1.Handling Alien Expressions / Uninterpreted Functions 2.Handling Heap Updates

5 11/12/2004 Abstract Domains interface AbstractDomain { type Elt Constrain : Elt £ Expr ! Elt Eliminate : Elt £ Var ! Elt Rename : Elt £ Var £ Var ! Elt ToPredicate : Elt ! Expr Join : Elt £ Elt ! Elt AtMost : Elt £ Elt ! bool }

6 11/12/2004 Fooling the Base Domains Congruence-Closure Domain / “Name Service” Polyhedra Constrain( sel(H,o,f) ¸ 8 ) assume o.f ¸ 8 Constrain(  ¸ 8 ) sel(H,o,f)   Base Domains SymbolicValue

7 11/12/2004 Understandable to the Base Domain ¸ + sel Hof ² | 2 ¢ x + sel(H,o,f) · |y - z| 2xyz Understands : FunSymbol £ Expr[] ! bool

8 11/12/2004 Understandable to the Base Domain ¸ + sel Hof ² | 2 ¢ x + sel(H,o,f) · |y - z| 2xyz Understands : FunSymbol £ Expr[] ! bool Yes No

9 11/12/2004 Understandable to the Base Domain ¸ +  ² | 2 ¢ x +  · |y - z| 2xyz Understands : FunSymbol £ Expr[] ! bool No No

10 11/12/2004 Understandable to the Base Domain ¸ +  ²  2 ¢ x +  ·  2xyz Understands : FunSymbol £ Expr[] ! bool No Yes   = y - z

11 11/12/2004 Congruence-Closure Domain Could always choose new names, but … –Should use the same name for syntactically equivalent expressions –Even Better: same name for known equalities Tracks equalities of uninterpreted functions –an E-Graph with abstract domain operations –symbolic values “name” equivalence classes of expressions –implements congruence closure

12 11/12/2004 E-Graph w = f(x) Æ g(x,y) = f(y) Æ w = h(w) A set of mappings: w   x   f(  )   y   g( ,  )   f(  )   h(  )   Always congruence-closed    w xy g h  ff

13 11/12/2004 Join Join the e-graphs, then join the base domains Think of the lattice over conjunctions of equalities (including infinite ones) Let G = Join(G 0,G 1 ) x  G h  ’,  ’ i if x  G 0  ’ and x  G 1  ’ f( h ,  i )  G h  ’,  ’ i if f(  )  G 0  ’ and f(  )  G 1  ’ Rename distinct pairs to fresh symbolic values

14 11/12/2004 Join Complexity: O(n ¢ m) Complete? As precise as possible? –No, e-graphs do not form a lattice! x = y t g(x) = g(y) Æ x = f(x) Æ y = f(y) = Æ i : i ¸ 0 g(f i (x)) = g(f i (y)) –Only relatively complete [Gulwani et al.] Tell base domains about renaming h ,  i à  Constrain B 0 (  =  ), Constrain B 1 (  =  )

15 11/12/2004 So Far We Have … Reasoning for uninterpreted functions Base domains that work with alien expressions transparently What we need for field reads –sel is alien to all base domains

16 11/12/2004 Achieving the Goal 1.Handling Alien Expressions / Uninterpreted Functions 2.Handling Heap Updates

17 11/12/2004 Heap Updates Java/C#if (p.g == 8) { o.f = x; } Abstractassume H[p,g] == 8; InterpreterH := upd(H,o,f,x); sel(upd(H,o,f,e),o’,f’) = e if o = o’ and f = f’ sel(upd(H,o,f,e),o’,f’) = sel(H,o’,f’) if o  o’ or f  f’

18 11/12/2004 Heap Updates Java/C#if (p.g == 8) { o.f = x; } Abstractassume H[p,g] == 8; InterpreterH := H’ where H’ ´ o,f H and sel(H’,o,f) = x

19 11/12/2004 Heap Updates Abstractassume H[p,g] == 8; InterpreterH := H’ where H’ ´ o,f H and sel(H’,o,f) = x AbstractConstrain( sel(H,p,g) = 8 ) DomainConstrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate() Tracked by a new base domain: Heap Succession

20 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H,p,g)   8   sel(H’,o,f)   x   H  Hp  p H’  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate()

21 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H,p,g)   8   sel(H’,o,f)   x   H  Hp  p H’  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate()

22 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H,p,g)   8   sel(H’,o,f)   x   H  Hp  p H  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate()

23 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H,p,g)   8   sel(H’,o,f)   x   H  Hp  p H  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate() 1.“Collect Garbage” (H) EquivalentExpr : Queryable £ Expr £ Var ! Expr Can you give me an equivalent expression without H?

24 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H’,p,g)   8   sel(H’,o,f)   x   H  Hp  p H  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate() 1.“Collect Garbage” (H) EquivalentExpr : Queryable £ Expr £ Var ! Expr option Eliminate(H) on Base 2.ToPredicate() on Base and Convert Expr for Client 3.Add Equalities Yes, use H’

25 11/12/2004 Related Work Join for Uninterpreted Functions [Gulwani, Tiwari, Necula] Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …]

26 11/12/2004 Conclusion Extended the power of abstract domains to work with alien expressions using the congruence-closure domain Added reasoning about heap updates with the heap succession domain Close to having “cooperating abstract interpreters”? –missing propagating back equalities inferred by base domains

Thank you! Questions? Comments?