Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at Urbana-Champaign 2 University of Southampton, UK
Automatic Shapes Static analysis of heap structures - heaps with a single pointer field Properties: Universally Quantified properties over heap + data Introduce Automatic Shapes - abstract domain of automata Automata are classical ways to capture infinite sets of objects using finite means. Aim: - Represent properties of the data stored in the heap. - Build automata that can express universally quantified properties 2
Universally Quantified Properties on Lists head less 4 9 more fold-split(key) splits input list into two lists. List pointed to by head is sorted Abstract analysis of heap is hard - unbounded size of the heap - unbounded data stored in the heap
Heap Configurations and Skinny Trees Restrict to heaps with a single pointer field (acyclic). Let P: the program’s pointer variables - Heap configuration skinny trees labeled by P k- skinny tree has at most k- branching points. Heap configurations are k- skinny trees (k = number of pointer vars.) head head 2 $ nil 4 1 head 3 8
Quantified Data Automata Extends Quantified Data Automata over lists [CAV’13] QDAs logically define universally quantified properties of lists Example : 5
Quantified Data Automata Fix P – program pointer variables Fix Y – set of quantified variables Fix F – data domain which forms a lattice QDA over skinny trees: - reads a tree annotated with pointers P and Y - checks whether data stored at these positions satisfy a data property QDA accepts a tree T with pointers P if it accepts all possible extensions of T with valuations for Y. 6 head y1y1 y2y2 data(y 1 ) <= data(y 2 )
Valuation Trees Valuation tree = Skinny tree over P + valuation for Y 7 Skinny Tree Valuation Trees Universal Quantification QDA accepts a skinny tree iff it accepts ALL corresponding valuation trees head head 2 $ nil head head 2 $ nil y1y1 y2y head head 2 $ nil y1y1 y2y2
Quantified Data Automata Bottom-up, deterministic, register automata over trees - each state labeled with a data formula f For a valuation tree, QDA reads ptr. and univ. vars. and stores the data values in the register reg. At the final state, QDA checks if these data values satisfy the formula labeling the state. - reg satisfies f(q) Accepts the valuation tree - reg does not satisfy f(q) Rejects the valuation tree head head 2 $ nil y1y1 y2y head head 2 $ nil y1y1 y2y2 head 1 5 head 2 3 y 1 4 y 2 7 nil $ reg: f(q) = data(y 1 ) < data(y 2 )
QSDAs capture sets of heap skinny trees of the logical form: Meaning: For a given valuations of universal variables y’s, whenever Guard i (p,y) is true QSDA reads p, y to reach (q, reg) then Data i (data(p), data(y)) is true reg satisfies f(q) = Data i - This property should be true for all valuations of y’s 9 Quantified Data Automata
Formula Tree = (Valuation Tree \ data) paired with a data formula - complete separation of the structure of the heap and its data Define L f (A) = Language of formula trees accepted by A 10 Formula Tree, data(y 1 ) < data(y 2 ) head 1 head 2 nil y1y1 y2y2
11 QDAs as a Partial Order Natural Partial Order -- set inclusion over the language of QDAs - not closed under disjunctions Alternate partial order: if such that and - Least upper bound associates every tree to - Infinite sets of QDAs might not have a least upper bound. Hence do not form a complete lattice.
12 Elastic QDAs Require a notion of widening for analysis of loops - Ignore lengths of stretches of the heap not pointed by variables. QDA: head nil y1y1 head nil y1y1 -Restriction: All transitions on blank symbols must be self-loops head y1y1 y1y1 Elastic QDA:
13 Theorems about EQDAs 1. Number of states in a minimal EQDA is bounded - Finite number of EQDAs modulo the data formulas - widening proc. for EQDAs given widening for data formulas. 2. For every QDA, there is a most-precise over-approximating EQDA (in terms of their accepting languages) elastification EQDAs form a complete lattice abstract domain 3. EQDAs correspond to decidable STRAND logic [POPL’11] over lists. - Abstract interpretation using EQDAs can be used for checking STRAND assertions.
14 Abstract transformer over EQDAs Strongest post condition involves existential quantification of the pre-state + constraining post-state acc. to the semantics of the stmt. Example: strongest-post( ) = These precise post-conditions are not expressible by QDAs. Over-approximate the post-condition to: - eliminate existential quantifier via quantifier elimination for the structure (Guard) using automata, and data-formulas (Data) separately. /\ Guard => Data
15 Abstract transformer over EQDAs Pointer Assignment statement p i := p j Similar abstract transformer for structure manipulating statements: Pointer Lookup p i := p j.next Pointer Mutate p i.next := p j Allocate new p i … pipi pjpj p i := p j pipi pjpj b, p i p i := p j
16 Abstract transformer over EQDAs Data Assignment statement p i.data := data_exp Slightly more involved: - Also account for all variables which point to the same node as p i pipi p i.data := data_exp pipi
17 Abstract transformer over EQDAs A’ might not be elastic. Use the most-precise over-approximation result to get an EQDA. - defines the actual abstract transformer over EQDAs Fix-point computation of the abstract semantics terminates - widening for the data domain stmt elastification EQDA QDA
18 Experiments Simple programming language consisting of heap allocation, pointer assignment, pointer lookup, pointer mutate, … Given a STRAND formula as pre-condition, construct the corresponding EQDA. Compute the abstract semantics of the program over EQDAs using the abstract transformer. Fix-point EQDAs are translated to decidable STRAND formulas over lists to verify program assertions, post-conditions. - Instantiate data-formulas with the octagonal domain (using Apron). - Prototype implementation available at
19 Experiments Programs#PV#Y#DVProperty#Iter.Max. size of QSDATime (s) INIT211Init, List MAX211Max, List CLONE411Init, List FOLD-CLONE511Init, List COPY-GE5410Gek, List FOLD-SPLIT311Gek, List CONCAT411Init, List SORTED-FIND222Sort, List SORTED-INSERT421Sort, List BUBBLE-SORT421Sort, List5/ SORTED-REVERSE320Sort, List EXPRESSOS-LOOKUP-PREV321Sort, List GSLIST-CUSTOM-FIND311Gek, List GSLIST-REMOVE-ALL511Gek, List GSLIST-INSERT-SORTED521Sort, List
Related Work (Shape Analysis) Merges nodes that satisfy the same predicates - unary + instrumentation predicates Instrumentation predicates provided by the user - often complex, - very particular to the program being verified 20 Example: sub-list before pointer i is sorted, that is - instrumentation predicate required Clearly, - s(x) too dependent on the property being verified - complex (writing binary property as a unary predicate)
Conclusion Automatic Shapes – an abstract domain of automata - can express universally quantified properties of lists - can prove these properties precisely and efficiently Future Work Extensions to trees to capture universally quantified properties like binary-search-tree, max-heap, … Extensions to general graphs using graph automatons. 21 Thank You !