Parametric Shape Analysis via 3-Valued Logic

Parametric Shape Analysis via 3-Valued Logic
Mooly Sagiv Thomas Reps Reinhard Wilhelm

pointer analysis? points-to analysis? shape analysis? alias analysis?

The Shape-Analysis Problem
For every program point, compute a finite characterization of the possible “shapes” of the heap-allocated data structures.

Formalizing “. . .” Informal: x y Formal: x y Summary Information

Why Shape Analysis? Capture storage invariants May-alias information
x points to an acyclic list, cyclic list, tree, dag, etc. May-alias information Identify (absence of) sharing x and y point to structures that do not share cells “Dynamization” of static structure-description formalisms e.g., ADDS annotations [Hendren 94]

What’s New? Parametric framework for a class of shape-analysis algorithms “Rational reconstruction” of a number of previous shape-analysis methods [Jones & Muchnick 81] [Chase, Wegman, & Zadeck 90] [Stransky 93] [Assmann & Weinhardt 93] [Pleyvak, Chien, & Karamcheti 93] [Wang 94] [Sagiv, Reps, & Wilhelm 96, 98] New shape-analysis methods General abstraction principle  Much simpler proofs Basis for a tool that generates shape-analysis algorithms

Outline Using logic to describe stores
Using logic to express store transformations Forming abstractions of stores Three-valued logic Using three-valued logic to express transformations of abstract stores

Using Logic to Describe Stores
Predicate Symbols Whether variable x points to location u: x(u) Pointer fields: n(u1, u2) car(u1, u2) cdr(u1, u2) x u u1 u2 u1 u2 u1 u2

Using Logic to Describe Stores
Formulas: Other Properties of Locations is(v)   v1,v2 : n(v1,v)  n(v2,v)  v1  v2 x y u3 u1 u2 is(u1) = 0 is(u2) = 1 is(u3) = 0 u3 u4 u1 u2 is(u1) = 0 is(u2) = 0 is(u4) = 0 is(u3) = 0

First-Order Logic (Syntax)
Vocabulary Predicate symbols: p1, p2, . . ., pn Constant symbols: c1, c2, . . ., cm Function symbols: f1, f2, . . ., fk Formulas Variables Equality-predicate symbol: = Logical-constant symbols: 0, 1 Connectives: , ,  Quantifiers: , 

First-Order Logic (Semantics)
Truth values: 0, 1 Logical structures Individuals: U = {u1, u2, . . ., un} Predicates: pi : U arity(pi)  {0, 1} In Our Application Logical structures = Concrete stores

An Example Individuals: U = {u1, u2, u3} Predicates: x u1 x u1 u3 u1
y u3 y u3 Individuals: U = {u1, u2, u3} Predicates:

Example (Cont’d) Individuals: U = {u1, u2, u3} Predicates: x u2 u3 u1
y u3 Individuals: U = {u1, u2, u3} Predicates:

Assignments Z: free variables  individuals Meaning of a formula (Z)

Meaning of a Formula (v,v1,v2)  n(v1,v)  n(v2,v)  v1  v2
x u1 u2 y u3 (v,v1,v2)  n(v1,v)  n(v2,v)  v1  v2 Z = { v  u2, v1  u1, v2  u3 } (v,v1,v2)(Z) = ???

Meaning of a Formula (Z)
pi(v1, …, vk) (Z) = pi (Z(v1), …, Z(vk)) 1  2(Z) = 1 (Z)  2(Z) 1  2(Z) = 1 (Z)  2(Z) Negation, quantification, . . .

Meaning of a Formula  (v,v1,v2)  n(v1,v)  n(v2,v)  v1  v2
y x  (v,v1,v2)  n(v1,v)  n(v2,v)  v1  v2 Z = { v  u2, v1  u1, v2  u3} (Z) = n(v1,v)  n(v2,v)  v1  v2(Z) = n(u1, u2)  n(u3, u2)  u1  u3 =   1 = 1

Using Logic to Change Stores
x = null Before: x u3 u1 u2 y z After: u3 u1 u2 y z x

Predicate-Alteration Formulas for x = null
Old: x u3 u1 u2 y z New: u3 u1 u2 x[x = null](v)  0

Old: x u3 u1 u2 y z New: u3 u1 u2 y y[x = null](v)  y(v)

Old: x u3 u1 u2 y z New: u3 u1 u2 y z z[x = null](v)  z(v)

Old: x u3 u1 u2 y z New: y u1 u2 z u3

Old: x u3 u1 u2 y z New: y u1 u2 z u3 n[x = null](v1,v2)  n(v1,v2) n n

Old: x u3 u1 u2 y z New: y u1 u2 z u3 n n

Old: x u3 u1 u2 y z New: y u1 u2 z u3 n

The Abstraction Principle
u1 u2 u3 u4 x u1 u234 x Summary Information {0,1}

u1 u2 u3 u4 x u1 u234 x

Select some subset A of the predicate symbols Partition the individuals US of structure S into equivalence classes based on the values of their A predicates u  [u]A Form the “union-quotient” of S with respect to {[u]A | u  US}

Example A = {v | v is a program variable} [Chase, Wegman, & Zadeck 90]
[Sagiv, Reps, & Wilhelm 96, 98] u1 u2 u3 u4 x [u1] x [u2] Quotient w.r.t. {w, x, y, z}

Two- vs. Three-Valued Logic
1 Two-valued logic {0,1} {0} {1} Three-valued logic {0} 3 {0,1} {1} 3 {0,1}

Two- vs. Three-Valued Logic
Two-valued logic Three-valued logic {1} {0,1} {0} 1  1

Truth values: 0, 1,  Logical structures Individuals: U = {u1, u2, . . ., un} Predicates: pi : U arity(pi)  {0, 1, } In Our Application 3-valued logical structures = Abstract stores

Select some subset A of the predicate symbols Partition the individuals US of structure S into equivalence classes based on the values of their A predicates u  [u]A Form the “union-quotient” of S with respect to {[u]A | u  US}

Abstraction Conserves Predicates
S# = S/[u]A S Abs(A) u  [u]A pS (u1, …, uk) 3 pS# ([u1]A, …, [uk]A) “Form the ‘union-quotient’ of S with respect to {[u]A | u  US}”

pS (u1,…,uk) 3 pS# ([u1]A,…,[uk]A)
x [u2] u1 u2 u3 u4 x

Abstraction Conserves Properties
S# = S/[u]A S Abs(A) u  [u]A pS (u1, …, uk) 3 pS# ([u1]A, …, [uk]A)  S (u1, …, uk) 3  S# ([u1]A, …, [uk]A) Evaluating a formula extracts information conservatively

 S (u1, …, uk) 3  S# ([u1]A, …, [uk]A)
  [u1] x [u2] u1 u2 u3 u4 x   (v)   v1,v2 : n(v1,v)  n(v2,v)  v1  v2 1  For  S#([u2]), let v1 = [u1], and v2 = [u2] =  

“Tracking Properties” Beats “Inferring Properties”
[u1] x [u2] u1 u2 u3 u4 x

“Tracking Properties” Beats “Inferring Properties”
[u1] x [u2] u1 u2 u3 u4 x pS (u1, …, uk) 3 pS# ([u1]A, …, [uk]A) pS (u1, …, uk) 3 pS# ([u1]A, …, [uk]A) pS (u1, …, uk) = pS (u1, …, uk) 3 pS# ([u1]A, …, [uk]A) 3 pS# ([u1]A, …, [uk]A)

“Rational reconstruction” of [Chase, Wegman, & Zadeck 90]
Example y x [u1] [u2] x y [u1] [u2] x = y  n “Rational reconstruction” of [Chase, Wegman, & Zadeck 90]

Example (~[CWZ 90]) x[x = y  n](v)   v1 : y(v1)  n(v1,v)  
[u1] [u2] [u1] [u2] x[x = y  n](v)   v1 : y(v1)  n(v1,v) 1   

Example (~[CWZ 90]) x[x = y  n](v)   v1 : y(v1)  n(v1,v)
[u1] [u2] [u1] [u2] x[x = y  n](v)   v1 : y(v1)  n(v1,v) y[x = y  n](v)  y(v) 1

[u1] [u2] [u1] [u2] x[x = y  n](v)   v1 : y(v1)  n(v1,v) y[x = y  n](v)  y(v) n[x = y  n](v1,v2)  n(v1,v2) 

[u1] [u2] [u1] [u2] x[x = y  n](v)   v1 : y(v1)  n(v1,v) y[x = y  n](v)  y(v) n[x = y  n](v1,v2)  n(v1,v2) is[x = y  n](v)  is(v)

[Chase, Wegman, & Zadeck 90]
Materialization [Chase, Wegman, & Zadeck 90] y x [u1] [u2] x y [u1] [u2] x = y  n x = y  n [Sagiv, Reps, & Wilhelm 96, 98] x y [u1] [u2] [u3]

(1) Triplicate the Structure
x[x = y  n](v)   v1 : y(v1)  n(v1,v) x     y [u1] [u1] [u2] x y x y [u1] [u2.1] x y [u1] [u2.1] [u2.0]

(2) Evaluate Predicate-Alteration Formulas
x[x = y  n](v)   v1 : y(v1)  n(v1,v) x y [u1] y [u1] x [u1] [u2.1] x y y [u1] [u2.1] x x y y [u1] [u2.1] [u2.0] [u1] [u2.1] [u2.0]

Additional Abstraction Predicates
reachable-from-variable-x(v) acyclic-along-dimension-d(v) à la ADDS doubly-linked(v) tree(v) dag(v) AVL trees: balanced(v), left-heavy(v), right-heavy(v) . . . but not via height arithmetic Need FO + TC

Formalizing “. . .” Informal: x y Formal: x y

Formalizing “. . .” Informal: t1 x y t2 Formal: x y t2 t1

Formalizing “. . .” Informal: Formal: x y x y reachable from
variable x variable y

Formalizing “. . .” Informal: t1 t2 Formal: t1 t2 x y x y {x} {x}
{t2,y} {t2,y}

Summary Parametric framework
Three-valued logic arises from abstraction Three-valued logic also allows: Materialization Conservative extraction of properties Interpretation of program conditions Simpler proofs

Parametric Shape Analysis via 3-Valued Logic

Similar presentations

Presentation on theme: "Parametric Shape Analysis via 3-Valued Logic"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Parametric Shape Analysis via 3-Valued Logic

Similar presentations

Presentation on theme: "Parametric Shape Analysis via 3-Valued Logic"— Presentation transcript:

Similar presentations

About project

Feedback