Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov."— Presentation transcript:

1 Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov

2 Dynamic Algorithms This meeting, this community,... –Dynamic algorithms for better efficiency This talk –Dynamic updates expressed via logical formulas DB maintenance of materialized views Dynamic descriptive complexity –Dyn-FO [Patnaik & Immerman] –FOIES [Dong & Su] –Dynamic algorithms for greater precision (avoid loss of information)

3 The administrator of the U.S.S. Yorktown’s Standard Monitoring Control System entered 0 into a data field for the Remote Data Base Manager program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units. The Yorktown was dead in the water for about two hours and 45 minutes.

4 A sailor on the U.S.S. Yorktown entered a 0 into a data field in a kitchen-inventory program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units. The Yorktown was dead in the water for about two hours and 45 minutes. Analysis must track numeric information

5 x = 3; y = 1/(x-3); x = 3; px = &x; y = 1/(*px-3); x = 3; p = (int*)malloc(sizeof int); *p = x; q = p; y = 1/(*q-3); need to track values other than 0 need to track pointers need to track dynamically allocated storage

6 Static Analysis Determine information about the possible situations that can arise at execution time, without actually running the program on particular inputs Typically: –Run the program on “aggregate values”, which describe many stores all at once –For each point in the program, find a descriptor that represents (a superset of) the stores that could possibly arise at that point

7 Static Analysis Determine information about the possible situations that can arise at execution time, without actually running the program on particular inputs Typically: –For each point in the program, find a descriptor that represents (a superset of) the stores that could possibly arise at that point Correctness of analysis justified via abstract interpretation [Cousot & Cousot 77]

8 Static Analysis List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; Bad Actual

9 Static Analysis List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; Bad Actual

10 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

11 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

12 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

13 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

14 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL Materialization

15 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

16 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

17 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

18 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

19 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

20 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

21 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

22 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

23 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

24 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

25 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

26 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

27 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

28 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

29 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

30 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

31 Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

32 x yt x y t x y t return y t = y y  next = t y = x x = x  next x != NULL x yt NULL x yt x y t x y t x y t x y t x y t x y t x y t x y t x y t x y t

33 What Does a List Descriptor Describe? represents x y t NULL x y t x y t x y t

34 pointer analysis? points-to analysis? alias analysis? shape analysis? Dynamic storage allocation Destructive updating through pointers

35 Why is Shape Analysis Difficult? Destructive updating through pointers –p  next = q –Produces complicated aliasing relationships Dynamic storage allocation –No bound on the size of run-time data structures

36 Formalizing “... ” Informal: x Formal: x Summary node

37 Using Relations to Represent Linked Lists

38 u1u1 u2u2 u3u3 u4u4 x y

39 Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234        

40 Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234

41 Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234   

42 x yt NULL return y t = y y  next = t y = x x = x  next x != NULL x yt NULL x yt u1u1 u x y u1u1 u x y ’ (v) = x(v) 1010

43 x yt NULL x y t x y t return y t = y y  next = t y = x x = x  next x != NULL x yt NULL x yt x y t x y t x y t x y t x y t x y t x y t x y t x y t x y t

44 Formalizing “...” Informally x … Formally u1u1 x u2u2 y y Really: tables for x, y, and n v 2 v 1 u1u1 u2u2 u1u1 0½ u2u2 0½ n(v 1,v 2 ) x(v) v u1u1 1 u2u2 0 y(v) v u1u1 1 u2u2 0

45 Good Descriptors?

46

47 Formalizing “...” Informally x y … … Formally u1u1 x u2u2 y u3u3

48 Formalizing “...” Informally Formally x y …… … t t’t’ u1u1 x u2u2 y u3u3 u4u4 u5u5 t’t’ t …

49 Formalizing “...” Informally Formally x y … … rxrx x ryry y … rxrx ryry u1u1 u2u2 u3u3 u4u4

50 Formalizing “...” Informally Formally x y … … t t’t’ rxrx rxrx x ryry y ryry r y,r t ’ t’t’ t r x,r t r y,r t ’ r x,r t u4u4 u8u8 u7u7 u6u6 u5u5 u1u1 u2u2 u3u3 … …

51 Formalizing “...” Really Formally p (relation)  p (definition) var(v)core n(v 1,v 2 ), eq(v 1,v 2 )core r var (v)  v ’ : (var(v’)  n*(v’,v)) rxrx rxrx x ryry y ryry r y,r t ’ t’t’ t r x,r t r y,r t ’ r x,r t u4u4 u8u8 u7u7 u6u6 u5u5 u1u1 u2u2 u3u3

52 Formalizing “...” Really Formally v 2 v 1 u1u1 u2u2 u3u3 u4u4  u1u1 0½00 u2u2 0½½0 u3u3 000½ u4u4 000½  v u1u1 u2u2 u3u3 u4u4 u5u5 u6u6 u7u7 u8u8 00100000 n(v 1,v 2 ) t(v) r t (v) v u1u1 u2u2 u3u3 u4u4 u5u5 u6u6 u7u7 u8u8 00110000 rxrx rxrx x ryry y ryry r y,r t ’ t’t’ t r x,r t r y,r t ’ r x,r t u4u4 u8u8 u7u7 u6u6 u5u5 u1u1 u2u2 u3u3

53 Need for Update Formulas x = x  n rxrx x rxrx rxrx x rxrx rxrx Re-evaluating formulas can be imprecise r x (v) =  v ’ : (x(v ’ )  n*(v ’,v))

54 Need for Update Formulas Re-evaluating formulas can be imprecise rxrx rxrx x r x = ½ rxrx x r x = 1 x = x  n r x (v) =  v ’ : (x(v ’ )  n*(v ’,v)) F[r x ](v) = r x (v)  ¬ x(v)

55 Goal: Create Update Formulas Automatically Originally: users provided all update formulas –A lot of work –Error prone Idea: finite differencing of formulas p new (v) = p(v) ? ¬ : = F[p, st](v) negative difference positive difference   [  p, st](v)  + [  p, st](v) update formula

56 F[p] Finite Differencing of Formulas F[p](v) = p(v) ? ¬   [  p ](v) :  + [  p ](v) [p][p] +[p]+[p] p

57 Laws for  +  + [0] = 0  + [1] = 0  + [¬  ] =   [  ]  + [    ] = (  + [  ]  ¬  )  (¬    + [  ])  + [  v :  ] = (  v :  + [  ])  ¬(  v :  )

58 Finite Differencing of Formulas  – core update S’ - updated core structure  p – instrumentation relation formula p – instrumentation relation S S’  pp pp p pp p’

59 DB DB’ U   V’ V Maintenance of Materialized DB Views U – database update DB’ – updated database  - view query V – view value UVUV DB: efficiency Static analysis: avoid loss of precision (½)

60 TC Maintenance for Single Edge Addition in Arbitrary Graphs Let t n (v 1,v 2 ) = n*(v 1,v 2 ) F[t n (v 1,v 2 )] = t n (v 1,v 2 )   v 1 ’,v 2 ’: t n (v 1,v 1 ’)   + [n(v 1 ’,v 2 ’)]  t n (v 2 ’,v 2 )

61 TC Maintenance in FO Logic 3 special cases [Dong&Su, Immerman] –Acyclic relations –Relations with all nodes of outdegree at most 1 –Undirected relations For a single edge addition or deletion (not both)

62 TC Maintenance for Single Edge Deletion in Acyclic Graphs a b a b but

63 Suspicious Pairs a b Suspicious t n pairs: (a,b) S(v 1,v 2 ) =  v 1 ’,v 2 ’: t n (v 1,v 1 ’)    [n(v 1 ’,v 2 ’)]  t n (v 2 ’,v 2 )

64 Suspicious Pairs (cont.) Suspicious t n pairs: (a,b) but not (c,d) S(v 1,v 2 ) =  v 1 ’,v 2 ’: t n (v 1,v 1 ’)    [n(v 1 ’,v 2 ’)]  t n (v 2 ’,v 2 ) a b c d

65 Trusty Pairs Trusty pairs: (c,d) but not (a,b) –non-suspicious t n pairs (not using the deleted edge). T(v 1,v 2 ) = t n (v 1,v 2 )  ¬ S(v 1,v 2 ) a b c d

66 TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.) Future t n pairs: F[t n (v 1,v 2 )] = equal(v 1,v 2 )   v 1 ’,v 2 ’: T(v 1,v 1 ’)  F[n(v 1,v 2 )]  T(v 2 ’,v 2 ) a b

67 TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.) Future t n pairs: F[t n (v 1,v 2 )] = equal(v 1,v 2 )   v 1 ’,v 2 ’: T(v 1,v 1 ’)  F[n(v 1,v 2 )]  T(v 2 ’,v 2 ) a b a b

68 TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.) Future t n pairs: F[t n (v 1,v 2 )] = equal(v 1,v 2 )   v 1 ’,v 2 ’: T(v 1,v 1 ’)  F[n(v 1,v 2 )]  T(v 2 ’,v 2 ) a b

69 TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.) Future t n paths: F[t n (v 1,v 2 )] = equal(v 1,v 2 )   v 1 ’,v 2 ’: T(v 1,v 1 ’)  F[n(v 1,v 2 )]  T(v 2 ’,v 2 ) a b cd

70 Measure of Success Fraction of automatically generated update formulas that are as precise as existing hand-crafted update formulas Evaluation Data StructureSample properties Singly linked list Partial correctness of sorting Absence of insecure information flow Merge preserves ADT and loses no elements of either list Doubly linked listAppend and Delete preserve ADT Binary treeDeutsch-Schorr-Waite preserves ADT Binary-search treeInsert and Delete preserve ADT

71 Results 100% success (acyclic relations) –Cyclic relations correctly detected in 3 programs Performance effect was modest − 4% (decrease) to 44% average: ‹ 15% –Can be improved (e.g., caching of results)

72 Optimization of set-theoretic expressions –Paige 79, Paige and Koenig 82 –Fong & Ullman (late 70s) DB: view maintenance; enforce integrity constraints –Stonebraker 75; Paige 81; Horwitz & Teitelbaum 86 –Large body of DB literature in the 90s Dynamic descriptive complexity (Dyn-FO, FOIES) –Patnaik & Immerman 94; Dong & Su 93 “Incrementalizing” functional programs –Liu 95; Liu & Teitelbaum 95 Related Work

73 For More Information Reps, T., Sagiv, M., and Loginov, A., Finite differencing of logical formulas for static analysis. In Proc. European Symp. on Programming, LNCS Vol. 2618, 2003. Sagiv, M., Reps, T., and Wilhelm, R., Parametric shape analysis via 3-valued logic. ACM TOPLAS 24, 3 (2002). Homepage for the TVLA system: http://www.math.tau.ac.il/~rumster/TVLA/

74 Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov

Download ppt "Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov."

Similar presentations

Chapter 22 Implementing lists: linked implementations.

Chapter 22 Implementing lists: linked implementations.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.

Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
© M. Winter COSC 4P41 – Functional Programming 10. 1 Testing vs Proving Testing –uses a set of “typical” examples, –symbolic testing, –may find errors,

© M. Winter COSC 4P41 – Functional Programming Testing vs Proving Testing –uses a set of “typical” examples, –symbolic testing, –may find errors,
Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.

Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.
1 Lecture 07 – Shape Analysis Eran Yahav. Previously  LFP computation and join-over-all-paths  Inter-procedural analysis  call-string approach  functional.

1 Lecture 07 – Shape Analysis Eran Yahav. Previously  LFP computation and join-over-all-paths  Inter-procedural analysis  call-string approach  functional.
1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.

1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.
Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)

Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)
Specialized Reference Counting Garbage Collection using Data Structure Annotations By Eric Watkins and Dzin Avots for CS 343 Spring 2002.

Specialized Reference Counting Garbage Collection using Data Structure Annotations By Eric Watkins and Dzin Avots for CS 343 Spring 2002.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.

1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.
Run time vs. Compile time

Run time vs. Compile time
Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.

Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4.
Finding the Weakest Characterization of Erroneous Inputs Dzintars Avots and Benjamin Livshits.

Finding the Weakest Characterization of Erroneous Inputs Dzintars Avots and Benjamin Livshits.
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Detecting Memory Errors using Compile Time Techniques Nurit Dor Mooly Sagiv Tel-Aviv University.

Detecting Memory Errors using Compile Time Techniques Nurit Dor Mooly Sagiv Tel-Aviv University.

Similar presentations

Ads by Google