Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino UC BerkeleyMicrosoft Research November 11, 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino UC BerkeleyMicrosoft Research November 11, 2004."— Presentation transcript:

1 Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino UC BerkeleyMicrosoft Research November 11, 2004 OSQ Meeting

2 2 11/12/2004 Standard Abstract Interpretation y := 8; x := 0; while (*) { y := y + x; x++; } y ¸ 8 Can do this inference with the polyhedra abstract domain [CH79]

3 3 11/12/2004 Standard Abstract Interpretation this.y := 8; this.x := 0; while (*) { this.y := this.y + this.x; this.x++; } this.y ¸ 8? Goal: Given a base domain that can infer certain kind of predicates on variables, use it to infer predicates on fields

4 4 11/12/2004 Achieving the Goal 1.Handling Alien Expressions / Uninterpreted Functions 2.Handling Heap Updates

5 5 11/12/2004 Abstract Domains interface AbstractDomain { type Elt Constrain : Elt £ Expr ! Elt Eliminate : Elt £ Var ! Elt Rename : Elt £ Var £ Var ! Elt ToPredicate : Elt ! Expr Join : Elt £ Elt ! Elt AtMost : Elt £ Elt ! bool }

6 6 11/12/2004 Fooling the Base Domains Congruence-Closure Domain / “Name Service” Polyhedra Constrain( sel(H,o,f) ¸ 8 ) assume o.f ¸ 8 Constrain(  ¸ 8 ) sel(H,o,f)   Base Domains SymbolicValue

7 7 11/12/2004 Understandable to the Base Domain ¸ + sel Hof ² | 2 ¢ x + sel(H,o,f) · |y - z| 2xyz Understands : FunSymbol £ Expr[] ! bool

8 8 11/12/2004 Understandable to the Base Domain ¸ + sel Hof ² | 2 ¢ x + sel(H,o,f) · |y - z| 2xyz Understands : FunSymbol £ Expr[] ! bool Yes No

9 9 11/12/2004 Understandable to the Base Domain ¸ +  ² | 2 ¢ x +  · |y - z| 2xyz Understands : FunSymbol £ Expr[] ! bool No No

10 10 11/12/2004 Understandable to the Base Domain ¸ +  ²  2 ¢ x +  ·  2xyz Understands : FunSymbol £ Expr[] ! bool No Yes   = y - z

11 11 11/12/2004 Congruence-Closure Domain Could always choose new names, but … –Should use the same name for syntactically equivalent expressions –Even Better: same name for known equalities Tracks equalities of uninterpreted functions –an E-Graph with abstract domain operations –symbolic values “name” equivalence classes of expressions –implements congruence closure

12 12 11/12/2004 E-Graph w = f(x) Æ g(x,y) = f(y) Æ w = h(w) A set of mappings: w   x   f(  )   y   g( ,  )   f(  )   h(  )   Always congruence-closed    w xy g h  ff

13 13 11/12/2004 Join Join the e-graphs, then join the base domains Think of the lattice over conjunctions of equalities (including infinite ones) Let G = Join(G 0,G 1 ) x  G h  ’,  ’ i if x  G 0  ’ and x  G 1  ’ f( h ,  i )  G h  ’,  ’ i if f(  )  G 0  ’ and f(  )  G 1  ’ Rename distinct pairs to fresh symbolic values

14 14 11/12/2004 Join Complexity: O(n ¢ m) Complete? As precise as possible? –No, e-graphs do not form a lattice! x = y t g(x) = g(y) Æ x = f(x) Æ y = f(y) = Æ i : i ¸ 0 g(f i (x)) = g(f i (y)) –Only relatively complete [Gulwani et al.] Tell base domains about renaming h ,  i à  Constrain B 0 (  =  ), Constrain B 1 (  =  )

15 15 11/12/2004 So Far We Have … Reasoning for uninterpreted functions Base domains that work with alien expressions transparently What we need for field reads –sel is alien to all base domains

16 16 11/12/2004 Achieving the Goal 1.Handling Alien Expressions / Uninterpreted Functions 2.Handling Heap Updates

17 17 11/12/2004 Heap Updates Java/C#if (p.g == 8) { o.f = x; } Abstractassume H[p,g] == 8; InterpreterH := upd(H,o,f,x); sel(upd(H,o,f,e),o’,f’) = e if o = o’ and f = f’ sel(upd(H,o,f,e),o’,f’) = sel(H,o’,f’) if o  o’ or f  f’

18 18 11/12/2004 Heap Updates Java/C#if (p.g == 8) { o.f = x; } Abstractassume H[p,g] == 8; InterpreterH := H’ where H’ ´ o,f H and sel(H’,o,f) = x

19 19 11/12/2004 Heap Updates Abstractassume H[p,g] == 8; InterpreterH := H’ where H’ ´ o,f H and sel(H’,o,f) = x AbstractConstrain( sel(H,p,g) = 8 ) DomainConstrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate() Tracked by a new base domain: Heap Succession

20 20 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H,p,g)   8   sel(H’,o,f)   x   H  Hp  p H’  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate()

21 21 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H,p,g)   8   sel(H’,o,f)   x   H  Hp  p H’  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate()

22 22 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H,p,g)   8   sel(H’,o,f)   x   H  Hp  p H  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate()

23 23 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H,p,g)   8   sel(H’,o,f)   x   H  Hp  p H  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate() 1.“Collect Garbage” (H) EquivalentExpr : Queryable £ Expr £ Var ! Expr Can you give me an equivalent expression without H?

24 24 11/12/2004 Heap Update Example Heap Succession H’ ´ o,f H E-Graph sel(H’,p,g)   8   sel(H’,o,f)   x   H  Hp  p H  H’ g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( H’ ´ o,f H ) Constrain( sel(H’,o,f) = x ) Eliminate( H ) Rename( H’, H ) ToPredicate() 1.“Collect Garbage” (H) EquivalentExpr : Queryable £ Expr £ Var ! Expr option Eliminate(H) on Base 2.ToPredicate() on Base and Convert Expr for Client 3.Add Equalities Yes, use H’

25 25 11/12/2004 Related Work Join for Uninterpreted Functions [Gulwani, Tiwari, Necula] Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …]

26 26 11/12/2004 Conclusion Extended the power of abstract domains to work with alien expressions using the congruence-closure domain Added reasoning about heap updates with the heap succession domain Close to having “cooperating abstract interpreters”? –missing propagating back equalities inferred by base domains

27 Thank you! Questions? Comments?

Download ppt "Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino UC BerkeleyMicrosoft Research November 11, 2004."

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.

Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.
Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
TVLA for System Code Jörg KreikerHelmut SeidlVesal Vojdani TU Munich Dagstuhl, July 2009.

TVLA for System Code Jörg KreikerHelmut SeidlVesal Vojdani TU Munich Dagstuhl, July 2009.
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
1 Programming Languages (CS 550) Mini Language Interpreter Jeremy R. Johnson.

1 Programming Languages (CS 550) Mini Language Interpreter Jeremy R. Johnson.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Domain: 1) f(0) = 8 2) f(3) = 3) g(-2) = -2 4) g(2) = 0 5) f(g(0)) = f(2) =0 6) f(g(-2)) = f(-2) =undefined 7) f(g(2)) = f(0) =8 8) f(g(-1)) = f(1) =3.

Domain: 1) f(0) = 8 2) f(3) = 3) g(-2) = -2 4) g(2) = 0 5) f(g(0)) = f(2) =0 6) f(g(-2)) = f(-2) =undefined 7) f(g(2)) = f(0) =8 8) f(g(-1)) = f(1) =3.
Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research.

Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research.
Program Representations. Representing programs Goals.

Program Representations. Representing programs Goals.
F22H1 Logic and Proof Week 7 Clausal Form and Resolution.

F22H1 Logic and Proof Week 7 Clausal Form and Resolution.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Type-Based Verification of Assembly Language for Compiler Debugging Bor-Yuh Evan ChangAdam Chlipala George C. NeculaRobert R. Schneck University of California,

Type-Based Verification of Assembly Language for Compiler Debugging Bor-Yuh Evan ChangAdam Chlipala George C. NeculaRobert R. Schneck University of California,
Inferring Object Invariants Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 21, 2005 AIOOL 2005 Paris,

Inferring Object Invariants Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 21, 2005 AIOOL 2005 Paris,
Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.

Discovering Affine Equalities Using Random Interpretation Sumit Gulwani George Necula EECS Department University of California, Berkeley.
Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking Unified Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Similar presentations

Ads by Google