1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard.

1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard Wilhelm, Universität des Saarlandes

2 Interprocedural Analysis, so far Abstract domains (Powerset of) fixed set of program entities and entities from underlying domain Domains: –P(Aexp * ) Available expressions –P(Var *  Lab * ) Reaching Definitions –Var *  Val Constant Propagation –Var *  Int Interval Analysis

3 Interprocedural Analysis Dynamically created procedure incarnations Domain P(Lab *  (Var *  …)) –Call strings – strings of labels of call sites –Sufficient to represent recursion because of nested lifetimes, a call string corresponds to an actual stack –in general of unbounded length  non-computable fixed point –approximated by fixed length, k

4 Dynamically Created “Objects” How to represent dynamically created –heap cells, created by calls to malloc x=malloc();… x=malloc();… x=malloc(); –objects, created by constructors of classes x=new C;… x=new C;… x=new C; –threads, created by thread constructors In general, –unbounded sets –non-nested lifetimes –anonymous

5 Anonymous Objects (contd.) Concrete domains: relations reflecting accessibility, –Stack for program variables –Heap for anonymous, dynamically created objects –pointer variables point from Stack into Heap –Heap consists of a set of functions modelling references/pointer components Abstract domains: How to deal with unboundedness? How to analyze programs without bounds on number of objects?

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; Reverses lists of arbitrary length Invariant: x points to head of non-reversed suffix, y to head of already reversed prefix or NULL (start)

7 Questions Posed to the Analysis Can x be dereferenced while having value NULL in some execution state? Can an object leak out of the program’s execution? Can an object be freed while being shared?

8 Freeing a Shared Object a = malloc(…) ; b = a; free (a); c = malloc (…); if (b == c) printf(“unexpected equality”);

9 Dereferencing a NULL pointer typedef struct element { int value; struct element *next; } Elements bool search(int value, Elements *c) { Elements *elem; for (elem = c; c != NULL; elem = elem->next;) if (elem->val == value) return TRUE; return FALSE

10 Dereferencing a NULL pointer typedef struct element { int value; struct element *next; } Elements bool search(int value, Elements *c) { Elements *elem; for (elem = c; c != NULL; elem = elem->next;) if (elem->val == value) return TRUE; return FALSE potential null de-reference

11 Memory Leakage Elements* strange(Elements *x) { Elements *y,*g; y = NULL; while (x!= NULL) { g = x->next; y = x; x->next = y; x = g; } return y; typedef struct element { int value; struct element *next; } Elements

12 Memory Leakage Elements* strange (Elements *x) { Elements *y,*g; y = NULL; while (x!= NULL) { g = x->next; y = x; x->next = y; x = g; } return y; leakage of list elements typedef struct element { int value; struct element *next; } Elements

13 class Make { private Worklist worklist; public static void main (String[] args) { Make m = new Make(); m.initializeWorklist(args); m.processWorklist(); } void initializeWorklist(String[] args) {...; worklist = new Worklist();... // add some items to worklist} void processWorklist() { Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item); } } void processItem(Object i){...; doSubproblem(...);} void doSubproblem(...) {... worklist.addItem(newitem);... } } public class Worklist { Set s; public Worklist() {...; s = new HashSet();... } public void addItem(Object item) { s.add(item); } public Set unprocessedItems() { return s; } } return rev; }

14 Example: In-Situ List Reversal Concrete execution on a list of length 3

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt

30 Original Problem: Shape Analysis Characterize dynamically allocated data structures –x points to an acyclic list, cyclic list, tree, dag, etc. –data-structure invariants Identify may-alias relationships Establish “disjointedness” properties –x and y point to data structures that do not share cells

31 Properties of reverse(x) On entry: x points to an acyclic list On exit: y points to an acyclic list On exit: x = = NULL Invariant: At the start of while loop, x points to head of non-reversed suffix, y to head of already reversed prefix or NULL (start) (they are disjoint acyclic lists) All the pointer dereferences are safe No memory leaks

32 Example: In-Situ List Reversal Abstract execution

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt could be - the empty list - a non-empty list

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL Materialization assuming that is not the empty list

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt could be - the empty list - a non-empty list

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL assuming that stood for the empty list

60 Why is Shape Analysis Difficult? Destructive updating through pointers –p  next = q –Produces complicated aliasing relationships Dynamic storage allocation –No bound on the size of run-time data structures –No syntactic names for locations Data-structure invariants typically only hold at the beginning and end of operations –Need to verify that data-structure invariants are re- established

61 Main Ingredients: Abstract Domain A new abstract domain for static analysis Represents dynamically allocated memory Based on predicate logic Execution states in concrete semantics coded as interpretations of sets of predicates over a 2-valued domain (1  true, 0  false) – unary predicate x for pointer variable x – x(l) if x points to l –binary predicate next for selector next – next (l 1, l 2 ) if next selector of l 1 points to l 2

62 Predicates (for reverse)

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt Coding: t(l 2 )=1, y(l 3 )=1, n(l 2,l 1 )=1, predicates with value 0 not listed l1l1 l2l2 l3l3

64 Main Ingredients: Semantics of Statements Predicate-Update Formulae for a statement Describe how the interpretation of predicates changes by executing the statement –x = y changes the interpretation of x to that of y –x -> next = y changes the interpretation of next such that n(l 1,l 2 )=1 for some l, l 1, l 2 with x(l) = 1, n(l, l 1 )=1, and y(l 2 )=1

65 Main Ingredients: Analysis Abstract interpretation by evaluation over 3-valued domain (1, 0, ½  don’t know) Kleene’s interpretation of predicate logic A system TVLA –Input: Operational semantics Input Program –Output: the result of the analysis

Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt l3l3 l1l1 l2l2 x(l 3 )=1, t(l 2 )=1, y(l 3 )=1, n(l 2, l 1 )=1, n(l 1,…) = ? n(l 3,…) = ? n(l 1,…) = 1/2 n(l 3,…) = 1/2

67 Formalizing “... ” Informal: x Formal: x Summary node

68 Plan Motivation SWhile An SOS for SWhile An SOS for SWhile using predicate calculus Simple Abstract interpretation using 3-valued logics More precise abstract interpretation+ TVLA (next meeting)

70 Dereferencing NULL pointers elem := c; found := false; while (c != null && !found) ( if (elem->car= value) then found := true else elem = elem->cdr )

71 Structural Operational Semantics The program state consists of: –current allocated objects –a mapping from variables into atoms, objects, and null –a car mapping from objects into atoms, objects, and null –a cdr mapping from objects into atoms, objects, and null malloc() allocates more objects assignments update the state

72 Structural Operational Semantics The program state S= : –current allocated objects O –atoms (integers, Booleans) A –env: Var *  A  O  {null} –car: A  A  O  {null} –cdr: A  A  O  {null} {l 1, l 2, l 3 }, [x  l 1,y  null], [l 1  1, l 2  2, l 3  3], [l 1  l 2, l 2  l 3, l 3  null] null 123 x y l1l1 l2l2 l3l3

73 The meaning of expressions A  a  : S  A  O  {null} A  at  (s) = at A  x  ( ) = env(x) A  x.cdr  ( ) = cdr(env(x)) env(x)  O undefinedotherwise A  x.car  ( ) = car(env(x)) env(x)  O undefinedotherwise

74 Structural Semantics for SWhile axioms [ass v sos ]  (O, e[x  A  a  s], car, cdr) [ass car sos ]  (O, e, car[e(x)  A  a  s], cdr) where env(x)  O [ass cdr sos ]  (O, e, car,cdr[e(x)  A  a  s]) where env(x)  O [skip sos ]  s [ass m sos ]  (O  {n}, e[x  n], car, cdr) where n  O

75 Structural Semantics for SWhile (rules) [comp 1 sos ]   [comp 2 sos ]  s’  [if tt sos ]  if B  b  s=tt [if ff sos ]  if B  b  s=ff

76 Summary The SOS is natural Can handle: –errors, e.g., null dereferences –free –garbage collection But does not lead to an analysis –The set of potential objects is unbounded Solution: –Semantics coded as interpretation of a set of predicates –Reinterpreted over a Three-Valued domain with Kleene’s interpretation

77 Predicate Logic Vocabulary –A finite set of predicate symbols P each with a fixed arity –A finite set of function symbols Logical Structures S provide meaning for predicates –A set of individuals (nodes) U –P S : U S  {0, 1} First-Order Formulas over  express logical structure properties

78 P = {x 1, y 1, car 2, cdr 2 } U S ={l 1, l 2, l 3 } x S =[l 1  1, l 2  0, l 3  0]y S =[l 1  0, l 2  0, l 3  0}, car S =[  0,  0,  0,  0,  0,  0,  0,  0,  0 ] null 123 x y l1l1 l2l2 l3l3 {l 1, l 2, l 3 }, [x  l 1,y  null], [l 1  1, l 2  2, l 3  3], [l 1  l2, l 2  l3, l 3  null] cdr S =[  0,  1,  0,  0,  0,  1,  0,  0,  0 ]

79 Formal Semantics of First Order Formulae For a structure S= Formulae  with LVar free variables Assignment z: LVar  U S    S (z): {0, 1}  1  S ( z)=1  0  S ( z)=1  v 1 =v 2  S (z) = 1 z(v 1 ) = z(v 2 ) 0 z(v 1 )  z(v 2 )  p (v 1, v 2, …, v k )  S (z)=p S (z(v 1 ), z(v 2 ), …, z(v k ))

80 Formal Semantics of First Order Formulae For a structure S= Formulae  with LVar free variables Assignment z: LVar  U S    S (z): {0, 1}   1   2  S (z)=max (   1  S (z),   2  S (z))   1   2  S (z)=min (   1  S (z),   2  S (z))   1  S (z)=1-   1  S (z)   v:  1  S (z)=max {   1  S (z[v  u]) : u  U S }

81 Using Predicate Logic to describe states in SOS U=O For a pointer variable x define a unary predicate –x(u )=1 when env(x)=u and u is an object Two binary predicates: –car(u 1, u 2 ) = 1 when car(u 1 )=u 2 and u 2 is object –cdr(u 1, u 2 ) = 1 when cdr(u 1 )=u 2 and u 2 is object

82 SOS (Using Predicate Logic) First-order structures (= predicate tables) –hold recorded information Formulae –means for observing information Predicate-update formulae –operational semantics –update recorded information

83 Recorded Information (for reverse)

84 Recorded Information (for reverse) u1u1 u2u2 u3u3 u4u4 x y

85 Formulae for Observing Properties Are x and y pointer aliases?  v: x(v)  y(v) Does x point to a cell with a self cycle?  v : x(v)  n(v,v)

86 x y u1u1 u2u2 u3u3 u4u4 Are x and y Pointer Aliases?  v: x(v)  y(v) x y u1u1  Yes

87 x ’ (v) = x(v) y ’ (v) = 0 t ’ (v) = t(v) n ’ (v1,v2) = n(v1,v2) Predicate-Update Formulae for ‘y = NULL’

88 x y u1u1 u2u2 u3u3 u4u4 Predicate-Update Formulae for ‘y = NULL’ y ’ (v) = 0 

89 Predicate-Update Formulae for ‘y = x’ x ’ (v) = x(v) y ’ (v) = x(v) t ’ (v) = t(v) n ’ (v1,v2) = n(v1,v2)

90 x u1u1 u2u2 u3u3 u4u4 Predicate-Update Formulae for ‘y = x’ y ’ (v) = x(v) y 

91 Predicate-Update Formulae for ‘x = x  n’ x ’ (v) =  v1: x(v1)  n(v1,v) y ’ (v) = y(v) t ’ (v) = t(v) n ’ (v1, v2) = n(v1, v2)

92 x u1u1 u2u2 u3u3 u4u4 Predicate-Update Formulae for ‘x = x  n’ y x ’ (v) =  v1: x(v1)  n(v1,v)   x

93 Predicate-Update Formulae for ‘y  n = t’ x ’ (v) = x(v) y ’ (v) = y(v) t ’ (v) = t(v) n ’ (v1,v2) =  y(v1)  n(v1,v2)  y(v1)  t(v2)

94 Two- vs. Three-Valued Logic 01 Two-valued logic {0,1} {0}{1} Three-valued logic {0}  {0,1} {1}  {0,1}

95 Two- vs. Three-Valued Logic Two-valued logicThree-valued logic

96 Two- vs. Three-Valued Logic Three-valued logic 0 1 Two-valued logic {1} {0,1} {0} 1 ½ 0

97 1: True 0: False 1/2: Unknown A join semi-lattice: 0  1 = 1/2 Three-Valued Logic   1/2 Information order

98 Boolean Connectives [Kleene]

99 The Abstraction Principle Partition the individuals into equivalence classes based on the values of their unary predicates Collapse other predicates via 

100 The Abstraction Principle u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234        

101 What Stores Does a 3-Valued Structure Represent? Example 3-valued structure –individuals: {u 1 } –predicates: graphical presentation concrete stores represented x u1u1 33 x 88 x 37 x

102 Example 3-valued structure graphical presentation concrete stores What Stores Does a 3-Valued Structure Represent? u1u1 u x u1u1 u x  x 31 7191

103 Example 3-valued structure graphical presentation concrete stores u1u1 u x u1u1 u x  x 31 7191 What Stores Does a 3-Valued Structure Represent?

104 Property-Extraction Principle Questions about store properties can be answered conservatively by evaluating formulae in three-valued logic Formula evaluates to 1  formula always holds in every store Formula evaluates to 0  formula never holds in any store Formula evaluates to 1/2  don’t know  

105 The Embedding Theorem If a big structure B can be embedded in a structure S via a surjective (onto) function f such that basic predicates are preserved, i.e., p B (u 1,.., u k )  p S (f(u 1 ),..., f(u k )) Then, every formula  is preserved –  = 1 in S   = 1 in B –  =0 in S   =0 in B –  = 1/2 in S  don’t know

106 Are x and y Pointer Aliases? u1u1 u x y  v: x(v)  y(v)    Yes 1

107 Is Cell u Heap-Shared?  v1,v2: n(v1,u)  n(v2,u)  v1  v2 u Yes 1  1 1 1 

108 Maybe Is Cell u Heap-Shared?  v1,v2: n(v1,u)  n(v2,u)  v1  v2 u1u1 u x y 1/2   1

109 The Instrumentation Principle Increase precision by storing the truth- value of some designated formulae Introduce predicate-update formulae to update the extra predicates

110 is = 0 Example: Heap Sharing  x 31 7191 is(v) =  v1,v2: n(v1,v)  n(v2,v)  v1  v2 u1u1 u x u1u1 u x is = 0 is = 1 is = 1/2

111 is = 0 Example: Heap Sharing  x 31 7191 is(v) =  v1,v2: n(v1,v)  n(v2,v)  v1  v2 u1u1 u x u1u1 u x is = 0

112 is = 0 Example: Heap Sharing  x 31 7191 is(v) =  v1,v2: n(v1,v)  n(v2,v)  v1  v2 u1u1 u x u1u1 u x is = 0 is = 1

113 Is Cell u Heap-Shared?  v1,v2: n(v1,u)  n(v2,u)  v1  v2 u1u1 u x y  1/2   1 is = 0 No!

114 Example2: Sortedness inOrder(v) =  v1: n(v,v1)  dle(v, v1) u1u1 u x u1u1 u x inOrder = 1 n n  x 51 7191 inOrder = 1 n n n        

115 inOrder = 1 Example2: Sortedness  x 51 4591 inOrder(v) =  v1: n(v,v1)  dle(v, v1) u xx inOrder = 0inOrder = 1 n n n n n inOrder = 0          n  

116 Shape Analysis via Abstract Interpretation Iteratively compute a set of 3-valued structures for every program point Every statement transforms structures according to the predicate-update formulae –use 3-valued logic instead of 2-valued logic –use exactly the predicate-update formulae of the concrete semantics!!

117 Predicate-Update Formulae for “y = x” y ’ (v) = x(v) Old: u1u1 u x y New: u1u1 u x 

118 Predicate-Update Formulae for “x = x  n” x ’ (v) =  v1: x(v1)  n(v1,v) y Old: u1u1 u x y New: u1u1 u x  

119 Summary Predicate logics allows naturally expressing SOS for languages with pointers and dynamically allocated structures 3-valued logic provides a sound solution More precise solution+TVLA (next meeting)

1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard.

Similar presentations

Presentation on theme: "1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard.

Similar presentations

Presentation on theme: "1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard."— Presentation transcript:

Similar presentations

About project

Feedback