1. Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists Pranav Garg 1, P. Madhusudan 1 and Gennaro Parlato 2 1 University of Illinois at Urbana-Champaign 2 University of Southampton, UK

2. Automatic Shapes  Static analysis of heap structures - heaps with a single pointer field  Properties: Universally Quantified properties over heap + data  Introduce Automatic Shapes - abstract domain of automata Automata are classical ways to capture infinite sets of objects using finite means. Aim: - Represent properties of the data stored in the heap. - Build automata that can express universally quantified properties 2

3. Universally Quantified Properties on Lists 3 5 789 head 4 291 2 1 less 4 9 more  fold-split(key) splits input list into two lists.  List pointed to by head is sorted Abstract analysis of heap is hard - unbounded size of the heap - unbounded data stored in the heap

4. Heap Configurations and Skinny Trees  Restrict to heaps with a single pointer field (acyclic).  Let P: the program’s pointer variables - Heap configuration skinny trees labeled by P  k- skinny tree has at most k- branching points.  Heap configurations are k- skinny trees (k = number of pointer vars.) 4 197 5 head 1 2 6 3 4 head 2 $ nil 4 1 head 3 8

5. Quantified Data Automata  Extends Quantified Data Automata over lists [CAV’13]  QDAs logically define universally quantified properties of lists Example : 5

6. Quantified Data Automata Fix P – program pointer variables Fix Y – set of quantified variables Fix F – data domain which forms a lattice  QDA over skinny trees: - reads a tree annotated with pointers P and Y - checks whether data stored at these positions satisfy a data property  QDA accepts a tree T with pointers P if it accepts all possible extensions of T with valuations for Y. 6 head y1y1 y2y2 data(y 1 ) <= data(y 2 )

7. Valuation Trees  Valuation tree = Skinny tree over P + valuation for Y 7 Skinny Tree Valuation Trees Universal Quantification QDA accepts a skinny tree iff it accepts ALL corresponding valuation trees. 197 5 head 1 2 6 3 4 head 2 $ nil 197 5 head 1 2 6 3 4 head 2 $ nil y1y1 y2y2 197 5 head 1 2 6 3 4 head 2 $ nil y1y1 y2y2

8. Quantified Data Automata  Bottom-up, deterministic, register automata over trees - each state labeled with a data formula f  For a valuation tree, QDA reads ptr. and univ. vars. and stores the data values in the register reg.  At the final state, QDA checks if these data values satisfy the formula labeling the state. - reg satisfies f(q) Accepts the valuation tree - reg does not satisfy f(q) Rejects the valuation tree 8 197 5 head 1 2 6 3 4 head 2 $ nil y1y1 y2y2 197 5 head 1 2 6 3 4 head 2 $ nil y1y1 y2y2 head 1  5 head 2  3 y 1  4 y 2  7 nil  $ reg: f(q) = data(y 1 ) < data(y 2 )

9.  QSDAs capture sets of heap skinny trees of the logical form: Meaning: For a given valuations of universal variables y’s, whenever Guard i (p,y) is true QSDA reads p, y to reach (q, reg) then Data i (data(p), data(y)) is true reg satisfies f(q) = Data i - This property should be true for all valuations of y’s 9 Quantified Data Automata

10.  Formula Tree = (Valuation Tree \ data) paired with a data formula - complete separation of the structure of the heap and its data Define L f (A) = Language of formula trees accepted by A 10 Formula Tree, data(y 1 ) < data(y 2 ) head 1 head 2 nil y1y1 y2y2

11. 11 QDAs as a Partial Order  Natural Partial Order -- set inclusion over the language of QDAs - not closed under disjunctions Alternate partial order:  if such that and - Least upper bound associates every tree to - Infinite sets of QDAs might not have a least upper bound. Hence do not form a complete lattice.

12. 12 Elastic QDAs  Require a notion of widening for analysis of loops - Ignore lengths of stretches of the heap not pointed by variables.  QDA: head nil y1y1 head nil y1y1 -Restriction: All transitions on blank symbols must be self-loops head y1y1 y1y1 Elastic QDA:

13. 13 Theorems about EQDAs 1. Number of states in a minimal EQDA is bounded - Finite number of EQDAs modulo the data formulas - widening proc. for EQDAs given widening for data formulas. 2. For every QDA, there is a most-precise over-approximating EQDA (in terms of their accepting languages)  elastification EQDAs form a complete lattice  abstract domain 3. EQDAs correspond to decidable STRAND logic [POPL’11] over lists. - Abstract interpretation using EQDAs can be used for checking STRAND assertions.

14. 14 Abstract transformer over EQDAs  Strongest post condition involves existential quantification of the pre-state + constraining post-state acc. to the semantics of the stmt. Example: strongest-post( ) =  These precise post-conditions are not expressible by QDAs.  Over-approximate the post-condition to: - eliminate existential quantifier via quantifier elimination for the structure (Guard) using automata, and data-formulas (Data) separately. /\ Guard => Data

15. 15 Abstract transformer over EQDAs Pointer Assignment statement p i := p j Similar abstract transformer for structure manipulating statements: Pointer Lookup p i := p j.next Pointer Mutate p i.next := p j Allocate new p i … pipi pjpj p i := p j pipi pjpj b, p i p i := p j

16. 16 Abstract transformer over EQDAs Data Assignment statement p i.data := data_exp Slightly more involved: - Also account for all variables which point to the same node as p i pipi p i.data := data_exp pipi

17. 17 Abstract transformer over EQDAs  A’ might not be elastic.  Use the most-precise over-approximation result to get an EQDA. - defines the actual abstract transformer over EQDAs  Fix-point computation of the abstract semantics terminates - widening for the data domain stmt elastification EQDA QDA

18. 18 Experiments  Simple programming language consisting of heap allocation, pointer assignment, pointer lookup, pointer mutate, …  Given a STRAND formula as pre-condition, construct the corresponding EQDA.  Compute the abstract semantics of the program over EQDAs using the abstract transformer.  Fix-point EQDAs are translated to decidable STRAND formulas over lists to verify program assertions, post-conditions. - Instantiate data-formulas with the octagonal domain (using Apron). - Prototype implementation available at http://web.engr.illinois.edu/~garg11/qsdas.html

19. 19 Experiments Programs#PV#Y#DVProperty#Iter.Max. size of QSDATime (s) INIT211Init, List4190.0 MAX211Max, List4190.1 CLONE411Init, List4440.7 FOLD-CLONE511Init, List5573.2 COPY-GE5410Gek, List9532.6 FOLD-SPLIT311Gek, List4330.3 CONCAT411Init, List5440.7 SORTED-FIND222Sort, List5380.3 SORTED-INSERT421Sort, List61635.8 BUBBLE-SORT421Sort, List5/1819142.8 SORTED-REVERSE320Sort, List5431.5 EXPRESSOS-LOOKUP-PREV321Sort, List6732.2 GSLIST-CUSTOM-FIND311Gek, List4290.1 GSLIST-REMOVE-ALL511Gek, List5510.6 GSLIST-INSERT-SORTED521Sort, List627927.4

20. Related Work (Shape Analysis)  Merges nodes that satisfy the same predicates - unary + instrumentation predicates  Instrumentation predicates provided by the user - often complex, - very particular to the program being verified 20 Example: sub-list before pointer i is sorted, that is - instrumentation predicate required Clearly, - s(x) too dependent on the property being verified - complex (writing binary property as a unary predicate)

21. Conclusion  Automatic Shapes – an abstract domain of automata - can express universally quantified properties of lists - can prove these properties precisely and efficiently Future Work  Extensions to trees to capture universally quantified properties like binary-search-tree, max-heap, …  Extensions to general graphs using graph automatons. 21 Thank You !