Presentation is loading. Please wait.

Presentation is loading. Please wait.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

Published byNash Soloway Modified over 9 years ago

Similar presentations

Presentation on theme: "3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv."— Presentation transcript:

1 3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv

2 Motivation u Many dataflow problems can be solved using Monotone Frameworks u But Monotone Framework are hard to be used u Compiler-writer obligations –Define the lattice –Define the initial value  »Show that it is sound  ({s 0 })   –Define transfer functions of elementary statements f l »Show that these functions are monotone x  y  f l (x)  f l (y) »Show soundness  ({  [b] l  (s) | s  CS })  f l (  (CS)) »Find an efficient representation

3 A Different Solution u Write structural operational semantics in a special form u Automatically derive the Monotone Framework from the operational semantics  u Monotonicity and soundness is immediate  u Operational semantics need to be written in a special form  u Scarify the generality of Monotone Frameworks  u The derived solution is not necessarily the induced one but rather precise

4 Outline u 3-valued proposional logic u Parity Analysis in TVLA u The Shape Analysis Problem u 3-valued predicate logic May 19, 10-13 Scriber 309

5 3-Valued Kleene Logic u A logic with 3-values –0 -false –1 - true –1/2 - don’t know u Operators are conservatively interpreted –1/2 means either true or false 01 1/2 Logical order information order 0  1=1/2

6 Kleene Interpretation of Operators (logical-and)

7 Kleene Interpretation of Operators (logical-or)

8 Kleene Interpretation of Operators (logical-negation)

9 Kleene Interpretation of Operators (logical-implication)

10 3-valued logic program analysis u Choose a fixed set of proposional variables P per program P ={even[x] | x  Var} u Represent “concrete” states by a truth assignments from P to {0, 1} [even[x]  0, even[y]  1] u The meaning of every statement (SOS) is expressed using update formulae  x := y * z  = {even’[x] := even[y]  even[y], even’[y] := even[y], even’[z] := even[z] } u Use lattice L=(P  {0, 1/2, 1})  {  } u The transformer is obtained by evaluating the formula in 3-valued logic

11 Preconditions u The effect of some program conditions can be defined using a precondition formula if (x % 2 == 0 || y %2 != 0) even[x]   even[y] u These conditions are associated with control flow edges u For other program conditions no effect is given u If the formula is potentially satisfied  1 the statement is executed u May yield overly conservative results due to missing or naively interpreted conditions

12 Example Program while [x !=1] 1 do if [ (x %2) = 0] 2 then [x := x / 2;] 3 else [x := x * 3 + 1;] 4

13 The Focus Operation u It is sometimes possible to improve the precision by maintaining finer distinctions u If a formula evaluates to 1/2 replace the assignment by an equivalent set of assignments in which the formula evaluates to 1 or 0 u Formally, Focus[  ](A)=… u Always conservative u Can increase the space complexity

14 Example Focus Formulae u even[x] u Input Truth-Assignment [even[x]  1/2, even[y]  0] u Output Truth-Assignments

15 Example Program while [x !=1] 1 do if [ (x %2) = 0] 2 then [x := x / 2;] 3 else [x := x * 3 + 1;] 4

16 A TVLA Specification of Parity u There are two files per analyzed program –prgm.tvp -The specification of the control flow graph and the transfer functions –prgm.tvs - The specification of the value at the initial node u Propostions are specified in a file (pred.tvp) u Conditions are specified in a file (cond.tvp) u The meaning of statements is specified in a file (stat.tvp)

17 %s Var {x, t} #include "pred.tvp" % #include "cond.tvp" #include "stat.tvp" % /* while [x !=1]^1 do */ l_1 Uninterpreted_Cond() l_2 l_1 Uninterpreted_Cond() l_end /*if [ (x %2) = 0]^2 */ l_2 Is_Even(x) l_3 l_2 Is_Odd(x) l_4 /* then [x := x / 2;]^3 */ l_3 Divide_Even(x,x) l_5 l_5 Skip() l_1 /*else [x := x * 3 + 1;]^4 */ l_4 Multiply_Odd(t, x) l_41 l_41 Add_Odd(x, t) l_6 l_6 Skip() l_1

18 foreach (z in Var) { %p even[z]() {0, 1, 1/2} } pred.tvp

19 cond.tvp %action Uninterpreted_Cond() { %t "uninterpreted-Condition" } %action Is_Even(x1) { %t x1 + " %2 == 0" %f {even[x1]()} %p even[x1]() } %action Is_Odd(x1) { %t x1 + " %2 != 0" %f {!even[x1]()} %p !even[x1]() }

20 stat.tvp (part 1) %action Skip() { %t "Skip" } %action Set_Even(x1) { %t x1 + " = Even" { even[x1]() = 1 } %action Set_Odd(x1) { %t x1 + " = Odd" { even[x1]() = 0 }

21 stat.tvp (part 2) %action Add(x1, x2, x3) { %t x1 + " = " + x2 + " + " + x3 {even[x1]() = even[x2]() & even[x3]() | !even[x2]() & !even[x3]() } } %action Add_Even(x1, x2) { %t x1 + " = " + x2 + " + EVEN" {even[x1]() = even[x2]() } } %action Add_Odd(x1, x2) { %t x1 + " = " + x2 + " + ODD" {even[x1]() = !even[x2]() } }

22 stat.tvp (part 3) %action Multiply(x1, x2, x3) { %t x1 + " = " + x2 + " * " + x3 {even[x1]() = even[x2]() | even[x3]() } } %action Multiply_Even(x1, x2) { %t x1 + " = " + x2 + " * EVEN" {even[x1]() = 1} } %action Multiply_Odd(x1, x2) { %t x1 + " = " + x2 + " * Odd" { even[x1]() = even[x2]() }

23 stat.tvp (part 4) %action Divide(x1, x2, x3) { %t x1 + " = " + x2 + " / " + x3 {even[x1]() = 1/2 } } %action Divide_Even(x1, x2) { %t x1 + " = " + x2 + " / EVEN" {even[x1]() = 1/2 } } %action Divide_Odd(x1, x2) { %t x1 + " = " + x2 + " / ODD" {even[x1]() = 1/2} }

24 %s Var {x, t} #include "pred.tvp" % #include "cond.tvp" #include "stat.tvp" % /* while [x !=1]^1 do */ l_1 Uninterpreted_Cond() l_2 l_1 Uninterpreted_Cond() l_end /*if [ (x %2) = 0]^2 */ l_2 Is_Even(x) l_3 l_2 Is_Odd(x) l_4 /* then [x := x / 2;]^3 */ l_3 Divide_Even(x,x) l_5 l_5 Skip() l_1 /*else [x := x * 3 + 1;]^4 */ l_4 Multiply_Odd(t, x) l_41 l_41 Add_Odd(x, t) l_6 l_6 Skip() l_1

25 prgm.tvs %n = {} %p = { even[x] = 1/2 even[t] = 1/2 }

26 Command Prompt tvla prgm prgm -d -action fpu

27 Shape Analysis u Determine the possible shapes of a dynamically allocated data structure at given program point u Relevant questions: –Does a variable point to an acyclic list? –Does a variable point to a doubly-linked list? –Does a variable point p to an allocated element every time p is dereferenced? –Can a procedure create a memory-leak

28 Dereference of NULL pointers typedef struct element { int value; struct element *next; } Elements bool search(int value, Elements *c) { Elements *elem; for ( elem = c; c != NULL;elem = elem->next;) if (elem->val == value) return TRUE; return FALSE NULL dereference

29 Memory leakage Elements* reverse(Elements *c) { Elements *h,*g; h = NULL; while (c!= NULL) { g = c->next; h = c; c->next = h; c = g; } return h; leakage of address pointed-by h

30 The SWhile Programming Language Abstract Syntax a := x | x.sel | null | n | a 1 op a a 2 b := true | false | not b | b 1 op b b 2 | a 1 op r a 2 S := [x := a] l | [x.sel := a] l | [x := malloc()] l | [skip] l | S 1 ; S 2 | if [b] l then S 1 else S 2 | while [b] l do S sel:= car | cdr

31 Dereference of NULL pointers [elem := c;] 1 [found := false;] 2 while ([c != null] 3 && [!found] 4 ) ( if ([elem->car= value] 5 ) then [found := true] 6 else [elem = elem->cdr] 7 ) NULL dereference

Download ppt "3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv."

Similar presentations

Pointers.

Pointers.
Abstract Interpretation Part II

Abstract Interpretation Part II
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.

Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.
Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.

Some Properties of SSA Mooly Sagiv. Outline Why is it called Static Single Assignment form What does it buy us? How much does it cost us? Open questions.
1 Compiler Construction Intermediate Code Generation.

1 Compiler Construction Intermediate Code Generation.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Functional Programming. Pure Functional Programming Computation is largely performed by applying functions to values. The value of an expression depends.

Functional Programming. Pure Functional Programming Computation is largely performed by applying functions to values. The value of an expression depends.
Chapter 3 Functional Programming. Outline Introduction to functional programming Scheme: an untyped functional programming language.

Chapter 3 Functional Programming. Outline Introduction to functional programming Scheme: an untyped functional programming language.
Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.

Lecture 02 – Structural Operational Semantics (SOS) Eran Yahav 1.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
3-Valued Logic Analyzer (TVP) Part II Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Part II Tal Lev-Ami and Mooly Sagiv.
1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.

1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc08.html.

Program analysis Mooly Sagiv html://
1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3

1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
X := 11; if (x == 11) { DoSomething(); } else { DoSomethingElse(); x := x + 1; } y := x; // value of y? Phase ordering problem Optimizations can interact.

X := 11; if (x == 11) { DoSomething(); } else { DoSomethingElse(); x := x + 1; } y := x; // value of y? Phase ordering problem Optimizations can interact.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://

Similar presentations

Ads by Google