Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research.

Published byJennifer Eastwood Modified over 9 years ago

Similar presentations

Presentation on theme: "Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research."— Presentation transcript:

1 Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 18, 2005 VMCAI 2005 Paris, France

2 2 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Verifying Object-Oriented Programs OO Program Verifier Inference… Java /C#   Abstract Interpretation

3 3 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Problem and Motivation Standard abstract interpretation infer properties following a domain specific- schema of relations among (program) variables –e.g., can infer this with Polyhedra [CH78] 0 · x · y z := 2 ¢ y – 2 ¢ x; 0 · z

4 4 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Problem and Motivation But … this.x 0 · this.x · y this.x z := 2 ¢ y – 2 ¢ this.x; 0 · z? length(x) 0 · length(x) · y length(x) z := 2 ¢ y – 2 ¢ length(x); 0 · z? this.xo  this 0 · this.x · y Æ o  this o.x := o.x := 2 ¢ y this.x z := 2 ¢ y – 2 ¢ this.x; 0 · z? alien expression to Polyhedra

5 5 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Goal Given a base abstract domain that can represent certain kind of constraints on variables, use it to represent constraints on arbitrary alien expressions (e.g., fields of objects)

6 6 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Outline Overview Handling Alien Expressions Handling Heap Updates Concluding Remarks

7 7 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Overview of Contributions To extend base domains to work with alien expressions –use a general abstract domain parameterized by base domains that hide alien expressions as fresh variables (cf. Nelson-Oppen) –congruence-closure abstract domain To deal with heap updates –track successive heaps as a separate base domain –heap succession abstract domain

8 8 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Fooling the Base Domains Congruence-Closure Abstract Domain Polyhedra Constrain( sel(H,o,f) ¸ 8 ) assume o.f ¸ 8 Constrain(  ¸ 8 ) sel(H,o,f)   Base Domains SymbolicValue

9 9 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Understands : FunSymbol £ Expr[] ! bool Understandable to the Base Domain + sel Hof ² Abs 2 ¢ x + sel(H,o,f) · Abs(y – z) 2xyz Yes No Understands ·

10 10 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Understandable to the Base Domain · +  ² Abs 2 ¢ x +  · Abs(y – z) 2xyz Understands : FunSymbol £ Expr[] ! bool No No

11 11 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Understandable to the Base Domain +  ²  2 ¢ x +  ·  2xyz Understands : FunSymbol £ Expr[] ! bool No Yes   = y - z Also, add this constraint to Polyhedra ·

12 12 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Congruence-Closure Domain equivalence graph (e-graph)Store mappings in an equivalence graph (e-graph) –give the same symbolic value for equivalent expressions Tracks equalities of uninterpreted functions –an e-graph with abstract domain operations –symbolic values “name” equivalence classes of expressions –implements congruence closure

13 13 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures E-Graph w = f(x) Æ g(x,y) = f(y) Æ w = h(w) A set of mappings: w   x   f(  )   y   g( ,  )   f(  )   h(  )   Always congruence-closed    w x g h  y f f

14 14 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Join Roughly, join the e-graphs, then join the base domains G0G0 P0P0 Base Domains G1G1 P1P1 G 0 t G 1 P 0 t P 1 Base Domains

15 15 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Join of E-Graphs Think of the lattice over conjunctions of equalities (including infinite ones) Let G = Join(G 0,G 1 ) x  G h  0,  0 i if x  G 0  0 and x  G 1  f( h ,  i )  G h  0,  0 i if f(  )  G 0  0 and if f(  )  G 1  0 Rename distinct pairs to fresh symbolic values  x f  x f  f  x f  f h,i à h,i à  h,i à h,i à  Tell base domains about renaming

16 16 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Join of E-Graphs Complexity: O(n ¢ m) Complete? As precise as possible? –No, e-graphs do not form a lattice! x = y t g(x) = g(y) Æ x = f(x) Æ y = f(y) = Æ i : i ¸ 0 g(f i (x)) = g(f i (y)) –Only relatively complete [Gulwani et al. 2004]

17 17 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Widen Widen the e-graphs, then widen the base domains Widen of e-graphs is a join of e-graphs that limits the number of new names introduced (see paper)

18 18 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures So Far We Have … Reasoning for uninterpreted functions Base domains that work with alien expressions transparently What we need for field reads – sel is alien to all base domains

19 19 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Outline Overview Handling Alien Expressions Handling Heap Updates Concluding Remarks

20 20 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Heap Updates Java/C#if (p.g == 8) { o.f = x; } Guardedassume H[p,g] == 8; CommandsH := H 0 where sel(H 0,o,f) = x and H 0 ´ o,f H

21 21 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Heap Updates Guardedassume H[p,g] == 8; CommandsH := H 0 where sel(H 0,o,f) = x and H 0 ´ o,f H AbstractConstrain( sel(H,p,g) = 8 ) InterpreterConstrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) Tracked by a new base domain: Heap Succession

22 22 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H 0  H 0 g  g o  of  f Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate()

23 23 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate() Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H 0  H 0 g  g o  of  f Only removes mapping “Lazy quantifier elimination” “Garbage values” remain

24 24 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate() Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H  H 0 o  of  f g  gg  g

25 25 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate() Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H  H 0 g  g o  of  f 1.Do Eliminate (H) EquivalentExpr : Queryable £ Expr £ Var ! Expr option Can you give me an equivalent expression without H?

26 26 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Constrain( sel(H,p,g) = 8 ) Constrain( sel(H 0,o,f) = x ) Constrain( H 0 ´ o,f H ) Eliminate( H ) Rename( H 0, H ) ToPredicate() Heap Update Example Heap Succession H 0 ´ o,f H E-Graph sel(H 0,p,g)   8   sel(H 0,o,f)   x   H  Hp  p H  H 0 g  g o  of  f 1.Do Eliminate (H) EquivalentExpr : Queryable £ Expr £ Var ! Expr option Eliminate(H) on Base 2.ToPredicate() on Base and Convert Expr for Client 3.Conjoin Equalities Yes, use H 0 H 0 To query other abstract domains (e.g., o  p?)

27 27 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Related Work Join for Uninterpreted Functions [Gulwani, Tiwari, Necula 2004] –same as our join for e-graphs Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …] –they abstract heap nodes into summary nodes –they use special “instrumentation predicates” whereas we use “off-the-shelf” abstract domains –could use shape analysis as base domain?

28 28 1/18/2005Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures Conclusion and Future Work Extended the power of abstract domains to work with alien expressions using the congruence- closure domain Added reasoning about heap updates with the heap succession domain Close to having “cooperating abstract interpreters”? –missing propagating back equalities inferred by base domains Implementation and experiments in progress

29 Thank you! Questions? Comments?

Download ppt "Abstract Interpretation with Alien Expressions and Heap Structures Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research."

Similar presentations

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.

Assertion Checking over Combined Abstraction of Linear Arithmetic and Uninterpreted Functions Sumit Gulwani Microsoft Research, Redmond Ashish Tiwari SRI.
Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.

Join Algorithms for the Theory of Uninterpreted Functions Sumit Gulwani Ashish Tiwari George Necula UC-Berkeley SRI UC-Berkeley.
Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.

Precise Interprocedural Analysis using Random Interpretation Sumit Gulwani George Necula UC-Berkeley.
TVLA for System Code Jörg KreikerHelmut SeidlVesal Vojdani TU Munich Dagstuhl, July 2009.

TVLA for System Code Jörg KreikerHelmut SeidlVesal Vojdani TU Munich Dagstuhl, July 2009.
Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.

Continuing Abstract Interpretation We have seen: 1.How to compile abstract syntax trees into control-flow graphs 2.Lattices, as structures that describe.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.

1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
Program Representations. Representing programs Goals.

Program Representations. Representing programs Goals.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Type-Based Verification of Assembly Language for Compiler Debugging Bor-Yuh Evan ChangAdam Chlipala George C. NeculaRobert R. Schneck University of California,

Type-Based Verification of Assembly Language for Compiler Debugging Bor-Yuh Evan ChangAdam Chlipala George C. NeculaRobert R. Schneck University of California,
Inferring Object Invariants Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 21, 2005 AIOOL 2005 Paris,

Inferring Object Invariants Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 21, 2005 AIOOL 2005 Paris,
Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.

Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.
Lifting Abstract Interpreters to Quantified Logical Domains Sumit Gulwani, MSR Bill McCloskey, UCB Ashish Tiwari, SRI 1.

Lifting Abstract Interpreters to Quantified Logical Domains Sumit Gulwani, MSR Bill McCloskey, UCB Ashish Tiwari, SRI 1.
Today’s Agenda  HW #1 Due  Quick Review  Finish Input Space Partitioning  Combinatorial Testing Software Testing and Maintenance 1.

Today’s Agenda  HW #1 Due  Quick Review  Finish Input Space Partitioning  Combinatorial Testing Software Testing and Maintenance 1.
Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Precise Inter-procedural Analysis Sumit Gulwani George C. Necula using Random Interpretation presented by Kian Win Ong UC Berkeley.

Similar presentations

Ads by Google