Symbolic Implementation of the Best Transformer Thomas Reps University of Wisconsin Joint work with M. Sagiv and G. Yorsh (Tel-Aviv) [TR-1468, Comp. Sci. Dept., Univ. of Wisconsin]
Who Cares? New approach to using symbolic techniques in abstract interpretation –For shape analysis –For other abstract domains What does it mean to harness a decision procedure for use in static analysis?
Abstract Abstract Interpretation Concrete Sets of stores Descriptors of sets of stores T#T# T
Abstract Abstract Interpretation Concrete Sets of stores Descriptors of sets of stores T#T# T
Abstract Best Abstract Transformer Concrete Sets of stores Descriptors of sets of stores T#T# T
Best Abstract Transformers For each abstract domain, there is a best transformer for each program statement –Best possible precision for that abstraction For predicate-abstraction domains, implementation of best transformer is known –Uses theorem prover Our work: implement best transformers for non-predicate-abstraction domains –Also uses theorem prover
Symbolic Operations: Three Value-Spaces Formulas Concrete Values Abstract Values T T
Symbolic Operations: Three Value-Spaces Formulas Abstract Values T T#T# Concrete Values
Symbolic Operations: Three Value-Spaces FormulasConcrete Values Abstract Values u1u1 x u x... x
Required Primitive Operations Abstraction (S) = s S (s) ( ) = { } Symbolic concretization ( ) = v 1,v 2 : node u1 ( v 1 ) node u ( v 2 ) v 1 ≠ v 2 v : node u1 ( v ) node u ( v ) ... Theorem prover returning a satisfying structure (store) S For shape analysis, SPASS is mostly satisfactory u1u1 x u x u1u1 x u
Constant-Propagation Domain (Var Z T ) , where Z T = T Examples: , [x 0, y 43, z 0], [x T, y T, z 0], [x T, y T, z T] Infinite cardinality, but finite height
Three Value-Spaces Formulas Abstract Values Concrete Values [x 0, y 0, z 0] [x 0, y 1, z 0] [x 0, y 2, z 0] (x = 0) (z = 0) [x 0, y T, z 0]
Three Value-Spaces Formulas Abstract Values Concrete Values [x 0, y 0, z 0] [x 0, y 1, z 0] [x 0, y 2, z 0] (x = 0) (z = 0)
Required Primitive Operations Abstraction (S) = s S (s) ([x 0, y 2, z 0]) = [x 0, y 2, z 0] Symbolic concretization ([x 0, y T, z 0]) = (x = 0) (z = 0) Theorem prover returning a satisfying structure (store) S [x 0, y 2, z 0] (x = 0) (z = 0)
Required Primitive Operations Abstraction (S) = s S (s) ([x 0, y 2, z 0]) = [x 0, y 2, z 0] Symbolic concretization ([x 0, y T, z 0]) = (x = 0) (z = 0) Theorem prover returning a satisfying structure (store) S [x 0, y 2, z 0] (z = 0) (x = y*z)
Constant Propagation x = y * z [x 3, y 4, z 1] [x ’ 4, y ’ 4, z ’ 1] T[x = y * z] λe.e[x e(y)*e(z)] T[x := y*z] = df (x ’ = y * z) (y ’ = y) (z ’ = z) (x ’ = y * z) (y ’ = y) (z ’ = z) [x 3, y 4, z 1, x ’ 4, y ’ 4, z ’ 1]
Constant Propagation x = y * z [x 3, y T, z 1] [x’ T, y’ T, z’ 1] T # [x = y * z] λ e. e [ x e(y) # e(z)]
Constant Propagation Startx = 3 if... z = 2 y = x y = z+1 printf(y) λe.λe. λ e. e [ x 3] λe.eλe.e λe.eλe.e λ e. e [ z 2] λ e. e [ y e(x)] λ e. e [ y e(z)+ # 1]
Constant Propagation Startx = 3 if... z = 2 y = x y = z+1 printf(y) λe.λe. λ e. e [ x 3] λe.eλe.e λe.eλe.e λ e. e [ z 2] λ e. e [ y e(x)] λ e. e [ y e(z)+ # 1] [ x T, y T, z T ] [ x 3, y T, z T ] [ x 3, y T, z 2 ] [ x 3, y 3, z 2 ] [ x 3, y 3, z T ]
Abstract Transformer T # [ x := y*z ] [x T, y T, z 0] {[x 3, y 3, z 0], [x 7, y 2, z 0]} [x T, y T, z 0] [x 0, y T, z 0] {[x 0, y 3, z 0], [x 0, y 2, z 0]} T[ x := y*z ]
Best Abstract Transformer [x T, y T, z 0] {[x 0, y 0, z 0], [x 1, y 0, z 0],... [x 0, y 1, z 0], [x 1, y 1, z 0],...} [x 0, y T, z 0] {[x 0, y 0, z 0], [x 0, y 1, z 0],...} T[ x := y*z ]
Three Value-Spaces Formulas Abstract Values Concrete Values (z = 0) [x’ 0,y’ T,z’ 0] α (x ’ = 0) (z ’ = 0) T[x := y*z] αT αT [x T,y T,z 0]
Remainder of the Talk ( ) – best abstract value that represents Best = T – best abstract transformer
Idea Behind Procedure CP ( ) FormulasConcrete Values Abstract Values ans
Idea Behind Procedure CP ( ) FormulasConcrete Values Abstract Values S S S (S)(S) ans
Idea Behind Procedure CP ( ) FormulasConcrete Values Abstract Values S S S (S)(S) ( ans ) ( ans ) ( ans ) ans
Idea Behind Procedure CP ( ) 11 FormulasConcrete Values Abstract Values S 11 ( ans ) 1 ( ans ) ( ans ) S 1S 1 ans (S)(S)
Idea Behind Procedure CP ( ) 22 FormulasConcrete Values Abstract Values 22 S 2S 2 S (S)(S) ans 2 = 1 ( ans )
( ans ) S 2S 2 Idea Behind Procedure CP ( ) 22 FormulasConcrete Values Abstract Values 22 2 ( ans ) S (S)(S) ans ( ans )
Idea Behind Procedure CP ( ) 5 = false FormulasConcrete Values Abstract Values ans ( ans ) ( ans ) , ( ans )
Procedure (formula ) { ans := := while ( is satisfiable) { Select a store S such that S ans := ans (S) := (ans) } return ans }
Example: CP ((y = 3) (x = 4*y + 1)) Initialization: ans := := (y = 3) (x = 4*y + 1) Iteration 1: S := [x 13, y 3] // A satisfying store ans := ([x 13, y 3]) = [x 13, y 3] (ans) = (x = 13) (y = 3) := (y = 3) (x = 4*y + 1) ((x = 13) (y = 3)) = (y = 3) (x = 4*y + 1) ((x 13) (y 3)) = false Iteration 2: is unsatisfiable Return value: [x 13, y 3]
Procedure CP ( ) (z = 0) (x = y * z) FormulasConcrete Values Abstract Values S ans [x 0,y 43,z 0] [x 0, y 43, z 0]
Procedure CP ( ) FormulasConcrete Values Abstract Values (x = 0) (y = 43) (z = 0) ( ans ) ( ans ) ans S (z = 0) (x = y * z) [x 0,y 43,z 0] [x 0, y 43, z 0]
Example: CP ((z = 0) (x = y * z)) Initialization: ans := := (z = 0) (x = y * z) Iteration 1: S := [x 0, y 43, z 0] // A satisfying store ans := ([x 0, y 43, z 0]) = [x 0, y 43, z 0] (ans) = (x = 0) (y = 43) (z = 0) := (z = 0) (x = y*z) ((x=0) (y=43) (z=0)) = (z = 0) (x = y*z) (y 43)
Procedure CP ( ) (z = 0) (x = y * z) (y 43) FormulasConcrete Values Abstract Values S [x 0,y 46,z 0] [x 0, y 43, z 0] [x 0, y 46, z 0]
Procedure CP ( ) (z = 0) (x = y * z) (y 43) FormulasConcrete Values Abstract Values S [x 0, y T, z 0] ans (x = 0) (z = 0) (x = 0) (z = 0)
Example: CP ((z = 0) (x = y * z))... = (z = 0) (x = y * z) (y 43) Iteration 2: S := [x 0,y 46,z 0] // A satisfying store ans := [x 0,y 43,z 0] ([x 0,y 46,z 0]) = [x 0, y 43, z 0] [x 0,y 46,z 0] = [x 0, y T, z 0] (ans) = (x = 0) (z = 0) := (z=0) (x=y*z) (y 43) ((x=0) (z=0)) = false Iteration 3: is unsatisfiable Return value: [x 0, y T, z 0]
(a) T The Idea Behind Best = T FormulasT Abstract Values (a) (a) a
(a) T The Idea Behind Best = T FormulasT Abstract Values (a) (a) a
(a) T The Idea Behind Best = T FormulasT Abstract Values (a) (a) a ans
(a) T The Idea Behind Best = T FormulasT Abstract Values (a) (a) a ans
Procedure Best Best(two-store-formula T, abs-store a) { ans’ := ’ := (a) T while ( is satisfiable) { Select a store pair (S,S ’) such that (S,S ’) ans’ := ans’ ’(S ’) := ’(ans’) } return ans’ }
Best( (x ’ = y * z) (y ’ = y) (z ’ = z), [x T, y T, z 0] ) Initialization: ans ’ := ’ := (z = 0) (x ’ = y * z) (y ’ = y) (z ’ = z) Iteration 1: (S,S ’ ) := [x 5, y 17, z 0, x ’ 0, y ’ 17, z ’ 0]
(a) T The Idea Behind Best = T Formulas T Abstract Values (a) (a) a [x 5, y 17, z 0] [ x ’ 0, y ’ 17, z ’ 0]
Best( (x ’ = y * z) (y ’ = y) (z ’ = z), [x T, y T, z 0] ) Initialization: ans ’ := ’ := (z = 0) (x ’ = y * z) (y ’ = y) (z ’ = z) Iteration 1: (S,S ’ ) := [x 5, y 17, z 0, x ’ 0, y ’ 17, z ’ 0] ans ’ := [x’ 0, y’ 17, z’ 0] ’ (ans ’ ) = (x ’ = 0) (y ’ = 17) (z ’ = 0) := (z = 0) (x ’ = y*z) (y ’ = y) (z ’ = z) (y ’ 17)
Best( (x ’ = y * z) (y ’ = y) (z ’ = z), [x T, y T, z 0] ) Iteration 2: (S,S ’ ) := [x 12, y 99, z 0, x ’ 0, y ’ 99, z ’ 0] ans ’ := [x’ 0, y’ 17, z’ 0] [x’ 0, y’ 99, z’ 0] = [x’ 0, y’ T, z’ 0] ’ (ans ’ ) = (x ’ = 0) (z ’ = 0) := (z = 0) (x ’ = y * z) (y ’ = y) (z ’ = z) (y ’ 17) ( (x ’ 0) (z ’ 0)) = false Iteration 3: is unsatisfiable Return value: [x’ 0, y’ T, z’ 0]
Best( y = x next, ) u1u1 x u r[x]r[x] r[x]r[x] u4u4 x r[x]r[x] r[x]r[x] r[x]r[x]r[x]r[x] u1u1 u2u2 u3u3 x’x’ r[x]’,r[y]’r[x]’,r[y]’ r[x]’,r[y]’r[x]’,r[y]’ r[x]’,r[y]’r[x]’,r[y]’ r[x]’r[x]’ y’y’ u2u2 x u r[x],r[y] u1u1 r[x]r[x] y... (y ’ (v) v 1 : x(v 1 ) n(v 1,v)) ...
Predicate Abstraction y := 3 x := 4*y + 1 B 1 B 2 B 3 B 4 B 5 B 6 [x 13, y 3] { B 1 (y = 1), B 2 (y = 3), B 3 (y = 4), B 4 (x = 1), B 5 (x = 3), B 6 (x = 4) } y = 3 x {1, 3, 4} [x 13, y 3]
Three Value-Spaces Formulas Abstract Values Concrete Values (y ≠ 1) (y = 3) (y ≠ 4) (x ≠ 1) (x ≠ 3) (x ≠ 4) ( B1, B2, B3, B4, B5, B6) [x 5, y 3] [x 0, y 3] [x 17, y 3]
Three Value-Spaces Formulas Abstract Values Concrete Values (y ≠ 1) (y = 3) (y ≠ 4) (x ≠ 1) (x ≠ 3) (x ≠ 4) ( B1, B2, B3, B4, B5, B6) ( B1, B2, B3, B6) α (y ≠ 1) (y = 3) (y ≠ 4) (x ≠ 4) T[x := x+1] αTαT
Predicate Abstraction Abstract values ( B1, B2, B3, B4, B5, B6) Apply , which performs symbolically (y ≠ 1) (y = 3) (y ≠ 4) (x ≠ 1) (x ≠ 3) (x ≠ 4) Apply T, which implements α T
α PA : Most-Precise Abstract Value [Predicate Abstraction] Formulas Abstract Values Concrete Values (y = 3) (x = 4*y + 1) ( B1, B2, B3, B4, B5, B6) α PA
α PA : Most-Precise Abstract Value [Predicate Abstraction] PA ( ) = false j = 1 k B j if j is valid B j if j is valid true otherwise if is unsatisfiable otherwise PA ((y = 3) (x = 4*y + 1)) = B 1, B 2, B 3, B 4, B 5, B 6 (y = 3) (x = 4*y + 1) (y = 1) (y = 3) (x = 4*y + 1) (y = 3) (y = 3) (x = 4*y + 1) (y = 4)
α PA : Most-Precise Abstract Value [Predicate Abstraction] PA ( ) = false j = 1 k B j if j is valid B j if j is valid true otherwise if is unsatisfiable otherwise (y = 3) (x = 4*y + 1) (x = 1) (y = 3) (x = 4*y + 1) (x = 3) (y = 3) (x = 4*y + 1) (x = 4) PA ((y = 3) (x = 4*y + 1)) = B 1, B 2, B 3, B 4, B 5, B 6
Procedure PA vs. General Concrete Values Formulas Abstract Values PA ii Formulas Concrete Values Abstract Values ii S iS i S ans i = ans i-1 ( S ) ans i-1 ( ans i-1 )
Conclusions Requirements –Finite-height abstract domain –Theorem prover that returns a satisfying structure (store) – (S) = s S (S) –Symbolic-concretization operation ( ) ( ) – best abstract value that represents Best(T,a) – best abstract transformer –Best(T 1 ; T 2 ;...; T k, a) – best abstract transformer for a basic block
Clients of Abstract Interpretation p: if (x == y*z) then S 1 else S 2 fi + At p, [x 0, y T, z 0] holds p: S 1 Querying an abstract value: (x = y*z) ( [x 0, y T, z 0] ) = true?
The Most-Precise Answer to a Query [Definition] (a) = true if S for all S (a) false if S for all S (a) ? otherwise true if (a) false if (a) ? otherwise (a) =
Quiz true if (a) false if (a) ? otherwise (a) = ( [x 0, y T, z 0] ) = {[x 0, y 0, z 0], [x 0, y 1, z 0], [x 0, y 2, z 0],...} What is the value of (y = 1) ( [x 0, y T, z 0] )? (y = 1) ( [x 0, y T, z 0] ) = ?
Quiz true if (a) false if (a) ? otherwise (a) = ( [x 0, y T, z 0] ) = {[x 0, y 0, z 0], [x 0, y 1, z 0], [x 0, y 2, z 0],...} What is the value of (x = y*z) ( [x 0, y T, z 0] )? (x = y*z) ( [x 0, y T, z 0] ) = true
The Most-Precise Answer to a Query [Implementation] true if (a) is valid false if (a) is valid ? otherwise (a) = What is the value of (x = y*z) ( [x 0, y T, z 0] )? ( [x 0, y T, z 0] ) = (x = 0) (z = 0) (x = y*z) ( [x 0, y T, z 0] ) = true Is (x = 0) (z = 0) (x = y*z) valid? Is (x = 0) (z = 0) (x y*z) valid? yes no
The Most-Precise Answer to a Query [Implementation] true if (a) is valid false if (a) is valid ? otherwise (a) = ( [x 0, y T, z 0] ) = (x = 0) (z = 0) What is the value of (y = 1) ( [x 0, y T, z 0] )? (y = 1) ( [x 0, y T, z 0] ) = ? Is (x = 0) (z = 0) (y = 1) valid? Is (x = 0) (z = 0) (y 1) valid? no
“Canonical Abstraction” u1u1 u2u2 u3u3 u4u4 x u1u1 x u node u1 (w) = x(w) ¬y(w) r[x](w) ¬r[y](w) node u (w) = ¬ x(w) ¬y(w) r[x](w) ¬r[y](w) r[x]r[x] r[x]r[x] v 1,v 2 : node u1 ( v 1 ) node u ( v 2 ) v 1 ≠ v 2 v : node u1 ( v ) node u ( v ) ... r[x]r[x] r[x]r[x] r[x]r[x]r[x]r[x]
“Canonical Abstraction” u1u1 u2u2 u3u3 u4u4 x u1u1 x u node u1 (w) = x(w) ¬y(w) r[x](w) ¬r[y](w) node u (w) = ¬ x(w) ¬y(w) r[x](w) ¬r[y](w) r[x]r[x] r[x]r[x] v 1,v 2 : node u1 ( v 1 ) node u ( v 2 ) v 1 ≠ v 2 v : node u1 ( v ) node u ( v ) ... r[x]r[x] r[x]r[x] r[x]r[x]r[x]r[x]