Presentation is loading. Please wait.

Presentation is loading. Please wait.

Symbolic Characterization of Heap Abstractions

Published byΟφέλια Αξιώτης Modified over 5 years ago

Similar presentations

Presentation on theme: "Symbolic Characterization of Heap Abstractions"— Presentation transcript:

1 Symbolic Characterization of Heap Abstractions
Symbolic Characterization of Heap Abstractions Greta Yorsh Joint work with Thomas Reps Mooly Sagiv Reinhard Wilhelm

2 Canonical Abstraction: An embedding whose result is of bounded size
x u234 Dagstuhl Seminar April 19

3 Motivation Automatically generate loop invariants in some logic
First order logic Separation logic (BI) Dagstuhl Seminar April 19

4 Generating Loop Invariants
4/3/2019 Generating Loop Invariants List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; x y t NULL S1 S2 S3 (S1) (S2) (S3) … There are 12 structures at this node. Dagstuhl Seminar April 19

5 Motivation Automatically generate loop invariants in some logic
First order logic Separation logic (BI) Employ decision procedures Extract information in the most precise way More precise than the compositional way Dagstuhl Seminar April 19

6 Motivation – Extracting Information
Does program condition x == NULL evaluate to TRUE in all stores that arise at program point p ? YES p: if (x == null) then S; else P; p: S; Dagstuhl Seminar April 19

7  = v1,v2,v: n(v1,v)  n(v2,v)  v1  v2
Is there a heap sharing? x 1/2 1 u1 u2 is rx rx  = v1,v2,v: n(v1,v)  n(v2,v)  v1  v2 1/2 compositional: supervaluational: Dagstuhl Seminar April 19

8 Computing Most Precise Value
if (S)   is valid return 1 if (S)   is valid return 0 otherwise return ½ Dagstuhl Seminar April 19

9 Why should you be interested ?
Automatically generate loop invariants in some logic First order logic Separation logic (BI) Employ decision procedures Extract information from in the most precise way More precise than the compositional way Compute the best (induced) transformer Dagstuhl Seminar April 19

10 Symbolic Operations: Three Value-Spaces
T# T Concrete Values Formulas Abstract Values Dagstuhl Seminar April 19

11 Why should you be interested ?
Automatically generate loop invariants in some logic First order logic Separation logic (BI) Employ decision procedures Extract information from in the most precise way More precise than the compositional way Compute the best (induced) transformer Assume-guarantee reasoning Dagstuhl Seminar April 19

12 Why should you be interested ?
Automatically generate loop invariants in some logic First order logic Separation logic (BI) Employ decision procedures Extract information from in the most precise way More precise than the compositional way Compute the best (induced) transformer Assume-guarantee reasoning Expressive power of 3-valued abstraction Dagstuhl Seminar April 19

13 Expressive Power SO formulas NP formulas 3-valued structures
FO+TC formulas Canonical abstraction Quantifier free formulas Predicate abstraction Dagstuhl Seminar April 19

14 Outline The problem Negative result Simplifying assumptions
Characterizing concretization with a FO formula Negative result Simplifying assumptions Generating FO+TC formula Loop invariants Supervaluation NP formula Conclusion Dagstuhl Seminar April 19

15 Characterizing Concretizations
Formulas Concrete Domain Abstract Domain Dagstuhl Seminar April 19

16 Characterizing Concretizations
4/3/2019 Characterizing Concretizations Formulas (S1) (S1) S1 S2 iff important extracting info loss of info from concrete to abstract but no loss from abstract to formula Concrete Domain Abstract Domain store  (S1) store  (S1) Dagstuhl Seminar April 19

17 4/3/2019 Quiz u2 u3 u1 Explain the edges from concrete to abstract: given a concrete store, let me should why this concrete store embeds into the 3 valued structure, because I can pick a mapping, such that… What concrete structures does it represent ? 3-Col of undirected graphs is NP complete NP computation cannot be expressed by FO even with TC ! Therefore, there is no FO-formula that characterizes all concrete structures embedded into this structure This shows that there exists a 3-valued structure that cannot be characterised with first order formula Dagstuhl Seminar April 19

18 4/3/2019 Negative Result u2 u3 u1 3-colorable graphs with at least 3 nodes 3-colorability is NP-complete NP computation can not be expressed with first order formula [Courcelle] There exists a 3-valued structure that can NOT be characterized with first-order formula What concrete structures does it represent ? 3-Col of undirected graphs is NP complete NP computation cannot be expressed by FO even with TC ! Therefore, there is no FO-formula that characterizes all concrete structures embedded into this structure This shows that there exists a 3-valued structure that cannot be characterised with first order formula Dagstuhl Seminar April 19

19 FO Identifiable Nodes u2 u3 u1 4/3/2019
What concrete structures does it represent ? 3-Col of undirected graphs is NP complete NP computation cannot be expressed by FO even with TC ! Therefore, there is no FO-formula that characterizes all concrete structures embedded into this structure This shows that there exists a 3-valued structure that cannot be characterised with first order formula Dagstuhl Seminar April 19

20 FO Identifiable Nodes u2 u3 u1 4/3/2019
What concrete structures does it represent ? 3-Col of undirected graphs is NP complete NP computation cannot be expressed by FO even with TC ! Therefore, there is no FO-formula that characterizes all concrete structures embedded into this structure This shows that there exists a 3-valued structure that cannot be characterised with first order formula Dagstuhl Seminar April 19

21 FO Identifiable Nodes x u1 u2 l1 l2 l3 l4 x rx rx nodeu1s(w)
4/3/2019 FO Identifiable Nodes x u1 u2 rx l1 l2 l3 l4 x rx nodeu1s(w) nodeu2s(w) nodeu1s(w) nodeu2s(w) node formula for u1 is satisfied by some concrete node iff the concrete node corresponds to the abstract node u1. Dagstuhl Seminar April 19

22 Generating nodeu(w) formula
x u1 u2 rx l1 l2 l3 l4 x rx nodeu1s(w) = x(w)  rx(w)  y(w)  ry(w) nodeu2s(w) = x(w)  rx(w)  y(w)  ry(w) Dagstuhl Seminar April 19

23 (S) = “onto”  “total”  “predicate embedding”  “integrity rules”
Generating FO formula x u1 u2 rx (S) = “onto”  “total”  “predicate embedding”  “integrity rules” Dagstuhl Seminar April 19

24 Supervaluation Dagstuhl Seminar April 19

25 Supervaluational Semantics
4/3/2019 Supervaluational Semantics Related work [B. van Fraassen66][Blamey02] [Bruns,Godefroid00][Reps, Loginov, Sagiv 02] value of  on S is summary of values of  on store  (S)  is true for all store  (S) TRUE  is false for all stores  (S) FALSE Difference between compositional and this is that here we have iff and there only ….  is true for some store  (S) and false for others UNKNOWN Dagstuhl Seminar April 19

26 Supervaluation Semantics
4/3/2019 Supervaluation Semantics NOT Constructive 1 if store for all store  (S) 0 if store for all store  (S) ½ otherwise << phi >> (S) is join of values of phi obtainted from each of the concrete structures that S represents. It does NOT provide a constructive way to compute, because gamma(S) is infinite set. Dagstuhl Seminar April 19

27 Generating Loop Invariants
4/3/2019 Generating Loop Invariants List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x  next; y  next = t; } return y; x y t NULL S1 S2 S3 (S1) (S2) (S3) … There are 12 structures at this node.     “x and y point to disjoint lists” Dagstuhl Seminar April 19

28 Missing … Prototype implementation using NP – formula
TVLA SPASS NP – formula Best transformer for canonical abstraction Dagstuhl Seminar April 19

29 Conclusions First order logic provides a way to express concretization in interesting domains linear size Theorem provers can be integrated with program analyzers enables flexible abstractions no loss of information beyond the abstraction Dagstuhl Seminar April 19

30 The End Dagstuhl Seminar April 19

Download ppt "Symbolic Characterization of Heap Abstractions"

Similar presentations

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.

Combining Abstract Interpreters Sumit Gulwani Microsoft Research Redmond, Group Ashish Tiwari SRI RADRAD.
Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.

Logical Abstract Interpretation Sumit Gulwani Microsoft Research, Redmond.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Meta Predicate Abstraction for Hierarchical Symbolic Heaps Josh Berdine Microsoft Research, Cambridge joint with Mike Emmi University of California, Los.

Meta Predicate Abstraction for Hierarchical Symbolic Heaps Josh Berdine Microsoft Research, Cambridge joint with Mike Emmi University of California, Los.
2005conjunctive-ii1 Query languages II: equivalence & containment (Motivation: rewriting queries using views)  conjunctive queries – CQ’s  Extensions.

2005conjunctive-ii1 Query languages II: equivalence & containment (Motivation: rewriting queries using views)  conjunctive queries – CQ’s  Extensions.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.

1 Model Checking, Abstraction- Refinement, and Their Implementation Based on slides by: Orna Grumberg Presented by: Yael Meller June 2008.
1 Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook Chapter 3

1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
1 Verifying Temporal Heap Properties Specified via Evolution Logic Eran Yahav, Tom Reps, Mooly Sagiv and Reinhard Wilhelm

1 Verifying Temporal Heap Properties Specified via Evolution Logic Eran Yahav, Tom Reps, Mooly Sagiv and Reinhard Wilhelm
1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.

1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.
Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.

Search in the semantic domain. Some definitions atomic formula: smallest formula possible (no sub- formulas) literal: atomic formula or negation of an.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }

Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.
Invisible Invariants: Underapproximating to Overapproximate Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Invisible Invariants: Underapproximating to Overapproximate Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Composing Dataflow Analyses and Transformations Sorin Lerner (University of Washington) David Grove (IBM T.J. Watson) Craig Chambers (University of Washington)

Composing Dataflow Analyses and Transformations Sorin Lerner (University of Washington) David Grove (IBM T.J. Watson) Craig Chambers (University of Washington)
Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)

Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)

Similar presentations

Ads by Google