Download presentation
Presentation is loading. Please wait.
1
Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)
2
... and also IBM Research J. Field D. Goyal H. Kolodner G. Ramalingam M. Rodeh Clarkson W. Hesse Technical Univ. of Denmark H.R. Nielson F. Nielson IRISA B. Jeannet Weizmann Institute A. Pnueli MIT V. Kuncak M. Rinard University of Wisconsin F. DiMaio A. Loginov D. Gopan D. Melski A. Lal A. Mulhern Tel Aviv University G. Arnold N. Rinetzky N. Dor R. Shaham G. Erez A. Warshavsky T. Lev-Ami E. Yahav R. Manevich G. Yorsh A.Rabinovich Universität des Saarlandes J. Bauer R. Biber University of Massachusetts N. Immerman
3
In memoriam, Frank Anger (Deceased July 7, 2004)
4
The administrator of the U.S.S. Yorktown’s Standard Monitoring Control System entered 0 into a data field for the Remote Data Base Manager program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units. The Yorktown was dead in the water for about two hours and 45 minutes.
5
A sailor on the U.S.S. Yorktown entered a 0 into a data field in a kitchen-inventory program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units. The Yorktown was dead in the water for about two hours and 45 minutes. Analysis must track numeric information Full Employment for Verification Experts
6
x = 3; y = 1/(x-3); x = 3; px = &x; y = 1/(*px-3); x = 3; p = (int*)malloc(sizeof int); *p = x; q = p; y = 1/(*q-3); need to track values other than 0 need to track pointers need to track heap-allocated storage
7
Flow-Sensitive Points-To Analysis a d b c f e a d b c f e a d b c f e a d b c f e a d b c f e a d b c f e 33 22 11 44 a = &e 55 c = &f *b = c b = ab = a d = *a p = &q; p = q; p = *q; *p = q; pq p r1r1 r2r2 q r1r1 r2r2 q s1s1 s2s2 s3s3 p p s1s1 s2s2 q r1r1 r2r2 pq p r1r1 r2r2 q r1r1 r2r2 q s1s1 s2s2 s3s3 p p s1s1 s2s2 q r1r1 r2r2
8
Flow-Insensitive Points-To Analysis [Andersen 94, Shapiro & Horwitz 97] p = &q; p = q; p = *q; *p = q; pq p r1r1 r2r2 q r1r1 r2r2 q s1s1 s2s2 s3s3 p p s1s1 s2s2 q r1r1 r2r2 a = &e; b = a; c = &f; *b = c; d = *a; a d b c f e
![Flow-Insensitive Points-To Analysis [Andersen 94, Shapiro & Horwitz 97] p = &q; p = q; p = *q; *p = q; pq p r1r1 r2r2 q r1r1 r2r2 q s1s1 s2s2 s3s3 p p s1s1 s2s2 q r1r1 r2r2 a = &e; b = a; c = &f; *b = c; d = *a; a d b c f e](http://images.slideplayer.com/16/4923797/slides/slide_8.jpg "Flow-Insensitive Points-To Analysis [Andersen 94, Shapiro & Horwitz 97] p = &q; p = q; p = *q; *p = q; pq p r1r1 r2r2 q r1r1 r2r2 q s1s1 s2s2 s3s3 p p s1s1 s2s2 q r1r1 r2r2 a = &e; b = a; c = &f; *b = c; d = *a; a d b c f e")
9
Flow-Insensitive Points-To Analysis 33 22 11 44 a = &e 55 c = &f *b = c b = ab = a d = *a 33 22 11 44 a = &e 55 c = &f *b = c b = ab = a d = *a 33 22 11 44 55 a d b c f e a d b c f e a d b c f e a d b c f e a d b c f e a d b c f e a d b c f e
10
What About Malloc? Each malloc site malloc-site variable r p int *p, *q, *r; a: p = (int*)malloc(sizeof(int)); b: q = (int*)malloc(sizeof(int)); r = p; q malloc$b malloc$a
11
What About Malloc? Each malloc site malloc-site variable /* Create a List of length n */ List head; List *p = &head; for (int i = 0; i < n; i++) { *p = (List)malloc(sizeof(List*)); p = &((*p) next); } typedef struct list_cell { int val; struct list_cell *next; } *List; p head
12
Malloc Sites as “Variables” Concrete: Assignments through pointers Abstract: Accumulate edges (“weak update”) Not very accurate q r head s
13
Shape Analysis [Jones and Muchnick 1981] Characterize dynamically allocated data –Identify may-alias relationships –x points to an acyclic list, cyclic list, tree, dag, … –“disjointedness” properties x and y point to structures that do not share cells –show that data-structure invariants hold Account for destructive updates through pointers
![Shape Analysis [Jones and Muchnick 1981] Characterize dynamically allocated data –Identify may-alias relationships –x points to an acyclic list, cyclic list, tree, dag, … – disjointedness properties x and y point to structures that do not share cells –show that data-structure invariants hold Account for destructive updates through pointers](http://images.slideplayer.com/16/4923797/slides/slide_13.jpg "Shape Analysis [Jones and Muchnick 1981] Characterize dynamically allocated data –Identify may-alias relationships –x points to an acyclic list, cyclic list, tree, dag, … – disjointedness properties x and y point to structures that do not share cells –show that data-structure invariants hold Account for destructive updates through pointers")
14
pointer analysis? points-to analysis? alias analysis? shape analysis? Dynamic storage allocation Destructive updating through pointers
15
Applications: Software Tools Static detection of memory errors –dereferencing NULL pointers –dereferencing dangling pointers –memory leaks Static detection of logical errors –Is a data-structure invariant restored?
16
Applications: Code Optimization Parallelization –Operate in parallel on disjoint structures Software prefetching “Compile-time garbage collection” –Insert storage-reclamation operations Eliminate or move “checking code”
17
Why is Shape Analysis Difficult? Destructive updating through pointers –p next = q –Produces complicated aliasing relationships Dynamic storage allocation –No bound on the size of run-time data structures Data-structure invariants typically only hold at the beginning and end of operations –Want to verify that data-structure invariants are re-established
18
Outline Background on pointer analysis Informal introduction to shape analysis Shape analysis via 3-valued logic A lot more than just shape analysis! Extensions, applications Relationships with model checking Wrapup
19
Good Abstractions?
21
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
22
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
23
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
24
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
25
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
26
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
27
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
28
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
29
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
30
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
31
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
32
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
33
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
34
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
35
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; 123 NULL x yt
36
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
37
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
38
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
39
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
40
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL Materialization
41
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
42
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
43
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
44
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
45
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
46
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
47
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
48
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
49
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
50
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
51
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
52
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
53
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt
54
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
55
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
56
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
57
Example: In-Situ List Reversal List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } typedef struct list_cell { int val; struct list_cell *next; } *List; x yt NULL
58
Idea for a List Abstraction represents x y t NULL x y t x y t x y t
59
x yt x y t x y t return y t = y y next = t y = x x = x next x != NULL x yt NULL x yt x y t x y t x y t x y t x y t x y t x y t x y t x y t x y t
60
Properties of reverse(x) On entry, x points to an acyclic list On each iteration, x & y point to disjoint acyclic lists All the pointer dereferences are safe No memory leaks On exit, y points to an acyclic list On exit, x = = NULL All cells reachable from y on exit were reachable from x on entry, and vice versa On exit, the order between neighbors in the y-list is opposite to their order in the x-list on entry
61
A ‘Yacc’ for Shape Analysis: TVLA Parametric framework –Some instantiations known analyses –Other instantiations new analyses Applications beyond shape analysis –Partial correctness of sorting algorithms –Safety of mobile code –Deadlock detection in multi-threaded programs –Partial correctness of mark-and-sweep gc alg. –Correct usage of Java iterators
62
A ‘Yacc’ for Static Analysis: TVLA Parametric framework –Some instantiations known analyses –Other instantiations new analyses Applications beyond shape analysis –Partial correctness of sorting algorithms –Safety of mobile code –Deadlock detection in multi-threaded programs –Partial correctness of mark-and-sweep gc alg. –Correct usage of Java iterators
63
Formalizing “... ” Informal: x Formal: x Summary node
64
The French Recipe for Program Verification [Cousot & Cousot] Concrete operational semantics – st : Collecting semantics – st c : 2 2 Abstract semantics – : 2 A, : A 2 , ( (a)) = a, ( (C)) C – st # : A A –Upper approximation Sound results But may produce false alarms Canonical Abstraction A family of abstractions for use in logic
![The French Recipe for Program Verification [Cousot & Cousot] Concrete operational semantics – st : Collecting semantics – st c : 2 2 Abstract semantics – : 2 A, : A 2 , ( (a)) = a, ( (C)) C – st # : A A –Upper approximation Sound results But may produce false alarms Canonical Abstraction A family of abstractions for use in logic](http://images.slideplayer.com/16/4923797/slides/slide_64.jpg "The French Recipe for Program Verification [Cousot & Cousot] Concrete operational semantics – st : Collecting semantics – st c : 2 2 Abstract semantics – : 2 A, : A 2 , ( (a)) = a, ( (C)) C – st # : A A –Upper approximation Sound results But may produce false alarms Canonical Abstraction A family of abstractions for use in logic")
65
Using Relations to Represent Linked Lists
66
u1u1 u2u2 u3u3 u4u4 x y
67
Formulas: Queries for Observing Properties Are x and y pointer aliases? v: x(v) y(v)
68
x y u1u1 u2u2 u3u3 u4u4 Are x and y Pointer Aliases? v: x(v) y(v) x y u1u1 1 Yes
69
Predicate-Update Formulas for “y = x” x’(v) = x(v) y’(v) = x(v) t’(v) = t(v) n’(v 1,v 2 ) = n(v 1,v 2 )
70
x u1u1 u2u2 u3u3 u4u4 y’(v) = x(v) 10001000 y Predicate-Update Formulas for “y = x”
71
Predicate-Update Formulas for “x = x n” x’(v) = v 1 : x(v 1 ) n(v 1,v) y’(v) = y(v) t’(v) = t(v) n’(v 1, v 2 ) = n(v 1, v 2 )
72
x u1u1 u2u2 u3u3 u4u4 y x’(v) = v 1 : x(v 1 ) n(v 1,v) x Predicate-Update Formulas for “x = x n”
73
Predicate-Update Formulas for “y n = t” x’(v) = x(v) y’(v) = y(v) t’(v) = t(v) n’(v 1,v 2 ) = y(v 1 ) n(v 1,v 2 ) y(v 1 ) t(v 2 )
74
Why is Shape Analysis Difficult? Destructive updating through pointers –p next = q –Produces complicated aliasing relationships Dynamic storage allocation –No bound on the size of run-time data structures Data-structure invariants typically only hold at the beginning and end of operations –Need to verify that data-structure invariants are re-established
75
Two- vs. Three-Valued Logic 01 Two-valued logic {0,1} {0}{1} Three-valued logic {0} {0,1} {1} {0,1}
76
Two- vs. Three-Valued Logic Two-valued logicThree-valued logic
77
Two- vs. Three-Valued Logic 01 Two-valued logic {0}{1} Three-valued logic {0,1}
78
Two- vs. Three-Valued Logic 01 Two-valued logic ½ 01 Three-valued logic 0 ½ 1 ½
79
Boolean Connectives [Kleene]
![Boolean Connectives [Kleene]](http://images.slideplayer.com/16/4923797/slides/slide_79.jpg "Boolean Connectives [Kleene]")
80
Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234
81
Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234
82
Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234
83
Canonical Abstraction Partition the individuals into equivalence classes based on the values of their unary predicates Collapse other predicates via
84
Canonical Abstraction vs. Predicate Abstraction u1u1 u2u2 u3u3 u4u4 x v: x(v) 1 v: y(v) 0 v: x(v) v: x(v) 1 v 1,v 2,v: n(v 1,v) n(v 2,v) (v 1 v 2 ) 0
85
Abstract Value Obtained via Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234 Abstract Value Obtained via Predicate Abstraction u1u1 u2u2 u3u3 u4u4 x 1,0,1,0
86
Abstract Value Obtained via Canonical Abstraction u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234 1,0,1,0 The predicate-abstraction abstract domain is a special case of the canonical- abstraction abstract domain: –map everything to a single summary individual –retain only the nullary predicates
87
1,0,1,0
88
Property-Extraction Principle Questions about a family of two-valued stores can be answered conservatively by evaluating a formula in a three-valued store Formula evaluates to 1 formula holds in every store in the family Formula evaluates to 0 formula does not hold in any store in the family Formula evaluates to 1/2 formula may hold in some; not hold in others
89
Are x and y Pointer Aliases? u1u1 u x y v: x(v) y(v) Yes 1
90
Is Cell u Heap-Shared? v 1,v 2 : n(v 1,u) n(v 2,u) v 1 v 2 u Yes 1 1 1 1
91
Maybe Is Cell u Heap-Shared? v 1,v 2 : n(v 1,u) n(v 2,u) v 1 v 2 u1u1 u x y 1/2 1
92
The Embedding Theorem y x u1u1 u 34 u2u2 y x u1u1 u 234 y x u1u1 u3u3 u2u2 u4u4 x y u 1234 v: x(v) y(v) Maybe No
93
The Embedding Theorem If a structure B can be embedded in a structure S by an onto function f, such that basic predicates are preserved, i.e., p B (u 1,.., u k ) p S (f(u 1 ),..., f(u k )) Then every formula is preserved: –If = 1 in S, then = 1 in B –If = 0 in S, then = 0 in B –If = 1/2 in S, then could be 0 or 1 in B
94
Embedding u1u1 u2u2 u3u3 u4u4 x u5u5 u6u6 u 12 u 34 u 56 x u 123 u 456 x
95
Canonical Abstraction: An Embedding Whose Result is of Bounded Size u1u1 u2u2 u3u3 u4u4 x u1u1 x u 234
96
Predicate-Update Formulas for “y = x” y ’ (v) = x(v) Old: u1u1 u x y New: u1u1 u x
97
Predicate-Update Formulas for “x = x n” x ’ (v) = v 1 : x(v 1 ) n(v 1,v) y Old: u1u1 u x y New: u1u1 u x
98
x yt NULL return y t = y y next = t y = x x = x next x != NULL x yt NULL x yt u1u1 u x y u1u1 u x y ’ (v) = x(v) 1010
99
x yt NULL x y t x y t return y t = y y next = t y = x x = x next x != NULL x yt NULL x yt x y t x y t x y t x y t x y t x y t x y t x y t x y t x y t
100
x’ (v) = v 1 : x(v 1 ) n(v 1,v) Naïve Transformer (x = x n) x y Evaluate update formulas y x
101
Cyclic versus Acyclic Lists x 31 7191 u1u1 u x u1u1 u x
102
How Are We Doing? Conservative Convenient But not very precise –Advancing a pointer down a list loses precision –Cannot distinguish an acyclic list from a cyclic list
103
The Instrumentation Principle Increase precision by storing the truth-value of some chosen formulas
104
Is Cell u Heap-Shared? v 1,v 2 : n(v 1,u) n(v 2,u) v 1 v 2 u
105
is = 0 Example: Heap Sharing x 31 7191 is(v) = v 1,v 2 : n(v 1,v) n(v 2,v) v 1 v 2 u1u1 u x u1u1 u x is = 0
106
Example: Heap Sharing x 31 7191 is(v) = v 1,v 2 : n(v 1,v) n(v 2,v) v 1 v 2 is = 0 is = 1 u1u1 u x u1u1 u x is = 0 is = 1
107
Example: Cyclicity x 31 7191 c(v) = v 1 : n(v,v 1 ) n * (v 1,v) c = 0 is = 0c = 1 u1u1 u x u1u1 u x c = 0 c = 1
108
Is Cell u Heap-Shared? v 1,v 2 : n(v 1,u) n(v 2,u) v 1 v 2 u1u1 u x y is = 0 No! 1/2 1 Maybe
109
Formalizing “... ” Informal: x y Formal: x y
110
Formalizing “... ” Informal: x y t2t2 t1t1 Formal: x y t2t2 t1t1
111
Formalizing “... ” Informal: x y Formal: x y reachable from variable x reachable from variable y r[x]r[x] r[y]r[y] r[x]r[x] r[y]r[y]
112
Formalizing “... ” Informal: x y t2t2 t1t1 Formal: t2t2 t1t1 r[x],r[t 1 ] r[y],r[t 2 ] r[x],r[t 1 ] r[y],r[t 2 ] x y r[y]r[y] r[x]r[x]r[x]r[x] r[y]r[y]
113
Updating Auxiliary Information t1t1 {r[t 1 ],r[x],r[y]}{p[t 1 ],r[x],r[y]} x {p[x],p[y]} {r[x],r[y]} y t1t1 {r[t 1 ],r[x]}{p[t 1 ],r[x]} x {p[x]} {r[x]} y = NULL
![Updating Auxiliary Information t1t1 {r[t 1 ],r[x],r[y]}{p[t 1 ],r[x],r[y]} x {p[x],p[y]} {r[x],r[y]} y t1t1 {r[t 1 ],r[x]}{p[t 1 ],r[x]} x {p[x]} {r[x]} y = NULL](http://images.slideplayer.com/16/4923797/slides/slide_113.jpg "Updating Auxiliary Information t1t1 {r[t 1 ],r[x],r[y]}{p[t 1 ],r[x],r[y]} x {p[x],p[y]} {r[x],r[y]} y t1t1 {r[t 1 ],r[x]}{p[t 1 ],r[x]} x {p[x]} {r[x]} y = NULL")
114
Automatic Generation of Update Formulas for Instrumentation Predicates Where do we get the predicate-update formulas to update the extra predicates?
115
Automatic Generation of Update Formulas for Instrumentation Predicates Originally, user provided –Update formulas for core predicates: c,st (v) –Definitions of instrumentation predicates: p (v) –Update formulas for instrumentation predicates: p,st (v) Now: p,st created from p and the c,st dddd Consistently defined?
116
doubly-linked(v) reachable-from-variable-x(v) acyclic-along-dimension-d(v) tree(v) dag(v) AVL trees: –balanced(v), left-heavy(v), right-heavy(v) –... but not via height arithmetic Useful Instrumentation Predicates Need FO + TC
117
Materialization x = x n Informal: x y y x x = x n Formal: x y x y x y x = x n y x
118
Naïve Transformer (x = x n) x y Evaluate update formulas y x
119
Best Transformer (x = x n) x y y x y x y x y x ...... Evaluate update formulas y x y x......
120
“Focus”-Based Transformer (x = x n) x y y x y x Focus(x n) “Partial ” y x y x Evaluate update formulas y x y x
121
Reps, T., Sagiv, M., and Yorsh, G., Symbolic implementation of the best transformer, VMCAI 2004. Yorsh, G., Reps, T., and Sagiv, M., Symbolically computing most-precise abstract operations for shape analysis, TACAS 2004. Immerman, N, Rabinovitch, A., Reps, T., Sagiv, M., and Yorsh, G., Verification via structure simulation, CAV 2004. Immerman, N, Rabinovitch, A., Reps, T., Sagiv, M., and Yorsh, G., The boundary between decidability and undecidability for transitive-closure logics, CSL 2004. Best Transformers via Decision Procedures
122
Outline Background on pointer analysis Informal introduction to shape analysis Shape analysis via 3-valued logic A lot more than just shape analysis! Extensions, applications Relationships with model checking Wrapup
123
Threads and Concurrency A memory configuration: thread3 inCritical lock1 isAcquired thread1 atStart thread2 atStart thread4 atStart csLock heldBy
124
An abstract memory configuration: thread inCritical lock1 isAcquired thread ’ atStart csLock heldBy Threads and Concurrency
125
Static analysis using 3-valued logic provides a way to explore the (abstract) memory configurations that can arise. Threads and Concurrency
126
Shape + Numeric Abstractions x u1u1 u2u2 x u u’u’’u’’’ (1,2,3,4) u u’ u’’ u’’’ Position in list (1,2) {1} x [2,4] u1u1 u2u2 (1,4)
![Shape + Numeric Abstractions x u1u1 u2u2 x u u’u’’u’’’ (1,2,3,4) u u’ u’’ u’’’ Position in list (1,2) {1} x [2,4] u1u1 u2u2 (1,4)](http://images.slideplayer.com/16/4923797/slides/slide_126.jpg "Shape + Numeric Abstractions x u1u1 u2u2 x u u’u’’u’’’ (1,2,3,4) u u’ u’’ u’’’ Position in list (1,2) {1} x [2,4] u1u1 u2u2 (1,4)")
127
Shape + Numeric Abstractions y = x next (1,2) {1} x [2,4] x u1u1 u2u2 u1u1 u2u2 (1,4) u1u1 u 2.1 u 2.0 x y (1,2,3) {1} x {2} x [3,4] u1u1 u 2.1 u 2.0 (1,2,4)
![Shape + Numeric Abstractions y = x next (1,2) {1} x [2,4] x u1u1 u2u2 u1u1 u2u2 (1,4) u1u1 u 2.1 u 2.0 x y (1,2,3) {1} x {2} x [3,4] u1u1 u 2.1 u 2.0 (1,2,4)](http://images.slideplayer.com/16/4923797/slides/slide_127.jpg "Shape + Numeric Abstractions y = x next (1,2) {1} x [2,4] x u1u1 u2u2 u1u1 u2u2 (1,4) u1u1 u 2.1 u 2.0 x y (1,2,3) {1} x {2} x [3,4] u1u1 u 2.1 u 2.0 (1,2,4)")
128
Example: Sortedness inOrder(v) = v 1 : n(v, v 1 ) ( v v 1 ) x 51 7191 inOrder = 1 xx Yes sorted = v: inOrder(v)
129
Example: Sortedness x 51 4591 inOrder(v) = v 1 : n(v, v 1 ) ( v v 1 ) inOrder = 1inOrder = 0inOrder = 1 sorted = v: inOrder(v) No inOrder = 0inOrder = 1 xx
130
TVLA System Input (FO+TC) –Concrete operational semantics –Definitions of instrumentation predicates –Abstraction predicates –Program (as transition system) –Definitions of error conditions Output –Warnings (possible errors) –The 3-valued structures at every node New version available soon
131
Model Checking vs. TVLA Determine properties of a transition system State-space exploration State labels: 1 st -order structures 3-valued structures represent commonalities Properties checked: Formulas in FO+TC Determine properties of a transition system State-space exploration State labels: Propositions BDDs represent commonalities Properties checked: Formulas in temporal logic TVLAModel checking
132
RedGreen Yellow RedGreenYellow Red Go Clarke, Grumberg, Jha, Lu, Veith, CAV 00
133
RedGreen Yellow RedGreenYellow Red = 0 RedRed = 0 Red Go Clarke, Grumberg, Jha, Lu, Veith, CAV 00 Sagiv, Reps, Wilhelm, POPL 99 CTL * ACTL * FO + TC FO + TC 2 3
134
Why is Shape Analysis Difficult? Destructive updating through pointers –p next = q –Produces complicated aliasing relationships –Track aliasing using 3-valued structures Dynamic storage allocation –No bound on the size of run-time data structures –Canonical abstraction finite-sized 3-valued structures Data-structure invariants typically only hold at the beginning and end of operations –Need to verify that data-structure invariants are re- established –Query the 3-valued structures that arise at the exit
135
What to Take Away A ‘yacc’ for static analysis based on logic Broad scope of potential applicability –Not just linkage properties: predicates are not restricted to be links! –Discrete systems in which a relational (+ numeric) structure evolves –Transition: evolution of relational + numeric state
136
Canonical Abstraction A family of abstractions for use in logic
137
Questions?
Similar presentations
