Program Analysis via 3 Valued Logic Thomas Reps

Program Analysis via 3 -Valued Logic Thomas Reps University of Wisconsin Joint work with

Program Analysis via 3 -Valued Logic Thomas Reps University of Wisconsin Joint work with Mooly Sagiv and Reinhard Wilhelm

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x->next; y->next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t NULL y 1 2 x 3 NULL

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x Materialization

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y; } t y NULL x

Original Problem: Shape Analysis • Characterize dynamically allocated data – x points to an

Original Problem: Shape Analysis • Characterize dynamically allocated data – x points to an acyclic list, tree, dag, etc. – data-structure invariants • Identify may-alias relationships • Establish “disjointedness” properties – x and y point to structures that do not share cells

Formalizing “. . . ” Informal: x Formal: x Summary node

Formalizing “. . . ” Informal: x Formal: x Summary node

Why is Shape Analysis Difficult? • Destructive updating through pointers – p next =

Why is Shape Analysis Difficult? • Destructive updating through pointers – p->next = q – Produces complicated aliasing relationships • Dynamic storage allocation – No bound on the size of run-time data structures • Data-structure invariants typically only hold at the beginning and end of operations – Need to verify that data-structure invariants are re-established

Applications: Code Optimization • Machine-independent optimizations – constant propagation – loop-invariant code motion –

Applications: Code Optimization • Machine-independent optimizations – constant propagation – loop-invariant code motion – common subexpression elimination • Machine-dependent optimizations – register allocation – parallelization – software prefetching • Insert storage-reclamation operations • Eliminate or move “checking code”

Applications: Software Tools • Static detection of memory errors (cleanness) – dereferencing NULL pointers

Applications: Software Tools • Static detection of memory errors (cleanness) – dereferencing NULL pointers – dereferencing dangling pointers – memory leaks • Static detection of logical errors – Is a shape invariant restored? • What is in the heap? – list? doubly-linked list? tree? DAG? – disjoint? intertwined?

Properties of reverse(x) • On entry: x points to an acyclic list • On

Properties of reverse(x) • On entry: x points to an acyclic list • On exit: y points to an acyclic list • On exit: x == NULL • On each iteration, x and y point to disjoint acyclic lists • All the pointer dereferences are safe • No memory leaks

A ‘Yacc’ for Shape Analysis: TVLA • Parametric framework – Some instantiations known analyses

A ‘Yacc’ for Shape Analysis: TVLA • Parametric framework – Some instantiations known analyses – Other instantiations new analyses

A ‘Yacc’ for Shape Analysis: TVLA • Parametric framework – Some instantiations known analyses

A ‘Yacc’ for Shape Analysis: TVLA • Parametric framework – Some instantiations known analyses – Other instantiations new analyses • Applications beyond shape analysis – Partial correctness of sorting algorithms – Safety of mobile code – Deadlock detection in multi-threaded programs – Partial correctness of mark-and-sweep gc alg.

A ‘Yacc’ for Static Analysis: TVLA • Parametric framework – Some instantiations known analyses

A ‘Yacc’ for Static Analysis: TVLA • Parametric framework – Some instantiations known analyses – Other instantiations new analyses • Applications beyond shape analysis – Partial correctness of sorting algorithms – Safety of mobile code – Deadlock detection in multi-threaded programs – Partial correctness of mark-and-sweep gc alg.

A ‘Yacc’ for Static Analysis (Using Logic) • Correctness proofs via inductive-assertion method •

A ‘Yacc’ for Static Analysis (Using Logic) • Correctness proofs via inductive-assertion method • Proof derivation via weakest-precondition calculus • “Annotate your loops with invariants!”

A ‘Yacc’ for Static Analysis (Using Logic) “I learned many things – and equally

A ‘Yacc’ for Static Analysis (Using Logic) “I learned many things – and equally important – I unlearned many things. ” — S. K. Allison WP • Correctness proofs via inductive-assertion method • Proof derivation via weakest-precondition calculus • “Annotate your loops with invariants!”

A ‘Yacc’ for Static Analysis (Using Logic) • First-order structures (= predicate tables) –

A ‘Yacc’ for Static Analysis (Using Logic) • First-order structures (= predicate tables) – hold recorded information – model-theoretic approach, not proof-theoretic • Formulae – means for observing information • Predicate-update formulae – operational semantics – update recorded information

Recorded Information (for reverse)

Recorded Information (for reverse)

Recorded Information (for reverse) x y u 1 u 2 u 3 u 4

Recorded Information (for reverse) x y u 1 u 2 u 3 u 4

Formulae for Observing Properties • Are x and y pointer aliases? v: x(v) y(v)

Formulae for Observing Properties • Are x and y pointer aliases? $\exists v: x(v) \wedge y(v)$ • Does x point to a cell with a self cycle? $\exists v: x(v) \wedge n(v, v)$ • Is cell v heap-shared? $\exists v_1, v_2: n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$

Are x and y Pointer Aliases? Yes v: x(v) y(v) 1 = x y

Are x and y Pointer Aliases? Yes $\exists v: x(v) \wedge y(v)$ 1 = x y u 1 u 2 u 3 u 4

Predicate-Update Formulae for ‘y = NULL’ • • x’(v) = x(v) y’(v) = 0

Predicate-Update Formulae for ‘y = NULL’ • • x’(v) = x(v) y’(v) = 0 t’(v) = t(v) n’(v 1, v 2) = n(v 1, v 2)

Predicate-Update Formulae for ‘y = NULL’ y’(v) = 0 x y u 1 0

Predicate-Update Formulae for ‘y = NULL’ y’(v) = 0 x y u 1 0 u 2 u 3 u 4

Predicate-Update Formulae for ‘y = x’ • • x’(v) = x(v) y’(v) = x(v)

Predicate-Update Formulae for ‘y = x’ • • x’(v) = x(v) y’(v) = x(v) t’(v) = t(v) n’(v 1, v 2) = n(v 1, v 2)

Predicate-Update Formulae for ‘y = x’ y’(v) = x(v) x y u 1 1

Predicate-Update Formulae for ‘y = x’ y’(v) = x(v) x y u 1 1 u 2 u 3 u 4

Predicate-Update Formulae for ‘x = x n’ • • x’(v) = v 1: x(v

Predicate-Update Formulae for ‘x = x->n’ • • x’(v) = $\exists v_1: x(v_1) \wedge n(v_1, v)$ y’(v) = y(v) t’(v) = t(v) n’(v 1, v 2) = n(v 1, v 2)

Predicate-Update Formulae for ‘x = x n’ x’(v) = v 1: x(v 1) n(v

Predicate-Update Formulae for ‘x = x->n’ x’(v) = $\exists v_1: x(v_1) \wedge n(v_1, v)$ x y 0 1 u 2 u 3 u 4

Predicate-Update Formulae for ‘y n = t’ • • x’(v) = x(v) y’(v) =

Predicate-Update Formulae for ‘y->n = t’ • • x’(v) = x(v) y’(v) = y(v) t’(v) = t(v) n’(v 1, v 2) = $(\neg y(v_1) \wedge n(v_1, v_2)) \vee (y(v_1) \wedge t(v_2))$

Outline • • Logic and box/arrow diagrams Kleene’s 3 -valued logic The abstraction principle

Outline • • Logic and box/arrow diagrams Kleene’s 3 -valued logic The abstraction principle Using 3 -valued structures to represent sets of stores • Conservative extraction of store properties • Abstract interpretation • More precise abstract interpretation

Two- vs. Three-Valued Logic Two-valued logic 0 1 Three-valued logic {0, 1} {0} {1}

Two- vs. Three-Valued Logic Two-valued logic 0 1 Three-valued logic {0, 1} {0} {1} {0} {0, 1} {1} {0, 1}

Two- vs. Three-Valued Logic Two-valued logic Three-valued logic

Two- vs. Three-Valued Logic Two-valued logic Three-valued logic

Two- vs. Three-Valued Logic Two-valued logic 0 1 Three-valued logic {0, 1} {0} {1}

Two- vs. Three-Valued Logic Two-valued logic 0 1 Three-valued logic {0, 1} {0} {1}

Two- vs. Three-Valued Logic Two-valued logic 0 Three-valued logic 1 ½ 0 1 0

Two- vs. Three-Valued Logic Two-valued logic 0 Three-valued logic 1 ½ 0 1 0 3½ 1 3½

Boolean Connectives [Kleene]

Boolean Connectives [Kleene]

Three-Valued Logic • : 1 True • 0: False • 1/2: Unknown • A

Three-Valued Logic • 1: True • 0: False • 1/2: Unknown • A join semi-lattice: $0 \sqcup 1 = 1/2$ Information order

Outline • • Logic and box/arrow diagrams Kleene’s 3 -valued logic The abstraction principle

Outline • • Logic and box/arrow diagrams Kleene’s 3 -valued logic The abstraction principle Using 3 -valued structures to represent sets of stores • Conservative extraction of store properties • Abstract interpretation • More precise abstract interpretation

Why is Shape Analysis Difficult? • Destructive updating through pointers – p next =

Why is Shape Analysis Difficult? • Destructive updating through pointers – p->next = q – Produces complicated aliasing relationships • Dynamic storage allocation – No bound on the size of run-time data structures • Data-structure invariants typically only hold at the beginning and end of operations – Need to verify that data-structure invariants are re-established

The Abstraction Principle x u 1 u 2 u 3 u 4 0 1

The Abstraction Principle x u 1 u 2 u 3 u 4 0 1 0 0 0 x u 1 u 234

What Stores Does a 3 -Valued Structure Represent? • Example 3 -valued structure –

What Stores Does a 3 -Valued Structure Represent? • Example 3 -valued structure – individuals: {u 1} – predicates: • graphical presentation x u 1 • concrete stores represented x 8 x 3 x 37

What Stores Does a 3 -Valued Structure Represent? • Example 3 -valued structure •

What Stores Does a 3 -Valued Structure Represent? • Example 3 -valued structure • graphical presentation x u 1 u • concrete stores x 31 71 91

What Stores Does a 3 -Valued Structure Represent? • Example 3 -valued structure •

What Stores Does a 3 -Valued Structure Represent? • Example 3 -valued structure • graphical presentation x u 1 u • concrete stores x 31 71 91

Property-Extraction Principle • Questions about store properties can be answered conservatively by evaluating formulae

Property-Extraction Principle • Questions about store properties can be answered conservatively by evaluating formulae in three-valued logic • Formula evaluates to 1 $\Rightarrow$ formula always holds in every store • Formula evaluates to 0 $\Rightarrow$ formula never holds in any store • Formula evaluates to 1/2 $\Rightarrow$ don’t know

Are x and y Pointer Aliases? Yes x y u 1 u v: x(v)

Are x and y Pointer Aliases? Yes x y u 1 u $\exists v: x(v) \wedge y(v)$ 1 1 1

Is Cell u Heap-Shared? Maybe x y u u 1 v 1, v 2:

Is Cell u Heap-Shared? Maybe x y u u 1 $\exists v_1, v_2: n(v_1, u) \wedge n(v_2, u) \wedge v_1 \neq v_2$ 1/2 1/2 1

Outline • • Logic and box/arrow diagrams Kleene’s 3 -valued logic The abstraction principle

Outline • • Logic and box/arrow diagrams Kleene’s 3 -valued logic The abstraction principle Using 3 -valued structures to represent sets of stores • Conservative extraction of store properties • Abstract interpretation • More precise abstract interpretation

Abstract Interpretation f (a, b) = (16 * b + 3) * (2 *

Abstract Interpretation f (a, b) = (16 * b + 3) * (2 * a + 1) * + 3 * 16 + 0 0 0 1 1 2 2 3 3 1 1 2 3 4 2 2 3 4 5 + b 3. . . 4. . . 5. . . 6. . . 1 * 2 a * 0 0 0 1 0 2 0 3 0 1 2 3 2 0 2 4 6 3. . . 0. . . 3. . . 6. . . 9. . .

Abstract Interpretation f (a, b) = (16 * b + 3) * (2 *

Abstract Interpretation f (a, b) = (16 * b + 3) * (2 * a + 1) O O E + O E 3 * E 16 * b ? E + O 1 * 2 O a ? f: _ _ O

Shape Analysis via Abstract Interpretation • Iteratively compute a set of 3 -valued structures

Shape Analysis via Abstract Interpretation • Iteratively compute a set of 3 -valued structures for every program point • Every statement transforms structures according to the predicate-update formulae – use 3 -valued logic instead of 2 -valued logic – use exactly the predicate-update formulae of the concrete semantics!!

Predicate-Update Formulae for “y = x” y’(v) = x(v) Old: New: x x y

Predicate-Update Formulae for “y = x” y’(v) = x(v) Old: New: x x y u 1 u 1 u

Predicate-Update Formulae for “x = x n” x’(v) = v 1: x(v 1) n(v

Predicate-Update Formulae for “x = x->n” x’(v) = $\exists v_1: x(v_1) \wedge n(v_1, v)$ New: Old: x y u u 1 0 1/2 y u 1 x u

Abstract Interpretation T T# Concrete Sets of stores Abstract Descriptors of sets of stores

Abstract Interpretation T T# Concrete Sets of stores Abstract Descriptors of sets of stores

Abstract Interpretation T T# Abstract Concrete Ordinarily: Must define both T and T#

Abstract Interpretation T T# Abstract Concrete Ordinarily: Must define both T and T#

Abstract Interpretation T T# Abstract Concrete Ordinarily: Complicated proof of correctness!

Abstract Interpretation T T# Abstract Concrete Ordinarily: Complicated proof of correctness!

Abstract Interpretation T T# Abstract Concrete Our approach: Same formula for T and T#

Abstract Interpretation T T# Abstract Concrete Our approach: Same formula for T and T#

Abstract Interpretation T T# Abstract Concrete Our approach: No proof! We did it for

Abstract Interpretation T T# Abstract Concrete Our approach: No proof! We did it for you!

The Embedding Theorem x No y v: x(v) y(v) No No Maybe u 1

The Embedding Theorem x No y $\exists v: x(v) \wedge y(v)$ No No Maybe u 1 y u 3, 4 u 2 x u 1 x u 4 u 3 u 2 x u 2, 3, 4 y u 1, 2, 3, 4

How Are We Doing? • Conservative • Convenient • But not very precise –

How Are We Doing? • Conservative • Convenient • But not very precise – Advancing a pointer down a list loses precision – Cannot distinguish an acyclic list from a cyclic list

Cyclic versus Acyclic Lists x 31 x u 1 71 u 91

Cyclic versus Acyclic Lists x 31 x u 1 71 u 91

Outline • • Logic and box/arrow diagrams Kleene’s 3 -valued logic The abstraction principle

Outline • • Logic and box/arrow diagrams Kleene’s 3 -valued logic The abstraction principle Using 3 -valued structures to represent sets of stores • Conservative extraction of store properties • Abstract interpretation • More precise abstract interpretation

The Instrumentation Principle • Increase precision by storing the truthvalue of some chosen formulae

The Instrumentation Principle • Increase precision by storing the truth value of some chosen formulae • Introduce predicate-update formulae to update the extra predicates

Example: Heap Sharing is(v) = v 1, v 2: n(v 1, v) n(v 2,

Example: Heap Sharing is(v) = $\exists v_1, v_2: n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$ x 31 71 91 is = 0 x u 1 is = 0 u is = 0

Example: Heap Sharing is(v) = v 1, v 2: n(v 1, v) n(v 2,

Example: Heap Sharing is(v) = $\exists v_1, v_2: n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$ x 31 71 91 is = 0 is = 10 is = 0 x u 1 u is = 0 is = 1 is = 0

Is Cell u Heap-Shared? is = 0 x y No! is = 0 u

Is Cell u Heap-Shared? is = 0 x y No! is = 0 u u 1 $\exists v_1, v_2: n(v_1, u) \wedge n(v_2, u) \wedge v_1 \neq v_2$ 1/2 1/2 1 Maybe

Predicate-Update Formulae for ‘y = NULL’ • • • x’(v) = x(v) y’(v) =

Predicate-Update Formulae for ‘y = NULL’ • • • x’(v) = x(v) y’(v) = 0 t’(v) = t(v) n’(v 1, v 2) = n(v 1, v 2) is’(v) = is(v)

Predicate-Update Formulae for ‘y = x’ • • • x’(v) = x(v) y’(v) =

Predicate-Update Formulae for ‘y = x’ • • • x’(v) = x(v) y’(v) = x(v) t’(v) = t(v) n’(v 1, v 2) = n(v 1, v 2) is’(v) = is(v)

Predicate-Update Formulae for ‘x = x n’ • • • x’(v) = v 1:

Predicate-Update Formulae for ‘x = x->n’ • • • x’(v) = $\exists v_1: x(v_1) \wedge n(v_1, v)$ y’(v) = y(v) t’(v) = t(v) n’(v 1, v 2) = n(v 1, v 2) is’(v) = is(v)

Predicate-Update Formulae for ‘y n = t’ • • • x’(v) = x(v) y’(v)

Predicate-Update Formulae for ‘y->n = t’ • • • x’(v) = x(v) y’(v) = y(v) t’(v) = t(v) n’(v 1, v 2) = $(\neg y(v_1) \wedge n(v_1, v_2)) \vee (y(v_1) \wedge t(v_2))$ is’(v) = $\exists v_1, v_2: (is(v) \wedge n'(v_1, v) \wedge n'(v_2, v) \wedge v_1 \neq v_2) \vee (t(v) \wedge n(v_1, v) \wedge \neg y(v_1))$

Materialization Formal: x y x x = x n y Informal: x y x

Materialization Formal: x y x x = x->n y Informal: x y x x = x->n y Formal: x y x x = x->n y

The Focusing Principle • “Bring the structure into better focus” – Selectively force 1/2

The Focusing Principle • “Bring the structure into better focus” – Selectively force 1/2 to 0 or 1 – Avoid indefiniteness • Then apply the predicate-update formulae

(1)Focus on v 1: x(v 1) n(v 1, v) x y u 1 u

(1) Focus on $\exists v_1: x(v_1) \wedge n(v_1, v)$ x y u 1 u x y x y u 1 u. 0

(2)Evaluate Predicate-Update Formulae x’ (v) = v 1: x(v 1) n(v 1, v) x

(2) Evaluate Predicate-Update Formulae x’(v) = $\exists v_1: x(v_1) \wedge n(v_1, v)$ x y u 1 y u u 1 u x x y u 1 y u u u 1 x x y u 1 u. 0

(3)Apply Constraint Solver y y u 1 y u x x y u u

(3)Apply Constraint Solver y y u 1 y u x x y u u 1 x u. 1 u. 0 y u 1 u. 0

(3)Apply Constraint Solver x y u 1 u. 0 n(v 1, v ) n(v

(3)Apply Constraint Solver x y u 1 u. 0 n(v 1, v ) n(v 2, v) v 1 v 2 is(v) n(v 1, v) v 1 v 2 n(v 2, v) is(v) v) 1 1 1 0

(3)Apply Constraint Solver x y u 1 u. 0

(3)Apply Constraint Solver x y u 1 u. 0

(3)Apply Constraint Solver x y u 1 u. 0 n(v 1, v ) n(v

(3)Apply Constraint Solver x y u 1 u. 0 n(v 1, v ) n(v 2, v) v 1 v 2 is(v) n(v 1, v) v 1 v 2 n(v 2, v) 1 1 1 0

(3)Apply Constraint Solver x y u 1 u. 0 x(v 1) x(v 2) v

(3) Apply Constraint Solver x y u 1 u. 0 $x(v_1) \wedge x(v_2) \Rightarrow v_1 = v_2$ 1 1 1

(3)Apply Constraint Solver x y u 1 u. 0

(3)Apply Constraint Solver x y u 1 u. 0

Formalizing “. . . ” Informal: x y Formal: x y Summary node

Formalizing “. . . ” Informal: x y Formal: x y Summary node

Formalizing “. . . ” Informal: t 1 x y Formal: t 2 x

Formalizing “. . . ” Informal: t 1 x y Formal: t 2 x t 1 y t 2

Formalizing “. . . ” Informal: x y Formal: reachable from variable x reachable

Formalizing “. . . ” Informal: x y Formal: reachable from variable x reachable from variable y x r[x] r[y] y

Formalizing “. . . ” Informal: t 1 x y t 2 Formal: x

Formalizing “. . . ” Informal: t 1 x y t 2 Formal: x r[x] r[y] t 1 r[x], r[t 1] r[y], r[t 2] y t 2

A ‘Yacc’ for Shape Analysis %%pointer-field predicates n(v 1, v 2) %%instrumentation-predicate definitions is(v)

A ‘Yacc’ for Shape Analysis %%pointer-field predicates n(v 1, v 2) %%instrumentation-predicate definitions is(v) = $\exists v_1, v_2: n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$ %%predicate-update formulae stmt : $x = NULL { is’(v) = is(v); } | $x = $t->n { is’(v) = is(v); } | $x->n = $t { is’(v) = ($\exists v_1, v_2: (is(v) \wedge n'(v_1, v) \wedge n'(v_2, v) \wedge v_1 \neq v_2) \vee (t(v) \wedge n(v_1, v) \wedge \neg y(v_1))$); } | $x = malloc(INT) { is’(v) = is(v) NEW(v); } ;

Why is Shape Analysis Difficult? • Destructive updating through pointers – p next =

Why is Shape Analysis Difficult? • Destructive updating through pointers – p->next = q – Produces complicated aliasing relationships – Track aliasing on 3 -valued structures • Dynamic storage allocation – No bound on the size of run-time data structures – Abstraction principle $\Rightarrow$ finite-sized 3 -valued structures • Data-structure invariants typically only hold at the beginning and end of operations – Need to verify that data-structure invariants are re-established – Evaluate formulas over 3 -valued structures

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; }

Example: In-Situ List Reversal typedef struct list_cell { int val; struct list_cell *next; } *List; Run Demo List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x->next; y->next = t; } return y; }

Example: Mark and Sweep void Mark(Node root) { if (root != NULL) { pending

Example: Mark and Sweep void Mark(Node root) { if (root != NULL) { pending = pending ∪ {root} marked = ∅ while (pending ≠ ∅) { x = SelectAndRemove(pending) marked = marked ∪ {x} t = x->left if (t ≠ NULL) if (t ∉ marked) pending = pending ∪ {t} t = x->right if (t ≠ NULL) if (t ∉ marked) pending = pending ∪ {t} } } assert(marked == Reachset(root)) } void Sweep() { unexplored = Universe collected = ∅ while (unexplored ≠ ∅) { x = SelectAndRemove(unexplored) if (x ∉ marked) collected = collected ∪ {x} } assert(collected == Universe – Reachset(root)) } Run Demo

TVLA vs. Model Checking TVLA • Determine properties of a transition system • State-space

TVLA vs. Model Checking TVLA • Determine properties of a transition system • State-space exploration • State labels: 1st-order structures • 3 -valued structures represent commonalities • Properties checked: Formulas in FO+TC Model checking • Determine properties of a transition system • State-space exploration • State labels: Propositions • BDDs represent commonalities • Properties checked: Formulas in temporal logic

Summary • 1/2 arises from abstraction – One-sided analyses (e. g. , 1 means

Summary • 1/2 arises from abstraction – One-sided analyses (e.g., 1 means “true”, 0 means “don’t know”) conflate 0 and 1/2 – 1/2 essential; conflation not essential • For program analysis, 3 -valued logic allows: – Materialization – Conservative extraction of properties