Symbolic Implementation of the Best Transformer
Thomas Reps, University of Wisconsin
Joint work with M. Sagiv and G. Yorsh (Tel-Aviv)
[TR-1468, Comp. Sci. Dept., Univ. of Wisconsin]
Who Cares?
• New approach to using symbolic techniques in abstract interpretation
  – For shape analysis
  – For other abstract domains
• What does it mean to harness a decision procedure for use in static analysis?
Abstract Interpretation (figure)
  Concrete side: sets of stores, transformed by the concrete transformer T
  Abstract side: descriptors of sets of stores, transformed by the abstract transformer T#

Best Abstract Transformer (figure)
  Same two sides; here T# is the best abstract transformer for T
Best Abstract Transformers
• For each abstract domain, there is a best transformer for each program statement
  – Best possible precision for that abstraction
• For predicate-abstraction domains, implementation of best transformer is known
  – Uses theorem prover
• Our work: implement best transformers for non-predicate-abstraction domains
  – Also uses theorem prover
Symbolic Operations: Three Value-Spaces (figure)
  Concrete Values (stores), with the concrete transformer T; Formulas; Abstract Values, with the abstract transformer T#
  Shape-analysis instance: concrete stores (heap cells reachable from x) and the shape graph with nodes u1 and u that abstracts them
Required Primitive Operations
• Abstraction: α(S) = ⊔_{s ∈ S} β(s); e.g. α of the pictured stores = the shape graph with nodes u1 and u
• Symbolic concretization: γ̂(shape graph with nodes u1, u) =
    ∃v1, v2: node_u1(v1) ∧ node_u(v2) ∧ v1 ≠ v2 ∧ ∀v: node_u1(v) ∨ node_u(v) ∧ . . .
• Theorem prover returning a satisfying structure (store) S
• For shape analysis, SPASS is mostly satisfactory
Constant-Propagation Domain
  ⊥ ∪ (Var → Z⊤), where Z⊤ = { . . . -2 -1 0 1 2 . . . } ∪ {⊤}
  Examples: ⊥, [x ↦ 0, y ↦ 43, z ↦ 0], [x ↦ ⊤, y ↦ ⊤, z ↦ ⊤]
  Infinite cardinality, but finite height
Three Value-Spaces (figure, constant propagation)
  Concrete Values: [x ↦ 0, y ↦ 0, z ↦ 0], [x ↦ 0, y ↦ 1, z ↦ 0], [x ↦ 0, y ↦ 2, z ↦ 0], . . .
  Formulas: (x = 0) ∧ (z = 0)
  Abstract Values: [x ↦ 0, y ↦ ⊤, z ↦ 0]

Required Primitive Operations (constant propagation)
• Abstraction: α(S) = ⊔_{s ∈ S} β(s); e.g. β([x ↦ 0, y ↦ 2, z ↦ 0]) = [x ↦ 0, y ↦ 2, z ↦ 0]
• Symbolic concretization: γ̂([x ↦ 0, y ↦ ⊤, z ↦ 0]) = (x = 0) ∧ (z = 0)
• Theorem prover returning a satisfying structure (store) S, e.g.
    [x ↦ 0, y ↦ 2, z ↦ 0] ⊨ (x = 0) ∧ (z = 0)
    [x ↦ 0, y ↦ 2, z ↦ 0] ⊨ (z = 0) ∧ (x = y*z)

Constant Propagation: concrete transformer for x := y*z
  T[x := y*z] = λe. e[x ↦ e(y)*e(z)], e.g. [x ↦ 3, y ↦ 4, z ↦ 1] ↦ [x' ↦ 4, y' ↦ 4, z' ↦ 1]
  As a two-store formula: T[x := y*z] =df (x' = y*z) ∧ (y' = y) ∧ (z' = z)
  e.g. [x ↦ 3, y ↦ 4, z ↦ 1, x' ↦ 4, y' ↦ 4, z' ↦ 1] ⊨ (x' = y*z) ∧ (y' = y) ∧ (z' = z)

Constant Propagation: abstract transformer for x := y*z
  T#[x := y*z] = λe. e[x ↦ e(y) *# e(z)], e.g. [x ↦ 3, y ↦ ⊤, z ↦ 1] ↦ [x' ↦ ⊤, y' ↦ ⊤, z' ↦ 1]

Three Value-Spaces (figure, the best transformer computed through formulas)
  [x ↦ ⊤, y ↦ ⊤, z ↦ 0] →γ̂→ (z = 0) →∧ T[x := y*z]→ (z = 0) ∧ (x' = y*z) ∧ (y' = y) ∧ (z' = z) →α̂→ [x' ↦ 0, y' ↦ ⊤, z' ↦ 0]
  The result's symbolic concretization is (x' = 0) ∧ (z' = 0); the whole composite is α̂_T
Remainder of the Talk
• α̂(φ) – best abstract value that represents φ
• Best = α̂ ∘ T ∘ γ̂ – best abstract transformer
Idea Behind Procedure α̂_CP(φ) (figure sequence)
  Start with ans = ⊥ and φ1 = φ. In each round the theorem prover returns a store S ⊨ φi; ans is joined with β(S); the next formula φi+1 = φi ∧ ¬γ̂(ans) excludes every store already covered by ans. The pictured run ends at φ5 = false, i.e. when γ̂(ans) covers all of φ.

Procedure α̂(formula φ) {
  ans := ⊥
  while (φ is satisfiable) {
    Select a store S such that S ⊨ φ
    ans := ans ⊔ β(S)
    φ := φ ∧ ¬γ̂(ans)
  }
  return ans
}
Procedure α̂_CP(φ) on φ = (z = 0) ∧ (x = y*z)
  Iteration 1: S := [x ↦ 0, y ↦ 43, z ↦ 0]; ans := [x ↦ 0, y ↦ 43, z ↦ 0]
    γ̂(ans) = (x = 0) ∧ (y = 43) ∧ (z = 0), so φ := (z = 0) ∧ (x = y*z) ∧ (y ≠ 43)
  Iteration 2: S := [x ↦ 0, y ↦ 46, z ↦ 0]
    ans := [x ↦ 0, y ↦ 43, z ↦ 0] ⊔ [x ↦ 0, y ↦ 46, z ↦ 0] = [x ↦ 0, y ↦ ⊤, z ↦ 0]
    γ̂(ans) = (x = 0) ∧ (z = 0), so φ := (z = 0) ∧ (x = y*z) ∧ (y ≠ 43) ∧ ¬((x = 0) ∧ (z = 0)), which is unsatisfiable
  Return value: [x ↦ 0, y ↦ ⊤, z ↦ 0]
The Idea Behind Best = α̂ ∘ T ∘ γ̂ (figure sequence)
  The abstract value a is turned into the formula γ̂(a); conjoining the two-store formula T gives γ̂(a) ∧ T, a formula over unprimed and primed variables; applying α̂ to its primed part yields ans, the best abstract successor of a.

Procedure Best(two-store-formula T, abs-store a) {
  ans' := ⊥
  φ := γ̂(a) ∧ T
  while (φ is satisfiable) {
    Select a store pair (S, S') such that (S, S') ⊨ φ
    ans' := ans' ⊔ β'(S')
    φ := φ ∧ ¬γ̂'(ans')
  }
  return ans'
}
Best((x' = y*z) ∧ (y' = y) ∧ (z' = z), [x ↦ ⊤, y ↦ ⊤, z ↦ 0])
  Initialization: ans' := ⊥; φ := (z = 0) ∧ (x' = y*z) ∧ (y' = y) ∧ (z' = z)
  Iteration 1: (S, S') := [x ↦ 5, y ↦ 17, z ↦ 0, x' ↦ 0, y' ↦ 17, z' ↦ 0]
    (figure: a = [x ↦ ⊤, y ↦ ⊤, z ↦ 0], the formula γ̂(a) ∧ T, and the pair S = [x ↦ 5, y ↦ 17, z ↦ 0], S' = [x' ↦ 0, y' ↦ 17, z' ↦ 0] returned by the prover)
    ans' := [x' ↦ 0, y' ↦ 17, z' ↦ 0]; φ := φ ∧ (y' ≠ 17)
  Iteration 2: (S, S') := [x ↦ 12, y ↦ 99, z ↦ 0, x' ↦ 0, y' ↦ 99, z' ↦ 0]
    ans' := [x' ↦ 0, y' ↦ 17, z' ↦ 0] ⊔ [x' ↦ 0, y' ↦ 99, z' ↦ 0] = [x' ↦ 0, y' ↦ ⊤, z' ↦ 0]
    γ̂'(ans') = (x' = 0) ∧ (z' = 0)
    φ := (z = 0) ∧ (x' = y*z) ∧ (y' = y) ∧ (z' = z) ∧ (y' ≠ 17) ∧ ¬((x' = 0) ∧ (z' = 0)) = false
  Iteration 3: φ is unsatisfiable
  Return value: [x' ↦ 0, y' ↦ ⊤, z' ↦ 0]
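The procedures α̂ and Best, and the two constant-propagation runs above, carried out in Python. This is an added example, not code from the slides or from the authors' implementation: the theorem prover is replaced by a brute-force search over a small constructed range of integers (VALUES), so "satisfiable" and the store returned are exact only relative to that bound, and the names TOP, beta, join, gamma_hat, alpha_hat and best are this example's own.

```python
# Added example (not from the slides): alpha-hat and Best for the
# constant-propagation domain, with a bounded brute-force model finder
# standing in for the theorem prover.
from itertools import product

TOP = "T"                 # the slides' top value: "any constant"
VALUES = range(-3, 4)     # constructed bound on the integers the toy prover enumerates

# Formulas are Python predicates over a store (dict from variable name to int).


def models(phi, names):
    """Enumerate the stores over VALUES that satisfy phi (the toy theorem prover)."""
    for vals in product(VALUES, repeat=len(names)):
        store = dict(zip(names, vals))
        if phi(store):
            yield store


def beta(store):
    """Representation function: a concrete store is already an abstract store."""
    return dict(store)


def join(a, b):
    """Join of two abstract stores: equal constants are kept, anything else is TOP.
    None stands for bottom."""
    if a is None:
        return dict(b)
    return {v: a[v] if a[v] == b[v] else TOP for v in a}


def gamma_hat(a):
    """Symbolic concretization: a formula satisfied by exactly the stores in gamma(a)."""
    if a is None:
        return lambda s: False
    return lambda s: all(val == TOP or s[v] == val for v, val in a.items())


def alpha_hat(phi, names):
    """Best abstract value representing phi: the alpha-hat loop from the slides."""
    ans = None                                         # ans := bottom
    while True:
        g = gamma_hat(ans)
        # phi_i = phi and not gamma_hat(ans); ask the prover for a store satisfying it
        S = next(models(lambda s: phi(s) and not g(s), names), None)
        if S is None:                                  # phi_i is unsatisfiable
            return ans
        ans = join(ans, beta(S))                       # ans := ans join beta(S)


def best(tau, a, names):
    """Best(T, a): alpha_hat(gamma_hat(a) and T), projected onto the primed variables."""
    primed = [v + "'" for v in names]
    g = gamma_hat(a)

    def phi(s):                                        # two-store formula gamma_hat(a) and T
        return g({v: s[v] for v in names}) and tau(s)

    r = alpha_hat(phi, names + primed)
    return None if r is None else {v: r[v] for v in primed}


VARS = ["x", "y", "z"]
# T[x := y*z] as the two-store formula (x' = y*z) and (y' = y) and (z' = z)
ASSIGN_X_YZ = lambda s: s["x'"] == s["y"] * s["z"] and s["y'"] == s["y"] and s["z'"] == s["z"]
PHI_CP = lambda s: s["z"] == 0 and s["x"] == s["y"] * s["z"]   # (z = 0) and (x = y*z)
A0 = {"x": TOP, "y": TOP, "z": 0}

if __name__ == "__main__":
    print("alpha_hat((z = 0) and (x = y*z)) =", alpha_hat(PHI_CP, VARS))
    print("Best(x := y*z, [x T, y T, z 0]) =", best(ASSIGN_X_YZ, A0, VARS))
```

Termination follows from the finite height of the domain: the store the prover returns satisfies ¬γ̂(ans), so its β is not below ans and each join strictly enlarges ans. The bounded enumerator is sound only for models inside VALUES; a formula whose models all lie outside the range would be reported unsatisfiable, which a real prover such as SPASS (named on the shape-analysis slide) does not do.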
Best(y := x→next, a) for shape analysis (figure)
  Input shape graph a: x points to node u1, with summary node u; r[x] holds on both
  The two-store formula contains, among others (. . .), the conjunct y'(v) ⇔ ∃v1: x(v1) ∧ n(v1, v)
  Output shape graphs over nodes u1 . . . u4, annotated with x', y', r[x]', r[y]'
Predicate Abstraction
  Program: y := 3; x := 4*y + 1, reaching the concrete store [x ↦ 13, y ↦ 3]
  Predicates: { B1 ≡ (y = 1), B2 ≡ (y = 3), B3 ≡ (y = 4), B4 ≡ (x = 1), B5 ≡ (x = 3), B6 ≡ (x = 4) }
  Abstract value of [x ↦ 13, y ↦ 3]: (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6), i.e. y = 3 and x ∉ {1, 3, 4}

Three Value-Spaces (figure, predicate abstraction)
  Concrete Values: [x ↦ 0, y ↦ 3], [x ↦ 5, y ↦ 3], [x ↦ 17, y ↦ 3], . . .
  Formulas: (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 1) ∧ (x ≠ 3) ∧ (x ≠ 4)
  Abstract Values: (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6)

Three Value-Spaces (figure, the transformer for x := x+1)
  (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6) →γ̂→ (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 1) ∧ (x ≠ 3) ∧ (x ≠ 4)
  →∧ T[x := x+1], then α̂→ (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 4), i.e. (¬B1, B2, ¬B3, ¬B6)

Predicate Abstraction
• Abstract values: (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6)
• Apply γ̂, which performs concretization symbolically: (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 1) ∧ (x ≠ 3) ∧ (x ≠ 4)
• Apply α̂_T, which implements α ∘ T
α_PA: Most-Precise Abstract Value [Predicate Abstraction] (figure)
  The formula (y = 3) ∧ (x = 4*y + 1) maps under α_PA to the abstract value (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6)

α_PA: Most-Precise Abstract Value [Predicate Abstraction]
  α_PA(φ) = false, if φ is unsatisfiable
  α_PA(φ) = ∧_{j=1}^{k} L_j otherwise, where
      L_j = B_j    if φ ⇒ B_j is valid
      L_j = ¬B_j   if φ ⇒ ¬B_j is valid
      L_j = true   otherwise
  α_PA((y = 3) ∧ (x = 4*y + 1)) = (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6), established by validity queries such as
      (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(y = 1)
      (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(y = 4)
      (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(x = 1)
      (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(x = 3)
      (y = 3) ∧ (x = 4*y + 1) ⇒ ¬(x = 4)
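The definition of α_PA above, and its use as a transformer in the x := x+1 example, carried out in Python. This is an added example, not code from the slides or the authors' tools: validity is decided by brute force over a small constructed range of integers (VALUES), so a query counts as valid only if it holds for every enumerated store, and the names alpha_pa, best_pa, valid, satisfiable and the predicate table PREDS are this example's own.

```python
# Added example (not from the slides): alpha_PA for predicate abstraction,
# computed with two validity queries per predicate, and Best for that domain
# as alpha_PA(gamma_hat(a) and T). A bounded enumerator stands in for the prover.
from itertools import product

VALUES = range(-1, 15)    # constructed bound; wide enough to include x = 13 from the slides


def valid(phi, names):
    """phi holds in every enumerated store (the toy validity check)."""
    return all(phi(dict(zip(names, vals))) for vals in product(VALUES, repeat=len(names)))


def satisfiable(phi, names):
    return not valid(lambda s: not phi(s), names)


def alpha_pa(phi, preds, names):
    """Most-precise abstract value for phi. Returns None for 'false'; otherwise a dict
    mapping each predicate name to True (B_j), False (not B_j) or None (unknown,
    the 'true' conjunct in the slides' definition)."""
    if not satisfiable(phi, names):
        return None
    result = {}
    for name, b in preds.items():
        if valid(lambda s: not phi(s) or b(s), names):          # phi => B_j valid
            result[name] = True
        elif valid(lambda s: not phi(s) or not b(s), names):    # phi => not B_j valid
            result[name] = False
        else:
            result[name] = None
    return result


def gamma_hat(a, preds):
    """Symbolic concretization: the conjunction of the literals that are known in a."""
    return lambda s: all(preds[n](s) == v for n, v in a.items() if v is not None)


def best_pa(tau, a, preds, names):
    """Best(T, a) for predicate abstraction: alpha_PA(gamma_hat(a) and T), with each
    predicate evaluated on the primed (post-state) half of the store pair."""
    primed = [v + "'" for v in names]
    g = gamma_hat(a, preds)
    phi = lambda s: g({v: s[v] for v in names}) and tau(s)
    preds_primed = {n: (lambda s, b=b: b({v: s[v + "'"] for v in names}))
                    for n, b in preds.items()}
    return alpha_pa(phi, preds_primed, names + primed)


NAMES = ["x", "y"]
PREDS = {                                  # the six predicates from the slides
    "B1": lambda s: s["y"] == 1, "B2": lambda s: s["y"] == 3, "B3": lambda s: s["y"] == 4,
    "B4": lambda s: s["x"] == 1, "B5": lambda s: s["x"] == 3, "B6": lambda s: s["x"] == 4,
}
PHI_PA = lambda s: s["y"] == 3 and s["x"] == 4 * s["y"] + 1     # (y = 3) and (x = 4*y + 1)
INC_X = lambda s: s["x'"] == s["x"] + 1 and s["y'"] == s["y"]   # T[x := x+1]

if __name__ == "__main__":
    a = alpha_pa(PHI_PA, PREDS, NAMES)
    print("alpha_PA((y = 3) and (x = 4*y + 1)) =", a)
    print("Best(x := x+1, a) =", best_pa(INC_X, a, PREDS, NAMES))
```

The run reproduces both slides: α_PA of the formula fixes every predicate, and after x := x+1 only B4 and B5 become unknown (x' = 1 is reachable from x = 0 and x' = 3 from x = 2, while x' = 4 would need the excluded x = 3). The same caveat as for the bounded prover applies: a witness outside VALUES cannot be found, so an implication that fails only there would wrongly count as valid.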
Procedure α̂_PA vs. General α̂ (figure)
  α̂_PA moves between Formulas and Abstract Values only
  General α̂ also visits Concrete Values: φi = φ ∧ ¬γ̂(ans_{i-1}); the prover returns S ⊨ φi; ans_i = ans_{i-1} ⊔ β(S)
Conclusions
• Requirements
  – Finite-height abstract domain
  – Theorem prover that returns a satisfying structure (store)
  – α(S) = ⊔_{s ∈ S} β(s)
  – Symbolic-concretization operation γ̂(·)
• α̂(φ) – best abstract value that represents φ
• Best(T, a) – best abstract transformer
  – Best(T1; T2; . . . ; Tk, a) – best abstract transformer for a basic block