1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University...

Program Analysisvia 3-Valued Logic

Mooly Sagiv, Tal Lev-Ami, Roman ManevichTel Aviv University

Thomas Reps, University of Wisconsin, MadisonReinhard Wilhelm, Universität des Saarlandes

Interprocedural Analysis, so far

Abstract domains• (Powerset of) fixed set of program entities and

entities from underlying domain • Domains:

– P(Aexp*) Available expressions– P(Var* Lab* ) Reaching Definitions– Var* Val Constant Propagation– Var* Int Interval Analysis

Interprocedural Analysis• Dynamically created procedure incarnations• Domain P(Lab* (Var* …))

– Call strings – strings of labels of call sites– Sufficient to represent recursion because of nested

lifetimes, a call string corresponds to an actual stack– in general of unbounded length

non-computable fixed point– approximated by fixed length, k

Dynamically Created “Objects”• How to represent dynamically created

– heap cells, created by calls to mallocx=malloc();… x=malloc();… x=malloc();

– objects, created by constructors of classesx=new C;… x=new C;… x=new C;

– threads, created by thread constructors• In general,

– unbounded sets– non-nested lifetimes– anonymous

Anonymous Objects (contd.)• Concrete domains: relations reflecting accessibility,

– Stack for program variables – Heap for anonymous, dynamically created objects– pointer variables point from Stack into Heap– Heap consists of a set of functions modelling

references/pointer components• Abstract domains: How to deal with

unboundedness?• How to analyze programs without bounds on

number of objects?

Example: In-Situ List Reversal

List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}

typedef struct list_cell { int val; struct list_cell *next;} *List;

Reverses lists ofarbitrary length

Invariant:x points to head ofnon-reversed suffix,y to head of already reversed prefixor NULL (start)

Questions Posed to the Analysis• Can x be dereferenced while having value NULL

in some execution state?• Can an object leak out of the program’s

execution?• Can an object be freed while being shared?

Freeing a Shared Object

a = malloc(…) ;

b = a;

free (a);

c = malloc (…);

if (b == c) printf(“unexpected equality”);

Dereferencing a NULL pointer

typedef struct element { int value; struct element *next; } Elements

bool search(int value, Elements *c) {Elements *elem;for (elem = c;

c != NULL; elem = elem->next;)

if (elem->val == value)return TRUE;return FALSE

Dereferencing a NULL pointer

bool search(int value, Elements *c) {Elements *elem;for (elem = c;

c != NULL; elem = elem->next;)

if (elem->val == value)return TRUE;return FALSE

potential null de-reference

Memory LeakageElements* strange(Elements *x)

{Elements *y,*g;y = NULL;while (x!= NULL) {

g = x->next;y = x;x->next = y;x = g;

}return y;

Memory LeakageElements* strange (Elements *x)

{Elements *y,*g;y = NULL;while (x!= NULL) {

g = x->next;y = x;x->next = y;x = g;

}return y;

leakage of list elements

class Make { private Worklist worklist; public static void main (String[] args) { Make m = new Make(); m.initializeWorklist(args); m.processWorklist(); } void initializeWorklist(String[] args) { ...; worklist = new Worklist(); ... // add some items to worklist} void processWorklist() { Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item); } } void processItem(Object i){ ...; doSubproblem(...);} void doSubproblem(...) { ... worklist.addItem(newitem); ... }}

public class Worklist { Set s; public Worklist() {. ..; s = new HashSet(); ... } public void addItem(Object item) { s.add(item); } public Set unprocessedItems() { return s; }}return rev; }

Concrete execution on a list of length 3

1 2 3 NULL

Original Problem: Shape Analysis

• Characterize dynamically allocated data structures– x points to an acyclic list, cyclic list, tree, dag, etc.– data-structure invariants

• Identify may-alias relationships

• Establish “disjointedness” properties– x and y point to data structures that do not share cells

Properties of reverse(x)• On entry: x points to an acyclic list

• On exit: y points to an acyclic list

• On exit: x = = NULL• Invariant: At the start of while loop,

x points to head of non-reversed suffix, y to head of already reversed prefix or NULL (start)(they are disjoint acyclic lists)

• All the pointer dereferences are safe

• No memory leaks

Abstract execution

could be- the empty list- a non-empty list

Materialization

assuming thatis not the empty list

Materialization

assuming thatis not the empty list

could be- the empty list- a non-empty list

assuming thatstood for the empty list

Why is Shape Analysis Difficult?

• Destructive updating through pointers– pnext = q– Produces complicated aliasing relationships

• Dynamic storage allocation– No bound on the size of run-time data structures– No syntactic names for locations

• Data-structure invariants typically only hold at the beginning and end of operations– Need to verify that data-structure invariants are re-

established

Main Ingredients: Abstract Domain• A new abstract domain for static analysis• Represents dynamically allocated memory• Based on predicate logic• Execution states in concrete semantics coded as

interpretations of sets of predicates over a 2-valued domain (1 true, 0 false) – unary predicate x for pointer variable x –

x(l) if x points to l– binary predicate next for selector next –

next (l1, l2) if next selector of l1 points to l2

Predicates (for reverse)

Predicate Intended Meaning

x(v) Does pointer variable x point to cell v?

y(v) Does pointer variable y point to cell v?

t(v) Does pointer variable t point to cell v?

n(v1,v2) Does the n field of v1 point to v2?

1 2 3 NULL

Coding:t(l2)=1, y(l3)=1, n(l2,l1)=1, predicates with value 0not listed

l1 l2 l3

Main Ingredients: Semantics of Statements

• Predicate-Update Formulae for a statement• Describe how the interpretation of predicates

changes by executing the statement– x = y

changes the interpretation of x to that of y– x -> next = y

changes the interpretation of next such thatn(l1,l2)=1 for some l, l1, l2 with x(l) = 1, n(l, l1)=1, and y(l2)=1

Main Ingredients: Analysis• Abstract interpretation by evaluation over

3-valued domain (1, 0, ½ don’t know)• Kleene’s interpretation of predicate logic• A system TVLA

– Input: • Operational semantics• Input Program

– Output: the result of the analysis

l3l1 l2

x(l3)=1, t(l2)=1, y(l3)=1,n(l2, l1)=1,

n(l1,…) = ?n(l3,…) = ?n(l1,…) = 1/2n(l3,…) = 1/2

Formalizing “. . .”Informal:

Formal:

xSummary

Motivation• SWhile• An SOS for SWhile• An SOS for SWhile using predicate calculus• Simple Abstract interpretation using 3-valued

logics• More precise abstract interpretation+ TVLA (next

meeting)

The SWhile Programming Language Abstract Syntax

a := x | x.sel | null | n | a1 opa a2

b := true | false | not b | b1 opb b2 | a1 opr a2

sel:= car | cdr

Dereferencing NULL pointers

elem := c;found := false; while (c != null && !found) (

if (elem->car= value) then found := true

else elem = elem->cdr)

Structural Operational Semantics• The program state consists of:

– current allocated objects– a mapping from variables into atoms, objects,

and null– a car mapping from objects into atoms,

objects, and null– a cdr mapping from objects into atoms,

objects, and null• malloc() allocates more objects• assignments update the state

Structural Operational Semantics

• The program state S=<O, env, car, cdr>:– current allocated objects O– atoms (integers, Booleans) A– env: Var* A O {null}– car: A A O {null}– cdr: A A O {null}

{l1, l2, l3},

[x l1 ,y null],

[l1 1, l2 2, l3 3],

[l1 l2, l2 l3, l3 null]

null1 2 3x

y null

l1 l2 l3

The meaning of expressions • Aa: S A O {null}

Aat(s) = at

Ax(<O, env, car, cdr>) = env(x)

Ax.cdr(<O, env, car, cdr>) =

cdr(env(x)) env(x) O

undefined otherwise

Ax.car(<O, env, car, cdr>) =

car(env(x)) env(x) O

undefined otherwise

Structural Semantics for SWhileaxioms

[assvsos] <x := a, s=(O, e, car, cdr)> (O, e[x Aas], car, cdr)

[asscarsos] <x.car := a, (O, e, car, cdr)> (O, e, car[e(x) Aas], cdr)

where env(x)O

[asscdrsos] <x.cdr := a, (O, e, car, cdr)> (O, e, car,cdr[e(x)Aas])

where env(x)O

[skipsos] <skip, s> s

[assmsos] <x := malloc(), (O, e, car, cdr)> (O {n}, e[x n], car, cdr)

where nO

Structural Semantics for SWhile(rules)

[comp1sos] <S1 , s> <S’1, s’>

<S1; S2, s> < S’1; S2, s’>

[comp2sos] <S1 , s> s’

<S1; S2, s> < S2, s’>

[ifttsos] <if b then S1 else S2, s> <S1, s> if Bbs=tt

[ifffsos] <if b then S1 else S2, s> <S2, s> if Bbs=ff

Summary• The SOS is natural• Can handle:

– errors, e.g., null dereferences– free– garbage collection

• But does not lead to an analysis– The set of potential objects is unbounded

• Solution: – Semantics coded as interpretation of a set of predicates– Reinterpreted over a Three-Valued domain with Kleene’s

interpretation

Predicate Logic• Vocabulary

– A finite set of predicate symbols Peach with a fixed arity

– A finite set of function symbols• Logical Structures S provide meaning for

predicates – A set of individuals (nodes) U– PS: US {0, 1}

• First-Order Formulas over express logical structure properties

P = {x1, y1, car2, cdr2}

US={l1, l2, l3}

xS=[l1 1, l2 0, l3 0] yS=[l1 0, l2 0, l3 0},

carS=[<l1, l1>0, <l1 , l2>0, <l1,l3 >0, <l2, l1>0, <l2 , l2>0, <l2,l3 >0, <l3, l1>0, <l3 , l2>0, <l3,l3 >0 ]

null1 2 3x

y null

l1 l2 l3{l1, l2, l3},

[x l1 ,y null],

[l1 1, l2 2, l3 3],

[l1 l2, l2 l3, l3 null]

cdrS=[<l1, l1>0, <l1 , l2>1, <l1,l3 >0, <l2, l1>0, <l2 , l2>0, <l2,l3 >1, <l3, l1>0, <l3 , l2>0, <l3,l3 >0 ]

Formal Semantics of First Order Formulae

• For a structure S=<US, PS>• Formulae with LVar free variables• Assignment z: LVarUS

S(z): {0, 1}

1S(z)=10S(z)=1v1=v2S(z) =

1 z(v1) = z(v2)

0 z(v1) z(v2)

p (v1, v2, …, vk)S(z)=pS (z(v1), z(v2), …, z(vk))

Formal Semantics of First Order Formulae

• For a structure S=<US, PS>• Formulae with LVar free variables• Assignment z: LVarUS

S(z): {0, 1}

12S(z)=max (1 S(z), 2 S(z))

12S(z)=min (1 S(z), 2 S(z))

1S(z)=1- 1 S(z)

v: 1S(z)=max {1 S(z[vu]) : u US}

Using Predicate Logic to describe states in SOS

• U=O• For a pointer variable x define a unary predicate

– x(u)=1 when env(x)=u and u is an object• Two binary predicates:

– car(u1, u2) = 1 when car(u1)=u2 and u2 is object

– cdr(u1, u2) = 1 when cdr(u1)=u2 and u2 is object

SOS (Using Predicate Logic)

• First-order structures (= predicate tables)– hold recorded information

• Formulae– means for observing information

• Predicate-update formulae– operational semantics– update recorded information

Recorded Information (for reverse)

Predicate Intended Meaning

x(v) Does pointer variable x point to cell v?

y(v) Does pointer variable y point to cell v?

t(v) Does pointer variable t point to cell v?

n(v1,v2) Does the n field of v1 point to v2?

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

Recorded Information (for reverse)

u1 u2 u3 u4

Formulae for Observing Properties

• Are x and y pointer aliases?v: x(v) y(v)

• Does x point to a cell with a self cycle?v : x(v) n(v,v)

xy u1 u2 u3 u4

Are x and y Pointer Aliases?v: x(v) y(v)

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

Predicate-Update Formulae for ‘y = x’

• x’(v) = x(v)• y’(v) = x(v)• t’(v) = t(v)• n’(v1,v2) = n(v1,v2)

x(u) y(u) t(u)u1 1 0 0u2 0 0 0u3 0 0 0u4 0 0 0

xu1 u2 u3 u4

Predicate-Update Formulae for ‘y = x’

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

y’(v) = x(v)

Predicate-Update Formulae for ‘x = x n’

• x’(v) = v1: x(v1) n(v1,v)• y’(v) = y(v)• t’(v) = t(v)• n’(v1, v2) = n(v1, v2)

xu1 u2 u3 u4

Predicate-Update Formulae for ‘x = x n’

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u) u1 1 1 0 u2 0 0 0 u3 0 0 0 u4 0 0 0

x’(v) = v1: x(v1) n(v1,v)

Predicate-Update Formulae for ‘y n = t’

• x’(v) = x(v)• y’(v) = y(v)• t’(v) = t(v)• n’(v1,v2) = y(v1) n(v1,v2) y(v1) t(v2)

Two- vs. Three-Valued Logic

Two-valued logic

{0} {1}

Three-valued logic

{0} {0,1}{1} {0,1}

Two- vs. Three-Valued LogicTwo-valued logic

1 01 1 00 0 0

1 01 1 10 1 0

Three-valued logic {1} {0,1} {0}

{1} {1} {0,1} {0}{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}

{1} {0,1} {0}{1} {1} {1} {1}

{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}

Two- vs. Three-Valued LogicThree-valued logic

Two-valued logic 1 01 1 00 0 0

1 01 1 10 1 0

{1} {0,1} {0}{1} {1} {0,1} {0}

{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}

{1} {0,1} {0}{1} {1} {1} {1}

{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}

• 1: True• 0: False• 1/2: Unknown • A join semi-lattice: 0 1 = 1/2

Three-Valued Logic

1/2 Information

Boolean Connectives [Kleene] 0 1/2 10 0 0 0

1/2 0 1/2 1/21 0 1/2 1

0 1/2 10 0 1/2 1

1/2 1/2 1/2 11 1 1 1

The Abstraction Principle

• Partition the individuals into equivalence classes based on the values of their unary predicates

• Collapse other predicates via

n u1 u2 u3 u4u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

The Abstraction Principle

u1 u2 u3 u4

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

n u1 u234

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

What StoresDoes a 3-Valued Structure Represent?• Example 3-valued structure

– individuals: {u1}– predicates:

• graphical presentation

• concrete stores represented

x y t u1 1 0 0

n u1 u1 0

3 x8 x 37 x

• Example 3-valued structure

• concrete stores

What StoresDoes a 3-Valued Structure Represent?

x y t u1 1 0 0 u 0 0 0

n u1 u u1 0 1/2 u 0 1/2

x 31 71 91

x y t u1 1 0 0 u 0 0 0

n u1 u u1 0 1/2 u 0 1/2

• Example 3-valued structure

• concrete storesu1 u

x 31 71 91

What StoresDoes a 3-Valued Structure Represent?

Property-Extraction Principle• Questions about store properties can be

answered conservatively by evaluating formulae in three-valued logic

• Formula evaluates to 1 formula always holds in every store

• Formula evaluates to 0 formula never holds in any store

• Formula evaluates to 1/2 don’t know

The Embedding Theorem

• If a big structure B can be embedded in a structure S via a surjective (onto) function f such that basic predicates are preserved, i.e., pB(u1, .., uk) pS (f(u1), ..., f(uk))

• Then, every formula is preserved =1 in S =1 in B =0 in S =0 in B =1/2 in S don’t know

Are x and y Pointer Aliases?

u1 uxy

v: x(v) y(v)

Is Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

MaybeIs Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

u1 uxy

1/21/2 1

The Instrumentation Principle

• Increase precision by storing the truth-value of some designated formulae

• Introduce predicate-update formulae to update the extra predicates

is = 0 is = 0 is = 0 is = 0

Example: Heap Sharing

x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

is = 0 is = 0

is = 1

is = 1/2

is = 0 is = 0 is = 0 is = 0

x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

is = 0 is = 0

is = 0 is = 0 is = 0 is = 0

x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

is = 0 is = 0

is = 1

Is Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

u1 uxy

1/21/2 1

is = 0 is = 0

Example2: SortednessinOrder(v) = v1: n(v,v1) dle(v, v1)

inOrder = 1 inOrder = 1

inOrder = 1

x 51 71 91inOrder = 1 inOrder = 1 inOrder = 1

inOrder = 1

Example2: Sortedness

x 51 45 91

inOrder(v) = v1: n(v,v1) dle(v, v1)

inOrder = 0 inOrder = 1 inOrder = 1

inOrder = 1 inOrder = 1

inOrder = 0

Shape Analysis viaAbstract Interpretation

• Iteratively compute a set of 3-valued structures for every program point

• Every statement transforms structures according to the predicate-update formulae– use 3-valued logic instead of 2-valued logic– use exactly the predicate-update formulae of the

concrete semantics!!

Predicate-Update Formulae for “y = x”y’(v) = x(v)

x(u) y(u) t(u)u1 1 0 0u 0 0 0

n u1 uu1 0 1/2u 0 1/2

Predicate-Update Formulae for “x = x n”

x’(v) = v1: x(v1) n(v1,v)

x(u) y(u) t(u)u1 1 1 0u 0 0 0

n u1 uu1 0 1/2u 0 1/2

Summary

• Predicate logics allows naturally expressing SOS for languages with pointers and dynamically allocated structures

• 3-valued logic provides a sound solution• More precise solution+TVLA

(next meeting)

1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University...

Documents

Garbage Collection Mooly Sagiv msagiv@post.tau.ac.il

Memory Management Chapter 5 Mooly Sagiv msagiv/courses/wcc08.html

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J

Compiling Object Oriented Programs Mooly Sagiv Chapter 6.2.9, 6.5

Program analysis Mooly Sagiv html://msagiv/courses/wcc08.html

Course Overview Mooly Sagiv msagiv@tau.ac.il TA: Roman Manevich rumster@tau.ac.il msagiv/courses/wcc08.html TA: rumster/wcc07

Register Allocation Mooly Sagiv html://msagiv/courses/wcc02.html

Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 6: Abstract Interpretation 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Winter 2007-2008 Compiler Construction T6 – semantic analysis part I scopes and symbol tables Mooly Sagiv and Roman Manevich School of Computer Science

Case Studies of Compilers and Future Trends Chapter 21 Mooly Sagiv

Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU

An Overview on Static Program Analysis Mooly Sagiv

Register Allocation Mooly Sagiv html://msagiv/courses/wcc06.html

Winter 2006-2007 Compiler Construction T8 – semantic analysis recap + IR part 1 Mooly Sagiv and Roman Manevich School of Computer Science Tel-Aviv University

Interprocedural Analysis Noam Rinetzky Mooly Sagiv

Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv

Type Checking in Cool Alex Aiken (Modified by Mooly Sagiv)

Partially Disjunctive Shape Analysis Josh Berdine Byron Cook MSR Cambridge Tal Lev-Ami Roman Manevich Mooly Sagiv Ran Shaham Tel Aviv University Ganesan

Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

Abstract Interpretation Part I Mooly Sagiv Textbook: Chapter 4