1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard

1

Program Analysisvia 3-Valued Logic

Mooly Sagiv, Tal Lev-Ami, Roman ManevichTel Aviv University

Thomas Reps, University of Wisconsin, MadisonReinhard Wilhelm, Universität des Saarlandes

2

Interprocedural Analysis, so far

Abstract domains• (Powerset of) fixed set of program entities and

entities from underlying domain • Domains:

– P(Aexp*) Available expressions– P(Var* Lab* ) Reaching Definitions– Var* Val Constant Propagation– Var* Int Interval Analysis

3

Interprocedural Analysis• Dynamically created procedure incarnations• Domain P(Lab* (Var* …))

– Call strings – strings of labels of call sites– Sufficient to represent recursion because of nested

lifetimes, a call string corresponds to an actual stack– in general of unbounded length

non-computable fixed point– approximated by fixed length, k

4

Dynamically Created “Objects”• How to represent dynamically created

– heap cells, created by calls to mallocx=malloc();… x=malloc();… x=malloc();

– objects, created by constructors of classesx=new C;… x=new C;… x=new C;

– threads, created by thread constructors• In general,

– unbounded sets– non-nested lifetimes– anonymous

5

Anonymous Objects (contd.)• Concrete domains: relations reflecting accessibility,

– Stack for program variables – Heap for anonymous, dynamically created objects– pointer variables point from Stack into Heap– Heap consists of a set of functions modelling

references/pointer components• Abstract domains: How to deal with

unboundedness?• How to analyze programs without bounds on

number of objects?

Example: In-Situ List Reversal

List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}

typedef struct list_cell { int val; struct list_cell *next;} *List;

Reverses lists ofarbitrary length

Invariant:x points to head ofnon-reversed suffix,y to head of already reversed prefixor NULL (start)

7

Questions Posed to the Analysis• Can x be dereferenced while having value NULL

in some execution state?• Can an object leak out of the program’s

execution?• Can an object be freed while being shared?

8

Freeing a Shared Object

a = malloc(…) ;

b = a;

free (a);

c = malloc (…);

if (b == c) printf(“unexpected equality”);

9

Dereferencing a NULL pointer

typedef struct element { int value; struct element *next; } Elements

bool search(int value, Elements *c) {Elements *elem;for (elem = c;

c != NULL; elem = elem->next;)

if (elem->val == value)return TRUE;return FALSE

10

Dereferencing a NULL pointer


bool search(int value, Elements *c) {Elements *elem;for (elem = c;

c != NULL; elem = elem->next;)

if (elem->val == value)return TRUE;return FALSE

potential null de-reference

11

Memory LeakageElements* strange(Elements *x)

{Elements *y,*g;y = NULL;while (x!= NULL) {

g = x->next;y = x;x->next = y;x = g;

}return y;


12

Memory LeakageElements* strange (Elements *x)

{Elements *y,*g;y = NULL;while (x!= NULL) {

g = x->next;y = x;x->next = y;x = g;

}return y;

leakage of list elements


13

class Make { private Worklist worklist; public static void main (String[] args) { Make m = new Make(); m.initializeWorklist(args); m.processWorklist(); } void initializeWorklist(String[] args) { ...; worklist = new Worklist(); ... // add some items to worklist} void processWorklist() { Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item); } } void processItem(Object i){ ...; doSubproblem(...);} void doSubproblem(...) { ... worklist.addItem(newitem); ... }}

public class Worklist { Set s; public Worklist() {. ..; s = new HashSet(); ... } public void addItem(Object item) { s.add(item); } public Set unprocessedItems() { return s; }}return rev; }

14


Concrete execution on a list of length 3




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL

30

Original Problem: Shape Analysis

• Characterize dynamically allocated data structures– x points to an acyclic list, cyclic list, tree, dag, etc.– data-structure invariants

• Identify may-alias relationships

• Establish “disjointedness” properties– x and y point to data structures that do not share cells

31

Properties of reverse(x)• On entry: x points to an acyclic list

• On exit: y points to an acyclic list

• On exit: x = = NULL• Invariant: At the start of while loop,

x points to head of non-reversed suffix, y to head of already reversed prefix or NULL (start)(they are disjoint acyclic lists)

• All the pointer dereferences are safe

• No memory leaks

32


Abstract execution




x

yt

could be- the empty list- a non-empty list




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL

Materialization

assuming thatis not the empty list




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL

Materialization

assuming thatis not the empty list




x

yt

NULL




x

yt

NULL




x

yt

could be- the empty list- a non-empty list




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt

NULL

assuming thatstood for the empty list




x

yt

NULL




x

yt

NULL




x

yt

NULL

60

Why is Shape Analysis Difficult?

• Destructive updating through pointers– pnext = q– Produces complicated aliasing relationships

• Dynamic storage allocation– No bound on the size of run-time data structures– No syntactic names for locations

• Data-structure invariants typically only hold at the beginning and end of operations– Need to verify that data-structure invariants are re-

established

61

Main Ingredients: Abstract Domain• A new abstract domain for static analysis• Represents dynamically allocated memory• Based on predicate logic• Execution states in concrete semantics coded as

interpretations of sets of predicates over a 2-valued domain (1 true, 0 false) – unary predicate x for pointer variable x –

x(l) if x points to l– binary predicate next for selector next –

next (l1, l2) if next selector of l1 points to l2

62

Predicates (for reverse)

Predicate Intended Meaning

x(v) Does pointer variable x point to cell v?

y(v) Does pointer variable y point to cell v?

t(v) Does pointer variable t point to cell v?

n(v1,v2) Does the n field of v1 point to v2?




1 2 3 NULL

x

yt

NULL

Coding:t(l2)=1, y(l3)=1, n(l2,l1)=1, predicates with value 0not listed

l1 l2 l3

64

Main Ingredients: Semantics of Statements

• Predicate-Update Formulae for a statement• Describe how the interpretation of predicates

changes by executing the statement– x = y

changes the interpretation of x to that of y– x -> next = y

changes the interpretation of next such thatn(l1,l2)=1 for some l, l1, l2 with x(l) = 1, n(l, l1)=1, and y(l2)=1

65

Main Ingredients: Analysis• Abstract interpretation by evaluation over

3-valued domain (1, 0, ½ don’t know)• Kleene’s interpretation of predicate logic• A system TVLA

– Input: • Operational semantics• Input Program

– Output: the result of the analysis




x

yt

l3l1 l2

x(l3)=1, t(l2)=1, y(l3)=1,n(l2, l1)=1,

n(l1,…) = ?n(l3,…) = ?n(l1,…) = 1/2n(l3,…) = 1/2

67

Formalizing “. . .”Informal:

x

Formal:

xSummary

node

68

Plan

Motivation• SWhile• An SOS for SWhile• An SOS for SWhile using predicate calculus• Simple Abstract interpretation using 3-valued

logics• More precise abstract interpretation+ TVLA (next

meeting)

69

The SWhile Programming Language Abstract Syntax

a := x | x.sel | null | n | a1 opa a2

b := true | false | not b | b1 opb b2 | a1 opr a2

S := x := a | x.sel := a | x := malloc() | skip | S1 ; S2 | if b then S1 else S2 | while b do S

sel:= car | cdr

70

Dereferencing NULL pointers

elem := c;found := false; while (c != null && !found) (

if (elem->car= value) then found := true

else elem = elem->cdr)

71

Structural Operational Semantics• The program state consists of:

– current allocated objects– a mapping from variables into atoms, objects,

and null– a car mapping from objects into atoms,

objects, and null– a cdr mapping from objects into atoms,

objects, and null• malloc() allocates more objects• assignments update the state

72

Structural Operational Semantics

• The program state S=<O, env, car, cdr>:– current allocated objects O– atoms (integers, Booleans) A– env: Var* A O {null}– car: A A O {null}– cdr: A A O {null}

{l1, l2, l3},

[x l1 ,y null],

[l1 1, l2 2, l3 3],

[l1 l2, l2 l3, l3 null]

null1 2 3x

y null

l1 l2 l3

73

The meaning of expressions • Aa: S A O {null}

Aat(s) = at

Ax(<O, env, car, cdr>) = env(x)

Ax.cdr(<O, env, car, cdr>) =

cdr(env(x)) env(x) O

undefined otherwise

Ax.car(<O, env, car, cdr>) =

car(env(x)) env(x) O

undefined otherwise

74

Structural Semantics for SWhileaxioms

[assvsos] <x := a, s=(O, e, car, cdr)> (O, e[x Aas], car, cdr)

[asscarsos] <x.car := a, (O, e, car, cdr)> (O, e, car[e(x) Aas], cdr)

where env(x)O

[asscdrsos] <x.cdr := a, (O, e, car, cdr)> (O, e, car,cdr[e(x)Aas])

where env(x)O

[skipsos] <skip, s> s

[assmsos] <x := malloc(), (O, e, car, cdr)> (O {n}, e[x n], car, cdr)

where nO

75

Structural Semantics for SWhile(rules)

[comp1sos] <S1 , s> <S’1, s’>

<S1; S2, s> < S’1; S2, s’>

[comp2sos] <S1 , s> s’

<S1; S2, s> < S2, s’>

[ifttsos] <if b then S1 else S2, s> <S1, s> if Bbs=tt

[ifffsos] <if b then S1 else S2, s> <S2, s> if Bbs=ff

76

Summary• The SOS is natural• Can handle:

– errors, e.g., null dereferences– free– garbage collection

• But does not lead to an analysis– The set of potential objects is unbounded

• Solution: – Semantics coded as interpretation of a set of predicates– Reinterpreted over a Three-Valued domain with Kleene’s

interpretation

77

Predicate Logic• Vocabulary

– A finite set of predicate symbols Peach with a fixed arity

– A finite set of function symbols• Logical Structures S provide meaning for

predicates – A set of individuals (nodes) U– PS: US {0, 1}

• First-Order Formulas over express logical structure properties

78

P = {x1, y1, car2, cdr2}

US={l1, l2, l3}

xS=[l1 1, l2 0, l3 0] yS=[l1 0, l2 0, l3 0},

carS=[<l1, l1>0, <l1 , l2>0, <l1,l3 >0, <l2, l1>0, <l2 , l2>0, <l2,l3 >0, <l3, l1>0, <l3 , l2>0, <l3,l3 >0 ]

null1 2 3x

y null

l1 l2 l3{l1, l2, l3},

[x l1 ,y null],

[l1 1, l2 2, l3 3],

[l1 l2, l2 l3, l3 null]

cdrS=[<l1, l1>0, <l1 , l2>1, <l1,l3 >0, <l2, l1>0, <l2 , l2>0, <l2,l3 >1, <l3, l1>0, <l3 , l2>0, <l3,l3 >0 ]

79

Formal Semantics of First Order Formulae

• For a structure S=<US, PS>• Formulae with LVar free variables• Assignment z: LVarUS

S(z): {0, 1}

1S(z)=10S(z)=1v1=v2S(z) =

1 z(v1) = z(v2)

0 z(v1) z(v2)

p (v1, v2, …, vk)S(z)=pS (z(v1), z(v2), …, z(vk))

80

Formal Semantics of First Order Formulae

• For a structure S=<US, PS>• Formulae with LVar free variables• Assignment z: LVarUS

S(z): {0, 1}

12S(z)=max (1 S(z), 2 S(z))

12S(z)=min (1 S(z), 2 S(z))

1S(z)=1- 1 S(z)

v: 1S(z)=max {1 S(z[vu]) : u US}

81

Using Predicate Logic to describe states in SOS

• U=O• For a pointer variable x define a unary predicate

– x(u)=1 when env(x)=u and u is an object• Two binary predicates:

– car(u1, u2) = 1 when car(u1)=u2 and u2 is object

– cdr(u1, u2) = 1 when cdr(u1)=u2 and u2 is object

82

SOS (Using Predicate Logic)

• First-order structures (= predicate tables)– hold recorded information

• Formulae– means for observing information

• Predicate-update formulae– operational semantics– update recorded information

83

Recorded Information (for reverse)

Predicate Intended Meaning

x(v) Does pointer variable x point to cell v?

y(v) Does pointer variable y point to cell v?

t(v) Does pointer variable t point to cell v?

n(v1,v2) Does the n field of v1 point to v2?

84

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

Recorded Information (for reverse)

u1 u2 u3 u4

xy

85

Formulae for Observing Properties

• Are x and y pointer aliases?v: x(v) y(v)

• Does x point to a cell with a self cycle?v : x(v) n(v,v)

86

xy u1 u2 u3 u4

Are x and y Pointer Aliases?v: x(v) y(v)

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

xy u1

Yes

89

Predicate-Update Formulae for ‘y = x’

• x’(v) = x(v)• y’(v) = x(v)• t’(v) = t(v)• n’(v1,v2) = n(v1,v2)

90

x(u) y(u) t(u)u1 1 0 0u2 0 0 0u3 0 0 0u4 0 0 0

xu1 u2 u3 u4

Predicate-Update Formulae for ‘y = x’

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

y’(v) = x(v)

y

91

Predicate-Update Formulae for ‘x = x n’

• x’(v) = v1: x(v1) n(v1,v)• y’(v) = y(v)• t’(v) = t(v)• n’(v1, v2) = n(v1, v2)

92

xu1 u2 u3 u4

Predicate-Update Formulae for ‘x = x n’

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u) u1 1 1 0 u2 0 0 0 u3 0 0 0 u4 0 0 0

y

x’(v) = v1: x(v1) n(v1,v)

x

93

Predicate-Update Formulae for ‘y n = t’

• x’(v) = x(v)• y’(v) = y(v)• t’(v) = t(v)• n’(v1,v2) = y(v1) n(v1,v2) y(v1) t(v2)

94

Two- vs. Three-Valued Logic

0 1

Two-valued logic

{0,1}

{0} {1}

Three-valued logic

{0} {0,1}{1} {0,1}

95

Two- vs. Three-Valued LogicTwo-valued logic

1 01 1 00 0 0

1 01 1 10 1 0

Three-valued logic {1} {0,1} {0}

{1} {1} {0,1} {0}{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}

{1} {0,1} {0}{1} {1} {1} {1}

{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}

96

Two- vs. Three-Valued LogicThree-valued logic

0

1

Two-valued logic 1 01 1 00 0 0

1 01 1 10 1 0

{1}

{0,1}

{0}

1

½

0

{1} {0,1} {0}{1} {1} {0,1} {0}

{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}

{1} {0,1} {0}{1} {1} {1} {1}

{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}

97

• 1: True• 0: False• 1/2: Unknown • A join semi-lattice: 0 1 = 1/2

Three-Valued Logic

1/2 Information

order

98

Boolean Connectives [Kleene] 0 1/2 10 0 0 0

1/2 0 1/2 1/21 0 1/2 1

0 1/2 10 0 1/2 1

1/2 1/2 1/2 11 1 1 1

99

The Abstraction Principle

• Partition the individuals into equivalence classes based on the values of their unary predicates

• Collapse other predicates via

100

n u1 u2 u3 u4u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

The Abstraction Principle

u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

n u1 u234

u1 0

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

101

What StoresDoes a 3-Valued Structure Represent?• Example 3-valued structure

– individuals: {u1}– predicates:

• graphical presentation

• concrete stores represented

x y t u1 1 0 0

xu1

n u1 u1 0

3 x8 x 37 x

102

• Example 3-valued structure


• concrete stores

What StoresDoes a 3-Valued Structure Represent?

x y t u1 1 0 0 u 0 0 0

u1 ux

u1 ux

n u1 u u1 0 1/2 u 0 1/2

x 31 71 91

103

x y t u1 1 0 0 u 0 0 0

n u1 u u1 0 1/2 u 0 1/2

• Example 3-valued structure


• concrete storesu1 u

xu1 u

x

x 31 71 91

What StoresDoes a 3-Valued Structure Represent?

104

Property-Extraction Principle• Questions about store properties can be

answered conservatively by evaluating formulae in three-valued logic

• Formula evaluates to 1 formula always holds in every store

• Formula evaluates to 0 formula never holds in any store

• Formula evaluates to 1/2 don’t know

105

The Embedding Theorem

• If a big structure B can be embedded in a structure S via a surjective (onto) function f such that basic predicates are preserved, i.e., pB(u1, .., uk) pS (f(u1), ..., f(uk))

• Then, every formula is preserved =1 in S =1 in B =0 in S =0 in B =1/2 in S don’t know

106

Are x and y Pointer Aliases?

u1 uxy

v: x(v) y(v)

Yes

1

107

Is Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

u

Yes

1 1

1

1

108

MaybeIs Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

u1 uxy

1/21/2 1

1/2

109

The Instrumentation Principle

• Increase precision by storing the truth-value of some designated formulae

• Introduce predicate-update formulae to update the extra predicates

110

is = 0 is = 0 is = 0 is = 0

Example: Heap Sharing

x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

u1 ux

u1 ux

is = 0 is = 0

is = 1

is = 1/2

111

is = 0 is = 0 is = 0 is = 0


x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

u1 ux

u1 ux

is = 0 is = 0

112

is = 0 is = 0 is = 0 is = 0


x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

u1 ux

u1 ux

is = 0 is = 0

is = 1

is = 1

113

Is Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

u1 uxy

1/2

1/21/2 1

is = 0 is = 0

No!

114

Example2: SortednessinOrder(v) = v1: n(v,v1) dle(v, v1)

u1 ux

u1 ux

inOrder = 1 inOrder = 1

n n

inOrder = 1

x 51 71 91inOrder = 1 inOrder = 1 inOrder = 1

n n n

115

inOrder = 1

Example2: Sortedness

x 51 45 91

inOrder(v) = v1: n(v,v1) dle(v, v1)

uxx

inOrder = 0 inOrder = 1 inOrder = 1

inOrder = 1 inOrder = 1

n n n

n n

inOrder = 0

n

116

Shape Analysis viaAbstract Interpretation

• Iteratively compute a set of 3-valued structures for every program point

• Every statement transforms structures according to the predicate-update formulae– use 3-valued logic instead of 2-valued logic– use exactly the predicate-update formulae of the

concrete semantics!!

117

Predicate-Update Formulae for “y = x”y’(v) = x(v)

Old:

u1 ux

x(u) y(u) t(u)u1 1 0 0u 0 0 0

n u1 uu1 0 1/2u 0 1/2

y

New:

u1 ux

118

Predicate-Update Formulae for “x = x n”

x’(v) = v1: x(v1) n(v1,v)

x(u) y(u) t(u)u1 1 1 0u 0 0 0

n u1 uu1 0 1/2u 0 1/2

y

Old:

u1 ux

y

New:

u1 u

x

119

Summary

• Predicate logics allows naturally expressing SOS for languages with pointers and dynamically allocated structures

• 3-valued logic provides a sound solution• More precise solution+TVLA

(next meeting)

Documents

1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard