Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov

Finite Differencing of Logical Formulasfor Static Analysis

Thomas RepsUniversity of Wisconsin

Joint work with M. Sagiv and A. Loginov

Dynamic Algorithms

• This meeting, this community, . . .– Dynamic algorithms for better efficiency

• This talk– Dynamic updates expressed via logical

formulas• DB maintenance of materialized views• Dynamic descriptive complexity

– Dyn-FO [Patnaik & Immerman]– FOIES [Dong & Su]

– Dynamic algorithms for greater precision (avoid loss of information)

• The administrator of the U.S.S. Yorktown’s Standard Monitoring Control System entered 0 into a data field for the Remote Data Base Manager program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units.

• The Yorktown was dead in the water for about two hours and 45 minutes.

• A sailor on the U.S.S. Yorktown entered a 0 into a data field in a kitchen-inventory program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units.

• The Yorktown was dead in the water for about two hours and 45 minutes.

Analysis musttrack numericinformation

x = 3;y = 1/(x-3);

x = 3;px = &x;y = 1/(*px-3);

x = 3;p = (int*)malloc(sizeof int);*p = x;q = p;y = 1/(*q-3);

need to track valuesother than 0

need to track pointers

need to track dynamically allocated storage

Static Analysis

• Determine information about the possible situations that can arise at execution time, without actually running the program on particular inputs

• Typically:– Run the program on “aggregate values”,

which describe many stores all at once– For each point in the program, find a

descriptor that represents (a superset of) the stores that could possibly arise at that point

Static Analysis

List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}

typedef struct list_cell { int val; struct list_cell *next;} *List;

Bad

Actual

Static Analysis



Bad

Actual

Example: In-Situ List Reversal



x

yt




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL

Materialization




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

return y

t = y

ynext = t

y = x

x = xnext

x != NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

x

yt

x

yt

What Does a List Descriptor Describe?

represents x

yt

NULL

xyt

NULL

xyt

NULL

xyt

NULL

pointer analysis?points-to analysis?

alias analysis?shape analysis?

Dynamic storage allocationDestructive updating through pointers

Why is Shape Analysis Difficult?

• Destructive updating through pointers– p next = q– Produces complicated aliasing relationships

• Dynamic storage allocation– No bound on the size of run-time data

structures

Formalizing “. . .”Informal:

x

Formal:

xSummary

node

Using Relations to Represent Linked Lists

Relation Intended Meaning

x(v) Does pointer variable x point to cell v?

y(v) Does pointer variable y point to cell v?

t(v) Does pointer variable t point to cell v?

n(v1,v2) Does the n field of v1 point to v2?

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

u1 u2 u3 u4

xy

Using Relations to Represent Linked Lists

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

Canonical Abstraction

u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

n u1 u234

u1 0

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0


u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

n u1 u234

u1 0

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

= u1 u2 u3 u4 u1 1 0 0 0 u2 0 1 0 0 u3 0 0 1 0 u4 0 0 0 1


u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

= u1 u234 u1 1

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

x

yt

NULL

return y

t = y

ynext = t

y = x

x = xnext

x != NULL

x

yt

NULL

x

yt

NULL

u1 u

x

x(u) y(u) t(u)u1 1 0 0u 0 0 0

n u1 u

u1 0 1/2

u 0 1/2

yu1 u

x

x(u) y(u) t(u) u1 1 1 0 u 0 0 0

n u1 u

u1 0 1/2

u 0 1/2

y’(v) = x(v)

10

x

yt

NULL

x

yt

NULL

x

yt

return y

t = y

ynext = t

y = x

x = xnext

x != NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

x

yt

x

yt

Formalizing “. . .”• Informally x …

• Formally u1x u2

y

y

• Really: tables for x, y, and n

v2v1

u1 u2

u1 0 ½

u2 0 ½

n(v1,v2)x(v)v

u1

1

u2

0

y(v)v

u1 1

u2 0

Good Descriptors?

Good Descriptors?

Formalizing “. . .”

• Informallyx

y …

…

• Formallyu1x

u2yu3


• Informally

• Formally

x

y

… …

…

t

t’

u1x

u2yu3

u4

u5 t’

t

…


• Informally

• Formally

x

y …

…

rxx

ryy …

rx

ry

u1 u2

u3 u4


• Informally

• Formally

x

y

…

…

t

t’

rxrxx

ryy ry ry,rt’

t’

trx,rt

ry,rt’

rx,rtu4

u8u7u6u5

u1 u2 u3

…

…


• Really

• Formally

p (relation) p (definition)

var(v) core

n(v1,v2),

eq(v1,v2)core

rvar(v) v ’ : (var(v’) n*(v’,v))

rxrxx

ryy ry ry,rt’

t’

trx,rt

ry,rt’

rx,rtu4

u8u7u6u5

u1 u2 u3


• Really

• Formally

v2v1

u1 u2 u3

u4

u1 0 ½ 0 0

u2 0 ½ ½ 0

u3 0 0 0 ½

u4 0 0 0 ½

v u1 u2 u3 u4

u5

u6 u7

u8

0 0 1 0 0 0 0 0n(v1,v2)

t(v)

rt(v)v u1 u2 u3 u

4

u5

u6 u7

u8

0 0 1 1 0 0 0 0

rxrxx

ryy ry ry,rt’

t’

trx,rt

ry,rt’

rx,rtu4

u8u7u6u5

u1 u2 u3

Need for Update Formulas

x = xnrx

x

rx

rx

x

rx

rx

• Re-evaluating formulas can be impreciserx(v) = v’ : (x(v’) n*(v’,v))

Need for Update Formulas

• Re-evaluating formulas can be imprecise

rx

rx

x

rx = ½

rx

x

rx = 1

x = xn

rx(v) = v’ : (x(v’) n*(v’,v))

F[rx](v) = rx(v) ¬ x(v)

Goal: Create Update Formulas Automatically

• Originally: users provided all update formulas– A lot of work – Error prone

• Idea: finite differencing of formulas pnew(v) = p(v) ? ¬ :

= F[p, st](v)

negative differencepositive difference

[p, st](v) +[p, st](v)

update formula

F[p]

Finite Differencing of Formulas

F[p](v) = p(v) ? ¬[p](v) : +[p](v)

[p] +[p]

p

Laws for +

+[0] = 0 +[1] = 0

+[¬] = []

+[] = (+[] ¬) (¬ +[])

+[v : ] = (v : +[]) ¬(v : )

Finite Differencing of Formulas

– core update• S’ - updated core

structure p – instrumentation

relation formula• p – instrumentation

relation

S S’

p p

pp

p’

DB

DB’U

V’V

Maintenance of Materialized DB Views

• U – database update• DB’ – updated database - view query• V – view value

UV

DB: efficiencyStatic analysis: avoid loss of precision (½)

TC Maintenance for Single Edge Addition in Arbitrary Graphs

• Let tn(v1,v2) = n*(v1,v2)

• F[tn(v1,v2)] = tn(v1,v2)

v1’,v2’: tn(v1,v1’) +[n(v1’,v2’)] tn(v2’,v2)

TC Maintenance in FO Logic

• 3 special cases [Dong&Su, Immerman]– Acyclic relations– Relations with all nodes of outdegree at most

1– Undirected relationsFor a single edge addition or deletion (not both)

TC Maintenance for Single Edge Deletion in Acyclic Graphs

a b

a b

but

Suspicious Pairs

a b

• Suspicious tn pairs: (a,b)

S(v1,v2) =

v1’,v2’: tn(v1,v1’) [n(v1’,v2’)] tn(v2’,v2)

Suspicious Pairs (cont.)

• Suspicious tn pairs: (a,b) but not (c,d)

S(v1,v2) =

v1’,v2’: tn(v1,v1’) [n(v1’,v2’)] tn(v2’,v2)

a b

c d

Trusty Pairs

• Trusty pairs: (c,d) but not (a,b)– non-suspicious tn pairs (not using the deleted edge).

T(v1,v2) = tn(v1,v2) ¬S(v1,v2)

a b

c d

TC Maintenance for Single Edge Deletion in Acyclic Graphs (cont.)

• Future tn pairs:

F[tn(v1,v2)] = equal(v1,v2)

v1’,v2’: T(v1,v1’) F[n(v1,v2)] T(v2’,v2)

a b

TC Maintenance for Single Edge Deletion in Acyclic Graphs

(cont.)• Future tn pairs:


v1’,v2’: T(v1,v1’) F[n(v1,v2)] T(v2’,v2)

a b

a b


• Future tn pairs:


v1’,v2’: T(v1,v1’) F[n(v1,v2)] T(v2’,v2)

a b


• Future tn paths:


v1’,v2’: T(v1,v1’) F[n(v1,v2)] T(v2’,v2)

a b

c d

Measure of Success

Fraction of automatically generated update formulas that are as precise as existing hand-crafted update

formulas

Evaluation

Data Structure Sample properties

Singly linked list

• Partial correctness of sorting• Absence of insecure information flow• Merge preserves ADT and loses no elements of either list

Doubly linked list Append and Delete preserve ADT

Binary tree Deutsch-Schorr-Waite preserves ADT

Binary-search tree

Insert and Delete preserve ADT

Results

• 100% success (acyclic relations)– Cyclic relations correctly detected in 3 programs

• Performance effect was modest − 4% (decrease) to 44% average: ‹ 15%– Can be improved (e.g., caching of results)

• Optimization of set-theoretic expressions– Paige 79, Paige and Koenig 82

– Fong & Ullman (late 70s)

• DB: view maintenance; enforce integrity

constraints– Stonebraker 75; Paige 81; Horwitz & Teitelbaum 86

– Large body of DB literature in the 90s

• Dynamic descriptive complexity (Dyn-FO, FOIES)– Patnaik & Immerman 94; Dong & Su 93

• “Incrementalizing” functional programs– Liu 95; Liu & Teitelbaum 95

Related Work

For More Information

• Reps, T., Sagiv, M., and Loginov, A., Finite differencing of logical formulas for static analysis. In Proc. European Symp. on Programming, LNCS Vol. 2618, 2003.

• Sagiv, M., Reps, T., and Wilhelm, R., Parametric shape analysis via 3-valued logic. ACM TOPLAS 24, 3 (2002).

• Homepage for the TVLA system: http://www.math.tau.ac.il/~rumster/TVLA/

Finite Differencing of Logical Formulasfor Static Analysis

Thomas RepsUniversity of Wisconsin

Joint work with M. Sagiv and A. Loginov

Documents

Finite Differencing of Logical Formulas for Static Analysis Thomas Reps University of Wisconsin Joint work with M. Sagiv and A. Loginov