Program Analysis via 3-Valued Logic

1

Program Analysisvia 3-Valued Logic

Mooly Sagiv, Tal Lev-Ami, Roman ManevichTel Aviv University

Thomas Reps, University of Wisconsin, MadisonReinhard Wilhelm, Universität des Saarlandes

2

Interprocedural Analysis, so far

Abstract domains• (Powerset of) fixed set of program entities and

entities from underlying domain • Domains:

– P(Aexp*) Available expressions– P(Var* Lab* ) Reaching Definitions– Var* Val Constant Propagation– Var* Int Interval Analysis

3

Interprocedural Analysis• Dynamically created procedure incarnations• Domain P(Lab* (Var* …))

– Call strings – strings of labels of call sites– Sufficient to represent recursion because of nested

lifetimes, a call string corresponds to an actual stack– in general of unbounded length

non-computable fixed point– approximated by fixed length, k

4

Dynamically Created “Objects”• How to represent dynamically created

– heap cells, created by calls to mallocx=malloc();… x=malloc();… x=malloc();

– objects, created by constructors of classesx=new C;… x=new C;… x=new C;

– threads, created by thread constructors• In general,

– unbounded sets– non-nested lifetimes– anonymous

5

Anonymous Objects (contd.)• Concrete domains: relations reflecting accessibility,

– Stack for program variables – Heap for anonymous, dynamically created objects– pointer variables point from Stack into Heap– Heap consists of a set of functions modelling

references/pointer components• Abstract domains: How to deal with

unboundedness?• How to analyze programs without bounds on

number of objects?

Example: In-Situ List Reversal

List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}

typedef struct list_cell { int val; struct list_cell *next;} *List;

Reverses lists ofarbitrary length

Invariant:x points to head ofnon-reversed suffix,y to head of already reversed prefixor NULL (start)

7

Questions Posed to the Analysis• Can x be dereferenced while having value NULL

in some execution state?• Can an object leak out of the program’s

execution?• Can an object be freed while being shared?

8

Freeing a Shared Object

a = malloc(…) ;

b = a;

free (a);

c = malloc (…);

if (b == c) printf(“unexpected equality”);

9

Dereferencing a NULL pointer

typedef struct element { int value; struct element *next; } Elements

bool search(int value, Elements *c) {Elements *elem;for (elem = c;

c != NULL; elem = elem->next;)

if (elem->val == value)return TRUE;return FALSE

10

Dereferencing a NULL pointer


bool search(int value, Elements *c) {Elements *elem;for (elem = c;

c != NULL; elem = elem->next;)

if (elem->val == value)return TRUE;return FALSE

potential null de-reference

11

Memory LeakageElements* strange(Elements *x)

{Elements *y,*g;y = NULL;while (x!= NULL) {

g = x->next;y = x;x->next = y;x = g;

}return y;


12

Memory LeakageElements* strange (Elements *x)

{Elements *y,*g;y = NULL;while (x!= NULL) {

g = x->next;y = x;x->next = y;x = g;

}return y;

leakage of list elements


13

class Make { private Worklist worklist; public static void main (String[] args) { Make m = new Make(); m.initializeWorklist(args); m.processWorklist(); } void initializeWorklist(String[] args) { ...; worklist = new Worklist(); ... // add some items to worklist} void processWorklist() { Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item); } } void processItem(Object i){ ...; doSubproblem(...);} void doSubproblem(...) { ... worklist.addItem(newitem); ... }}

public class Worklist { Set s; public Worklist() {. ..; s = new HashSet(); ... } public void addItem(Object item) { s.add(item); } public Set unprocessedItems() { return s; }}return rev; }

14


Concrete execution on a list of length 3




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL

30

Original Problem: Shape Analysis

• Characterize dynamically allocated data structures– x points to an acyclic list, cyclic list, tree, dag, etc.– data-structure invariants

• Identify may-alias relationships

• Establish “disjointedness” properties– x and y point to data structures that do not share cells

31

Properties of reverse(x)• On entry: x points to an acyclic list

• On exit: y points to an acyclic list

• On exit: x = = NULL• Invariant: At the start of while loop,

x points to head of non-reversed suffix, y to head of already reversed prefix or NULL (start)(they are disjoint acyclic lists)

• All the pointer dereferences are safe

• No memory leaks

32


Abstract execution




x

yt

could be- the empty list- a non-empty list




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL

Materialization

assuming thatis not the empty list




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL

Materialization

assuming thatis not the empty list




x

yt

NULL




x

yt

NULL




x

yt

could be- the empty list- a non-empty list




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt

NULL

assuming thatstood for the empty list




x

yt

NULL




x

yt

NULL




x

yt

NULL

60

Why is Shape Analysis Difficult?

• Destructive updating through pointers– pnext = q– Produces complicated aliasing relationships

• Dynamic storage allocation– No bound on the size of run-time data structures– No syntactic names for locations

• Data-structure invariants typically only hold at the beginning and end of operations– Need to verify that data-structure invariants are re-

established

61

Main Ingredients: Abstract Domain• A new abstract domain for static analysis• Represents dynamically allocated memory• Based on predicate logic• Execution states in concrete semantics coded as

interpretations of sets of predicates over a 2-valued domain (1 true, 0 false) – unary predicate x for pointer variable x –

x(l) if x points to l– binary predicate next for selector next –

next (l1, l2) if next selector of l1 points to l2

62

Predicates (for reverse)

Predicate Intended Meaning

x(v) Does pointer variable x point to cell v?

y(v) Does pointer variable y point to cell v?

t(v) Does pointer variable t point to cell v?

n(v1,v2) Does the n field of v1 point to v2?




1 2 3 NULL

x

yt

NULL

Coding:t(l2)=1, y(l3)=1, n(l2,l1)=1, predicates with value 0not listed

l1 l2 l3

64

Main Ingredients: Semantics of Statements

• Predicate-Update Formulae for a statement• Describe how the interpretation of predicates

changes by executing the statement– x = y

changes the interpretation of x to that of y– x -> next = y

changes the interpretation of next such thatn(l1,l2)=1 for some l, l1, l2 with x(l) = 1, n(l, l1)=1, and y(l2)=1

65

Main Ingredients: Analysis• Abstract interpretation by evaluation over

3-valued domain (1, 0, ½ don’t know)• Kleene’s interpretation of predicate logic• A system TVLA

– Input: • Operational semantics• Input Program

– Output: the result of the analysis




x

yt

l3l1 l2

x(l3)=1, t(l2)=1, y(l3)=1,n(l2, l1)=1,

n(l1,…) = ?n(l3,…) = ?n(l1,…) = 1/2n(l3,…) = 1/2

67

Formalizing “. . .”Informal:

x

Formal:

xSummary

node

68

Plan

Motivation• SWhile• An SOS for SWhile• An SOS for SWhile using predicate calculus• Simple Abstract interpretation using 3-valued

logics• More precise abstract interpretation+ TVLA (next

meeting)

69

Repetition

3-valued logic based analysis• computes invariants about data structuresx points to acyclic singly linked list

• Semantics is formulated in 1st order predicate logicx(v) = 1 if x points to v

• 3rd value ½ to express don’t know

70

The SWhile Programming Language Abstract Syntax

a := x | x.sel | null | n | a1 opa a2

b := true | false | not b | b1 opb b2 | a1 opr a2

S := x := a | x.sel := a | x := malloc() | skip | S1 ; S2 | if b then S1 else S2 | while b do S

sel:= car | cdr

78

Predicate Logic• Vocabulary

– A finite set of predicate symbols Peach with a fixed arity

– A finite set of function symbols• Logical Structures S provide meaning for the

predicate symbols– A set of individuals (nodes) U– PS: US {0, 1}

• First-Order Formulas using , , , , express properties

79

P = {x1, y1, car2, cdr2}

US={l1, l2, l3}

xS=[l1 1, l2 0, l3 0] yS=[l1 0, l2 0, l3 0},

carS=[<l1, 1> 1, <l2, 2> 1, <l3, 3> 1, <l1 , 0> 0, <l1,2 > 0, …, <l2 , 1> 0, <l2,3 > 0, … ]

null1 2 3x

y null

l1 l2 l3{l1, l2, l3},

[x l1 ,y null],

[l1 1, l2 2, l3 3],

[l1 l2, l2 l3, l3 null]

cdrS=[<l1, l1> 0, <l1 , l2> 1, <l1,l3 > 0, <l2, l1> 0, <l2 , l2> 0, <l2,l3 > 1, <l3, l1> 0, <l3 , l2> 0, <l3,l3 > 0 ]

80

Formal Semantics of First Order Formulae

• For a structure S=<US, PS>• Formula with free variables from a set LVar• Assignment z: LVarUS

S(z): {0, 1}

1S(z)=10S(z)=1

v1=v2S(z) =1 if z(v1) = z(v2)

0 if z(v1) z(v2)

p (v1, v2, …, vk)S(z)=pS (z(v1), z(v2), …, z(vk))

81

Formal Semantics of 1st Order Formulae

• For a structure S = <US, PS>• Formulae with LVar free variables• Assignment z: LVarUS

S(z): {0, 1}

1 2S(z)=max (1 S(z), 2 S(z))

1 2S(z)=min (1 S(z), 2 S(z))

1S(z)=1- 1 S(z)

v: 1S(z)=max {1 S(z[vu]) : u US}

82

Using Predicate Logic to Describe States

• U=O• For a pointer variable x define a unary predicate

– x(u)=1 when env(x)=u and u is an object• Two binary predicates:

– car(u1, u2) = 1 when car(u1)=u2 and u2 is object

– cdr(u1, u2) = 1 when cdr(u1)=u2 and u2 is object

83

Semantics Described in Predicate Logic

• First-order structures– hold recorded information about states

• Formulae– means for querying structures describing states

• Predicate-update formulae– operational semantics of statements– update recorded information about states

84

Recorded Information (for reverse)

Predicate Intended Meaning

x(v) Does pointer variable x point to cell v?

y(v) Does pointer variable y point to cell v?

t(v) Does pointer variable t point to cell v?

n(v1,v2) Does the n field of v1 point to v2?

85

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

Recorded Information (for reverse)

u1 u2 u3 u4

xy

86

Formulae for Querying Structures

• Are x and y pointer aliases?v: x(v) y(v)

• Does x point to a cell with a self cycle?v : x(v) n(v,v)

87

xy u1 u2 u3 u4

Are x and y Pointer Aliases?v: x(v) y(v)

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

xy u1

Yes

90

Predicate-Update Formulae for ‘y = x’

• x’(v) = x(v)• y’(v) = x(v)• t’(v) = t(v)• n’(v1,v2) = n(v1,v2)

91

x(u) y(u) t(u)u1 1 0 0u2 0 0 0u3 0 0 0u4 0 0 0

xu1 u2 u3 u4

Predicate-Update Formulae for ‘y = x’

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

y’(v) = x(v)

y

92

Predicate-Update Formulae for ‘x = x n’

• x’(v) = v1: x(v1) n(v1,v)• y’(v) = y(v)• t’(v) = t(v)• n’(v1, v2) = n(v1, v2)

93

xu1 u2 u3 u4

Predicate-Update Formulae for ‘x = x n’

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u) u1 1 1 0 u2 0 0 0 u3 0 0 0 u4 0 0 0

y

x’(v) = v1: x(v1) n(v1,v)

x

94

Predicate-Update Formulae for ‘y n = t’

• x’(v) = x(v)• y’(v) = y(v)• t’(v) = t(v)• n’(v1,v2) = y(v1) n(v1,v2) y(v1) t(v2)

95

Two- vs. Three-Valued Logic

0 1

Two-valued logic

{0,1}

{0} {1}

Three-valued logic

{0} {0,1}{1} {0,1}

96

Two- vs. Three-Valued LogicTwo-valued logic

1 01 1 00 0 0

1 01 1 10 1 0

Three-valued logic {1} {0,1} {0}

{1} {1} {0,1} {0}{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}

{1} {0,1} {0}{1} {1} {1} {1}

{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}

97

Two- vs. Three-Valued LogicThree-valued logic

0

1

Two-valued logic 1 01 1 00 0 0

1 01 1 10 1 0

{1}

{0,1}

{0}

1

½

0

{1} {0,1} {0}{1} {1} {0,1} {0}

{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}

{1} {0,1} {0}{1} {1} {1} {1}

{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}

98

• 1: True• 0: False• 1/2: Unknown • A join semi-lattice: 0 1 = 1/2

Three-Valued Logic

1/2 Information

order

99

Boolean Connectives [Kleene] 0 1/2 10 0 0 0

1/2 0 1/2 1/21 0 1/2 1

0 1/2 10 0 1/2 1

1/2 1/2 1/2 11 1 1 1

100

The Abstraction Principle

• Partition the individuals into equivalence classes based on the values of their unary predicates

• Collapse other predicates via

101

n u1 u2 u3 u4u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

The Abstraction Principle

u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

n u1 u234

u1 0

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

102

What StoresDoes a 3-Valued Structure Represent?• Example 3-valued structure

– individuals: {u1}– predicates:

• graphical presentation

• concrete stores represented

x y t u1 1 0 0

xu1

n u1 u1 0

3 x8 x 37 x

103

• Example 3-valued structure


• concrete stores

What StoresDoes a 3-Valued Structure Represent?

x y t u1 1 0 0 u 0 0 0

u1 ux

u1 ux

n u1 u u1 0 1/2 u 0 1/2

x 31 71 91

104

x y t u1 1 0 0 u 0 0 0

n u1 u u1 0 1/2 u 0 1/2

• Example 3-valued structure


• concrete storesu1 u

xu1 u

x

x 31 71 91

What StoresDoes a 3-Valued Structure Represent?

105

Property-Extraction Principle• Questions about store properties can be

answered conservatively by evaluating formulae in three-valued logic

• Formula evaluates to 1 formula always holds in every store

• Formula evaluates to 0 formula never holds in any store

• Formula evaluates to 1/2 don’t know

106

The Embedding Theorem (Intuition)Property of Canonical Abstraction• definitive information, i.e. with value 0 or 1 is

preserved (conservatism)• allows trading precision for efficiency (up to

surprises)

107

The Embedding Theorem• If a structure B can be embedded into a structure

S via a surjective (onto) function f such that the interpretation of predicates is preserved, i.e., pB(u1, ..., uk) pS (f(u1), ..., f(uk))

• Then, the interpretation of every formula is preserved =1 in S =1 in B =0 in S =0 in B =1/2 in S don’t know

108

Are x and y Pointer Aliases?

u1 uxy

v: x(v) y(v)

Yes

1

109

Is Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

u

Yes

1 1

1

1

110

MaybeIs Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

u1 uxy

1/21/2 1

1/2

111

The Instrumentation Principle

• So far, structures could be queried by evaluating a formula• However, often low precision• Increase precision by storing the truth-value of some

designated formulae• Introduce predicate-update formulae to update the extra

predicates

112

is = 0 is = 0 is = 0 is = 0

Example: Heap Sharing

x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

u1 ux

u1 ux

is = 0 is = 0

is = 1

is = 1/2

113

is = 0 is = 0 is = 0 is = 0


x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

u1 ux

u1 ux

is = 0 is = 0

114

is = 0 is = 0 is = 0 is = 0


x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

u1 ux

u1 ux

is = 0 is = 0

is = 1

is = 1

115

Is Cell u Heap-Shared?

v1,v2: n(v1,u) n(v2,u) v1 v2

u1 uxy

1/2

1/21/2 1

is = 0 is = 0

No!

116

Example2: SortednessinOrder(v) = v1: n(v,v1) dle(v, v1)

u1 ux

u1 ux

inOrder = 1 inOrder = 1

n n

inOrder = 1

x 51 71 91inOrder = 1 inOrder = 1 inOrder = 1

n n n

117

inOrder = 1

Example2: Sortedness

x 51 45 91

inOrder(v) = v1: n(v,v1) dle(v, v1)

uxx

inOrder = 0 inOrder = 1 inOrder = 1

inOrder = 1 inOrder = 1

n n n

n n

inOrder = 0

n

118

Shape Analysis viaAbstract Interpretation

• Iteratively compute a set of 3-valued structures for every program point

• Every statement transforms structures according to the predicate-update formulae– use 3-valued logic instead of 2-valued logic– use exactly the predicate-update formulae of the

concrete semantics!!

119

Predicate-Update Formulae for “y = x”y’(v) = x(v)

Old:

u1 ux

x(u) y(u) t(u)u1 1 0 0u 0 0 0

n u1 uu1 0 1/2u 0 1/2

y

New:

u1 ux

120

Predicate-Update Formulae for “x = x n”

x’(v) = v1: x(v1) n(v1,v)

x(u) y(u) t(u)u1 1 1 0u 0 0 0

n u1 uu1 0 1/2u 0 1/2

y

Old:

u1 ux

y

New:

u1 u

x

121

Summary

• Predicate logics allows to naturally express the operational semantics for languages with pointers and dynamically allocated objects

• 3-valued logic provides a sound solution

Documents

Program Analysis via 3-Valued Logic