1

Shape Analysisvia 3-Valued Logic

Mooly SagivTel Aviv University

Shape analysis with applications

Chapter 4.6

http://www.cs.tau.ac.il/~rumster/TVLA/

2

Outline

• Collecting Semantics using first order logic

• 3-valued logic and embedding

• Simple abstract semantics using logic

• More precise abstract semantics

• TVLA

3

Collecting Semantics using Logic

• Represent states using logical structures• Construct the program control flow graph

with a distinguished node start• Define the set of logical structures at start• Define the meaning of program conditions

using closed first order formulae • Define the meaning of statements using

first order formulae

4

The SWhile Programming Language Abstract Syntax

a := x | x.sel | null | n | a1 opa a2

b := true | false | not b | b1 opb b2 | a1 opr a2

S := [x := a]l | [x.sel := a]l | [x := malloc()]l | [skip] l | S1 ; S2 | if [b]l then S1 else S2 | while [b]l do S

sel:= car | cdr

5

Example

[x := null;]1

while ([count > 0]2) (

[t := malloc();]3

[t.cdr := x;]4

[x :=t;]5

Predicates

• Unary

•x(v)

•t(v)

• Binary

•car(v1, v2)

•cdr(v1, v2)

•eq(v1, v2)

6

([count > 0]2

[x :=t;]5

exit

[x := null;]1

[t.cdr :=x;]4

[t :=malloc();]3

x:=null {x’(v) := 0 }

t:=malloc() {let v0 := new() in t(v) := eq(v, v0)}

t.cdr :=x {message v: t(v) … cdr’(v1, v2) := (t(v1)? x(v2): cdr(v1, v2))}

x:=tx’(v) := t(v) }

(?1:2)

(1)(2)

[count:=count-1;]6

7

The reverse example

[y := null;]1

while ([x !=null]2) (

[t := y;]3

[y := x;]4

[x :=x.cdr;]5

[y.cdr :=t;]6

Predicates

• Unary

•x(v)

•t(v)

•y(v)

• Binary

•car(v1, v2)

•cdr(v1, v2)

•eq(v1, v2)

8

([x!=null]2

[y.cdr :=t;]6

exit

[y:= null;]1

[x :=x.cdr;]5

[t :=y;]3

a3

y:=null={ y’(v) :=0 }

x !=null = v: x(v) t:=y={t(v) :=y(v)}

x:=x.cdr ={ message v:x(v) … x’(v) := v1:x(v1) cdr(v1, v) }

y.cdr :=t ={ cdr’(v1, v2) := y(v1)? t(v2) : cdr(v1, v2) }

[y :=x;]4

y:=x={{ y’(v) :=x(v)}

9

Statement’s Meaning

st st

x:=null {x(v) := 0 }

x:=malloc() {let v0 = new() in

x’(v) := eq(v, v0) }

x := y {x’(v) := y(v)}

x:=y.sel {message v:x(v) …

x’(v) := v1:x(v1) sel(v1, v)

}

x.sel:=y {message v:x(v) …sel’(v1, v2) := (x(v1)? y(v2) : sel(v1, v2))

}

10

Condition’s Meaning

cond condx!=null v:x(v)

x==null v:x(v)

x==y v:x(v)y(v)

x!=y v:x(v)y(v)

11

Collecting Semantics

CS (start) = {<, >}

CS (v) =

{st(u) (S): uv E, S CS(u)} {S : S, uv Et , S cond(u) }

{S: S, uv Ef , S cond(u) }

12

• 1: True

• 0: False

• 1/2: Unknown

• A join semi-lattice: 0 1 = 1/2

Three-Valued Logic

1/2

Information order

13

3-Valued Logical Structures

• A set of individuals (nodes) U

• Predicate meaning– PS: US {0, 1, 1/2}

14

u1 ux

u1 u2

xu3

cdr cdr cdr

US={u1, u2, u3}xS=[u11, u20, u30] yS=[u10, u20, u30]

carS=[<u1 , u1> 0, <u1, u2>0, <u1,u3>0, <u2 , u1> 0, <u2, u2>0, <u2, u3>0 <u3, u1> 0, <u3, u2>0, <u3, u3>0]

cdrS=[<u1 , u1> 0, <u1, u2>1, <u1,u3>0, <u2 , u1> 0, <u2, u2>0, <u2, u3>1/2,

<u3, u1> 0, <u3, u2>0, <u3, u3>1/2]

eqS=[<u1 , u1> 1, <u1, u2>0, <u1,u3>0, <u2 , u1> 0, <u2, u2>1, <u2, u3>0,

<u3, u1> 0, <u3, u2>0, <u3, u3>1/2]

15

Embedding

• A pre-partial order on 3-valued logical structures

• S1 S2 every concrete state represented by S1 is also represented by S2

• The set of nodes in S1 and S2 may be different– No meaning for nodes (abstract locations)

16

Embedding

• S1 f S2 – f maps the individuals of S1 onto S2

– pS1(u1, .., uk) pS

2 (f(u1), ..., f(uk))

• S1 S2 there exists f such that S1 f S2

• Pre partial order• Induces a pre-partial order on P(3-Struct)

– Set-union is a least upper bound • Finite height :3-Struct P(2-Struct)

(S) = {S’ : S’2-Struct, S’ S } :P(3-Struct) P(2-Struct)

(XS) = S XS (S)

17

Tight Embedding

• S=<US, PS>

• f: US U# such that f is onto

• Define S#=<U#, P#>– p#(u#

1, .., u#k) ={pS (u1, ..., uk) : f(ui)=u#

i}

• S f S#

18

The Abstraction Principle

• Partition the individuals into equivalence classes based on the values of their unary predicates

• Collapse other predicates via

19

cdr u1 u2 u3 u4 u1 0 1 0 0 u2 0 0 1 0 u3 0 0 0 1 u4 0 0 0 0

The Abstraction Principle

u1 u2 u3 u4

x

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

cdr

u1 u234

u1 0 u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

cdr cdr cdr

u1

xu234

blur cdrcdr

20

Boolean Connectives [Kleene]

0 1/2 1

0 0 0 01/2 0 1/2 1/21 0 1/2 1

0 1/2 1

0 0 1/2 11/2 1/2 1/2 11 1 1 1

21

Formal Semantics of First Order Formulae

• For a structure S=<US, PS>

• Formulae with LVar free variables

• Assignment z: LVarUS

S(z): {0, 1, 1/2}

1S(z)=1

0S(z)=1

p (v1, v2, …, vk)S(z)=pS (z(v1), z(v2), …, z(vk))

22

Formal Semantics of First Order Formulae

• For a structure S=<US, PS>

• Formulae with LVar free variables

• Assignment z: LVarUS

S(z): {0, 1, 1/2}

12S(z)=max (1 S(z), 2 S(z))

12S(z)=min (1 S(z), 2 S(z))

1S(z)=1- 1 S(z)

v: 1S(z)=max {1 S(z[vu]) : u US}

23

The Embedding Theorem

• Evaluating a formula in S is conservative with respect to (S)

• Every formula is preserved =1 in S =1 in every S’(S) =0 in S =0 in every S’(S) =1/2 in S don’t know

24

The Embedding Theorem

• Sf S’

• Formulae with LVar free variables

• Assignment z: LVarUS

S(z) S’(f z)

25

Shape Analysis viaAbstract Interpretation

• Iteratively compute a set of 3-valued structures for every program point

• Every statement transforms structures according to the predicate-update formulae– use 3-valued logic instead of 2-valued logic– use exactly the predicate-update formulae of the

concrete semantics!!

26

Abstract Semantics

AI (start) = {<, >}

CS (v) =

{blur(st(u)3(S)): uv E, S AI(u)} {S : S, uv Et , S3 cond(u) }

{S: S, uv Ef , S3 cond(u) }

27

([count > 0]2

[x :=t;]5

exit a2

[x := null;]1

[t.cdr :=x;]4

[t :=malloc();]3

x:=null {x’(v) := 0 }

t:=malloc() {let v0 := new() in t(v) := eq(v, v0)}

t.cdr :=x {message v: t(v) … cdr’(v1, v2) := (t(v1)? x(v2): cdr(v1, v2))}

x:=tx’(v) := t(v) }

28

([x!=null]2

[y.cdr :=t;]6

exit

[y:= null;]1

[x :=x.cdr;]5

[t :=y;]3

a3

y:=null={ y’(v) :=0 }

x !=null = v: x(v) t:=y={t(v) :=y(v)}

x:=x.cdr ={ message v:x(v) … x’(v) := v1:x(v1) cdr(v1, v) }

y.cdr :=t ={ cdr’(v1, v2) := y(v1)? t(v2) : cdr(v1, v2) }

[y :=x;]4

y:=x={{ y’(v) :=x(v)}

29

Intermediate Summary

• Predicate logics allows naturally expressing SOS for languages with pointers and dynamically allocated structures

• 3-valued logic provides a sound solution– Immediate from Embedding theorem– All you need is to guarantee the SOS

correctness

• But not very precise

30

More precise abstract interpretation

• Refine the abstraction (concretization)

• More precise abstract interpretation of basic statements– But not necessarily the best (induced)

31

The Instrumentation Principle

• Increase precision by storing the truth-value of some designated formulae

• Introduce predicate-update formulae to update the extra predicates

32

is = 0 is = 0 is = 0 is = 0

Example: Heap Sharing

x 31 71 91

is[sel](v) = v1,v2: sel(v1,v) sel(v2,v) eq(v1, v2)

u1 ux

u1 ux

is = 0 is = 0

33

is = 0 is = 0 is = 0 is = 0

Example: Heap Sharing

x 31 71 91

is[sel](v) = v1,v2: sel(v1,v) sel(v2,v) eq(v1 , v2)

u1 ux

u1 ux

is = 0 is = 0

is = 1

is = 1

34

Updating sharing x.sel:=y

is [sel]’(v) := (v1:x(v1)? (y(v)? v2:sel(v2, v) x(v2) :(sel(v1, v)? v2, v3: is[sel](v2, v3, v) x(v2) x(v3) : is[sel](v)) :is[sel](v)) is[sel](v2, v3, v) = sel(v2, v)sel(v3, v) eq(v2, v3)

35

Other Instrumentation

• c[cdr,car](v)=v1: cdr(v, v1)car(v1, v)• c[car,cdr](v)=v1: car(v, v1)cdr(v1, v)• r[sel](v1, v2) = sel*(v1, v2)• r[x, sel](v) = v1: x(v1)sel*(v1, v)• r[x](v) = v1: x(v1)(car|cdr)*(v1, v)• inOrder[sel,dle](v) = v1: sel(v, v1) dle(v, v1)• inROrder[sel,dle](v) = v1: sel(v, v1) dle(v1, v)

36

([x!=null]2

[y.cdr :=t;]6

exit

[y:= null;]1

[x :=x.cdr;]5

[t :=y;]3

a3

y:=null={ y’(v) :=0 }

x !=null = v: x(v) t:=y={t(v) :=y(v)}

x:=x.cdr ={ message v:x(v) … x’(v) := v1:x(v1) cdr(v1, v) }

y.cdr :=t ={ cdr’(v1, v2) := y(v1)? t(v2) : cdr(v1, v2) }

[y :=x;]4

y:=x={{ y’(v) :=x(v)}

37

Semantic Reduction

l

L1

L2 op

• Improve the precision of the analysis by recovering properties of the program semantics

• A Galois connection (L1, , , L2)

• An operation op:L2L2 is a semantic reduction lL2 op(l)l (op(l)) = (l)

• Can be applied before and after basic operations

• Preserve soundness

38

Materialization

x = x cdry u1 ux

u1 ux cdr

cdr

xy u1 uu1 ucdr

cdr

x = x cdry

x

u1 u3u2y u1 ux

u1 ux cdr

cdr

cdr

cdr

39

The Focusing Principle

• To increase precision– “Bring the predicate-update formula into

focus” (Force 1/2 to 0 or 1)

– Then apply the predicate-update formulae

• Generalizes materialization

40

(1) Focus on v1: x(v1) cdr(v1,v)

y u1 ux

u1 ux cdr

cdr

r[cdr]

y u1 ux

u1 ux

cdr

y u1 ux

u1 ux cdr

cdr

yu1 u.1

x

u.0

cdr

cdr cdr

cdr

41

x’(v) = v1: x(v1) cdr(v1,v)

(2) Evaluate Predicate-Update Formulae

y u1 ux

u1 ux

cdr

y u1 uu1 u

cdr

y u1 ux

u1 ux cdr

cdr

yu.0u1 u.1

cdrcdr

y u1 uu1 uxcdr

cdr

cdrcdr

cdr

x

u.0y

u1 u.1

cdr

cdrcdr

cdr

cdr

42

The Focus Operation

• Focus: Formula(P(3-Struct) P(3-Struct))

• For every formula – Focus()(X) yields structure in which evaluates to a

definite values in all assignments

– Focus() is a semantic reduction

– But Focus()(X) may be undefined for some X

43

(1) Focus on v1: x(v1) cdr(v1,v)

y u1 ux

u1 ux cdr

cdr

y u1 ux

u1 ux

cdr

y u1 ux

u1 ux cdr

cdr

yu1 u.1

x

u.0

cdr

cdr cdr

cdr

44

(1) Focus on v1: cdr(v1,v)

y u1 ux

u1 ux cdr

cdr

45

x’(v) = v1: x(v1) cdr(v1,v)

(2) Evaluate Predicate-Update Formulae

y u1 ux

u1 ux

cdr

y u1 uu1 u

cdr

y u1 ux

u1 ux cdr

cdr

yu.0u1 u.1

cdrcdr

y u1 uu1 uxcdr

cdr

cdrcdr

cdr

x

u.0y

u1 u.1

cdr

cdrcdr

cdr

cdr

46

The Coercion Principle

• Another Semantic Reduction• Can be applied after Focus or after Update or both• Increase precision by exploiting some structural

properties possessed by all stores (Global invariants)

• Structural properties captured by constraints

• Apply a constraint solver

47

(3) Apply Constraint Solver

x

u.0y

u1 u.1

cdr

cdrcdr

cdr

cdr

x

u.0y

u1 u.1

cdr cdr

48

Example Constraints

x(v1) x(v2)eq(v1, v2)

sel(v, v1) sel(v,v2)eq(v1, v2)

sel(v1, v) sel(v2,v)eq(v1, v2)is[sel](v)

49

Sources of Constraints

• Properties of the operational semantics

• Domain specific knowledge– Instrumentation predicates

• User supplied

50

Format of Constraints

p(v1, v2, …, vk) ij vivj

p(v1, v2, …, vk) ij vivj

• Interpretation– If LHS is 1 so is RHS– Preserved under tight embedding

51

Example Constraintsx(v1) x(v2)eq(v1, v2) (1)

sel(v, v1) sel(v,v2)eq(v1, v2) (2)

sel(v1, v) sel(v2,v)eq(v1, v2)is[sel](v) (3)

is[sel](v) sel(v1, v) sel(v2,v)eq(v1, v2) (4)

x(v1) eq(v1, v2) x(v2) (1a)

sel(v, v1) eq(v1, v2) sel(v,v2) (2a)

sel(v1, v) sel(v2,v)is[sel](v) eq(v1, v2) (3a)

sel(v1, v) eq(v1, v2) is[sel](v) sel(v2,v) (3b)

52

(3) Apply Constraint Solver

x

u.0y

u1 u.1

cdr

cdrcdr

cdr

cdr

x(v1) x(v2)eq(v1, v2) (1)

x

u.0y

u1 u.1

cdr

cdrcdr

cdr

cdr

x

u.0y

u1 u.1

cdr

cdrcdr

cdr

cdr

sel(v1, v) eq(v1, v2) is[sel](v) sel(v2,v) (3b)

x

u.0y

u1 u.1

cdr

cdrcdr

cdr

cdr

53

Summary

• Predicate logics allows naturally expressing SOS for languages with pointers and dynamically allocated structures

• 3-valued logic provides a sound solution

• Semantic reductions improve precision and preserve soundness

• Next meeting: TVLA + some applications