Logic-Flow Analysis of Higher-Order Programs
Matt Might, http://matt.might.net/, POPL 2007

  1. Why? Tim Sweeney, POPL 2006: static array-bounds checking.
  Example: ... a[i] ... Will 0 ≤ i < a.length always hold?


  46. Tool 3: Restricted first-order logic for states
  Features
  ◮ Propositions are facts about concrete machine states.
  ◮ Ground terms are identities (bindings, locations, constants).
  Restrictions
  ◮ No existential quantifiers.
  ◮ Only outer-level universal quantifiers.
  ◮ Quantifiers range over abstract identities.

  47-49. Example: Proposition
  "Every value of x bound while calling foo is less than the length of every array bound to a."
  In longhand: (forall x : (x, t̂_foo) (forall a : (a, ⊤) (< x (alen a))))
  Or, in convenient (but incomplete) shorthand: (< (x, t̂_foo) (alen (a, ⊤)))

  50. Logic syntax
  Features
  ◮ S-expressions.
  ◮ Just or, not.
  ◮ Relations encoded as functions.

  51-53. Logic semantics
  Question: How do we know when proposition φ is true for state ς?
  Answer: When ς ⊨ φ holds. Means exactly what you think it means.

  54-57. Filtered concretization
  Each of the following concretizes to a set of concrete states (State):
  ς̂      concretizes to  {ς : |ς| ⊑ ς̂}
  Π      concretizes to  {ς : ς ⊨ Π}
  ς̂ / Π  concretizes to  {ς : |ς| ⊑ ς̂ and ς ⊨ Π}

  58-60. Deriving new propositions
  Example: If ς ⊨ (= x y) and ς ⊨ (= y z), does ς ⊨ (= x z) hold?
  Answer: Yes, if {(= x y), (= y z)} ⊢ (= x z) holds.
  Rules (premises ⟹ conclusion):
  (Assm)    ψ ∈ Π  ⟹  Π ⊢ ψ
  (Subst)   Π ⊢ (= ι ι′),  Π ⊢ ψ[ι/x]  ⟹  Π ⊢ ψ[ι′/x]
  (∨Ant)    Π ∪ {φ₁} ⊢ φ₃,  Π ∪ {φ₂} ⊢ φ₃  ⟹  Π ∪ {(or φ₁ φ₂)} ⊢ φ₃
  (Ant)     Π ⊢ φ,  Π ⊆ Π′  ⟹  Π′ ⊢ φ
  (Cases)   Π ∪ {φ₁} ⊢ φ₂,  Π ∪ {(not φ₁)} ⊢ φ₂  ⟹  Π ⊢ φ₂
  (Contr)   Π ∪ {(not φ₁)} ⊢ φ₂,  Π ∪ {(not φ₁)} ⊢ (not φ₂)  ⟹  Π ⊢ φ₁
  (Eq)      Π ⊢ (= ι ι)
  (∨Cons)   Π ⊢ φ₁  ⟹  Π ⊢ (or φ₁ φ₂), (or φ₂ φ₁)
  (Int)     Π ⊢ (forall x : ι̂ φ),  {φ} ⊢ φ′  ⟹  Π ⊢ (forall x : ι̂ (and φ φ′))
  (∀Intro)  Π ⊢ ψ,  x ∉ free(ψ)  ⟹  Π ⊢ (forall x : ι̂ ψ)
  (∀Swap)   Π ⊢ (forall ⟨x₁, x₂⟩ : ⟨ι̂₁, ι̂₂⟩ ψ)  ⟹  Π ⊢ (forall ⟨x₂, x₁⟩ : ⟨ι̂₂, ι̂₁⟩ ψ)

  61-63. Trusting the theorem prover
  Summary
  ◮ ⊨ : What a proposition means.
  ◮ ⊢ : What a proposition implies.
  Question: How can we trust an external theorem prover?
  Theorem (Syntactic soundness): If Π ⊢ φ holds, then Π ⊨ φ holds.

  64. All together now

  65-66. Woven state
  Example (Machine, ς̂): call site (f x k), time t̂_f
  local env: f ↦ t̂_foo, k ↦ t̂_foo, x ↦ t̂_foo
  global env: (f, t̂_foo) ↦ ···, (k, t̂_foo) ↦ ···, (x, t̂_foo) ↦ positive, (z, t̂_bar) ↦ positive
  Example (Assumptions, Π): (forall x : (x, t̂_foo) (forall z : (z, t̂_bar) (< x z)))

  67. Woven transition relation
  (ς̂, Π) ⟹ (ς̂′, Π′)
  ς̂ : old machine state, Π : old assumption base; ς̂′ : new machine state, Π′ : new assumption base.

  68-72. Example: Transition
  Example: call site (f x k), time t̂_f
  local env: f ↦ t̂_foo, x ↦ t̂_foo
  global env: (f, t̂_foo) ↦ a closure over (λ (a q) ...)
  New fact? (forall ⟨x, a⟩ : ⟨(x, t̂_foo), (a, t̂_f)⟩ (= x a))

  73. It depends.

  74. Chaining equal values
  Candidate for Π′: φ = (forall ⟨x, a⟩ : ⟨(x, t̂_foo), (a, t̂_f)⟩ (= x a))
  Prerequisites: Can add it if Π ⊢ φ.
  Chicken and egg: How can φ be in there already?

  75-77. ΓCFA: Abstract counting
  Idea: Keep count of concrete counterparts to abstract identities.
  Mechanism
  ◮ Add counter to every abstract machine state.
  ◮ Counter maps each binding to times allocated.
  ◮ Stop counting after 1.
  Theorem: If |binding₁| = |binding₂| and that abstract binding's count is 1, then binding₁ = binding₂.

  78. Chaining equal values
  Candidate for Π′: φ = (forall ⟨x, a⟩ : ⟨(x, t̂_foo), (a, t̂_f)⟩ (= x a))
  Prerequisites
  ◮ Can add it if Π ⊢ φ.
  ◮ Or, if count of (x, t̂_foo) is 1 and count of (a, t̂_f) is 0.

  79-80. ΓCFA: Abstract garbage collection
  Idea: Discard unreachable bindings.
  Mechanism
  ◮ Start with bindings touched by current state.
  ◮ Take transitive closure.
  ◮ Can reset unreachable bindings' counts to 0.

  81. Chaining equal values
  Candidate for Π′: φ = (forall ⟨x, a⟩ : ⟨(x, t̂_foo), (a, t̂_f)⟩ (= x a))
  Prerequisites
  ◮ Can add it if Π ⊢ φ.
  ◮ Or, if count of (x, t̂_foo) is 1 and count of (a, t̂_f) is 0.
  ◮ Or, if count of (x, t̂_foo) is 1 and (a, t̂_f) is unreachable.
  ◮ (More in paper.)
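The count and reachability prerequisites above rest on the ΓCFA bookkeeping from the preceding slides. The following is an added example, not code from the paper or the talk: it implements abstract counting with saturation at 1, abstract garbage collection as a transitive closure over an assumed store (each binding mapped to the bindings its value refers to, e.g. a closure's environment), and the two count/reachability prerequisites for chaining (= x a). The binding names, the store and the call-site scenario are all constructed for the example.

```python
"""Gamma-CFA bookkeeping behind "Chaining equal values" (added example, not the
paper's code).  Bindings are "var@time" strings; names here are made up."""

INF = float("inf")          # "stop counting after 1": a count is 0, 1 or infinity


def allocate(counts, binding):
    """Abstract counting: record one more concrete allocation of `binding`."""
    counts[binding] = 1 if counts.get(binding, 0) == 0 else INF
    return counts


def reachable(store, roots):
    """Bindings touched by the current state (roots), closed transitively
    through the store (binding -> bindings its value refers to)."""
    seen, todo = set(), list(roots)
    while todo:
        b = todo.pop()
        if b not in seen:
            seen.add(b)
            todo.extend(store.get(b, ()))
    return seen


def collect(counts, store, roots):
    """Abstract garbage collection: unreachable bindings get their count reset to 0.
    Returns the new counter and the live set."""
    live = reachable(store, roots)
    return {b: (c if b in live else 0) for b, c in counts.items()}, live


def chain_by_count(counts, old, new):
    """Slide 78: (= old new) may enter Pi' if count(old) == 1 and count(new) == 0."""
    return counts.get(old, 0) == 1 and counts.get(new, 0) == 0


def chain_by_reachability(counts, live, old, new):
    """Slide 81: (= old new) may enter Pi' if count(old) == 1 and new is unreachable."""
    return counts.get(old, 0) == 1 and new not in live


def scenario():
    """Constructed scenario: call site (f x k) in contour t_foo is about to bind
    (a, t_f), but f has already been called twice, so (a, t_f) saturated at inf."""
    counts = {}
    allocate(counts, "x@t_foo")                              # x bound exactly once
    allocate(counts, "a@t_f")
    allocate(counts, "a@t_f")                                # second call: count -> inf
    # Assumed store: the continuation k closes over x; nothing refers to a@t_f.
    store = {"k@t_foo": {"x@t_foo"}, "f@t_foo": set(), "a@t_f": set()}
    roots = {"f@t_foo", "x@t_foo", "k@t_foo"}                # touched by the call site
    live = reachable(store, roots)
    by_count = chain_by_count(counts, "x@t_foo", "a@t_f")    # False: count is inf
    by_reach = chain_by_reachability(counts, live, "x@t_foo", "a@t_f")   # True
    counts, live = collect(counts, store, roots)             # resets a@t_f to 0
    return by_count, by_reach, chain_by_count(counts, "x@t_foo", "a@t_f")
```

The scenario shows why the two prerequisites are listed separately: before garbage collection the count of (a, t̂_f) is saturated and only the reachability rule admits the equality; after collection the count-only rule admits it as well.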

  82-83. Example: Invertible rebinding
  Example: call site (f (+ x 1) k), time t̂_f
  local env: f ↦ t̂_foo, x ↦ t̂_f
  global env: (f, t̂_foo) ↦ a closure over (λ (x q) ...)
  Updating assumption base: Can replace (x, t̂_f) with (- (x, t̂_f) 1) in Π?
  Yes, if (x, t̂_f) is unreachable and its count is 1. (E.g. tail recursion, for loops.) (More on this in the paper.)

  84-87. Example: Conditional
  Example: call site (if (< i (alen a)) ... ...)
  Case 1: Π can (dis)prove (< i (alen a)). Branch one way: ς̂ → ς̂_true, or ς̂ → ς̂_false.
  Case 2: (< i (alen a)) has one counterpart. Branch both ways & assert: ς̂ → ς̂_true adding (< i (alen a)); ς̂ → ς̂_false adding (not (< i (alen a))).
  Case 3: None of the above. Branch both ways: ς̂ → ς̂_true and ς̂ → ς̂_false. Don't touch Π′.

  88. Walkthrough: Simple for loop
  Example: for (i = 0; i < a.length; i++) print(a[i]);
  Example (CPS):
    (letrec ((loop (λ (i)
                     (if (< i (alen a))
                         (print (aget a i) (λ () (loop (+ i 1))))
                         ...))))
      (loop 0))
  Parameters
  ◮ 0CFA contour set. (Bindings = Variables.)

  89-100. Walkthrough: Simple for loop
    (letrec ((loop (λ (i)
                     (if (< i (alen a))
                         (print (aget a i) (λ () (loop (+ i 1))))
                         ...))))
      (loop 0))
  Assumption base Π, slide by slide:
  89-90:  (< 0 (alen a))
  91-92:  (< 0 (alen a)), (= 0 i)
  93:     (< 0 (alen a)), (= 0 i)   Safe: 0 ≤ i < (alen a) holds!
  94-95:  (< 0 (alen a)), (= 0 i)
  96:     (< 0 (alen a)), (= 0 (- i 1))
  97:     (< 0 (alen a)), (≤ 0 i)
  98:     (< 0 (alen a)), (≤ 0 i), (< i (alen a))   Safe: 0 ≤ i < (alen a) holds!
  99-100: (< 0 (alen a)), (≤ 0 i), (< i (alen a))
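To make the walkthrough concrete, here is an added example, not code from the paper or the talk, of the logic from slides 46-63 and the conditional rule from slide 87, run over the assumption bases listed above. It implements ⊨ as an evaluator over a concrete state, ⊢ as saturation under (Assm), (Eq) and (Subst) (plus ground arithmetic between constants, an assumed addition to the slide's rule set so that a fact like (≤ 0 0) exists for Subst to rewrite), the three-way branch at a conditional, and the bounds obligation 0 ≤ i < (alen a). The join that turns (= 0 i) and (= 0 (- i 1)) into (≤ 0 i) is not implemented; the post-join base is taken from slide 97 as given. The binding names and the concrete states used are constructed for the example.

```python
"""Toy version of the deck's restricted logic (added example, not the paper's code).
Propositions are S-expressions as Python tuples, e.g. ("<", "i", ("alen", "a"));
identities are ints (constants) or strings (bindings, named freely here)."""


def eval_term(state, t):
    """Value of term t in concrete state `state` (a dict: binding -> value)."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return state[t]
    op, *args = t
    v = [eval_term(state, a) for a in args]
    return {"alen": lambda: len(v[0]), "+": lambda: v[0] + v[1],
            "-": lambda: v[0] - v[1]}[op]()


def holds(state, p):
    """state |= p : the proposition means exactly what you think it means."""
    op, *args = p
    if op == "not":
        return not holds(state, args[0])
    if op in ("and", "or"):
        return (all if op == "and" else any)(holds(state, a) for a in args)
    x, y = (eval_term(state, a) for a in args)
    return {"=": x == y, "<": x < y, "<=": x <= y}[op]


def identities(p):
    """Ground identities (constants and bindings) occurring in p."""
    if isinstance(p, (int, str)):
        return {p}
    return set().union(*(identities(a) for a in p[1:]))


def replace_once(p, old, new):
    """Every result of swapping exactly one occurrence of identity `old` for `new`."""
    if p == old:
        return [new]
    if isinstance(p, (int, str)):
        return []
    return [p[:i] + (alt,) + p[i + 1:]
            for i in range(1, len(p)) for alt in replace_once(p[i], old, new)]


def ground_facts(ids):
    """Relations between constants settled by arithmetic (assumed addition to the
    slide's rules, so that e.g. (<= 0 0) exists for Subst to rewrite)."""
    consts = [c for c in ids if isinstance(c, int)]
    return {(op, c, d) for c in consts for d in consts for op in ("=", "<", "<=")
            if {"=": c == d, "<": c < d, "<=": c <= d}[op]}


def derives(pi, goal, limit=5000):
    """pi |- goal by forward chaining under (Assm), (Eq) and (Subst)."""
    facts = set(pi)
    ids = set().union(*(identities(f) for f in facts))
    facts |= {("=", i, i) for i in ids} | ground_facts(ids)       # (Eq) + arithmetic
    while goal not in facts and len(facts) < limit:
        new = set()
        for _, a, b in [f for f in facts if f[0] == "="]:
            for f in facts:
                new.update(replace_once(f, a, b))                   # (Subst)
        if new <= facts:
            break
        facts |= new
    return goal in facts                                            # (Assm) if goal in pi


def branch(pi, cond, count):
    """Woven transition for (if cond ...): assumption bases for the true and the
    false successor (None marks a branch that is not taken).  `count` is the
    Gamma-CFA count of cond's concrete counterparts."""
    if derives(pi, cond):                       # Case 1: Pi proves cond
        return (pi, None)
    if derives(pi, ("not", cond)):              # Case 1: Pi disproves cond
        return (None, pi)
    if count == 1:                              # Case 2: branch both ways & assert
        return (pi | {cond}, pi | {("not", cond)})
    return (pi, pi)                             # Case 3: don't touch Pi'


I, A = "i", "a"                                 # 0CFA: a binding is just its variable
COND = ("<", I, ("alen", A))


def bounds_safe(pi):
    """Does Pi prove 0 <= i < (alen a) at the (aget a i) site?"""
    return derives(pi, ("<=", 0, I)) and derives(pi, COND)


def walkthrough():
    """The assumption bases of the "Simple for loop" slides, checked in order."""
    entry = frozenset({("<", 0, ("alen", A)), ("=", 0, I)})     # after (loop 0)
    first_iteration = bounds_safe(entry)                          # slide 93: Safe
    # After the rebinding i <- (+ i 1) the base holds (= 0 (- i 1)); the deck joins it
    # with the entry base to (<= 0 i) (slide 97).  The join is taken as given here.
    head = frozenset({("<", 0, ("alen", A)), ("<=", 0, I)})
    taken, not_taken = branch(head, COND, count=1)                # Case 2 at the if
    return first_iteration, bounds_safe(head), bounds_safe(taken), not_taken
```

At the loop head the base {(< 0 (alen a)), (≤ 0 i)} proves neither the condition nor its negation, so the conditional falls into Case 2: the true branch gets (< i (alen a)) asserted and the access is proved safe, exactly as slide 98 shows; the first iteration is safe already from (= 0 i) and (< 0 (alen a)) via Subst.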
