Parametric Shape Analysis via 3-Valued Logic
Mooly Sagiv, Thomas Reps, Reinhard Wilhelm
Motivation
- Many shape analysis algorithms have been developed
  - Different abstractions
  - Hard to compare
- Parametric framework
  - A yacc for shape analysis?

Overview
- Use logical structures to represent stores
- By choosing different predicates, the framework is instantiated into different shape analysis algorithms
- Previous approach: define the abstraction, give the transfer functions, prove them correct, implement
- With the framework: choose predicates, define update formulae for the instrumentation predicates, prove the formulae correct; the rest is done automatically by the system
Representation
- Logical structures: S = <U, ι>
  - U: individuals
  - ι: maps p(u1, …, uk) to 0, 1 or 1/2
- Predicates: constituents of shape invariants that can be used to characterize a data structure
- Core predicates
  - Track pointer variables and pointer-valued fields
  - Common to all shape analyses
  - E.g.: x(v), n(v1, v2), sm(v)

Representation
- Instrumentation predicates
  - Properties derived from the core semantics, not explicitly part of the semantics of pointers in a language
  - Different algorithms use different sets of instrumentation predicates
  - E.g.: is(v) (sharing), r_x(v) (reachability from x)
- Defining formulae:

Representation: Property-Extraction Principle
- Concrete store: 2-valued logic
  - Questions about properties of stores are answered by evaluating formulae: 1 => holds, 0 => doesn't hold
- Abstract store: 3-valued logic
  - A formula can evaluate to 1, 0, or 1/2
  - 1 => holds; 0 => doesn't hold; 1/2 => don't know

Representation: Examples
Bounded Structures
- Bounded structure: a logical structure in which no two distinct individuals have the same values for all unary (abstraction) predicates
- Upper bound on the size of a bounded structure: with |P1| unary predicates, at most 3^|P1| individuals
- Canonical abstraction: individuals that agree on all abstraction predicates are merged into one summary individual (sm = 1/2); every other predicate takes the join of the merged values, i.e. 1/2 wherever they disagree

Embedding Theorem
- Embedding: a way to relate 2-valued and 3-valued structures
- S can be embedded in S' (S ⊑ S') if there is a surjective function f: U^S → U^S' such that for every predicate p and tuple u1, …, uk, the value of p(f(u1), …, f(uk)) in S' is either 1/2 or equal to the value of p(u1, …, uk) in S
- Embedding theorem: if S can be embedded in S', every piece of information extracted from S' via a formula is a conservative approximation of the information extracted from S
Predicate-update formulae
- Expressing semantics using logic
- Predicate-update formulae ϕ_p^st: define the new value of p for every statement st
- Transfer function:

Predicate-update formulae
- Core predicates: the predicate-update formulae are exactly the same for 3-valued logic and 2-valued logic
- Instrumentation predicates
  - Trivial update formula (re-evaluate the defining formula in the updated structure): usually unsatisfactory, since the re-evaluation in a 3-valued structure loses precision
  - User-supplied formula: need to prove that it maintains correct instrumentation

Predicate-update formulae: Core predicates

Predicate-update formulae: Instrumentation predicates
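The pieces above (3-valued structures, canonical abstraction into a bounded structure, the embedding theorem, and core-predicate update formulae applied unchanged to 2- and 3-valued structures) are concrete enough to run. The following is an added example, not code from the paper or the TVLA system: a small Kleene evaluator for formulae over logical structures, canonical abstraction over a chosen set of unary abstraction predicates, and the update formula for x = x.n. The store (x -> n1 -> n2 -> n3 -> n4 with y pointing at n3), the predicate names and the tuple-based formula syntax are constructed for the example; the definitions of is(v) and r_x(v) follow the paper's informal descriptions (sharing, reachability).

```python
HALF = 0.5  # third truth value of Kleene's 3-valued logic: "don't know"


def join(values):
    """Least upper bound in the information order (0 and 1 below 1/2): agree -> that value, else 1/2."""
    vals = set(values)
    return vals.pop() if len(vals) == 1 else HALF


class Structure:
    """A 2- or 3-valued logical structure S = <U, iota>.
    unary: pred -> {individual: value}; binary: pred -> {(u, v): value}.
    'sm' is the core predicate marking summary nodes (always 0 in a concrete store)."""

    def __init__(self, universe, unary, binary):
        self.U = list(universe)
        self.unary = unary
        self.binary = binary

    def eval(self, phi, env=None):
        """Kleene evaluation of a formula written as nested tuples:
        ('p', name, v...), ('not', f), ('and', f, ...), ('or', f, ...), ('exists', v, f)."""
        env = env or {}
        op = phi[0]
        if op == 'p':
            args = tuple(env[v] for v in phi[2:])
            return self.unary[phi[1]][args[0]] if len(args) == 1 else self.binary[phi[1]][args]
        if op == 'not':
            return 1 - self.eval(phi[1], env)
        if op == 'and':
            return min(self.eval(f, env) for f in phi[1:])
        if op == 'or':
            return max(self.eval(f, env) for f in phi[1:])
        if op == 'exists':
            return max(self.eval(phi[2], {**env, phi[1]: u}) for u in self.U)
        raise ValueError(op)


def concrete_store(nodes, vars_, next_):
    """2-valued structure of a singly linked store. Core predicates: one per variable, n(v1,v2), sm(v).
    Instrumentation predicates: is(v) = v has at least two n-predecessors (sharing);
    r_x(v) = v reachable from variable x along n (computed by walking, which the concrete semantics allows)."""
    unary = {x: {u: int(vars_[x] == u) for u in nodes} for x in vars_}
    unary['sm'] = {u: 0 for u in nodes}
    n = {(a, b): int(next_.get(a) == b) for a in nodes for b in nodes}
    unary['is'] = {u: int(sum(n[(a, u)] for a in nodes) >= 2) for u in nodes}
    for x in vars_:
        reach, cur = set(), vars_[x]
        while cur is not None and cur not in reach:  # cycle-safe walk of the n chain
            reach.add(cur)
            cur = next_.get(cur)
        unary['r_' + x] = {u: int(u in reach) for u in nodes}
    return Structure(nodes, unary, {'n': n})


def canonical_abstraction(S, abstraction_preds):
    """Merge individuals that agree on every abstraction predicate into one individual (a summary
    node, sm = 1/2); all other predicate values are joined. The embedding f maps each individual
    to the name of its group. The result is bounded: at most 3^|abstraction_preds| individuals."""
    groups = {}
    for u in S.U:
        groups.setdefault(tuple(S.unary[p][u] for p in abstraction_preds), []).append(u)
    name = {k: '+'.join(m) for k, m in groups.items()}
    unary = {p: {name[k]: join(S.unary[p][u] for u in m) for k, m in groups.items()} for p in S.unary}
    unary['sm'] = {name[k]: (HALF if len(m) > 1 else 0) for k, m in groups.items()}
    binary = {p: {(name[k1], name[k2]): join(S.binary[p][(u, v)] for u in m1 for v in m2)
                  for k1, m1 in groups.items() for k2, m2 in groups.items()} for p in S.binary}
    return Structure(name.values(), unary, binary)


def apply_update(S, updates):
    """Transfer function: each predicate p listed in updates gets the value of its update formula
    phi_p^st evaluated in S. The same formulae are used for 2-valued and 3-valued structures."""
    unary = dict(S.unary)
    for p, (var, phi) in updates.items():
        unary[p] = {u: S.eval(phi, {var: u}) for u in S.U}
    return Structure(S.U, unary, S.binary)


def embedding_respected(concrete_value, abstract_value):
    """Embedding theorem check for one formula: abstract value is 1/2 or equals the concrete one."""
    return abstract_value == HALF or abstract_value == concrete_value


# Constructed store (not from the paper): x -> n1 -> n2 -> n3 -> n4, y -> n3
C = concrete_store(['n1', 'n2', 'n3', 'n4'], {'x': 'n1', 'y': 'n3'},
                   {'n1': 'n2', 'n2': 'n3', 'n3': 'n4'})
A = canonical_abstraction(C, ['x', 'y', 'r_x', 'is'])  # r_y deliberately not an abstraction predicate

CYCLE = ('exists', 'v', ('p', 'n', 'v', 'v'))
Y_HAS_SUCC = ('exists', 'v1', ('exists', 'v2', ('and', ('p', 'y', 'v1'), ('p', 'n', 'v1', 'v2'))))
X_REACHES_Y = ('exists', 'v', ('and', ('p', 'y', 'v'), ('p', 'r_x', 'v')))
FORMULAS = [CYCLE, Y_HAS_SUCC, X_REACHES_Y]

# Statement x = x.n; core update formula x'(v) = exists v1: x(v1) and n(v1, v).
# The instrumentation predicate r_x is left untouched here: maintaining it is exactly the
# user-supplied update formula the text discusses.
X_NEXT = {'x': ('v', ('exists', 'v1', ('and', ('p', 'x', 'v1'), ('p', 'n', 'v1', 'v'))))}

if __name__ == '__main__':
    print('abstract universe:', A.U, 'sm:', A.unary['sm'])
    for f in FORMULAS:
        print(f, 'concrete', C.eval(f), 'abstract', A.eval(f), 'ok', embedding_respected(C.eval(f), A.eval(f)))
    print('x after x = x.n, abstract:', apply_update(A, X_NEXT).unary['x'])
```

Running it shows n2 and n4 collapsing into the summary node n2+n4 (sm = 1/2, and r_y = 1/2 on it because r_y was not an abstraction predicate), the definite facts "no cycle" and "y is reachable from x" surviving abstraction, "y has a successor" degrading to 1/2, and, after x = x.n, x pointing to the summary node with value 1/2 rather than to a definite cell. That last result is the imprecision that the Focus operation described later removes by splitting the structure.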
The Shape Analysis Algorithm
- When analyzing a single procedure, allow an arbitrary set of 3-valued structures to hold at the entry of the procedure

The Shape Analysis Algorithm: Example
A More Precise Abstract Semantics: Overview
- Focus
- Apply transfer function
- Coerce

A More Precise Abstract Semantics: Focus
- Focus: forces a given formula to a definite value, splitting a structure into several structures in which the formula evaluates to 0 or 1

A More Precise Abstract Semantics: Focus Example

A More Precise Abstract Semantics: Coerce
- Sharpen a structure according to compatibility constraints
- Compatibility constraints from instrumentation predicates
- Compatibility constraints from hygiene conditions

A More Precise Abstract Semantics: Generating compatibility constraints
- An algorithm to generate compatibility constraints
- Definition formula
- Extended Horn clause
- Compatibility constraints

A More Precise Abstract Semantics: Coerce Example
Related Work
- k-limiting: use instrumentation predicates "reachable-from-x-via-access-path-α", for |α| <= k
- Storage shape graphs [CWZ'90]: use core predicates that record the allocation sites of heap cells
- Doubly-linked lists: use instrumentation predicates c_{f.b}(v) and c_{b.f}(v)

Related Work: Biased versus unbiased static program analysis
- Conventional analysis has a one-sided bias
  - May analysis: false => false; true => may be true / may be false
  - Must analysis: true => true; false => may be true / may be false
- 3-valued logic: unbiased; 0 and 1 are both definite answers, and only 1/2 carries the uncertainty

Summary
- A parametric framework
- Easy to experiment with new algorithms
- For core predicates, the abstract semantics falls out from the concrete semantics
- No need for a proof for a particular instantiation