symbolic shape analysis
play

Symbolic Shape Analysis Thomas Wies University of Freiburg, Germany - PowerPoint PPT Presentation

Oct 06, 2022 •273 likes •939 views

Symbolic Shape Analysis Thomas Wies University of Freiburg, Germany Motivation class SortedList { private static Node f i r s t ; public static specvar content / : : : objset ; vardefs v = n u l l next " content ==

  1. Symbolic Shape Analysis Thomas Wies University of Freiburg, Germany

  2. Motivation class SortedList { private static Node f i r s t ; public static specvar content / ∗ : : : objset ; vardefs v � = n u l l ∧ next ∗ " content == { v . f i r s t v } " ; invariant " tree [ next ] " ; invariant " ∀ v . v ∈ content ∧ v . next � = n u l l − → v . . Node . data ≤ v . next . data " ; ∗ / public static void i n s e r t (Node n ) requires / ∗ : "n � = n u l l ∧ n / ∈ content " modifies content ensures " content = old content ∪ { n } " ∗ / { Node prev = n u l l ; Node curr = f i r s t ; while ( ( curr ! = n u l l ) && ( curr . data < n . data ) ) { prev = curr ; curr = curr . next ; } n . next = curr ; i f ( prev ! = n u l l ) prev . next = n ; else f i r s t = n ; } } Thomas Wies Symbolic Shape Analysis 2 / 34

  3. Motivation Bohne, Symbolic Shape Analysis Implementation Properties verified in previous example: • correctly inserts the element into the list (relates pre- and post states of procedure) • list remains sorted • data structure remains acyclic list • no null pointer dereferences Bohne • accepts annotated Java programs as input • annotations are user-specied formulae: • data structure invariants • procedure contracts (pre- and post conditions) • automatically computes quantified loop invariants • proves desired properties and absence of errors Thomas Wies Symbolic Shape Analysis 3 / 34

  4. Motivation Predicate Abstraction • take transition graph (nodes are states) • define partitioning of nodes through state predicates • abstract transition graph is graph of abstract nodes • abstract nodes are equivalence classes of concrete nodes infinite state space Thomas Wies Symbolic Shape Analysis 4 / 34

  5. Motivation Predicate Abstraction • take transition graph (nodes are states) • define partitioning of nodes through state predicates • abstract transition graph is graph of abstract nodes • abstract nodes are equivalence classes of concrete nodes P 1 ∧ ¬ P 2 ∧ P 3 infinite state space state predicates: P 1 , P 2 , P 3 Thomas Wies Symbolic Shape Analysis 4 / 34

  6. Motivation Shape Analysis à la Sagiv, Reps, and Wilhelm • states are graphs • define partitioning of nodes through predicates on nodes • abstract states are graphs of abstract nodes • abstract nodes are equivalence classes of concrete nodes next next next x next next next y Thomas Wies Symbolic Shape Analysis 5 / 34

  7. Motivation Shape Analysis à la Sagiv, Reps, and Wilhelm • states are graphs • define partitioning of nodes through predicates on nodes • abstract states are graphs of abstract nodes • abstract nodes are equivalence classes of concrete nodes next next next x next next next y Thomas Wies Symbolic Shape Analysis 5 / 34

  8. Motivation shape analysis = 2 predicate abstraction Thomas Wies Symbolic Shape Analysis 6 / 34

  9. Motivation Why go symbolic? Thomas Wies Symbolic Shape Analysis 7 / 34

  10. Motivation Apply not only idea, but also techniques of predicate abstraction. Thomas Wies Symbolic Shape Analysis 8 / 34

  11. Motivation Generic Benefits of Predicate Abstraction • use formulae to represent infinite sets of states • no need to define meaning of abstract values • abstract domain ⊆ concrete domain | • abstraction = entailment = Thomas Wies Symbolic Shape Analysis 9 / 34

  12. Motivation Generic Benefits of Predicate Abstraction • use formulae to represent infinite sets of states • no need to define meaning of abstract values • abstract domain ⊆ concrete domain | • abstraction = entailment = • use reasoning procedures • automation • separation of concerns (black-boxing) • soundness by construction, loss of precision identifiable • get leverage from theorem proving community ⊢ • abstraction = provable entailments Thomas Wies Symbolic Shape Analysis 9 / 34

  13. Motivation Generic Benefits of Predicate Abstraction • use formulae to represent infinite sets of states • no need to define meaning of abstract values • abstract domain ⊆ concrete domain | • abstraction = entailment = • use reasoning procedures • automation • separation of concerns (black-boxing) • soundness by construction, loss of precision identifiable • get leverage from theorem proving community ⊢ • abstraction = provable entailments • abstraction refinement • more automation • symbolic execution of counterexamples • abstract domain ⊂ refined abstract domain Thomas Wies Symbolic Shape Analysis 9 / 34

  14. Symbolic Shape Analysis Outline 1 Boolean heaps (abstract domain) 2 Cartesian post (abstract transformer) 3 Abstraction refinement Thomas Wies Symbolic Shape Analysis 10 / 34

  15. Boolean Heaps Boolean Heaps Partition heap according to finitely many predicates on heap objects. P 1 = { v | v = x } P 2 = { v | v = null } P 3 = { v | next ∗ ( x , v ) } P 1 ∧ ¬ P 2 ∧ P 3 ¬ P 1 ∧ ¬ P 2 ∧ P 3 ¬ P 1 ∧ P 2 ∧ P 3 next next next next x . . . null Describe partitioning as a universally quantified formula ∀ v . P 1 ∧ ¬ P 2 ∧ P 3 ∨ ¬ P 1 ∧ ¬ P 2 ∧ P 3 ∨ ¬ P 1 ∧ P 2 ∧ P 3 ➜ Boolean heaps Thomas Wies Symbolic Shape Analysis 11 / 34

  16. Boolean Heaps Abstract domain = {sets of Boolean heaps} Abstract element Boolean heap � � � � �� � ∀ v . P i , j , k ( v ) abstract node i j k � �� � abstract node ∨ � �� � Boolean heap � �� � ∨ set of Boolean heaps � �� � set of Boolean heaps Thomas Wies Symbolic Shape Analysis 12 / 34

  17. Boolean Heaps Symbolic shape analysis � � � ∀ v . P i , j , k ( v ) i j k ➜ sets of sets of bit-vectors � �� � abstract node (sets of BDDs) � �� � Boolean heap ∼ = abstract state � �� � set of Boolean heaps Predicate abstraction � � P i , j i j ➜ sets of bit-vectors (BDDs) � �� � abstract state � �� � sets of abstract states ➜ Boolean heaps provide extra precision needed for shape analysis. Thomas Wies Symbolic Shape Analysis 13 / 34

  18. Abstract Transformer Cartesian Post Abstract Post on Boolean Heaps How to compute abstract post on Boolean heaps? post # ( H ) = ? Thomas Wies Symbolic Shape Analysis 14 / 34

  19. Abstract Transformer Cartesian Post Abstract Post on Boolean Heaps How to compute abstract post on Boolean heaps? post # ( H ) = α ◦ post ◦ γ ( H ) post # is most precise abstract post, but it is also hard to compute. Thomas Wies Symbolic Shape Analysis 14 / 34

  20. Abstract Transformer Cartesian Post Abstract Post on Boolean Heaps How to compute abstract post on Boolean heaps? post # ( H ) = α ◦ post ◦ γ ( H ) post # is most precise abstract post, but it is also hard to compute. Bohne implements an abstraction of post # that can be computed efficiently. Next slides: Cartesian post. Thomas Wies Symbolic Shape Analysis 14 / 34

  21. Abstract Transformer Cartesian Post Abstract Post on Boolean Heaps P 1 = { v | v = x } P 2 = { v | next ∗ ( v , null ) } P 3 = { v | next ∗ ( x , v ) } P 1 ∧ P 2 ∧ P 3 ¬ P 1 ∧ P 2 ∧ P 3 next next next x null ∀ v . P 1 ∧ P 2 ∧ P 3 ∨ ¬ P 1 ∧ P 2 ∧ P 3 Thomas Wies Symbolic Shape Analysis 15 / 34

  22. Abstract Transformer Cartesian Post Abstract Post on Boolean Heaps P 1 = { v | v = x } P 2 = { v | next ∗ ( v , null ) } P 3 = { v | next ∗ ( x , v ) } P 1 ∧ P 2 ∧ P 3 ¬ P 1 ∧ P 2 ∧ P 3 next next next x null α ◦ post c ◦ γ ( ∀ v . P 1 ∧ P 2 ∧ P 3 ∨ ¬ P 1 ∧ P 2 ∧ P 3 ) for command c = ( x:=x.next ) Thomas Wies Symbolic Shape Analysis 15 / 34

  23. Abstract Transformer Cartesian Post Abstract Post on Boolean Heaps P 1 = { v | v = x } P 2 = { v | next ∗ ( v , null ) } P 3 = { v | next ∗ ( x , v ) } P 1 ∧ P 2 ∧ P 3 ¬ P 1 ∧ P 2 ∧ P 3 next next next x null α ◦ post c ◦ γ ( ∀ v . P 1 ∧ P 2 ∧ P 3 ∨ ¬ P 1 ∧ P 2 ∧ P 3 ) for command c = ( x:=x.next ) next next next x null Thomas Wies Symbolic Shape Analysis 15 / 34

  24. Abstract Transformer Cartesian Post Abstract Post on Boolean Heaps P 1 = { v | v = x } P 2 = { v | next ∗ ( v , null ) } P 3 = { v | next ∗ ( x , v ) } P 1 ∧ P 2 ∧ P 3 ¬ P 1 ∧ P 2 ∧ P 3 next next next x null α ◦ post c ◦ γ ( ∀ v . P 1 ∧ P 2 ∧ P 3 ∨ ¬ P 1 ∧ P 2 ∧ P 3 ) for command c = ( x:=x.next ) ¬ P 1 ∧ P 2 ∧ ¬ P 3 P 1 ∧ P 2 ∧ P 3 ¬ P 1 ∧ P 2 ∧ P 3 next next next x null ∀ v . ¬ P 1 ∧ P 2 ∧ ¬ P 3 ∨ P 1 ∧ P 2 ∧ P 3 ∨ ¬ P 1 ∧ P 2 ∧ P 3 Thomas Wies Symbolic Shape Analysis 15 / 34

  25. Abstract Transformer Cartesian Post Abstract Post on Boolean Heaps P 1 = { v | v = x } P 2 = { v | next ∗ ( v , null ) } P 3 = { v | next ∗ ( x , v ) } P 1 ∧ P 2 ∧ P 3 ¬ P 1 ∧ P 2 ∧ P 3 next next next x null CartesianPost c ( ∀ v . P 1 ∧ P 2 ∧ P 3 ∨ ¬ P 1 ∧ P 2 ∧ P 3 ) for command c = ( x:=x.next ) ¬ P 1 ∧ P 2 ∧ ¬ P 3 P 2 ∧ P 3 next next next x null ∀ v . ¬ P 1 ∧ P 2 ∧ ¬ P 3 ∨ P 2 ∧ P 3 Thomas Wies Symbolic Shape Analysis 15 / 34

Recommend

Shape Analysis via Symbolic Memory Graphs and Conversion from Pointers to Containers Kamil Dudka

Shape Analysis via Symbolic Memory Graphs and Conversion from Pointers to Containers Kamil Dudka

Shape Analysis via Symbolic Memory Graphs and Conversion from Pointers to Containers Kamil Dudka Luk a s Hol k Petr Peringer Marek Trt k Tom a s Vojnar Brno University of Technology, Czech Republic Dagstuhl, 2/11/2015

516 views • 50 slides
Computer Vision Statistical Shape Analysis Shape Shape is the geometric information that

Computer Vision Statistical Shape Analysis Shape Shape is the geometric information that

Computer Vision Statistical Shape Analysis Shape Shape is the geometric information that remains when translation, rotation, and scale are factored out. Landmark points. D'Arcy Thompson. David George Kendall Fred Bookstein.

248 views • 9 slides
Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis V. Batagelj Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units Clustering and optimization Leaders method Vladimir Batagelj Agglomerative method Examples IMFM Ljubljana

871 views • 33 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Transient Analysis Lightning Phenomena HV Transient Analysis Classes and shape of overvoltages

Transient Analysis Lightning Phenomena HV Transient Analysis Classes and shape of overvoltages

Chapter 8 Overvoltage Phenomenon &amp; HV Transient Analysis Lightning Phenomena HV Transient Analysis Classes and shape of overvoltages and standard voltage shape Analysis of overvoltages in power system includes a study of their:

1.04k views • 35 slides
Signatures in Shape Analysis Nikolas Tapia (WIAS/TU Berlin) joint with E. Celledoni &amp; P . E.

Signatures in Shape Analysis Nikolas Tapia (WIAS/TU Berlin) joint with E. Celledoni &amp; P . E.

Signatures in Shape Analysis Nikolas Tapia (WIAS/TU Berlin) joint with E. Celledoni &amp; P . E. Lystad FG6 (NTNU) Weierstra-Institut fr angewandte Analysis und Stochastik August 27, 2019 Shape Analysis: Practical Setup The problem is to

481 views • 20 slides
Shape Co-analysis and constrained clustering Daniel Cohen-Or Tel-Aviv University 1 High-level

Shape Co-analysis and constrained clustering Daniel Cohen-Or Tel-Aviv University 1 High-level

Shape Co-analysis and constrained clustering Daniel Cohen-Or Tel-Aviv University 1 High-level Shape analysis [Mehra et al. 08] [Fu et al. 08] [Kalograkis et al. 10] Shape abstraction Upright orientation Learning segmentation [Kim et al.

1.03k views • 81 slides
Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

412 views • 24 slides
Pulse Shape Analysis A/E for GERDA experiment Outline : Motivation Pulse Shape

Pulse Shape Analysis A/E for GERDA experiment Outline : Motivation Pulse Shape

Pulse Shape Analysis A/E for GERDA experiment Outline : Motivation Pulse Shape Discrimination for GERDA BEGes Systematic uncertainty on PSA Outlook &amp; Summary Heng-Ye Liao photo o by *EvrWccn Wccn for the GERDA collaboration

188 views • 18 slides
CS711 Advanced Programming Languages Shape Analysis With Tracked Locations Radu Rugina 22 Sep

CS711 Advanced Programming Languages Shape Analysis With Tracked Locations Radu Rugina 22 Sep

CS711 Advanced Programming Languages Shape Analysis With Tracked Locations Radu Rugina 22 Sep 2005 Shape Analysis with Local Reasoning All previous abstractions: Describe the entire heap at once Makes inter-procedural analysis

544 views • 30 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine University Remembering Suzanne WINSBERG This talk is dedicated to her OUTLINE PART 1: SYMBOLIC DATA ANALYSIS The two levels of

1.29k views • 89 slides
Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental

Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental

Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental Mathematical Computation, July 2125, 2014, ICERM, Brown University Symbolic local Fourier Analysis (and some Special Functions Inequalities)

1.21k views • 82 slides
Isogeometric Shape Optimization: A brief introduction about shape sensitivity analysis and search

Isogeometric Shape Optimization: A brief introduction about shape sensitivity analysis and search

Isogeometric Shape Optimization: A brief introduction about shape sensitivity analysis and search direction normalization Wang Zhenpei NUS 2018 3 23 GAMES Webinar 2018 (37) on IGA Wang Zhenpei (NUS) Isogeometric Shape

566 views • 53 slides
Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for

Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for

Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for Recommendation Systems Byron Leite Dantas Bezerra Byron Leite Dantas Bezerra bldb@dsc.upe.br bldb@dsc.upe.br Francisco Assis Tenrio Carvalho

708 views • 34 slides
Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic

Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic

Shape Analysis Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic memory 2013/2014B Subjects Introducing shape analysis TVLA method Cutpoint-free method Separation logic method Conclusion &amp;

1.38k views • 70 slides
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Introduction / Motivation Symbolic Method Experiments Conclusion Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS In` es Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz

271 views • 25 slides
Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal Lafourcade (with St ephanie Delaune, Denis Lugiez &amp; Ralf Treinen)

983 views • 33 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
2d-shape Analysis using Complex Analysis Alexander Yu. Solynin Texas Tech University New

2d-shape Analysis using Complex Analysis Alexander Yu. Solynin Texas Tech University New

2d-shape Analysis using Complex Analysis Alexander Yu. Solynin Texas Tech University New Developments in Complex Analysis and Function Theory University of Crete, Heraklion, Greece July 4, 2018 Acknowledgements: The author thanks Prof.

902 views • 74 slides
Shape Analysis Lasse Riis stergaard Dept. of Health Science and Technology Shape Analysis

Shape Analysis Lasse Riis stergaard Dept. of Health Science and Technology Shape Analysis

Shape Analysis Lasse Riis stergaard Dept. of Health Science and Technology Shape Analysis Active contour models - snakes Theory Applications Active shape models Theory Applications Active Contour Example Active

517 views • 24 slides
X-ray pulse-shape analysis on pulse-shape analysis on X-ray bridge-type microcalorimeters

X-ray pulse-shape analysis on pulse-shape analysis on X-ray bridge-type microcalorimeters

ETL ETL X-ray pulse-shape analysis on pulse-shape analysis on X-ray bridge-type microcalorimeters microcalorimeters with with bridge-type Ti-Au transition-edge sensors transition-edge sensors Ti-Au Masahiro Ukibe *a , Keiichi Tanaka b ,

413 views • 19 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Shape Analysis Syntax of the pointer language p | n | a 1 op a a 2 | nil a ::= Goal: to obtain

Shape Analysis Syntax of the pointer language p | n | a 1 op a a 2 | nil a ::= Goal: to obtain

Shape Analysis Syntax of the pointer language p | n | a 1 op a a 2 | nil a ::= Goal: to obtain a finite representation of the shape of the heap of a ::= x | x. sel p language with pointers. b ::= true | false | not b | b 1 op b b 2 | a 1 op

430 views • 11 slides

More recommend