![Page 1: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/1.jpg)
Static Program Analysis via Three-Valued Logic
Mooly Sagiv (Tel Aviv), Thomas Reps (Madison),
Reinhard Wilhelm (Saarbrücken)
![Page 2: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/2.jpg)
• A sailor on the U.S.S. Yorktown entered a 0 into a data field in a kitchen-inventory program. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units.
• The Yorktown was dead in the water for about two hours and 45 minutes.
Analysis must track numeric information
Full Employment for Verification Experts
![Page 3: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/3.jpg)
Three programs that divide by zero at the last statement, each demanding more from the analysis than the previous one:

```c
x = 3;
y = 1/(x-3);
```
need to track values other than 0

```c
x = 3;
px = &x;
y = 1/(*px-3);
```
need to track pointers

```c
x = 3;
p = (int*)malloc(sizeof(int));
*p = x;
q = p;
y = 1/(*q-3);
```
need to track heap-allocated storage
![Page 4: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/4.jpg)
Flow-Sensitive Points-To Analysis

Figure: a five-statement program over the variables a, b, c, d, e, f (the statements are a = &e, c = &f, *b = c, b = a and d = *a; the slide numbers them 1 through 5, but the numbering did not survive extraction) with the points-to graph over a, b, c, d, e, f drawn after each statement.

Figure: the transfer functions of the four basic pointer statements, each drawn as a before/after points-to graph over p, q, r1, r2, s1, s2, s3:
  p = &q;
  p = q;
  p = *q;
  *p = q;
![Page 5: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/5.jpg)
Flow-Insensitive Points-To Analysis

Figure: the same five-statement program (a = &e, c = &f, *b = c, b = a, d = *a), now analysed without regard to statement order: a single points-to graph over a, b, c, d, e, f summarises every program point.
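Both analyses on the two slides above, as an added example (not code from the slides): `flow_insensitive` treats each of the four statement forms as an inclusion constraint and iterates to a fixpoint (Andersen-style), `flow_sensitive` applies the statements of straight-line code in order with strong updates. The order of the slide's five statements is an assumption, since the numbering was lost; `ORDER_PROGRAM` is a constructed input that shows where the two results differ.

```python
"""Points-to analysis for the four statement forms on the slides
(p = &q, p = q, p = *q, *p = q), flow-insensitive and flow-sensitive.
Added example, not code from the slides."""
from collections import defaultdict

# Statement encoding: (kind, p, q) for p = &q / p = q / p = *q / *p = q.
ADDR, COPY, LOAD, STORE = "addr", "copy", "load", "store"

def flow_insensitive(stmts):
    """Andersen-style: every statement is a constraint that must hold
    whatever the execution order; iterate until no points-to set grows."""
    pts = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for kind, p, q in stmts:
            if kind == ADDR:      # p = &q  : q in pts(p)
                new, targets = {q}, [p]
            elif kind == COPY:    # p = q   : pts(q) subset of pts(p)
                new, targets = set(pts[q]), [p]
            elif kind == LOAD:    # p = *q  : pts(r) subset of pts(p), r in pts(q)
                new, targets = set().union(*(pts[r] for r in pts[q])), [p]
            elif kind == STORE:   # *p = q  : pts(q) subset of pts(r), r in pts(p)
                new, targets = set(pts[q]), list(pts[p])
            else:
                raise ValueError(kind)
            for t in targets:
                if not new <= pts[t]:
                    pts[t] |= new
                    changed = True
    return {v: frozenset(s) for v, s in pts.items() if s}

def flow_sensitive(stmts):
    """Straight-line code only: apply the statements in order. A direct
    assignment overwrites pts(p) (strong update). *p = q overwrites only when
    p definitely points to a single variable; otherwise each possible target
    may or may not have been written, so its old targets are kept (weak update).
    Returns the points-to state after every statement."""
    pts = defaultdict(set)
    states = []
    for kind, p, q in stmts:
        if kind == ADDR:
            pts[p] = {q}
        elif kind == COPY:
            pts[p] = set(pts[q])
        elif kind == LOAD:
            pts[p] = set().union(*(pts[r] for r in pts[q]))
        elif kind == STORE:
            if len(pts[p]) == 1:
                (t,) = pts[p]
                pts[t] = set(pts[q])
            else:
                for t in list(pts[p]):
                    pts[t] |= pts[q]
        else:
            raise ValueError(kind)
        states.append({v: frozenset(s) for v, s in pts.items() if s})
    return states

# The slide's five statements. The order is an assumption (the slide's
# numbering was lost), chosen so that b is initialized before *b is written.
SLIDE_PROGRAM = [(ADDR, "a", "e"), (COPY, "b", "a"), (ADDR, "c", "f"),
                 (STORE, "b", "c"), (LOAD, "d", "a")]

# Constructed program in which order matters: p is reassigned before q copies it.
ORDER_PROGRAM = [(ADDR, "p", "r1"), (ADDR, "p", "r2"), (COPY, "q", "p")]

if __name__ == "__main__":
    print("flow-insensitive:", flow_insensitive(SLIDE_PROGRAM))
    print("flow-sensitive  :", flow_sensitive(SLIDE_PROGRAM)[-1])
    print("order matters   :", flow_insensitive(ORDER_PROGRAM),
          flow_sensitive(ORDER_PROGRAM)[-1])
```

On the slide's program both analyses agree (a, b → e; c → f; e → f; d → f) because no variable is reassigned. On `ORDER_PROGRAM` the flow-insensitive result has p and q pointing to both r1 and r2, while the flow-sensitive one keeps only r2: the precision the flow-sensitive slide buys, at the cost of one state per program point.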
![Page 6: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/6.jpg)
Shape Analysis [Jones and Muchnick 1981]
• Characterize dynamically allocated data
  – Identify may-alias relationships
  – x points to an acyclic list, cyclic list, tree, dag, …
  – “disjointedness” properties: x and y point to structures that do not share cells
  – show that data-structure invariants hold
• Account for destructive updates through pointers
![Page 7: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/7.jpg)
Applications: Software Tools
• Static detection of memory errors
  – dereferencing NULL pointers
  – dereferencing dangling pointers
  – memory leaks
• Static detection of logical errors
  – Is a data-structure invariant restored?
![Page 8: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/8.jpg)
Applications: Code Optimization
• Parallelization
  – Operate in parallel on disjoint structures
• Software prefetching
• “Compile-time garbage collection”
  – Insert storage-reclamation operations
• Eliminate or move “checking code”
![Page 9: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/9.jpg)
Why is Shape Analysis Difficult?
• Destructive updating through pointers
  – p->next = q
  – Produces complicated aliasing relationships
• Dynamic storage allocation
  – No bound on the size of run-time data structures
• Data-structure invariants typically only hold at the beginning and end of operations
  – Want to verify that data-structure invariants are re-established
![Page 10: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/10.jpg)
Example: In-Situ List Reversal

```c
typedef struct list_cell {
    int val;
    struct list_cell *next;
} *List;

List reverse(List x) {
    List y, t;
    y = NULL;
    while (x != NULL) {
        t = y;
        y = x;
        x = x->next;
        y->next = t;
    }
    return y;
}
```

Figure: on entry x points to the list 1 → 2 → 3 → NULL; y and t are NULL.
(Pages 11 through 46 repeat the slide above as animation frames, stepping through the loop: frames 11 to 24 show the concrete list 1 → 2 → 3 → NULL, frames 25 to 46 show only x, y, t and NULL, and page 29 carries the label “Materialization”. The code and the typedef are identical on every frame.)
![Page 47: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/47.jpg)
Idea for a List Abstraction

Figure: one abstract store (x pointing into a list whose tail is drawn as a summary node; y and t NULL) and, under the word “represents”, the family of concrete stores it stands for: x pointing to lists of every length, with y and t NULL.
![Page 48: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/48.jpg)
Figure: the control-flow graph of reverse, with nodes x != NULL, t = y, y = x, x = x->next, y->next = t and return y, and the abstract store (x, y, t, NULL and a summary node) drawn at each program point. The drawings themselves did not survive extraction.
![Page 49: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/49.jpg)
Properties of reverse(x)
• On entry, x points to an acyclic list
• On each iteration, x & y point to disjoint acyclic lists
• All the pointer dereferences are safe
• No memory leaks
• On exit, y points to an acyclic list
• On exit, x == NULL
• All cells reachable from y on exit were reachable from x on entry, and vice versa
• On exit, the order between neighbors in the y-list is opposite to their order in the x-list on entry
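The same properties checked at run time on a Python model of the heap, as an added example (not from the slides): it executes the loop from page 10 and asserts acyclicity, disjointness of the x- and y-lists and preservation of the cell set on every iteration. A dynamic check like this only covers the inputs it is run on; the static analysis has to establish the same facts for all lists at once. `Cell`, `checked_reverse` and the constructed inputs are mine.

```python
"""Dynamic check of the reverse(x) properties listed on the slide, on a
Python model of the heap. Added example code, not from the slides."""

class Cell:
    """Model of struct list_cell { int val; struct list_cell *next; }."""
    __slots__ = ("val", "next")

    def __init__(self, val, next=None):
        self.val, self.next = val, next

def make_list(vals):
    """Constructed input: a list holding vals in order, last cell -> None."""
    head = None
    for v in reversed(vals):
        head = Cell(v, head)
    return head

def cells_from(p):
    """Identities of the cells reachable from p, or None if the walk hits a cycle."""
    seen = set()
    while p is not None:
        if id(p) in seen:
            return None
        seen.add(id(p))
        p = p.next
    return seen

def values(p):
    out = []
    while p is not None:
        out.append(p.val)
        p = p.next
    return out

def checked_reverse(x):
    """The loop from page 10, with the slide's invariants asserted at the top
    of every iteration and the exit properties asserted at the end."""
    entry = cells_from(x)
    assert entry is not None, "on entry, x points to an acyclic list"
    y = None
    while x is not None:
        xs, ys = cells_from(x), cells_from(y)
        assert xs is not None and ys is not None, "x- and y-lists are acyclic"
        assert not (xs & ys), "x- and y-lists are disjoint"
        assert xs | ys == entry, "no cell leaked, no cell invented"
        t = y
        y = x
        x = x.next       # safe: the loop guard guarantees x != NULL
        y.next = t       # safe: y is the old x, also != NULL
    assert x is None, "on exit, x == NULL"
    assert cells_from(y) == entry, "exit y-list is acyclic and holds exactly the entry cells"
    return y

def reverse_is_correct(vals):
    """True if reversing a list holding vals yields vals in opposite order."""
    return values(checked_reverse(make_list(vals))) == list(reversed(vals))

def rejects_cyclic_input():
    """The entry check fires on the constructed cyclic list 1 -> 2 -> 3 -> 1."""
    x = make_list([1, 2, 3])
    x.next.next.next = x
    try:
        checked_reverse(x)
    except AssertionError:
        return True
    return False

if __name__ == "__main__":
    print(reverse_is_correct([1, 2, 3]), reverse_is_correct([]), rejects_cyclic_input())
```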
![Page 50: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/50.jpg)
A ‘Yacc’ for Shape Analysis: TVLA
• Parametric framework
  – Some instantiations: known analyses
  – Other instantiations: new analyses
• Applications beyond shape analysis
  – Partial correctness of sorting algorithms
  – Safety of mobile code
  – Deadlock detection in multi-threaded programs
  – Partial correctness of mark-and-sweep gc alg.
  – Correct usage of Java iterators
![Page 51: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/51.jpg)
A ‘Yacc’ for Static Analysis: TVLA
(Same bullets as page 50; only the title changes, from shape analysis to static analysis.)
![Page 52: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/52.jpg)
Formalizing “. . .”
Informal: x → cell → cell → . . .
Formal: x → cell → summary node
![Page 53: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/53.jpg)
Using Relations to Represent Linked Lists
Relation Intended Meaning
x(v) Does pointer variable x point to cell v?
y(v) Does pointer variable y point to cell v?
t(v) Does pointer variable t point to cell v?
n(v1,v2) Does the n field of v1 point to v2?
![Page 54: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/54.jpg)
Using Relations to Represent Linked Lists

Figure: x, y → u1 → u2 → u3 → u4

  n   | u1 u2 u3 u4
  u1  | 0  1  0  0
  u2  | 0  0  1  0
  u3  | 0  0  0  1
  u4  | 0  0  0  0

      | x(u) y(u) t(u)
  u1  | 1    1    0
  u2  | 0    0    0
  u3  | 0    0    0
  u4  | 0    0    0
![Page 55: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/55.jpg)
Formulas: Queries for Observing Properties

Are x and y pointer aliases?  ∃v: x(v) ∧ y(v)
![Page 56: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/56.jpg)
Are x and y Pointer Aliases?
∃v: x(v) ∧ y(v)

Figure: x, y → u1 → u2 → u3 → u4, with the n and x(u), y(u), t(u) tables of page 54.

Evaluating the formula: for v = u1, x(u1) ∧ y(u1) = 1 ∧ 1 = 1, so the formula evaluates to 1: Yes
![Page 57: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/57.jpg)
Predicate-Update Formulas for “y = x”
• x’(v) = x(v)
• y’(v) = x(v)
• t’(v) = t(v)
• n’(v1,v2) = n(v1,v2)
![Page 58: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/58.jpg)
Predicate-Update Formulas for “y = x”

Before: x → u1 → u2 → u3 → u4 (n table as on page 54)

      | x(u) y(u) t(u)
  u1  | 1    0    0
  u2  | 0    0    0
  u3  | 0    0    0
  u4  | 0    0    0

y’(v) = x(v) gives the new y column 1, 0, 0, 0: after the statement, x and y both point to u1.
![Page 59: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/59.jpg)
Predicate-Update Formulas for “x = x→n”
• x’(v) = ∃v1: x(v1) ∧ n(v1,v)
• y’(v) = y(v)
• t’(v) = t(v)
• n’(v1, v2) = n(v1, v2)
![Page 60: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/60.jpg)
Predicate-Update Formulas for “x = x→n”

Before: x, y → u1 → u2 → u3 → u4 (n table as on page 54)

      | x(u) y(u) t(u)
  u1  | 1    1    0
  u2  | 0    0    0
  u3  | 0    0    0
  u4  | 0    0    0

x’(v) = ∃v1: x(v1) ∧ n(v1,v): only v = u2 has a v1 (namely u1) with x(v1) = 1 and n(v1,v) = 1, so after the statement y → u1 and x → u2.
![Page 61: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/61.jpg)
Why is Shape Analysis Difficult?
• Destructive updating through pointers
  – p->next = q
  – Produces complicated aliasing relationships
• Dynamic storage allocation
  – No bound on the size of run-time data structures
• Data-structure invariants typically only hold at the beginning and end of operations
  – Need to verify that data-structure invariants are re-established
![Page 62: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/62.jpg)
Two- vs. Three-Valued Logic

Two-valued logic: the values 0 and 1, written as the singletons {0} and {1}.
Three-valued logic: {0} and {1} plus a third value {0,1}, drawn above both of them.
![Page 63: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/63.jpg)
Two- vs. Three-Valued Logic

Two-valued logic

  ∧ | 1 0          ∨ | 1 0
  1 | 1 0          1 | 1 1
  0 | 0 0          0 | 1 0

Three-valued logic

  ∧     | {1}   {0,1} {0}
  {1}   | {1}   {0,1} {0}
  {0,1} | {0,1} {0,1} {0}
  {0}   | {0}   {0}   {0}

  ∨     | {1}   {0,1} {0}
  {1}   | {1}   {1}   {1}
  {0,1} | {1}   {0,1} {0,1}
  {0}   | {1}   {0,1} {0}
![Page 64: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/64.jpg)
Two- vs. Three-Valued Logic

Figure: the diagram of page 62 again, {0} and {1} at the bottom and {0,1} on top.
![Page 65: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/65.jpg)
Two- vs. Three-Valued Logic

Two-valued logic: 0 and 1.
Three-valued logic: {0,1} is renamed ½; the values are 0, 1 and ½, with 0 ⊑ ½ and 1 ⊑ ½ (½ sits above both definite values in the information order).
![Page 66: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/66.jpg)
Boolean Connectives [Kleene]

  ∧   | 0   1/2 1
  0   | 0   0   0
  1/2 | 0   1/2 1/2
  1   | 0   1/2 1

  ∨   | 0   1/2 1
  0   | 0   1/2 1
  1/2 | 1/2 1/2 1
  1   | 1   1   1
![Page 67: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/67.jpg)
Canonical Abstraction

Concrete: x → u1 → u2 → u3 → u4

  n   | u1 u2 u3 u4
  u1  | 0  1  0  0
  u2  | 0  0  1  0
  u3  | 0  0  0  1
  u4  | 0  0  0  0

      | x(u) y(u)
  u1  | 1    0
  u2  | 0    0
  u3  | 0    0
  u4  | 0    0

Abstract: x → u1 → u234, where u234 is a summary node with a ½ self-edge

  n     | u1 u234
  u1    | 0  1/2
  u234  | 0  1/2

        | x(u) y(u)
  u1    | 1    0
  u234  | 0    0
![Page 68: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/68.jpg)
(Same content as page 67.)
![Page 69: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/69.jpg)
Canonical Abstraction

Concrete: x → u1 → u2 → u3 → u4, with the equality relation

  =   | u1 u2 u3 u4
  u1  | 1  0  0  0
  u2  | 0  1  0  0
  u3  | 0  0  1  0
  u4  | 0  0  0  1

      | x(u) y(u)
  u1  | 1    0
  u2  | 0    0
  u3  | 0    0
  u4  | 0    0

Abstract: x → u1 → u234; equality on the summary node becomes ½

  =     | u1 u234
  u1    | 1  0
  u234  | 0  1/2

        | x(u) y(u)
  u1    | 1    0
  u234  | 0    0
![Page 70: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/70.jpg)
Canonical Abstraction
• Partition the individuals into equivalence classes based on the values of their unary predicates
• Collapse other predicates via
![Page 71: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/71.jpg)
Property-Extraction Principle
• Questions about a family of two-valued stores can be answered conservatively by evaluating a formula in a three-valued store
• Formula evaluates to 1: the formula holds in every store in the family
• Formula evaluates to 0: the formula does not hold in any store in the family
• Formula evaluates to 1/2: the formula may hold in some stores and not hold in others
![Page 72: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/72.jpg)
Are x and y Pointer Aliases?
v: x(v) y(v)
Figure: x and y both point to cell u1; a summary node u is also present. The formula evaluates to 1: Yes.
![Page 73: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/73.jpg)
Is Cell u Heap-Shared?
v1,v2: n(v1,u) n(v2,u) v1 v2
Figure: cell u with two incoming n-edges, both labelled 1. The formula evaluates to 1: Yes.
![Page 74: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/74.jpg)
Is Cell u Heap-Shared? (Maybe)
v1,v2: n(v1,u) n(v2,u) v1 v2
Figure: x and y point to cell u1; the n-edges into the summary node u are labelled 1/2, 1/2 and 1. The formula evaluates to 1/2: Maybe.
![Page 75: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/75.jpg)
The Embedding Theorem
v: x(v) y(v)
Figure: four three-valued structures with variables x and y, over the abstract nodes (u1, u34, u2), (u1, u234), (u1, u3, u2, u4) and (u1234). The alias query evaluates to Maybe on one of them and to No on the other three.
![Page 76: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/76.jpg)
Embedding
Figure: a chain of embeddings of a structure with variable x: the six cells u1, u2, u3, u4, u5, u6 embed into u12, u34, u56, which in turn embed into u123, u456.
![Page 77: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/77.jpg)
Canonical Abstraction: An Embedding Whose Result is of Bounded Size
Figure: the concrete four-cell list over u1, u2, u3, u4 (x pointing to u1) and its abstraction into u1 and the summary node u234, with the same n, x(u) and y(u) tables as on the Canonical Abstraction slide above.
![Page 78: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/78.jpg)
Figure: the in-place list-reversal loop, drawn as a flowchart over variables x, y, t and NULL. Its statements:

    x != NULL
    t = y
    y = x
    x = x→next
    y→next = t
    return y

Abstract structure before the statement y = x (x points to u1; u is the summary node):

| | x(u) | y(u) | t(u) |
|---|---|---|---|
| u1 | 1 | 0 | 0 |
| u | 0 | 0 | 0 |

| n | u1 | u |
|---|---|---|
| u1 | 0 | 1/2 |
| u | 0 | 1/2 |

After y = x, computed with the update formula y’(v) = x(v) (n is unchanged):

| | x(u) | y(u) | t(u) |
|---|---|---|---|
| u1 | 1 | 1 | 0 |
| u | 0 | 0 | 0 |
![Page 79: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/79.jpg)
Figure: the three-valued structures (over x, y, t and NULL) that arise at every program point of the reversal loop on the previous slide (x != NULL; t = y; y = x; x = x→next; y→next = t; return y).
![Page 80: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/80.jpg)
How Are We Doing?
• Conservative
• Convenient
• But not very precise
– Advancing a pointer down a list loses precision
– Cannot distinguish an acyclic list from a cyclic list
![Page 81: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/81.jpg)
The Instrumentation Principle
• Increase precision by storing the truth-value of some chosen formulas
![Page 82: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/82.jpg)
Is Cell u Heap-Shared?
v1,v2: n(v1,u) n(v2,u) v1 v2
Figure: cell u.
![Page 83: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/83.jpg)
Example: Heap Sharing
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
Figure: concrete list x → 31 → 71 → 91 with is = 0 on every cell; its abstraction into u1 (pointed to by x) and the summary node u, both with is = 0.
![Page 84: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/84.jpg)
Example: Heap Sharing
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
Figure: concrete list x → 31 → 71 → 91 in which one cell now has is = 1 (two cells point to it) and the others is = 0; in the abstraction (u1 and summary nodes) the stored values are is = 0, is = 0 and is = 1, so the shared cell stays distinguished.
![Page 85: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/85.jpg)
Example: Cyclicity
c(v) = v1: n(v,v1) n*(v1,v)
Figure: concrete list x → 31 → 71 → 91 whose tail closes a cycle: c = 0 on the first cell and c = 1 on the cells on the cycle (is = 0 is also shown); the abstraction has u1 with c = 0 and the summary node u with c = 1.
![Page 86: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/86.jpg)
Is Cell u Heap-Shared?
v1,v2: n(v1,u) n(v2,u) v1 v2
Figure: x and y point to u1; the n-edges into the summary node u are labelled 1/2, 1/2 and 1. Re-evaluating the formula on the three-valued structure gives 1/2: Maybe. Reading the stored instrumentation predicate (is = 0 on u1, is = 0 on u) gives No!
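The mechanics behind slides 70 to 86, as an added Python example that is not part of the deck or of any TVLA implementation: Kleene's connectives, canonical abstraction of the four-cell list into u1 and the summary node u2u3u4, and the heap-sharing query answered both by re-evaluating the formula and by reading back a stored instrumentation predicate. It assumes the standard reading of is(v) as "there exist v1, v2 with n(v1,v), n(v2,v) and v1 different from v2", and the store it analyses is constructed inline.

```python
from itertools import product

HALF = 0.5  # Kleene's third truth value, "unknown"

# Kleene connectives: in the truth order 0 < 1/2 < 1, AND is min and NOT is 1 - v
def k_and(a, b): return min(a, b)
def k_not(a): return 1 - a

def join(vals):
    """Join in the information order: definite values that disagree become 1/2."""
    vals = set(vals)
    return vals.pop() if len(vals) == 1 else HALF

def canonical_abstraction(nodes, unary, binary):
    """Partition nodes by their unary-predicate values, name each class by its
    members ('u2u3u4' is a summary node) and collapse binary predicates via join."""
    classes = {}
    for u in nodes:
        classes.setdefault(tuple(unary[p][u] for p in sorted(unary)), []).append(u)
    name = {k: "".join(m) for k, m in classes.items()}
    a_unary = {p: {name[k]: join(unary[p][u] for u in m) for k, m in classes.items()}
               for p in unary}
    a_binary = {p: {(name[k1], name[k2]): join(binary[p][(u, v)] for u in m1 for v in m2)
                    for k1, m1 in classes.items() for k2, m2 in classes.items()}
                for p in binary}
    # a summary node stands for several cells, so it is only "maybe" equal to itself
    eq = {(name[k1], name[k2]): (0 if k1 != k2 else 1 if len(m1) == 1 else HALF)
          for k1, m1 in classes.items() for k2 in classes}
    return list(name.values()), a_unary, a_binary, eq

def is_shared(u, nodes, n, eq):
    """is(u) = exists v1,v2: n(v1,u) and n(v2,u) and v1 != v2, under Kleene semantics."""
    return max(k_and(k_and(n[(v1, u)], n[(v2, u)]), k_not(eq[(v1, v2)]))
               for v1, v2 in product(nodes, repeat=2))

def sharing_query(instrumented, edges=(("u1", "u2"), ("u2", "u3"), ("u3", "u4"))):
    """Build a constructed 4-cell store (x -> u1, n-edges as given), abstract it and
    report is(u) per abstract node: re-evaluated on the 3-valued structure, or, when
    instrumented, read back from the stored predicate (instrumentation principle)."""
    nodes = ("u1", "u2", "u3", "u4")
    n = {(a, b): int((a, b) in edges) for a in nodes for b in nodes}
    eq = {(a, b): int(a == b) for a in nodes for b in nodes}
    unary = {"x": {u: int(u == "u1") for u in nodes}}
    if instrumented:  # store is(v) in the concrete store before abstracting
        unary["is"] = {u: is_shared(u, nodes, n, eq) for u in nodes}
    a_nodes, a_unary, a_binary, a_eq = canonical_abstraction(nodes, unary, {"n": n})
    if instrumented:
        return a_unary["is"]
    return {u: is_shared(u, a_nodes, a_binary["n"], a_eq) for u in a_nodes}
```

Passing a cyclic edge set (adding ("u4", "u2")) shows the other half of the deck's point: without instrumentation the acyclic and cyclic lists abstract to the same answer, while the stored predicate keeps the shared cell u2 as its own node with is = 1.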
![Page 87: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/87.jpg)
Formalizing “. . .”
Figure: Informal: lists pointed to by x and by y, drawn with “. . .”. Formal: the same lists with summary nodes in place of the “. . .”.
![Page 88: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/88.jpg)
Formalizing “. . .”
Figure: Informal: lists pointed to by x and by y, with t1 and t2 pointing into them, drawn with “. . .”. Formal: the same lists with summary nodes in place of the “. . .”.
![Page 89: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/89.jpg)
Formalizing “. . .”
Figure: Informal: lists pointed to by x and by y. Formal: the cells are labelled with the reachability predicates r[x] (reachable from variable x) and r[y] (reachable from variable y).
![Page 90: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/90.jpg)
Formalizing “. . .”
Figure: Informal: lists pointed to by x and by y, with t1 and t2 pointing into them. Formal: the cells are labelled with the reachability predicates r[x], r[t1] and r[y], r[t2].
![Page 91: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/91.jpg)
Useful Instrumentation Predicates
• doubly-linked(v)
• reachable-from-variable-x(v)
• acyclic-along-dimension-d(v)
• tree(v)
• dag(v)
• AVL trees:
– balanced(v), left-heavy(v), right-heavy(v)
– . . . but not via height arithmetic
Need FO + TC
![Page 92: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/92.jpg)
Materialization (x = x→n)
Figure: Informal: x and y point to the head of a list; after x = x→n, x points one cell further along. Formal: x and y point to a definite cell followed by a summary node; after x = x→n the cell that x now points to is materialized out of the summary node as a definite cell.
![Page 93: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/93.jpg)
Naïve Transformer (x = x→n)
Figure: starting from the structure in which x and y point to the same cell, evaluate the update formulas directly on the three-valued structure.
![Page 94: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/94.jpg)
Best Transformer (x = x→n)
Figure: the three-valued structure is expanded into the two-valued structures it represents (“...”), the update formulas are evaluated on each of them, and the results are abstracted again.
![Page 95: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/95.jpg)
“Focus”-Based Transformer (x = x→n)
Figure: Focus(x→n) performs a “Partial” expansion of the three-valued structure into finitely many structures in which x→n is definite; the update formulas are then evaluated on those.
![Page 96: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/96.jpg)
Why is Shape Analysis Difficult?
• Destructive updating through pointers
– p→next = q
– Produces complicated aliasing relationships
– Track aliasing using 3-valued structures
• Dynamic storage allocation
– No bound on the size of run-time data structures
– Canonical abstraction gives finite-sized 3-valued structures
• Data-structure invariants typically only hold at the beginning and end of operations
– Need to verify that data-structure invariants are re-established
– Query the 3-valued structures that arise at the exit
![Page 97: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/97.jpg)
What to Take Away
• A ‘yacc’ for static analysis based on logic
• Broad scope of potential applicability
– Not just linkage properties: predicates are not restricted to be links!
– Discrete systems in which a relational (+ numeric) structure evolves
– Transition: evolution of relational + numeric state
![Page 98: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/98.jpg)
Canonical Abstraction
A family of abstractions for use in logic
![Page 99: Static Program Analysis via Three-Valued Logic Mooly Sagiv (Tel Aviv), Thomas Reps (Madison), Reinhard Wilhelm (Saarbrücken)](https://reader036.vdocuments.us/reader036/viewer/2022062322/5697c0111a28abf838ccb505/html5/thumbnails/99.jpg)
Questions?