Parametric Shape Analysis via 3-Valued Logic
Mooly Sagiv
Thomas Reps
Reinhard Wilhelm
(Transcript of the presentation slides.)
pointer analysis? points-to analysis?
shape analysis? alias analysis?
The Shape-Analysis Problem
For every program point, compute a finite characterization of the possible “shapes” of the heap-allocated data structures.
Formalizing “. . .”
[Figure: Informal picture: a list reached from x and y with the middle cells elided as “. . .”. Formal picture: the elided cells are collapsed into one summary node carrying “Summary Information”.]
Why Shape Analysis?
• Capture storage invariants
– x points to an acyclic list, cyclic list, tree, dag, etc.
• May-alias information
• Identify (absence of) sharing
– x and y point to structures that do not share cells
• “Dynamization” of static structure-description formalisms
– e.g., ADDS annotations [Hendren 94]
What’s New?
• Parametric framework for a class of shape-analysis algorithms
• “Rational reconstruction” of a number of previous shape-analysis methods
– [Jones & Muchnick 81]
– [Chase, Wegman, & Zadeck 90]
– [Stransky 93]
– [Assmann & Weinhardt 93]
– [Pleyvak, Chien, & Karamcheti 93]
– [Wang 94]
– [Sagiv, Reps, & Wilhelm 96, 98]
• New shape-analysis methods
• General abstraction principle, hence much simpler proofs
• Basis for a tool that generates shape-analysis algorithms
Outline
• Using logic to describe stores
• Using logic to express store transformations
• Forming abstractions of stores
• Three-valued logic
• Using three-valued logic to express transformations of abstract stores
Using Logic to Describe Stores
• Predicate Symbols
– Whether variable x points to location u: x(u)
– Pointer fields: n(u1, u2), car(u1, u2), cdr(u1, u2)
[Figure: x → u; an n edge from u1 to u2; a car edge from u1 to u2; a cdr edge from u1 to u2]
Using Logic to Describe Stores
• Formulas: Other Properties of Locations
$\mathit{is}(v) \Leftrightarrow \exists v_1, v_2 : n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$
[Figure: a list u1 → u2 → u3 → u4 in which no cell is shared: is(u1) = 0, is(u2) = 0, is(u3) = 0, is(u4) = 0]
[Figure: x → u1 and y → u3, with the n fields of both u1 and u3 pointing to u2: is(u1) = 0, is(u2) = 1, is(u3) = 0]
First-Order Logic (Syntax)
• Vocabulary
– Predicate symbols: $p_1, p_2, \ldots, p_n$
– Constant symbols: $c_1, c_2, \ldots, c_m$
– Function symbols: $f_1, f_2, \ldots, f_k$
• Formulas
– Variables
– Equality-predicate symbol: $=$
– Logical-constant symbols: 0, 1
– Connectives: $\wedge$, $\vee$, $\neg$
– Quantifiers: $\forall$, $\exists$
First-Order Logic (Semantics)
• Truth values: 0, 1
• Logical structures
– Individuals: $U = \{u_1, u_2, \ldots, u_n\}$
– Predicates: $p_i : U^{\mathrm{arity}(p_i)} \to \{0, 1\}$
In Our Application: Logical structures = Concrete stores
An Example
[Figure: x → u1, y → u3; the n fields of u1 and u3 both point to u2]
Individuals: U = {u1, u2, u3}
Predicates:

      x(u)  y(u)
u1     1     0
u2     0     0
u3     0     1

n     u1  u2  u3
u1     0   1   0
u2     0   0   0
u3     0   1   0

Example (Cont’d)
Individuals: U = {u1, u2, u3}
Predicates:

      is(u)
u1     0
u2     1
u3     0
First-Order Logic (Semantics)
• Assignments
– $Z$: free variables $\to$ individuals
• Meaning of a formula: $[\![\varphi]\!](Z)$
Meaning of a Formula
$\varphi(v, v_1, v_2) = n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$
[Figure: the store above: x → u1, y → u3, u1.n = u3.n = u2]
$Z = \{ v \mapsto u_2,\ v_1 \mapsto u_1,\ v_2 \mapsto u_3 \}$
$[\![\varphi(v, v_1, v_2)]\!](Z) = ???$
Meaning of a Formula $[\![\varphi]\!](Z)$
$[\![0]\!](Z) = 0$
$[\![1]\!](Z) = 1$
$[\![p_i(v_1, \ldots, v_k)]\!](Z) = p_i(Z(v_1), \ldots, Z(v_k))$
$[\![\varphi_1 \wedge \varphi_2]\!](Z) = [\![\varphi_1]\!](Z) \wedge [\![\varphi_2]\!](Z)$
$[\![\varphi_1 \vee \varphi_2]\!](Z) = [\![\varphi_1]\!](Z) \vee [\![\varphi_2]\!](Z)$
• Negation, quantification, . . .
Meaning of a Formula
$\varphi(v, v_1, v_2) = n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$
[Figure: the store above: x → u1, y → u3, u1.n = u3.n = u2]
$Z = \{ v \mapsto u_2,\ v_1 \mapsto u_1,\ v_2 \mapsto u_3 \}$
$[\![\varphi]\!](Z) = [\![n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2]\!](Z)$
$= n(u_1, u_2) \wedge n(u_3, u_2) \wedge u_1 \neq u_3$
$= 1 \wedge 1 \wedge 1 = 1$
Outline
• Using logic to describe stores
• Using logic to express store transformations
• Forming abstractions of stores
• Three-valued logic
• Using three-valued logic to express transformations of abstract stores
Using Logic to Change Stores: x = null
Before: [Figure: x → u1 and y → u1; z → u3; u1.n = u3.n = u2]
After: [Figure: y → u1; z → u3; u1.n = u3.n = u2; x points nowhere]

Old store:

      x(u)  y(u)  z(u)
u1     1     1     0
u2     0     0     0
u3     0     0     1

n     u1  u2  u3
u1     0   1   0
u2     0   0   0
u3     0   1   0

Predicate-Alteration Formulas for x = null
$x[x = \mathrm{null}](v) = 0$
$y[x = \mathrm{null}](v) = y(v)$
$z[x = \mathrm{null}](v) = z(v)$
$n[x = \mathrm{null}](v_1, v_2) = n(v_1, v_2)$

New store (each column is obtained by evaluating the corresponding alteration formula over the old store):

      x(u)  y(u)  z(u)
u1     0     1     0
u2     0     0     0
u3     0     0     1

n     u1  u2  u3
u1     0   1   0
u2     0   0   0
u3     0   1   0
Outline
• Using logic to describe stores
• Using logic to express store transformations
• Forming abstractions of stores
• Three-valued logic
• Using three-valued logic to express transformations of abstract stores
The Abstraction Principle
[Figure: concrete list x → u1 → u2 → u3 → u4; abstract structure x → u1 → u234, where u234 is a summary node whose n self-edge carries the value {0,1} (“Summary Information”)]

Concrete:

n     u1  u2  u3  u4
u1     0   1   0   0
u2     0   0   1   0
u3     0   0   0   1
u4     0   0   0   0

      x(u)  y(u)
u1     1     0
u2     0     0
u3     0     0
u4     0     0

=     u1  u2  u3  u4
u1     1   0   0   0
u2     0   1   0   0
u3     0   0   1   0
u4     0   0   0   1

      is(u)
u1     0
u2     0
u3     0
u4     0

Abstract:

n       u1    u234
u1     {0}   {0,1}
u234   {0}   {0,1}

        x(u)  y(u)
u1      {1}   {0}
u234    {0}   {0}

=       u1    u234
u1     {1}   {0}
u234   {0}   {0,1}

        is(u)
u1      {0}
u234    {0}

The Abstraction Principle
• Select some subset A of the predicate symbols
• Partition the individuals $U^S$ of structure S into equivalence classes based on the values of their A predicates
– $u \mapsto [u]_A$
• Form the “union-quotient” of S with respect to $\{[u]_A \mid u \in U^S\}$

Example
[Figure: x → u1 → u2 → u3 → u4 abstracts to x → [u1] → [u2], the quotient with respect to {w, x, y, z}]
• A = {v | v is a program variable}
– [Chase, Wegman, & Zadeck 90]
– [Sagiv, Reps, & Wilhelm 96, 98]
Outline
• Using logic to describe stores
• Using logic to express store transformations
• Forming abstractions of stores
• Three-valued logic
• Using three-valued logic to express transformations of abstract stores
Two- vs. Three-Valued Logic
Two-valued logic: truth values 0 and 1.
Three-valued logic: truth values {0}, {1} and {0,1}, ordered by information content: $\{0\} \sqsubseteq \{0,1\}$ and $\{1\} \sqsubseteq \{0,1\}$ ({0,1} is the indefinite value, written 1/2 below).

Two-valued logic:

∧    1   0
1    1   0
0    0   0

∨    1   0
1    1   1
0    1   0

Three-valued logic:

∧        {1}    {0,1}  {0}
{1}      {1}    {0,1}  {0}
{0,1}    {0,1}  {0,1}  {0}
{0}      {0}    {0}    {0}

∨        {1}    {0,1}  {0}
{1}      {1}    {1}    {1}
{0,1}    {1}    {0,1}  {0,1}
{0}      {1}    {0,1}  {0}
First-Order Logic (Semantics)
• Truth values: 0, 1, 1/2
• Logical structures
– Individuals: $U = \{u_1, u_2, \ldots, u_n\}$
– Predicates: $p_i : U^{\mathrm{arity}(p_i)} \to \{0, 1, 1/2\}$
In Our Application: 3-valued logical structures = Abstract stores
The Abstraction Principle
• Select some subset A of the predicate symbols
• Partition the individuals $U^S$ of structure S into equivalence classes based on the values of their A predicates
– $u \mapsto [u]_A$
• Form the “union-quotient” of S with respect to $\{[u]_A \mid u \in U^S\}$
Abstraction Conserves Predicates
$p^S(u_1, \ldots, u_k) \sqsubseteq p^{S^\#}([u_1]_A, \ldots, [u_k]_A)$
where $S^\# = S/[u]_A$ is the structure that Abs(A) produces from S by mapping each individual u to its class $[u]_A$: “Form the ‘union-quotient’ of S with respect to $\{[u]_A \mid u \in U^S\}$.”

Example: the list x → u1 → u2 → u3 → u4 (y is null), abstracted with A = {x, y}.
[Figure: x → u1 → u2 → u3 → u4 collapses to x → [u1] → [u2], with [u2] a summary node]

Concrete:

n     u1  u2  u3  u4
u1     0   1   0   0
u2     0   0   1   0
u3     0   0   0   1
u4     0   0   0   0

      x(u)  y(u)
u1     1     0
u2     0     0
u3     0     0
u4     0     0

=     u1  u2  u3  u4
u1     1   0   0   0
u2     0   1   0   0
u3     0   0   1   0
u4     0   0   0   1

      is(u)
u1     0
u2     0
u3     0
u4     0

Abstract:

        x(u)  y(u)
[u1]     1     0
[u2]     0     0

n       [u1]  [u2]
[u1]      0    1/2
[u2]      0    1/2

=       [u1]  [u2]
[u1]      1     0
[u2]      0    1/2

        is(u)
[u1]     0
[u2]     0

Abstraction Conserves Properties
$p^S(u_1, \ldots, u_k) \sqsubseteq p^{S^\#}([u_1]_A, \ldots, [u_k]_A)$, with $S^\# = S/[u]_A$ and $u \mapsto [u]_A$.
Evaluating a formula extracts information conservatively:
$[\![\varphi]\!]^S(u_1, \ldots, u_k) \sqsubseteq [\![\varphi]\!]^{S^\#}([u_1]_A, \ldots, [u_k]_A)$

$\varphi(v) = \exists v_1, v_2 : n(v_1, v) \wedge n(v_2, v) \wedge v_1 \neq v_2$

      $[\![\varphi]\!]^S(u)$
u1     0
u2     0
u3     0
u4     0

        $[\![\varphi]\!]^{S^\#}(u)$
[u1]     0
[u2]    1/2

For $[\![\varphi]\!]^{S^\#}([u_2])$, let $v_1 = [u_1]$ and $v_2 = [u_2]$: $n([u_1],[u_2]) \wedge n([u_2],[u_2]) \wedge [u_1] \neq [u_2] = 1/2 \wedge 1/2 \wedge 1 = 1/2$.

“Tracking Properties” Beats “Inferring Properties”
Inferred by evaluating $\varphi$ on $S^\#$:

        $[\![\varphi]\!]^{S^\#}(u)$
[u1]     0
[u2]    1/2

Tracked as the abstraction predicate is:

      is(u)
u1     0
u2     0
u3     0
u4     0

        is(u)
[u1]     0
[u2]     0

$[\![\varphi_p]\!]^S(u_1, \ldots, u_k) = p^S(u_1, \ldots, u_k) \sqsubseteq p^{S^\#}([u_1]_A, \ldots, [u_k]_A) \sqsubseteq [\![\varphi_p]\!]^{S^\#}([u_1]_A, \ldots, [u_k]_A)$
The tracked value $p^{S^\#}$ is never less precise than the value obtained by re-evaluating the defining formula $\varphi_p$ on the abstract structure.
Outline
• Using logic to describe stores
• Using logic to express store transformations
• Forming abstractions of stores
• Three-valued logic
• Using three-valued logic to express transformations of abstract stores
Example: x = y->n
“Rational reconstruction” of [Chase, Wegman, & Zadeck 90]
[Figure: before the statement, x and y point to [u1], whose n edge leads to the summary node [u2]; after it, y still points to [u1] and x points to [u2]]
$x[x = y{\to}n](v) = \exists v_1 : y(v_1) \wedge n(v_1, v)$
$y[x = y{\to}n](v) = y(v)$
$n[x = y{\to}n](v_1, v_2) = n(v_1, v_2)$
$\mathit{is}[x = y{\to}n](v) = \mathit{is}(v)$
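As an added example, not code from the slides or the authors, the following Python carries the abstraction and three-valued sections above through in code: Kleene three-valued evaluation of formulas, the union-quotient abstraction with respect to the variable predicates, the checks that abstraction conserves predicates and that formula evaluation is conservative, the “tracking beats inferring” comparison for is(v), and the x = y->n transformer applied to the abstract structure in the Chase–Wegman–Zadeck manner (no materialization). It assumes only the Python standard library; the tuple-based formula syntax and the class labels “[u1]”, “[u2]” are this example's own choices.

```python
# Added example (not from the slides; standard library only): Kleene 3-valued
# logic, canonical abstraction as a union-quotient, conservative evaluation,
# "tracking beats inferring", and the x = y->n transformer on abstract stores.
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)          # the slides' {0,1}; 0 and 1 are the definite values

def leq_info(a, b):
    """Information order: a is below b iff a == b or b is indefinite (1/2)."""
    return a == b or b == HALF

def ev(f, S, Z):
    """Evaluate formula f (tuple syntax) in structure S under assignment Z.
    Kleene semantics: AND = min, OR = max, NOT = 1 - v, EXISTS = max over U,
    FORALL = min over U.  On a 2-valued structure this is ordinary FOL."""
    op = f[0]
    if op == "p":                                   # ("p", name, v1, ..., vk)
        return S["preds"][f[1]][tuple(Z[v] for v in f[2:])]
    if op == "and": return min(ev(f[1], S, Z), ev(f[2], S, Z))
    if op == "or":  return max(ev(f[1], S, Z), ev(f[2], S, Z))
    if op == "not": return 1 - ev(f[1], S, Z)
    if op == "ex":  return max(ev(f[2], S, {**Z, f[1]: u}) for u in S["U"])
    if op == "all": return min(ev(f[2], S, {**Z, f[1]: u}) for u in S["U"])
    raise ValueError(op)

# is(v) <=> EXISTS v1, v2 : n(v1, v) AND n(v2, v) AND NOT (v1 = v2)
IS = ("ex", "v1", ("ex", "v2", ("and", ("and", ("p", "n", "v1", "v"),
                                                ("p", "n", "v2", "v")),
                                        ("not", ("p", "=", "v1", "v2")))))

def concrete_list(cells, var_at):
    """2-valued structure for the singly linked list cells[0] -> cells[1] -> ...;
    var_at maps each program variable to the cell it points to (None = null).
    The sharing predicate is(v) is computed once and then tracked."""
    U = tuple(cells)
    P = {v: {(u,): int(u == c) for u in U} for v, c in var_at.items()}
    P["n"] = {(a, b): int(U.index(b) == U.index(a) + 1) for a, b in product(U, repeat=2)}
    P["="] = {(a, b): int(a == b) for a, b in product(U, repeat=2)}
    S = {"U": U, "preds": P}
    P["is"] = {(u,): ev(IS, S, {"v": u}) for u in U}
    return S

def abstract(S, A):
    """Union-quotient: individuals with equal values of the A predicates collapse
    into one class [u]; a predicate value over classes is 1/2 when the members
    disagree.  Returns the abstract structure and the map u -> [u]."""
    def sig(u):
        return tuple(S["preds"][p][(u,)] for p in A)
    groups = {}
    for u in S["U"]:
        groups.setdefault(sig(u), []).append(u)
    label = {s: "[" + members[0] + "]" for s, members in groups.items()}
    cls = {u: label[sig(u)] for u in S["U"]}
    classes = tuple(label.values())
    P = {}
    for p, tab in S["preds"].items():
        k = len(next(iter(tab)))
        for key in product(classes, repeat=k):
            vals = {tab[c] for c in product(S["U"], repeat=k)
                    if tuple(cls[u] for u in c) == key}
            P.setdefault(p, {})[key] = vals.pop() if len(vals) == 1 else HALF
    return {"U": classes, "preds": P}, cls

def embeds(S, S_abs, cls):
    """Abstraction conserves predicates: p^S(u1..uk) is below p^S#([u1]..[uk])."""
    return all(leq_info(val, S_abs["preds"][p][tuple(cls[u] for u in c)])
               for p, tab in S["preds"].items() for c, val in tab.items())

def assign_field(S, lhs, rhs, field="n"):
    """x = y->n via its predicate-alteration formula x'(v) = EXISTS v1 : y(v1) AND
    n(v1, v); every other predicate is copied.  Works on 2- and 3-valued S."""
    f = ("ex", "v1", ("and", ("p", rhs, "v1"), ("p", field, "v1", "v")))
    P = {p: dict(t) for p, t in S["preds"].items()}
    P[lhs] = {(u,): ev(f, S, {"v": u}) for u in S["U"]}
    return {"U": S["U"], "preds": P}

if __name__ == "__main__":
    # Constructed input: x, y -> u1 -> u2 -> u3 -> u4, abstracted w.r.t. A = {x, y}.
    S = concrete_list(["u1", "u2", "u3", "u4"], {"x": "u1", "y": "u1"})
    S_abs, cls = abstract(S, ("x", "y"))
    print("classes:", S_abs["U"], " n#:", S_abs["preds"]["n"])
    print("embedding holds:", embeds(S, S_abs, cls))
    print("is tracked:", S_abs["preds"]["is"])
    print("is inferred:", {u: ev(IS, S_abs, {"v": u}) for u in S_abs["U"]})
    print("x after x = y->n on S#:", assign_field(S_abs, "x", "y")["preds"]["x"])
```

Run on the constructed list, the transformer leaves x at 1/2 on the summary node: the abstract store cannot say which cell of [u2] x now points to, whereas abstracting the concrete post-state yields a third class for the cell x points to. That gap is what the materialization step on the following slides closes.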
Materialization: x = y->n
[Chase, Wegman, & Zadeck 90]
[Figure: x and y point to [u1], whose n edge leads to the summary node [u2]; after the statement, y points to [u1] and x points to [u2]]
[Sagiv, Reps, & Wilhelm 96, 98]
[Figure: the same input; after the statement, y points to [u1], x points to a new node [u3] materialized out of the summary node, and [u3] leads on to [u2]]
$x[x = y{\to}n](v) = \exists v_1 : y(v_1) \wedge n(v_1, v)$
(1) Triplicate the Structure
[Figure: three candidate structures for x and y pointing to [u1] with the summary node [u2]: one in which the summary node appears as [u2.1], one in which it is split into [u2.0] and [u2.1], and one showing [u1] alone]
$x[x = y{\to}n](v) = \exists v_1 : y(v_1) \wedge n(v_1, v)$
(2) Evaluate Predicate-Alteration Formulas
[Figure: the predicate-alteration formulas evaluated on each of the three structures, giving y → [u1] with x placed on [u2.1] in the split structures]
Additional Abstraction Predicates
• reachable-from-variable-x(v)
• acyclic-along-dimension-d(v)
– à la ADDS
• doubly-linked(v)
• tree(v)
• dag(v)
• AVL trees:
– balanced(v), left-heavy(v), right-heavy(v)
– . . . but not via height arithmetic
Need FO + TC (first-order logic with transitive closure)
Formalizing “. . .”
[Figure: Informal: a list from x and a list from y, each with its middle cells elided as “. . .”. Formal: each “. . .” is replaced by a summary node]
Formalizing “. . .”
[Figure: the same two lists with temporaries t1 and t2 pointing into them, informal and formal]
Formalizing “. . .”
[Figure: Formal structure in which every node is labelled with the set of variables it is reachable from: {x} along x's list (“reachable from variable x”), {y} along y's list (“reachable from variable y”)]
Formalizing “. . .”
[Figure: with the temporaries, the labels become {t1, x} along x's list and {t2, y} along y's list, so the cells reachable from t1 and from t2 are kept in distinct summary nodes]
Summary
• Parametric framework
• Three-valued logic arises from abstraction
• Three-valued logic also allows:
– Materialization
– Conservative extraction of properties
– Interpretation of program conditions
• Simpler proofs