Dagstuhl Seminar "Applied Deductive Verification" November 2003 gretay Symbolically Computing...

Post on 11-Jan-2016


Dagstuhl Seminar "Applied Deductive Verification" November 2003

www.cs.tau.ac.il/~gretay

Symbolically Computing Most-Precise Abstract Operations for Shape Analysis

Greta Yorsh, joint work with Thomas Reps and Mooly Sagiv

Slide 2: Why use a theorem prover?

Guarantee the most-precise result w.r.t. the abstraction

Modular reasoning: assume-guarantee reasoning, scalability

Slide 3: Outline

Background
The "assume" Operation
The assume Algorithm
  canonical abstraction
Main Results
Future Work

Slide 4: Shape Analysis

Static program analysis: determine "shape invariants"

Verify programs (partially): detect memory errors, prove properties about dynamically allocated data, detect logical errors, code optimizations

Abstract Interpretation [CC77]: Galois Connection (α, γ)

Slides 5-8: Galois Connection (α, γ)

(Figure, built up over four frames, of the concrete domain and the abstract domain.)

Concretization function: an abstract value a maps to γ(a) in the concrete domain
Abstraction function: a set of concrete states C maps to α(C) in the abstract domain
Galois connection: C ⊆ γ(α(C))
Most precise abstract value: α(C); for any other a' with C ⊆ γ(a'), α(C) ⊑ a'

Slide 9: New Approach

Use symbolic techniques in abstract interpretation: for shape analysis, and for other abstract domains

What does it mean to employ a decision procedure/theorem prover for shape analysis? A symbolic concretization γ̂(a) together with a decision procedure for satisfiability

Slide 10: Symbolic Concretization γ̂(a)

(Figure: abstract values a1, a2 with concretizations γ(a1), γ(a2) in the concrete domain, and their formulas γ̂(a1), γ̂(a2); a store either satisfies the formula, store ⊧ γ̂(a1), or does not, store ⊭ γ̂(a1).)

S ∈ γ(a) ⇔ S ⊧ γ̂(a)


Slide 12: Assume-Guarantee Reasoning

    T bar();

    void foo() {
      T p;
      ...
      p = bar();
      ...
    }

Procedure specifications: {prebar, postbar} for bar, {prefoo, postfoo} for foo. Checking foo against its specification, using only the specification of bar:

    assume[prefoo];
    assert[prebar];  -----------  assume[postbar];
    assert[postfoo];

assert[φ](a): is γ̂(a) ⇒ φ valid?
assume[φ](a): ?

(Figure: abstract lattice with elements <top>, <a1>, <a2>, <a3>, <a4>.)

Slides 13-15: The "assume[φ](a)" Operation

(Figure, built up over three frames: the concrete domain contains γ(a), the models 〚φ〛 of the formula φ, and their intersection X; the abstract domain contains a and assume[φ](a).)

assume[φ](a) = α(X), where X = γ(a) ∩ 〚φ〛

The symbolic version computed from formulas is written with a hat: \widehat{assume}[φ](a)


Slides 17-20: The assume[φ](a) Algorithm

(Figure, built up over four frames: starting from a in the abstract domain, the algorithm works towards assume[φ](a); γ(a), 〚φ〛 and their intersection X are shown in the concrete domain, with α(X) as the target value.)


Slide 22: Abstraction Function

(Figure: a set C of concrete states maps to α(C) in the abstract domain.)

α(C) = { canonical abstraction of S | S ∈ C }

Concrete domain: 2-valued logical structures
Abstract domain: sets of 3-valued logical structures

Slide 23: Describing the Heap Using a Logical Structure

Definition of a linked list:

    struct List {
      int d;
      struct List *n;
    }

Cyclic linked list of length 4 pointed to by variable x: structure S = <U, x, n, rx>

universe U = {u1, u2, u3, u4}
unary relation x = {u1}
binary relation n = {<u1, u2>, <u2, u3>, <u3, u4>, <u4, u1>}
unary relation rx = {u1, u2, u3, u4}
unary relation c = {u1, u2, u3, u4}

(Figure: x → u1 → u2 → u3 → u4 → u1 along n; every node labelled c, rx.)

Slide 24: 3-Valued Logical Structures

Relation meaning over {0, 1, ½} (Kleene)

1: True, 0: False, ½: Unknown

A join semi-lattice in the information order: 0 ⊔ 1 = ½, with ½ on top

Slides 25-26: Canonical Abstraction

(Figure, over two frames: the concrete structure x → u1 → u2 → u3 → u4 → u1, all nodes c, rx, is abstracted to x → u1 → u2, where u2 is a summary node representing u2, u3, u4.)

u2: summary node

Unary relations have definite values
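The canonical abstraction of slides 23-26 carried out in code, as an added example that is not part of the talk: nodes agreeing on the unary relations x, rx, c collapse into one abstract node (named here, by assumption, by the tuple of relations that hold on it), and the n-edges of merged nodes are joined with Kleene's join, so a mix of 0 and 1 becomes ½.

```python
# Added example (not from the talk): canonical abstraction of the 2-valued
# structure of slide 23 into a 3-valued structure, using Kleene's join.
from itertools import product

HALF = 0.5  # Kleene's "unknown" value

def kleene_join(values):
    """Join in the information order: 0 ⊔ 0 = 0, 1 ⊔ 1 = 1, 0 ⊔ 1 = ½."""
    vals = set(values)
    if not vals:
        return 0
    return HALF if len(vals) > 1 or HALF in vals else vals.pop()

def canonical_abstraction(universe, unary, binary):
    """Nodes with identical unary-relation values map to one abstract node
    (named by the tuple of unary relations that hold on it; an assumption of
    this example); binary values of merged node pairs are joined."""
    name = {u: tuple(p for p in sorted(unary) if unary[p][u]) for u in universe}
    abs_universe = sorted(set(name.values()))
    abs_unary = {p: {a: int(p in a) for a in abs_universe} for p in unary}
    abs_binary = {}
    for r, rel in binary.items():
        abs_binary[r] = {
            (a, b): kleene_join(rel.get((u, v), 0)
                                for u in universe if name[u] == a
                                for v in universe if name[v] == b)
            for a, b in product(abs_universe, repeat=2)}
    # a summary node stands for more than one concrete node
    summary = {a: sum(name[u] == a for u in universe) > 1 for a in abs_universe}
    return abs_universe, abs_unary, abs_binary, summary

# Constructed input: slide 23's cyclic list of length 4 pointed to by x.
U = ["u1", "u2", "u3", "u4"]
UNARY = {"x": {"u1": 1, "u2": 0, "u3": 0, "u4": 0},
         "rx": dict.fromkeys(U, 1), "c": dict.fromkeys(U, 1)}
N = {("u1", "u2"): 1, ("u2", "u3"): 1, ("u3", "u4"): 1, ("u4", "u1"): 1}

def abstract_cyclic_list():
    """Abstract the cyclic list: u1 stays definite, u2..u4 become one summary
    node, and every n-edge touching the summary node has value ½."""
    return canonical_abstraction(U, UNARY, {"n": N})

if __name__ == "__main__":
    nodes, un, bi, summ = abstract_cyclic_list()
    for a in nodes:
        print(a, "summary" if summ[a] else "definite")
    for pair, val in bi["n"].items():
        print("n", pair, val)
```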

Slide 27: Concretization Function (via formulas)

(Figure: the abstract value a = x → u1 → u2, both nodes c, rx, maps to γ(a) in the concrete domain; γ̂(a) is the formula describing γ(a).)

formula of a ≜ ∃v1,v2: node_u1(v1) ⋀ node_u2(v2) ⋀ ∀w: node_u1(w) ⋁ node_u2(w)
              ⋀ ∀w1,w2: node_u1(w1) ⋀ node_u1(w2) ⇒ (w1 = w2) ⋀ ¬n(w1,w2)

γ̂(a) ≜ (formula of a) ⋀ IR

S ∈ γ(a) ⇔ S ⊧ γ̂(a)

Slide 28: Concretization Function (integrity rules)

IR = unique[x] ⋀ function[n] ⋀ reachable[x] ⋀ cyclic[n]

unique[x] ≜ ∀v1,v2: x(v1) ⋀ x(v2) ⇒ v1 = v2
function[n] ≜ ∀v,v1,v2: n(v,v1) ⋀ n(v,v2) ⇒ v1 = v2
reachable[x] ≜ ∀v: rx(v) ⇔ ∃v1: x(v1) ⋀ n*(v1,v)
cyclic[n] ≜ ∀v: c(v) ⇔ ∃v1: n(v,v1) ⋀ n*(v1,v)

γ̂(a) ≜ (formula of a) ⋀ IR

S ∈ γ(a) ⇔ S ⊧ γ̂(a)
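The integrity rules IR of slide 28 evaluated on a concrete 2-valued structure, as an added example that is not part of the talk: n* is computed as a reflexive-transitive closure over the finite universe, and a structure whose rx or c relations do not match the definitions (or whose x is not unique, or whose n is not a function) is rejected, which is exactly what conjoining IR into γ̂(a) achieves. The structures are constructed from slide 23.

```python
# Added example (not from the talk): checking the integrity rules IR of
# slide 28 on finite 2-valued structures given as sets of tuples.

def closure(universe, n):
    """Reflexive-transitive closure n*(v, w), returned as a set of pairs."""
    reach = {v: {v} for v in universe}
    changed = True
    while changed:
        changed = False
        for v in universe:
            for a, b in n:
                if a in reach[v] and b not in reach[v]:
                    reach[v].add(b)
                    changed = True
    return {(v, w) for v in universe for w in reach[v]}

def unique(x):  # unique[x]: ∀v1,v2: x(v1) ∧ x(v2) ⇒ v1 = v2
    return len(x) <= 1

def function(n):  # function[n]: ∀v,v1,v2: n(v,v1) ∧ n(v,v2) ⇒ v1 = v2
    return len({a for a, _ in n}) == len(n)

def reachable(universe, x, n):  # rx(v) ⇔ ∃v1: x(v1) ∧ n*(v1,v)
    star = closure(universe, n)
    return {v for v in universe if any((v1, v) in star for v1 in x)}

def cyclic(universe, n):  # c(v) ⇔ ∃v1: n(v,v1) ∧ n*(v1,v)
    star = closure(universe, n)
    return {v for v in universe
            if any((v, v1) in n and (v1, v) in star for v1 in universe)}

def satisfies_ir(S):
    """IR holds of S = {U, x, n, rx, c} iff x is unique, n is a function,
    and rx, c are exactly the relations defined by reachable[x], cyclic[n]."""
    return (unique(S["x"]) and function(S["n"])
            and S["rx"] == reachable(S["U"], S["x"], S["n"])
            and S["c"] == cyclic(S["U"], S["n"]))

# Constructed: slide 23's cyclic list of length 4 pointed to by x.
CYCLIC_LIST = {"U": {"u1", "u2", "u3", "u4"}, "x": {"u1"},
               "n": {("u1", "u2"), ("u2", "u3"), ("u3", "u4"), ("u4", "u1")},
               "rx": {"u1", "u2", "u3", "u4"}, "c": {"u1", "u2", "u3", "u4"}}
# Constructed: the same nodes without the back edge u4 -> u1; the list is
# acyclic, so keeping c = U violates cyclic[n] and IR must reject it.
ACYCLIC_BAD_C = dict(CYCLIC_LIST, n={("u1", "u2"), ("u2", "u3"), ("u3", "u4")})
```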


Slide 30: Example

Abstract value a: x → u1 → u2, both nodes labelled c, rx (u2 a summary node)

Formula φ for the condition y == x->n:
φ ≜ ∀v1: y(v1) ↔ ∃v2: x(v2) ⋀ n(v1, v2)

IR = unique[x] ⋀ unique[y] ⋀ function[n] ⋀ reachable[x] ⋀ reachable[y] ⋀ cyclic[n]

(Figure: the result of assume[φ](a): a node uy labelled y, ry is materialized out of the summary node u2, u1 keeps c, rx, and the remaining nodes are labelled c, rx, ry.)

Slide 31: The assume[φ](a) Algorithm

    assume[φ](a) : set of 3-valued structures
      // initialization
      for all S ∈ a
        if γ̂(S) ⋀ φ is satisfiable then W := W ∪ {S}
      // phase 1: node materialization
      while there is S ∈ W with p(u) = ½ do
        duplicate nodes and deduce their unary relations
        using calls to the theorem prover
      // phase 2: relation refinement
      while there is S ∈ W with p(u1,u2) = ½ do
        duplicate structures and deduce their binary relations
        using calls to the theorem prover
      return W

Slides 32-34: Example, Materialization and Refinement

Materialization: the summary node u2 (with y(u2) = ½) is split into uy and u2, with y(uy) = 1 and y(u2) = 0. From the structure S (x → u1 → u2, with y, ry indefinite on u2) the algorithm considers S0 with y(u2) = 0 and S1 with y(u2) = 1; in the materialized structure the fresh node uy carries y, ry, and u2 keeps c, rx, ry.

Refinement: the indefinite n-edges n(u2,uy), n(u1,uy), n(uy,uy), n(u1,u2), n(uy,u1) are resolved one at a time, each by a satisfiability query, producing structures S0 and S1 with definite edges.

(Figure: x → u1, y → uy, summary node u2, with the labels c, rx, ry on the nodes.)


Slide 36: Algorithm

    assume[φ](a) : set of 3-valued structures
      for all S ∈ a
        if γ̂(S) ⋀ φ is satisfiable then W := W ∪ {S}
      // phase 1: materialization
      while there is S ∈ W with p(u) = ½ do
        W := W / S
        if γ̂(S) ⋀ φ ⋀ (formula for p,u) is satisfiable then W := W ∪ {S'}
        if γ̂(S0) ⋀ φ is satisfiable then W := W ∪ {S0}
        if γ̂(S1) ⋀ φ is satisfiable then W := W ∪ {S1}
      // phase 2: relation refinement
      while there is S ∈ W with p(u1,u2) = ½ do
        if γ̂(S) ⋀ φ ⋀ (formula for p,u1,u2) is not satisfiable then W := W / S
        if γ̂(S0) ⋀ φ is satisfiable then W := W ∪ {S0}
        if γ̂(S1) ⋀ φ is satisfiable then W := W ∪ {S1}
      return W

Slide 37: Theorem Prover

Satisfiability of FOTC (first-order logic with transitive closure)

Calls to the theorem prover need not terminate

Experience with SPASS

Solutions?

Slide 38: SPASS Experience

Handles arbitrary FO formulas; can diverge; converges in our examples

Captures older shape analysis algorithms

How to handle FOTC? Overapproximations are not good enough: they lead to too many structures

Slide 39: Theorem Prover

Satisfiability of FOTC

Calls to the theorem prover need not terminate

Experience with SPASS

Solutions: time out and return ½; use a decidable logic

Bad news: even ∃∀TC is undecidable (reduction to the halting problem)

Slide 40: ∃∀DTC[E] Logic

Neil Immerman, Alexander Rabinovich: ∃∀DTC[E] is a subset of FOTC

∃∀ form, arbitrary unary relations, a single binary relation E, deterministic transitive closure E*(v,w): an E-path through individuals with at most one successor

Decidable for satisfiability, NEXPTIME-complete

Slide 41: Simulation Technique

Simulate regular data structures using ∃∀DTC[E]: singly linked lists (shared/cyclic/nested), doubly linked lists, (shared) trees

Preserved under mutations



Slide 45: Most-precise Operations

Most-precise abstract value: α̂(φ) = \widehat{assume}[φ](<top>)

Best transformer for a statement or loop-free fragment τ: BT(a,τ) = \widehat{assume}[τ](<a, top>)

Meet operation: m(a,a') = α̂(γ̂(a) ⋀ γ̂(a'))

Assume-guarantee reasoning with procedure specifications

Slide 46: Conclusions

Employ a decision procedure/theorem prover for shape analysis: most precise; modular (assume-guarantee reasoning)

Slide 47: Future Work

Implementation

Assume-guarantee reasoning for "real" programs: a specification language, writing procedure specifications

Extend to other domains
