Abstract Interpretation with Alien Abstract Interpretation with Alien Expressions and Heap StructuresExpressions and Heap Structures

Bor-Yuh Evan Chang K. Rustan M. LeinoUniversity of California, Berkeley Microsoft Research

January 18, 2005

VMCAI 2005Paris, France

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

2

Verifying Object-Oriented ProgramsVerifying Object-Oriented Programs

OO Program Verifier

Inference …Java/C#

Java/C#

Abstract

Interpretation

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

3

Problem and MotivationProblem and Motivation

• Standard abstract interpretation infer properties following a domain specific-schema of relations among (program) variables

– e.g., can infer this with Polyhedra [CH78]

0 · x · yz := 2 ¢ y – 2 ¢ x;

0 0 ·· z z

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

4

Problem and MotivationProblem and Motivation

• But …0 · this.xthis.x · y

z := 2 ¢ y – 2 ¢ this.xthis.x;

0 0 ·· z? z?

0 · length(x)length(x) · yz := 2 ¢ y – 2 ¢ length(x)length(x);

0 0 ·· z? z?

0 · this.xthis.x · y Æ o o this this

o.x := o.x := 2 ¢ yz := 2 ¢ y – 2 ¢ this.xthis.x;

0 0 ·· z? z?

alien expression to Polyhedra

alien expression to Polyhedra

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

5

GoalGoal

Given a Given a base abstract domainbase abstract domain that that can represent certain kind of can represent certain kind of

constraints on variables, use it to constraints on variables, use it to represent constraints on arbitrary represent constraints on arbitrary alien expressionsalien expressions (e.g., fields of (e.g., fields of

objects)objects)

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

6

OutlineOutline

• Overview• Handling Alien Expressions• Handling Heap Updates• Concluding Remarks

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

7

Overview of ContributionsOverview of Contributions

• To extend base domains to work with alien expressions– use a general abstract domain

parameterized by base domains that hide alien expressions as fresh variables (cf. Nelson-Oppen)

– congruence-closure abstract domain

• To deal with heap updates– track successive heaps as a separate

base domain– heap succession abstract domain

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

8

Fooling the Base DomainsFooling the Base Domains

Congruence-Closure Abstract Domain

Polyhedra

Constrain( sel(H,o,f) ¸ 8 )

assume o.f ¸ 8

Constrain( ¸ 8 )

sel(H,o,f)

Base Domains

SymbolicValue

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

9

Understands : FunSymbol £ Expr[] ! bool

Understandable to the Base Understandable to the Base DomainDomain

+

sel

H o f

²

Abs

2 ¢ x + sel(H,o,f) · Abs(y – z)

2 x y z

Yes

Yes

Yes

Yes

NoNo

Understands

·

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

10

Understandable to the Base Understandable to the Base DomainDomain

·

+

²

Abs

2 ¢ x + · Abs(y – z)

2 x y z

Understands : FunSymbol £ Expr[] ! bool

NoNo

NoNo

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

11

Understandable to the Base Understandable to the Base DomainDomain

+

²

2 ¢ x + ·

2 x y z

Understands : FunSymbol £ Expr[] ! bool

NoNo

Yes= y - z

Also, addthis constraint to

Polyhedra

·

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

12

Congruence-Closure DomainCongruence-Closure Domain

• Store mappings in an equivalence graphequivalence graph(e-graph)(e-graph)– give the same symbolic value for equivalent

expressions

• Tracks equalities of uninterpreted functions– an e-graph with abstract domain operations– symbolic values “name” equivalence classes

of expressions– implements congruence closure

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

13

E-GraphE-Graph

• w = f(x) Æ g(x,y) = f(y) Æ w = h(w)• A set of mappings:

w x

f() y g(,) f()

h()

• Always congruence-closed

w

x

g

h

y

f f

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

14

JoinJoin

• Roughly, join the e-graphs, then join the base domains

G0

P0

Base Domains

G1

P1

Base Domains

G0 t G1

P0 t P1

Base Domains

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

15

Join of E-GraphsJoin of E-Graphs• Think of the lattice

over conjunctions of equalities (including infinite ones)

• Let G = Join(G0,G1)

x G h0,0i if x G0

0 and x G1

f(h,i) G h0,0i if f() G0

0 and

if f() G1 0

• Rename distinct pairs to fresh symbolic values

x

f

x

f

f

x

f

f

h,i Ã

h,i Ã

Tell base domains

about renaming

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

16

Join of E-GraphsJoin of E-Graphs

• Complexity: O(n¢m)• Complete? As precise as possible?

– No, e-graphs do not form a lattice!x = y t g(x) = g(y) Æ x = f(x)

Æ y = f(y)= Æi : i ¸ 0 g(fi(x)) = g(fi(y))

– Only relatively complete[Gulwani et al. 2004]

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

17

WidenWiden

• Widen the e-graphs, then widen the base domains

• Widen of e-graphs is a join of e-graphs that limits the number of new names introduced (see paper)

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

18

So Far We Have …So Far We Have …

• Reasoning for uninterpreted functions

• Base domains that work with alien expressions transparently

• What we need for field reads– sel is alien to all base domains

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

19

OutlineOutline

• Overview• Handling Alien Expressions• Handling Heap Updates• Concluding Remarks

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

20

Heap UpdatesHeap Updates

Java/C# if (p.g == 8) { o.f = x; }

Guarded assume H[p,g] == 8;Commands H := H0 where

sel(H0,o,f) = x andH0 ´o,f H

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

21

Heap UpdatesHeap Updates

Guarded assume H[p,g] == 8;Commands H := H0 where

sel(H0,o,f) = x and H0 ´o,f H

Abstract Constrain( sel(H,p,g) = 8 )Interpreter Constrain( sel(H0,o,f) = x )

Constrain( H0 ´o,f H )Eliminate( H )Rename( H0, H )

Tracked by a new base domain:

Heap Succession

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

22

Heap Update ExampleHeap Update Example

Heap SuccessionH0 ´o,f H

E-Graphsel(H,p,g) 8 sel(H0,o,f) x H H p pH0 H0 g go o f f

Constrain( sel(H,p,g) = 8 )Constrain( sel(H0,o,f) = x )Constrain( H0 ´o,f H )Eliminate( H )Rename( H0, H )ToPredicate()

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

23

Constrain( sel(H,p,g) = 8 )Constrain( sel(H0,o,f) = x )Constrain( H0 ´o,f H )Eliminate( H )Rename( H0, H )ToPredicate()

Heap Update ExampleHeap Update Example

Heap SuccessionH0 ´o,f H

E-Graphsel(H,p,g) 8 sel(H0,o,f) x H H p pH0 H0 g go o f f

• Only removes mapping

• “Lazy quantifier elimination”

“Garbage values” remain

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

24

Constrain( sel(H,p,g) = 8 )Constrain( sel(H0,o,f) = x )Constrain( H0 ´o,f H )Eliminate( H )Rename( H0, H )ToPredicate()

Heap Update ExampleHeap Update Example

Heap SuccessionH0 ´o,f H

E-Graphsel(H,p,g) 8 sel(H0,o,f) x H H p pH H0

o o f f

g g

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

25

Constrain( sel(H,p,g) = 8 )Constrain( sel(H0,o,f) = x )Constrain( H0 ´o,f H )Eliminate( H )Rename( H0, H )ToPredicate()

Heap Update ExampleHeap Update Example

Heap SuccessionH0 ´o,f H

E-Graphsel(H,p,g) 8 sel(H0,o,f) x H H p pH H0 g go o f f

1. Do Eliminate (H)• EquivalentExpr

: Queryable £ Expr £ Var ! Expr option

Can you give me anequivalent expressionwithout H?

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

26

Constrain( sel(H,p,g) = 8 )Constrain( sel(H0,o,f) = x )Constrain( H0 ´o,f H )Eliminate( H )Rename( H0, H )ToPredicate()

Heap Update ExampleHeap Update Example

Heap SuccessionH0 ´o,f H

E-Graphsel(H0,p,g) 8 sel(H0,o,f) x H H p pH H0 g go o f f

1. Do Eliminate (H)• EquivalentExpr

: Queryable £ Expr £ Var ! Expr option

• Eliminate(H) on Base

2. ToPredicate() on Base and Convert Expr for Client

3. Conjoin Equalities

Yes, use H0

H0

To query other abstract domains

(e.g., o p?)

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

27

Related WorkRelated Work

• Join for Uninterpreted Functions [Gulwani, Tiwari, Necula 2004]– same as our join for e-graphs

• Shape Analysis [many] andTVLA [Sagiv, Reps, Wilhelm, …]– they abstract heap nodes into summary

nodes– they use special “instrumentation

predicates” whereas we use “off-the-shelf” abstract domains

– could use shape analysis as base domain?

1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures

28

Conclusion and Future WorkConclusion and Future Work

• Extended the power of abstract domains to work with alien expressions using the congruence-closure domain

• Added reasoning about heap updates with the heap succession domain

• Close to having “cooperating abstract interpreters”?– missing propagating back equalities inferred by

base domains

• Implementation and experiments in progress

Thank you!Thank you!

Questions? Comments?