Abstract Interpretation with Alien Expressions and Heap Structures
Bor-Yuh Evan Chang (UC Berkeley) and K. Rustan M. Leino (Microsoft Research)
OSQ Meeting, November 11, 2004
11/12/2004 2
Standard Abstract Interpretation
  y := 8; x := 0;
  while (*) {
    y := y + x;
    x++;
  }
Inferred: y ≥ 8
• Can do this inference with the polyhedra abstract domain [CH79]
Standard Abstract Interpretation
  this.y := 8; this.x := 0;
  while (*) {
    this.y := this.y + this.x;
    this.x++;
  }
Inferred: this.y ≥ 8?
Goal: Given a base domain that can infer certain kinds of predicates on variables, use it to infer predicates on fields
Achieving the Goal
1. Handling Alien Expressions / Uninterpreted Functions
2. Handling Heap Updates
Abstract Domains
  interface AbstractDomain {
    type Elt
    Constrain   : Elt × Expr → Elt
    Eliminate   : Elt × Var → Elt
    Rename      : Elt × Var × Var → Elt
    ToPredicate : Elt → Expr
    Join        : Elt × Elt → Elt
    AtMost      : Elt × Elt → bool
  }
Fooling the Base Domains
  assume o.f ≥ 8
  Congruence-Closure Domain / “Name Service” receives: Constrain( sel(H,o,f) ≥ 8 )
  Base Domains (e.g. Polyhedra) receive: Constrain( ⟨symbolic value⟩ ≥ 8 ), where the symbolic value stands for sel(H,o,f)
Understandable to the Base Domain
  Expression: 2·x + sel(H,o,f) ≤ |y − z|
  As a tree: root ≤; left child + over 2·x (leaves 2, x) and sel(H,o,f) (leaves H, o, f); right child |·| over y − z (leaves y, z)
  Understands : FunSymbol × Expr[] → bool
Understandable to the Base Domain
  Expression: 2·x + sel(H,o,f) ≤ |y − z|
  Understands : FunSymbol × Expr[] → bool, asked for each function symbol in the tree:
    the arithmetic symbols (≤, +, ·, −): Yes
    sel: No
Understandable to the Base Domain
  Expression with sel(H,o,f) replaced by a symbolic value: 2·x + ⟨symbolic value⟩ ≤ |y − z|
  Understands : FunSymbol × Expr[] → bool
    sel: No (replaced)
    |·|: No
Understandable to the Base Domain
  Expression with |y − z| also replaced by a symbolic value: 2·x + ⟨symbolic value⟩ ≤ ⟨symbolic value⟩
  Understands : FunSymbol × Expr[] → bool
    |·|: No (replaced)
    −: Yes, so the subexpression y − z inside the alien term gets its own symbolic value, and the equality ⟨symbolic value⟩ = y − z is passed to the base domain
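Added example, not code from the slides or from the authors' implementation, of the name-service rewriting just described: alien subterms are replaced by symbolic values before the base domain sees them, and the understandable argument of an alien term receives its own symbolic value plus an equality for the base domain. The tuple term encoding, the symbolic-value names alpha0, alpha1, … and the set ARITH of symbols the polyhedra domain understands are assumptions.

```python
# Added example (not the slides' own code): the congruence-closure domain as a
# "name service" in front of a base domain that understands linear arithmetic.
# Terms are tuples (function symbol, args...); variables are strings and ints
# are literals. The names alpha0, alpha1, ... and ARITH are assumptions.
from typing import Dict, List, Tuple, Union

Term = Union[str, int, tuple]
ARITH = {'+', '-', '*', '<=', '>=', '='}   # symbols the polyhedra domain knows

def understands(fun: str, args: Tuple[Term, ...]) -> bool:
    """Understands : FunSymbol x Expr[] -> bool for a linear-arithmetic domain;
    '*' only counts when one factor is a literal constant."""
    if fun not in ARITH:
        return False
    return fun != '*' or any(isinstance(a, int) for a in args)

class NameService:
    """Gives alien terms symbolic values, reusing the same name for syntactically
    equal terms, and records the equalities the base domain must be told."""
    def __init__(self) -> None:
        self.names: Dict[tuple, str] = {}
        self.equalities: List[Tuple[str, Term]] = []

    def name_for(self, term: tuple) -> str:
        if term not in self.names:
            self.names[term] = f"alpha{len(self.names)}"
        return self.names[term]

    def make_understandable(self, t: Term, under_alien: bool = False) -> Term:
        """Rewrite t so that every function symbol left in it is understood."""
        if not isinstance(t, tuple):
            return t                       # variables and literals pass through
        fun, args = t[0], t[1:]
        if understands(fun, args):
            new = (fun,) + tuple(self.make_understandable(a) for a in args)
            if not under_alien:
                return new
            # maximal understandable subterm under an alien symbol (y - z under
            # |.|): name it and hand the equality name = subterm to the base domain
            name = self.name_for(new)
            self.equalities.append((name, new))
            return name
        # alien symbol (sel, |.|): name its understandable children, then itself
        inner = (fun,) + tuple(self.make_understandable(a, True) for a in args)
        return self.name_for(inner)

# The slides' expression 2*x + sel(H,o,f) <= |y - z|, in the tuple encoding
SLIDE_EXPR = ('<=', ('+', ('*', 2, 'x'), ('sel', 'H', 'o', 'f')),
              ('abs', ('-', 'y', 'z')))
```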
Congruence-Closure Domain
• Could always choose new names, but …
  – should use the same name for syntactically equivalent expressions
  – even better: the same name for known equalities
• Tracks equalities of uninterpreted functions
  – an E-graph with abstract domain operations
  – symbolic values “name” equivalence classes of expressions
  – implements congruence closure
E-Graph
• w = f(x) ∧ g(x,y) = f(y) ∧ w = h(w)
• A set of mappings: each variable (w, x, y) and each function application over symbolic values (f(·), f(·), g(·,·), h(·)) maps to a symbolic value, giving a graph with nodes w, x, y, f, f, g, h
• Always congruence-closed
Join
• Join the e-graphs, then join the base domains
• Think of the lattice over conjunctions of equalities (including infinite ones)
• Let G = Join(G0, G1)
  – a variable x maps in G to the pair of the symbolic values it maps to in G0 and in G1
  – an application f over such pairs maps in G to the pair of the symbolic values that f applied to the corresponding components maps to in G0 and in G1
• Rename distinct pairs to fresh symbolic values
Join
• Complexity: O(n·m)
• Complete? As precise as possible?
  – No, e-graphs do not form a lattice!
    (x = y) ⊔ (g(x) = g(y) ∧ x = f(x) ∧ y = f(y)) = ∧_{i ≥ 0} g(f^i(x)) = g(f^i(y))
  – Only relatively complete [Gulwani et al.]
• Tell base domains about renaming: when a pair is renamed to a fresh symbolic value, Constrain on B0 is given its equality with the pair's first component and Constrain on B1 its equality with the second
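Added example, not the authors' code, of the congruence-closed e-graph from the E-Graph slide, run on its formula w = f(x) ∧ g(x,y) = f(y) ∧ w = h(w): symbolic values name equivalence classes, and congruence closure is re-established after every asserted equality (the join of the two Join slides is not implemented here). The tuple term encoding and the symbolic value names v1, v2, … are assumptions.

```python
# Added example (not the slides' own code): an e-graph in which symbolic values
# name equivalence classes of terms and congruence closure is re-established
# after every asserted equality. Terms are tuples (fun, args...), a bare string
# is a variable; the symbolic value names v1, v2, ... are constructed here.

class EGraph:
    def __init__(self) -> None:
        self.parent = {}   # union-find over symbolic values
        self.table = {}    # (fun, canonical argument values) -> symbolic value
        self.count = 0
    def fresh(self) -> str:
        self.count += 1
        self.parent[f"v{self.count}"] = f"v{self.count}"
        return f"v{self.count}"
    def find(self, v: str) -> str:
        while self.parent[v] != v:
            v = self.parent[v]
        return v
    def value(self, term) -> str:
        """Symbolic value naming term's class; the mapping is created if new."""
        key = (term,) if isinstance(term, str) else \
            (term[0],) + tuple(self.value(a) for a in term[1:])
        if key not in self.table:
            self.table[key] = self.fresh()
        return self.find(self.table[key])
    def merge(self, t1, t2) -> None:
        """Assert t1 = t2, then restore congruence closure."""
        a, b = self.value(t1), self.value(t2)
        if a != b:
            self.parent[a] = b
            self._close()
    def _close(self) -> None:
        # Re-canonicalise every mapping; two applications f(args) whose keys now
        # coincide denote the same term (congruence), so merge their classes too.
        changed = True
        while changed:
            changed, table = False, {}
            for (fun, *args), v in self.table.items():
                key = (fun,) + tuple(self.find(a) for a in args)
                if key in table and self.find(table[key]) != self.find(v):
                    self.parent[self.find(v)] = self.find(table[key])
                    changed = True
                table.setdefault(key, v)
            self.table = table
    def equal(self, t1, t2) -> bool:
        return self.value(t1) == self.value(t2)
```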
So Far We Have …
• Reasoning for uninterpreted functions
• Base domains that work with alien expressions transparently
• What we need for field reads
  – sel is alien to all base domains
Achieving the Goal
1. Handling Alien Expressions / Uninterpreted Functions
2. Handling Heap Updates
Heap Updates
  Java/C#:              if (p.g == 8) { o.f = x; }
  Abstract Interpreter: assume H[p,g] == 8; H := upd(H,o,f,x);
  sel(upd(H,o,f,e),o',f') = e             if o = o' and f = f'
  sel(upd(H,o,f,e),o',f') = sel(H,o',f')  if o ≠ o' or f ≠ f'
Heap Updates
  Java/C#:              if (p.g == 8) { o.f = x; }
  Abstract Interpreter: assume H[p,g] == 8; H := H' where H' ≡_{o,f} H and sel(H',o,f) = x
Heap Updates
  Abstract Interpreter: assume H[p,g] == 8; H := H' where H' ≡_{o,f} H and sel(H',o,f) = x
  Abstract Domain:      Constrain( sel(H,p,g) = 8 ); Constrain( H' ≡_{o,f} H ); Constrain( sel(H',o,f) = x ); Eliminate( H ); Rename( H', H ); ToPredicate()
  H' ≡_{o,f} H is tracked by a new base domain: Heap Succession
Heap Update Example
  Heap Succession domain: H' ≡_{o,f} H
  E-Graph: sel(H,p,g) and 8 share a class; sel(H',o,f) and x share a class; H, H', p, g, o, f each map to a symbolic value
  Constrain( sel(H,p,g) = 8 ); Constrain( H' ≡_{o,f} H ); Constrain( sel(H',o,f) = x ); Eliminate( H ); Rename( H', H ); ToPredicate()
  1. “Collect Garbage” (H)
     • EquivalentExpr : Queryable × Expr × Var → Expr
       Can you give me an equivalent expression without H?
Heap Update Example
  Heap Succession domain: H' ≡_{o,f} H
  E-Graph: sel(H',p,g) and 8 share a class; sel(H',o,f) and x share a class; H, H', p, g, o, f each map to a symbolic value
  Constrain( sel(H,p,g) = 8 ); Constrain( H' ≡_{o,f} H ); Constrain( sel(H',o,f) = x ); Eliminate( H ); Rename( H', H ); ToPredicate()
  1. “Collect Garbage” (H)
     • EquivalentExpr : Queryable × Expr × Var → Expr option
       Can you give me an equivalent expression without H? Yes, use H'
     • Eliminate(H) on Base
  2. ToPredicate() on Base and convert Expr for Client
  3. Add Equalities
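Added example, not the authors' code, covering the two sel/upd axioms from the Heap Updates slide and the EquivalentExpr query of the Heap Update Example (can sel(H,p,g) be expressed without H, given H' ≡_{o,f} H?). The tuple encoding, the name H2 standing in for H', and the rule that distinct field names are known unequal while two objects are only known apart if the client asserted it are assumptions.

```python
# Added example (not the slides' own code): the two sel/upd axioms as a
# rewriter, and the heap-succession query behind Eliminate(H): "give me an
# equivalent expression without H". Terms are tuples; heaps, objects and
# fields are strings. Field names f, g are distinct constants, so f != g is
# known; objects are only known apart if the client asserted it (assumption).
FIELDS = {'f', 'g'}

def distinct(a, b, diseq=frozenset()):
    """Known-unequal test used by both axioms and the succession query."""
    if a in FIELDS and b in FIELDS:
        return a != b
    return (a, b) in diseq or (b, a) in diseq

def simplify_sel(term, diseq=frozenset()):
    """sel(upd(H,o,f,e),o',f') = e             if o = o' and f = f'
       sel(upd(H,o,f,e),o',f') = sel(H,o',f')  if o != o' or f != f'
       Anything else (possible aliasing) is left alone."""
    if not (isinstance(term, tuple) and term[0] == 'sel'):
        return term
    heap, o2, f2 = term[1:]
    if isinstance(heap, tuple) and heap[0] == 'upd':
        h, o, f, e = heap[1:]
        if o == o2 and f == f2:
            return e
        if distinct(o, o2, diseq) or distinct(f, f2, diseq):
            return simplify_sel(('sel', h, o2, f2), diseq)
    return term

def equivalent_without(term, h, successions, diseq=frozenset()):
    """EquivalentExpr for the heap-succession domain. successions lists
    (h2, o, f) meaning h2 ≡_{o,f} h; every read sel(h, o', f') that cannot
    hit the updated location is rewritten to read h2. Returns None when some
    read of h cannot be rewritten (no 'garbage collection' possible)."""
    if not isinstance(term, tuple):
        return term
    if term[0] == 'sel' and term[1] == h:
        _, _, o2, f2 = term
        for h2, o, f in successions:
            if distinct(o, o2, diseq) or distinct(f, f2, diseq):
                return ('sel', h2, o2, f2)
        return None
    args = [equivalent_without(a, h, successions, diseq) for a in term[1:]]
    return None if any(a is None for a in args) else (term[0],) + tuple(args)
```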
Related Work
• Join for Uninterpreted Functions [Gulwani, Tiwari, Necula]
• Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …]
Conclusion
• Extended the power of abstract domains to work with alien expressions using the congruence-closure domain
• Added reasoning about heap updates with the heap succession domain
• Close to having “cooperating abstract interpreters”?
  – missing: propagating back equalities inferred by the base domains
Thank you!
Questions? Comments?