Quantified Data Automata on Skinny Trees:an Abstract Domain for Lists

Pranav Garg1, P. Madhusudan1 and Gennaro Parlato2

1University of Illinois at Urbana-Champaign2University of Southampton, UK

2

Automatic Shapes Static analysis of heap structures

- heaps with a single pointer field Properties: Universally Quantified properties over

heap + data Introduce Automatic Shapes

- abstract domain of automata

Automata are classical ways to capture infinite sets of objects using finite means.

Aim:- Represent properties of the data stored in the heap.- Build automata that can express universally quantified properties

3

Universally Quantified Properties on Lists

5 7 8 9

head

4 2 9 1

head

2 1less

4 9more

fold-split(key) splits input list into two lists.

List pointed to by head is sorted))()(.( 212

*1

*21 ydataydatayyheadyy nextnext

)))(())(.(( 11*

11*

1 keyydataymorekeyydataylessy nextnext

Abstract analysis of heap is hard- unbounded size of the heap- unbounded data stored in the heap

4

Heap Configurations and Skinny Trees

Restrict to heaps with a single pointer field (acyclic). Let P: the program’s pointer variables

- Heap configuration skinny trees labeled by P

k- skinny tree has at most k- branching points. Heap configurations are k- skinny trees (k = number

of pointer vars.)

1 975

head1

2

63 4head2

$nil

41head3 8

5

Quantified Data Automata Extends Quantified Data Automata over lists

[CAV’13] QDAs logically define universally quantified

properties of lists

Example:

)),(),(.(/\ ypDataypGuardy iii

))()(.( 212*

1*

21 ydataydatayyheadyy nextnext

6

Quantified Data AutomataFix P – program pointer variablesFix Y – set of quantified variablesFix F – data domain which forms a lattice

QDA over skinny trees:- reads a tree annotated with pointers P and Y- checks whether data stored at these positions satisfy a data property

QDA accepts a tree T with pointers P if it accepts all possible extensions of T with valuations for Y.

head y1 y2 data(y1) <= data(y2)

))()(.( 212*

1*

21 ydataydatayyheadyy nextnext

7

Valuation Trees Valuation tree = Skinny tree over P + valuation for Y

Skinny Tree

ValuationTrees

Universal Quantification QDA accepts a skinny tree iff it accepts ALL corresponding valuation trees.

1 975head1

2

63 4head2

$nil

1 975head1

2

63 4head2

$nil

y1

y2

1 975head1

2

63 4head2

$nily1

y2

8

Quantified Data Automata Bottom-up, deterministic, register automata over trees

- each state labeled with a data formula f For a valuation tree, QDA reads ptr. and univ. vars. and

stores the data values in the register reg.

At the final state, QDA checks if these data values satisfy the formula labeling the state.- reg satisfies f(q) Accepts the valuation tree- reg does not satisfy f(q) Rejects the valuation tree

1 975head1

2

63 4head2

$nil

y1

y2

1 975head1

2

63 4head2

$nil

y1

y2 head1 5head2 3y1 4y2 7nil $

reg:

f(q) = data(y1) < data(y2)

10

Formula Tree = (Valuation Tree \ data) paired with a data formula

- complete separation of the structure of the heap and its data

Define

Lf (A) = Language of formula trees accepted by A

Formula Tree

, data(y1) < data(y2)

head1

head2

nily1

y2

11

QDAs as a Partial Order Natural Partial Order -- set inclusion over the

language of QDAs- not closed under disjunctions

Alternate partial order: if such that and

- Least upper bound associates every tree to- Infinite sets of QDAs might not have a least upper bound. Hence do not form a complete lattice.

21 AA )(),( 11 ALdft f

)(.. yyy

21 dfdf )(),( 22 ALdft f 21 dfdf

t

12

Elastic QDAs Require a notion of widening for analysis of loops

- Ignore lengths of stretches of the heap not pointed by variables.

QDA:

head nily1

head nily1

211 ),( qbq 21 qq -Restriction: All transitions on blank symbols must be self-loops

head y1

head y1

Elastic QDA:

13

Theorems about EQDAs1. Number of states in a minimal EQDA is bounded

- Finite number of EQDAs modulo the data formulas- widening proc. for EQDAs given widening for data formulas.

2. For every QDA, there is a most-precise over-approximating EQDA (in terms of their accepting languages) elastification

EQDAs form a complete lattice abstract domain

3. EQDAs correspond to decidable STRAND logic [POPL’11] over lists. - Abstract interpretation using EQDAs can be used for checking STRAND assertions.

14

Abstract transformer over EQDAs Strongest post condition involves existential

quantification of the pre-state + constraining post-state acc. to the semantics of the stmt.

Example: strongest-post( ) =

These precise post-conditions are not

expressible by QDAs. Over-approximate the post-condition to:

- eliminate existential quantifier via quantifier elimination for the structure (Guard) using automata, and data-formulas (Data) separately.

/\ Guard => Datajiy ppAy :,.

jiiifi ppppAyp ]'/[.'.

**

jiiifi ppppApy ]'/['..

15

Abstract transformer over EQDAsPointer Assignment statement pi := pj

Similar abstract transformer for structure manipulating statements:Pointer Lookup pi := pj .nextPointer Mutate pi .next := pj

Allocate new pi

…

pi

pj

pi := pj

)()(]/)([.

ji

i

pdatapdatadpdatad

pi

pj

b, pi

Api := pj 'A

16

Abstract transformer over EQDAsData Assignment statement pi .data := data_exp

Slightly more involved: - Also account for all variables which point to the same node as pi

pi

pi .data := data_exp

pi

]/)([.( dpdatad i])/)(exp[_)( dpdatadatapdata ii

17

Abstract transformer over EQDAs

A’ might not be elastic.

Use the most-precise over-approximation result to get an EQDA.

- defines the actual abstract transformer over EQDAs

Fix-point computation of the abstract semantics terminates

- widening for the data domain

Astmt

'A ''Aelastification

EQDA EQDA QDA

18

Experiments Simple programming language consisting of heap

allocation, pointer assignment, pointer lookup, pointer mutate, …

Given a STRAND formula as pre-condition, construct the corresponding EQDA.

Compute the abstract semantics of the program over EQDAs using the abstract transformer.

Fix-point EQDAs are translated to decidable STRAND formulas over lists to verify program assertions, post-conditions.

- Instantiate data-formulas with the octagonal domain (using Apron).

- Prototype implementation available at http://web.engr.illinois.edu/~garg11/qsdas.html

19

ExperimentsPrograms #PV #Y #DV Property #Iter. Max. size of QSDA Time (s)

INIT 2 1 1 Init, List 4 19 0.0

MAX 2 1 1 Max, List 4 19 0.1

CLONE 4 1 1 Init, List 4 44 0.7

FOLD-CLONE 5 1 1 Init, List 5 57 3.2

COPY-GE5 4 1 0 Gek, List 9 53 2.6

FOLD-SPLIT 3 1 1 Gek, List 4 33 0.3

CONCAT 4 1 1 Init, List 5 44 0.7

SORTED-FIND 2 2 2 Sort, List 5 38 0.3

SORTED-INSERT 4 2 1 Sort, List 6 163 5.8

BUBBLE-SORT 4 2 1 Sort, List 5/18 191 42.8

SORTED-REVERSE 3 2 0 Sort, List 5 43 1.5

EXPRESSOS-LOOKUP-PREV 3 2 1 Sort, List 6 73 2.2

GSLIST-CUSTOM-FIND 3 1 1 Gek, List 4 29 0.1

GSLIST-REMOVE-ALL 5 1 1 Gek, List 5 51 0.6

GSLIST-INSERT-SORTED 5 2 1 Sort, List 6 279 27.4

20

Related Work (Shape Analysis) Merges nodes that satisfy the same predicates

- unary + instrumentation predicates Instrumentation predicates provided by the user

- often complex,- very particular to the program being verified

Example: sub-list before pointer i is sorted, that is

- instrumentation predicate required

Clearly,- s(x) too dependent on the property being verified- complex (writing binary property as a unary

predicate)

))()().((, ** ydataxdataiyyxyx nextnext

))()().(()( ** ydataxdataiyyxyxs nextnext

21

Conclusion Automatic Shapes – an abstract domain of automata

- can express universally quantified properties of lists- can prove these properties precisely and efficiently

Future Work Extensions to trees to capture universally quantified

properties like binary-search-tree, max-heap, … Extensions to general graphs using graph

automatons.Thank You !