Shape Analysis via 3-Valued Logic

Shape Analysisvia 3-Valued Logic

Mooly SagivThomas Reps

Reinhard Wilhelm

http://www.cs.tau.ac.il/~msagiv/toplas02.pshttp://www.cs.tau.ac.il/~rumster/TVLA

. . . and also

• Tel-Aviv University– N. Dor– T. Lev-Ami– R. Manevich– E. Yahav

• Universität des Saarlandes– Jörg Bauer– Ronald Biber

• University of Wisconsin– F. DiMaio– D. Gopan– A. Loginov– A. Mulhern

• IBM Research– G. Ramalingam– J. Field– D. Goyal

Example: In-Situ List Reversal

List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}

typedef struct list_cell { int val; struct list_cell *next;} *List;

1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




1 2 3 NULL

x

yt

NULL




x

yt




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL

Materialization




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt




x

yt

NULL




x

yt

NULL




x

yt

NULL




x

yt

NULL

Original Problem: Shape Analysis (Jones and Muchnick 1981)

• Characterize dynamically allocated data– x points to an acyclic list, cyclic list, tree, dag, etc.– show that data-structure invariants hold

• Identify may-alias relationships

• Establish “disjointedness” properties– x and y point to structures that do not share cells

Properties of reverse(x)• On entry, x points to an acyclic list

• On each iteration, x & y point to disjoint acyclic lists

• All the pointer dereferences are safe

• No memory leaks

• On exit, y points to an acyclic list

• On exit, x = = NULL• On exit, all cells reachable from y were reachable from x on entry, and vice versa• On exit, the order between neighbors in the y-list is opposite to the order they had in the x-list on entry

Why is Shape Analysis Difficult?

• Destructive updating through pointers–p next = q– Produces complicated aliasing relationships

• Dynamic storage allocation– No bound on the size of run-time data structures

Why is Shape Analysis Difficult?

• Destructive updating through pointers–p next = q– Produces complicated aliasing relationships

• Dynamic storage allocation– No bound on the size of run-time data structures

• Data-structure invariants typically only hold at the beginning and end of operations– Need to verify that data-structure invariants are

re-established

A ‘Yacc’ for Shape Analysis: TVLA

• Parametric framework– Some instantiations known analyses– Other instantiations new analyses

A ‘Yacc’ for Shape Analysis: TVLA

• Parametric framework– Some instantiations known analyses– Other instantiations new analyses

• Applications beyond shape analysis– Partial correctness of sorting algorithms– Safety of mobile code– Deadlock detection in multi-threaded programs– Partial correctness of mark-and-sweep gc alg.– Correct usage of Java iterators

x

yt

NULL

x

yt

NULL

x

yt

return y

t = y

ynext = t

y = x

x = xnext

x != NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

NULL

x

yt

x

yt

x

yt

Plan

• Operational semantics using first order logic

• Canonic Abstraction

• Abstract interpretation using canonic abstraction

• Discussion

Recorded Information (for reverse)

Predicate Intended Meaning

x(v) Does pointer variable x point to cell v?

y(v) Does pointer variable y point to cell v?

t(v) Does pointer variable t point to cell v?

n(v1,v2) Does the n field of v1 point to v2?

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

Recorded Information (for reverse)

u1 u2 u3 u4

xy

Formulas for Observing Properties

• Does x point to a non NULL elementv: x(v)

• Are x and y pointer aliases?v: x(v) y(v)

• Does x point to a cell with a self cycle?v : x(v) n(v,v)

xy u1 u2 u3 u4

Are x and y Pointer Aliases?

v: x(v) y(v)

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0

xy u1

Yes

Predicate-Update Formulas for ‘x = x n’

• x’(v) = v1: x(v1) n(v1,v)

• y’(v) = y(v)

• t’(v) = t(v)

• n’(v1, v2) = n(v1, v2)

x

u1 u2 u3 u4

Predicate-Update Formulas for ‘x = x n’

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u) t(u) u1 1 1 0 u2 0 0 0 u3 0 0 0 u4 0 0 0

y

x’(v) = v1: x(v1) n(v1,v)

x

• 1: True

• 0: False

• 1/2: Unknown

• A join semi-lattice: 0 1 = 1/2

Kleene Three-Valued Logic

1/2 Information

order

Boolean Connectives [Kleene]

0 1/2 1

0 0 0 01/2 0 1/2 1/21 0 1/2 1

0 1/2 1

0 0 1/2 11/2 1/2 1/2 11 1 1 1

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

Canonical Abstraction

u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

n u1 u234

u1 0

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0


u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

n u1 u234

u1 0

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0

= u1 u2 u3 u4 u1 1 0 0 0 u2 0 1 0 0 u3 0 0 1 0 u4 0 0 0 1


u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

= u1 u234 u1 1

u234 0 1/2

x(u) y(u)u1 1 0

u234 0 0


• Partition the individuals into equivalence classes based on the values of their unary predicates

• Collapse other predicates via – pS (u’1, ..., u’k) = {pB (u1, ..., uk) | f(u1)=u’1, ..., f(u’k)=u’k) }

• At most 2n abstract individuals

Safety Properties of Concurrent Java Programs

(Eran Yahav, POPL 01)

• Potentially unbounded heap

• Potentially unbounded number of threads

• Defects checked– RW interference– WW interference– Total deadlock– Nested monitors– Illegal thread interactions

l_0: while (true) {l_1: synchronized(sharedLock) {l_C: // critical actionsl_2: }l_3: }

Example - Mutual Exclusion

Concrete Configuration

is_threadat[l_C]

rval[this]

held_by

blocked

is_threadat[l_1]

rval[this]

is_threadat[l_0]

is_threadat[l_0]

is_threadat[l_1]

rval[this]

blocked

is_threadat[l_1]

Abstract Configuration

is_threadat[l_C]

rval[this]

held_byblocked

is_threadat[l_1] rval[this]

is_threadat[l_0]

Embedding

u1 u2 u3 u4

xu5 u6

u12 u34 u56

x

u123 u456

x

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

Canonical Abstraction:An Embedding Whose Result is of Bounded Size

u1 u2 u3 u4

xu1

xu234

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

n u1 u234

u1 0

u234 0 1/2

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

x(u) y(u)u1 1 0

u234 0 0

The Embedding Theorem

• If a structure B can be embedded in a structure S by an onto function f, such that basic predicates are preserved, i.e., pB(u1, .., uk) pS (f(u1), ..., f(uk))

• Then every formula is preserved:

– If = 1 in S, then = 1 in B

– If = 0 in S, then = 0 in B

– If = 1/2 in S, then could be 0 or 1 in B

The Embedding Theorem

y

x

u1 u34u2

y

x

u1 u234

y

x

u1 u3u2 u4

x

yu1234

v: x(v) y(v)

Maybe

No

No

No

Cyclic versus Acyclic Lists

x 31 71 91

u1 ux

u1 ux

The Instrumentation Principle• Increase precision by storing the truth-value of some chosen

formulas

• Nullary predicates

– Observations on all the concrete stores

• Unary Predicates

– Sets of individuals with designated properties

• Binary Predicates

– Relationships between individuals

Cyclicity Predicate

x 31 71 91

u1 ux

u1 ux

c[x]() = v1,v2: x(v1) n*(v1,v2) n+(v2, v2)

c[x]()=0

c[x]()=0

Cyclicity Predicate

x 31 71 91

u1 ux

u1 ux

c[x]() = v1,v2: x(v1) n*(v1,v2) n+(v2, v2)

c[x]()=1

c[x]()=1

is = 0 is = 0 is = 0 is = 0

Heap Sharing Predicate

x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

u1 ux

u1 ux

is = 0 is = 0

is = 0 is = 0 is = 0 is = 0

Heap Sharing Predicate

x 31 71 91

is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2

u1 ux

u1 ux

is = 0 is = 0

is = 1

is = 1

Sortedness PredicateinOrder(v) = v1: n(v,v1) dle(v, v1)

u1 ux

u1 ux

inOrder = 1 inOrder = 1

n n

inOrder = 1

x 51 71 91

inOrder = 1 inOrder = 1 inOrder = 1

n n n

inOrder = 1

Sortedness Predicate

x 51 45 91

inOrder(v) = v1: n(v,v1) dle(v, v1)

uxx

inOrder = 0 inOrder = 1 inOrder = 1


n n n

n n

inOrder = 0

n

Reachability Predicater(v1, v2) = n*(v1,v2)

u1 ux

u1 ux n n

xn n n

rr

r

r r r

r

r

• reachable-from-variable-x(v)

• acyclic-along-dimension-d(v)– à la ADDS

• cfb(v) = v1: f(v, v1) b(v1, v)

• tree(v)

• dag(v)

• AVL trees:– balanced(v), left-heavy(v), right-heavy(v)

– . . . but not via height arithmetic

Additional Instrumentation Predicates

NeedFO + TC

Shape Analysis viaAbstract Interpretation

• Start with a set of 3-valured structures at the program entry

• Iteratively compute a set of 3-valued structures for every program point

• Apply canonic abstraction after every statement

• Check safety properties against 3-valued structures

Best Transformer (x = x n)

xy

y

x

y

xblur

yx

yx

...Evaluateupdateformulas

y

x

y

x

...

inverse embedding

canonic abstraction

“Focus”-Based Transformer (x = x n)

xy

yx

yx

Focus(x n)

“Partial ”

y

x

y

x

EvaluateupdateFormulas (Kleene)

y

x

y

xblur

Example: InsertSort

Run Demo

List InsertSort(List x) { List r, pr, rn, l, pl; r = x; pr = NULL; while (r != NULL) { l = x; rn = r n; pl = NULL; while (l != r) { if (l data > r data) { pr n = rn; r n = l; if (pl = = NULL) x = r; else pl n = r; r = pr; break; } pl = l; l = l n; } pr = r; r = rn; } return x; }

typedef struct list_cell { int data; struct list_cell *n;} *List;

C:\Users\sagiv\Software\Demos\TVLA_DEMOS\verification\Sort\insertSort.bat

Ongoing Work • Deriving update-formulas (ESOP 03) • Automatic Refinement (A. Loginov)• Exploring encapsulation (J. Bauer & N . Rinezkey) • Integrating arithmetic (F. Dimaio, N. Dor, D. Gopan)• Improving scalability (R. Manevich)

– Using BDDs (SAS 02)

– Widening

• A generic Java front-end (R. Manevich)• Compile-time GC (R. Shaham)• Temporal properties (E. Yahav)• Assume-Guarantee Reasoning (G. Yorsh)• Providing concrete counter examples (G. Erez)

TVLA Experience

• Quite fast on small programs– But runs on medium programs too

• Not a panacea

• More instrumentation may lead to faster (and more precise) analysis

• Manually updating instrumentation predicates is difficult

Why is Shape Analysis Difficult?• Destructive updating through pointers

– pnext = q– Produces complicated aliasing relationships– Track aliasing on 3-valued structures

• Dynamic storage allocation– No bound on the size of run-time data structures– Canonical abstraction finite-sized 3-valued structures

• Data-structure invariants typically only hold at the beginning and end of operations– Need to verify that data-structure invariants are re-

established– Query the 3-valued structures that arise at the exit

• Abstraction via logic – model-based– Logical + numeric abstraction– Finite differencing of logical formulas

• Abstraction via logic – proof-based– Shape analysis using theorem provers

– Symbolic implementation of the best transformer Applications

– Verifying temporal properties of concurrent software

Projects in Progress

Logical + Numeric Abstractions

x u1 u2

x u u’ u’’ u’’’

(1,2,3,4)

u

u’

u’’

u’’’

Position in list

(1,2)

{1} x [2,4]u1

u2 (1,4)


y = x next

(1,2)

{1} x [2,4]

x u1 u2

u1

u2(1,4)

u1 u2.1u2.0x

y

(1,2,3)

{1} x {2} x [3,4]

u1

u2.1

u2.0

(1,2,4)

u1

u2.1

u2.0


u1 u2.1u2.0x

y

Example: SortednessinOrder(v) = v1: n(v, v1) (v v1)

x 51 71 91

inOrder = 1 inOrder = 1 inOrder = 1 inOrder = 1

xx


Yes

sorted = v: inOrder(v)

Example: Sortedness

x 51 45 91

inOrder(v) = v1: n(v, v1) (v v1)

inOrder = 1 inOrder = 0 inOrder = 1 inOrder = 1

sorted = v: inOrder(v)

No

inOrder = 0 inOrder = 1inOrder = 1

xx

Example: InsertSort

Run Demo

List InsertSort(List x) { List r, pr, rn, l, pl; r = x; pr = NULL; while (r != NULL) { l = x; rn = r n; pl = NULL; while (l != r) { if (l data > r data) { pr n = rn; r n = l; if (pl = = NULL) x = r; else pl n = r; r = pr; break; } pl = l; l = l n; } pr = r; r = rn; } return x; }

typedef struct list_cell { int data; struct list_cell *n;} *List;

D:\Software Demos\itvla demos\examples\Sort\analyze-InsertSort.bat

• Abstraction via logic – model-based– Logical + numeric abstraction

– Finite differencing of logical formulas [A. Loginov]

• Abstraction via logic – proof-based– Shape analysis using theorem provers [G. Yorsh]

– Symbolic implementation of the best transformer [T. Reps]

• Applications– Verifying temporal properties of concurrent software [E. Yahav]


Work in Progress: Automatic Generation of Update Formulas

for Instrumentation Predicates

Obligation: Must define predicate-update formulas to update the extra predicates

The Instrumentation Principle

• Increase precision by storing the truth-value of some chosen formulas

Work in Progress:Automatic Generation of Update Formulas

for Instrumentation Predicates

• Currently, user provides– Update formulas for core predicates: c,st(v)

– Definitions of instrumentation predicates: p(v)

– Update formulas for instrumentation predicates: p,st(v)

Consistently defined?

Goal: Create p,st from p and the c,st dd







Abstract

Abstract Interpretation

Concrete

Memoryconfigurations

Descriptors ofmemory configurations

T#

T

Abstract

Best Abstract Transformer

Concrete

T

Memoryconfigurations

Descriptors ofmemory configurations

Symbolic Operations: Three Value-Spaces

FormulasConcreteValues

AbstractValues

TT



AbstractValues

T

T#



AbstractValues

u1

xu

x

x ...







Java Threads Are Heap-Allocated Objects Thread Analysis Shape Analysis

A memory configuration:

thread3inCritical

lock1isAcquired

thread1atStart

thread2atStart

thread4atStart

csLock

csLock

csLock

csLock

heldBy

An abstract memory configuration:

threadinCritical

lock1isAcquired

thread’atStart

csLock

csLock

heldBy


Model checking means:

Explore the space of possible transitionsamong abstract memory configurations


Spatial and Temporal Properties

P Q

P Q

v. u. x(u) n+(u,v) (u. x(u) n+(u,v))

nx

n

yn

xn

y

Spatial and Temporal Properties

• Relate memory locations across program configurations• Specify properties relating to allocation and deallocation• Example: concurrent garbage collection

– Safety: “Only nodes reachable from the roots are collected”

– Liveness: “All garbage nodes are eventually collected”

• Propositional temporal logic is not enough• ETL: a more expressive specification language

Why is Shape Analysis Difficult?• Destructive updating through pointers

– pnext = q– Produces complicated aliasing relationships– Track aliasing on 3-valued structures

• Dynamic storage allocation– No bound on the size of run-time data structures– Canonical abstraction finite-sized 3-valued structures

• Data-structure invariants typically only hold at the beginning and end of operations– Need to verify that data-structure invariants are re-

established– Query the 3-valued structures that arise at the exit

A ‘Yacc’ for Static Analysis Based on Logic:

Who Cares?

Broad scope of potential applicability– Not just shape properties: predicates are not

restricted to be links!

– Discrete systems in which a relational (+ numeric) structure evolves

– Transition: evolution of relational + numeric state

Date post:	01-Jan-2016
Category:	Documents
Upload:	camille-vaughn
View:	34 times
Download:	0 times

Shape Analysis via 3-Valued Logic

Documents