Abstract Interpretation with Alien Expressions and Heap Structures (Bor-Yuh Evan Chang, K. Rustan M. Leino)
Abstract Interpretation with Alien Expressions and Heap Structures
Bor-Yuh Evan Chang (University of California, Berkeley)
K. Rustan M. Leino (Microsoft Research)
January 18, 2005
VMCAI 2005, Paris, France
1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures
Verifying Object-Oriented Programs
[Diagram: a Java/C# program goes into an OO Program Verifier; its Inference … component is Abstract Interpretation]
Problem and Motivation
• Standard abstract interpretation infers properties following a domain-specific schema of relations among (program) variables
– e.g., can infer this with Polyhedra [CH78]
    0 ≤ x ≤ y
    z := 2 · y – 2 · x;
    0 ≤ z
Problem and Motivation
• But …
    0 ≤ this.x ≤ y
    z := 2 · y – 2 · this.x;
    0 ≤ z ?

    0 ≤ length(x) ≤ y
    z := 2 · y – 2 · length(x);
    0 ≤ z ?

    0 ≤ this.x ≤ y ∧ o ≠ this
    o.x := 2 · y;  z := 2 · y – 2 · this.x;
    0 ≤ z ?

this.x and length(x) are alien expressions to Polyhedra
Goal
Given a base abstract domain that can represent certain kinds of constraints on variables, use it to represent constraints on arbitrary alien expressions (e.g., fields of objects)
Outline
• Overview
• Handling Alien Expressions
• Handling Heap Updates
• Concluding Remarks
Overview of Contributions
• To extend base domains to work with alien expressions
– use a general abstract domain, parameterized by base domains, that hides alien expressions as fresh variables (cf. Nelson-Oppen)
– congruence-closure abstract domain
• To deal with heap updates
– track successive heaps as a separate base domain
– heap succession abstract domain
Fooling the Base Domains
[Diagram]
  assume o.f ≥ 8
    → Congruence-Closure Abstract Domain:  Constrain( sel(H,o,f) ≥ 8 )
      sel(H,o,f) ↦ SymbolicValue
    → Base Domains (e.g., Polyhedra):  Constrain( [symbolic value for sel(H,o,f)] ≥ 8 )
Understandable to the Base Domain
Understands : FunSymbol × Expr[] → bool
[Diagram: expression tree of  2 · x + sel(H,o,f) ≤ Abs(y – z);  each function symbol is queried with Understands]
  ≤ : Yes    + : Yes    · : Yes    sel : No    – : Yes    Abs : No
  leaves: 2, x, y, z and H, o, f

Understandable to the Base Domain
Understands : FunSymbol × Expr[] → bool
[Diagram: the alien subexpression sel(H,o,f) is replaced by its symbolic value]
  2 · x + [symbolic value] ≤ Abs(y – z)
  Abs : No

Understandable to the Base Domain
Understands : FunSymbol × Expr[] → bool
[Diagram: the alien subexpression Abs(y – z) is replaced by its symbolic value as well]
  2 · x + [symbolic value] ≤ [symbolic value]
  – : Yes, so the argument y – z gets a symbolic value with [symbolic value] = y – z;  also add this constraint to Polyhedra
Congruence-Closure Domain
• Store mappings in an equivalence graph (e-graph)
– give the same symbolic value for equivalent expressions
• Tracks equalities of uninterpreted functions
– an e-graph with abstract domain operations
– symbolic values “name” equivalence classes of expressions
– implements congruence closure
E-Graph
• w = f(x) ∧ g(x,y) = f(y) ∧ w = h(w)
• A set of mappings from terms to symbolic values:
  w, x, f(·), y, g(·,·), f(·), h(·)  [the symbolic values, drawn as Greek letters on the slide, are not legible in the transcript]
• Always congruence-closed
[Figure: the e-graph with nodes w, x, y, g, h and two f nodes]
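The mechanism of the "Fooling the Base Domains", "Understandable to the Base Domain" and "E-Graph" slides (one symbolic value per expression, alien subterms handed to the base domain under that name, equalities kept congruence-closed), as an added Python example that is not code from the slides or from the authors' implementation. The EGraph, Intervals and CongruenceClosure classes and their method names are assumptions of this example, the base domain is a toy interval domain rather than Polyhedra, and the extra equality a base domain receives for an understood argument of an alien term (y – z under Abs) is not separately propagated here:

```python
"""Added example, not code from the slides or their authors: a small congruence-closure
domain that hides alien subterms from a toy interval base domain understanding only int
constants, '+' and '-'.  Expression syntax: variable = str, constant = int, application =
('f', arg, ...); the field read o.f in heap H is written ('sel', 'H', 'o', 'f').
Every class and function name here is this example's own, not the paper's API."""
import math

class EGraph:  # term -> symbolic value, kept congruence-closed by re-canonicalizing keys
    def __init__(self):
        self.parent, self.terms, self.renamings = [], {}, []

    def find(self, v):
        while self.parent[v] != v:
            v = self.parent[v]
        return v

    def canon(self, key):  # applications are keyed by the representatives of their arguments
        return (key[0],) + tuple(self.find(a) for a in key[1:]) if isinstance(key, tuple) else key

    def value_of(self, e):  # name e (interning its subterms); equal terms get the same value
        key = (e[0],) + tuple(self.value_of(a) for a in e[1:]) if isinstance(e, tuple) else e
        key = self.canon(key)
        if key not in self.terms:
            self.terms[key] = len(self.parent)
            self.parent.append(len(self.parent))
        return self.find(self.terms[key])

    def union(self, a, b):
        a, b = self.find(a), self.find(b)
        if a != b:
            self.parent[a] = b
            self.renamings.append((a, b))  # base domains must be told "a is now b"
        return a != b

    def merge(self, a, b):  # assert a = b, then rebuild until no congruence f(a) = f(b) is missed
        changed = self.union(a, b)
        while changed:
            changed, rebuilt = False, {}
            for key, v in self.terms.items():
                ck = self.canon(key)
                if ck in rebuilt:  # two terms collapsed onto one key: their values are equal
                    changed |= self.union(rebuilt[ck], v)
                rebuilt[ck] = self.find(v)
            self.terms = rebuilt

class Intervals:  # toy base domain: one interval per symbolic value (a str such as 'v3')
    understood = ('+', '-')

    def __init__(self):
        self.box = {}

    def eval(self, e):
        if isinstance(e, int):
            return (e, e)
        if isinstance(e, str):
            return self.box.get(e, (-math.inf, math.inf))
        (alo, ahi), (blo, bhi) = self.eval(e[1]), self.eval(e[2])
        return (alo + blo, ahi + bhi) if e[0] == '+' else (alo - bhi, ahi - blo)

    def constrain(self, rel, lhs, rhs):  # narrow a value on the left; anything else is ignored (sound)
        if isinstance(lhs, str):
            (lo, hi), (rlo, rhi) = self.eval(lhs), self.eval(rhs)
            self.box[lhs] = (lo if rel == '<=' else max(lo, rlo), hi if rel == '>=' else min(hi, rhi))

    def rename(self, old, new):  # old and new now name one class: intersect their intervals
        (olo, ohi), (nlo, nhi) = self.eval(old), self.eval(new)
        self.box.pop(old, None)
        self.box[new] = (max(olo, nlo), min(ohi, nhi))

class CongruenceClosure:  # the parameterized domain: rewrites client predicates for the base
    def __init__(self, base):
        self.g, self.base = EGraph(), base

    def to_base(self, e):  # keep understood operators; replace alien subterms by their value
        if isinstance(e, int):
            return e
        if isinstance(e, tuple) and e[0] in self.base.understood:
            return (e[0],) + tuple(self.to_base(a) for a in e[1:])
        return f'v{self.g.value_of(e)}'  # variable or alien application such as sel(H,o,f)

    def constrain(self, rel, lhs, rhs):
        if rel == '=':  # equalities also go into the e-graph
            self.g.merge(self.g.value_of(lhs), self.g.value_of(rhs))
            for old, new in self.g.renamings:  # tell the base domain about renamed values
                self.base.rename(f'v{old}', f'v{new}')
            self.g.renamings.clear()
        self.base.constrain(rel, self.to_base(lhs), self.to_base(rhs))

    def bounds(self, e):
        return self.base.eval(self.to_base(e))

def demo():
    """Constructed program: assume o.f >= 8; z := o.f + 1; assume o == p; w := p.f - 8."""
    d = CongruenceClosure(Intervals())
    d.constrain('>=', ('sel', 'H', 'o', 'f'), 8)             # base sees  v >= 8
    d.constrain('=', 'z', ('+', ('sel', 'H', 'o', 'f'), 1))  # base sees  z = v + 1
    d.constrain('=', 'o', 'p')                               # e-graph: sel(H,o,f) = sel(H,p,f)
    d.constrain('=', 'w', ('-', ('sel', 'H', 'p', 'f'), 8))  # base sees  w = v - 8
    return d.bounds('z'), d.bounds('w')                      # ((9, inf), (0, inf))
```

The interval domain never sees sel, o or p: it only learns v ≥ 8 and z = v + 1, and after o = p is merged the e-graph's congruence closure makes sel(H,p,f) resolve to the same v, so w = v – 8 ≥ 0 follows without the base domain knowing anything about heaps.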
Join
• Roughly, join the e-graphs, then join the base domains
[Diagram]  (G0 with base domains P0)  ⊔  (G1 with base domains P1)  =  (G0 ⊔ G1 with base domains P0 ⊔ P1)
Join of E-Graphs
• Think of the lattice over conjunctions of equalities (including infinite ones)
• Let G = Join(G0, G1)  (writing v, w for symbolic values)
    x ↦ ⟨v0, v1⟩ in G   if x ↦ v0 in G0 and x ↦ v1 in G1
    f(⟨v0, v1⟩) ↦ ⟨w0, w1⟩ in G   if f(v0) ↦ w0 in G0 and f(v1) ↦ w1 in G1
• Rename distinct pairs to fresh symbolic values
[Figure: the x and f mappings of G0 and G1 side by side, with each pair ⟨·,·⟩ renamed (←) to a fresh value]
• Tell base domains about renaming
Join of E-Graphs
• Complexity: O(n · m)
• Complete? As precise as possible?
– No, e-graphs do not form a lattice!
    x = y  ⊔  g(x) = g(y) ∧ x = f(x) ∧ y = f(y)   =   ∧ i : i ≥ 0 : g(f^i(x)) = g(f^i(y))
– Only relatively complete [Gulwani et al. 2004]
Widen
• Widen the e-graphs, then widen the base domains
• Widen of e-graphs is a join of e-graphs that limits the number of new names introduced (see paper)
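The join of e-graphs defined above, and the widen that limits the number of new names, as an added Python example that is not code from the slides or from the authors' implementation. The dict representation of an e-graph (variables and applications over the graph's own symbolic values, already congruence-closed) and the function names are assumptions of this example. On the non-lattice example above it also shows why only equalities between terms that both graphs already contain survive the join:

```python
"""Added example, not code from the slides or their authors: Join(G0, G1) on e-graphs with
pairs of symbolic values renamed to fresh ones, plus the widening variant that caps the
number of fresh values.  An e-graph is given directly as a congruence-closed dict
{term: value} where a term is a variable name (str) or a tuple ('f', value, ...) over that
graph's own values.  All names are this example's own."""

def join(g0, g1, limit=None):
    """x -> <v0, v1> if x -> v0 in G0 and x -> v1 in G1;
    f(<v0, v1>) -> <w0, w1> if f(v0) -> w0 in G0 and f(v1) -> w1 in G1.
    With `limit`, at most that many fresh values are created (the widen of e-graphs)."""
    names, result = {}, {}              # pair <v0, v1> -> fresh value of the join

    def name(pair):
        if pair not in names:
            if limit is not None and len(names) >= limit:
                return None             # widening: refuse yet another fresh name
            names[pair] = len(names)
        return names[pair]

    for x in g0:                        # variables known to both graphs
        if isinstance(x, str) and x in g1:
            v = name((g0[x], g1[x]))
            if v is not None:
                result[x] = v
    apps0 = [k for k in g0 if isinstance(k, tuple)]
    apps1 = [k for k in g1 if isinstance(k, tuple)]
    changed = True                      # O(n * m) application pairs per round
    while changed:
        changed = False
        for k0 in apps0:
            for k1 in apps1:
                if k0[0] != k1[0] or len(k0) != len(k1):
                    continue
                args = tuple(names.get(p) for p in zip(k0[1:], k1[1:]))
                if None in args:        # some argument pair is not a value of the join
                    continue
                key = (k0[0],) + args
                if key not in result:
                    v = name((g0[k0], g1[k1]))
                    if v is not None:
                        result[key], changed = v, True
    return result

def value(g, e):
    """Symbolic value of expression e in g, or None if g has no such term."""
    if isinstance(e, str):
        return g.get(e)
    args = tuple(value(g, a) for a in e[1:])
    return None if None in args else g.get((e[0],) + args)

def entails_equal(g, e1, e2):
    v1, v2 = value(g, e1), value(g, e2)
    return v1 is not None and v1 == v2

# Constructed inputs: G0 says x = y (and holds the terms g(x) and f(x)); G1 says
# g(x) = g(y), x = f(x), y = f(y).  The exact least upper bound in the lattice of
# equalities would be the infinite conjunction of g(f^i(x)) = g(f^i(y)); the e-graph
# join keeps only what both graphs represent with their existing terms.
G0 = {'x': 0, 'y': 0, ('g', 0): 1, ('f', 0): 2}
G1 = {'x': 0, 'y': 1, ('f', 0): 0, ('f', 1): 1, ('g', 0): 2, ('g', 1): 2}

def demo():
    g = join(G0, G1)
    return (entails_equal(g, ('g', 'x'), ('g', 'y')),                 # True: g(x) = g(y) survives
            entails_equal(g, 'x', 'y'),                               # False: x = y is lost
            entails_equal(g, ('g', ('f', 'x')), ('g', ('f', 'y'))),   # False: no such terms
            len(join(G0, G1, limit=3)))                               # widened: 4 mappings kept
```

With limit=3 only the pairs for x, y and the shared g-values get names, so the f mappings are dropped: that is the widen's trade of precision for a bounded number of fresh symbolic values.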
So Far We Have …
• Reasoning for uninterpreted functions
• Base domains that work with alien expressions transparently
• What we need for field reads
– sel is alien to all base domains
Outline
• Overview
• Handling Alien Expressions
• Handling Heap Updates
• Concluding Remarks
Heap Updates
Java/C#:              if (p.g == 8) { o.f = x; }
Guarded Commands:     assume H[p,g] == 8;
                      H := H0 where sel(H0,o,f) = x and H0 ≡_{o,f} H
Abstract Interpreter: Constrain( sel(H,p,g) = 8 )
                      Constrain( sel(H0,o,f) = x )
                      Constrain( H0 ≡_{o,f} H )
                      Eliminate( H )
                      Rename( H0, H )
Tracked by a new base domain: Heap Succession
Heap Update Example
Constrain( sel(H,p,g) = 8 )  Constrain( sel(H0,o,f) = x )  Constrain( H0 ≡_{o,f} H )  Eliminate( H )  Rename( H0, H )  ToPredicate()
Heap Succession:  H0 ≡_{o,f} H
E-Graph:  sel(H,p,g) ↦ value of 8,  sel(H0,o,f) ↦ value of x;  nodes H, H0, p, g, o, f

Eliminate( H ) in the e-graph:
• Only removes mappings that mention H
• “Lazy quantifier elimination”: “garbage values” remain

1. Do Eliminate( H )
• EquivalentExpr : Queryable × Expr × Var → Expr option
  The e-graph asks the other domains: can you give me an equivalent expression without H?
  Heap Succession answers: yes, use H0  (sel(H,p,g) becomes sel(H0,p,g))
  To answer, it may query other abstract domains (e.g., o ≠ p?)
• Eliminate( H ) on base domains
2. ToPredicate() on base domains and convert Expr for client
3. Conjoin equalities
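The Constrain / Eliminate / Rename / ToPredicate sequence of the heap update example, as an added Python example that is not code from the slides or from the authors' implementation. The HeapState class, its method names and the disequality oracle standing in for the other abstract domains are assumptions of this example; the term map is a plain dict because no congruence has to be propagated in this run. It also covers the case the query o ≠ p is for: a read of the same field f, which can only be moved to H0 when some domain knows o ≠ p and is otherwise dropped:

```python
"""Added example, not code from the slides or their authors: Constrain / Eliminate / Rename /
ToPredicate for the field update o.f := x, with a heap-succession fact H0 ≡_{o,f} H answering
the e-graph's EquivalentExpr query.  Heap reads are ('sel', heap, obj, field); the disequality
set stands in for the other abstract domains.  All names are this example's own."""
from itertools import count

def show(term):
    return f"{term[0]}({','.join(map(show, term[1:]))})" if isinstance(term, tuple) else str(term)

class HeapState:
    def __init__(self, disequal=()):
        self.fresh = count()
        self.terms = {}                       # e-graph part: term -> symbolic value
        self.succession = []                  # (new, old, (obj, field)): new ≡_{obj,field} old
        self.disequal = {frozenset(p) for p in disequal}   # e.g. o != p, known to another domain

    def value_of(self, term):
        if term not in self.terms:
            self.terms[term] = next(self.fresh)
        return self.terms[term]

    def unify(self, keep, drop):              # every term named `drop` is now named `keep`
        self.terms = {t: (keep if v == drop else v) for t, v in self.terms.items()}

    def constrain_equal(self, t1, t2):        # Constrain( t1 = t2 )
        self.unify(self.value_of(t1), self.value_of(t2))

    def constrain_succession(self, new, old, obj, field):   # Constrain( new ≡_{obj,field} old )
        self.succession.append((new, old, (obj, field)))

    def equivalent_expr(self, term, var):
        """EquivalentExpr: a term equal to `term` that does not mention `var`, if one is known."""
        if not (isinstance(term, tuple) and term[0] == 'sel' and term[1] == var):
            return None
        _, heap, obj, field = term
        for new, old, (uo, uf) in self.succession:
            # reading obj.field from `old` equals reading it from `new` unless it is the
            # updated location: the fields differ, or another domain knows obj != uo
            if old == heap and (field != uf or frozenset((obj, uo)) in self.disequal):
                return ('sel', new, obj, field)
        return None

    @staticmethod
    def mentions(term, var):
        return term == var or (isinstance(term, tuple) and var in term[1:])

    def eliminate(self, var):
        """Lazy quantifier elimination: a mapping that mentions var is re-expressed if the other
        domains can do so, otherwise just dropped; its symbolic value may linger as garbage."""
        for term in [t for t in self.terms if self.mentions(t, var)]:
            v = self.terms.pop(term)
            alt = self.equivalent_expr(term, var)
            if alt is not None:
                self.unify(v, self.value_of(alt))
        self.succession = [s for s in self.succession if var not in s[:2]]

    def rename(self, old, new):               # Rename( old, new ): substitute in every term
        def sub(t):
            if isinstance(t, tuple):
                return tuple(new if a == old else a for a in t)
            return new if t == old else t
        self.terms = {sub(t): v for t, v in self.terms.items()}
        self.succession = [(sub(n), sub(o), loc) for n, o, loc in self.succession]

    def to_predicate(self):
        """ToPredicate: conjoin the equalities, one per extra term in each equivalence class."""
        classes = {}
        for t, v in self.terms.items():
            classes.setdefault(v, []).append(t)
        eqs = []
        for ts in classes.values():
            anchor = min(ts, key=lambda t: (isinstance(t, tuple), show(t)))  # prefer vars/consts
            eqs += [f"{show(t)} = {show(anchor)}" for t in ts if t != anchor]
        return sorted(eqs)

def update_example(read_field='g', disequal=()):
    """The slides' sequence for  if (p.<read_field> == 8) { o.f = x; }  (constructed input)."""
    s = HeapState(disequal)
    s.constrain_equal(('sel', 'H', 'p', read_field), 8)      # Constrain( sel(H,p,g) = 8 )
    s.constrain_equal(('sel', 'H0', 'o', 'f'), 'x')          # Constrain( sel(H0,o,f) = x )
    s.constrain_succession('H0', 'H', 'o', 'f')              # Constrain( H0 ≡_{o,f} H )
    s.eliminate('H')                                          # Eliminate( H )
    s.rename('H0', 'H')                                       # Rename( H0, H )
    return s.to_predicate()                                   # ToPredicate()
```

update_example() returns both sel(H,o,f) = x and sel(H,p,g) = 8, the slides' result. update_example('f') returns only sel(H,o,f) = x: with no domain able to separate o from p, the fact about p.f is dropped rather than wrongly carried over the update. update_example('f', [('o', 'p')]) keeps it.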
Related Work
• Join for Uninterpreted Functions [Gulwani, Tiwari, Necula 2004]
– same as our join for e-graphs
• Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …]
– they abstract heap nodes into summary nodes
– they use special “instrumentation predicates” whereas we use “off-the-shelf” abstract domains
– could use shape analysis as base domain?
Conclusion and Future Work
• Extended the power of abstract domains to work with alien expressions using the congruence-closure domain
• Added reasoning about heap updates with the heap succession domain
• Close to having “cooperating abstract interpreters”?
– missing: propagating back equalities inferred by base domains
• Implementation and experiments in progress
Thank you!
Questions? Comments?