Abstract Interpretation with Alien Expressions and Heap Structures

Abstract Interpretation with Alien Abstract Interpretation with Alien Expressions and Heap StructuresExpressions and Heap Structures

Bor-Yuh Evan Chang K. Rustan M. LeinoUC Berkeley Microsoft Research

November 11, 2004OSQ Meeting

11/12/2004 2

Standard Abstract InterpretationStandard Abstract Interpretation

y := 8; x := 0; while (*) {

y := y + x;x++;

}y y ¸̧ 8 8

• Can do this inference with the polyhedra abstract domain [CH79]

11/12/2004 3

Standard Abstract InterpretationStandard Abstract Interpretation

this.y := 8; this.x := 0;while (*) {

this.y := this.y + this.x;this.x++;

}this.y this.y ¸̧ 8? 8?

Goal: Given a Goal: Given a base domainbase domain that can that can infer certain kind of predicates on infer certain kind of predicates on variables, use it to infer predicates variables, use it to infer predicates

on fieldson fields

11/12/2004 4

Achieving the GoalAchieving the Goal

1. Handling Alien Expressions/ Uninterpreted Functions

2. Handling Heap Updates

11/12/2004 5

Abstract DomainsAbstract Domains

interface AbstractDomain {type Elt

Constrain : Elt £ Expr ! EltEliminate : Elt £ Var ! EltRename : Elt £ Var £ Var ! EltToPredicate : Elt ! Expr

Join : Elt £ Elt ! EltAtMost : Elt £ Elt ! bool

}

11/12/2004 6

Fooling the Base DomainsFooling the Base Domains

Congruence-Closure Domain / “Name Service”

Polyhedra

Constrain( sel(H,o,f) ¸ 8 )

assume o.f ¸ 8

Constrain( ¸ 8 )

sel(H,o,f)

Base Domains

SymbolicValue

11/12/2004 7

Understandable to the Base Understandable to the Base DomainDomain

¸

+

sel

H o f

²

| |

2 ¢ x + sel(H,o,f) · |y - z|

2 x y z

Understands : FunSymbol £ Expr[] ! bool

11/12/2004 8


¸

+

sel

H o f

²

| |

2 ¢ x + sel(H,o,f) · |y - z|

2 x y z


Yes

Yes

Yes

Yes

NoNo

11/12/2004 9


¸

+

²

| |

2 ¢ x + · |y - z|

2 x y z


NoNo

NoNo

11/12/2004 10


¸

+

²

2 ¢ x + ·

2 x y z


NoNo

Yes= y - z

11/12/2004 11

Congruence-Closure DomainCongruence-Closure Domain

• Could always choose new names, but …– Should use the same name for syntactically

equivalent expressions– Even Better: same name for known equalities

• Tracks equalities of uninterpreted functions– an E-Graph with abstract domain operations– symbolic values “name” equivalence classes

of expressions– implements congruence closure

11/12/2004 12

E-GraphE-Graph

• w = f(x) Æ g(x,y) = f(y) Æ w = h(w)• A set of mappings:

w x

f() y g(,) f()

h()

• Always congruence-closed

w

x y

g

h

f f

11/12/2004 13

JoinJoin

• Join the e-graphs, then join the base domains

• Think of the lattice over conjunctions of equalities (including infinite ones)

• Let G = Join(G0,G1)

x G h’,’i if x G0 ’ and x G1

’

f(h,i) G h’,’i if f() G0 ’ and f() G1

’

• Rename distinct pairs to fresh symbolic values

11/12/2004 14

JoinJoin

• Complexity: O(n¢m)• Complete? As precise as possible?

– No, e-graphs do not form a lattice!x = y t g(x) = g(y) Æ x = f(x) Æ y = f(y)

= Æi : i ¸ 0 g(fi(x)) = g(fi(y))

– Only relatively complete[Gulwani et al.]

• Tell base domains about renaming

h,i Ã ConstrainB0( = ), ConstrainB1

( =

)

11/12/2004 15

So Far We Have …So Far We Have …

• Reasoning for uninterpreted functions

• Base domains that work with alien expressions transparently

• What we need for field reads– sel is alien to all base domains

11/12/2004 16

Achieving the GoalAchieving the Goal

1. Handling Alien Expressions/ Uninterpreted Functions

2. Handling Heap Updates

11/12/2004 17

Heap UpdatesHeap Updates

Java/C# if (p.g == 8) { o.f = x; }

Abstract assume H[p,g] == 8;Interpreter H := upd(H,o,f,x);

sel(upd(H,o,f,e),o’,f’) = eif o = o’ and f = f’

sel(upd(H,o,f,e),o’,f’) = sel(H,o’,f’) if o o’ or f f’

11/12/2004 18


Java/C# if (p.g == 8) { o.f = x; }

Abstract assume H[p,g] == 8;Interpreter H := H’ where

H’ ´o,f H and

sel(H’,o,f) = x

11/12/2004 19


Abstract assume H[p,g] == 8;Interpreter H := H’ where

H’ ´o,f H and sel(H’,o,f) = x

Abstract Constrain( sel(H,p,g) = 8 )Domain Constrain( H’ ´o,f H )

Constrain( sel(H’,o,f) = x )Eliminate( H )Rename( H’, H )ToPredicate()

Tracked by a new base domain:

Heap Succession

11/12/2004 20

Heap Update ExampleHeap Update Example

Heap SuccessionH’ ´o,f H

E-Graphsel(H,p,g) 8 sel(H’,o,f) x H H p pH’ H’ g go o f f

Constrain( sel(H,p,g) = 8 )Constrain( H’ ´o,f H )Constrain( sel(H’,o,f) = x )Eliminate( H )Rename( H’, H )ToPredicate()

11/12/2004 21



E-Graphsel(H,p,g) 8 sel(H’,o,f) x H H p pH’ H’ g go o f f


11/12/2004 22



E-Graphsel(H,p,g) 8 sel(H’,o,f) x H H p pH H’ g go o f f


11/12/2004 23



E-Graphsel(H,p,g) 8 sel(H’,o,f) x H H p pH H’ g go o f f


1. “Collect Garbage” (H)• EquivalentExpr

: Queryable £ Expr £ Var ! Expr

Can you give me anequivalent expressionwithout H?

11/12/2004 24



E-Graphsel(H’,p,g) 8 sel(H’,o,f) x H H p pH H’ g go o f f


1. “Collect Garbage” (H)• EquivalentExpr

: Queryable £ Expr £ Var ! Expr option

• Eliminate(H) on Base

2. ToPredicate() on Base and Convert Expr for Client

3. Add Equalities

Yes, use H’

11/12/2004 25

Related WorkRelated Work

• Join for Uninterpreted Functions [Gulwani, Tiwari, Necula]

• Shape Analysis [many] andTVLA [Sagiv, Reps, Wilhelm, …]

11/12/2004 26

ConclusionConclusion

• Extended the power of abstract domains to work with alien expressions using the congruence-closure domain

• Added reasoning about heap updates with the heap succession domain

• Close to having “cooperating abstract interpreters”?– missing propagating back equalities

inferred by base domains

Thank you!Thank you!

Questions? Comments?

Abstract Interpretation with Alien Expressions and Heap Structures

Documents

Transcript of Abstract Interpretation with Alien Expressions and Heap Structures