Parametric Shape Analysis via 3-Valued Logic - PowerPoint PPT Presentation



SLIDE 1

Parametric Shape Analysis via 3-Valued Logic

Mooly Sagiv, Thomas Reps, Reinhard Wilhelm

SLIDE 2

Motivation

  • Many shape analysis algorithms have been developed
  • Different abstractions
  • Hard to compare
  • Parametric framework
  • A yacc for shape analysis?

SLIDE 3

Overview

  • Use logical structures to represent stores
  • By choosing different predicates, the framework is instantiated into different shape analysis algorithms
  • Previous approach:
    • Define an abstraction, give the transfer functions, prove them correct, implement
  • With the framework:
    • Choose predicates, define update formulae for the instrumentation predicates, prove the correctness of those formulae
    • The rest is done automatically by the system

SLIDE 4

Representation

  • Logical structures: S = <U, ι>
    • U: individuals
    • ι: maps p(u1, …, uk) to 0, 1 or 1/2
  • Predicates: constituents of shape invariants that can be used to characterize a data structure
  • Core predicates:
    • Track pointer variables and pointer-valued fields
    • Common to all the shape analyses
    • E.g. x(v) (variable x points to v), n(v1, v2) (the n field of v1 points to v2), sm(v) (v is a summary node)

SLIDE 5

Representation

  • Predicates
    • Instrumentation predicates: properties derived from the core semantics, not explicitly part of the semantics of pointers in a language
    • Different algorithms use different sets of instrumentation predicates
    • E.g. is(v) (sharing), r_x(v) (reachability from x)
  • Defining formulae:

SLIDE 6

Representation

  • Property-Extraction Principle
  • Concrete store: 2-valued logic
    • Questions about properties of stores can be answered by evaluating formulae: 1 => holds, 0 => doesn't hold
  • Abstract store: 3-valued logic
    • A formula can evaluate to 1, 0 or ½
    • 1 => holds
    • 0 => doesn't hold
    • ½ => don't know

SLIDE 7

Representation

  • Examples

SLIDE 8

Bounded Structures

  • Bounded structure: a logical structure in which no two distinct individuals have the same definite values on all unary (abstraction) predicates
  • Upper bound on the size of bounded structures:
  • Canonical abstraction:

SLIDE 9

Embedding Theorem

  • Embedding: a way to relate 2-valued and 3-valued structures
  • S can be embedded in S':
    • Surjective function f: U^S → U^S' such that, for every predicate p, the value of p on f(u1), …, f(uk) in S' is either the value of p on u1, …, uk in S or 1/2
  • Embedding Theorem:
    • If S can be embedded in S', every piece of information extracted from S' via a formula is a conservative approximation of the information extracted from S

SLIDE 10

Predicate-update formulae

  • Expressing semantics using logic
  • Predicate-update formulae ϕ_p^st: define the new value of p for every statement st
  • Transfer function:

SLIDE 11

Predicate-update formulae

  • Core predicates: the predicate-update formulae are exactly the same for 3-valued logic and 2-valued logic
  • Instrumentation predicates:
    • Trivial update formula (re-evaluate the defining formula on the abstract structure): usually unsatisfactory
    • User-supplied formula: need to prove that it maintains correct instrumentation

SLIDE 12

Predicate-update formulae

  • Core predicates:

SLIDE 13

Predicate-update formulae

  • Instrumentation predicates:
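The machinery of slides 4 to 11 in working code, as an added illustration: it is not code from the paper or from the TVLA tool, and the three-cell list x -> u1 -> u2 -> u3, the predicate names x, n, sm, is, rx and the statement x = x->n are chosen here for the example. The block builds a 2-valued concrete store, evaluates the defining formulae of is(v) and r_x(v) under Kleene semantics, canonically abstracts the store with {x, r_x} as abstraction predicates, checks the information order that the Embedding Theorem relies on, and applies the predicate-update formula for x = x->n to the abstract store.

```python
"""Toy model of slides 4-11: 3-valued logical structures, Kleene evaluation,
instrumentation predicates, canonical abstraction, an embedding check and one
predicate-update formula. Added illustration, not code from the paper or from
TVLA; the store x -> u1 -> u2 -> u3 built in demo() is a constructed sample."""
from itertools import product

HALF = 0.5  # the "don't know" value of 3-valued (Kleene) logic

# Kleene connectives: 0 < 1/2 < 1 under min (and), max (or) and 1-v (not).
def k_and(*vs): return min(vs) if vs else 1
def k_or(*vs): return max(vs) if vs else 0
def k_not(v): return 1 - v

class Structure:
    """S = <U, iota>: iota maps p(u1..uk) to 0, 1 or 1/2 (absent tuples are 0)."""
    def __init__(self, universe, unary, binary):
        self.U = list(universe)
        self.unary = {p: dict(m) for p, m in unary.items()}    # p -> {u: value}
        self.binary = {p: dict(m) for p, m in binary.items()}  # p -> {(u,w): value}
    def u(self, p, x): return self.unary[p].get(x, 0)
    def b(self, p, x, y): return self.binary[p].get((x, y), 0)
    def eq(self, x, y):
        # A summary node (sm = 1/2) may stand for several cells, so eq(u,u) is 1/2 there.
        return k_not(self.u("sm", x)) if x == y else 0

def transitive_closure(S, p):
    """n+(u,w) under Kleene semantics, iterated to a fixpoint."""
    tc = dict(S.binary[p])
    changed = True
    while changed:
        changed = False
        for x, y in product(S.U, S.U):
            best = max([tc.get((x, y), 0)] +
                       [k_and(tc.get((x, z), 0), S.b(p, z, y)) for z in S.U])
            if best != tc.get((x, y), 0):
                tc[(x, y)], changed = best, True
    return tc

# Defining formulae of the two instrumentation predicates named on slide 5.
def is_shared(S, v):
    """is(v) = exists v1, v2. v1 != v2 and n(v1, v) and n(v2, v)"""
    return k_or(*[k_and(k_not(S.eq(a, b)), S.b("n", a, v), S.b("n", b, v))
                  for a, b in product(S.U, S.U)])

def reach_from(S, x, v, tc=None):
    """r_x(v) = x(v) or exists v1. x(v1) and n+(v1, v)"""
    tc = transitive_closure(S, "n") if tc is None else tc
    return k_or(S.u(x, v), *[k_and(S.u(x, a), tc.get((a, v), 0)) for a in S.U])

def update_x_assign_x_n(S):
    """Predicate-update formula for `x = x->n`: x'(v) = exists v1. x(v1) and n(v1, v).
    The same formula serves 2-valued (concrete) and 3-valued (abstract) structures."""
    return {v: k_or(*[k_and(S.u("x", a), S.b("n", a, v)) for a in S.U]) for v in S.U}

def join(vals):
    """Value of a predicate on a merged node: definite only if all merged values agree."""
    vals = set(vals)
    return vals.pop() if len(vals) == 1 else HALF

def canonical_abstraction(S, abstraction_preds):
    """Name each individual by its values on the abstraction predicates; individuals
    with the same name collapse into one node, which becomes a summary node."""
    f = {x: tuple(S.u(p, x) for p in abstraction_preds) for x in S.U}
    nodes = sorted(set(f.values()))
    unary = {p: {c: join(S.u(p, x) for x in S.U if f[x] == c) for c in nodes}
             for p in S.unary}
    unary["sm"] = {c: HALF if sum(f[x] == c for x in S.U) > 1 else 0 for c in nodes}
    binary = {p: {(c, d): join(S.b(p, x, y) for x in S.U for y in S.U
                               if f[x] == c and f[y] == d)
                  for c, d in product(nodes, nodes)} for p in S.binary}
    return Structure(nodes, unary, binary), f

def embeds(S, A, f):
    """Embedding check: each abstract value equals the concrete one or is 1/2."""
    ok_u = all(A.u(p, f[x]) in (S.u(p, x), HALF) for p in S.unary for x in S.U)
    ok_b = all(A.b(p, f[x], f[y]) in (S.b(p, x, y), HALF)
               for p in S.binary for x, y in product(S.U, S.U))
    return ok_u and ok_b

def demo():
    U = ["u1", "u2", "u3"]  # constructed concrete store: x -> u1 -> u2 -> u3
    conc = Structure(U, {"x": {"u1": 1}, "sm": {}},
                     {"n": {("u1", "u2"): 1, ("u2", "u3"): 1}})
    conc.unary["is"] = {v: is_shared(conc, v) for v in U}       # store instrumentation
    conc.unary["rx"] = {v: reach_from(conc, "x", v) for v in U}  # predicates explicitly
    abst, f = canonical_abstraction(conc, ["x", "rx"])
    s = f["u2"]  # the summary node standing for u2 and u3
    return {
        "embeds": embeds(conc, abst, f),
        "summary_node": s,
        "sm": abst.u("sm", s),
        "n_u1_s": abst.b("n", f["u1"], s),
        "is_stored": abst.u("is", s),         # abstracted from the concrete store: 0
        "is_recomputed": is_shared(abst, s),  # re-evaluated on the abstract store: 1/2
        "x_after_x_eq_x_n": update_x_assign_x_n(abst),
    }
```

Two results of demo() carry the point of the slides. The stored instrumentation predicate is keeps the definite value 0 on the summary node, whereas re-evaluating its defining formula on the abstract store (the trivial update) only yields 1/2, which is why user-supplied update formulae are worth their proof obligation. And x = x->n leaves x on the summary node with value 1/2: the same formula is exact on the concrete store, and the loss on the abstract store is the imprecision that Focus, on the later slides, is designed to remove.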

SLIDE 14

The Shape Analysis Algorithm

  • When analyzing a single procedure, allow an arbitrary set of 3-valued structures to hold at the entry of the procedure

SLIDE 15

The Shape Analysis Algorithm

  • Example:

SLIDE 16

A More Precise Abstract Semantics

  • Overview
    • Focus
    • Apply transfer function
    • Coerce

SLIDE 17

A More Precise Abstract Semantics

  • Focus: forces a given formula to a definite value, splitting a structure into several structures where necessary

SLIDE 18

A More Precise Abstract Semantics

  • Focus example:

SLIDE 19

A More Precise Abstract Semantics

  • Coerce
    • Sharpen a structure according to compatibility constraints
    • Compatibility constraints from instrumentation predicates
    • Compatibility constraints from hygiene conditions

SLIDE 20

A More Precise Abstract Semantics

  • An algorithm to generate compatibility constraints
    • Definition formula:
    • Extended Horn clause:
    • Compatibility constraints:

SLIDE 21

A More Precise Abstract Semantics

  • Coerce example:

SLIDE 22

Related work

  • K-limiting
    • Use instrumentation predicates "reachable-from-x-via-access-path-α", for |α| <= k
  • Storage Shape Graphs [CWZ'90]
    • Use core predicates that record the allocation sites of heap cells
  • Doubly-linked list
    • Use instrumentation predicates c_{f.b}(v) and c_{b.f}(v)

SLIDE 23

Related Work

  • Biased versus unbiased static program analysis
  • Conventional analysis has a one-sided bias:
    • May analysis:
      • false => false
      • true => may be true / may be false
    • Must analysis:
      • true => true
      • false => may be true / may be false
  • 3-valued logic: unbiased

SLIDE 24

Summary

  • A parametric framework
  • Easy to experiment with new algorithms
  • For core predicates, the abstract semantics falls out from the concrete semantics
  • No need for a proof for a particular instantiation

SLIDE 25

Limitations

  • Size potentially exponential
  • Efficiency
  • Usually need to provide predicate-update formulae for instrumentation predicates and to prove that these formulae maintain the correct instrumentation. Is it more or less burdensome?