Transcript of the slides: Abstract Interpretation with Alien Expressions and Heap Structures
Slide 1: Abstract Interpretation with Alien Expressions and Heap Structures
Bor-Yuh Evan Chang (University of California, Berkeley) and K. Rustan M. Leino (Microsoft Research)
January 18, 2005
VMCAI 2005, Paris, France
1/18/2005 Chang and Leino: Abstract Interpretation with Alien Expressions and Heap Structures
Slide 2: Verifying Object-Oriented Programs
(Diagram: a Java/C# program is fed to an OO program verifier; its inference component ("Inference …") is built on abstract interpretation.)
Slide 3: Problem and Motivation
• Standard abstract interpretation infers properties following a domain-specific schema of relations among (program) variables
  – e.g., Polyhedra [CH78] can infer the postcondition here:
    { 0 ≤ x ≤ y }
    z := 2 · y − 2 · x;
    { 0 ≤ z }
Slide 4: Problem and Motivation
• But …
    { 0 ≤ this.x ≤ y }
    z := 2 · y − 2 · this.x;
    { 0 ≤ z ? }

    { 0 ≤ length(x) ≤ y }
    z := 2 · y − 2 · length(x);
    { 0 ≤ z ? }

    { 0 ≤ this.x ≤ y ∧ o ≠ this }
    o.x := 2 · y;
    z := 2 · y − 2 · this.x;
    { 0 ≤ z ? }
  – this.x, length(x) and o.x are alien expressions to Polyhedra
Slide 5: Goal
Given a base abstract domain that can represent certain kinds of constraints on variables, use it to represent constraints on arbitrary alien expressions (e.g., fields of objects).
Slide 6: Outline
• Overview
• Handling Alien Expressions
• Handling Heap Updates
• Concluding Remarks
Slide 7: Overview of Contributions
• To extend base domains to work with alien expressions
  – use a general abstract domain, parameterized by base domains, that hides alien expressions as fresh variables (cf. Nelson-Oppen)
  – the congruence-closure abstract domain
• To deal with heap updates
  – track successive heaps in a separate base domain
  – the heap succession abstract domain
Slide 8: Fooling the Base Domains
(Diagram: on `assume o.f ≥ 8`, the abstract interpreter calls Constrain( sel(H,o,f) ≥ 8 ) on the congruence-closure abstract domain. That domain maps the alien expression sel(H,o,f) to a fresh symbolic value, say α, and calls Constrain( α ≥ 8 ) on the base domains, here Polyhedra.)
Slide 9: Understandable to the Base Domain
Understands : FunSymbol × Expr[] → bool
Example expression: 2 · x + sel(H,o,f) ≤ Abs(y − z)
(Diagram: the expression as a tree. The congruence-closure domain asks the base domain Understands for each node: ≤, +, · and the leaves 2, x, y, z: Yes; sel and Abs: No.)
Slide 10: Understandable to the Base Domain
Understands : FunSymbol × Expr[] → bool
sel(H,o,f) is alien (No), so it is replaced by a fresh symbolic value, say α: 2 · x + α ≤ Abs(y − z). Abs is alien as well (No).
Slide 11: Understandable to the Base Domain
Understands : FunSymbol × Expr[] → bool
Abs(y − z) is alien (No), so it too is replaced by a fresh symbolic value, say β: 2 · x + α ≤ β. Its argument y − z is understood (Yes), so it gets a symbolic value of its own, say γ = y − z, and this constraint is also added to Polyhedra.
Slide 12: Congruence-Closure Domain
• Store mappings in an equivalence graph (e-graph)
  – give the same symbolic value to equivalent expressions
• Tracks equalities of uninterpreted functions
  – an e-graph with abstract domain operations
  – symbolic values “name” equivalence classes of expressions
  – implements congruence closure
Slide 13: E-Graph
• w = f(x) ∧ g(x,y) = f(y) ∧ w = h(w)
• A set of mappings: each of w, x, y, f(·), g(·,·), f(·) and h(·) maps to a symbolic value, the arguments of f, g and h being symbolic values themselves
• Always congruence-closed
(Diagram: the e-graph with nodes for w, x, y and the applications of f, g and h.)
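An added example (my own Python, not code from the paper or its implementation) of the two mechanisms on slides 9 to 13: a small e-graph whose symbolic values name congruence classes, exercised on slide 13's formula, and a translation that hides subterms the base domain does not understand behind symbolic values as on slides 9 to 11. The term representation (tuples whose leaves are 0-ary, e.g. ("x",)), the value names a0, a1, … and the Understands predicate written for Polyhedra are assumptions.

```python
from itertools import count

class EGraph:
    """Symbolic values name equivalence classes of terms (fun, *args); leaves like ("x",) are 0-ary."""
    def __init__(self):
        self.parent = {}  # union-find over symbolic values
        self.nodes = {}   # (fun, canonical argument values) -> symbolic value
        self.fresh = count()

    def find(self, v):
        while self.parent[v] != v:
            v = self.parent[v]
        return v

    def name(self, expr):
        """Return the symbolic value naming expr, creating a fresh one if expr is unseen."""
        key = (expr[0], tuple(self.name(a) for a in expr[1:]))
        if key not in self.nodes:
            self.nodes[key] = v = "a%d" % next(self.fresh)
            self.parent[v] = v
        return self.find(self.nodes[key])

    def merge(self, a, b):
        """Merge two classes, then re-canonicalise the nodes so congruent terms merge too."""
        a, b = self.find(a), self.find(b)
        if a == b:
            return
        self.parent[a] = b
        old, self.nodes, congruent = self.nodes, {}, []
        for (fun, args), v in old.items():
            key = (fun, tuple(self.find(x) for x in args))
            if key in self.nodes:          # same function, equal arguments: congruent
                congruent.append((self.nodes[key], v))
            else:
                self.nodes[key] = v
        for u, v in congruent:
            self.merge(u, v)

    def assume_eq(self, e1, e2):
        self.merge(self.name(e1), self.name(e2))

    def to_base(self, expr, understands):
        """Slides 9-11: hide alien subterms behind their symbolic values; an understood
        argument of an alien term is still passed on to the base domain as an equality."""
        extra = []
        def go(e):
            if understands(e[0], e[1:]):
                return (e[0],) + tuple(go(a) for a in e[1:])
            for a in e[1:]:
                if understands(a[0], a[1:]):
                    extra.append(("=", self.name(a), go(a)))
            return self.name(e)
        return go(expr), extra
POLYHEDRA = lambda fun, args: fun in {"+", "-", "*", "<="} or isinstance(fun, int)  # linear arithmetic only
```

After assuming x = y on slide 13's e-graph, f(x) and f(y) become congruent, so w = g(x,y) follows; translating 2 · x + sel(H,o,f) ≤ Abs(y − z) for Polyhedra yields a constraint over symbolic values plus the extra equality for y − z.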
Slide 14: Join
• Roughly, join the e-graphs, then join the base domains
(Diagram: (G0, P0, base domains) ⊔ (G1, P1, base domains) gives (G0 ⊔ G1, P0 ⊔ P1, base domains).)
Slide 15: Join of E-Graphs
• Think of the lattice over conjunctions of equalities (including infinite ones)
• Let G = Join(G0, G1):
  – x ↦ ⟨α0, α1⟩ ∈ G if x ↦ α0 ∈ G0 and x ↦ α1 ∈ G1
  – f(⟨β0, β1⟩) ↦ ⟨α0, α1⟩ ∈ G if f(β0) ↦ α0 ∈ G0 and f(β1) ↦ α1 ∈ G1
• Rename distinct pairs ⟨·,·⟩ to fresh symbolic values; tell the base domains about the renaming
(Diagram: two e-graphs over x and f being joined node by node.)
Slide 16: Join of E-Graphs
• Complexity: O(n · m)
• Complete? As precise as possible?
  – No, e-graphs do not form a lattice!
    x = y ⊔ (g(x) = g(y) ∧ x = f(x) ∧ y = f(y)) = ⋀ i ≥ 0 : g(f^i(x)) = g(f^i(y))
  – Only relatively complete [Gulwani et al. 2004]
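An added Python example, not from the paper, of the join rules of slide 15 applied to slide 16's case; the node-table representation {(fun, arg values): value}, the fresh names j0, j1, … and the fixpoint loop are my assumptions. When G0 knows only x = y, nothing about g survives the join; if G0 also happens to have a node for g(x), the equality g(x) = g(y) is retained, so how much of the precise (infinite) join survives depends on which terms each e-graph mentions.

```python
from itertools import count

def join_egraphs(g0, g1):
    """Join of two e-graphs given as node tables {(fun, arg values): value} (slide 15):
    program variables are 0-ary nodes such as ("x", ()). Returns the joined e-graph over
    fresh symbolic values and the renaming {(a0, a1): fresh} to tell the base domains."""
    fresh, renaming, joined = count(), {}, {}
    def name(pair):                      # rename each distinct pair to a fresh value
        if pair not in renaming:
            renaming[pair] = "j%d" % next(fresh)
        return renaming[pair]
    changed = True
    while changed:                       # repeat until no node pairs up: arguments pair first
        changed = False
        for (f0, args0), v0 in g0.items():
            for (f1, args1), v1 in g1.items():
                pairs = tuple(zip(args0, args1))
                if f0 != f1 or len(args0) != len(args1) or not all(p in renaming for p in pairs):
                    continue
                key = (f0, tuple(renaming[p] for p in pairs))
                if key not in joined:
                    joined[key] = name((v0, v1))
                    changed = True
    return joined, renaming

# Constructed inputs for slide 16's example. G1 says g(x) = g(y), x = f(x), y = f(y).
G1 = {("x", ()): "b", ("y", ()): "c", ("f", ("b",)): "b", ("f", ("c",)): "c",
      ("g", ("b",)): "d", ("g", ("c",)): "d"}
G0_XY = {("x", ()): "a", ("y", ()): "a"}                        # x = y, nothing else mentioned
G0_XY_G = {("x", ()): "a", ("y", ()): "a", ("g", ("a",)): "e"}  # x = y, and a node for g(x)
```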
Slide 17: Widen
• Widen the e-graphs, then widen the base domains
• Widen of e-graphs is a join of e-graphs that limits the number of new names introduced (see paper)
Slide 18: So Far We Have …
• Reasoning for uninterpreted functions
• Base domains that work with alien expressions transparently
• What we need for field reads
  – sel is alien to all base domains
Slide 19: Outline
• Overview
• Handling Alien Expressions
• Handling Heap Updates
• Concluding Remarks
Slide 20: Heap Updates
Java/C#:
    if (p.g == 8) { o.f = x; }
Guarded commands:
    assume H[p,g] == 8;
    H := H0 where sel(H0,o,f) = x and H0 ≡o,f H
(H0 ≡o,f H: the two heaps agree everywhere except possibly at o.f.)
Slide 21: Heap Updates
Guarded commands:
    assume H[p,g] == 8;
    H := H0 where sel(H0,o,f) = x and H0 ≡o,f H
Abstract interpreter:
    Constrain( sel(H,p,g) = 8 )
    Constrain( sel(H0,o,f) = x )
    Constrain( H0 ≡o,f H )
    Eliminate( H )
    Rename( H0, H )
The succession constraint H0 ≡o,f H is tracked by a new base domain: Heap Succession.
Slide 22: Heap Update Example
Operations: Constrain( sel(H,p,g) = 8 ), Constrain( sel(H0,o,f) = x ), Constrain( H0 ≡o,f H ), Eliminate( H ), Rename( H0, H ), ToPredicate()
Heap Succession: H0 ≡o,f H
E-Graph: sel(H,p,g) = 8 and sel(H0,o,f) = x, with variable nodes H, H0, p, g, o, f
Slide 23: Heap Update Example
Operations: Constrain( sel(H,p,g) = 8 ), Constrain( sel(H0,o,f) = x ), Constrain( H0 ≡o,f H ), Eliminate( H ), Rename( H0, H ), ToPredicate()
Heap Succession: H0 ≡o,f H
E-Graph: sel(H,p,g) = 8 and sel(H0,o,f) = x, with variable nodes H, H0, p, g, o, f
Eliminate( H ) on the e-graph:
• Only removes the mapping for H
• “Lazy quantifier elimination”
• “Garbage values” remain
Slide 24: Heap Update Example
Operations: Constrain( sel(H,p,g) = 8 ), Constrain( sel(H0,o,f) = x ), Constrain( H0 ≡o,f H ), Eliminate( H ), Rename( H0, H ), ToPredicate()
Heap Succession: H0 ≡o,f H
E-Graph after Eliminate( H ) and Rename( H0, H ): the mappings for sel(·,p,g) = 8 and sel(·,o,f) = x stay, over symbolic values; H now names the symbolic value that H0 named before the rename, and the old heap's symbolic value lingers as a garbage value.
Slide 25: Heap Update Example
Operations: Constrain( sel(H,p,g) = 8 ), Constrain( sel(H0,o,f) = x ), Constrain( H0 ≡o,f H ), Eliminate( H ), Rename( H0, H ), ToPredicate()
Heap Succession: H0 ≡o,f H
E-Graph: sel(H,p,g) = 8 and sel(H0,o,f) = x over symbolic values, as on the previous slide
ToPredicate():
1. Do Eliminate( H )
   • EquivalentExpr : Queryable × Expr × Var → Expr option
   • The e-graph asks the base domains: “Can you give me an equivalent expression without H?”
Slide 26: Heap Update Example
Operations: Constrain( sel(H,p,g) = 8 ), Constrain( sel(H0,o,f) = x ), Constrain( H0 ≡o,f H ), Eliminate( H ), Rename( H0, H ), ToPredicate()
Heap Succession: H0 ≡o,f H
E-Graph: sel(H0,p,g) = 8 (Heap Succession answered “Yes, use H0”) and sel(H0,o,f) = x
ToPredicate():
1. Do Eliminate( H )
   • EquivalentExpr : Queryable × Expr × Var → Expr option
   • Eliminate( H ) on the base domains
2. ToPredicate() on the base domains and convert the expression for the client
3. Conjoin the equalities
The Queryable argument lets a base domain query the other abstract domains (e.g., o ≠ p?).
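An added example (my own Python, not the paper's code or its implementation) of the Eliminate, Rename and ToPredicate steps of slides 20 to 26 for `if (p.g == 8) { o.f = x; }`: a toy heap-succession base domain answers EquivalentExpr, the e-graph is reduced to a table of variables and terms over symbolic values (no congruence closure), and `disjoint` stands in for the query to the other domains (o ≠ p?). The value names vH, vH0, vp, … are constructed.

```python
class HeapSuccession:
    """Base domain for facts h0 ≡_{o,f} h: heap h0 equals h except possibly at o.f."""
    def __init__(self, disjoint):
        self.facts = []           # (h0, h, o, f), all of them symbolic values
        self.disjoint = disjoint  # query to the other domains: disjoint(o, p) -> bool

    def constrain(self, h0, h, o, f):
        self.facts.append((h0, h, o, f))

    def equivalent_expr(self, term, value):
        """Slide 25's EquivalentExpr: a term equal to `term` avoiding `value`, or None."""
        if term[0] != "sel" or term[1] != value:
            return None
        _, h, p, g = term
        for h0, h1, o, f in self.facts:
            if h1 == h and (g != f or self.disjoint(o, p)):  # read not hit by the update
                return ("sel", h0, p, g)
        return None

class Store:
    """Stand-in for the e-graph: variables and terms (fun, *arg values) map to values."""
    def __init__(self):
        self.vars, self.terms = {}, {}

    def eliminate(self, var):   # lazy quantifier elimination: only the variable's
        del self.vars[var]      # mapping goes; its value lingers as a "garbage value"

    def rename(self, old, new):
        self.vars[new] = self.vars.pop(old)

    def to_predicate(self, domains):
        """Ask the base domains to rewrite terms over garbage values (slides 25-26);
        terms that cannot be rewritten are dropped. Returns {term over variables: value}."""
        live = {v: x for x, v in self.vars.items()}     # value -> variable naming it
        out = {}
        for term, value in self.terms.items():
            while term is not None and any(a not in live for a in term[1:]):
                garbage = next(a for a in term[1:] if a not in live)
                term = next((t for t in (d.equivalent_expr(term, garbage) for d in domains) if t), None)
            if term is not None:
                out[(term[0],) + tuple(live[a] for a in term[1:])] = value
        return out

def heap_update(read, disjoint=lambda o, p: False):
    """Interpret `if (p.<read> == 8) { o.f = x; }` (slides 20-22) and return what the
    e-graph can still state afterwards; `disjoint` is what other domains know of o vs p."""
    st, hs = Store(), HeapSuccession(disjoint)
    st.vars = {"H": "vH", "H0": "vH0", "p": "vp", "o": "vo", "g": "vg", "f": "vf"}
    st.terms[("sel", "vH", "vp", st.vars[read])] = "v8"   # Constrain(sel(H,p,read) = 8)
    st.terms[("sel", "vH0", "vo", "vf")] = "vx"           # Constrain(sel(H0,o,f) = x)
    hs.constrain("vH0", "vH", "vo", "vf")                 # Constrain(H0 ≡o,f H)
    st.eliminate("H")                                     # Eliminate(H)
    st.rename("H0", "H")                                  # Rename(H0, H)
    return st.to_predicate([hs])                          # ToPredicate()
```

heap_update("g") keeps p.g == 8 across the update because g ≠ f; heap_update("f") drops p.f == 8 unless the other domains can answer that o and p are distinct.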
Slide 27: Related Work
• Join for Uninterpreted Functions [Gulwani, Tiwari, Necula 2004]
  – same as our join for e-graphs
• Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …]
  – they abstract heap nodes into summary nodes
  – they use special “instrumentation predicates” whereas we use “off-the-shelf” abstract domains
  – could use shape analysis as a base domain?
Slide 28: Conclusion and Future Work
• Extended the power of abstract domains to work with alien expressions using the congruence-closure domain
• Added reasoning about heap updates with the heap succession domain
• Close to having “cooperating abstract interpreters”?
  – missing: propagating back equalities inferred by base domains
• Implementation and experiments in progress
Slide 29: Thank you!
Questions? Comments?