Abstract Interpretation with Alien Expressions and Heap Structures
Transcript of Abstract Interpretation with Alien Expressions and Heap Structures
Page 1: Abstract Interpretation with Alien Expressions and Heap Structures
Bor-Yuh Evan Chang (UC Berkeley) and K. Rustan M. Leino (Microsoft Research)
November 11, 2004, OSQ Meeting
Page 2 (footer dated 11/12/2004): Standard Abstract Interpretation
  y := 8; x := 0;
  while (*) {
    y := y + x;
    x++;
  }
Inferred: y ≥ 8
• Can do this inference with the polyhedra abstract domain [CH79]
Page 3: Standard Abstract Interpretation
  this.y := 8; this.x := 0;
  while (*) {
    this.y := this.y + this.x;
    this.x++;
  }
Inferred: this.y ≥ 8?
Goal: Given a base domain that can infer certain kinds of predicates on variables, use it to infer predicates on fields.
Page 4: Achieving the Goal
1. Handling Alien Expressions / Uninterpreted Functions
2. Handling Heap Updates
Page 5: Abstract Domains
  interface AbstractDomain {
    type Elt
    Constrain   : Elt × Expr → Elt
    Eliminate   : Elt × Var → Elt
    Rename      : Elt × Var × Var → Elt
    ToPredicate : Elt → Expr
    Join        : Elt × Elt → Elt
    AtMost      : Elt × Elt → bool
  }
Page 6: Fooling the Base Domains
Diagram: the client issues "assume o.f ≥ 8", which reaches the abstract interpreter as Constrain( sel(H,o,f) ≥ 8 ). The Congruence-Closure Domain acts as a "Name Service" in front of the Base Domains (Polyhedra, …): it gives the alien expression sel(H,o,f) a SymbolicValue and forwards Constrain( ⟨symbolic value⟩ ≥ 8 ) to the polyhedra domain, which never sees sel at all.
Pages 7-10: Understandable to the Base Domain
Understands : FunSymbol × Expr[] → bool
Animation on the expression 2·x + sel(H,o,f) ≤ |y − z|, drawn as a tree: the comparison at the root, + beneath it with children 2·x and sel(H,o,f), and | | with child y − z on the other side; leaves 2, x, y, z. The base domain is asked Understands for each function symbol:
• ≤, +, · (by a constant) and −: Yes
• sel: No, so the sel(H,o,f) subtree is replaced by a symbolic value
• | |: No, so |y − z| is replaced by a symbolic value as well; its argument y − z is understood, so the base domain is told that the argument's symbolic value = y − z (Yes, = y − z)
Page 11: Congruence-Closure Domain
• Could always choose new names, but …
  – Should use the same name for syntactically equivalent expressions
  – Even better: same name for known equalities
• Tracks equalities of uninterpreted functions
  – an E-graph with abstract domain operations
  – symbolic values “name” equivalence classes of expressions
  – implements congruence closure
Page 12: E-Graph
• w = f(x) ∧ g(x,y) = f(y) ∧ w = h(w)
• A set of mappings from variables and from function applications over symbolic values to symbolic values: w, x and y each map to a symbolic value; f applied to x's value maps to w's value; g applied to x's and y's values and f applied to y's value map to one shared value; h applied to w's value maps back to w's value
• Always congruence-closed
(The slide also draws this as a graph with nodes w, x, y and edges labelled f, f, g, h.)
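As an added example (not from the slides or the authors' implementation), the following Python sketches the name service of pages 6-12: an Understands predicate for a polyhedra-like base domain restricted to linear arithmetic, and a translation that replaces alien subexpressions by symbolic values, reuses one name for syntactically equal terms, and reports understood subterms beneath alien nodes as equalities. The tuple encoding, the operator strings, the "abs" symbol and the sv prefix are my own choices; known-equality sharing (true congruence closure) is not implemented here.

```python
# Added example (not the slides' or authors' code): a congruence-closure style
# "name service" that hides alien subexpressions from a polyhedra-like base
# domain (pages 6-12).  Expressions are nested tuples (op, arg, ...); ints are
# constants and strs are program variables.
from itertools import count

LINEAR_OPS = {"<=", ">=", "=", "+", "-"}

def understands(op, args):
    """Understands : FunSymbol x Expr[] -> bool for a linear-arithmetic domain:
    '*' counts as linear only when one factor is a constant."""
    if op == "*":
        return any(isinstance(a, int) for a in args)
    return op in LINEAR_OPS

class NameService:
    def __init__(self):
        self.names = {}                 # term over symbolic values -> symbolic value
        self.fresh = (f"sv{i}" for i in count())

    def name(self, e, side):
        """Symbolic value for compound term e; the same term always gets the same
        name.  An understood term beneath an alien one is reported to the base
        domain as an equality (the slide's "Yes, = y - z")."""
        op, args = e[0], e[1:]
        kids = tuple(self.name(a, side) if isinstance(a, tuple) else a for a in args)
        key = (op, *kids)
        if key not in self.names:
            self.names[key] = next(self.fresh)
            if understands(op, args):
                side.append(("=", self.names[key], key))
        return self.names[key]

    def translate(self, e, side):
        """Rewrite e so the base domain sees only operators it understands; extra
        equalities it must be constrained with are appended to `side`."""
        if not isinstance(e, tuple):
            return e                                    # variable or constant
        op, args = e[0], e[1:]
        if understands(op, args):
            return (op, *(self.translate(a, side) for a in args))
        return self.name(e, side)                       # alien: hide behind a symbolic value

def demo():
    """Constrain 2*x + sel(H,o,f) <= |y - z| (pages 7-10), then sel(H,o,f) >= 8 (page 6)."""
    ns, side = NameService(), []
    e1 = ("<=", ("+", ("*", 2, "x"), ("sel", "H", "o", "f")), ("abs", ("-", "y", "z")))
    e2 = (">=", ("sel", "H", "o", "f"), 8)
    return ns.translate(e1, side), ns.translate(e2, side), side
```

The second constraint reuses sv0 for sel(H,o,f), which is what lets the polyhedra domain relate the two facts without understanding sel.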
Page 13: Join
• Join the e-graphs, then join the base domains
• Think of the lattice over conjunctions of equalities (including infinite ones)
• Let G = Join(G0, G1)
  – a variable x maps in G to the pair of symbolic values it maps to in G0 and in G1 respectively
  – f applied to such pairs maps in G to the pair of values that f applied to the first components maps to in G0 and f applied to the second components maps to in G1
• Rename distinct pairs to fresh symbolic values
Page 14: Join
• Complexity: O(n·m)
• Complete? As precise as possible?
  – No, e-graphs do not form a lattice!
    x = y ⊔ (g(x) = g(y) ∧ x = f(x) ∧ y = f(y)) = ∧_{i : i ≥ 0} g(fⁱ(x)) = g(fⁱ(y))
  – Only relatively complete [Gulwani et al.]
• Tell base domains about renaming: for each pair renamed to a fresh symbolic value, ConstrainB0 with the equality between the fresh value and the pair's first component, and ConstrainB1 with the equality between the fresh value and its second component
Page 15: So Far We Have …
• Reasoning for uninterpreted functions
• Base domains that work with alien expressions transparently
• What we need for field reads
  – sel is alien to all base domains
Page 16: Achieving the Goal
1. Handling Alien Expressions / Uninterpreted Functions
2. Handling Heap Updates
Page 17: Heap Updates
Java/C#:              if (p.g == 8) { o.f = x; }
Abstract interpreter: assume H[p,g] == 8; H := upd(H,o,f,x);
  sel(upd(H,o,f,e),o′,f′) = e              if o = o′ and f = f′
  sel(upd(H,o,f,e),o′,f′) = sel(H,o′,f′)   if o ≠ o′ or f ≠ f′
Page 18: Heap Updates
Java/C#:              if (p.g == 8) { o.f = x; }
Abstract interpreter: assume H[p,g] == 8; H := H′ where H′ ≡_{o,f} H and sel(H′,o,f) = x
Page 19: Heap Updates
Abstract interpreter: assume H[p,g] == 8; H := H′ where H′ ≡_{o,f} H and sel(H′,o,f) = x
Abstract domain operations:
  Constrain( sel(H,p,g) = 8 )
  Constrain( H′ ≡_{o,f} H )
  Constrain( sel(H′,o,f) = x )
  Eliminate( H )
  Rename( H′, H )
  ToPredicate()
H′ ≡_{o,f} H is tracked by a new base domain: Heap Succession
Pages 20-24: Heap Update Example
Operations performed: Constrain( sel(H,p,g) = 8 ), Constrain( H′ ≡_{o,f} H ), Constrain( sel(H′,o,f) = x ), Eliminate( H ), Rename( H′, H ), ToPredicate()
After the three Constrain calls:
  Heap Succession: H′ ≡_{o,f} H
  E-Graph: sel(H,p,g) and 8 share a symbolic value; sel(H′,o,f) and x share a symbolic value; H, H′, p, g, o and f each have a symbolic value of their own
The remaining steps:
1. “Collect Garbage” (H): for each e-graph term mentioning H, ask the other domains EquivalentExpr : Queryable × Expr × Var → Expr option, that is, “Can you give me an equivalent expression without H?”. For sel(H,p,g) the heap succession domain answers “Yes, use H′”, because the update at (o,f) cannot affect field g, so the term becomes sel(H′,p,g) and stays equal to 8. Then Eliminate( H ) on the base domains.
2. ToPredicate() on the base domains and convert the resulting Expr for the client.
3. Add equalities.
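As an added example (not from the slides or the authors' implementation), the following Python works through pages 17-24: a heap succession element answering EquivalentExpr by the sel/upd rule of page 17, the "collect garbage" step of Eliminate( H ), and Rename( H′, H ). The tuple encoding, the dict representation of H′ ≡_{o,f} H, the `diseq` set of known object disequalities and the extra term sel(H,q,f) are my own constructions; the example also shows the failure case the slides do not, a read whose location might be the updated one.

```python
# Added example (not the slides' or authors' code): the heap succession domain
# answering EquivalentExpr during Eliminate(H), as on pages 17-24.  Expressions are
# nested tuples; heaps, objects and fields are names (strs); a heap succession
# element is a dict {old heap: (new heap, o, f)} recording H' ≡_{o,f} H.

def equivalent_expr(succ, e, var, diseq):
    """EquivalentExpr : Queryable x Expr x Var -> Expr option.  Rewrite e without heap
    `var`, or return None.  `diseq` holds frozenset({a, b}) pairs of objects known to
    be distinct; field names are constants, so distinct names are distinct fields."""
    if not isinstance(e, tuple):
        return None if e == var else e
    op, args = e[0], e[1:]
    if op == "sel" and args[0] == var and var in succ:
        new_heap, o, f = succ[var]
        _, obj, field = args
        # sel(upd(H,o,f,x), o', f') = sel(H, o', f')  if o ≠ o' or f ≠ f'
        if field != f or frozenset({obj, o}) in diseq:
            return ("sel", new_heap, obj, field)
        return None                     # may be the updated location: no answer
    new_args = []
    for a in args:
        r = equivalent_expr(succ, a, var, diseq)
        if r is None:
            return None
        new_args.append(r)
    return (op, *new_args)

def eliminate(succ, egraph, var, diseq=frozenset()):
    """Step 1 ("collect garbage"): rewrite e-graph terms mentioning `var` through
    EquivalentExpr; terms with no `var`-free equivalent are dropped."""
    rewritten = ((equivalent_expr(succ, t, var, diseq), v) for t, v in egraph.items())
    return {t: v for t, v in rewritten if t is not None}

def rename(e, old, new):
    """Rename( old, new ) on one term."""
    if not isinstance(e, tuple):
        return new if e == old else e
    return tuple(rename(a, old, new) for a in e)

def demo():
    """Pages 20-24: assume p.g == 8; o.f = x; then Eliminate(H) and Rename(H', H)."""
    succ = {"H": ("H'", "o", "f")}                      # Constrain( H' ≡_{o,f} H )
    egraph = {("sel", "H", "p", "g"): 8,                # Constrain( sel(H,p,g) = 8 )
              ("sel", "H'", "o", "f"): "x",             # Constrain( sel(H',o,f) = x )
              ("sel", "H", "q", "f"): "v"}              # constructed: q vs o unknown
    kept = eliminate(succ, egraph, "H")                 # Eliminate( H )
    return {rename(t, "H'", "H"): v for t, v in kept.items()}   # Rename( H', H )
```

The fact about p.g survives the update because field g differs from f; the constructed fact about q.f is discarded, since without a q ≠ o disequality the read might be the updated location.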
Page 25: Related Work
• Join for Uninterpreted Functions [Gulwani, Tiwari, Necula]
• Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …]
Page 26: Conclusion
• Extended the power of abstract domains to work with alien expressions using the congruence-closure domain
• Added reasoning about heap updates with the heap succession domain
• Close to having “cooperating abstract interpreters”?
  – missing: propagating back equalities inferred by base domains
Page 27: Thank you!
Questions? Comments?