
Symbolically Computing Most-Precise Abstract Operations for Shape Analysis


Presentation Transcript


  1. Symbolically Computing Most-Precise Abstract Operations for Shape Analysis
  Greta Yorsh (Tel Aviv University), Thomas Reps (University of Wisconsin), Mooly Sagiv (Tel Aviv University)
  TACAS’04

  2. Motivation
  • New approach to using symbolic techniques in abstract interpretation
    • for shape analysis
    • for other analyses
  • What does it mean to harness a decision procedure for use in static analysis?
    • what are the requirements?
    • what does it buy us?
  Symbolically computing most-precise abstract operations for shape analysis - TACAS'04

  3. What are the requirements?
  [Diagram over the Concrete, Formulas and Abstract domains. The correspondence shown is S ∈ (a) ⇔ S ⊧ (a); the two questions put to the decision procedure are “Is (a) satisfiable?” and “Is (a) empty?”]

  4. What does it buy us?
  • Guarantee the most-precise result w.r.t. the abstraction
    • best transformer
    • other abstract operations
  • Modular reasoning
    • assume-guarantee reasoning
    • scalability

  5. Assume-Guarantee Reasoning
  • assert[](a): is (a) ⇒  valid?
  • assume[](a) ?
  T bar();
  void foo() { T p; ... p = bar(); ... }
  Specifications: {prebar, postbar} for bar, {prefoo, postfoo} for foo
  Proof obligations along the body of foo, with abstract states <⊤>, <a1>, <a2>, <a3>, <a4>:
  assume[prefoo]; assert[prebar]; ----------- assume[postbar]; assert[postfoo];

  6. The assume[](a) Operation
  [Diagram over the Concrete, Formulas and Abstract domains illustrating assume[](a) = ((a)).]

  7. The abstraction operation ()
  [Diagram over the Concrete, Formulas and Abstract domains showing abstract values a1 and a2.]

  8. The idea behind ()
  [Diagram over the Concrete, Formulas and Abstract domains: the answer ans starts at ⊤; a1 is shown in the Abstract domain.]

  9. Remainder of the talk
  • Shape analysis
  • Canonical abstraction
  • Algorithm for abstraction - example
  • Abstract operations using the abstraction operation
  • Further work

  10. Shape Analysis
  • Static program analysis
  • Determine “shape invariants”
    • all possible memory configurations
  • Can be used to
    • Verify programs (partially)
    • Detect memory errors
    • Prove properties about dynamically allocated data
    • Detect logical errors
    • Code optimizations

  11. Why is Shape Analysis Difficult?
  • Destructive updating through pointers
    • p->next = q
    • Produces complicated aliasing relationships
  • Dynamic memory allocation
    • No bound on the size of run-time data structures
  • Abstract domain of 3-valued structures with canonical abstraction [Sagiv, Reps, Wilhelm]

  12. 3-Valued Logical Structures
  • Relation meaning over {0, 1, ½} (Kleene)
    • 1: True
    • 0: False
    • ½: Unknown
  • A join semi-lattice: 0 ⊔ 1 = ½

  13. Canonical Abstraction
  [Concrete structure: individuals u1, u2, u3, u4, with x on u1 and c, rx on every node. Abstract structure: u1 and the summary node u2.]
  The FOTC formula for the abstract structure a:
  (a) ≜ ∃v1,v2: node_u1(v1) ⋀ node_u2(v2)
    ⋀ ∀w: node_u1(w) ⋁ node_u2(w)
    ⋀ ∀w1,w2: node_u1(w1) ⋀ node_u1(w2) ⇒ (w1=w2) ⋀ ¬n(w1,w2)
    ⋀ ∀v: rx(v) ⇔ ∃v1: x(v1) ⋀ n*(v1,v)
    ⋀ ∀v: c(v) ⇔ ∃v1: n(v,v1) ⋀ n*(v1,v)
    ⋀ ∀v1,v2: x(v1) ⋀ x(v2) ⇒ v1=v2
    ⋀ ∀v,v1,v2: n(v,v1) ⋀ n(v,v2) ⇒ v1=v2
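The canonical abstraction of slide 13 carried out in code, as an added example that is not part of the original slides or the authors' tools: a constructed store x -> u1 -> u2 -> u3 -> u4 (-> u1 when cyclic), the instrumentation predicates rx and c derived from the slide's formulas, and the merge of individuals that agree on the abstraction predicates, with Kleene's join from slide 12 yielding ½ on the n edges. The store, the node names and the function names are assumptions.

```python
from collections import deque
from functools import reduce

HALF = 0.5  # Kleene's "unknown" value, written 1/2 on slide 12

def join(a, b):
    """Join in the {0, 1/2, 1} semi-lattice: x ⊔ x = x, 0 ⊔ 1 = 1/2."""
    return a if a == b else HALF

def reach(n, src):
    """Reflexive-transitive closure n*(src, .) of the successor relation n."""
    seen, todo = {src}, deque([src])
    while todo:
        for v in n.get(todo.popleft(), ()):
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def instrument(nodes, n, x):
    """Instrumentation predicates from slide 13:
    rx(v) = ∃v1: x(v1) ∧ n*(v1,v)   (reachable from x)
    c(v)  = ∃v1: n(v,v1) ∧ n*(v1,v)  (lies on a cycle)"""
    rx = {v: int(any(v in reach(n, s) for s in nodes if x[s])) for v in nodes}
    c = {v: int(any(v in reach(n, s) for s in n.get(v, ()))) for v in nodes}
    return rx, c

def canonical_abstraction(nodes, unary, n, abs_preds):
    """Merge individuals with equal abs_preds values into one canonical node;
    every predicate value on the merged node is the join of its members' values."""
    groups = {}
    for u in nodes:
        groups.setdefault(tuple(unary[p][u] for p in abs_preds), []).append(u)
    a_unary = {p: {g: reduce(join, [unary[p][u] for u in m])
                   for g, m in groups.items()} for p in unary}
    a_n = {(g1, g2): reduce(join, [int(v in n.get(u, ())) for u in m1 for v in m2])
           for g1, m1 in groups.items() for g2, m2 in groups.items()}
    summary = {g: len(m) > 1 for g, m in groups.items()}  # node stands for several
    return groups, a_unary, a_n, summary

def example(cyclic=True):
    """Constructed store (assumption): x -> u1 -> u2 -> u3 -> u4 (-> u1 if cyclic)."""
    nodes = ["u1", "u2", "u3", "u4"]
    n = {"u1": ["u2"], "u2": ["u3"], "u3": ["u4"]}
    if cyclic:
        n["u4"] = ["u1"]
    x = {"u1": 1, "u2": 0, "u3": 0, "u4": 0}
    rx, c = instrument(nodes, n, x)
    return canonical_abstraction(nodes, {"x": x, "rx": rx, "c": c}, n, ("x", "rx", "c"))
```

For the cyclic store the result is the slide's two-node structure: u1 keeps n(u1,u1) = 0, while every edge touching the summary node is ½, which is exactly the imprecision that the satisfiability checks on the later slides have to resolve.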

  14. Example of (): y == x->n
   ≜ ∀v1: y(v1) ↔ ∃v2: x(v2) ⋀ n(v2,v1)
  [Diagram over the Concrete, Formulas and Abstract domains: the answer ans starts at ⊤; the structures shown have nodes u1, u2 and uy with pointers x and y.]

  15. Example - Materialization: y == x->n
  • Is (a) satisfiable?
  • materialization: u2 is split into uy, u2 with y(uy) = 1, y(u2) = 0
  • y(u2) = 0 / y(u2) = 1
  [Diagram: structures with nodes u1, u2, uy and pointers x, y.]

  16. Abstract Operations
  • () – best abstract value that represents 
  • What does it buy us?
    • assume[](a) = ( (a) ⋀ )
      • assume-guarantee reasoning
      • pre- and post-conditions specified by logical formulas
    • BT(t,a) = ( (extend(a)) ⋀ t )
      • best abstract transformer
      • parametric abstractions
    • meet(a1, a2) = ( (a1) ⋀ (a2) )

  17. SPASS Experience
  • Handles arbitrary FO formulas
  • Can diverge
    • use timeout
  • Converges in our examples
  • Captures older shape analysis algorithms
  • How to handle FOTC?
    • Overapproximations lead to too many structures

  18. Decidable Transitive-closure Logic
  • Neil Immerman (UMASS), Alexander Rabinovich (TAU)
  • ∃∀(TC,f) is a subset of FOTC
    • exist-forall form
    • arbitrary unary relations
    • single function f
  • Decidable for satisfiability
    • NEXPTIME-complete
  • Any “reasonable” extension is undecidable
  • Rather limited

  19. Simulation Technique – CAV’04
  • Neil Immerman (UMASS), Alexander Rabinovich (TAU)
  • Simulate realistic data structures using decidable logic over tractable structures
    • Singly linked list - shared/cyclic/nested
    • Doubly linked list
    • Trees
  • Preserved under mutations
  • Abstract interpretation, Hoare-style verification

  20. Further Work
  • Implementation
  • Decidable logic for shape analysis
  • Assume-guarantee of “real” programs
    • case study: Java Collection
    • specification language
    • write procedure specifications
  • Extend to other domains
    • Infinite-height
  gretay www.cs.tau.ac.il/~gretay
