parametric shape analysis via 3-valued logic

Parametric Shape Analysisvia 3-Valued Logic

Mooly Sagiv

Thomas Reps

Reinhard Wilhelm

pointer analysis?points-to analysis?

shape analysis?alias analysis?

The Shape-Analysis Problem

For every program point, compute a finite characterization of the possible “shapes” of the heap-allocated data structures.

Formalizing “. . .”Informal:

x

y

Formal:x

ySummary

Information

Why Shape Analysis?

• Capture storage invariants– x points to an acyclic list, cyclic list, tree, dag, etc.

• May-alias information

• Identify (absence of) sharing– x and y point to structures that do not share cells

• “Dynamization” of static structure-description formalisms– e.g., ADDS annotations [Hendren 94]

What’s New?• Parametric framework for a class of shape-analysis

algorithms

• “Rational reconstruction” of a number of previous shape-analysis methods– [Jones & Muchnick 81]– [Chase, Wegman, & Zadeck 90]– [Stransky 93]– [Assmann & Weinhardt 93]– [Pleyvak, Chien, & Karamcheti 93]– [Wang 94]– [Sagiv, Reps, & Wilhelm 96, 98]

• New shape-analysis methods• General abstraction principle Much simpler proofs• Basis for a tool that generates shape-analysis algorithms

Outline

• Using logic to describe stores

• Using logic to express store transformations

• Forming abstractions of stores

• Three-valued logic

• Using three-valued logic to express transformations of abstract stores

Using Logic to Describe Stores• Predicate Symbols

– Whether variable x points to location u:• x(u)

– Pointer fields:

• n(u1, u2)

• car(u1, u2)

• cdr(u1, u2)

x u

u1 u2

u1 u2

u1

u2

Using Logic to Describe Stores• Formulas: Other Properties of Locations

u3 u4 u1 u2

is(u1) = 0 is(u2) = 0 is(u4) = 0is(u3) = 0

is(v) v1,v2 : n(v1,v) n(v2,v) v1 v2

is(u1) = 0 is(u2) = 1 is(u3) = 0

u3

u1

u2

x y

First-Order Logic (Syntax)• Vocabulary

– Predicate symbols: p1, p2, . . ., pn

– Constant symbols: c1, c2, . . ., cm

– Function symbols: f1, f2, . . ., fk

• Formulas– Variables– Equality-predicate symbol: =– Logical-constant symbols: 0, 1– Connectives: , , – Quantifiers: ,

First-Order Logic (Semantics)

• Truth values: 0, 1• Logical structures

–Individuals: U = {u1, u2, . . ., un}

–Predicates: pi : U arity(pi) {0, 1}

In Our ApplicationLogical structures = Concrete stores

u2

u3

u1

An Example

Individuals: U = {u1, u2, u3}

Predicates:

y

x

x(u) y(u)u1 1 0u2 0 0u3 0 1

n u1 u2 u3

u1 0 1 0u2 0 0 0u3 0 1 0

u1

x

y u3

u2

u3

u1

u3

u2

u3

u1

Example (Cont’d)

Individuals: U = {u1, u2, u3}

Predicates:

y

x

is(u)u1 0u2 1u3 0

u2

u3

u1


• Assignments

–Z: free variables individuals

• Meaning of a formula (Z)

Meaning of a Formula

(v,v1,v2) n(v1,v) n(v2,v) v1 v2

u1

u3

u2 y

x

Z = { v u2, v1 u1, v2 u3 }

(v,v1,v2)(Z) = ???

Meaning of a Formula (Z)

0 (Z) = 0

1 (Z) = 1

pi(v1, …, vk) (Z) = pi (Z(v1), …, Z(vk))

1 2(Z) = 1 (Z) 2(Z)

1 2(Z) = 1 (Z) 2(Z)

• Negation, quantification, . . .

Meaning of a Formula

(v,v1,v2) n(v1,v) n(v2,v) v1 v2

u1

u3

u2 y

x

Z = { v u2, v1 u1, v2 u3}

= n(u1, u2) n(u3, u2) u1 u3

= 1= 1

(Z) = n(v1,v) n(v2,v) v1 v2(Z)

1 1

Outline






Using Logic to Change Storesx = null

Before: x

u3

u1

u2

y

z

After:

u3

u1

u2

y

z

x(u) y(u) z(u)u1 1 1 0u2 0 0 0u3 0 0 1

n u1 u2 u3

u1 0 1 0u2 0 0 0u3 0 1 0

0

x

x[x = null](v) 0

Predicate-Alteration Formulas for x = nullOld:

x

u3

u1

u2

y

z

New:

u3

u1

u2

x(u) y(u) z(u)u1 1 1 0u2 0 0 0u3 0 0 1

x(u)

y(u) z(u)

u1 0u2 0u3 0

x(u)

y(u) z(u)

u1 0u2 0u3 0

y[x = null](v) y(v)


x

u3

u1

u2

y

z

New:

u3

u1

u2

y

x(u) y(u) z(u)u1 1 1 0u2 0 0 0u3 0 0 1

x(u)

y(u) z(u)

u1 0 1u2 0 0u3 0 0

x(u)

y(u) z(u)

u1 0 1u2 0 0u3 0 0

x(u)

y(u) z(u)

u1 0 1 0u2 0 0 0u3 0 0 1

z[x = null](v) z(v)


x

u3

u1

u2

y

z

New:

u3

u1

u2

y

z

x(u) y(u) z(u)u1 1 1 0u2 0 0 0u3 0 0 1

x(u)

y(u) z(u)

u1 0 1 0u2 0 0 0u3 0 0 1


x

u3

u1

u2

y

z

New:

u3

u1

u2

y

z

x(u) y(u) z(u)u1 1 1 0u2 0 0 0u3 0 0 1

u1 u2 u3

u1

u2

u3

n u1 u2 u3

u1 0 1 0u2 0 0 0u3 0 1 0

n


x

u3

u1

u2

y

z

New:

u3

u1

u2

y

z

n[x = null](v1,v2) n(v1,v2)

n u1 u2 u3

u1 0 1 0u2 0 0 0u3 0 1 0

u1 u2 u3

u1

u2

u3

n


x

u3

u1

u2

y

z

New:

u3

u1

u2

y

z

n u1 u2 u3

u1 0 1 0u2 0 0 0u3 0 1 0

u1 u2 u3

u1 0 1 0u2 0 0 0u3 0 1 0

n

u1 u2 u3

u1 0 1 0u2 0 0 0u3 0 1 0

n

x(u) y(u)

z(u)u1 0 1 0u2 0 0 0u3 0 0 1

x(u) y(u) z(u)u1 0 1 0u2 0 0 0u3 0 0 1

n u1 u2 u3

u1 0 1 0u2 0 0 0u3 0 1 0


x

u3

u1

u2

y

z

New:

u3

u1

u2

y

z

Outline






n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

n u1 u234

u1 {0} {0,1}

u234 {0} {0,1}

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

x(u) y(u)u1 {1} {0}

u234 {0} {0}

The Abstraction Principle

u1 u2 u3 u4

x

u1 u234

xSummary

Information{0,1}

= u1 u2 u3 u4

u1 1 0 0 0u2 0 1 0 0u3 0 0 1 0u4 0 0 0 1

= u1 u234

u1 {1} {0}

u234 {0} {0,1}

is(u)u1 0u2 0u3 0u4 0


u1 u2 u3 u4

x

u1 u234

x

is(u)u1 {0}

u234 {0}


• Select some subset A of the predicate symbols• Partition the individuals US of structure S into

equivalence classes based on the values of their A predicates– u [u]A

• Form the “union-quotient” of S with respect to {[u]A | u US}

Example

u1 u2 u3 u4

x

• A = {v | v is a program variable}– [Chase, Wegman, & Zadeck 90]

– [Sagiv, Reps, & Wilhelm 96, 98]

[u1]x

[u2]

Quotient w.r.t. {w, x, y, z}

Outline






Two- vs. Three-Valued Logic

0 1

Two-valued logic

{0,1}

{0} {1}

Three-valued logic

{0} 3 {0,1}

{1} 3 {0,1}

Two- vs. Three-Valued LogicTwo-valued logic Three-valued logic

0

1

1 01 1 00 0 0

1 01 1 10 1 0

{1}

{0,1}

{0}

1

0

{1} {0,1} {0}

{1} {1} {0,1} {0}{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}

{1} {0,1} {0}

{1} {1} {1} {1}{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}


• Truth values: 0, 1, • Logical structures

–Individuals: U = {u1, u2, . . ., un}

–Predicates: pi : U arity(pi) {0, 1, }

In Our Application3-valued logical structures = Abstract stores


• Select some subset A of the predicate symbols• Partition the individuals US of structure S into

equivalence classes based on the values of their A predicates– u [u]A

• Form the “union-quotient” of S with respect to {[u]A | u US}

Abstraction Conserves Predicates

pS (u1, …, uk) 3 pS#

([u1]A, …, [uk]A)

S# = S/[u]ASAbs(A)

u [u]A

“Form the ‘union-quotient’ of Swith respect to {[u]A | u US}”

n u1 u2 u3 u4

u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0

x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0

pS (u1,…,uk) 3 pS#

([u1]A,…,[uk]A)

u1 u2 u3 u4

x[u1]

x[u2]

x(u) y(u)[u1] 1 0

[u2] 0 0

n [u1] [u2][u1] 0

[u2] 0 1/2

is(u)u1 0u2 0u3 0u4 0

= u1 u2 u3 u4

u1 1 0 0 0u2 0 1 0 0u3 0 0 1 0u4 0 0 0 1

pS (u1,…,uk) 3 pS#

([u1]A,…,[uk]A)

u1 u2 u3 u4

x[u1]

x[u2]

= [u1] [u2]

[u1] 1 0[u2] 0 1/2

is(u)[u1] 0[u2] 0

Abstraction Conserves Properties

pS (u1, …, uk) 3 pS#

([u1]A, …, [uk]A)

S# = S/[u]ASAbs(A)

u [u]A

Evaluating a formula extracts information conservatively

S (u1, …, uk) 3 S# ([u1]A, …, [uk]A)

S (u1, …, uk) 3 S# ([u1]A, …, [uk]A)

(v) v1,v2 : n(v1,v) n(v2,v) v1 v2

u1 u2 u3 u4

x[u1]

x[u2]

S(u)u1 0u2 0u3 0u4 0

[[]] S#(u)

[u1] 0[u2] 1/2

1 =

For S#([u2]),

let v1 = [u1],and v2 = [u2]

S(u)u1 0u2 0u3 0u4 0

“Tracking Properties” Beats“Inferring Properties”

u1 u2 u3 u4

x[u1]

x[u2]

[[]] S#(u)

[u1] 0[u2] 1/2

is(u)u1 0u2 0u3 0u4 0

is(u)[u1] 0[u2] 0

“Tracking Properties” Beats“Inferring Properties”

u1 u2 u3 u4

x[u1]

x[u2]

pS (u1, …, uk) 3 p

S# ([u1]A, …, [uk]A)

pS (u1, …, uk) 3 pS#

([u1]A, …, [uk]A)

pS (u1, …, uk) = pS (u1, …, uk)

3 pS#

([u1]A, …, [uk]A)

3 pS#

([u1]A, …, [uk]A)

Outline






Example

x = y n

“Rational reconstruction” of [Chase, Wegman, & Zadeck 90]

xy

[u1] [u2]y

x

[u1] [u2]

[u1] [u2]

x[x = y n](v) v1 : y(v1) n(v1,v)

x

Example (~[CWZ 90])

x = y nxy

1

[u1] [u2]

[u1] [u2][u1] [u2]

x[x = y n](v) v1 : y(v1) n(v1,v)

y[x = y n](v) y(v)

y

x

Example (~[CWZ 90])

x = y nxy

1

[u1] [u2][u1] [u2]

x[x = y n](v) v1 : y(v1) n(v1,v)

y[x = y n](v) y(v)

y

x

Example (~[CWZ 90])

x = y nxy

n[x = y n](v1,v2) n(v1,v2)

[u1] [u2][u1] [u2]

x

y

Example (~[CWZ 90])

x = y nxy

x[x = y n](v) v1 : y(v1) n(v1,v)

y[x = y n](v) y(v)

n[x = y n](v1,v2) n(v1,v2)

is[x = y n](v) is(v)

Materialization

x = y n

[Chase, Wegman, & Zadeck 90]

xy

[u1] [u2]y

x

[u1] [u2]

x = y n

[Sagiv, Reps, & Wilhelm 96, 98]

xy

[u1] [u2]y

x

[u1] [u3][u2]

x[x = y n](v) v1 : y(v1) n(v1,v)

(1) Triplicate the Structure

xy

[u1] [u2]

xy [u1] [u2.1]

xy

y[u1] [u2.0][u2.1]

x

[u1]

x[x = y n](v) v1 : y(v1) n(v1,v)

(2) Evaluate Predicate-Alteration Formulas

[u1] [u2.1]

xy

y[u1] [u2.0][u2.1]

x

xy

[u1]y

[u1] [u2.1]y

y[u1] [u2.0][u2.1]

[u1]

x

x

• reachable-from-variable-x(v)

• acyclic-along-dimension-d(v)– à la ADDS

• doubly-linked(v)

• tree(v)

• dag(v)

• AVL trees:– balanced(v), left-heavy(v), right-heavy(v)

– . . . but not via height arithmetic

Additional Abstraction Predicates

NeedFO + TC

Formalizing “. . .”

Informal:

x

y

Formal:x

y


Informal:

x

y

t2

t1

Formal:x

y t2

t1


Informal:

x

y

Formal:x

y{y}

{x} {x}

{y}

reachable fromvariable x

reachable fromvariable y


Informal:

x

y

t2

t1

Formal:

t2

t1

{t1,x}

{t2,y}

{t1,x}

{t2,y}

x

y{y}

{x} {x}

{y}

Summary

• Parametric framework

• Three-valued logic arises from abstraction

• Three-valued logic also allows:– Materialization

– Conservative extraction of properties

– Interpretation of program conditions

• Simpler proofs

parametric shape analysis via 3-valued logic

Documents

u2 u1 u3

formula v

u2using logic

v1 v2z

v1 v2 u1 u3 u2z

shapeanalysis problemfor

alias analysis

u2 nu3