1 shape analysis via 3-valued logic mooly sagiv tel aviv university shape analysis with applications...
Post on 21-Dec-2015
218 views
TRANSCRIPT
1
Shape Analysisvia 3-Valued Logic
Mooly SagivTel Aviv University
Shape analysis with applications
Chapter 4.6
http://www.cs.tau.ac.il/~rumster/TVLA/
2
Main Results• A new abstract domain for static
analysis• Abstract dynamically allocated memory
• Abstract interpretation by Klenee’s 3-valued logic evaluation
• A system TVLA– Input:
• Structural operational semantics
• Input Program
– Output: the result of the analysis
3
Motivation
• Dynamically allocated storage and pointers are an essential programming tools– Object oriented– Modularity– Data structure
• But– Error prone– Inefficient
• Static analysis can be very useful here
4
A Pathological C Program
a = malloc(…) ;
b = a;
free (a);
c = malloc (…);
if (b == c) printf(“unexpected equality”);
5
Dereference of NULL pointers
typedef struct element {
int value;
struct element *next;
} Elements
bool search(int value, Elements *c) {Elements *elem;for (elem = c;
c != NULL;
elem = elem->next;)if (elem->val == value)
return TRUE;
return FALSE
6
Dereference of NULL pointers
typedef struct element {
int value;
struct element *next;
} Elements
bool search(int value, Elements *c) {Elements *elem;for (elem = c;
c != NULL;
elem = elem->next;)if (elem->val == value)
return TRUE;
return FALSE
potential null de-reference
7
Memory leakageElements* reverse(Elements *c)
{
Elements *h,*g;h = NULL;while (c!= NULL) {
g = c->next;h = c;c->next = h;c = g;
}return h;
typedef struct element {
int value;
struct element *next;
} Elements
8
Memory leakageElements* reverse(Elements *c)
{
Elements *h,*g;h = NULL;while (c!= NULL) {
g = c->next;h = c;c->next = h;c = g;
}return h;
leakage of address pointed-by h
typedef struct element {
int value;
struct element *next;
} Elements
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
1 2 3 NULL
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Materialization
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
Example: In-Situ List Reversal
List reverse (List x) { List y, t; y = NULL; while (x != NULL) { t = y; y = x; x = x next; y next = t; } return y;}
typedef struct list_cell { int val; struct list_cell *next;} *List;
x
yt
NULL
52
Original Problem: Shape Analysis
• Characterize dynamically allocated data– x points to an acyclic list, cyclic list, tree, dag, etc.– data-structure invariants
• Identify may-alias relationships
• Establish “disjointedness” properties– x and y point to structures that do not share cells
53
Why is Shape Analysis Difficult?
• Destructive updating through pointers– pnext = q– Produces complicated aliasing relationships
• Dynamic storage allocation– No bound on the size of run-time data structures– No syntactic names for locations
• Data-structure invariants typically only hold at the beginning and end of operations– Need to verify that data-structure invariants are re-
established
55
Applications: Software Tools
• Static detection of memory errors (cleanness)– dereferencing NULL pointers– dereferencing dangling pointers– memory leaks
• What is in the heap?– list? doubly-linked list? tree? DAG?– disjoint? intertwined?
• Static detection of logical errors– Is a shape invariant restored?
56
Properties of reverse(x)
• On entry: x points to an acyclic list
• On exit: y points to an acyclic list
• On exit: x = = NULL
• On each iteration, x and y point to disjoint acyclic lists
• All the pointer dereferences are safe
• No memory leaks
57
Plan
Motivation• SWhile• An SOS for SWhile• An SOS for SWhile using predicate calculus• Simple Abstract interpretation using 3-valued
logics• More precise abstract interpretation+ TVLA (next
meeting)
58
The SWhile Programming Language Abstract Syntax
a := x | x.sel | null | n | a1 opa a2
b := true | false | not b | b1 opb b2 | a1 opr a2
S := [x := a]l | [x.sel := a]l | [x := malloc()]l | [skip] l | S1 ; S2 | if [b]l then S1 else S2 | while [b]l do S
sel:= car | cdr
59
Dereference of NULL pointers
[elem := c;]1
[found := false;]2
while ([c != null]3 && [!found]4) (
if ([elem->car= value]5)
then [found := true]6
else [elem = elem->cdr]7
)
60
Structural Operational Semantics• The program state consists of:
– current allocated objects– a mapping from variables into atoms, objects,
and null– a car mapping from objects into atoms,
objects, and null– a cdr mapping from objects into atoms,
objects, and null
• malloc() allocates more objects
• assignments update the state
61
Structural Operational Semantics
• The program state S=<O, env, car, cdr>:– current allocated objects O– atoms (integers, Booleans) A
– env: Var* A O {null}
– car: A A O {null}– cdr: A A O {null}
{l1, l2, l3},
[x l1 ,y null],
[l1 1, l2 2, l3 3],
[l1 l2, l2 l3, l3 null]
null1 2 3x
y null
l1 l2 l3
62
The meaning of expressions
• Aa: S A O {null}
Aat(s) = at
Ax(<O, env, car, cdr>) = env(x)
Ax.cdr(<O, env, car, cdr>) =
cdr(env(x)) env(x) O
undefined otherwise
Ax.car(<O, env, car, cdr>) =
car(env(x)) env(x) O
undefined otherwise
63
Structural Semantics for SWhileaxioms
[assvsos] <x := a, s=(O, e, car, cdr)> (O, e[x Aas], car, cdr)
[asscarsos] <x.car := a, (O, e, car, cdr)> (O, e, car[e(x) Aas], cdr)
where env(x)O[asscdr
sos] <x.cdr := a, (O, e, car, cdr)> (O, e, car, cdr[e(x) Aas])
where env(x)O
[skipsos] <skip, s> s
[assmsos] <x := malloc(), (O, e, car, cdr)> (O {n}, e[x n], car, cdr)
where nO
64
Structural Semantics for SWhile(rules)
[comp1sos] <S1 , s> <S’1, s’>
<S1; S2, s> < S’1; S2, s’>
[comp2sos] <S1 , s> s’
<S1; S2, s> < S2, s’>
[ifttsos] <if b then S1 else S2, s> <S1, s> if Bbs=tt
[ifffsos] <if b then S1 else S2, s> <S2, s> if Bbs=ff
65
Summary• The SOS is natural
• Can handle: – errors, e.g., null dereferences– free– garbage collection
• But does not lead to an analysis– The set of potential objects is unbounded
• Solution: Three-Valued Kleene Predicate Logic
66
Predicate Logic• Vocabulary
– A finite set of predicate symbols Peach with a fixed arity
– A finite set of function symbols
• Logical Structures S provide meaning for predicates – A set of individuals (nodes) U– PS: US {0, 1}
• First-Order Formulas over express logical structure properties
67
P = {x1, y1, car2, cdr2}
US={l1, l2, l3}
xS=[l1 1, l2 0, l3 0] yS=[l1 0, l2 0, l3 0},
carS=[<l1, l1>0, <l1 , l2>0, <l1,l3 >0, <l2, l1>0, <l2 , l2>0, <l2,l3 >0, <l3, l1>0, <l3 , l2>0, <l3,l3 >0 ]
null1 2 3x
y null
l1 l2 l3{l1, l2, l3},
[x l1 ,y null],
[l1 1, l2 2, l3 3],
[l1 l2, l2 l3, l3 null]
cdrS=[<l1, l1>0, <l1 , l2>1, <l1,l3 >0, <l2, l1>0, <l2 , l2>0, <l2,l3 >1, <l3, l1>0, <l3 , l2>0, <l3,l3 >0 ]
68
Formal Semantics of First Order Formulae
• For a structure S=<US, PS>
• Formulae with LVar free variables
• Assignment z: LVarUS
S(z): {0, 1}
1S(z)=10S(z)=1v1=v2S(z) =
1 z(v1) = z(v2)
0 z(v1) z(v2)
p (v1, v2, …, vk)S(z)=pS (z(v1), z(v2), …, z(vk))
69
Formal Semantics of First Order Formulae
• For a structure S=<US, PS>
• Formulae with LVar free variables
• Assignment z: LVarUS
S(z): {0, 1}
12S(z)=max (1 S(z), 2 S(z))
12S(z)=min (1 S(z), 2 S(z))
1S(z)=1- 1 S(z)
v: 1S(z)=max {1 S(z[vu]) : u US}
70
Using Predicate Logic to describe states in SOS
• U=O• For a pointer variable x define a unary predicate
– x(u)=1 when env(x)=u and u is an object
• Two binary predicates:
– car(u1, u2) = 1 when car(u1)=u2 and u2 is object
– cdr(u1, u2) = 1 when cdr(u1)=u2 and u2 is object
71
SOS (Using Predicate Logic)
• First-order structures (= predicate tables)– hold recorded information
• Formulae– means for observing information
• Predicate-update formulae– operational semantics– update recorded information
72
Recorded Information (for reverse)
Predicate Intended Meaning
x(v) Does pointer variable x point to cell v?
y(v) Does pointer variable y point to cell v?
t(v) Does pointer variable t point to cell v?
n(v1,v2) Does the n field of v1 point to v2?
73
n u1 u2 u3 u4
u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0
x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0
Recorded Information (for reverse)
u1 u2 u3 u4
xy
74
Formulae for Observing Properties
• Are x and y pointer aliases?v: x(v) y(v)
• Does x point to a cell with a self cycle?v : x(v) n(v,v)
75
xy u1 u2 u3 u4
Are x and y Pointer Aliases?
v: x(v) y(v)
n u1 u2 u3 u4
u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0
x(u) y(u) t(u)u1 1 1 0u2 0 0 0u3 0 0 0u4 0 0 0
xy u1
Yes
78
Predicate-Update Formulae for ‘y = x’
• x’(v) = x(v)
• y’(v) = x(v)
• t’(v) = t(v)
• n’(v1,v2) = n(v1,v2)
79
x(u) y(u) t(u)u1 1 0 0u2 0 0 0u3 0 0 0u4 0 0 0
x
u1 u2 u3 u4
Predicate-Update Formulae for ‘y = x’
n u1 u2 u3 u4
u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0
y’(v) = x(v)
y
80
Predicate-Update Formulae for ‘x = x n’
• x’(v) = v1: x(v1) n(v1,v)
• y’(v) = y(v)
• t’(v) = t(v)
• n’(v1, v2) = n(v1, v2)
81
x
u1 u2 u3 u4
Predicate-Update Formulae for ‘x = x n’
n u1 u2 u3 u4
u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0
x(u) y(u) t(u) u1 1 1 0 u2 0 0 0 u3 0 0 0 u4 0 0 0
y
x’(v) = v1: x(v1) n(v1,v)
x
82
Predicate-Update Formulae for ‘y n = t’
• x’(v) = x(v)
• y’(v) = y(v)
• t’(v) = t(v)• n’(v1,v2) = y(v1) n(v1,v2) y(v1) t(v2)
83
Two- vs. Three-Valued Logic
0 1
Two-valued logic
{0,1}
{0} {1}
Three-valued logic
{0} {0,1}
{1} {0,1}
84
Two- vs. Three-Valued LogicTwo-valued logic
1 01 1 00 0 0
1 01 1 10 1 0
Three-valued logic
{1} {0,1} {0}
{1} {1} {0,1} {0}{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}
{1} {0,1} {0}
{1} {1} {1} {1}{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}
85
Two- vs. Three-Valued LogicThree-valued logic
0
1
Two-valued logic
1 01 1 00 0 0
1 01 1 10 1 0
{1}
{0,1}
{0}
1
½
0
{1} {0,1} {0}
{1} {1} {0,1} {0}{0,1} {0,1} {0,1} {0}{0} {0} {0} {0}
{1} {0,1} {0}
{1} {1} {1} {1}{0,1} {1} {0,1} {0,1}{0} {1} {0,1} {0}
86
• 1: True
• 0: False
• 1/2: Unknown
• A join semi-lattice: 0 1 = 1/2
Three-Valued Logic
1/2
Information order
87
Boolean Connectives [Kleene]
0 1/2 1
0 0 0 01/2 0 1/2 1/21 0 1/2 1
0 1/2 1
0 0 1/2 11/2 1/2 1/2 11 1 1 1
88
The Abstraction Principle
• Partition the individuals into equivalence classes based on the values of their unary predicates
• Collapse other predicates via
89
n u1 u2 u3 u4
u1 0 1 0 0u2 0 0 1 0u3 0 0 0 1u4 0 0 0 0
The Abstraction Principle
u1 u2 u3 u4
xu1
xu234
x(u) y(u)u1 1 0u2 0 0u3 0 0u4 0 0
n u1 u234
u1 0
u234 0 1/2
x(u) y(u)u1 1 0
u234 0 0
90
What StoresDoes a 3-Valued Structure Represent?• Example 3-valued structure
– individuals: {u1}
– predicates:
• graphical presentation
• concrete stores represented
x y t u1 1 0 0
xu1
n u1 u1 0
3 x8 x 37 x
91
• Example 3-valued structure
• graphical presentation
• concrete stores
What StoresDoes a 3-Valued Structure Represent?
x y t u1 1 0 0 u 0 0 0
u1 ux
u1 ux
n u1 u u1 0 1/2 u 0 1/2
x 31 71 91
92
x y t u1 1 0 0 u 0 0 0
n u1 u u1 0 1/2 u 0 1/2
• Example 3-valued structure
• graphical presentation
• concrete storesu1 u
xu1 u
x
x 31 71 91
What StoresDoes a 3-Valued Structure Represent?
93
Property-Extraction Principle• Questions about store properties can be
answered conservatively by evaluating formulae in three-valued logic
• Formula evaluates to 1 formula always holds in every store
• Formula evaluates to 0 formula never holds in any store
• Formula evaluates to 1/2 don’t know
94
The Embedding Theorem
• If a big structure B can be embedded in a structure S via a surjective (onto) function f such that basic predicates are preserved, i.e., pB(u1, .., uk) pS (f(u1), ..., f(uk))
• Then, every formula is preserved =1 in S =1 in B =0 in S =0 in B =1/2 in S don’t know
98
The Instrumentation Principle
• Increase precision by storing the truth-value of some designated formulae
• Introduce predicate-update formulae to update the extra predicates
99
is = 0 is = 0 is = 0 is = 0
Example: Heap Sharing
x 31 71 91
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
u1 ux
u1 ux
is = 0 is = 0
is = 1
is = 1/2
100
is = 0 is = 0 is = 0 is = 0
Example: Heap Sharing
x 31 71 91
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
u1 ux
u1 ux
is = 0 is = 0
101
is = 0 is = 0 is = 0 is = 0
Example: Heap Sharing
x 31 71 91
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
u1 ux
u1 ux
is = 0 is = 0
is = 1
is = 1
103
Example2: SortednessinOrder(v) = v1: n(v,v1) dle(v, v1)
u1 ux
u1 ux
inOrder = 1 inOrder = 1
n n
inOrder = 1
x 51 71 91
inOrder = 1 inOrder = 1 inOrder = 1
n n n
104
inOrder = 1
Example2: Sortedness
x 51 45 91
inOrder(v) = v1: n(v,v1) dle(v, v1)
uxx
inOrder = 0 inOrder = 1 inOrder = 1
inOrder = 1 inOrder = 1
n n n
n n
inOrder = 0
n
105
Shape Analysis viaAbstract Interpretation
• Iteratively compute a set of 3-valued structures for every program point
• Every statement transforms structures according to the predicate-update formulae– use 3-valued logic instead of 2-valued logic– use exactly the predicate-update formulae of the
concrete semantics!!
106
Predicate-Update Formulae for “y = x”y’(v) = x(v)
Old:
u1 u
x
x(u) y(u) t(u)u1 1 0 0u 0 0 0
n u1 u
u1 0 1/2
u 0 1/2
y
New:
u1 u
x
107
Predicate-Update Formulae for “x = x n”
x’(v) = v1: x(v1) n(v1,v)
x(u) y(u) t(u)u1 1 1 0u 0 0 0
n u1 u
u1 0 1/2
u 0 1/2
y
Old:
u1 u
xy
New:
u1 u
x