1
Program Analysis via 3-Valued Logic
Mooly Sagiv, Tal Lev-Ami, Roman Manevich, Tel Aviv University
Thomas Reps, University of Wisconsin, Madison
Reinhard Wilhelm, Universität des Saarlandes
(slide transcript)
2
Interprocedural Analysis, so far
Abstract domains
• (Powerset of) fixed set of program entities and entities from underlying domain
• Domains:
  – P(Aexp*): Available Expressions
  – P(Var* × Lab*): Reaching Definitions
  – Var* → Val: Constant Propagation
  – Var* → Int: Interval Analysis
3
Interprocedural Analysis
• Dynamically created procedure incarnations
• Domain P(Lab* × (Var* → …))
  – Call strings: strings of labels of call sites
  – Sufficient to represent recursion because of nested lifetimes; a call string corresponds to an actual stack
  – In general of unbounded length ⇒ non-computable fixed point ⇒ approximated by a fixed length k
4
Dynamically Created “Objects”
• How to represent dynamically created
  – heap cells, created by calls to malloc: x = malloc(); … x = malloc(); … x = malloc();
  – objects, created by constructors of classes: x = new C; … x = new C; … x = new C;
  – threads, created by thread constructors
• In general,
  – unbounded sets
  – non-nested lifetimes
  – anonymous
5
Anonymous Objects (contd.)
• Concrete domains: relations reflecting accessibility
  – Stack for program variables
  – Heap for anonymous, dynamically created objects
  – pointer variables point from Stack into Heap
  – Heap consists of a set of functions modelling references/pointer components
• Abstract domains: How to deal with unboundedness?
• How to analyze programs without bounds on the number of objects?
Example: In-Situ List Reversal

typedef struct list_cell {
    int val;
    struct list_cell *next;
} *List;

List reverse(List x) {
    List y, t;
    y = NULL;
    while (x != NULL) {
        t = y;          /* t remembers the reversed prefix */
        y = x;          /* the current cell becomes the new head of the prefix */
        x = x->next;    /* advance along the not-yet-reversed suffix */
        y->next = t;    /* destructive update: link the cell back onto the prefix */
    }
    return y;
}

Reverses lists of arbitrary length.
Invariant: x points to the head of the non-reversed suffix, y to the head of the already reversed prefix, or NULL (at the start).
7
Questions Posed to the Analysis
• Can x be dereferenced while having value NULL in some execution state?
• Can an object leak out of the program’s execution?
• Can an object be freed while being shared?
8
Freeing a Shared Object

a = malloc(…);
b = a;                 /* a and b now share the same cell */
free(a);               /* the cell is freed while b still refers to it */
c = malloc(…);         /* the allocator may hand out the freed cell again */
if (b == c) printf("unexpected equality");
9
Dereferencing a NULL pointer

typedef struct element {
    int value;
    struct element *next;
} Elements;

bool search(int value, Elements *c) {
    Elements *elem;
    for (elem = c; c != NULL; elem = elem->next)   /* condition tests c, not elem */
        if (elem->value == value)
            return TRUE;
    return FALSE;
}

potential null de-reference: the loop condition never changes once c is non-NULL, so elem runs past the end of the list and elem->value is evaluated with elem == NULL.
11
Memory Leakage

typedef struct element {
    int value;
    struct element *next;
} Elements;

Elements *strange(Elements *x) {
    Elements *y, *g;
    y = NULL;
    while (x != NULL) {
        g = x->next;
        y = x;
        x->next = y;    /* the cell now points to itself */
        x = g;
    }
    return y;
}

leakage of list elements: each visited cell is made self-referential and y is overwritten on the next iteration, so every cell except the last becomes unreachable.
13
class Make {
    private Worklist worklist;

    public static void main(String[] args) {
        Make m = new Make();
        m.initializeWorklist(args);
        m.processWorklist();
    }

    void initializeWorklist(String[] args) {
        ...;
        worklist = new Worklist();
        ... // add some items to worklist
    }

    void processWorklist() {
        Set s = worklist.unprocessedItems();
        for (Iterator i = s.iterator(); i.hasNext();) {
            Object item = i.next();
            if (...) processItem(item);
        }
    }

    void processItem(Object i) {
        ...;
        doSubproblem(...);
    }

    void doSubproblem(...) {
        ...
        worklist.addItem(newitem);
        ...
    }
}

public class Worklist {
    Set s;
    public Worklist() { ...; s = new HashSet(); ... }
    public void addItem(Object item) { s.add(item); }
    public Set unprocessedItems() { return s; }
}
14
Example: In-Situ List Reversal
Concrete execution on a list of length 3 (animation frames over the reverse code above)
[figure: list 1 → 2 → 3 → NULL; x points to cell 1; y and t are NULL]
30
Original Problem: Shape Analysis
• Characterize dynamically allocated data structures
  – x points to an acyclic list, cyclic list, tree, dag, etc.
  – data-structure invariants
• Identify may-alias relationships
• Establish “disjointedness” properties
  – x and y point to data structures that do not share cells
31
Properties of reverse(x)
• On entry: x points to an acyclic list
• On exit: y points to an acyclic list
• On exit: x == NULL
• Invariant: At the start of the while loop, x points to the head of the non-reversed suffix, y to the head of the already reversed prefix or NULL (start) (they are disjoint acyclic lists)
• All the pointer dereferences are safe
• No memory leaks
32
Example: In-Situ List Reversal
Abstract execution (animation frames over the reverse code above)
[figure: x points to a summary node; y and t are NULL]
The summary node could be
- the empty list
- a non-empty list
[figure: the loop body applied to the abstract structure]
Materialization: assuming that [summary node] is not the empty list
[figure: a concrete cell separated from the summary node; the loop body applied again]
Assuming that [summary node] stood for the empty list
[figure: x is NULL; the loop exits]
60
Why is Shape Analysis Difficult?
• Destructive updating through pointers
  – p->next = q
  – Produces complicated aliasing relationships
• Dynamic storage allocation
  – No bound on the size of run-time data structures
  – No syntactic names for locations
• Data-structure invariants typically only hold at the beginning and end of operations
  – Need to verify that data-structure invariants are re-established
61
Main Ingredients: Abstract Domain
• A new abstract domain for static analysis
• Represents dynamically allocated memory
• Based on predicate logic
• Execution states in concrete semantics coded as interpretations of sets of predicates over a 2-valued domain (1 true, 0 false)
  – unary predicate x for pointer variable x: x(l) = 1 if x points to l
  – binary predicate next for selector next: next(l1, l2) = 1 if the next selector of l1 points to l2
62
Predicates (for reverse)
Predicate Intended Meaning
x(v) Does pointer variable x point to cell v?
y(v) Does pointer variable y point to cell v?
t(v) Does pointer variable t point to cell v?
n(v1,v2) Does the n field of v1 point to v2?
Example: In-Situ List Reversal (coding of a concrete state)
[figure: cells l1, l2, l3 holding 1, 2, 3; pointer variables x, y, t; reverse code as above]
Coding: t(l2)=1, y(l3)=1, n(l2,l1)=1; predicates with value 0 not listed
64
Main Ingredients: Semantics of Statements
• Predicate-Update Formulae for a statement
• Describe how the interpretation of predicates changes by executing the statement
  – x = y changes the interpretation of x to that of y
  – x->next = y changes the interpretation of next such that n(l1, l2) = 1 for some l, l1, l2 with x(l) = 1, n(l, l1) = 1, and y(l2) = 1
65
Main Ingredients: Analysis
• Abstract interpretation by evaluation over a 3-valued domain (1, 0, ½ don’t know)
• Kleene’s interpretation of predicate logic
• A system: TVLA
  – Input: operational semantics, input program
  – Output: the result of the analysis
Example: In-Situ List Reversal (coding of an abstract state)
[figure: nodes l1, l2, l3 with pointer variables x, y, t; reverse code as above]
x(l3)=1, t(l2)=1, y(l3)=1, n(l2, l1)=1,
n(l1, …) = ?  n(l3, …) = ?
In the 3-valued structure: n(l1, …) = 1/2, n(l3, …) = 1/2
67
Formalizing “. . .”
Informal: [figure: x → cell → . . .]
Formal: [figure: x → cell → summary node]
68
Plan
• Motivation
• SWhile
• An SOS for SWhile
• An SOS for SWhile using predicate calculus
• Simple abstract interpretation using 3-valued logics
• More precise abstract interpretation + TVLA (next meeting)
69
Repetition
3-valued logic based analysis
• computes invariants about data structures, e.g. x points to an acyclic singly linked list
• Semantics is formulated in 1st order predicate logic: x(v) = 1 if x points to v
• 3rd value ½ to express don’t know
70
The SWhile Programming Language: Abstract Syntax
a ::= x | x.sel | null | n | a1 op_a a2
b ::= true | false | not b | b1 op_b b2 | a1 op_r a2
S ::= x := a | x.sel := a | x := malloc() | skip | S1 ; S2 | if b then S1 else S2 | while b do S
sel ::= car | cdr
78
Predicate Logic
• Vocabulary
  – A finite set of predicate symbols P, each with a fixed arity
  – A finite set of function symbols
• Logical Structures S provide meaning for the predicate symbols
  – A set of individuals (nodes) U^S
  – p^S: (U^S)^k → {0, 1} for each p ∈ P of arity k
• First-Order Formulas using ∧, ∨, ¬, ∃, ∀ express properties
79
P = {x^1, y^1, car^2, cdr^2}   (the superscript is the arity)
U^S = {l1, l2, l3}
x^S = [l1 ↦ 1, l2 ↦ 0, l3 ↦ 0]   y^S = [l1 ↦ 0, l2 ↦ 0, l3 ↦ 0]
car^S = [<l1, 1> ↦ 1, <l2, 2> ↦ 1, <l3, 3> ↦ 1, <l1, 0> ↦ 0, <l1, 2> ↦ 0, …, <l2, 1> ↦ 0, <l2, 3> ↦ 0, …]
cdr^S = [<l1, l1> ↦ 0, <l1, l2> ↦ 1, <l1, l3> ↦ 0, <l2, l1> ↦ 0, <l2, l2> ↦ 0, <l2, l3> ↦ 1, <l3, l1> ↦ 0, <l3, l2> ↦ 0, <l3, l3> ↦ 0]
[figure: x → 1 → 2 → 3 → null, y = null; the corresponding SWhile state:
  locations {l1, l2, l3},
  environment [x ↦ l1, y ↦ null],
  car store [l1 ↦ 1, l2 ↦ 2, l3 ↦ 3],
  cdr store [l1 ↦ l2, l2 ↦ l3, l3 ↦ null]]
80
Formal Semantics of First Order Formulae
• For a structure S = <U^S, P^S>
• Formula φ with free variables from a set LVar
• Assignment z: LVar → U^S
  ⟦φ⟧^S(z) ∈ {0, 1}
  ⟦1⟧^S(z) = 1      ⟦0⟧^S(z) = 0
  ⟦v1 = v2⟧^S(z) = 1 if z(v1) = z(v2), 0 if z(v1) ≠ z(v2)
  ⟦p(v1, v2, …, vk)⟧^S(z) = p^S(z(v1), z(v2), …, z(vk))
81
Formal Semantics of 1st Order Formulae
• For a structure S = <U^S, P^S>
• Formulae with free variables from LVar
• Assignment z: LVar → U^S
  ⟦φ⟧^S(z) ∈ {0, 1}
  ⟦φ1 ∨ φ2⟧^S(z) = max(⟦φ1⟧^S(z), ⟦φ2⟧^S(z))
  ⟦φ1 ∧ φ2⟧^S(z) = min(⟦φ1⟧^S(z), ⟦φ2⟧^S(z))
  ⟦¬φ1⟧^S(z) = 1 − ⟦φ1⟧^S(z)
  ⟦∃v: φ1⟧^S(z) = max{⟦φ1⟧^S(z[v ↦ u]) : u ∈ U^S}
82
Using Predicate Logic to Describe States
• U = O (the objects)
• For a pointer variable x define a unary predicate
  – x(u) = 1 when env(x) = u and u is an object
• Two binary predicates:
  – car(u1, u2) = 1 when car(u1) = u2 and u2 is an object
  – cdr(u1, u2) = 1 when cdr(u1) = u2 and u2 is an object
83
Semantics Described in Predicate Logic
• First-order structures
  – hold recorded information about states
• Formulae
  – means for querying structures describing states
• Predicate-update formulae
  – operational semantics of statements
  – update recorded information about states
84
Recorded Information (for reverse)
Predicate Intended Meaning
x(v) Does pointer variable x point to cell v?
y(v) Does pointer variable y point to cell v?
t(v) Does pointer variable t point to cell v?
n(v1,v2) Does the n field of v1 point to v2?
85
Recorded Information (for reverse)
[figure: x, y → u1 → u2 → u3 → u4]

  n   | u1 u2 u3 u4
  u1  |  0  1  0  0
  u2  |  0  0  1  0
  u3  |  0  0  0  1
  u4  |  0  0  0  0

      | x(u) y(u) t(u)
  u1  |  1    1    0
  u2  |  0    0    0
  u3  |  0    0    0
  u4  |  0    0    0
86
Formulae for Querying Structures
• Are x and y pointer aliases?  ∃v: x(v) ∧ y(v)
• Does x point to a cell with a self cycle?  ∃v: x(v) ∧ n(v,v)
87
Are x and y Pointer Aliases?  ∃v: x(v) ∧ y(v)
[figure: x, y → u1 → u2 → u3 → u4]
(same n and x/y/t tables as above)
With v = u1: x(u1) ∧ y(u1) = 1, so the formula evaluates to 1: Yes
90
Predicate-Update Formulae for ‘y = x’
• x’(v) = x(v)
• y’(v) = x(v)
• t’(v) = t(v)
• n’(v1,v2) = n(v1,v2)
91
Predicate-Update Formulae for ‘y = x’
Old: [figure: x → u1 → u2 → u3 → u4]

      | x(u) y(u) t(u)        n   | u1 u2 u3 u4
  u1  |  1    0    0          u1  |  0  1  0  0
  u2  |  0    0    0          u2  |  0  0  1  0
  u3  |  0    0    0          u3  |  0  0  0  1
  u4  |  0    0    0          u4  |  0  0  0  0

Apply y’(v) = x(v): y(u1) becomes 1, all other entries are unchanged.
New: [figure: x, y → u1 → u2 → u3 → u4]
92
Predicate-Update Formulae for ‘x = x->n’
• x’(v) = ∃v1: x(v1) ∧ n(v1,v)
• y’(v) = y(v)
• t’(v) = t(v)
• n’(v1, v2) = n(v1, v2)
93
Predicate-Update Formulae for ‘x = x->n’
Old: [figure: x, y → u1 → u2 → u3 → u4]

      | x(u) y(u) t(u)        n   | u1 u2 u3 u4
  u1  |  1    1    0          u1  |  0  1  0  0
  u2  |  0    0    0          u2  |  0  0  1  0
  u3  |  0    0    0          u3  |  0  0  0  1
  u4  |  0    0    0          u4  |  0  0  0  0

Apply x’(v) = ∃v1: x(v1) ∧ n(v1,v): only v = u2 has a v1 (= u1) with x(v1) = 1 and n(v1, v) = 1, so x(u2) becomes 1 and x(u1) becomes 0.
New: [figure: y → u1 → u2 → u3 → u4 with x → u2]
94
Predicate-Update Formulae for ‘y->n = t’
• x’(v) = x(v)
• y’(v) = y(v)
• t’(v) = t(v)
• n’(v1,v2) = (¬y(v1) ∧ n(v1,v2)) ∨ (y(v1) ∧ t(v2))
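The four predicate-update formulae above are enough to execute the whole reverse loop on a 2-valued structure. The following is an added example written for this transcript (it is not code from the slides or from TVLA): a structure is assumed to be a dict holding the universe and, for each predicate, the set of tuples with value 1; the list, the names assign/deref_n/store_n and the leak check are constructed for the illustration.

```python
# Added example, not from the slides: the predicate-update formulae for
# 't = y', 'y = x', 'x = x->n' and 'y->n = t' run as transformers over a
# 2-valued logical structure, which executes reverse() on a constructed list.
# Representation (an assumption of this example): a structure is a dict with
# the universe "U" and, per predicate, the set of tuples whose value is 1.

def concrete_list(k):
    """Constructed input: cells u1..uk linked by n, x pointing to u1."""
    U = [f"u{i}" for i in range(1, k + 1)]
    return {"U": U,
            "x": {(U[0],)} if U else set(), "y": set(), "t": set(),
            "n": {(U[i], U[i + 1]) for i in range(k - 1)}}

def p(S, name, *args):
    """Value of predicate `name` on `args` in structure S (0 or 1)."""
    return 1 if tuple(args) in S[name] else 0

def assign(S, dst, src):
    """'dst = src': dst'(v) = src(v); every other predicate is unchanged."""
    return {**S, dst: set(S[src])}

def deref_n(S, var):
    """'var = var->n': var'(v) = exists v1: var(v1) and n(v1, v)."""
    return {**S, var: {(v,) for v in S["U"]
                       if any(p(S, var, v1) and p(S, "n", v1, v) for v1 in S["U"])}}

def store_n(S, var, src):
    """'var->n = src':
    n'(v1, v2) = (not var(v1) and n(v1, v2)) or (var(v1) and src(v2))."""
    return {**S, "n": {(v1, v2) for v1 in S["U"] for v2 in S["U"]
                       if (not p(S, var, v1) and p(S, "n", v1, v2))
                       or (p(S, var, v1) and p(S, src, v2))}}

def reverse_by_predicate_updates(S):
    """The loop of reverse(), one predicate update per statement."""
    while any(p(S, "x", v) for v in S["U"]):      # while (x != NULL)
        S = assign(S, "t", "y")                    # t = y
        S = assign(S, "y", "x")                    # y = x
        S = deref_n(S, "x")                        # x = x->n
        S = store_n(S, "y", "t")                   # y->n = t
    return S

def aliased(S, a, b):
    """The query 'exists v: a(v) and b(v)' from the slides."""
    return int(any(p(S, a, v) and p(S, b, v) for v in S["U"]))

def reachable(S, var):
    """Cells reachable from pointer variable var along n edges."""
    seen, work = set(), [v for (v,) in S[var]]
    while work:
        v = work.pop()
        if v not in seen:
            seen.add(v)
            work += [v2 for (v1, v2) in S["n"] if v1 == v]
    return seen

def leaked(S):
    """Cells reachable from none of x, y, t: the 'no memory leaks' property."""
    return set(S["U"]) - reachable(S, "x") - reachable(S, "y") - reachable(S, "t")

if __name__ == "__main__":
    R = reverse_by_predicate_updates(concrete_list(4))
    print("n after reverse:", sorted(R["n"]), "y:", R["y"], "leaked:", leaked(R))
```

Running it on the four-cell list of the slides yields n = {(u2,u1), (u3,u2), (u4,u3)}, y pointing to u4 and x pointing to nothing, and no cell unreachable from x, y or t; the same transformers are what the 3-valued analysis later reuses unchanged.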
95
Two- vs. Three-Valued Logic
Two-valued logic: truth values 0 and 1, ordered 0 ≤ 1
Three-valued logic: values {0}, {1} and {0,1}; {0} ⊑ {0,1} and {1} ⊑ {0,1} (information order)

Two-valued ∧:          Two-valued ∨:
  ∧ | 1 0                ∨ | 1 0
  1 | 1 0                1 | 1 1
  0 | 0 0                0 | 1 0

Three-valued ∧:
   ∧    |  {1}   {0,1}  {0}
  {1}   |  {1}   {0,1}  {0}
  {0,1} | {0,1}  {0,1}  {0}
  {0}   |  {0}    {0}   {0}

Three-valued ∨:
   ∨    |  {1}   {0,1}  {0}
  {1}   |  {1}    {1}   {1}
  {0,1} |  {1}   {0,1} {0,1}
  {0}   |  {1}   {0,1}  {0}

Shorthand used from here on: {1} is written 1, {0,1} is written ½, {0} is written 0.
98
Three-Valued Logic
• 1: True
• 0: False
• 1/2: Unknown
• A join semi-lattice: 0 ⊔ 1 = 1/2
[figure: information order, with 1/2 above both 0 and 1]

Boolean Connectives [Kleene]
  ∧  |  0  1/2  1            ∨  |  0  1/2  1
  0  |  0   0   0            0  |  0  1/2  1
 1/2 |  0  1/2 1/2          1/2 | 1/2 1/2  1
  1  |  0  1/2  1            1  |  1   1   1
100
The Abstraction Principle
• Partition the individuals into equivalence classes based on the values of their unary predicates
• Collapse other predicates via ⊔ (join)

Before: [figure: x → u1 → u2 → u3 → u4]

  n   | u1 u2 u3 u4          | x(u) y(u)
  u1  |  0  1  0  0      u1  |  1    0
  u2  |  0  0  1  0      u2  |  0    0
  u3  |  0  0  0  1      u3  |  0    0
  u4  |  0  0  0  0      u4  |  0    0

After: u2, u3, u4 agree on all unary predicates and collapse into the summary node u234. [figure: x → u1 ⇢ u234, with a 1/2 self-loop on u234]

   n   | u1 u234            | x(u) y(u)
  u1   |  0  1/2      u1    |  1    0
  u234 |  0  1/2      u234  |  0    0
102
What Stores Does a 3-Valued Structure Represent?
• Example 3-valued structure
  – individuals: {u1}
  – predicates:
        | x y t         n  | u1
     u1 | 1 0 0         u1 |  0
  – graphical presentation: [figure: x → u1]
  – concrete stores represented: x → 3, x → 8, x → 37 (one-cell lists with any value)
• Example 3-valued structure with a summary node u
  – individuals: {u1, u}
  – predicates:
        | x y t         n  | u1  u
     u1 | 1 0 0         u1 |  0 1/2
     u  | 0 0 0         u  |  0 1/2
  – graphical presentation: [figure: x → u1 ⇢ u, dashed edges for value 1/2, 1/2 self-loop on u]
  – concrete stores represented: lists such as x → 31 → 71 → 91, where u stands for the cells after the first
105
Property-Extraction Principle
• Questions about store properties can be answered conservatively by evaluating formulae in three-valued logic
• Formula evaluates to 1 ⇒ formula always holds in every store represented
• Formula evaluates to 0 ⇒ formula never holds in any store represented
• Formula evaluates to 1/2 ⇒ don’t know
106
The Embedding Theorem (Intuition)
Property of Canonical Abstraction
• definitive information, i.e. with value 0 or 1, is preserved (conservatism)
• allows trading precision for efficiency (up to surprises)
107
The Embedding Theorem
• If a structure B can be embedded into a structure S via a surjective (onto) function f such that the interpretation of predicates is preserved, i.e., p^B(u1, ..., uk) ⊑ p^S(f(u1), ..., f(uk))
• Then the interpretation of every formula φ is preserved:
  – φ = 1 in S ⇒ φ = 1 in B
  – φ = 0 in S ⇒ φ = 0 in B
  – φ = 1/2 in S ⇒ don’t know
108
Are x and y Pointer Aliases?
[figure: x, y → u1 ⇢ u]
∃v: x(v) ∧ y(v) evaluates to 1 (with v = u1): Yes
109
Is Cell u Heap-Shared?
∃v1,v2: n(v1,u) ∧ n(v2,u) ∧ v1 ≠ v2
[figure: two distinct cells with definite n edges (value 1) into u]
Every conjunct is 1, so the formula evaluates to 1: Yes
110
Is Cell u Heap-Shared?
∃v1,v2: n(v1,u) ∧ n(v2,u) ∧ v1 ≠ v2
[figure: x, y → u1 ⇢ u with n(u1,u) = 1/2 and n(u,u) = 1/2]
The n edges into the summary node u have value 1/2, so the formula evaluates to 1/2: Maybe
111
The Instrumentation Principle
• So far, structures could be queried by evaluating a formula
• However, often low precision
• Increase precision by storing the truth-value of some designated formulae
• Introduce predicate-update formulae to update the extra predicates
112
Example: Heap Sharing
is(v) = ∃v1,v2: n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
• Concrete list x → 31 → 71 → 91: is = 0 at every cell
• Its abstraction x → u1 ⇢ u: is(u1) = 0, is(u) = 0
• Without is recorded, the same abstract structure also covers stores where u is shared (is = 1), so the stored value is the only thing separating them; querying the formula instead gives 1/2
• A concrete store in which two cells point at the same cell has is = 1 there, and its abstraction records is = 1 at the corresponding node
115
Is Cell u Heap-Shared?
∃v1,v2: n(v1,u) ∧ n(v2,u) ∧ v1 ≠ v2
[figure: x, y → u1 ⇢ u with n(u1,u) = 1/2, n(u,u) = 1/2, is(u1) = 0, is(u) = 0]
Evaluating the formula alone gives 1/2, but the stored instrumentation value is(u) = 0 answers the question: No!
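The abstraction principle, the property-extraction principle and the instrumentation principle can be run end to end on the four-cell list of the slides. The block below is an added example written for this transcript, not code from the slides or from TVLA; the dict representation of structures, the summary flag used to give v1 ≠ v2 the value 1/2 on a summary node, and the rule that a definite stored is(v) takes precedence over re-evaluating the formula are assumptions of this illustration.

```python
# Added example, not from the slides: Kleene's 3-valued connectives, canonical
# abstraction of a 2-valued structure by the values of its unary predicates,
# and the heap-sharing query evaluated on the abstract structure first without
# and then with the instrumentation predicate is(v). 1/2 is Fraction(1, 2).
# Representation (assumed here): unary predicates as dicts node -> value, the
# binary predicate n as a dict (node, node) -> value, plus a summary-node flag.
from fractions import Fraction

HALF = Fraction(1, 2)

def k_and(*vals): return min(vals)          # Kleene conjunction
def k_or(*vals): return max(vals)           # Kleene disjunction
def k_not(a): return 1 - a                  # Kleene negation

def join(vals):
    """Information-order join: equal values stay, 0 join 1 = 1/2."""
    vals = set(vals)
    return vals.pop() if len(vals) == 1 else HALF

def concrete_list(k):
    """Constructed 2-valued structure: acyclic list u1 -> ... -> uk, x at u1."""
    U = [f"u{i}" for i in range(1, k + 1)]
    return {"U": U,
            "unary": {"x": {u: int(u == "u1") for u in U}},
            "n": {(a, b): int(U.index(a) + 1 == U.index(b)) for a in U for b in U},
            "summary": {u: False for u in U}}

def eq(S, a, b):
    """Equality: distinct nodes give 0; a summary node against itself gives 1/2."""
    if a != b:
        return 0
    return HALF if S["summary"][a] else 1

def is_shared_formula(S, u):
    """is(u) = exists v1,v2: n(v1,u) and n(v2,u) and v1 != v2 (slide formula)."""
    return k_or(*[k_and(S["n"][(v1, u)], S["n"][(v2, u)], k_not(eq(S, v1, v2)))
                  for v1 in S["U"] for v2 in S["U"]])

def add_instrumentation(S):
    """Record is(v) as an extra unary predicate (instrumentation principle)."""
    S["unary"]["is"] = {u: is_shared_formula(S, u) for u in S["U"]}
    return S

def canonical_abstraction(S):
    """Merge nodes with equal unary-predicate values; join everything else."""
    names = sorted(S["unary"])
    classes = {}
    for u in S["U"]:
        classes.setdefault(tuple(S["unary"][p][u] for p in names), []).append(u)
    name = {sig: "u" + "".join(m[1:] for m in ms) for sig, ms in classes.items()}
    return {"U": list(name.values()),
            "unary": {p: {name[s]: join(S["unary"][p][m] for m in ms)
                          for s, ms in classes.items()} for p in names},
            "n": {(name[s1], name[s2]): join(S["n"][(a, b)] for a in m1 for b in m2)
                  for s1, m1 in classes.items() for s2, m2 in classes.items()},
            "summary": {name[s]: len(ms) > 1 for s, ms in classes.items()}}

def heap_shared(S, u):
    """Property extraction: a definite stored is(u) wins, otherwise evaluate."""
    stored = S["unary"].get("is", {}).get(u)
    return stored if stored in (0, 1) else is_shared_formula(S, u)

if __name__ == "__main__":
    A = canonical_abstraction(concrete_list(4))
    print(A["U"], A["n"], "heap_shared(u234) =", heap_shared(A, "u234"))
    B = canonical_abstraction(add_instrumentation(concrete_list(4)))
    print("with is recorded:", heap_shared(B, "u234"))
```

On the four-cell list the abstraction yields nodes u1 and u234 with n(u1,u234) = n(u234,u234) = 1/2, and the sharing query evaluates to 1/2; once is is recorded before abstracting, is(u234) = 0 and the query is answered 0. Building a structure in which a cell has two predecessors instead gives is = 1 at that cell and, because is is a unary predicate, the abstraction keeps that cell separate from the unshared ones.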
116
Example 2: Sortedness
inOrder(v) = ∀v1: n(v,v1) → dle(v, v1)
• Sorted concrete list x → 51 → 71 → 91: inOrder = 1 at every cell
  – abstraction x → u1 ⇢ u with inOrder(u1) = 1, inOrder(u) = 1
117
• Unsorted concrete list x → 51 → 45 → 91: inOrder = 0 at the first cell, inOrder = 1 at the others
  – because inOrder is a unary predicate, the abstraction keeps the cell with inOrder = 0 apart from the cells with inOrder = 1
118
Shape Analysis via Abstract Interpretation
• Iteratively compute a set of 3-valued structures for every program point
• Every statement transforms structures according to the predicate-update formulae
  – use 3-valued logic instead of 2-valued logic
  – use exactly the predicate-update formulae of the concrete semantics!!
119
Predicate-Update Formulae for “y = x”: y’(v) = x(v)
Old: [figure: x → u1 ⇢ u]

      | x(u) y(u) t(u)        n  | u1  u
  u1  |  1    0    0          u1 |  0 1/2
  u   |  0    0    0          u  |  0 1/2

New: y(u1) = x(u1) = 1, y(u) = x(u) = 0; nothing else changes. [figure: x, y → u1 ⇢ u]
120
Predicate-Update Formulae for “x = x->n”: x’(v) = ∃v1: x(v1) ∧ n(v1,v)
Old: [figure: x, y → u1 ⇢ u]

      | x(u) y(u) t(u)        n  | u1  u
  u1  |  1    1    0          u1 |  0 1/2
  u   |  0    0    0          u  |  0 1/2

New, evaluated in 3-valued logic:
  x’(u1) = max(x(u1) ∧ n(u1,u1), x(u) ∧ n(u,u1)) = max(1 ∧ 0, 0 ∧ 0) = 0
  x’(u)  = max(x(u1) ∧ n(u1,u), x(u) ∧ n(u,u)) = max(1 ∧ 1/2, 0 ∧ 1/2) = 1/2
[figure: y → u1 ⇢ u, with x pointing to the summary node u with value 1/2]
121
Summary
• Predicate logic allows one to express naturally the operational semantics of languages with pointers and dynamically allocated objects
• 3-valued logic provides a sound solution