Symbolic Implementation of the Best Transformer
Thomas Reps, University of Wisconsin
Joint work with M. Sagiv and G. Yorsh (Tel-Aviv)
[TR-1468, Comp. Sci. Dept., Univ. of Wisconsin]
Who Cares?
• New approach to using symbolic techniques in abstract interpretation
  – For shape analysis
  – For other abstract domains
• What does it mean to harness a decision procedure for use in static analysis?
Best Abstract Transformers
• For each abstract domain, there is a best transformer for each program statement
  – Best possible precision for that abstraction
• For predicate-abstraction domains, implementation of best transformer is known
  – Uses theorem prover
• Our work: implement best transformers for non-predicate-abstraction domains
  – Also uses theorem prover
Required Primitive Operations (shape-analysis instance; the shape-graph diagrams with nodes u1 and u are not reproduced)
Abstraction
  α(S) = ⊔_{s∈S} β(s)
  β(concrete store) = its abstract shape graph
Symbolic concretization
  γ̂(shape graph) = formula over v1, v2: node_u1(v1), node_u(v2), v1 ≠ v2;
                    and over v: node_u1(v), node_u(v) . . .
Theorem prover returning a satisfying structure (store)
  S ⊨ φ. For shape analysis, SPASS is mostly satisfactory
Constant-Propagation Domain
(Var → ZT), where ZT is the flat lattice
          T
  . . . -2 -1 0 1 2 . . .
Examples: ⊥, [x↦0, y↦43, z↦0], [x↦T, y↦T, z↦0], [x↦T, y↦T, z↦T]
Infinite cardinality, but finite height
Three Value-Spaces (diagram: Formulas, Abstract Values, Concrete Values)
  Concrete stores: [x↦0, y↦0, z↦0], [x↦0, y↦1, z↦0], [x↦0, y↦2, z↦0], . . .
  β([x↦0, y↦2, z↦0]) = [x↦0, y↦2, z↦0]
  Abstract value: [x↦0, y↦T, z↦0]
  Formula: (x = 0) ∧ (z = 0)
Required Primitive Operations
Abstraction
  α(S) = ⊔_{s∈S} β(s)
  β([x↦0, y↦2, z↦0]) = [x↦0, y↦2, z↦0]
Symbolic concretization
  γ̂([x↦0, y↦T, z↦0]) = (x = 0) ∧ (z = 0)
Theorem prover returning a satisfying structure (store)
  S ⊨ φ, e.g.
  [x↦0, y↦2, z↦0] ⊨ (x = 0) ∧ (z = 0)
  [x↦0, y↦2, z↦0] ⊨ (z = 0) ∧ (x = y*z)
Constant Propagation
x = y * z:  [x↦3, y↦4, z↦1]  ⟶  [x'↦4, y'↦4, z'↦1]
T[x = y * z] = λe.e[x ↦ e(y)*e(z)]
T[x := y*z] =df (x' = y * z) ∧ (y' = y) ∧ (z' = z)
[x↦3, y↦4, z↦1, x'↦4, y'↦4, z'↦1] ⊨ (x' = y * z) ∧ (y' = y) ∧ (z' = z)
Three Value-Spaces (diagram: Formulas, Abstract Values, Concrete Values)
  γ̂([x↦T, y↦T, z↦0]) = (z = 0)
  T[x := y*z] applied symbolically to (z = 0) gives (x' = 0) ∧ (z' = 0); α of that is [x'↦0, y'↦T, z'↦0]
  α ∘ T ∘ γ̂ on abstract values: [x↦T, y↦T, z↦0] ⟼ [x'↦0, y'↦T, z'↦0]
Remainder of the Talk
• α̂(φ) – best abstract value that represents φ
• Best(T, a) = α ∘ T ∘ γ̂ – best abstract transformer
Idea Behind Procedure α̂(φ) (diagram: Formulas, Concrete Values, Abstract Values)
  Step 1: pick a store S1 ⊨ φ; ans := β(S1); form γ̂(ans) and φ1 = φ ∧ ¬γ̂(ans); pick S2 ⊨ φ1
  Step 2: ans := ans ⊔ β(S2); form γ̂(ans) and φ2 = φ ∧ ¬γ̂(ans); continue until φ_i is unsatisfiable
Procedure α̂
α̂(formula φ) {
  ans := ⊥
  φ' := φ
  while (φ' is satisfiable) {
    Select a store S such that S ⊨ φ'
    ans := ans ⊔ β(S)
    φ' := φ ∧ ¬γ̂(ans)
  }
  return ans
}
Procedure α̂(φ), with φ = (z = 0) ∧ (x = y * z)
Iteration 1:
  S := [x↦0, y↦43, z↦0]
  ans := β(S) = [x↦0, y↦43, z↦0]
  γ̂(ans) = (x = 0) ∧ (y = 43) ∧ (z = 0)
  φ' := (z = 0) ∧ (x = y * z) ∧ (y ≠ 43)
Iteration 2:
  S := [x↦0, y↦46, z↦0]
  ans := [x↦0, y↦43, z↦0] ⊔ [x↦0, y↦46, z↦0] = [x↦0, y↦T, z↦0]
  γ̂(ans) = (x = 0) ∧ (z = 0)
  φ' := (z = 0) ∧ (x = y * z) ∧ ¬((x = 0) ∧ (z = 0)), which is unsatisfiable (z = 0 forces x = y*z = 0)
Return value: [x↦0, y↦T, z↦0]
Procedure Best
Best(two-store-formula T, abs-store a) {
  ans' := ⊥
  ψ := γ̂(a) ∧ T
  while (ψ is satisfiable) {
    Select a store pair (S, S') such that (S, S') ⊨ ψ
    ans' := ans' ⊔ β'(S')
    ψ := ψ ∧ ¬γ̂'(ans')
  }
  return ans'
}
Best((x' = y * z) ∧ (y' = y) ∧ (z' = z), [x↦T, y↦T, z↦0])
Initialization:
  ans' := ⊥
  ψ := (z = 0) ∧ (x' = y * z) ∧ (y' = y) ∧ (z' = z)
Iteration 1:
  (S, S') := [x↦5, y↦17, z↦0, x'↦0, y'↦17, z'↦0]
  ans' := [x'↦0, y'↦17, z'↦0];  γ̂'(ans') = (x' = 0) ∧ (y' = 17) ∧ (z' = 0)
  ψ := (z = 0) ∧ (x' = y*z) ∧ (y' = y) ∧ (z' = z) ∧ (y' ≠ 17)
Iteration 2:
  (S, S') := [x↦12, y↦99, z↦0, x'↦0, y'↦99, z'↦0]
  ans' := [x'↦0, y'↦17, z'↦0] ⊔ [x'↦0, y'↦99, z'↦0] = [x'↦0, y'↦T, z'↦0]
  γ̂'(ans') = (x' = 0) ∧ (z' = 0)
  ψ := (z = 0) ∧ (x' = y * z) ∧ (y' = y) ∧ (z' = z) ∧ (y' ≠ 17) ∧ ((x' ≠ 0) ∨ (z' ≠ 0)) = false
Iteration 3: ψ is unsatisfiable
Return value: [x'↦0, y'↦T, z'↦0]
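The two procedures above, α̂ and Best, carried out on the constant-propagation domain as an added Python example (not code from the slides or the TR). Formulas are represented as Python predicates over stores, and the bounded enumerator find_model is a constructed stand-in for the theorem prover; the names TOP, find_model, beta, join, gamma_hat, alpha_hat and best are my own.

```python
from itertools import product

TOP = "T"   # top element of the flat lattice Z_T; the bottom abstract store is None

# Constructed stand-in for the theorem prover: enumerate stores over a small
# integer range and return the first one that satisfies phi (None = unsatisfiable).
# A real prover (SPASS on the slides) searches all of Z; the bounded range only
# suffices for examples this small.
def find_model(phi, variables, lo=-2, hi=2):
    for values in product(range(lo, hi + 1), repeat=len(variables)):
        store = dict(zip(variables, values))
        if phi(store):
            return store
    return None

def beta(store):                 # beta: a concrete store is its own abstract value
    return dict(store)

def join(a, b):                  # least upper bound in (Var -> Z_T); None is bottom
    if a is None:
        return dict(b)
    return {v: (a[v] if a[v] == b[v] else TOP) for v in a}

def gamma_hat(a):                # symbolic concretization, returned as a formula (closure)
    if a is None:
        return lambda s: False
    return lambda s: all(s[v] == c for v, c in a.items() if c != TOP)

def alpha_hat(phi, variables):   # procedure alpha-hat: best abstract value representing phi
    ans, phi_prime = None, phi
    while (S := find_model(phi_prime, variables)) is not None:
        ans = join(ans, beta(S))                        # ans := ans |_| beta(S)
        g = gamma_hat(ans)
        phi_prime = lambda s, g=g: phi(s) and not g(s)  # phi' := phi /\ not gamma_hat(ans)
    return ans

def best(tau, a, variables):     # procedure Best: best abstract transformer of tau applied to a
    primed = [v + "'" for v in variables]
    psi = lambda s, g=gamma_hat(a): g(s) and tau(s)     # psi := gamma_hat(a) /\ tau
    ans_p = None
    while (SS := find_model(psi, variables + primed)) is not None:
        S_p = {v: SS[v] for v in primed}                # the post-store S' of the pair (S, S')
        ans_p = join(ans_p, beta(S_p))                  # ans' := ans' |_| beta'(S')
        g = gamma_hat(ans_p)
        psi = lambda s, psi0=psi, g=g: psi0(s) and not g(s)  # psi := psi /\ not gamma_hat'(ans')
    return ans_p
```

Running alpha_hat on (z = 0) ∧ (x = y*z) and best on the slides' two-store formula with a = [x↦T, y↦T, z↦0] reproduces the worked iterations above, except that the sampled stores come from the enumeration order rather than from a prover.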
Best(y = x->next, a): shape-analysis instance (diagrams of the input shape graph with nodes u1, u; of the sampled structures with nodes u1, u2, u3, u4 and their x, y, r[x], r[y] predicates; and of the resulting shape graph are not reproduced)
  Transformer formula: . . . (y'(v) ↔ ∃v1: x(v1) ∧ n(v1, v)) . . .
Predicate Abstraction
  y := 3
  x := 4*y + 1
Predicates B1 . . . B6:
  { B1 ≡ (y = 1), B2 ≡ (y = 3), B3 ≡ (y = 4), B4 ≡ (x = 1), B5 ≡ (x = 3), B6 ≡ (x = 4) }
Concrete store after the two statements: [x↦13, y↦3]
Invariant: y = 3 ∧ x ∉ {1, 3, 4}
Three Value-Spaces (diagram: Formulas, Abstract Values, Concrete Values)
  Concrete stores: [x↦5, y↦3], [x↦0, y↦3], [x↦17, y↦3]
  Abstract value: (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6)
  Formula: (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 1) ∧ (x ≠ 3) ∧ (x ≠ 4)
  T[x := x+1] applied symbolically, followed by α, gives (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 4), i.e. the abstract value (¬B1, B2, ¬B3, ¬B6)
  α ∘ T ∘ γ̂ on abstract values: (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6) ⟼ (¬B1, B2, ¬B3, ¬B6)
Predicate Abstraction
• Abstract values: tuples of literals over (B1, B2, B3, B4, B5, B6)
• Apply γ̂, which is performed symbolically: (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6) ⟼ (y ≠ 1) ∧ (y = 3) ∧ (y ≠ 4) ∧ (x ≠ 1) ∧ (x ≠ 3) ∧ (x ≠ 4)
• Apply T symbolically, then α̂_PA, which together implement α ∘ T ∘ γ̂
α̂_PA: Most-Precise Abstract Value [Predicate Abstraction]
(diagram: Formulas, Abstract Values, Concrete Values; α̂_PA maps (y = 3) ∧ (x = 4*y + 1) to (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6))

α̂_PA(φ) =
  false                                      if φ is unsatisfiable
  ⋀_{j=1..k} ( B_j    if φ ⇒ p_j is valid
               ¬B_j   if φ ⇒ ¬p_j is valid
               true   otherwise )            otherwise
where B_j ≡ p_j for the k predicates of the abstraction.

α̂_PA((y = 3) ∧ (x = 4*y + 1)) = (¬B1, B2, ¬B3, ¬B4, ¬B5, ¬B6), from the validity checks
  (y = 3) ∧ (x = 4*y + 1) ⇒ (y = 1)   not valid;  ⇒ ¬(y = 1)   valid  ⟹ ¬B1
  (y = 3) ∧ (x = 4*y + 1) ⇒ (y = 3)   valid                           ⟹  B2
  (y = 3) ∧ (x = 4*y + 1) ⇒ (y = 4)   not valid;  ⇒ ¬(y = 4)   valid  ⟹ ¬B3
  (y = 3) ∧ (x = 4*y + 1) ⇒ (x = 1)   not valid;  ⇒ ¬(x = 1)   valid  ⟹ ¬B4
  (y = 3) ∧ (x = 4*y + 1) ⇒ (x = 3)   not valid;  ⇒ ¬(x = 3)   valid  ⟹ ¬B5
  (y = 3) ∧ (x = 4*y + 1) ⇒ (x = 4)   not valid;  ⇒ ¬(x = 4)   valid  ⟹ ¬B6
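The α̂_PA definition above, carried out for the slides' six predicates, as an added Python example (not code from the slides or the TR). Validity of φ ⇒ p_j is checked by asking whether ¬(φ ⇒ p_j) has a model; the bounded enumerator find_model is a constructed stand-in for the theorem prover, and the names PREDICATES, find_model, is_valid and alpha_pa are my own.

```python
from itertools import product

# The predicates of the slides: B1..B6 stand for the propositions below.
PREDICATES = {"B1": lambda s: s["y"] == 1, "B2": lambda s: s["y"] == 3,
              "B3": lambda s: s["y"] == 4, "B4": lambda s: s["x"] == 1,
              "B5": lambda s: s["x"] == 3, "B6": lambda s: s["x"] == 4}

# Constructed stand-in for the theorem prover: bounded enumeration of stores over x, y.
# The range is wide enough for x = 4*y + 1 = 13 to be reachable; a real prover searches all of Z.
def find_model(phi, variables=("x", "y"), lo=-2, hi=14):
    for values in product(range(lo, hi + 1), repeat=len(variables)):
        store = dict(zip(variables, values))
        if phi(store):
            return store
    return None

def is_valid(phi):             # phi is valid iff its negation has no model
    return find_model(lambda s: not phi(s)) is None

def alpha_pa(phi):
    """Most-precise abstract value of phi in the predicate-abstraction domain:
    the list of literals over B1..B6 that phi implies, or False if phi is unsatisfiable."""
    if find_model(phi) is None:
        return False
    literals = []
    for name, p in PREDICATES.items():
        if is_valid(lambda s: not phi(s) or p(s)):        # phi => p_j is valid
            literals.append(name)
        elif is_valid(lambda s: not phi(s) or not p(s)):  # phi => not p_j is valid
            literals.append("not " + name)
        # otherwise B_j contributes 'true': phi says nothing about it
    return literals
```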
Procedure α̂_PA vs. General α̂ (diagram: Formulas, Abstract Values, Concrete Values)
  α̂_PA: one validity query per predicate, φ ⇒ p_j, and no intermediate stores
  General α̂: iterates S_i ⊨ φ_i with ans_i = ans_{i-1} ⊔ β(S_i) and φ_i = φ ∧ ¬γ̂(ans_{i-1})
Conclusions
• Requirements
  – Finite-height abstract domain
  – Theorem prover that returns a satisfying structure (store)
  – Abstraction operation α(S) = ⊔_{s∈S} β(s)
  – Symbolic-concretization operation γ̂(a)
• α̂(φ) – best abstract value that represents φ
• Best(T, a) – best abstract transformer
  – Best(T1; T2; . . .; Tk, a) – best abstract transformer for a basic block