Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
31
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv
-
Upload
nash-soloway -
Category
Documents
-
view
217 -
download
0
Transcript of 3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
3-Valued Logic Analyzer(TVP)
Tal Lev-Ami and Mooly Sagiv
Motivation Many dataflow problems can be solved using
Monotone Frameworks But Monotone Framework are hard to be used Compiler-writer obligations
– Define the lattice– Define the initial value
» Show that it is sound ({s0})
– Define transfer functions of elementary statements fl
» Show that these functions are monotone x y fl(x) fl(y)
» Show soundness ({[b]l(s) | s CS }) fl ((CS))
» Find an efficient representation
A Different Solution
Write structural operational semantics in a special form
Automatically derive the Monotone Framework from the operational semantics
Monotonicity and soundness is immediate Operational semantics need to be written in a
special form Scarify the generality of Monotone Frameworks The derived solution is not necessarily the induced
one but rather precise
Outline 3-valued proposional logic Parity Analysis in TVLA The Shape Analysis Problem 3-valued predicate logic
May 19, 10-13 Scriber 309
3-Valued Kleene Logic
A logic with 3-values – 0 -false
– 1 - true
– 1/2 - don’t know
Operators are conservatively interpreted– 1/2 means either true or false
0 1
1/2
Logical order
information order 01=1/2
Kleene Interpretation of Operators(logical-and)
0 1 ½
0 0 0 0
1 0 1 ½
½ 0 ½ ½
Kleene Interpretation of Operators(logical-or)
0 1 ½
0 0 1 ½
1 1 1 1
½ ½ 1 ½
Kleene Interpretation of Operators(logical-negation)
0 1
1 0
½ ½
Kleene Interpretation of Operators(logical-implication)
0 1 ½
0 1 1 1
1 0 1 ½
½ ½ 1 ½
baba
3-valued logic program analysis Choose a fixed set of proposional variables P per
program P ={even[x] | x Var} Represent “concrete” states by a truth assignments
from P to {0, 1}[even[x] 0, even[y] 1]
The meaning of every statement (SOS) is expressed using update formulaex := y * z = { even’[x] := even[y] even[y], even’[y] := even[y], even’[z] := even[z] }
Use lattice L=(P{0, 1/2, 1}){} The transformer is obtained by evaluating the
formula in 3-valued logic
Preconditions
The effect of some program conditions can be defined using a precondition formulaif (x % 2 == 0 || y %2 != 0)
even[x] even[y] These conditions are associated with control flow
edges For other program conditions no effect is given If the formula is potentially satisfied 1
the statement is executed May yield overly conservative results due to
missing or naively interpreted conditions
Example Program
while [x !=1]1 doif [ (x %2) = 0]2
then [x := x / 2;]3
else [x := x * 3 + 1;]4
The Focus Operation
It is sometimes possible to improve the precision by maintaining finer distinctions
If a formula evaluates to 1/2 replace the assignment by an equivalent set of assignments in which the formula evaluates to 1 or 0
Formally, Focus[](A)=… Always conservative Can increase the space complexity
Example Focus Formulae
even[x] Input Truth-Assignment
[even[x] 1/2, even[y] 0] Output Truth-Assignments
Example Program
while [x !=1]1 doif [ (x %2) = 0]2
then [x := x / 2;]3
else [x := x * 3 + 1;]4
A TVLA Specification of Parity
There are two files per analyzed program– prgm.tvp -The specification of the control flow graph
and the transfer functions
– prgm.tvs - The specification of the value at the initial node
Propostions are specified in a file (pred.tvp) Conditions are specified in a file (cond.tvp) The meaning of statements is specified in a file
(stat.tvp)
%s Var {x, t}#include "pred.tvp"%%#include "cond.tvp"#include "stat.tvp"%%/* while [x !=1]^1 do */
l_1 Uninterpreted_Cond() l_2 l_1 Uninterpreted_Cond() l_end
/* if [ (x %2) = 0]^2 */l_2 Is_Even(x) l_3l_2 Is_Odd(x) l_4
/* then [x := x / 2;]^3 */l_3 Divide_Even(x,x) l_5l_5 Skip() l_1
/* else [x := x * 3 + 1;]^4 */l_4 Multiply_Odd(t, x) l_41l_41 Add_Odd(x, t) l_6l_6 Skip() l_1
foreach (z in Var) {%p even[z]() {0, 1, 1/2}}
pred.tvp
cond.tvp
%action Uninterpreted_Cond() { %t "uninterpreted-Condition"}
%action Is_Even(x1) { %t x1 + " %2 == 0" %f {even[x1]()} %p even[x1]()}
%action Is_Odd(x1) { %t x1 + " %2 != 0" %f {!even[x1]()} %p !even[x1]()}
stat.tvp (part 1)
%action Skip() { %t "Skip"}%action Set_Even(x1) { %t x1 + " = Even" {
even[x1]() = 1 }}%action Set_Odd(x1) { %t x1 + " = Odd" {
even[x1]() = 0 }}
stat.tvp (part 2)
%action Add(x1, x2, x3) { %t x1 + " = " + x2 + " + " + x3 {even[x1]() = even[x2]() & even[x3]() | !even[x2]() &
!even[x3]() }}%action Add_Even(x1, x2) { %t x1 + " = " + x2 + " + EVEN" {even[x1]() = even[x2]() }}%action Add_Odd(x1, x2) { %t x1 + " = " + x2 + " + ODD" {even[x1]() = !even[x2]() }}
stat.tvp (part 3)
%action Multiply(x1, x2, x3) { %t x1 + " = " + x2 + " * " + x3 {even[x1]() = even[x2]() | even[x3]() }}%action Multiply_Even(x1, x2) { %t x1 + " = " + x2 + " * EVEN" {even[x1]() = 1}}%action Multiply_Odd(x1, x2) { %t x1 + " = " + x2 + " * Odd" {
even[x1]() = even[x2]() }}
stat.tvp (part 4)
%action Divide(x1, x2, x3) { %t x1 + " = " + x2 + " / " + x3 {even[x1]() = 1/2 }}%action Divide_Even(x1, x2) { %t x1 + " = " + x2 + " / EVEN" {even[x1]() = 1/2 }}%action Divide_Odd(x1, x2) { %t x1 + " = " + x2 + " / ODD" {even[x1]() = 1/2}}
%s Var {x, t}#include "pred.tvp"%%#include "cond.tvp"#include "stat.tvp"%%/* while [x !=1]^1 do */
l_1 Uninterpreted_Cond() l_2 l_1 Uninterpreted_Cond() l_end
/* if [ (x %2) = 0]^2 */l_2 Is_Even(x) l_3l_2 Is_Odd(x) l_4
/* then [x := x / 2;]^3 */l_3 Divide_Even(x,x) l_5l_5 Skip() l_1
/* else [x := x * 3 + 1;]^4 */l_4 Multiply_Odd(t, x) l_41l_41 Add_Odd(x, t) l_6l_6 Skip() l_1
prgm.tvs
%n = {}%p = {
even[x] = 1/2even[t] = 1/2
}
Command Prompt
tvla prgm prgm -d -action fpu
Shape Analysis
Determine the possible shapes of a dynamically allocated data structure at given program point
Relevant questions:– Does a variable point to an acyclic list?
– Does a variable point to a doubly-linked list?
– Does a variable point p to an allocated element every time p is dereferenced?
– Can a procedure create a memory-leak
Dereference of NULL pointerstypedef struct element {
int value;
struct element *next;
} Elements
bool search(int value, Elements *c) {Elements *elem;for ( elem = c; c != NULL;elem = elem->next;)
if (elem->val == value)
return TRUE;
return FALSE
NULL dereference
Memory leakage
Elements* reverse(Elements *c){
Elements *h,*g;h = NULL;while (c!= NULL) {
g = c->next;h = c;c->next = h;c = g;}
return h;
leakage of address pointed-by h
The SWhile Programming Language Abstract Syntax
a := x | x.sel | null | n | a1 opa a2
b := true | false | not b | b1 opb b2 | a1 opr a2
S := [x := a]l | [x.sel := a]l | [x := malloc()]l | [skip] l | S1 ; S2 | if [b]l then S1 else S2 | while [b]l do S
sel:= car | cdr
Dereference of NULL pointers
[elem := c;]1
[found := false;]2
while ([c != null]3 && [!found]4) (
if ([elem->car= value]5)
then [found := true]6
else [elem = elem->cdr]7
) NULL dereference
