Modelling, Specification and Formal Analysis of Complex Software Systems
Precise Static Analysis of Programs with Dynamic Memory
Mihaela Sighireanu
IRIF, University Paris Diderot & CNRS
VTSA 2015
1 / 149
Outline
1 Introduction
2 Formal Models and Semantics for IMPR
3 Foundations of Static Analysis by Abstract Interpretation
4 Application: Programs with Lists and Data
5 Application: Decision Procedures by Static Analysis
6 Elements of Inter-procedural Analysis
7 Application: Programs with Lists, Data, and Procedures
8 Extension: Programs with Complex Data Structures
9 Extension: Programs with Inductive Data Structures
Formal Semantics for Procedure Call
Stacks, memories and configurations:

$$\mathit{Stacks} \triangleq [(CP \times P \times (DV \mapsto D \cup RV \mapsto L))^{*}] \ni S$$

$$\mathit{Mem} \triangleq \mathit{Stacks} \times \mathit{Heaps} \ni m \qquad\qquad \mathit{Config} \triangleq CP \times (\mathit{Mem} \cup \{m_{err}\}) \ni C$$

Call: the actual parameters are evaluated in the caller's memory (none may be erroneous), and a new frame is pushed carrying the return point $\ell+1$, the callee $P$, the variable $v$ that receives the result, the output parameters, the argument values and the callee's local variables $lv_P$:

$$\frac{\forall v_i \in \vec{v}_{in}.\ (S,H) \vdash v_i \Rightarrow c_i \neq m_{err}}{(\ell, (S,H)) \vdash v = P(\vec{v}_{in}, \vec{v}_{out}) \Rightarrow (\mathit{start}_P, (\mathit{push}(S, \ell+1, P, v, \vec{v}_{out}, \vec{c}_i, lv_P), H))}$$

Return: the top frame is popped and the value of $v'$ is stored into the caller's variable $v$, control resuming at the saved point $\ell$:

$$\frac{\mathit{top}(S) = (\ell, P, v, \ldots) \qquad (S,H)(v') = c}{(\ell', (S,H)) \vdash \mathbf{return}\ v' \Rightarrow (\ell, (\mathit{pop}(S), H)[v \leftarrow c])}$$

Another source of infinity is the unbounded stack, which usually stores locations in the heap.
Inter-procedural Analyses
Aim: Compute an abstraction of the relation between the input and output configurations of a procedure, i.e. the procedure summary or contract.

Context sensitive: the summary depends on an abstraction of the calling stack.
“If p is called before q, it returns 0, otherwise 1.”
→ insight on the full program behaviour, expressive
→ analysis done for each call point

Context insensitive: the summary is independent of the calling stack.
“If p is called it returns 0 or 1.”
→ insight on the procedure behaviour, but less precise
→ analysis done independently of callers
Context-Sensitive Approaches
Main steps:
Case 1: Compute summary information for each procedure ... at each calling point with “equivalent stack” runs.
Case 2: Use summary information at procedure calls ... if the abstraction of the reaching stack fits the already computed ones.
Classic approaches for summary computation:
Functional approach: [Sharir&Pnueli,81],[Knoop&Steffen,92]
Summary is a function mapping abstract input to abstract output
Relational approach: [Cousot&Cousot,77]
Summary is a relation between input and output
Call string approach: [Sharir&Pnueli,81], [Khedker&Karkare,08]
Maps string abstractions of the call stack to abstract configs.
Functional Context-Sensitive
Aim: Compute a function $\mathit{summary}_P : CP \mapsto (AH \to AH)$ mapping each control point $q \in CP$ of the procedure to a function which associates every abstract heap $(G_0, W_0)$ reachable at $\mathit{start}_P$ with the abstract heap $(G_q, W_q)$ reachable at $q$.

    int length(list* l) {
    1:   int len = 0;
    2:   if (l == NULL)
    3:     len = 0;
    4:   else {
    5:     len = 1 + length(l->next);
    6:   }
    7:   return len;
    8: }

    q     (G0, W0)         (Gq, Wq)
    2     l = NULL         l = NULL
          ls+(l, NULL)     ls+(l, NULL)
    ...   ...              ...
    8     l = NULL         $ret = 0 ∧ l = NULL
          ls+(l, NULL)     $ret ≥ 1 ∧ ls+(l, NULL)
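The summary table above for `length`, computed with the functional approach as a small tabulation fixpoint, and the context-insensitive summary of the earlier slide next to it for comparison. This is an added example, not code from the slides or from any tool of the authors. It assumes the two abstract shapes of the table (l = NULL and ls+(l, NULL)), that unfolding ls+(l, NULL) makes l->next either NULL or again an ls+ segment, and an interval abstraction of $ret with the classic widening so that the recursive summary converges.

```python
"""Functional (tabulation) summary computation for the `length` procedure.

Added example, not from the slides or the PLDI'11 tool.  Assumptions:
  * the parameter shape is one of the two abstract heaps of the slide's table,
    "nil"  (l == NULL) or "ls+" (l heads a non-empty NULL-terminated list);
  * unfolding ls+(l, NULL) gives l->next either NULL or again an ls+ segment;
  * $ret is abstracted by an integer interval; widening makes the recursive
    summary converge.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Interval:
    """Integer interval [lo, hi]; -math.inf / math.inf stand for unbounded ends."""
    lo: float
    hi: float

    def join(self, other: "Interval") -> "Interval":
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def widen(self, other: "Interval") -> "Interval":
        """Classic interval widening: a bound that still moves after the join jumps to infinity."""
        return Interval(self.lo if other.lo >= self.lo else -math.inf,
                        self.hi if other.hi <= self.hi else math.inf)

    def plus(self, k: int) -> "Interval":
        return Interval(self.lo + k, self.hi + k)


# Summary table: abstract input shape -> abstract $ret; None is bottom (not computed yet).
Summary = Dict[str, Optional[Interval]]

# Abstract effect of reading l->next: a "nil" list has no next cell, an ls+ segment
# unfolds to a single cell (next is NULL) or to a cell followed by another ls+.
NEXT_OF = {"nil": (), "ls+": ("nil", "ls+")}


def join_opt(a: Optional[Interval], b: Optional[Interval]) -> Optional[Interval]:
    if a is None:
        return b
    if b is None:
        return a
    return a.join(b)


def length_body(shape: str, table: Summary) -> Optional[Interval]:
    """Abstract semantics of length()'s body for one input shape.

    The recursive call is not re-analysed: its effect is read from the summary
    table, which is what makes the functional approach compositional.
    """
    if shape == "nil":
        return Interval(0, 0)                           # line 3: len = 0
    result: Optional[Interval] = None
    for next_shape in NEXT_OF[shape]:                   # line 5: len = 1 + length(l->next)
        callee = table.get(next_shape)
        if callee is not None:                          # bottom contributes nothing
            result = join_opt(result, callee.plus(1))
    return result


def compute_summaries(shapes: Sequence[str] = ("nil", "ls+"), max_iter: int = 50) -> Summary:
    """Iterate the summary table to a fixpoint; widening at the recursion guarantees termination."""
    table: Summary = {s: None for s in shapes}
    for _ in range(max_iter):
        changed = False
        for s in shapes:
            new = length_body(s, table)
            if new is None:
                continue
            old = table[s]
            merged = new if old is None else old.widen(new)
            if merged != old:
                table[s] = merged
                changed = True
        if not changed:
            return table
    raise RuntimeError("summary computation did not converge")


def context_insensitive(table: Summary) -> Optional[Interval]:
    """One summary for every caller: the join over all calling contexts loses the case split."""
    acc: Optional[Interval] = None
    for value in table.values():
        acc = join_opt(acc, value)
    return acc


def render(table: Summary) -> Dict[str, str]:
    """Print a summary the way the slide's table does."""
    names = {"nil": "l = NULL", "ls+": "ls+(l, NULL)"}
    out: Dict[str, str] = {}
    for shape, iv in table.items():
        if iv is None:
            out[shape] = "unreachable"
        elif iv.lo == iv.hi:
            out[shape] = f"$ret = {int(iv.lo)} ∧ {names[shape]}"
        elif iv.hi == math.inf:
            out[shape] = f"$ret ≥ {int(iv.lo)} ∧ {names[shape]}"
        else:
            out[shape] = f"{int(iv.lo)} ≤ $ret ≤ {int(iv.hi)} ∧ {names[shape]}"
    return out


if __name__ == "__main__":
    summaries = compute_summaries()
    for shape, text in render(summaries).items():
        print(f"{shape:4} -> {text}")
    print("context-insensitive ->", context_insensitive(summaries))
```

The fixpoint needs three rounds: the first gives length(nil) = [0,0] and length(ls+) = [1,1], the second would push length(ls+) to [1,2] and widening turns it into [1,+∞), and the third round confirms it is stable. The context-insensitive summary joins both rows into [0,+∞), which is the "returns 0 or 1 or more" answer of the earlier slide and no longer says that a NULL argument yields exactly 0.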
Inter-procedural Analysis with Heap
Problem: The local heap of a procedure may be accessed from the stack bypassing the actual parameters.

Bad consequence: Context-sensitive analyses must also track these interferences!
Particular Case of Programs
Observation: In a large class of programs with procedure calls, the local heap is reachable from the stack only by passing through the actual parameters.

Consequence: For this class, the computation of summaries is compositional.
Cut-point Free Programs
[Rinetzky et al,05]
Definition: A call is cut-point free if every node of its local heap that is reachable from the stack is reachable through the procedure parameters, i.e. the local heap has no cut points. A cut-point free program has only cut-point free procedure calls.
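A concrete check of the definition, as an added example that is not code from the slides or from Rinetzky et al.: given an explicit heap graph, the caller's stack and the variables passed as actuals, it computes the callee's local heap (everything reachable from the actual parameters) and reports the cut points, i.e. local-heap nodes that a pending variable or a field of an outside node references directly, bypassing the parameters. The node names, the field names and the two calling contexts below are constructed for the example.

```python
"""Cut-point detection for one procedure call on an explicit heap graph.

Added example, not from the slides or from Rinetzky et al.  Assumptions:
  * the heap is a finite graph node -> {field: target}, with the special node "NULL";
  * the caller's stack maps variable names to nodes, and `actuals` names the
    variables passed as actual parameters;
  * the callee's local heap is everything reachable from the actual parameters.
A cut point is a local-heap node that the rest of the state (pending variables, or
fields of nodes outside the local heap) reaches without going through a parameter;
the nodes the parameters point to are entry points and are not cut points.
"""
from typing import Dict, Iterable, List, Set

Heap = Dict[str, Dict[str, str]]
Stack = Dict[str, str]
NULL = "NULL"


def reachable(heap: Heap, roots: Iterable[str]) -> Set[str]:
    """Nodes reachable from `roots` by following any field (NULL is never a node)."""
    seen: Set[str] = set()
    work: List[str] = [r for r in roots if r != NULL]
    while work:
        node = work.pop()
        if node in seen:
            continue
        seen.add(node)
        work.extend(t for t in heap.get(node, {}).values() if t != NULL)
    return seen


def cut_points(heap: Heap, stack: Stack, actuals: Iterable[str]) -> Set[str]:
    actual_vars = set(actuals)
    entry = {stack[a] for a in actual_vars} - {NULL}        # parameter targets
    local = reachable(heap, entry)                           # callee's local heap
    # Walk the state from the pending (non-parameter) variables and stop at the
    # boundary of the local heap: entering it anywhere but at an entry node is a cut point.
    work: List[str] = [stack[v] for v in stack if v not in actual_vars and stack[v] != NULL]
    seen: Set[str] = set()
    cps: Set[str] = set()
    while work:
        node = work.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in local:
            if node not in entry:
                cps.add(node)            # reached the callee's heap bypassing its parameters
            continue                     # never walk through the callee's heap
        work.extend(t for t in heap.get(node, {}).values() if t != NULL)
    return cps


def is_cut_point_free(heap: Heap, stack: Stack, actuals: Iterable[str]) -> bool:
    return not cut_points(heap, stack, actuals)


# Constructed heap: the list x -> n1 -> n2 -> n3 -> NULL, plus a cell m outside the
# list whose field points into it.  Both calls are length(x) from the slide.
EXAMPLE_HEAP: Heap = {
    "n1": {"next": "n2"},
    "n2": {"next": "n3"},
    "n3": {"next": NULL},
    "m":  {"next": "n3"},
}
# Caller A: besides x only an alias y of the list head is live; m is garbage.
CALLER_A: Stack = {"x": "n1", "y": "n1"}
# Caller B: a saved iterator p still points into the middle of the list, and q
# holds m, whose field reaches n3.
CALLER_B: Stack = {"x": "n1", "p": "n2", "q": "m"}

if __name__ == "__main__":
    print("caller A cut points:", cut_points(EXAMPLE_HEAP, CALLER_A, ["x"]))
    print("caller B cut points:", cut_points(EXAMPLE_HEAP, CALLER_B, ["x"]))
```

Caller A is cut-point free: the alias y hits the list only at its head, which is the parameter's own target. Caller B has two cut points, n2 through the pending variable p and n3 through the field of m. Those are exactly the cells a summary of `length(x)` computed from the parameter alone knows nothing about, yet a callee may rewrite or free them while the caller still reaches them, which is the interference the previous slide says a context-sensitive analysis has to track.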
Abstraction of Summaries
Let $V$ be the set of formal parameters and local variables.

Definition: A concrete inter-procedural configuration is a pair of heap configurations $(H_0, H_q)$ where:
$H_0$ is the local heap at $\mathit{start}_P$ over a new vocabulary $V_0$
→ similar to the \old notation in JML
$H_q$ is the heap at the control point $q$ of the procedure over $V \cup \{\$ret\}$

Definition: A concrete procedure summary is the set $\{(H_0, H_{\mathit{end}_P})\}$.
Application
Programs with Lists and Data
— Inter-procedural Analysis —
joint work with A. Bouajjani, C. Drăgoi, C. Enea
PLDI’11
Running Example: Quicksort on Lists (with Copy)
Representing Summaries in AHS
$$\alpha((H_0, H)) \triangleq (G_0 * G,\ W_0 \wedge W)$$
Analysing Quicksort: AU Domain
Analysing Quicksort: AM Domain
Quicksort: Loss of Precision
Strengthen Procedure
Strengthen Procedure: Example
Experimental Results
Table 1. Experimental results for functions in our benchmark. Columns: nesting = (loop, rec) nesting depth, “–” = none; AM = multiset domain, AU = universal-formula domain; P = guard patterns supplied to AU; t = analysis time in seconds.

    class   fun       nesting   AM t(s)   AU P            AU t(s)
    sll     create    (0,–)     < 1       P=, P1          < 1
    sll     addfst    –         < 1       P=              < 1
    sll     addlst    (0,1)     < 1       P=              < 1
    sll     delfst    –         < 1       P=              < 1
    sll     dellst    (0,1)     < 1       P=              < 1
    sll     init(v)   (0,1)     < 1       P=, P1          < 1
    map     initSeq   (0,1)     < 1       P=, P1          < 1
    map     add(v)    (0,1)     < 1       P=              < 1
    map2    add(v)    (0,1)     < 1       P=              < 1
    map2    copy      (0,1)     < 1       P=              < 1
    fold    delPred   (0,1)     < 1       P=, P1          < 1
    fold    max       (0,1)     < 1       P=, P1          < 1
    fold    clone     (0,1)     < 1       P=              < 1
    fold    split     (0,1)     < 1       P=, P1          < 1
    fold2   equal     (0,1)     < 1       P=              < 1
    fold2   concat    (0,1)     < 1       P=, P1, P2      < 3
    fold2   merge     (0,1)     < 1       P=, P1, P2      < 3
    sort    bubble    (1,–)     < 1       P=, P1, P2      < 3
    sort    insert    (1,–)     < 1       P=, P1, P2      < 3
    sort    quick     (–,2)     < 2       P=, P1, P2      < 4
    sort    merge     (–,2)     < 2       P=, P1, P2      < 4

Examples of summaries synthesized ($x_0$ denotes the value of $x$ at procedure entry; [AU] and [AM] mark the domain in which the summary was computed):

[AU] $\mathtt{create}(\&x, n)$: $hd(x) = 0 \wedge len(x) = n \wedge \forall y \in tl(x) \Rightarrow x[y] = 0$

[AU] $\mathtt{init}(v, x)$: $len(x_0) = len(x) \wedge hd(x) = v \wedge \forall y \in tl(x).\ x[y] = v$

[AU] $\mathtt{add}(v, x)$: $len(x_0) = len(x) \wedge hd(x) = hd(x_0) + v \wedge \forall y_1 \in tl(x), y_2 \in tl(x_0).\ y_1 = y_2 \Rightarrow x[y_1] = x_0[y_2] + v$

[AU] $\mathtt{add}(v, x, z)$: $len(x_0) = len(x) \wedge len(z_0) = len(z) \wedge eq(x, x_0) \wedge \forall y_1 \in tl(x), y_2 \in tl(z).\ y_1 = y_2 \Rightarrow x[y_1] + v = z[y_2]$

[AM] $\mathtt{split}(v, x, \&l, \&u)$: $ms(x) = ms(x_0) = ms(l) \cup ms(u)$

[AU] $\mathtt{split}(v, x, \&l, \&u)$: $equal(x, x_0) \wedge len(x) = len(l) + len(u) \wedge l[0] \le v \wedge \forall y \in tl(l) \Rightarrow l[y] \le v \wedge u[0] > v \wedge \forall y \in tl(u) \Rightarrow u[y] > v$

[AM] $\mathtt{merge}(x, z, \&r)$: $ms(x) \cup ms(z) = ms(r) \wedge ms(x_0) = ms(x) \wedge \ldots$

[AU] $\mathtt{merge}(x, z, \&r)$: $equal(x, x_0) \wedge equal(z, z_0) \wedge sorted(x_0) \wedge sorted(z_0) \wedge sorted(r) \wedge len(x) + len(z) = len(r)$

[AM] $\mathtt{quicksort}(x)$: $ms(x) = ms(x_0) = ms(res)$

[AU] $\mathtt{quicksort}(x)$: $equal(x, x_0) \wedge sorted(res)$
For all experiments, the time needed to check the validity of (C) is negligible compared with the time to compute the procedure summaries.

8. Related work
Automatic synthesis of assertions about programs with dynamic data structures has been addressed using different approaches including abstract interpretation [2, 3, 5, 7, 10–12, 14, 19, 20, 22–26, 28], constraint solving [1, 13] and Craig interpolants [17].

In the intra-procedural case, several works consider invariant synthesis for programs that manipulate dynamic data structures. The generated invariants are either universally-quantified first-order formulas [2, 12, 14, 19] or multiset constraints [2, 20].

Concerning the approaches based on abstract interpretation which can handle procedure calls, most of them [3, 7, 22, 24] focus on shape properties and do not consider constraints on sizes and data. The approach in [23] can synthesize procedure summaries that describe data if the instrumentation predicates which guide the abstraction speak about data. Providing patterns is simpler than providing instrumentation predicates on data because patterns contain only constraints between (universally-quantified) positions (in the left-hand side of the implication) and no constraints on data. For example, in [23] the predicate dle(v,u) allows one to synthesize the summary for a procedure that sorts in ascending order, but cannot be used for a procedure that sorts in descending order. However, using the pattern $y_1 \le y_2$, our approach synthesizes the summaries for both kinds of procedures. The same pattern may also allow other properties than sortedness to be discovered. Actually, patterns are in many cases simple (ordering/equality constraints) and can be discovered using natural heuristics based on the program syntax or proposed/guessed by the user, whereas constraints on data can be more complex. Our approach allows the discovery of (maybe unpredictable) data constraints for given guard patterns. To establish the fact that a procedure preserves the data values in the input list, the method used in [23] is based on reachability, that is, every cell in the input list remains reachable in the output list. This method can be applied only to programs that never modify/permute the contents of data fields. In our approach, using the multiset domain, we can handle programs that permute positions of cells in the list or modify/permute the contents of their data fields.

The approach in [10] considers abstract domains where the elements are pairs formed of a graph and a constraint on data. The inter-procedural analysis based on these domains cannot synthesize constraints in the form of universally-quantified formulas as our analysis can. In [25], the authors introduce trace partitioning abstract domains which start from a partition of the set of traces and compute an invariant for each class. The partitioning can be static (usually based on the control structure of the program) or dynamic. From this point of view, the approach in [25] considers mainly statically-defined partitions. The abstract domain in our paper, based on the unfolding/folding operations, can be seen as an instance of a trace partitioning abstract domain with a dynamic partitioning. The corresponding partitioning puts in the same class all the traces for which the number of dereferences of the next pointer field is the same modulo some fixed constant k (which is a parameter of the analysis). The approach in [25] considers mainly numerical abstract domains and does not face the difficulties raised by a compositional analysis on programs manipulating dynamic data structures. The analysis in [11] combines a numerical abstract domain with a shape analysis. It is not restricted by the class of data structures, but it considers only properties related to the shape and to the size of the memory.

9. Conclusion
We have defined an accurate inter-procedural analysis for programs with lists and data. The key contribution of this paper is a technique for combining the analysis in different abstract domains and its use in compositional analysis techniques that are able to infer non-trivial procedure summaries.

The combination mechanism we propose, based on an unfolding/folding technique combined with partial reduction operators, could be applied to other abstract domains than those considered in this paper. In particular, other abstract domains based on first-order formulas, e.g., the one defined in [12], can be used to strengthen the analysis in our domain of universal formulas.

Another interesting aspect of our work is that it allows one to manipulate constraints without requiring decidability, contrary
Application
Reasoning about Composite Data Structures
— using a FO Logic Framework —
joint work with A. Bouajjani, C. Drăgoi, C. Enea
CONCUR’09
Properties of Complex Data Structures
Recall: Heap Graph Model
A Very Expressive Logic
Reachability Predicates
Data Constraints
Properties of Complex Data Structures in gCSL
Satisfiability Problem for gCSL
CSL Fragment
CSL Specifications
Satisfiability of CSL Formulas
Computing Small Models
Checking Data Constraints (1/4)
Checking Data Constraints (2/4)
Checking Data Constraints (3/4)
Checking Data Constraints (4/4)
Decision Procedure: Summary
142 / 149
CSL and Program Verification
143 / 149
Outline
1 Introduction
2 Formal Models and Semantics for IMPR
3 Foundations of Static Analysis by Abstract Interpretation
4 Application: Programs with Lists and Data
5 Application: Decision Procedures by Static Analysis
6 Elements of Inter-procedural Analysis
7 Application: Programs with Lists, Data, and Procedures
8 Extension: Programs with Complex Data Structures
9 Extension: Programs with Inductive Data Structures
144 / 149
Separation Logic for Complex Data Structures
Observation: The limits of specifying complex heap shapes in SL are given by the class of inductive predicates allowed.
However, the classical data structures may be specified. Exercise: Specify the shape of the following data structures:
Binary trees
Doubly linked list segments
Tree with linked leaves
dll(E, L, P, F) ≜ (E = F ∧ L = P ∧ emp) ∨ (E ≠ F ∧ L ≠ P ∧ ∃X. E ↦ {(nxt, X), (prv, P)} ∗ dll(X, L, E, F)) (1)
btree(E) ≜ (E = nil ∧ emp) ∨ (E ≠ nil ∧ ∃X, Y. E ↦ {(lson, X), (rson, Y)} ∗ btree(X) ∗ btree(Y)) (2)
tll(R, P, E, F) ≜ (R = E ∧ R ↦ {(lson, nil), (rson, nil), (parent, P), (nxt, F)}) ∨ (R ≠ E ∧ ∃X, Y, Z. R ↦ {(lson, X), (rson, Y), (parent, P), (nxt, Z)} ∗ tll(X, R, E, Z) ∗ tll(Y, R, Z, F)) (3)
145 / 149
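As an added example (not from the slides or from any of the tools they cite), the following Python script makes definitions (1)-(3) concrete: it decides whether a finite heap satisfies dll, btree or tll by computing the predicate's footprint and checking that separating conjunction holds as disjoint union of footprints. A dangling prv pointer, a sub-tree reachable from two parents, or a cell the predicate does not cover all make the check fail, which is exactly the kind of shape-invariant violation behind memory-safety bugs. The heap encoding (a dict from address to field record), the NIL constant, the helper names and the sample heaps are assumptions constructed for this example.

```python
"""Model checking h ⊨ pred(args) for the inductive predicates dll, btree, tll.

A heap is a dict from cell address (int) to its record of fields.  Each
predicate returns the set of addresses it consumes (its footprint) or None
when it does not hold.  Separating conjunction is enforced by threading the
set of cells already claimed by earlier conjuncts: a cell may be claimed once.
"""
from typing import Dict, FrozenSet, Optional

NIL = 0                                  # nil address (assumption of this model)
Heap = Dict[int, Dict[str, int]]
Footprint = Optional[FrozenSet[int]]     # None means "predicate does not hold"


def _cell(heap: Heap, used: FrozenSet[int], addr: int, *fields: str):
    """The cell at addr if it is allocated, not yet claimed by another conjunct,
    and has exactly the listed fields (the points-to E ↦ {(f, _), ...})."""
    if addr == NIL or addr not in heap or addr in used:
        return None
    cell = heap[addr]
    return cell if set(cell) == set(fields) else None


def dll(heap: Heap, used: FrozenSet[int], E: int, L: int, P: int, F: int) -> Footprint:
    """Definition (1): segment from E to L, first prv is P, last nxt is F."""
    if E == F and L == P:                # base case: empty segment (emp)
        return frozenset()
    if E == F or L == P:                 # neither disjunct of (1) applies
        return None
    cell = _cell(heap, used, E, "nxt", "prv")
    if cell is None or cell["prv"] != P:
        return None
    rest = dll(heap, used | {E}, cell["nxt"], L, E, F)   # ∃X: X is nxt of E
    return None if rest is None else rest | {E}


def btree(heap: Heap, used: FrozenSet[int], E: int) -> Footprint:
    """Definition (2): binary tree rooted at E."""
    if E == NIL:
        return frozenset()
    cell = _cell(heap, used, E, "lson", "rson")
    if cell is None:
        return None
    left = btree(heap, used | {E}, cell["lson"])
    if left is None:
        return None
    right = btree(heap, used | {E} | left, cell["rson"])  # must be disjoint from left
    return None if right is None else left | right | {E}


def tll(heap: Heap, used: FrozenSet[int], R: int, P: int, E: int, F: int) -> Footprint:
    """Definition (3): tree rooted at R with parent P, leftmost leaf E, and the
    last leaf's nxt equal to F; internal nodes store the next leaf to the right."""
    cell = _cell(heap, used, R, "lson", "rson", "parent", "nxt")
    if cell is None or cell["parent"] != P:
        return None
    if R == E:                           # leaf case of (3)
        ok = cell["lson"] == NIL and cell["rson"] == NIL and cell["nxt"] == F
        return frozenset({R}) if ok else None
    X, Y, Z = cell["lson"], cell["rson"], cell["nxt"]
    left = tll(heap, used | {R}, X, R, E, Z)
    if left is None:
        return None
    right = tll(heap, used | {R} | left, Y, R, Z, F)
    return None if right is None else left | right | {R}


def models(heap: Heap, fp: Footprint) -> bool:
    """h ⊨ pred(args) iff the footprint is exactly dom(h): no uncovered cell."""
    return fp is not None and fp == frozenset(heap)


# Constructed sample heaps (addresses are arbitrary small integers).
DLL_OK: Heap = {1: {"nxt": 2, "prv": NIL}, 2: {"nxt": 3, "prv": 1}, 3: {"nxt": NIL, "prv": 2}}
DLL_BAD_PRV: Heap = {1: {"nxt": 2, "prv": NIL}, 2: {"nxt": 3, "prv": NIL}, 3: {"nxt": NIL, "prv": 2}}
DLL_LEAK: Heap = {**DLL_OK, 9: {"nxt": NIL, "prv": NIL}}          # cell 9 not covered
BTREE_OK: Heap = {1: {"lson": 2, "rson": 3}, 2: {"lson": NIL, "rson": NIL}, 3: {"lson": NIL, "rson": NIL}}
BTREE_SHARED: Heap = {1: {"lson": 2, "rson": 2}, 2: {"lson": NIL, "rson": NIL}}  # DAG, not a tree
TLL_OK: Heap = {                                                     # leaves 13 -> 14 -> 12 -> nil
    10: {"lson": 11, "rson": 12, "parent": NIL, "nxt": 12},
    11: {"lson": 13, "rson": 14, "parent": 10, "nxt": 14},
    12: {"lson": NIL, "rson": NIL, "parent": 10, "nxt": NIL},
    13: {"lson": NIL, "rson": NIL, "parent": 11, "nxt": 14},
    14: {"lson": NIL, "rson": NIL, "parent": 11, "nxt": 12},
}


def demo() -> Dict[str, bool]:
    """Evaluate every sample heap; returned as a dict so callers can inspect it."""
    return {
        "dll_ok": models(DLL_OK, dll(DLL_OK, frozenset(), 1, 3, NIL, NIL)),
        "dll_bad_prv": models(DLL_BAD_PRV, dll(DLL_BAD_PRV, frozenset(), 1, 3, NIL, NIL)),
        "dll_leak": models(DLL_LEAK, dll(DLL_LEAK, frozenset(), 1, 3, NIL, NIL)),
        "btree_ok": models(BTREE_OK, btree(BTREE_OK, frozenset(), 1)),
        "btree_shared": models(BTREE_SHARED, btree(BTREE_SHARED, frozenset(), 1)),
        "tll_ok": models(TLL_OK, tll(TLL_OK, frozenset(), 10, NIL, 13, NIL)),
    }


if __name__ == "__main__":
    for name, holds in demo().items():
        print(f"{name}: {'holds' if holds else 'fails'}")
```

The `used` set is what makes the separating conjunction bite: in `BTREE_SHARED` the left sub-tree claims cell 2, so the right conjunct cannot, and the DAG is rejected even though every pointer is well-typed. The final `models` check is the other half of precision: a heap with cells outside the footprint (`DLL_LEAK`) is not a model, which is how a leak shows up in an SL-based analysis.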
Separation Logic for Complex Data Structures
The fragment allowing these specifications has good theoretical properties:
decidability of satisfiability [Brotherston et al, 14]
→ by reduction to boolean equations
decidability of the entailment [Iosif et al, 13]
→ by reduction to MSO on graphs with bounded width
146 / 149
Separation Logic Solvers
Recently, efficient dedicated solvers have been released, e.g.:
Asterix [Perez&Rybalchenko,11]
Cyclist-SL and SAT-SL [Gorogiannis et al,12]
SLEEK [Chin et al, 10]
SLIDE [Iosif et al, 14]
SPEN [Enea,Lengal,S.,Vojnar, 14]
Follow them at the SL-COMP competition:
6 solvers involved (freely available on StarExec)
more than 600 benchmarks
www.liafa.univ-paris-diderot.fr/slcomp
147 / 149
Extensions of Separation Logic
Introducing content and size constraints [Chin et al, 10],[S. et al, 15]
Adding per-field separation to express overlaid data structures [Yang et al, 11], [Enea et al, 13]
[Figure: an overlaid data structure with two entry points, ht and dl, sharing cells; node values shown in the figure: 2, 1, 0, 6, 4, 2, 2, 2, 4]
nllβ(h, nil, nil) ~ lsδ(dl, nil) ∧ β(♦) = δ(♦)
148 / 149
Conclusion of the Part
Shape analysis benefits from Separation Logic compositional reasoning.
Shape analysis may be extended to content and size analysis.
Efficiency is obtained using sound syntax-oriented procedures.
Sound procedures for undecidable logic fragments may be obtained by applying static analysis.
149 / 149