Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists
description
Transcript of Quantified Data Automata on Skinny Trees: an Abstract Domain for Lists
Quantified Data Automata on Skinny Trees:an Abstract Domain for Lists
Pranav Garg1, P. Madhusudan1 and Gennaro Parlato2
1University of Illinois at Urbana-Champaign2University of Southampton, UK
2
Automatic Shapes Static analysis of heap structures
- heaps with a single pointer field Properties: Universally Quantified properties over
heap + data Introduce Automatic Shapes
- abstract domain of automata
Automata are classical ways to capture infinite sets of objects using finite means.
Aim:- Represent properties of the data stored in the heap.- Build automata that can express universally quantified properties
3
Universally Quantified Properties on Lists
5 7 8 9
head
4 2 9 1
head
2 1less
4 9more
fold-split(key) splits input list into two lists.
List pointed to by head is sorted))()(.( 212
*1
*21 ydataydatayyheadyy nextnext
)))(())(.(( 11*
11*
1 keyydataymorekeyydataylessy nextnext
Abstract analysis of heap is hard- unbounded size of the heap- unbounded data stored in the heap
4
Heap Configurations and Skinny Trees
Restrict to heaps with a single pointer field (acyclic). Let P: the program’s pointer variables
- Heap configuration skinny trees labeled by P
k- skinny tree has at most k- branching points. Heap configurations are k- skinny trees (k = number
of pointer vars.)
1 975
head1
2
63 4head2
$nil
41head3 8
5
Quantified Data Automata Extends Quantified Data Automata over lists
[CAV’13] QDAs logically define universally quantified
properties of lists
Example:
)),(),(.(/\ ypDataypGuardy iii
))()(.( 212*
1*
21 ydataydatayyheadyy nextnext
6
Quantified Data AutomataFix P – program pointer variablesFix Y – set of quantified variablesFix F – data domain which forms a lattice
QDA over skinny trees:- reads a tree annotated with pointers P and Y- checks whether data stored at these positions satisfy a data property
QDA accepts a tree T with pointers P if it accepts all possible extensions of T with valuations for Y.
head y1 y2 data(y1) <= data(y2)
))()(.( 212*
1*
21 ydataydatayyheadyy nextnext
7
Valuation Trees Valuation tree = Skinny tree over P + valuation for Y
Skinny Tree
ValuationTrees
Universal Quantification QDA accepts a skinny tree iff it accepts ALL corresponding valuation trees.
1 975head1
2
63 4head2
$nil
1 975head1
2
63 4head2
$nil
y1
y2
1 975head1
2
63 4head2
$nily1
y2
8
Quantified Data Automata Bottom-up, deterministic, register automata over trees
- each state labeled with a data formula f For a valuation tree, QDA reads ptr. and univ. vars. and
stores the data values in the register reg.
At the final state, QDA checks if these data values satisfy the formula labeling the state.- reg satisfies f(q) Accepts the valuation tree- reg does not satisfy f(q) Rejects the valuation tree
1 975head1
2
63 4head2
$nil
y1
y2
1 975head1
2
63 4head2
$nil
y1
y2 head1 5head2 3y1 4y2 7nil $
reg:
f(q) = data(y1) < data(y2)
10
Formula Tree = (Valuation Tree \ data) paired with a data formula
- complete separation of the structure of the heap and its data
Define
Lf (A) = Language of formula trees accepted by A
Formula Tree
, data(y1) < data(y2)
head1
head2
nily1
y2
11
QDAs as a Partial Order Natural Partial Order -- set inclusion over the
language of QDAs- not closed under disjunctions
Alternate partial order: if such that and
- Least upper bound associates every tree to- Infinite sets of QDAs might not have a least upper bound. Hence do not form a complete lattice.
21 AA )(),( 11 ALdft f
)(.. yyy
21 dfdf )(),( 22 ALdft f 21 dfdf
t
12
Elastic QDAs Require a notion of widening for analysis of loops
- Ignore lengths of stretches of the heap not pointed by variables.
QDA:
head nily1
head nily1
211 ),( qbq 21 qq -Restriction: All transitions on blank symbols must be self-loops
head y1
head y1
Elastic QDA:
13
Theorems about EQDAs1. Number of states in a minimal EQDA is bounded
- Finite number of EQDAs modulo the data formulas- widening proc. for EQDAs given widening for data formulas.
2. For every QDA, there is a most-precise over-approximating EQDA (in terms of their accepting languages) elastification
EQDAs form a complete lattice abstract domain
3. EQDAs correspond to decidable STRAND logic [POPL’11] over lists. - Abstract interpretation using EQDAs can be used for checking STRAND assertions.
14
Abstract transformer over EQDAs Strongest post condition involves existential
quantification of the pre-state + constraining post-state acc. to the semantics of the stmt.
Example: strongest-post( ) =
These precise post-conditions are not
expressible by QDAs. Over-approximate the post-condition to:
- eliminate existential quantifier via quantifier elimination for the structure (Guard) using automata, and data-formulas (Data) separately.
/\ Guard => Datajiy ppAy :,.
jiiifi ppppAyp ]'/[.'.
**
jiiifi ppppApy ]'/['..
15
Abstract transformer over EQDAsPointer Assignment statement pi := pj
Similar abstract transformer for structure manipulating statements:Pointer Lookup pi := pj .nextPointer Mutate pi .next := pj
Allocate new pi
…
pi
pj
pi := pj
)()(]/)([.
ji
i
pdatapdatadpdatad
pi
pj
b, pi
Api := pj 'A
16
Abstract transformer over EQDAsData Assignment statement pi .data := data_exp
Slightly more involved: - Also account for all variables which point to the same node as pi
pi
pi .data := data_exp
pi
]/)([.( dpdatad i])/)(exp[_)( dpdatadatapdata ii
17
Abstract transformer over EQDAs
A’ might not be elastic.
Use the most-precise over-approximation result to get an EQDA.
- defines the actual abstract transformer over EQDAs
Fix-point computation of the abstract semantics terminates
- widening for the data domain
Astmt
'A ''Aelastification
EQDA EQDA QDA
18
Experiments Simple programming language consisting of heap
allocation, pointer assignment, pointer lookup, pointer mutate, …
Given a STRAND formula as pre-condition, construct the corresponding EQDA.
Compute the abstract semantics of the program over EQDAs using the abstract transformer.
Fix-point EQDAs are translated to decidable STRAND formulas over lists to verify program assertions, post-conditions.
- Instantiate data-formulas with the octagonal domain (using Apron).
- Prototype implementation available at http://web.engr.illinois.edu/~garg11/qsdas.html
19
ExperimentsPrograms #PV #Y #DV Property #Iter. Max. size of QSDA Time (s)
INIT 2 1 1 Init, List 4 19 0.0
MAX 2 1 1 Max, List 4 19 0.1
CLONE 4 1 1 Init, List 4 44 0.7
FOLD-CLONE 5 1 1 Init, List 5 57 3.2
COPY-GE5 4 1 0 Gek, List 9 53 2.6
FOLD-SPLIT 3 1 1 Gek, List 4 33 0.3
CONCAT 4 1 1 Init, List 5 44 0.7
SORTED-FIND 2 2 2 Sort, List 5 38 0.3
SORTED-INSERT 4 2 1 Sort, List 6 163 5.8
BUBBLE-SORT 4 2 1 Sort, List 5/18 191 42.8
SORTED-REVERSE 3 2 0 Sort, List 5 43 1.5
EXPRESSOS-LOOKUP-PREV 3 2 1 Sort, List 6 73 2.2
GSLIST-CUSTOM-FIND 3 1 1 Gek, List 4 29 0.1
GSLIST-REMOVE-ALL 5 1 1 Gek, List 5 51 0.6
GSLIST-INSERT-SORTED 5 2 1 Sort, List 6 279 27.4
20
Related Work (Shape Analysis) Merges nodes that satisfy the same predicates
- unary + instrumentation predicates Instrumentation predicates provided by the user
- often complex,- very particular to the program being verified
Example: sub-list before pointer i is sorted, that is
- instrumentation predicate required
Clearly,- s(x) too dependent on the property being verified- complex (writing binary property as a unary
predicate)
))()().((, ** ydataxdataiyyxyx nextnext
))()().(()( ** ydataxdataiyyxyxs nextnext
21
Conclusion Automatic Shapes – an abstract domain of automata
- can express universally quantified properties of lists- can prove these properties precisely and efficiently
Future Work Extensions to trees to capture universally quantified
properties like binary-search-tree, max-heap, … Extensions to general graphs using graph
automatons.Thank You !