An abstract domain for separation logic formulae
Élodie-Jane Sims
Elodie-Jane.Sims@polytechnique.fr
Polytechnique/KSU, Projet APRON, 8 November 2006
Plan
1. Introduction
2. Separation logic
3. Introduction to the domain: translations logic → the domain
4. About the domain
5. Comparisons
Élodie-Jane Sims, An abstract domain for separation logic formulae, p. 1/37
– Goal: pointer analysis: check dereferencing errors, aliases, ...
– BI^µν, a separation logic which permits easy descriptions of the memory, e.g.
  – x points to the list [1; 2; 3]:
    ∃x2, x3. (x → 1, x2) ∗ (x2 → 2, x3) ∗ (x3 → 3, nil)
  – x and y are aliased pointers:
    x = y ∧ ∃x1, x2. (x → x1, x2)
  – Partitioning: x and y belong to two disjoint parts of the heap which have no pointers from one to the other...
Example of a pointer program with a bug
{(∃z1, z2. nil → z1, z2) ≡ FALSE}
x := nil;
{∃z1, z2. x → z1, z2}
z := x;
{∃z1, z2. z → z1, z2}
y := z·1;
{TRUE}
Points-to analyses: shape/alias analyses
– Shape analyses: the analysis builds a graph where
  – the nodes represent locations in the heap
  – the edges represent fields between locations
  The analysis usually approximates (represents more or fewer nodes/fields than there are in the heap) and computes some more information about the nodes or edges of the graph.
  Recent examples: TVLA (Sagiv, Reps, Wilhelm, ...), Smallfoot (O'Hearn, Yang, Berdine, Calcagno, Distefano, ...)
– Alias analyses: a points-to analysis which computes sets of variables
Example for a piece of code inserting a cell in a linked list
[Figure: stack s and heap h drawn before and after each statement]
{(x → 1, y) ∗ (y → 3, nil)}
t := cons(2, y);
{(x → 1, y) ∗ (y → 3, nil) ∗ (t → 2, y)}
x·2 := t;
{(x → 1, t) ∗ (t → 2, y) ∗ (y → 3, nil)}
Local reasoning
[Figure: stack s and heap h drawn before and after each statement]
(x → 1, y) ∗ (y → 3, nil) ∗ (z → 4, y)
t := cons(2, y);
(x → 1, y) ∗ (y → 3, nil) ∗ (t → 2, y) ∗ (z → 4, y)
x·2 := t;
(x → 1, t) ∗ (t → 2, y) ∗ (y → 3, nil) ∗ (z → 4, y)
® We want to use this logic as an interface language for modular analysis
[Figure: labels F (function) and D (call)]
Analysis 1 → BI^µν → Analysis 2
Program → BI^µν → Analysis 3
We have built an intermediate domain such that:
® it is similar to the existing shape/alias analysis domains, to allow translations from/to those domains
® it comes with a concrete semantics in terms of sets of states, which is the same domain as for the formulae's semantics
® we can translate the formulae into our domain
® it is a Cartesian product of different subdomains, so that we can cheaply tune the precision depending on the needs
® the domain is parametrised by a numerical domain
2. Separation logic
Domain of interpretation: State
We have a set of variables Var.
Val = Int ∪ Bool ∪ Atoms ∪ Loc   (Values)
S = Var ⇀ Val   (Stacks)
H = Loc ⇀ Val × Val   (Heaps)
State = S × H
Remark: stacks can be partial functions
The logic: BI^µν
Classical connectives
  E = E | false | P ⇒ Q | ∃x. P
Spatial connectives
  | emp   (empty heap)   | E → E1, E2   (points to)
  | P ∗ Q   (spatial conjunction)   | P −∗ Q   (spatial implication)
Fixpoint connectives
  | Xv   (variable for formulae)   | P[E/x]   (postponed substitution)
  | νXv. P   (greatest fixpoint)   | µXv. P   (least fixpoint)
Varv = {Xv, Yv, ...}: infinite set of variables of formulae
Semantics of ∗
⟦P ∗ Q⟧ρ = { (s, h0 · h1) | dom(h0) ∩ dom(h1) = ∅ ∧ (s, h0) ∈ ⟦P⟧ρ ∧ (s, h1) ∈ ⟦Q⟧ρ }
Examples of formulae
Ex. 1: s = [x → l1, y → l2], h1 = [l1 → 3, l2]
       (s, h1) |= (x → 3, y)
Ex. 2: s = [x → l1, y → l2], h2 = [l2 → 4, l1]
       (s, h2) |= (y → 4, x)
Ex. 3: s = [x → l1, y → l2], h1 · h2 = [l1 → 3, l2 ; l2 → 4, l1]
       (s, h1 · h2) |= (x → 3, y) ∗ (y → 4, x)
       (s, h1 · h2) ⊭ (x → 3, y) ∧ (y → 4, x)
[Figure: the three stack/heap pairs drawn as graphs]
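A small executable model of the semantics above, added here as an example and not part of the slides: states are the (s, h) pairs of the deck, points-to is exact as in Ex9 (h must be precisely the one cell), and ∗ is decided by trying every split of the heap into two disjoint parts. The tuple encoding of connectives ('pt', 'star', ...), the finite witness set for ∃ and the sample stacks/heaps are this example's own constructions.

```python
from itertools import combinations

NIL = "nil"

def value(term, s):
    # A term is a variable (looked up in the stack s) or a literal value.
    return s[term] if isinstance(term, str) and term in s else term

def holds(phi, s, h):
    """Decide (s, h) |= phi for the spatial fragment: emp, exact points-to,
    equality, and, or, * and a bounded exists. h maps locations to pairs."""
    tag = phi[0]
    if tag == "emp":                      # Ex8: dom(h) is empty
        return len(h) == 0
    if tag == "pt":                       # E -> E1, E2 with the exact semantics of Ex9 ("= h")
        _, e, e1, e2 = phi
        loc = value(e, s)
        return loc != NIL and h == {loc: (value(e1, s), value(e2, s))}
    if tag == "eq":
        return value(phi[1], s) == value(phi[2], s)
    if tag == "and":
        return holds(phi[1], s, h) and holds(phi[2], s, h)
    if tag == "or":
        return holds(phi[1], s, h) or holds(phi[2], s, h)
    if tag == "star":                     # P * Q: some split h = h0 . h1 with disjoint domains
        locs = list(h)
        for k in range(len(locs) + 1):
            for left in combinations(locs, k):
                h0 = {l: h[l] for l in left}
                h1 = {l: h[l] for l in locs if l not in left}
                if holds(phi[1], s, h0) and holds(phi[2], s, h1):
                    return True
        return False
    if tag == "exists":                   # exists x. P, witnesses drawn from a finite candidate set
        _, x, body, candidates = phi
        return any(holds(body, {**s, x: v}, h) for v in candidates)
    raise ValueError(f"unknown connective {tag!r}")

# Constructed data: Ex. 1-3 of the slides, s = [x -> l1, y -> l2],
# h1 = [l1 -> 3, l2], h2 = [l2 -> 4, l1], and h1.h2 their disjoint union.
S = {"x": "l1", "y": "l2"}
H1 = {"l1": (3, "l2")}
H2 = {"l2": (4, "l1")}
H12 = {**H1, **H2}
PT_X = ("pt", "x", 3, "y")
PT_Y = ("pt", "y", 4, "x")

def nil_deref_is_false(candidates=("l1", "l2", 3, NIL)):
    """The buggy program's precondition: after x := nil no heap satisfies
    exists z1, z2. x -> z1, z2, so the assertion is equivalent to FALSE."""
    phi = ("exists", "z1", ("exists", "z2", ("pt", "x", "z1", "z2"), candidates), candidates)
    return not any(holds(phi, {"x": NIL}, h) for h in (H1, H2, H12, {}))
```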
3. Introduction to the domain: translations logic → the domain
Ex1
Formula: x = nil
Semantics: {s, h | s(x) = nil}, ...
Translation: ([x → Nilt], _, _, _, _, _, _)
Formula: (x = nil ∨ x = true)
Translation: ([x → {Nilt, Truet}], _, _, _, _, _, _)
(a component written _ is left empty and carries no information)
Ex2
Formula: A ∧ B
Constraints: cheap translation of ∧
Translation: T(A ∧ B) = T(T(_, A), B)
_ is the empty graph, representing no information
Ex3, Ex4
Formula: x = y
Constraints: refine the information for one variable while also refining the information of the second one, in a cheap way
Adds an infinite set of auxiliary variables TVar; VAR = Var ∪ TVar
Translation: ([x → α, y → α], _, _, _, _, _, _)
Formula: x = y ∧ x = nil
Translation: ([x → α, y → α, α → Nilt], _, _, _, _, _, _)
Ex5
Formula: x = y ∧ x = nil
Translation: ([x → α, y → α, α → Nilt], _, _, _, _, _, _)
Formula: (∃x. x = y ∧ x = nil) ≡ (y = nil)
Translation: ([y → α, α → Nilt], _, _, _, _, _, _)
Ex6
Formula: (x < y + 3)
Translation: ([x → α, y → β, α → Numt, β → Numt], _, _, _, _, _, d)
d ∈ D encodes that α < β + 3
Ex7
Formula: “x is a location not allocated”
Semantics: {s, h | s(x) ∈ Loc ∧ s(x) ∉ dom(h)}
Translation: ([x → DanglingLoc], _, _, _, _, _, _)
Ex8
Formula: emp
Semantics: {s, h | dom(h) = ∅}
Adds HU ∈ P(TVar) and HO ∈ P(TVar) ∪ {full}
Translation: (_, _, ∅, _, _, _, _)
Ex9
Formula: (x → true, nil)
Semantics: {s, h | [s(x) → True, nil] = h}
Translation: ([x → α, α → •[1: Truet, 2: Nilt]], {α}, {α}, _, _, _, _)
Formula: (x → true, nil)
Semantics: {s, h | [s(x) → True, nil] ⊆ h}
Translation: ([x → α, α → •[1: Truet, 2: Nilt]], {α}, full, _, _, _, _)
Ex10
Variables represent at most one value. To allow approximation we introduce summary nodes, which can represent several values.
Formula: approximation of (x = true ∧ y = false) by (x = true ∨ x = false) ∧ (y = false ∨ y = true)
Translation: ([x → α, y → α, α → {Truet, Falset}], _, _, {α}, _, _, _)
Ex11: finite acyclic list of True starting from x
Formula: µXv. (x = nil) ∨ ∃x2. x → (true, x2) ∗ Xv[x2/x]
Translation: ([x → α, α → {Nilt, •[1: Truet, 2: α]}], _, _, {α}, ∅, _, _)
∅ is the set of infinite summary nodes; for an infinite list, µ would be replaced by ν and ∅ by {α}.
Ex12: increase precision of union
Formula: (x = nil ∧ y = true) ∨ (x = true ∧ y = nil)
Translation: [Figure: x → α1 → Nilt, x → α2 → Truet, y → α3 → Nilt, y → α4 → Truet, with edges labelled {†eq} between the α nodes]
Plan
1. Introduction
2. Separation logic
3. Introduction to the domain: translations logic → the domain
4. About the domain
5. Translation of ∗
6. Comparisons
We want ⟦[x → α, y → α, α → Numt]⟧⁴ = ⟦[x → α, y → α]⟧⁴ ∩ ⟦[α → Numt]⟧⁴.
Semantics
Val = Z ∪ Bool ∪ {nil} ∪ Loc      Val′ = Val ∪ {ood}
S = Var ⇀ Val                     S′ = Var → Val′ (total)
H = Loc ⇀ (Val × Val)             F = TVar → P(Val′) (total)
                                  R = Loc ⇀ P(Loc)
State = S × H                     MFR = P(S × H × F × R)
⟦·⟧ ∈ AR → P(State)
⟦ar⟧ = { (s̄, h) | (s, h, f, r) ∈ ⟦ar⟧′ }
⟦·⟧′ ∈ AR → MFR
⟦(ad, hu, ho, sn, sn∞, t, d)⟧′ = ⟦ad⟧⁴ ∩ ⟦hu⟧¹ ∩ ⟦ho⟧¹ ∩ ⟦sn⟧² ∩ ⟦sn∞⟧² ∩ ⟦t⟧³ ∩ ⟦d⟧⁷ ∩ sem∗
⟦·⟧⁴ ∈ AD → MFR
⟦ad⟧⁴ = ⋂_{v ∈ VAR} ⟦v, ad(v)⟧⁵
Operations
– union, intersection
– extension (replace [v → S] by [v → {v′} | v′ → S] with a fresh v′), used to tune the precision of the union
– merging (replace [v1 → S1 | v2 → S2] by [v2 → (S1 ∪ S2)]), used with the widening/narrowing
– translations from formulae to the domain
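An added example (not the deck's own code) of the operations listed above on the ad component, modelled here as a map from program/auxiliary variables to sets of targets (auxiliary variables or abstract values such as Nilt). It checks the map-level counterpart of the property wanted earlier, [x → α, y → α, α → Numt] = [x → α, y → α] ∩ [α → Numt], and shows why Ex12 applies extension before a union. The fresh-name scheme (alpha1, alpha2, ...) and the redirection of edges into v1 during merging are assumptions of this example.

```python
from itertools import count

_counter = count(1)

def fresh():
    # Assumed naming scheme for fresh auxiliary variables: alpha1, alpha2, ...
    return f"alpha{next(_counter)}"

def union(ad1, ad2):
    """Pointwise union. Auxiliary variables are private to the side that created
    them, so an entry present on one side only is kept as it is; program
    variables are assumed to be present on both sides."""
    return {v: ad1.get(v, set()) | ad2.get(v, set()) for v in ad1.keys() | ad2.keys()}

def intersection(ad1, ad2):
    """Pointwise intersection; a variable missing from one side is unconstrained
    there, so the other side's set is taken unchanged."""
    out = {v: set(t) for v, t in ad1.items()}
    for v, t in ad2.items():
        out[v] = out[v] & t if v in out else set(t)
    return out

def extension(ad, v):
    """Replace [v -> S] by [v -> {v'} | v' -> S] with a fresh v'."""
    v_new = fresh()
    out = {u: set(t) for u, t in ad.items()}
    out[v_new] = set(ad[v])
    out[v] = {v_new}
    return out

def merging(ad, v1, v2):
    """Replace [v1 -> S1 | v2 -> S2] by [v2 -> S1 U S2]. Edges that pointed to v1
    are redirected to v2 (an assumption of this example)."""
    out = {u: {v2 if t == v1 else t for t in targets} for u, targets in ad.items() if u != v1}
    out[v2] = set(ad.get(v1, set())) | set(ad.get(v2, set()))
    return out

# Constructed Ex12 input: the disjuncts (x = nil /\ y = true) and (x = true /\ y = nil)
BRANCH_A = {"x": {"Nilt"}, "y": {"Truet"}}
BRANCH_B = {"x": {"Truet"}, "y": {"Nilt"}}

def naive_union():
    """Direct union: x and y each become {Nilt, Truet}; which value goes with which is lost."""
    return union(BRANCH_A, BRANCH_B)

def extended_union():
    """Extend x and y on both sides first: each disjunct keeps its own auxiliary
    nodes, which the {†eq} relation of Ex12 can then pair up (that relation lives
    in another component of the tuple and is not modelled here)."""
    a, b = BRANCH_A, BRANCH_B
    for v in ("x", "y"):
        a, b = extension(a, v), extension(b, v)
    return union(a, b)
```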
Comparisons
® the • nodes (with their fields 1 and 2) represent the nodes of the usual shape graphs
® summary nodes, as in other shape graphs, seem to give more possibilities than predicate abstraction (where each time a specific predicate for lists, etc., is needed), but the techniques of predicate abstraction and their algorithms/heuristics (like folding/unfolding) could probably also be used on our graphs
® a single outgoing edge can be seen as a “must” arrow (or valued 1); several outgoing edges from a variable can be seen as a “may” arrow (or valued 1/2, but it is a bit more precise because we know that one of them must exist); and an edge to ∅ can be seen as a “must not” arrow (or valued 0)
® we deal with numerical values (Magill et al. also do)
® we have a formal semantics of our domain; the semantics of auxiliary variables is formally defined and formally used in the proofs
® we don't have to check for equalities of variables
® the domain is a Cartesian product: we can add or remove some parts depending on the precision we want
® we directly have in the domain the “Dangling” information, which is suitable for checking cleaning
End