osq-20041112-alienexp

Abstract Interpretation with Alien Expressions and Heap Structures
Bor-Yuh Evan Chang
UC Berkeley
K. Rustan M. Leino
Microsoft Research
November 11, 2004
OSQ Meeting

Standard Abstract Interpretation

    y := 8; x := 0;
    while (*) {
      y := y + x;
      x++;
    }

    y ≥ 8        (inferred)

• Can do this inference with the polyhedra abstract domain [CH79]
11/12/2004

Standard Abstract Interpretation

    this.y := 8; this.x := 0;
    while (*) {
      this.y := this.y + this.x;
      this.x++;
    }

    this.y ≥ 8 ?

Goal: Given a base domain that can infer certain kinds of predicates on variables, use it to infer predicates on fields

Achieving the Goal

1. Handling Alien Expressions / Uninterpreted Functions
2. Handling Heap Updates

Abstract Domains

    interface AbstractDomain {
      type Elt
      Constrain   : Elt × Expr → Elt
      Eliminate   : Elt × Var → Elt
      Rename      : Elt × Var × Var → Elt
      ToPredicate : Elt → Expr
      Join        : Elt × Elt → Elt
      AtMost      : Elt × Elt → bool
    }

Fooling the Base Domains

    assume o.f ≥ 8
      → Constrain( sel(H,o,f) ≥ 8 )

    Congruence-Closure Domain / "Name Service":
      sel(H,o,f) ↦ α          (α is a SymbolicValue)
      → Constrain( α ≥ 8 )

    Base Domains (e.g. Polyhedra)

Understandable to the Base Domain

Understands : FunSymbol × Expr[] → bool

Example:  2·x + sel(H,o,f) ≤ |y - z|

    Function symbol   Understood?
    ≤                 Yes
    +                 Yes
    ·                 Yes
    -                 Yes
    sel               No
    | |               No

Step 1: sel(H,o,f) is alien and its arguments H, o, f are plain variables,
        so the whole term gets a symbolic value:   sel(H,o,f) ↦ α
        → 2·x + α ≤ |y - z|

Step 2: | | is alien, but its argument y - z is understandable, so the argument
        gets a symbolic value and the base domain is told the equality:
          β = y - z      Yes (the base domain keeps it)
          |β| ↦ γ        No  (named; invisible to the base domain)
        → 2·x + α ≤ γ

(α, β, γ denote symbolic values.)
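The naming step sketched on the preceding slides, as an added worked example (constructed for this page, not the authors' code). It assumes a tuple encoding of expressions, a hypothetical `polyhedra_understands` predicate standing in for the base domain's Understands, and names symbolic values α, β, γ, … in order of creation; the base domain itself is not implemented, only the constraints it would be asked to Constrain() are collected, and `expand` shows the inverse translation needed when results go back to the client.

```python
# Constructed example (not the authors' code): a "name service" in front of a
# linear-arithmetic base domain.  Expressions are nested tuples
# (symbol, arg1, arg2, ...); leaves are variable names (str) or int constants.
from typing import Any, Callable, Dict, List

Expr = Any


def polyhedra_understands(sym: str, args: List[Expr]) -> bool:
    """Assumed Understands() of a polyhedra-like base domain: linear
    arithmetic and comparisons; '*' only when one operand is a constant."""
    if sym == "*":
        return any(isinstance(a, int) for a in args)
    return sym in {"+", "-", "<=", ">=", "="}


class NameService:
    """Names alien subexpressions with symbolic values (α, β, γ, ...), reusing
    the same name for syntactically equal expressions, and records the
    constraints the base domain is asked to Constrain()."""

    SYMBOLIC = "αβγδεζηθ"

    def __init__(self, understands: Callable[[str, List[Expr]], bool]):
        self.understands = understands
        self.names: Dict[Expr, str] = {}          # expression -> symbolic value
        self.base_constraints: List[Expr] = []    # what the base domain sees, in order

    def _name(self, expr: Expr) -> str:
        """Same expression -> same symbolic value; a fresh one otherwise."""
        if expr not in self.names:
            self.names[expr] = self.SYMBOLIC[len(self.names)]
        return self.names[expr]

    def _translate(self, expr: Expr) -> Expr:
        if not isinstance(expr, tuple):
            return expr                           # variable or constant
        sym, *args = expr
        args = [self._translate(a) for a in args]
        if self.understands(sym, args):
            return (sym, *args)
        # Alien symbol.  An understandable compound argument (e.g. y - z under
        # | |) is named and its defining equality is handed to the base domain,
        # so the arithmetic information about it is not lost.
        named = []
        for a in args:
            if isinstance(a, tuple):
                is_new = a not in self.names
                v = self._name(a)
                if is_new:
                    self.base_constraints.append(("=", v, a))
                named.append(v)
            else:
                named.append(a)
        return self._name((sym, *named))

    def constrain(self, expr: Expr) -> Expr:
        """Client-side Constrain(): returns what the base domain actually receives."""
        translated = self._translate(expr)
        self.base_constraints.append(translated)
        return translated

    def expand(self, expr: Expr) -> Expr:
        """Inverse of naming, used when converting base-domain predicates back
        for the client (cf. ToPredicate)."""
        if isinstance(expr, tuple):
            return (expr[0], *(self.expand(a) for a in expr[1:]))
        by_name = {v: e for e, v in self.names.items()}
        return self.expand(by_name[expr]) if expr in by_name else expr


if __name__ == "__main__":
    ns = NameService(polyhedra_understands)
    e = ("<=", ("+", ("*", 2, "x"), ("sel", "H", "o", "f")), ("abs", ("-", "y", "z")))
    print(ns.constrain(e))                                   # ('<=', ('+', ('*', 2, 'x'), 'α'), 'γ')
    print(ns.base_constraints[0])                            # ('=', 'β', ('-', 'y', 'z'))
    print(ns.constrain((">=", ("sel", "H", "o", "f"), 8)))   # ('>=', 'α', 8): α is reused
    print(ns.expand(ns.base_constraints[1]) == e)            # True
```

The second `constrain` call shows the "same name for syntactically equivalent expressions" rule: `sel(H,o,f)` is already named α, so the base domain sees `α ≥ 8` and can relate it to the earlier constraint.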

Congruence-Closure Domain

• Could always choose new names, but …
  – Should use the same name for syntactically equivalent expressions
  – Even better: same name for known equalities
• Tracks equalities of uninterpreted functions
  – an E-Graph with abstract domain operations
  – symbolic values "name" equivalence classes of expressions
  – implements congruence closure

E-Graph

• w = f(x) ∧ g(x,y) = f(y) ∧ w = h(w)
• A set of mappings:
      w ↦ α        f(β) ↦ α        h(α) ↦ α
      x ↦ β        g(β,γ) ↦ δ
      y ↦ γ        f(γ) ↦ δ
  [Figure: the same mappings drawn as a graph over the symbolic values α, β, γ, δ with edges labeled f, g, h]
• Always congruence-closed

Join

• Join the e-graphs, then join the base domains
• Think of the lattice over conjunctions of equalities (including infinite ones)
• Let G = Join(G0,G1)
      x ↦_G ⟨α',β'⟩          if x ↦_G0 α' and x ↦_G1 β'
      f(⟨α,β⟩) ↦_G ⟨α',β'⟩   if f(α) ↦_G0 α' and f(β) ↦_G1 β'
• Rename distinct pairs to fresh symbolic values

Join

• Complexity: O(n·m)
• Complete? As precise as possible?
  – No, e-graphs do not form a lattice!
        x = y  ⊔  (g(x) = g(y) ∧ x = f(x) ∧ y = f(y))
          = ∧_{i ≥ 0} g(f^i(x)) = g(f^i(y))
  – Only relatively complete [Gulwani et al.]
• Tell base domains about renaming
        ⟨α,β⟩ ↦ γ :   Constrain_B0( α = γ ),  Constrain_B1( β = γ )
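The pairing join from the two Join slides, as an added example (constructed, not the authors' implementation). E-graphs are dicts from terms to symbolic values; fresh values are named v1, v2, … (an assumption of this example), and `join` also returns the renaming equalities each base domain must be told about. The second run reproduces the incompleteness case from the slide: the join of x = y with g(x) = g(y) ∧ x = f(x) ∧ y = f(y) keeps no equality at all, because G0 contains no g- or f-terms to pair with.

```python
# Constructed example (not the authors' implementation): join of two e-graphs
# by pairing symbolic values.  An e-graph maps terms to symbolic values; a term
# is a variable name (str) or a tuple (f, v1, ..., vk) whose arguments are
# symbolic values of that same e-graph.
from itertools import count
from typing import Dict, List, Tuple, Union

Term = Union[str, tuple]
EGraph = Dict[Term, str]


def join(g0: EGraph, g1: EGraph) -> Tuple[EGraph, List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Returns (G, ren0, ren1): the joined e-graph plus the (old value, fresh
    value) equalities that base domains B0 and B1 must be told about, since
    every distinct pair <α,β> is renamed to a fresh symbolic value."""
    pairs: Dict[Tuple[str, str], str] = {}
    fresh = (f"v{i}" for i in count(1))       # assumed naming scheme

    def name(pair: Tuple[str, str]) -> str:
        if pair not in pairs:
            pairs[pair] = next(fresh)
        return pairs[pair]

    g: EGraph = {}
    # x ↦G <α',β'> if x ↦G0 α' and x ↦G1 β'
    for t, a in g0.items():
        if isinstance(t, str) and t in g1:
            g[t] = name((a, g1[t]))
    # f(<α,β>) ↦G <α',β'> if f(α) ↦G0 α' and f(β) ↦G1 β'.  A match can create a
    # pair that enables further matches, so iterate to a fixpoint; each round
    # scans the product of the two term sets, hence O(n·m).
    changed = True
    while changed:
        changed = False
        for t0, a in g0.items():
            if isinstance(t0, str):
                continue
            for t1, b in g1.items():
                if isinstance(t1, str) or t0[0] != t1[0] or len(t0) != len(t1):
                    continue
                arg_pairs = tuple(zip(t0[1:], t1[1:]))
                if not all(p in pairs for p in arg_pairs):
                    continue
                term = (t0[0], *(pairs[p] for p in arg_pairs))
                if term not in g:
                    g[term] = name((a, b))
                    changed = True
    ren0 = [(a, v) for (a, _), v in pairs.items()]
    ren1 = [(b, v) for (_, b), v in pairs.items()]
    return g, ren0, ren1


def show(t: Term) -> str:
    return t if isinstance(t, str) else f"{t[0]}({','.join(t[1:])})"


def classes(g: EGraph) -> Dict[str, List[str]]:
    """Equivalence classes: symbolic value -> sorted list of the terms it names."""
    out: Dict[str, List[str]] = {}
    for t, v in g.items():
        out.setdefault(v, []).append(show(t))
    return {v: sorted(ts) for v, ts in out.items()}


if __name__ == "__main__":
    # G0: w = f(x) ∧ w = f(y)   (x and y not known equal)
    G0 = {"x": "α", "y": "β", "w": "γ", ("f", "α"): "γ", ("f", "β"): "γ"}
    # G1: x = y ∧ w = f(x)      (hence w = f(y) too, by congruence)
    G1 = {"x": "a", "y": "a", "w": "b", ("f", "a"): "b"}
    G, ren0, ren1 = join(G0, G1)
    print(classes(G))   # {'v1': ['x'], 'v2': ['y'], 'v3': ['f(v1)', 'f(v2)', 'w']}
    print(ren1)         # B1 is told a = v1, a = v2, b = v3

    # Slide's incompleteness example: x = y  joined with  g(x)=g(y) ∧ x=f(x) ∧ y=f(y)
    H0 = {"x": "α", "y": "α"}
    H1 = {"x": "a", "y": "b", ("g", "a"): "c", ("g", "b"): "c", ("f", "a"): "a", ("f", "b"): "b"}
    print(classes(join(H0, H1)[0]))   # {'v1': ['x'], 'v2': ['y']}: g(x) = g(y) is lost
```

In the first run the common fact w = f(x) ∧ w = f(y) survives as the class {w, f(v1), f(v2)}, while x = y (true only in G1) is dropped; in the second, nothing beyond the two variables is retained even though g(x) = g(y) holds on both sides.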

So Far We Have …

• Reasoning for uninterpreted functions
• Base domains that work with alien expressions transparently
• What we need for field reads
  – sel is alien to all base domains

Achieving the Goal

1. Handling Alien Expressions / Uninterpreted Functions
2. Handling Heap Updates

Heap Updates

    Java/C#:                if (p.g == 8) { o.f = x; }

    Abstract Interpreter:   assume H[p,g] == 8;
                            H := upd(H,o,f,x);

    sel(upd(H,o,f,e),o',f') = e               if o = o' and f = f'
    sel(upd(H,o,f,e),o',f') = sel(H,o',f')    if o ≠ o' or f ≠ f'

Heap Updates

    Java/C#:                if (p.g == 8) { o.f = x; }

    Abstract Interpreter:   assume H[p,g] == 8;
                            H := H' where H' ≡_{o,f} H and sel(H',o,f) = x

Heap Updates

    Abstract Interpreter:   assume H[p,g] == 8;
                            H := H' where H' ≡_{o,f} H and sel(H',o,f) = x

    Abstract Domain:        Constrain( sel(H,p,g) = 8 )
                            Constrain( H' ≡_{o,f} H )      ← tracked by a new base domain: Heap Succession
                            Constrain( sel(H',o,f) = x )
                            Eliminate( H )
                            Rename( H', H )
                            ToPredicate()

Heap Update Example

Operations issued by the abstract interpreter:
    Constrain( sel(H,p,g) = 8 )
    Constrain( H' ≡_{o,f} H )
    Constrain( sel(H',o,f) = x )
    Eliminate( H )
    Rename( H', H )
    ToPredicate()

State after the three Constrain calls:
    Heap Succession:   H' ≡_{o,f} H
    E-Graph:           sel(H,p,g) ↦ α,   8 ↦ α
                       sel(H',o,f) ↦ β,  x ↦ β
                       (plus a symbolic value for each of H, p, H', g, o, f)

Eliminate( H ):
  1. "Collect Garbage" (H): for each term mentioning H, the e-graph asks the
     other domains "Can you give me an equivalent expression without H?"
       • EquivalentExpr : Queryable × Expr × Var → Expr option
       • Add Equalities
     Heap Succession answers "Yes, use H'": the field g differs from f, so
     sel(H,p,g) = sel(H',p,g), and the e-graph now has   sel(H',p,g) ↦ α.
  2. Eliminate( H ) on Base
  3. ToPredicate() on Base and Convert Expr for Client

Rename( H', H ): the variable H now maps to the symbolic value that H' named,
so the client sees sel(H,p,g) = 8 and sel(H,o,f) = x.
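The whole heap-update sequence above (slides 17 to 24), as an added example that is not the authors' code: the sel/upd axioms, a heap succession domain over H' ≡_{o,f} H facts, and EquivalentExpr used to collect garbage before Eliminate(H). `known_distinct` is an assumed stand-in for disequality knowledge: different field names are distinct, object references are never assumed distinct. The example goes slightly beyond the slide by also showing a fact about p.f, which must be dropped because p may alias o.

```python
# Constructed example (not the authors' implementation) of the heap-update
# machinery: sel/upd axioms, the heap succession domain and garbage collection
# of the old heap variable via EquivalentExpr.
from typing import Dict, List, Optional, Tuple

# Heap terms: ('sel', heap, obj, field) and ('upd', heap, obj, field, value);
# leaves are program variables or constants.
Expr = tuple


def known_distinct(kind: str, a, b) -> bool:
    """Assumed disequality knowledge: two field names are distinct iff they are
    different literals; two object references are never assumed distinct
    (they may alias), which is the conservative choice."""
    return a != b if kind == "field" else False


def select(h, o2, f2):
    """sel(upd(H,o,f,e),o',f') by the two axioms on the Heap Updates slide."""
    if isinstance(h, tuple) and h[0] == "upd":
        _, base, o, f, e = h
        if o == o2 and f == f2:
            return e                                   # same location: the stored value
        if known_distinct("obj", o, o2) or known_distinct("field", f, f2):
            return select(base, o2, f2)                # other location: look past the update
    return ("sel", h, o2, f2)                          # undecided here: keep the term


class HeapSuccession:
    """New base domain: a conjunction of facts H' ≡_{o,f} H (H' agrees with H
    everywhere except possibly at o.f)."""

    def __init__(self) -> None:
        self.facts: List[Tuple[str, str, str, str]] = []   # (new, old, o, f)

    def constrain(self, new: str, old: str, o: str, f: str) -> None:
        self.facts.append((new, old, o, f))

    def equivalent_expr(self, expr: Expr, var: str) -> Optional[Expr]:
        """EquivalentExpr: an expression equal to `expr` that does not mention
        `var`, or None (the 'Expr option' result on the slide)."""
        if not (isinstance(expr, tuple) and expr[0] == "sel" and expr[1] == var):
            return None
        _, _, o2, f2 = expr
        for new, old, o, f in self.facts:
            if old == var and (known_distinct("obj", o, o2) or known_distinct("field", f, f2)):
                return ("sel", new, o2, f2)            # "Yes, use H'"
        return None

    def eliminate(self, var: str) -> None:
        self.facts = [t for t in self.facts if var not in t[:2]]

    def rename(self, old: str, new: str) -> None:
        self.facts = [tuple(new if x == old else x for x in t) for t in self.facts]


def field_update(known: Dict[Expr, object], heap: str, o: str, f: str, rhs,
                 hs: HeapSuccession) -> Dict[Expr, object]:
    """Interpret `o.f = rhs` over known sel-facts {term: value}:
    H := H' where H' ≡_{o,f} H and sel(H',o,f) = rhs, then Eliminate(H) with
    garbage collection, then Rename(H', H)."""
    new = heap + "'"
    hs.constrain(new, heap, o, f)
    facts = dict(known)
    facts[("sel", new, o, f)] = rhs
    survivors: Dict[Expr, object] = {}
    for term, val in facts.items():
        if term[1] == heap:
            term = hs.equivalent_expr(term, heap)      # collect garbage
            if term is None:
                continue                               # no H-free equivalent: fact is lost
        survivors[term] = val
    hs.eliminate(heap)
    hs.rename(new, heap)
    return {("sel", heap) + term[2:]: val for term, val in survivors.items()}


if __name__ == "__main__":
    hs = HeapSuccession()
    before = {("sel", "H", "p", "g"): 8,      # from: assume p.g == 8
              ("sel", "H", "o", "f"): 5,      # overwritten by o.f = x
              ("sel", "H", "p", "f"): 3}      # p may alias o: must be dropped
    print(field_update(before, "H", "o", "f", "x", hs))
    # {('sel', 'H', 'p', 'g'): 8, ('sel', 'H', 'o', 'f'): 'x'}
```

The fact about p.g survives because g ≠ f, exactly the "Yes, use H'" answer on the slide; the facts about o.f (overwritten) and p.f (same field, possibly aliased object) get None from EquivalentExpr and are dropped, which is why the query's result type is an option.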

Related Work

• Join for Uninterpreted Functions [Gulwani, Tiwari, Necula]
• Shape Analysis [many] and TVLA [Sagiv, Reps, Wilhelm, …]

Conclusion

• Extended the power of abstract domains to work with alien expressions using the congruence-closure domain
• Added reasoning about heap updates with the heap succession domain
• Close to having "cooperating abstract interpreters"?
  – missing: propagating back equalities inferred by base domains

Thank you!
Questions? Comments?