An abstract domain for separation logic
formulae
Élodie-Jane Sims
[email protected]
Polytechnique/KSU
Polytechnique/KSU
Projet APRON
8 novembre 2006
Plan
1. Introduction
2. Separation logic
3. Introduction to the domain : translations logic → the domain
4. About the domain
5. Comparisons
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 1/ 37
✦ Goal: pointer analysis: check dereferencing errors, aliases, ...
✦ BI µν a separation logic which permit easy descriptions of the memory,
e.g.
– x points to a list of [1;2;3]
∃x2, x3. (x ,→ 1, x2) ∗ (x2 ,→ 2, x3) ∗ (x3 ,→ 3, nil)
– x and y are aliased pointers
x = y ∧ ∃x1, x2. (x ,→ x1, x2)
– Partitionning: x and y belong to two disjoints parts of the heap which
have no pointers from one to the other...
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 2/ 37
Example of a pointer program with a bug
x
 {(∃z1, z2. nil ,→ z1, z2)≡ F ALSE}


x : = nil;


{∃z1, z2. x ,→ z1, z2}


z : = x;


{∃z1, z2. z ,→ z1, z2}


y : = z · 1;


{T RU E}
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 3/ 37
Point-to analyses: Shape/alias analyses
– Shape analyses: the analysis build a graph where
– the nodes represent locations in the heap
– the edges represent fields between locations
The analysis usually do approximation (represent more or less nodes/fields
than what is in the heap) and computes some more informations about
the nodes or edges of the graph.
Recent examples : TVLA (Sagiv, Reps, Wilhelm,...), Smallfoot (O’Hearn,
Yang, Berdine, Calcagno, Distefano,...)
– Alias analyses: a point-to analysis which computes sets of variables
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 4/ 37
✦ Goal: pointer analysis: check dereferencing errors, aliases, ...
✦ BI µν a separation logic which permit easy descriptions of the memory,
e.g.
– x points to a list of [1;2;3]
∃x2, x3. (x ,→ 1, x2) ∗ (x2 ,→ 2, x3) ∗ (x3 ,→ 3, nil)
– x and y are aliased pointers
x = y ∧ ∃x1, x2. (x ,→ x1, x2)
– Partitionning: x and y belong to two disjoints parts of the heap which
have no pointers from one to the other...
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 5/ 37
Example for a piece of code inserting a cell in a linked list
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 6/ 37










{(x 7→ 1, y) ∗ (y 7→ 3, nil)}




t : = cons(2, y);








 {(x 7→ 1, y) ∗ (y 7→ 3, nil)∗(t 7→ 2, y)}




x · 2 : = t;









y {(x →
7 1, t) ∗ (t 7→ 2, y) ∗ (y 7→ 3, nil)}
Élodie-Jane Sims
x
y
s
h
1
3 nil
x
t
y
s
h
3 nil
1
x
2
t
y
s
h
1
3 nil
2
An abstract domain for separation logic formulae - p. 7/ 37
Local reasoning
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 8/ 37


x
y

s





3 nil
h 1

(x 7→ 1, y) ∗ (y 7→ 3, nil)


∗(z 7→ 4, y)




t : = cons(2, y);

t
x
y


s



 h 1
3 nil
2

(x 7→ 1, y) ∗ (y 7→ 3, nil)∗(t 7→ 2, y)


∗(z 7→ 4, y)




x · 2 : = t;


t
x
y

s




 h 1
3 nil
2

t)
∗
(t
→
7
2,
y)
∗
(y
→
7
3,
nil)
(x
→
7
1,

yÉlodie-Jane∗(z
Sims 7→ 4, y)
An abstract domain for separation logic formulae - p. 9/ 37
z
4
z
4
z
4
➤ We want to use this logic as an interface language for modular analysis
PSfrag replacements
F
function
D
Call
D0
F0
Analysis 1 → BI µν → Analysis 2
Program → BI µν → Analysis 3
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 10/ 37
We have build an intermediate domain such that:
➤ it is similar to the existing shape/alias analysis domains to allow translations from/to those domains
➤ it comes with a concrete semantics in term of sets of states
which is the same domain as for the formulae’s semantics
➤ we can translate the formulas into our domain
➤ it is a cartesian product of different subdomains so that we can cheaply
tune the precision depending on the needs
➤ the domain is parametrised by a numerical domain
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 11/ 37
Plan
1. Introduction
2. Separation logic
3. Introduction to the domain : translations logic → the domain
4. About the domain
5. Comparisons
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 12/ 37
Domaine of interpretation: State
We have a set of variables V ar.
Val
S
H
State
=
=
=
=
Int ∪ Bool ∪ Atoms ∪ Loc V alues
Var * Val
Stacks
Loc * Val × Val
Heaps
S×H
Rq: stacks can be partial functions
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 13/ 37
The logic: BI µν
Classical
E = E0
| P ⇒Q
connectives
Spatial
| emp
| P ∗Q
connectives
Empty heap
Spatial conj.
Fixpoints
| Xv
| νXv .P
connectives
Variable for formulae | P [E/x]
Greatest fixpoint
| µXv .P
| false
| ∃x.P
| E 7→E1, E2 Points to
| P →∗ Q
Spatial imp.
Posponned substitution
Least fixpoint
Varv = {Xv , Yv , ...} infinite set of variables of formulae
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 14/ 37
Semantic of ∗
Élodie-Jane Sims
ρ
P ∗Q

• dom(h0) ∩ dom(h1) = ∅ 
= s, h0 · h1 • s, h0 ∈ P ρ


• s, h1 ∈ Q ρ


An abstract domain for separation logic formulae - p. 15/ 37
Examples of formulae
Ex. 1
Ex. 2
s = [x → l1 , y → l2]
h1 = [l1 → h3, l2 i]
s = [x → l1, y → l2 ]
h2 = [l2 → h4, l1i]
y
s
replacements
h1
3
|=
y
x
s
s
PSfrag replacements
h2
PSfrag
replacements
4
h1 ·h2
(x 7→ 3, y)
Élodie-Jane Sims
x
s = [x → l1, y → l2 ]
l1 → h3, l2i,
h1 · h 2 =
l2 → h4, l1i
|= (y 7→ 4, x)
3
x
Ex. 3
y
4
|= (x 7→ 3, y)∗(y 7→ 4, x)
6|= (x →
7 3, y)∧(y 7→ 4, x)
An abstract domain for separation logic formulae - p. 16/ 37
Plan
1. Introduction
2. Separation logic
3. Introduction to the domain : translations logic → the domain
4. About the domain
5. Comparisons
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 17/ 37
Ex1
Formulae
Semantics
Translation
Formulae
Translation
Élodie-Jane Sims
x = nil
{s, h | s(x) = nil},...
x
N ilt , , , , , ,
(x
 = nil ∨ x = true)




 x



N ilt
T ruet





, , , , , , 



An abstract domain for separation logic formulae - p. 18/ 37
Ex2
Formula
Constraints
Translation
A∧B
cheap translation of ∧
T (A ∧ B) , T 0(T 0(>, A), B)
> is the empty graph, representing no information
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 19/ 37
Ex3, Ex4
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 20/ 37
Formula
Constraints
Adds
Translation
Formula
Translation
Élodie-Jane Sims
x=y
refine the information for one variables
while also refining the information of the second one
in a cheap way
infinite set of auxiliary variables T V ar
V
AR , V ar ] T V ar



 x


y
α
x
= y ∧ x = nil


 x


y
α


> , , , , , , 





N ilt , , , , , , 


An abstract domain for separation logic formulae - p. 21/ 37
Ex5
Formula
Translation
Formula
Translation
Élodie-Jane Sims
x
= y ∧ x = nil


 x


y
α



N ilt , , , , , , 


(∃x.
 x = y ∧ x = nil) ≡ (y = nil) 





α
y


N ilt , , , , , , 


An abstract domain for separation logic formulae - p. 22/ 37
Ex6
Formula
Translation
Élodie-Jane Sims
(x< y + 3)
 x


 y
α
N umt
β
N umt



, , , , , , d

d ∈ D encodes that α < β + 3
An abstract domain for separation logic formulae - p. 23/ 37
Ex7
Formula
Semantic
Translation
Élodie-Jane Sims
“x is a location not allocated”
{s, h | s(x) ∈ Loc ∧ s(x) 6∈ dom(h)}
x
Dangling Loc , , , , , ,
!
An abstract domain for separation logic formulae - p. 24/ 37
Ex8
Formula
Semantic
Adds
Translation
Élodie-Jane Sims
emp
{s, h | dom(h) = ∅}
HU , P(T V ar)
HO , P(T V ar) ] full
(>, , ∅, , , , )
An abstract domain for separation logic formulae - p. 25/ 37
Ex9
Formula
Semantic
Translation
Formula
Semantic
Translation
Élodie-Jane Sims
(x 7→ true, nil)
{s,
 h|[s(x) → hT rue, nili] = h}
 x



α
1
•
2
T ruet
N ilt
(x ,→ true, nil)
{s,
 h|[s(x) → hT rue, nili] ⊆ h}
 x



α
1
•
2
T ruet
N ilt



, {α}, {α}, , , , 




, {α}, full, , , , 

An abstract domain for separation logic formulae - p. 26/ 37
Ex10
Variables represent at most one value. To allow approximation we
introduce summary nodes which can represent several values.
Formula
Translation
Élodie-Jane Sims
approx.
of (x = true
∧ y= false)
x = true
y = false
by
∧
∨y = true
∨x = false






 x



y
α
T ruet
F alset




, , , {α}, , , 



An abstract domain for separation logic formulae - p. 27/ 37
Ex11: finite acyclic list of T rue starting from x
Formula
Translation
µXv .



 x


(x = nil) ∨ ∃x2.
x ,→ (true, x2) ∗ Xv [x2/x]
∗2
α
•
N ilt
1



T ruet , , , {α}, ∅, , 


∅ is the set of infinite summary nodes, for infinite list µ would be replaced
by ν and ∅ by {α}).
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 28/ 37
Ex12: increase precision of union
Formula
x = nil
∧y = true
α1
Translation
x
∨
x = true
∧y = nil
{†eq }
N ilt
N ilt
{†eq }
α2
α3
{†eq }
T ruet
T ruet
y
α4
{†eq }
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 29/ 37
Plan
1. Introduction
2. Separation logic
3. Introduction to the domain : translations logic → the domain
4. About the domain
5. Translation of ∗
6. Comparisons
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 30/ 37
4
4
α
∩
N umt
y
y
An abstract domain for separation logic formulae - p. 31/ 37
Élodie-Jane Sims
α
x
=
N umt
α
x
We want
4
.
Semantic
V al , Z ] Bool ] nil ] Loc
S
, V ar * V al
H
, Loc * (V al × V al)
State , S × H
Élodie-Jane Sims
V al0 , V al ∪ {ood}
total
S 0 , V ar → V al0
total
F , T V ar → P(V al0)
R , Loc * P(Loc)
M F R , P(S 0 × H × F × R)
An abstract domain for separation logic formulae - p. 32/ 37
∈ AR → P(State)
0
, {s̄, h | s, h, f, r ∈ ar }
·
ar
0
·
(ad, hu, ho, sn, sn∞, t, d)
0
20
∩ sn∞
4
2
4
·
ad
∈ AR → M F R
0
, ad 4 ∩ hu 1 ∩ ho 1 ∩ sn
∩ t 3 ∩ d 7 ∩ sem∗
5
∈ AD → M F R
T
,
v, ad(v)
v∈V AR
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 33/ 37
Operations
– union, intersection
– extension (replace [v → S] by [v → {v 0}|v 0 → S] with a fresh v 0 )
used to tune the precision of the union
– merging (replace [v1 → S1 | v2 → S2] by [v2 → (S1 ∪ S2)])
used with the widening/narrowing
– translations from formulae to the domain
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 34/ 37
Plan
1. Introduction
2. Separation logic
3. Introduction to the domain : translations logic → the domain
4. About the domain
5. Translation of ∗
6. Comparisons
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 35/ 37
Comparisons
1
➤ the •
represent nodes in the usual shape graphs
2
➤ summary nodes as for other shape graphs, seems to give more possibilities
than predicate abstraction (with each time a specific predicate for list,
etc...) but the technics of predicate and their algorithm/heuristics (like
folding/unfolding) could probably also be use on our graphs
➤ a lonely outgoing edge can be seen as a “must” arrow (or valued 1),
several outgoing edges from a variable can be seen as a “may” arrow
(or valued 1/2, but it is a bit more precise because we know that one of
them should exist), and an edge to ∅ can be seen as a “must not” arrow
(or valued 0)
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 36/ 37
➤ we deal with numerical (Magill & al. also do)
➤ we have a formal semantic of our domain, the semantics of auxiliary
variables are formally defined and formally used in the proofs
➤ we don’t have to check for equalities of variables
➤ the domain is a cartesian product, we can add or remove some parts
depending on the precision we want
➤ we directly have in the domain the “Dangling” information which is
suitable for cleaning checking
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 37/ 37
End
Élodie-Jane Sims
An abstract domain for separation logic formulae - p. 38/ 37