What's so hard about pointers? Reasoning about Pointer-based Data Structures
Scott McPeak, CS 294-3, 1/21/04

Slide 2: Indirect access begs the aliasing question
- Consider the axiom for memory: i ≠ j ⟹ sel(upd(m, i, v), j) = sel(m, j)
- We need to be able to conclude the disequality i ≠ j (i.e., perform a strong update); otherwise every write invalidates all previous information about memory

Slide 3: Traditional Alias Analysis
- Each allocation site is an object
- The analysis finds, for each variable, the set of objects it might point to (a conservative dataflow analysis)
- This is too imprecise: the cells of a data structure are typically conflated, and each struct field is (usually) a single variable

Slide 4: Language of Pointer Equalities
- Claim: we can adequately characterize data structures with sets of axioms of the form ∀p. p.a.b.c = p.r.s.t
- A, B, C, etc. are unary function symbols; p.a means A(p); think p->a or p.a
- Any number of symbols on each side (in principle)

Slide 5: Example: Doubly-linked List
- ∀p. p.a.b = p
- Says that a is injective, and b is its inverse

Slide 6: Example: Labeled List
- ∀p. p.a.label = p.label
- The label is transitively spread throughout the structure
Slide 7: Example: Grid
- ∀p. p.a.f = p.f.a  [diagram: a grid whose nodes are linked by a-edges and f-edges]
- f is an isomorphism (it commutes with a)

Slide 8: Problem: Undecidable Theories
- The language includes axiom sets with undecidable theories (sets of consequences)
- Consider a rule such as ∀p. p.a.b.c = p.r.s.t
- It creates equivalence classes of strings: xyz.abc.ijk ≡ xyz.rst.ijk, i.e. a string rewriting (semi-Thue) system

Slide 9: Turing Machine Encoding
- Use the following function symbols: A, B (tape symbols); S_i (read/write head location, in state i); E (tape end, expandable); C (accepting consumer)
- Example tape in state i: x.a.a.a.s_i.….e, where the symbol just after s_i is the one being read (the symbols after the head did not survive extraction)
- In state 4, when reading B: write A, move left, go to state 7: ∀p. p.a.s_4.b = p.s_7.a.a
- In state 6, when reading B: accept: ∀p. p.s_6.b = p.c
- Expand the tape (adding A's): ∀p. p.e = p.a.e
- Collapse everything to just C: ∀p. p.c.a = p.c

Slide 10: To Prove a Theory Decidable
- Give matching rules (i.e., say when to instantiate the axioms)
- Show that matching/completion terminates
- Show that all equalities among a given finite set of terms are discovered (E-DAG expansion argument)

Slide 11: Example: Injectivity
- ∀p. p.a.b = p; match on p.a
- [diagram: term DAG with x, x.a and the instantiated node x.a.b merged with x]

Slide 12: Example: Transitivity
- ∀p. p.a.b = p.b; match on p.a and p.b
- [diagram: term DAG with x, x.a, x.b and the instantiated node x.a.b merged with x.b]
Slide 13: Counterexample: Inj+Trans
- ∀p. p.a.b = p together with two further axioms of the same shape (their letters did not survive extraction), and a term DAG in which an equality holds that the combined matching rules never discover

Slide 14: Example: Grid
- ∀p. p.a.b = p.b.a
- Is it complete? Exercise! Either:
  - find a counterexample, or
  - convince yourself it is complete

Slide 15: Extension to Conditionals
- Usually, we need special cases: ∀p. p.a ≠ NULL ⟹ p.a.b = p

Slide 16: Matching with Conditionals
- In general the axiom is a disjunction, e.g. ∀p. p.a = NULL ∨ p.a.b = p
- Claim: the matching rule for a disjunction is the intersection of the disjuncts' matching rules
- Proof sketch: if some disjunct's rule is not satisfied, that disjunct could be true but irrelevant, so the instance is not needed

Slide 17: A Short Proof
- [proof tree: invariant and premise above the goal; instantiate; split cases; both branches close by contradiction]

Slide 18: Example: Binary Tree
- [diagram]
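The matching rules of slides 10 through 14 can be run as a small congruence-closure loop: keep a union-find over the terms seen so far, propagate congruence (s ~ t implies s.f ~ t.f), and instantiate an axiom at every p whose trigger terms are present. The following is an added example, not code from the lecture; terms are strings over base variables and the field symbols a and b as on the slides, and the trigger encoding (a tuple of paths that must already exist), the depth bound max_depth that stands in for a real termination argument, and the helper names are this example's own choices. It replays slide 11 (from x.a = y.a the injectivity axiom gives x = y) and slide 12 (the label b spreads down an a-chain).

```python
"""Congruence closure over pointer-field terms with axiom instantiation driven
by matching rules (added example, not the lecture's own code).  A term is a
base variable followed by a path of unary field symbols, written as on the
slides: "x.a.b" means B(A(x))."""

FIELDS = ("a", "b")


def ext(term, path):
    """Apply a field path to a term; the empty path denotes the term itself."""
    return term if not path else term + "." + path


class EGraph:
    def __init__(self, terms=()):
        self.parent = {}                       # union-find over term strings
        for t in terms:
            self.add(t)

    def add(self, term):
        """Register a term together with every prefix (x.a.b brings in x and x.a)."""
        parts = term.split(".")
        for i in range(1, len(parts) + 1):
            prefix = ".".join(parts[:i])
            self.parent.setdefault(prefix, prefix)
        return term

    def find(self, t):
        while self.parent[t] != t:
            self.parent[t] = self.parent[self.parent[t]]   # path halving
            t = self.parent[t]
        return t

    def union(self, s, t):
        rs, rt = self.find(s), self.find(t)
        if rs == rt:
            return False
        self.parent[rs] = rt
        return True

    def equal(self, s, t):
        return self.find(s) == self.find(t)

    def close(self, axioms, max_depth):
        """Alternate congruence propagation and axiom instantiation to a fixpoint.
        An axiom is (triggers, lhs, rhs) for  forall p. p.lhs = p.rhs,  instantiated
        at every p whose trigger terms are present.  max_depth bounds term length so
        the loop terminates; it stands in for the termination argument the slides
        require of real matching rules."""
        changed = True
        while changed:
            changed = False
            nodes = sorted(self.parent)
            for s in nodes:                    # congruence: s ~ t  implies  s.f ~ t.f
                for t in nodes:
                    if s < t and self.equal(s, t):
                        for f in FIELDS:
                            if ext(s, f) in self.parent and ext(t, f) in self.parent:
                                changed |= self.union(ext(s, f), ext(t, f))
            for triggers, lhs, rhs in axioms:  # matching: instantiate where triggers exist
                for p in nodes:
                    fits = p.count(".") + lhs.count(".") + 1 <= max_depth
                    if fits and all(ext(p, tr) in self.parent for tr in triggers):
                        changed |= self.union(self.add(ext(p, lhs)), self.add(ext(p, rhs)))
        return self


# Axioms from the slides, each paired with its matching rule (trigger paths).
INJECTIVE = (("a",), "a.b", "")          # forall p. p.a.b = p      matched on p.a
TRANSITIVE = (("a", "b"), "a.b", "b")    # forall p. p.a.b = p.b    matched on p.a and p.b


def injectivity_demo():
    """From x.a = y.a the axiom yields x.a.b = x and y.a.b = y; congruence then gives x = y."""
    g = EGraph(["x.a", "y.a"])
    g.union("x.a", "y.a")                  # hypothesis
    g.close([INJECTIVE], max_depth=3)
    return g.equal("x", "y"), g.equal("x.a.b", "x")


def transitivity_demo():
    """The label b of the head is spread down a two-link a-chain: x.a.a.b = x.b."""
    g = EGraph(["x.a.a", "x.b"])
    g.close([TRANSITIVE], max_depth=4)
    return g.equal("x.a.a.b", "x.b")


if __name__ == "__main__":
    print("injectivity:", injectivity_demo())
    print("transitivity:", transitivity_demo())
```

Without the axiom the same hypothesis x.a = y.a yields nothing about x and y, which is exactly the gap the matching rule fills; the depth bound is what keeps instantiation from running forever on the Turing-machine axioms of slide 9.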
Slide 19: Example: Red-black Tree
- [diagram]

Slide 20: Example: Linked Leaves
- [diagram]

Reasoning About Pointer-based Data Structures (Part 2)
Scott McPeak, CS 294-3, 1/26/04

Slide 22: Outline
- First half: a survey of approaches
  - Axiomatize transitive closure (Nelson)
  - Use graph grammars (Shape Types)
  - Abstract interpretation (TVLA)
  - Proving via semantic transformation (PALE)
- Second half: how PALE works

Slide 23: General Themes
- Need a language to describe data structures. Spectrum of precision: no info about the heap; alias analysis; "want to be here"; concrete heaps only
- Need a reasoning engine for that language
- Key question: what is done with transitive closure?

Slide 24: Nelson's Reachability (POPL 83)
- Everything revolves around one predicate: u reaches v along some number n of f-links without passing through x  [diagram: u –f→ … –f→ v, avoiding x]
Slide 25: Derived Axioms
- [a list of axioms over the reachability predicate, relating u, f(u), v, w, x, y, z; the formulas did not survive extraction]

Slide 26: Complete?
- Sufficient to verify Union-find, where the equivalence classes are circular lists
- Otherwise, little is known
- My experience: even if complete, hard to use automatically

Slide 27: Shape Types [Fradet/Le Métayer 97]
- The heap is a set of objects plus relations: unary relations are program variables; binary relations are pointers among objects
- Graph grammars constrain the legal heaps: generative rules for building heaps

Slide 28: Example: Doubly-linked List
- A concrete heap: head = {…}; next = {(…,…), (…,…), (…,…)}; prev = {(…,…), (…,…), (…,…)} (the object names did not survive extraction; the two pointer relations are written next/prev here)
- Grammar:
  Doubly ⇒ head x, prev x …, Expand x
  Expand x ⇒ next x y, prev y x, Expand y
  Expand x ⇒ next x …
  (the constant standing for the end of the list did not survive extraction)

Slides 29–34: Example: Doubly-linked List (derivation)
- These slides step through one derivation: the heap starts as head = {x} with next and prev empty; the first rule adds the prev pair of the head; each application of Expand x ⇒ next x y, prev y x, Expand y adds one next pair and one prev pair; the final Expand adds the closing next pair, arriving at the three-pair heap of slide 28

Slide 35: Example: Tail-linked List
- Relations: head, tail, next
  TailList ⇒ head x, tail x z, Expand x z
  Expand x z ⇒ next x y, tail y z, Expand y z
  Expand x z ⇒ next x z, tail z z

Slide 36: Example: Binary Tree
- Relations: root, left, right
  Bintree ⇒ root x, Expand x
  Expand x ⇒ left x y, right x z, Expand y, Expand z
  Expand x ⇒ left x …, right x …
  (the end-of-structure constant did not survive extraction)
Slide 37: Decision Problem
- Assuming the heap conformed to a given graph grammar, and a change is applied to that heap, does the new heap also conform?
- Undecidable in general
- The authors suggest restricting the grammars to obtain decidability; their claim: the restrictions are OK in practice

Slide 38: TVLA [Sagiv et al. 02]
- As in Shape Types, the heap is objects/relations
- Sets of heaps are denoted by letting binary relations have the value 1/2, "unknown"
- Formulas are simply evaluated (conservatively)
- Shape is characterized by additional instrumentation predicates
- Evolution across updates is still an issue

Slide 39: PALE [Møller/Schwartzbach 01]
- Data structures are described via graph types: certain fields form a backbone tree; the values of the other fields are determined by the backbone, via routing expressions
- Graph types are translated into WSkS, the weak second-order logic of k successors
- WSkS formulas are decided by reduction to automata

Slide 40: Graph Types
- Backbone tree: simply identify the fields and roots involved; it is implicit that they must form a tree
- Routing expressions constrain non-tree pointers by (in essence) writing a little navigation program; the actual notation resembles regular expressions

Slide 41: Example: Tail-linked List
- Tree fields: head, next (the backbone field name did not survive extraction; written as next here)
- Routing expression constraint for tail: ∀p. p <next*.[λx. x.next = null]> p.tail

Slide 42: Example: Tree w/ Linked Leaves
- ^ = [λx. isroot(x)], $ = [λx. isleaf(x)]
- ∀p. p <right*.(left right ^).left*.$> p.next (the routing operators between the tokens and the name of the leaf-link field did not survive extraction; the field is written as next here)
Slide 43: WS1S
- Weak monadic second-order logic of one successor
(break)

Slide 45: WS1S
- Weak monadic second-order theory of one successor (the syntax given on this slide did not survive extraction)

Slide 46: Definable Concepts in WS1S
- isempty(X) ≡ ∀Y. X ⊆ Y
- isequal(X, Y) ≡ X ⊆ Y ∧ Y ⊆ X
- issingleton(X) ≡ X ≠ ∅ ∧ ∀Y. Y ⊆ X ⟹ (Y = X ∨ Y = ∅)
- iszero(X) ≡ issingleton(X) ∧ ¬∃Y. X = Y + 1

Slide 47: Interpretation Encoding
- Idea: use bit strings to encode finite sets, e.g. 01011 = {1, 3, 4}
- Encode several sets with bit-vector strings, e.g. a two-track string whose first track reads 0101 and whose second reads 0011 means X1 = {1, 3} and X2 = {2, 3}

Slide 48: Evaluate Using Automata
- Given a formula φ, we want to create an automaton M(φ) such that Ψ ⊨ φ iff M(φ) recognizes the string encoding Ψ (one track per variable X1, X2, …)
- Note: this is not a canonical encoding (trailing 0s)
Slide 49: X1 = X2 \ X3
- [automaton diagram: one state, a self-loop on every symbol whose X1 bit equals the X2 bit with the X3 bit cleared]

Slide 50: X2 = X1 + 1
- [automaton diagram with two states, "expect 0 in X2" and "expect 1 in X2", and an example input]

Slide 51: Propositional Connectives
- φ = ¬θ: let M be the automaton for θ; make sure M is complete and deterministic; then simply invert accepting/non-accepting states
- φ = φ1 ∧ φ2: construct the product automaton; accept wherever both do

Slide 52: ∃X_i. φ
- Let M be the automaton for φ
- Change all i-th vector components to *, i.e. remove sensitivity to X_i; the result is a nondeterministic automaton
- Let state s be accepting if it can reach an accepting state via 0-transitions

Slides 53–54: ∃X2. X2 = X1 + 1
- Original: X2 = X1 + 1
- Change references to X2 to *
Slide 55: ∃X2. X2 = X1 + 1
- Accept if an accepting state can be reached via 0-transitions

Slide 56: Automaton-Logic Connection
- Conversion to automata gives an effective procedure for deciding formulas: convert the formula to an automaton
- φ is valid iff M(φ) can only reach accepting states
- φ is satisfiable iff M(φ) has a reachable accepting state

Slide 57: Is this magic?
- The original semantics is not obviously decidable, so how did the automaton do it?
- The automaton is a measure of the formula

Slide 58: Complexity
- Consider a formula with a prefix of quantifiers in front of φ
- Each use of a quantifier introduces nondeterminism
- Each use of negation requires determinization (powerset construction)
- Cost: O(|M(φ)|), where |M(φ)| can be a tower of exponentials 2^(2^(…^(2^n))), one level per determinization; compare to counting +1's

Slide 59: WS2S
- Two successor functions instead of one

Slide 60: Interpretation Encoding (WS2S)
- Idea: represent sets of strings using trees
- X1 = {LLR, LRL, RRR, R} [diagram: a binary tree with L/R edges whose nodes are labeled Y (in the set) or N (not in the set)]
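The constructions of slides 47 through 56 (bit-vector encoding, the two-state automaton for X2 = X1 + 1, negation by determinization, conjunction by product, existential quantification by projection plus 0-closure, and the validity and satisfiability tests) are small enough to implement directly. The block below is an added example in Python, not MONA and not code from the lecture; the fixed track order VARS, the one-state automaton for set difference, the subset-construction helper and the function names are this example's own choices. It decides ∃X2. X2 = X1 + 1 (valid) and ∃X1. X2 = X1 + 1 (satisfiable but not valid, because an X2 containing 0 has no predecessor set), and it shows why the 0-closure of slide 52 is needed: the encoding has trailing zeros, so the projected automaton may be left in a state that only a run of padding symbols brings to acceptance.

```python
"""WS1S decision procedure by translation to finite automata (added example)."""
from itertools import product

VARS = ("X1", "X2", "X3")                  # fixed track order for every automaton
IDX = {v: i for i, v in enumerate(VARS)}
ALPHABET = list(product((0, 1), repeat=len(VARS)))
ZERO = (0,) * len(VARS)                    # the padding symbol (trailing zeros)


class NFA:
    """States are any hashable values; delta maps (state, symbol) -> set of states."""

    def __init__(self, init, accept, delta):
        self.init, self.accept, self.delta = frozenset(init), frozenset(accept), delta

    def step(self, states, sym):
        return frozenset(t for s in states for t in self.delta.get((s, sym), ()))

    def accepts(self, word):
        cur = self.init
        for sym in word:
            cur = self.step(cur, sym)
        return bool(cur & self.accept)

    def reachable_subsets(self):
        """Subset construction over reachable state sets; frozenset() is the dead state."""
        seen, todo = {self.init}, [self.init]
        while todo:
            s = todo.pop()
            for sym in ALPHABET:
                t = self.step(s, sym)
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen


def encode(assignment, length):
    """Bit-vector string for {var: set of naturals}: position k carries one bit per track."""
    return [tuple(int(k in assignment.get(v, ())) for v in VARS) for k in range(length)]


def states_of(a):
    return {s for (s, _) in a.delta} | set(a.init)


def succ(x, y):
    """X = Y + 1, i.e. X = {n + 1 | n in Y}: the slide's two-state automaton,
    where the state is the bit currently expected on the X track."""
    delta = {(exp, sym): {sym[IDX[y]]}
             for exp in (0, 1) for sym in ALPHABET if sym[IDX[x]] == exp}
    return NFA({0}, {0}, delta)


def diff(x, y, z):
    """X = Y \\ Z, checked position by position with a single state."""
    delta = {(0, sym): {0} for sym in ALPHABET
             if sym[IDX[x]] == int(sym[IDX[y]] and not sym[IDX[z]])}
    return NFA({0}, {0}, delta)


def neg(a):
    """Determinize (complete, since the dead subset is a state) and invert acceptance."""
    subsets = a.reachable_subsets()
    delta = {(s, sym): {a.step(s, sym)} for s in subsets for sym in ALPHABET}
    return NFA({a.init}, {s for s in subsets if not (s & a.accept)}, delta)


def conj(a, b):
    """Product automaton: a pair state accepts only where both components accept."""
    delta = {}
    for s, u, sym in product(states_of(a), states_of(b), ALPHABET):
        ts, vs = a.delta.get((s, sym)), b.delta.get((u, sym))
        if ts and vs:
            delta[((s, u), sym)] = {(t, v) for t in ts for v in vs}
    return NFA(product(a.init, b.init), product(a.accept, b.accept), delta)


def exists(x, a):
    """Project track x to a wildcard (the result is nondeterministic), then make every
    state that reaches an accepting state through 0-transitions accepting, so the
    non-canonical trailing zeros of the encoding do not matter."""
    i = IDX[x]
    delta = {}
    for (s, sym), ts in a.delta.items():
        for bit in (0, 1):
            delta.setdefault((s, sym[:i] + (bit,) + sym[i + 1:]), set()).update(ts)
    accept, todo = set(a.accept), list(a.accept)
    while todo:                                # backward search along ZERO edges
        t = todo.pop()
        for (s, sym), ts in delta.items():
            if sym == ZERO and t in ts and s not in accept:
                accept.add(s)
                todo.append(s)
    return NFA(a.init, accept, delta)


def satisfiable(a):
    """Some reachable state set contains an accepting state."""
    return any(s & a.accept for s in a.reachable_subsets())


def valid(a):
    """Every reachable state set (the dead one included) contains an accepting state."""
    return all(s & a.accept for s in a.reachable_subsets())


def demo():
    """The formulas discussed on the slides, decided by the constructions above."""
    phi = succ("X2", "X1")                  # X2 = X1 + 1
    return {
        "X2=X1+1 on X1={0,2}, X2={1,3}": phi.accepts(encode({"X1": {0, 2}, "X2": {1, 3}}, 5)),
        "exists X2. X2=X1+1 valid": valid(exists("X2", phi)),
        "exists X1. X2=X1+1 valid": valid(exists("X1", phi)),
        "exists X1. X2=X1+1 satisfiable": satisfiable(exists("X1", phi)),
        "phi and not phi satisfiable": satisfiable(conj(phi, neg(phi))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The string length matters: encode({"X1": {2}, "X2": {3}}, 3) has no position 3, so it encodes X2 = ∅ and is correctly rejected, while length 4 is accepted; the 0-closure in exists is what lets ∃X2 absorb that padding. The tower-of-exponentials cost of slide 58 is visible in neg, which enumerates reachable subsets, and in exists, which reintroduces nondeterminism that the next negation must eliminate again.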
Slide 61: Evaluate With Tree Automata
- A bottom-up tree automaton has: a finite set of states Q; an accepting set of states Q_F ⊆ Q; a transition relation whose elements have the form f(q1, q2, …, qn) → q, where f is a tree constructor of arity n
- Example over N/Y-labeled trees: nil → 1; N(1,1) → 1; Y(1,1) → 2; N(1,2) → 3 (accept); N(2,2) → 3 (accept); anything else → 4

Slide 62: X1 ⊆ X2 (WS2S)
- nil → 1; (0,0)(1,1) → 1; (0,1)(1,1) → 1; (1,1)(1,1) → 1 (accepting)
- (1,0)(_,_) → 2; _(2,_) → 2; _(_,2) → 2 (rejecting)
- (node labels are pairs of bits, one per track, reconstructed here from the subset semantics); recall the WS1S version

Slide 63: Remaining Cases
- Negation: determinize, invert
- Conjunction: product, intersection
- Set difference: easy, like subset
- Successor application: easy, like +1
- Existential: nondeterminize the quantified track; any state reachable via a 0-prefix is initial

Slide 64: Graph Types → WSkS
- Backbone: p.left corresponds to {p}.L
- Routing expressions: X is p.left* iff p ∈ X ∧ ∀y ∈ X. y.left ∈ X ∧ ∀Y. (the same conditions for Y) ⟹ X ⊆ Y, i.e. X contains the left*-closure and is the smallest such set (the above is actually just a guess)

Slide 65: Integration into Nelson-Oppen?
- Can it test for unsatisfiability? Yes.
- Can it emit implied equalities? Only(?) by making separate queries H ⊨ x = y
- It is a non-convex theory; can it emit case splits? I do not see how.
- The decision algorithm is powerful but opaque

Slide 66: Conclusion
- Data structure description language: powerful for auxiliaries (it has transitive closure); weak for the backbone, which must be a tree
- Decision algorithm: entirely based on semantics (no proof system); clever use of automata; potentially very bad performance; unclear how to integrate it so as to share results
References
- Nelson Reachability: Greg Nelson, "Verifying reachability invariants of linked structures", POPL 83
- Shape Types: Pascal Fradet, Daniel Le Métayer, "Shape Types", POPL 97
- TVLA: Shmuel Sagiv, Thomas W. Reps, Reinhard Wilhelm, "Parametric shape analysis via 3-valued logic", TOPLAS 2002

References (part 2)
- PALE: Anders Møller, Michael Schwartzbach, "The Pointer Assertion Logic Engine", PLDI 01
- Nils Klarlund, Michael Schwartzbach, "Graph Types", POPL 93
- Nils Klarlund, Anders Møller, Michael Schwartzbach, "MONA Implementation Secrets", IJFCS (I got my WSkS material from here)
- Nils Klarlund, "Mona & Fido: The Logic-Automaton Connection in Practice", CSL 97 (another WSkS treatment, a little less clear)