Source: ROSAEC Center, rosaec.snu.ac.kr/meet/file/20120116b.pdf (2018. 4. 12.)

Page 1

Bi-Directional Bottom-Up Shape Analysis (양방향 상향식 모양분석)

Oukseh Lee

HANYANG UNIVERSITY

Oukseh Lee @ Hanyang University

ROSAEC Center (소프트웨어무결점연구센터) Workshop

16/01/2012

Page 2

An error-free verifier specialised for system software?

Characteristics of system software

Data structures built from pointers

Concurrency

Focus areas of this sub-project

Shape analysis

A verification system for concurrency errors

Page 3

Outline

Shape analysis

Limitations of pointer and memory analysis before 1996

Shape analysis based on separation logic

Recent results

Bottom-up shape analysis

Bottom-up shape analysis

Bi-directional bottom-up shape analysis

Wrap-up

Page 4

Pointer-related errors

Null pointer dereference

Dangling pointer dereference

Memory leak

Page 5

Why pointer analysis is hard

Variables are static, but addresses are dynamic

Variables appear in the program text; addresses do not

At any point of execution the number of variables is fixed, but the number of addresses cannot be predicted because of recursive data structures

Addresses must be summarised

Origin-based summaries (Deutsch 1990), e.g. summaries by allocation site (Chase, Wegman, Zadeck 1990)

A fixed summary domain makes it hard to track cells whose position keeps changing

Relation-based summaries, e.g. access-path summaries (Deutsch 1992)

When one relation changes, many relations change

Page 6

The strong update problem

Can [x] := 0 be analysed precisely?

Moreover, if x == y, can we show that [y] has become 0?

[Figure: x pointing to cells 1, 2, 3 and a summary node l]

Page 7

Changing the summarisation level of addresses

Can [x] := 0 be analysed precisely?

Precise analysis becomes possible by adjusting the summarisation level: pulling cells out of a summary node (focus) and putting them back (summarisation) (Sagiv, Reps, Wilhelm 1996)

[Figure: before, x pointing to cells 1, 2, 3 and a summary node l; after focus and the update, x pointing to cells 2, 3, summary nodes l' and l'', a cell containing 0, and y]

Page 8

Separation Logic

Separation logic (Reynolds 2002)

A program logic that extends Hoare logic so that pointer operations can be tracked easily

Features

The separating conjunction * splits memory so that properties can be stated per part

P*Q: the current memory can be split into a part satisfying P and a part satisfying Q

Recursive data structures can be expressed by recursive predicates: lseg(E,F) = E=F ∨ ∃x. E↦x * lseg(x,F)

Page 9

Shape analysis based on separation logic

A restricted automatic prover for separation logic

Given P in { P } C { Q }, find Q

Implementing strong update

Pulling out (focus): unfolding the recursive predicate

lseg(E,F) ⇒ E=F ∨ ∃x. E↦x * lseg(x,F)

Putting back (summarisation): folding it again using a heuristic algorithm

x↦a * a↦0 ⇒ lseg(x,0)

Page 10

Improvements in precision and performance

Lee, Yang, and Yi 2005: tree-shaped data structures

Distefano, O'Hearn, and Yang 2006: circular doubly-linked lists

Berdine et al. 2007: multi-level circular doubly-linked lists

Yang et al. 2008: dramatic performance improvement

Lee, Yang, and Petersen 2011: overlapping (overlaid) data structures

Page 11

Bottom-up analysis

Top-down program analysis

Given P in { P } C { Q }, find a plausible Q

Bottom-up program analysis

In { P } C { Q }, find both P and Q

Advantages and disadvantages of bottom-up analysis

Advantage: the program can be analysed piece by piece, and partial results are still meaningful

Disadvantage: bottom-up analysis is itself hard, since all possibilities must be computed

Page 12

Bottom-up shape analysis

Separation logic makes bottom-up analysis much more feasible

Executable only when E is allocated

So a pre-condition guaranteeing safe execution can be inferred

Using this idea, bottom-up shape analysis was implemented:

Compositional Shape Analysis by means of Bi-Abduction. C. Calcagno, D. Distefano, P. W. O'Hearn, and H. Yang. Journal of the ACM, Dec 2011.


Page 13

Core algorithm: the Bi-Abductor


A note on bi-directional bottom-up shape analysis

Oukseh Lee and Hongseok Yang

January 16, 2012

P ∗ R ⊢ E↦- ∗ S

Which heap should be added to P and to E↦- respectively so that the entailment holds?

{P ∗ R} [E]:=F {E↦F ∗ S}

Page 14

Where the problem started

Designing an analyser for a concurrency logic

Starting from deny-guarantee logic

It has the notion of a permission token

Whether a permission token is held changes the proof substantially

But whether a permission token is held must itself be inferred during the analysis

Existing bottom-up shape analysis collects pre- and post-conditions while moving forward, so it cannot go backward

Page 15

Idea: bi-directional analysis

[Figure: program points P, Q, R, ⋮, S; the analysis state grows as emp * true, emp * P * true, emp * P * Q' * true, emp * P * Q' * R' * true, ..., emp * P * Q' * R' * S' * true]

Page 16

Bi-directional analysis: assignment


The main algorithm computes fix(F) for the given CFG, where F is:

  λT. abs(T_|N|) where T_0 = T and
    for all n_{l_k} ∈ N where 1 ≤ k ≤ |N|
      let {p_1, ..., p_n} = in(l) and {q_1, ..., q_m} = out(l) in
      let K = T(p_1) × ··· × T(p_n) × T(q_1) × ··· × T(q_m) in
      let ⟨P_1, ..., P_n, Q_1, ..., Q_m⟩ = ⋃_{κ∈K} BiExec(n, κ)
        where ⟨a_1, ..., a_z⟩ ∪ ⟨b_1, ..., b_z⟩ = ⟨a_1 ∪ b_1, ..., a_z ∪ b_z⟩
      T_k = T_{k-1}[p_i → P_i, q_j → Q_j]

In this definition, N is the set of nodes in the given CFG excluding the start and halt nodes, and abs is an abstraction function that strengthens the symbolic heaps in T for analysis termination, which will be discussed later. Function F takes a map from an edge to a set of symbolic heaps, which is the current analysis result, and returns a new map which is stronger than the current one. For each node, we update the symbolic heaps of its in-edges and out-edges by using function BiExec, which returns stronger pre-conditions and post-conditions. Suppose a node n has only one in-edge and only one out-edge, and the in-edge has {P1, P2} and the out-edge {Q1, Q2}. We execute n by BiExec with all possible pairs of the pre-conditions and the post-conditions: ⟨P1, Q1⟩, ⟨P1, Q2⟩, ⟨P2, Q1⟩, and ⟨P2, Q2⟩. Then we get four pairs which are stronger than the input pairs, respectively. We update the map by separately collecting the pre-conditions and post-conditions from the results.

Bi-Execution. The analysis for each node is described by function BiExec, which is defined by the rules of Figure 1. In the rules, {P ∗ R} C {Q ∗ S} denotes that when BiExec(C, ⟨P, Q⟩) is called, it returns ⟨{P ∗ R}, {Q ∗ S}⟩. We assume that a disjunction in the result is implicitly converted to a set of symbolic heaps. For instance, in the case of assume(Π), its result is ⟨{P ∗ (¬Π ∨ R)}, {Q ∗ S}⟩. By converting the disjunction to a set, the final result is ⟨{P ∧ ¬Π, P ∗ R}, {Q ∗ S}⟩. For multiple pre-conditions and post-conditions, {P1 ∗ R1; ··· ; Pn ∗ Rn} C {Q1 ∗ S1; ··· ; Qm ∗ Sm} denotes that when BiExec(C, ⟨P1, ..., Pn, Q1, ..., Qm⟩) is called, it returns ⟨P1 ∗ R1, ..., Pn ∗ Rn, Q1 ∗ S1, ..., Qm ∗ Sm⟩. In the rules, P ∗ R ⊢ Q ∗ S denotes that when we call BiAbd(P, Q), it returns ⟨R, S⟩. The case where the left-hand or right-hand side has a disjunction or conjunction can be computed as discussed in section 2.

Figure 1: The rules describing algorithm BiExec (premises above the line, conclusion below).

  P ∗ R ⊢ Q{E/x} ∗ S
  ─────────────────────────────────────────
  {P ∗ R} x:=E {Q ∗ (S{a/x} ∧ x = E{a/x})}

  P{a/x} ∗ R ⊢ E{a/x}↦b ∗ S        (E{a/x}↦b ∗ S) ∗ T ⊢ Q{b/x} ∗ U
  ─────────────────────────────────────────────────────────────────
  {P ∗ ((R ∗ T){x/a})} x:=[E] {Q ∗ U{x/b}}

  (P{a/x} ∗ b↦c) ∗ R ⊢ Q{b/x} ∗ S
  ─────────────────────────────────────────
  {P ∗ R{x/a}} x:=alloc {Q ∗ S{x/b}}

  P ∗ R ⊢ (Q ∗ E↦a) ∗ S
  ─────────────────────────────────────────
  {P ∗ R} dispose(E) {Q ∗ S}

  P ∗ R ⊢ E↦a ∗ S        (E↦F ∗ S) ∗ T ⊢ Q ∗ U
  ─────────────────────────────────────────────
  {P ∗ (R ∗ T)} [E]:=F {Q ∗ U}

  (P ∧ b) ∗ R ⊢ Q ∗ S
  ─────────────────────────────────────────
  {P ∗ (¬b ∨ R)} assume b {Q ∗ S}

  (P1 ∗ R1) ∨ ··· ∨ (Pn ∗ Rn) ⊢ Q ∗ S
  ─────────────────────────────────────────
  {P1 ∗ R1; ··· ; Pn ∗ Rn} join {Q ∗ S}

  P ∗ R ⊢ (Q1 ∗ S1) ∧ ··· ∧ (Qn ∗ Sn)
  ─────────────────────────────────────────
  {P ∗ R} branch {Q1 ∗ S1; ··· ; Qn ∗ Sn}

Each rule in Figure 1 is in some sense a slight modification or combination of the rules in separation logic. The rules for the assignment x:=E in separation logic are unidirectional. There are two uni-directional rules for it, a forward one and a backward one:

  {P} x:=E {∃a. P{a/x} ∧ x = E{a/x}}        {Q{E/x}} x:=E {Q}

Each rule is parameterised only by the pre-condition, or only by the post-condition. However, we take both the pre-condition and the post-condition, and have to strengthen them so that they form a valid Hoare triple. By mixing the forward and backward rules, we can achieve our goal. Suppose the given pre-condition is P and the post-condition is Q. By applying the backward rule, we get the weakest pre-condition Q{E/x} for Q. Q{E/x} should be weaker than P. If not, we have to strengthen P. Also, Q{E/x} should be as strong as possible so that Q is the strongest post-condition for P. If not, we have to strengthen Q. Both constraints can be solved by calling the bi-abductor: P ∗ R ⊢ Q{E/x} ∗ S, and using P ∗ R and Q{E/x} ∗ S instead of P and Q{E/x}, respectively. Now by applying the forward rule with pre-condition Q{E/x} ∗ S, we get a valid Hoare triple: {Q{E/x} ∗ S} x:=E {∃a. Q ∗ (S{a/x} ∧ x = E{a/x})}. Note that P ∗ R is weaker than the pre-condition of this triple.

Some rules in separation logic have requirements on their pre-conditions and post-conditions, so that we can easily find a bi-directional computation. For instance, consider [E]:=F:

  {E↦- ∗ H} [E]:=F {E↦F ∗ H}

It means that the pre-condition and the post-condition should have one cell at location E whose content is anything and F, respectively. It also requires that the other parts of the heap, excluding location E, should be the same. For the given pre-condition P and post-condition Q, we can require these constraints by solving the bi-abduction questions P ∗ H1 ⊢ E↦- ∗ H2 and E↦F ∗ H2 ⊢ Q ∗ H3. The problem is that H2 is shared between the two questions. Our solution is to find H2 in two steps: first solve P ∗ R ⊢ E↦- ∗ S and then solve (E↦F ∗ S) ∗ T ⊢ Q ∗ U. Then we can find a solution: H1 = R ∗ T, H2 = S ∗ T, and H3 = U. The rules for x:=[E], x:=alloc, and dispose(E) can be explained similarly.

The rule for assume(Π) shows that we would like to find the weakest pre-condition. The semantics of assume(Π) is that when Π holds, it terminates normally, but when Π does not hold, it gets stuck. In other words, assume(Π) is the same as if Π then skip else infinite loop. From Hoare logic, we can derive the following forward and backward rules:

  {P} assume(Π) {P ∧ Π}        {¬Π ∨ Q} assume(Π) {Q}

For the given pre-condition P and post-condition Q, we first compute the strongest post-condition for P by the forward rule; that is P ∧ Π. This should be weaker than Q. We achieve this by solving the bi-abduction (P ∧ Π) ∗ R ⊢ Q ∗ S. Now we apply the backward rule with post-condition (P ∧ Π) ∗ R; then we get ((P ∧ Π) ∗ R) ∨ ¬Π, which is equivalent to (P ∗ R) ∨ ¬Π. But we have one more restriction: the pre-condition should be stronger than the given P. It can be solved by the bi-abduction P ∗ T ⊢ ((P ∗ R) ∗ U1) ∨ (¬Π ∗ U2), but the solution is straightforward: T = R ∨ ¬Π, U1 = emp, and U2 = P.

Abstraction. In order for the analysis to terminate, we need a widening operator, called an abstraction algorithm, which discovers a recursive predicate.
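As an added example (not the note's or the authors' code), the two-step bi-abduction for [E]:=F described above, over symbolic heaps made only of points-to cells, with the resulting triple checked by running the store on the inferred pre-heap. The dict representation, the cell-matching BiAbd and the sample heaps are constructed assumptions of this example; pure constraints and lseg predicates are left out.

```python
"""Bi-directional execution of the store [E]:=F over simple symbolic heaps.

A symbolic heap is a dict {address: content}; "-" is the wildcard content
of E|->-.  Pure constraints and lseg predicates are left out, so BiAbd only
has to match cells by address.  Constructed example, not the authors' code.
"""
from typing import Dict, Optional, Tuple

Heap = Dict[str, str]
WILD = "-"  # content of E|->- : "any value"


def star(a: Heap, b: Heap) -> Heap:
    """Separating conjunction a * b: both heaps must own disjoint cells."""
    overlap = a.keys() & b.keys()
    if overlap:
        raise ValueError(f"a * b is inconsistent, shared cells {sorted(overlap)}")
    return {**a, **b}


def biabd(a: Heap, b: Heap) -> Optional[Tuple[Heap, Heap]]:
    """Solve the bi-abduction question  a * ?R |- b * ?S  (a * R ⊢ b * S).

    R (anti-frame) collects the cells b needs but a lacks; S (frame) collects
    the cells a owns but b does not mention.  Returns None when a shared cell
    cannot be matched without a pure constraint (different contents, or a
    wildcard on the left), which this simplified setting does not support.
    """
    anti_frame: Heap = {}
    for addr, want in b.items():
        if addr in a:
            if want != WILD and a[addr] != want:
                return None
        else:
            anti_frame[addr] = want
    frame = {addr: val for addr, val in a.items() if addr not in b}
    return anti_frame, frame


def bi_exec_store(p: Heap, q: Heap, e: str, f: str):
    """BiExec for [E]:=F, following the two-step rule of Figure 1:

        P * R ⊢ E|->- * S        (E|->F * S) * T ⊢ Q * U
        ------------------------------------------------
                 {P * (R * T)} [E]:=F {Q * U}

    Returns (pre, post, H1, H2, H3) with H1 = R*T, H2 = S*T, H3 = U, i.e.
    P * H1 ⊢ E|->- * H2 and E|->F * H2 ⊢ Q * H3, or None if unsolvable.
    """
    step1 = biabd(p, {e: WILD})
    if step1 is None:
        return None
    r, s = step1
    step2 = biabd(star({e: f}, s), q)
    if step2 is None:
        return None
    t, u = step2
    h1, h2, h3 = star(r, t), star(s, t), u
    return star(p, h1), star(q, h3), h1, h2, h3


def satisfies(heap: Heap, spec: Heap) -> bool:
    """heap ⊢ spec when both own exactly the same cells and every content
    agrees; "-" in spec accepts any content."""
    return heap.keys() == spec.keys() and all(
        spec[a] == WILD or heap[a] == spec[a] for a in spec)


def store_triple_holds(pre: Heap, post: Heap, e: str, f: str) -> bool:
    """Check {pre} [E]:=F {post} by running the store on the pre-heap:
    the store is safe only if E is allocated in pre, and the resulting
    heap must satisfy post."""
    if e not in pre:
        return False  # dereferencing an unallocated cell: the triple is unsafe
    after = dict(pre)
    after[e] = f
    return satisfies(after, post)


if __name__ == "__main__":
    # Constructed inputs: pre-condition P, post-condition Q, command [x]:=3
    P = {"x": "1", "y": "2"}
    Q = {"x": "3", "z": "4"}
    pre, post, h1, h2, h3 = bi_exec_store(P, Q, "x", "3")
    print("H1 =", h1, " H2 =", h2, " H3 =", h3)
    print("{", pre, "} [x]:=3 {", post, "} valid:",
          store_triple_holds(pre, post, "x", "3"))
    # With P = emp the anti-frame R = x|->- records that x must be allocated.
    print(bi_exec_store({}, {"x": "7"}, "x", "7"))
    # Contradictory post-condition: [x]:=3 can never establish x|->5.
    print(bi_exec_store({"x": "1"}, {"x": "5"}, "x", "3"))
```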

Page 17

Bi-directional analysis: dispose


P ∗ R ⊢ E↦- ∗ S

{P ∗ R} [E]:=F {E↦F ∗ S}

{E↦- ∗ H} dispose(E) {H}

Page 18

Bi-directional analysis: store


P ∗R � Q {E/x} ∗ S{P ∗R} x:=E {Q ∗ (S {a/x} ∧ x = E {a/x})}

P {a/x} ∗R � E {a/x} �→b ∗ S (E {a/x} �→b ∗ S) ∗ T � Q {b/x} ∗ U{P ∗ ((R ∗ T ) {x/a})} x:=[E] {Q ∗ U {x/b}}

(P {a/x} ∗ b �→c) ∗R � Q {b/x} ∗ S{P ∗R {x/a}} x:=alloc {Q ∗ S {x/b}}

P ∗R � (Q ∗ E �→a) ∗ S{P ∗R} dispose(E) {Q ∗ S}

P ∗R � E �→a ∗ S (E �→F ∗ S) ∗ T � Q ∗ U{P ∗ (R ∗ T )} [E]:=F {Q ∗ U}

(P ∧ b) ∗R � Q ∗ S{P ∗ (¬b ∨R)} assume b {Q ∗ S}

(P1 ∗R1) ∨ · · · ∨ (Pn ∗Rn) � Q ∗ S{P1 ∗R1; · · · ;Pn ∗Rn} join {Q ∗ S}

P ∗R � (Q1 ∗ S1) ∧ · · · ∧ (Qn ∗ Sn)

{P ∗R} branch {Q1 ∗ S1; · · · ;Qn ∗ Sn}

Figure 1: The Rules Describing Algorithm BiExec.

location E should be same. For given pre-condition P and post-condition Q, we can require theseconstraints by solving bi-abduction questions: P ∗H1 � E �→− ∗H2 and E �→F ∗H2 � Q ∗H3.The problem is H2 is shared between the two questions. Our solution is to find H2 by two steps:first to solve P ∗ R � E �→− ∗ S and then to solve (E �→F ∗ S) ∗ T � Q ∗ U . Then we can find asolution: H1 = R ∗ T , H2 = S ∗ T , and H3 = U . The rules of x:=[E], x:=alloc, and dispose(E)can be explained similarly.
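Added here as an illustration, not code from the slides or from the Lee and Yang note: a toy bi-abductor over points-to-only symbolic heaps, with the two-step [E]:=F rule and the dispose(E) rule of Figure 1 built on top of it. It assumes away the pure part and the lseg predicate, so a heap is just a set of (address, content) cells and "_" plays the role of E ↦ −; the sample heaps are the second disjunct of the branch example on slide 24.

```python
# Added example (not from the slides or the Lee/Yang note): a toy bi-abductor for points-to-only
# symbolic heaps, driving the [E]:=F and dispose(E) rules of Figure 1. "_" = unknown content E|->-.

def star(*heaps):
    """Separating conjunction: union of the cells, whose addresses must be disjoint."""
    cells = frozenset().union(*heaps)
    addrs = [a for a, _ in cells]
    if len(addrs) != len(set(addrs)):
        raise ValueError("P * Q needs disjoint addresses")
    return cells

def biabduce(p, q):
    """Solve P * R |- Q * S for (R, S): anti-frame R = cells Q needs but P lacks,
    frame S = cells P has that Q does not mention. None if a shared address is
    pinned to two different concrete contents (no solution)."""
    p_by, q_by = dict(p), dict(q)
    for addr in p_by.keys() & q_by.keys():
        if "_" not in (p_by[addr], q_by[addr]) and p_by[addr] != q_by[addr]:
            return None
    anti_frame = frozenset(c for c in q if c[0] not in p_by)
    frame = frozenset(c for c in p if c[0] not in q_by)
    return anti_frame, frame

def biexec_store(p, q, e, f):
    """[E]:=F: solve P * R |- E|->_ * S, then (E|->F * S) * T |- Q * U; the valid
    triple is {P * (R * T)} [E]:=F {Q * U}, returned as a pair, or None."""
    step1 = biabduce(p, frozenset({(e, "_")}))
    if step1 is None:
        return None
    r, s = step1
    step2 = biabduce(star(frozenset({(e, f)}), s), q)
    if step2 is None:
        return None
    t, u = step2
    return star(p, r, t), star(q, u)

def biexec_dispose(p, q, e):
    """dispose(E): solve P * R |- (Q * E|->a) * S; triple is {P * R} dispose(E) {Q * S}."""
    if e in dict(q):
        return None  # Q must not still own the cell that dispose(E) frees
    res = biabduce(p, star(q, frozenset({(e, "_")})))
    if res is None:
        return None
    r, s = res
    return star(p, r), star(q, s)

if __name__ == "__main__":
    # second disjunct of the slide-24 example: {x|->a * y|->b} [x]:=0 {x|->0 * y|->b}
    pre, post = frozenset({("x", "a"), ("y", "b")}), frozenset({("x", "0"), ("y", "b")})
    print(biexec_store(pre, post, "x", "0"))
```

When the pre-condition lacks the cell at E, the anti-frame R adds E ↦ _ to it, which is the strengthening of P the text describes; a post-condition that pins E to a content other than F makes the second bi-abduction fail, so no triple is produced.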

The rule for assume(Π) shows that we would like to find the weakest pre-condition. The semantics of assume(Π) is that when Π holds it terminates normally, but when Π does not hold it gets stuck. In other words, assume(Π) is the same as "if Π then skip else infinite loop". From Hoare logic, we can derive the following forward and backward rules:

{P} assume(Π) {P ∧ Π}        {¬Π ∨ Q} assume(Π) {Q}

For a given pre-condition P and post-condition Q, we first compute the strongest post-condition for P by the forward rule, that is, P ∧ Π. This should be weaker than Q. We achieve this by solving the bi-abduction (P ∧ Π) ∗ R ⊢ Q ∗ S. Now we apply the backward rule with post-condition (P ∧ Π) ∗ R; then we get ((P ∧ Π) ∗ R) ∨ ¬Π, which is equivalent to (P ∗ R) ∨ ¬Π. But we have one more restriction: the pre-condition should be stronger than the given P. It can be solved by the bi-abduction P ∗ T ⊢ ((P ∗ R) ∗ U1) ∨ (¬Π ∗ U2), but the solution is straightforward: T = R ∨ ¬Π, U1 = emp, and U2 = P.

Abstraction. In order for the analysis to terminate, we need a widening operator, called an abstraction algorithm, which discovers recursive predicates.


Page 19: Bi-directional analysis: join


(Diagram: the branches P1∗R1, …, Pn∗Rn join into the post-condition Q∗(S1 ∨ … ∨ Sn).)

A note on bi-directional bottom-up shape analysis

Oukseh Lee and Hongseok Yang

January 16, 2012

P ∗ R ⊢ E ↦ − ∗ S
------------------------------
{P ∗ R} [E]:=F {E ↦ F ∗ S}

{E ↦ − ∗ H} dispose(E) {H}

S = S1 ∨ ··· ∨ Sn   where   P1 ∗ R1 ⊢ Q ∗ S1, ···, Pn ∗ Rn ⊢ Q ∗ Sn


Page 20: Bi-directional analysis: branch

(Diagram: the pre-condition P∗?? (frame still to be found) branches into the post-conditions Q1∗S1, …, Qn∗Sn.)


Page 21: Bi-directional analysis: branch


R = R_{1,n}
S_i = T_i ∗ R_{i+1,n}
R_{i,j} = R_i ∗ R_{i+1} ∗ ··· ∗ R_j  if i ≤ j,  emp otherwise

where, for each i,  (P ∗ R_{1,i−1}) ∗ R_i ⊢ Q_i ∗ T_i

Page 22: Bi-directional analysis: abstraction

The existing abstraction function abs has the implication in the opposite direction.

In most cases P = abs(P), so there is no problem, but cases where P ⊢ abs(P) arise.

Solution: apply abs selectively.

P ⊢ abs(P)   vs.   abs(P) ⊢ P

P = x ↦ a ∨ x ↦ b ∗ b ↦ c
abs(P) = lseg(x, d)

abs′(P) = abs(P) ∗ R   if abs(P) ∗ R ⊢ P ∗ S
        = P            otherwise


Page 23: Example: list_find

{ y=0 ∨ lseg(y,0) }

x:=y; // x is local but returned

while (x!=0 && ??)

x:=[x];

{ x=y=0 ∨ x=0*lseg(y,0) ∨ lseg(y,x)*lseg(x,0) }


Page 24: Example: branch

{ x=y*x↦a ∨ x↦a*y↦b }

if(?) [x]:=0 else [y]:=0

{ x=y*x↦0 ∨ x↦0*y↦b ∨ x↦a*y↦0 }


Page 25: Wrap-up

Proposed a theoretically sound bi-directional bottom-up shape analyzer.

Soundness is secured by:

Conjunction: a way to find a single heap that satisfies several conditions.

Abstraction: a sound abstraction of the discovered pre-condition.

How much improvement this brings in practice is still unknown.