EDIT: This post is concerned with unbounded heap sizes and access paths lengths in the presence of loops. The semantics of theta nodes don't actually construct these, though, so there is no problem. I'm holding on to this post for posterity (pardon the pun)...

Handling Heaps in EGraphs

Cornelius is trying to handle arbitrary Java code, and this means dealing with the heap. Due to the nature of the heap (unbounded, dynamically allocated, etc), Cornelius won’t be able to reason about it fully (…Cornelius works statically). So the question is, how much can we reason about?

To begin with I’m not considering loops. This makes the problem a lot easier. I’m also not considering method calls yet, but I have some ideas for how to handle those in a very rough way.

While my first stab at handling heapy code will elide loops and method calls, I still need to think about the challenges these language features introduce. That is the point of this posting.


Peggy uses sigma nodes as a heap summary, which aren’t really explained very well. Something about lists of reads and writes, where reads commute? I think this seems like the right direction.

Cornelius and Heap Models

There are two primary approaches to modeling the heap: store-based and storeless. Store-based heap models use abstract symbolic addresses to represent concrete addresses. Storeless heap models use access paths. An access path is a variable followed by zero or more field dereferences, such as list.size or x.y.z, or foo. The first item in the access path is a variable that points to the heap (a reference) while each other item is a field name, also pointing to the heap.

Cornelius is a rewrite-based approach and reasons about the syntax of a program. Therefore I think it’s logical to use a storeless heap model. Cornelius will be receiving access paths explicitly in PEG inputs, so I think I should use this form directly.

Here is my first stab at defining a heap:

A heap is a list of writes.

A write takes three arguments: an access path, a value, and a heap. Thus if I have a heap which I know nothing about, represented as nil, and I want to process field assignment x.y = 3;, I will represent the heap after the field assignment as:

(wr "x.y" 3 nil)

The field access path is just a string right now, but later I will need to update it to be a list.

An important point: in this formulation, I’m not tracking allocations explicitly on the heap. Consider the following (not-actually-legal-)Java program:

int example() {
    Foo f = this.foo;
    f.x = 3;
    new Y;        // Create a new Y without a constructor call
    f.y = new Y;

The following table lists the state after each line is executed

Line Heap After Executing Comments
ENTRY nil Start off with unknown heap nil
Foo f = this.foo nil This line didn't update the heap---we don't know anything new about it's structure. You could argue that we now know that there is a something called this.foo, but that doesn't actually matter to our analysis.
f.x = 3 (wr "f.x" 3 nil) write value 3 to access path "f.x"
new Y (wr "f.x" 3 nil) This doesn’t change our heap since we can’t actually access this value through an access path
f.y = new Y
(wr "f.y" (new Y) 
   (wr "f.x" 3 nil))
This time we’ve created a new Y and wr it to access path "f.y"

Creating a new object without invoking a constructor isn’t actually legal in Java (but it is legal in JVM bytecode). In practice, invoking a constructor might actually update the heap in some way, just as any other method invocation might update the heap in some way. I’ll reason about this later, but the easiest (and least precise) thing to do is to replace the heap with nil every time we invoke a method.


There is a problem with the above. nil can mean different things in different places. Consider the following example:

bool nilExample() {
    int x1 = this.x;
    methodThatMessesWithHeap();    // this might change `this.x`
    int x2 = this.x;
    return x1 == x2;
Line Heap After Executing Local Vars
x1 = this.x nil x1 = (rd this.x nil)
methodThatMessesWithHeap() nil x1 = (rd this.x nil)
x3 = this.x nil x1 = (rd this.x nil),
x2 = (rd this.x nil)

In practice we don’t know if this returns true or false, but an EGraph will think that this program alwasy returns true!

Really nil just means “I don’t know anything about this heap”. However, since EGraphs will identify two different nils through deduplication, for now I’ll assume that each nil is parameterized (i.e., (nil 1), (nil 2), etc). Once we introduce loops and method calls this will become a problem due to an arbitrary number of unknown heaps (i.e., every time a method is invoked). This will be a theme in the interplay between EGraphs and heaps: abstract states lead to unsound identifications. This is the fact that I’ll need to overcome.

Cornelius and Heap Summaries

I won’t need to summarize heaps until I include loops or recursion. This is because all access paths will be known statically. However at some point I’ll need to handle access paths of arbitrary length. For instance, consider the following Java code summing the elements of a linked list.

int sum(LLNode<Integer> n) {
  int total = 0;
  while (n != null) {
    total += n.value;
    n = n.next;
  return total;

The following table gives the access path of n for each iteration of the loop condition:

Iteration Access Path k-limiting, k = 2
0 (var n) (var n)
1 (var n).next (var n).next
2 (var n).next.next (var n).next.next
3 (var n).next.next.next (var n).next.next(.next)*
4 (var n).next.next.next.next (var n).next.next(.next)*

It’s plain that once we introduce loops we can get unbounded access paths. To address this we should use some sort of heap summary. A heap summary gives a bounded representation of a potentially unbounded heap model. There are a number of ways to do this, but they all involve the same technique: represent multiple abstract heap locations from the model by a single summary node.


One such summarization technique is called k-limiting. In k-limiting a positive integer k is chosen. All access paths with at most k field dereferences are treated normally. However, if more than k dereferences take place, these are summarized with a Kleene closure *.

Summaries and EGraphs

There is a pretty severe problem with summaries and EGraphs, and it’s a problem we already encountered with nil. Each summary node by definition represents more than a single abstract heap state but has a single syntactic representation. As a result, congruence can misfire! Taking the above table, suppose that we wanted to read the access paths:

Iteration Reading Access Path Reading w/ k-limiting, k = 2
0 (rd (var n)) (rd (var n))
1 (rd (var n).next) (rd (var n).next)
2 (rd (var n).next.next) (rd (var n).next.next)
3 (rd (var n).next.next.next) (rd (var n).next.next(.next)*)
4 (rd (var n).next.next.next.next) (rd (var n).next.next(.next)*)

The main problem with heap summaries as they relate to EGraphs is that they take an infinite set and turn it into a finite set (that’s the point, after all). This means that if I’m not careful I will lose soundness.