Interprocedural shape analysis for cutpoint-free programs

Interprocedural shape analysisfor cutpoint-free programs Noam Rinetzky Tel Aviv University Joint work with Mooly Sagiv Tel Aviv University Eran Yahav IBM Watson

Motivation • Interprocedural shape analysis • Conservative static pointer analysis • Heap intensive programs • Imperative programs with (recursive) procedures • Linked data structures • Challenge • Destructive update • Localized effect of procedures

x x x x x x y g t Main idea • Local heaps call p(x); y g t

x x x x x ? y g t Main idea • Local heaps • Cutpoint freedom POPL ’05 SAS ’05 call p(x); y g t

Cutpoints • An object is a cutpoint for an invocation • Reachable from actual parameters • Not pointed to by an actual parameter • Reachable without going through a parameter call p(y,z) call p(y,z) n n n n y y n n t t x z z

Cutpoint freedom • Cutpoint-free • Invocation: has no cutpoints • Execution: every invocation is cutpoint-free • Program: every execution is cutpoint-free call p(y,z) call p(y,z) n n n n x y n n t y t z x z

n x t t Cutpoint freedom: benefits • Restricted aliasing • Procedure ~function • Input / output relation call p(y,z); call p(y,z); n n n y y x z z Not Cutpoint free Cutpoint free

Main results • Cutpoint freedom • Non-standard concrete semantics • Verifies that an execution is cutpoint-free • Local heaps • Interprocedural shape analysis • Conservatively verifies • program is cutpoint free • Desired properties • Partial correctness of quicksort • Procedure summaries • Prototype implementation

Plan • Cutpoint freedom • Non-standard concrete semantics • Interprocedural shape analysis • Prototype implementation • Related work

Programming model • Single threaded • Procedures • Value parameters • Formal parameters not modified • Recursion • Heap • Recursive data structures • Destructive update • No explicit addressing (&) • No pointer arithmetic

Memory states • A memory state encodes a local heap • Local variables of the current procedure invocation • Relevant part of the heap • Relevant  Reachable main append q p n n x t y z

Memory states • Represented by first-order logical structures

Memory states • Represented by first-order logical structures q p n u1 u2

Operational semantics • Statements modify values of predicates • Specified by predicate-update formulae • Formulae in FO-TC

Procedure call rule • Large step semantics • Procedure ~ input/output relation

q q q p p p n n n n x x t t n n y z 1. Verify cutpoint freedom 2 Compute input … Execute callee … 3 Combine output Procedure call rule • Large step semantics • Procedure ~ input/output relation main() { append(y,z); } append(List p, List q) { … } n y z

Procedure call: 1. Verifying cutpoint-freedom • An object is a cutpoint for an invocation • Reachable from actual parameters • Not pointed to by an actual parameter • Reachable without going through a parameter append(y,z) append(y,z) n n n n y y n x x z z n t t Not Cutpoint free Cutpoint free

Procedure call: 1. Verifying cutpoint-freedom • Invoking append(y,z) in main • R{y,z}(v)=v1:y(v1)n*(v1,v)  v1:z(v1)n*(v1,v) • isCPmain,{y,z}(v)= R{y,z}(v)  (y(v)z(v1))  ( x(v)  t(v)  v1: R{y,z}(v1)n(v1,v)) (main’s locals: x,y,z,t) n n n n y y n x x z z n t t Not Cutpoint free Cutpoint free

Input state n n p q Procedure call: 2. Computing the input local heap • Retain only reachable objects • Bind formal parameters Call state n n y x z n t

n Output state n n p q Procedure body: append(p,q) Input state n n p q

n n p q Procedure call:3. Combine output Output state Call state n n n y x z n t

n n y n z x n t Procedure call:3. Combine output Output state Call state n n n n n y p x z q n t Auxiliary predicates inUc(v) inUx(v)

Observational equivalence • CPF  CPF (Cutpoint free semantics) • GSB  GSB (Standard semantics) CPF and GSBobservationally equivalent when for every access paths AP1, AP2  AP1 = AP2 (CPF)  AP1 = AP2 (GSB)

Observational equivalence • For cutpoint free programs: • CPF  CPF (Cutpoint free semantics) • GSB  GSB (Standard semantics) • CPF and GSB observationally equivalent • It holds that • st, CPF  ’CPF st, GSB  ’GSB • ’CPF and ’GSB are observationally equivalent

Operational semantics Abstract transformer ’ ’ Introducing local heap semantics ~ Local heap Operational semantics

Shape abstraction • Abstract memory states represent unbounded concrete memory states • Conservatively • In a bounded way • Using 3-valued logical structures

3-Valued logic • 1 = true • 0 = false • 1/2 = unknown • A join semi-lattice, 0  1 = 1/2

z y n x n n n n t Canonical abstraction y z n n n n n x n n t

z y n x n n n n t Canonical abstraction y z n n n n n x n n n t

Instrumentation predicates • Record derived properties • Refine the abstraction • Instrumentation principle [SRW, TOPLAS’02] • Reachability is crucial!

z y n n n n n rx rx,ry rz rz rx x n n rt rt t Abstract memory states (with reachability) z y n n n n n rz rx rx rx rx,ry rz rz rz rx rx rx rx,ry rz rz x n n rt rt rt rt rt rt t

z y n x n n n n t The importance of reachability:Call append(y,z) z y n n n n n rz rx rx rx rx,ry rz rz x n n rt rt rt t y z n n n n n x rx rx,ry rz rz rx n n rt rt t

Abstract semantics • Conservatively apply statements on abstract memory states • Same formulae as in concrete semantics • Soundness guaranteed [SRW, TOPLAS’02]

Procedure calls 1. Verify cutpoint freedom 2 Compute input … Analyze callee … 3 Combine output

Conservative verification of cutpoint-freedom • Invoking append(y,z) in main • R{y,z}(v)=v1:y(v1)n*(v1,v)  v1:z(v1)n*(v1,v) • isCPmain,{y,z}(v)= R{y,z}(v)  (y(v)z(v1))  ( x(v)  t(v)  v1: R{y,z}(v1)n(v1,v)) n n n n n ry ry ry ry rx ry rz y y rz n n n n z z x rt rt rt rt t t Not Cutpoint free Cutpoint free

Interprocedural shape analysis

Interprocedural shape analysis p p x x y Tabulation exits call f(x) y

Interprocedural shape analysis p p p x p x y Analyze f Tabulation exits call f(x) y

Interprocedural shape analysis • Procedure  input/output relation Output Input q q rq rq q q p p n rq rp rp rp rq n q n p p … q n n n rp rp rp rq rq rp rp

rh ri rk rg q q p p n rq rp rp rp rq y z z y x x append(y,z) n ry rx rx ry ry rz x x y y z z n n append(y,z) n n n n n ry rx rz rz ry rx rx rx ry rx rx rx g g i i k k h h append(h,i) n n n rk ri rg rh rg rh rg Interprocedural shape analysis • Reusable procedure summaries • Heap modularity

Prototype implementation • TVLA based analyzer • Soot-based Java front-end • Parametric abstraction

Iterative vs. Recursive (SLL) 585

Inline vs. Procedural abstraction // Allocates a list of // length 3 List create3(){ … } main() { List x1 = create3(); List x2 = create3(); List x3 = create3(); List x4 = create3(); … }

Call string vs. Relational vs. CPF[Rinetzky and Sagiv, CC’01] [Jeannet et al., SAS’04]

Related work • Interprocedural shape analysis • Rinetzky and Sagiv, CC ‘01 • Chong and Rugina, SAS ‘03 • Jeannet et al., SAS ‘04 • Hackett and Rugina, POPL ‘05 • Rinetzky et al., POPL ‘05 • Local Reasoning • Ishtiaq and O’Hearn, POPL ‘01 • Reynolds, LICS ‘02 • Encapsulation • Hogg, OOPSLA ‘91 • ...

SAS’ 05 Local heaps Cutpoint: forbidden Simple call rule Automatically detects cutpoint freedom New shape analysis sorting (quicksort) Prototype POPL’ 05 Local heaps Cutpoints: allowed Complicated call rule Cutpoints may hurt precision Justify existing analysis New shape analysis Abstract objects Abstract cutpoints Related work

Restricted local heap sharing Parameters dominate local heap Unrestricted intraprocedural sharing Dynamic domination Technique Abstract interpretation Cutpoint-free programs Hard to scale Automatic Restricted heap sharing Owner(s) dominate heap references Unrestricted stack sharing Static domination Technique Type systems Type-correct programs Scalable User annotation Cutpoint freedom vs. Encapsulation(?)

Interprocedural shape analysis for cutpoint-free programs