1 / 39

Finding Optimum Abstractions in Parametric Dataflow Analysis

Finding Optimum Abstractions in Parametric Dataflow Analysis. Xin Zhang Georgia Tech. Mayur Naik Georgia Tech. Hongseok Yang University of Oxford. A Key Challenge for Static Analysis. Scalability. Precision. Our setting. Abstraction a. assert(x != null). Static Analysis S. Program p.

damita
Download Presentation

Finding Optimum Abstractions in Parametric Dataflow Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Finding Optimum Abstractions in Parametric Dataflow Analysis Xin Zhang Georgia Tech MayurNaik Georgia Tech Hongseok Yang University of Oxford

  2. A Key Challenge for Static Analysis Scalability Precision

  3. Our setting Abstraction a assert(x != null) Static Analysis S Program p Query q p ` q p 0 q

  4. Our setting a1 a2 S S p q1 q2 p ` q1 ? p ` q2 ?

  5. Our setting S S p q1 q2 p ` q1? p ` q2 ?

  6. Example 1: Predicate Abstraction Predicates to use as abstraction predicates Predicates to use in predicate abstraction S S p q1 q2 p ` q1? p ` q2 ?

  7. Example 2: Cloning­‐based Pointer Analysis K value to use for each call and each allocation site Predicates to use in predicate abstraction S S p q1 q2 p ` q1? p ` q2 ?

  8. Problem Statement • An efficient algorithm with: INPUTS: • program p and property q • abstractions A = { a1, …, an } • boolean function S(p, q, a) OUTPUT: • Proof: a 2 A: S(p, q, a) = true 8 a’ 2 A: (a’ · a Æ S(p, q, a’) = true) ) a’ = a • Impossibility: @ a 2 A: S(p, q, a) = true a S p q Optimum Abstraction p ` q ?

  9. Problem Statement 1111 most expensive • An efficient algorithm with: INPUTS: • program p and property q • abstractions A = { a1, …, an } • boolean function S(p, q, a) OUTPUT: • Proof: a 2 A: S(p, q, a) = true 8 a’ 2 A: (a’ · a Æ S(p, q, a’) = true) ) a’ = a • Impossibility: @ a 2 A: S(p, q, a) = true A S(p, q, a) !S(p, q, a) 0110 optimum 0000 least expensive Optimum Abstraction

  10. Example: Typestate Analysis Type-state set ts open() x = new File; <{closed}, {x}> y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); opened closed close() close() open() error

  11. Example: Typestate Analysis Must-alias accesspath set ms x = new File; <{closed}, {x}> y = x; <{closed}, {x}> z = x; <{closed}, {x}> x.open(); <{opened}, {x}> y.close(); <{opened, closed}, {x}> assert1(x, closed); assert2(x, opened); Only allows the accesspaths specified in the abstraction Strong update Weak update Failed Failed

  12. Example: TypestateAnalysis x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened);

  13. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert1(x, closed); x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); {} Failed Naïve approach: calculating weakest precondition (WP)

  14. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert1(x, closed); x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); unreachable Exponential Blowup! {} Failed Naïve approach: calculating weakest precondition (WP)

  15. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert1(x, closed); Too large? Let’s ignore part of it!

  16. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert1(x, closed); Unreachable

  17. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert1(x, closed); Intersect with the forward state

  18. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert1(x, closed); Keep as many disjuncts as possible Intersect with forward state

  19. Example: Typestate Analysis x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert1(x, closed); Failed Our approach: WP + Underapproximation

  20. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert1(x, closed); Failed Our approach: WP + Underapproximation

  21. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {x}> ↑ y = x; ↓<{closed}, {x}> ↑ z= x; ↓<{closed}, {x}> ↑ x.open(); ↓<{opened}, {x}> ↑ y.close(); ↓<{opened}, {x}> ↑ assert1(x, closed); Failed Our approach: WP + Underapproximation

  22. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {x}> ↑ y = x; ↓<{closed}, {x}> ↑ z= x; ↓<{closed}, {x}> ↑ x.open(); ↓<{opened}, {x}> ↑ y.close(); ↓<{opened}, {x}> ↑ assert1(x, closed); Failed Our approach: WP + Underapproximation

  23. Example: TypestateAnalysis x = new File; ↓<{closed}, {x}> y = x; ↓<{closed}, {x, y}> z = x; ↓<{closed}, {x, y}> x.open(); ↓<{opened}, {x, y}> y.close(); ↓<{closed}, {x, y}> assert1(x, closed); Proof! Our approach: WP + Underapproximation

  24. Example: TypestateAnalysis x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert2(x, opened); Failed Our approach: WP + Underapproximation

  25. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {}> ↑ y = x; ↓<{closed}, {}> ↑ z = x; ↓<{closed}, {}> ↑ x.open(); ↓<{closed, opened}, {}> ↑ y.close(); ↓top ↑ assert2(x, opened); Failed Our approach: WP + Underapproximation

  26. Example: TypestateAnalysis ↑ x = new File; ↓<{closed}, {x}> ↑ y = x; ↓<{closed}, {x}> ↑ z = x; ↓<{closed}, {x}> ↑ x.open(); ↓<{opened}, {x}> ↑ y.close(); ↓<{opened,closed}, {x}> ↑ assert2(x, opened); Failed Our approach: WP + Underapproximation

  27. Example: TypestateAnalysis In paper: a general framework for parametric dataflow analysis Impossibility! ↑ x = new File; ↓<{closed}, {x}> ↑ y = x; ↓<{closed}, {x}> ↑ z = x; ↓<{closed}, {x}> ↑ x.open(); ↓<{opened}, {x}> ↑ y.close(); ↓<{opened,closed}, {x}> ↑ assert2(x, opened); Failed Our approach: WP + Underapproximation

  28. Experiment • Implementation in Chord for Java programs • 2 Client Analyses: Typestate and Thread-Escape • Both fully context- and flow-sensitive analyses • Only scale with sparse parameters • 7 Java Benchmarks

  29. Benchmarks

  30. Precision: Thread-Escape Analysis 209 221 552 658 5857 14322 6726 (Total # Queries) Resolved: ~90% Previous: ~40% [POPL12]

  31. Precision: Typestate Analysis 12 72 170 71 7903 5052 3644 (Total # Queries)

  32. Scalability: Number of iterations

  33. Scalability: Number of iterations

  34. Scalability: Running time

  35. Scalability: Running time

  36. Size of optimal abstractions

  37. Size of optimal abstractions

  38. Related work • Modern pointer analysis • Demand-driven, query-driven, … • Heintze & Tardieu ’01, Guyer & Lin ’03, Sridharan & Bodik’06, ... • CEGAR model checkers: SLAM, BLAST, YOGI, … • Work on concrete counterexamples • Can disprove queries No optimality guarantee – can over-refineand hurt scalability. No impossibility - can cause divergence.

  39. Thank you! Q&A

More Related