1 / 21

Shape Analysis with Structural Invariant Checkers

Shape Analysis with Structural Invariant Checkers. Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat. +. =. shape analyzer. analyzer. heap-aware analyzer. What’s shape analysis? What’s special?. Shape analysis tracks memory manipulation flow-sensitively.

edison
Download Presentation

Shape Analysis with Structural Invariant Checkers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat

  2. + = shape analyzer analyzer heap-aware analyzer What’s shape analysis? What’s special? Shape analysis tracks memory manipulation flow-sensitively.

  3. cur = list; while (cur != null) { assert(cur is red); make_purple(cur); cur = cur!next; } list list cur Typestate with shape analysis 1 region “list points to a red region” 1 region “list points to a red region” 1 region “list and cur point to a region that may be red orpurple” 2 regions “list points to a purple region up to cur and cur points to a red region” • make_purple(¢) could be • free(¢) • open(¢) • … lock(cur);

  4. Ç Ç Ç Ç Shape analysis is not yet practical • Scalability • Finding right amount of abstraction difficult Over-reliance on disjunction for precision • Repeated work to transition on each disjunct • Usability • Choosing the abstraction difficult • Depends on the program and the properties to verify

  5. Hypothesis The developer can describe the memory with a small number of abstract descriptions sufficient for the properties of interest. • Good abstraction is program-specific • Developer can only keep a few cases in her head • If only the shape analysis could get the developer’s abstraction (easily)

  6. bool redlist(List* l) { if (l == null) return true; else return l!color == red && redlist(l!next); } l Observation Checking code expresses a shape invariant and an intended usage pattern. red next red next red next

  7. Proposal An automated shape analysis with a memory abstraction based on invariant checkers. • Given: Program + Checker code • Extensible • Abstraction based on the developer-supplied checkers on a per-structure basis • Scalable (hopefully, based on hypothesis)

  8. Outline • Memory abstraction • Challenge: Intermediate invariants • Analysis algorithm • Challenge: Blurring to ensure termination • Comparison with TVLA • Experimental Results

  9. a b next list disjoint memory regions (i.e., sets of fields) values (memory address or null) +next  b list Abstract memory using checkers Graphical Diagram Formula @next  ¤list() “ is a list with at least one element” ¤ disjoint

  10. list() = 9. ( emp Æ= null) Ç ( a@next b¤list(b) Æa null) Checkers as inductive predicates bool list(List* l) { if (l == null) return true; else returnlist(l!next); } • Disjoint memory regions Checker run can dereference a field only once ¤

  11. redlist l purplelist redlist l cur purplelist l Challenge: Intermediate invariants assert(redlist(l)); cur = l; while (cur != null) { make_purple(cur); cur = cur!next; } assert(purplelist(l)); Prefix Segment Described by ? Suffix Described by checkers

  12. a b purplelist c l cur purplelist(l) c(a) purplelist(…) c(…) c(…) purplelist(cur) c(…) c() c(…) c(…) Prefix segments as partial checker runs Abstraction Computation Tree of a Checker Run Formula c() ¤– c()

  13. Outline • Memory abstraction • Challenge: Intermediate invariants • Analysis algorithm • Challenge: Blurring to ensure termination • Comparison with TVLA • Experimental Results

  14. next x next list x materialize: x!next, x!next!next Ç next next list x update: x!next = x!next!next next next list x Flow function: Unfold and update edges x!next = x!next!next; Unfold inductive definition Strong updates using disjointness of regions

  15. next list l, last cur next next list l last cur next next next list l last cur blur list next list list l last cur Challenge: Termination and precision last = l; cur = l!next; while (cur != null) { // … cur, last … if (…) last = cur; cur = cur! next; } Observation Previous iterates are “less unfolded” Fold into checker edges But where and how much?

  16. Traverse starting from variables Match same edges to identify where to fold Apply weakening rules next list next next next list v list list ? list next list last = l; cur = l!next; while (cur != null) { if (…) last = cur; cur = cur! next; } History-guided folding l l, last cur t l last cur v ? ? Yes l last cur

  17. Outline • Memory abstraction • Challenge: Intermediate invariants • Analysis algorithm • Challenge: Blurring to ensure termination • Comparison with TVLA • Experimental Results

  18. list list l cur l l l,cur l, cur l cur l cur l cur l cur Qualitative comparison with TVLA • Scalability • Disjunctions • Expressiveness • Currently, limited in comparison (no data properties) Cost 1: Spec less general Cost 2: Folding complicated Proposal Ç Ç Ç Ç Ç emp TVLA Ç Ç Ç

  19. Preliminary results • Verified structural invariants as given by checkers are preserved across data structure manipulation • Limitations (in scull driver) • Arrays not handled (rewrote as linked list), char arrays ignored • Promising as far as number of disjuncts

  20. + = shape analyzer analyzer heap-aware analyzer Conclusion • Shape analysis can improve higher-level analyses • Invariant checkers can form the basis of a memory abstraction that • Is easily extensible on a per-program basis • Expresses developer intent

More Related