
Reduction in End-User Shape Analysis

Reduction in End-User Shape Analysis. Bor-Yuh Evan Chang, University of Colorado, Boulder, and Xavier Rival, INRIA and ENS Paris. Dagstuhl: Typing, Analysis, and Verification of Heap-Manipulating Programs, July 24, 2009.


Presentation Transcript


  1. Reduction in End-User Shape Analysis
     Bor-Yuh Evan Chang, University of Colorado, Boulder
     Xavier Rival, INRIA and ENS Paris
     Dagstuhl: Typing, Analysis, and Verification of Heap-Manipulating Programs, July 24, 2009
     If some of the symbols are garbled, try either installing TexPoint (http://texpoint.necula.org) or the TeX fonts (http://www.cs.colorado.edu/~bec/texpoint-fonts.zip).

  2. Why think about the analyzer’s end-user?
     (Figure: User and Tool.)
     • Accessibility
       • end-users are not experts in verification and logic
       • want adoption of our tools and techniques
     • Expressivity, Efficiency, and Feasibility
       • end-users are not completely incompetent either
       • can provide guidance to tools, understand the code best
     Bor-Yuh Evan Chang and Xavier Rival - Reduction in End-User Shape Analysis

  3. Shape analysis is an abstract interpretation on abstract memory descriptions with …
     • Splitting of summaries (materialization), to reflect updates precisely
     • And summarizing for termination (summarization)
     Main Design Decision: Summaries and their operations
     (Figure: a “sorted dl list” l with cursor cur, showing the summary being split and re-summarized as cur advances.)

  4. The Wild Wild World of Shape Analysis
     Choosing the heap abstraction is difficult. Some representative approaches:
     • TVLA [Sagiv et al.]: parametric in low-level, analyzer-oriented predicates
       + Very general and expressive
       - Harder for non-experts
     • Space Invader [Distefano et al.]: built-in high-level predicates
       + No additional user effort
       - Harder to extend
     • Our approach (Xisa): parametric in high-level, developer-oriented predicates
       + Extensible
       + Targeted to developers

  5. Our Approach: Executable Specifications
     Utilize “run-time validation code” as specification for static analysis. Build the abstraction for analysis directly out of the developer-supplied validation code.
     Checker, as run-time validation code (p specifies where prev should point):
       h.dll(p) :=
         if (h = null) then true
         else h->prev = p and h->next.dll(h)
     The same checker read as an inductive definition in separation logic:
       h.dll(p) := h = null ∧ emp
                 ∨ ∃n. h@prev ↦ p ∗ h@next ↦ n ∗ n.dll(h)
     Example program:
       assert(l.purple_dll(null));
       for each node cur in list l { make cur red; }
       assert(l.red_dll(null));
     • Automatically generalize checkers for intermediate states (generalized segment)
     (Figure: list l part-way through the loop, with cur marking the split between the red prefix and the purple remainder.)

  6. Xisa is …
     An automated shape analysis with a precise memory abstraction based around invariant checkers.
     • Extensible and targeted for developers
       • Parametric in developer-supplied checkers, viewed as inductive definitions in separation logic
     • Precise yet compact abstraction for efficiency
       • Data structure-specific, based on properties of interest to the developer
     (Figure: checkers such as the following are the input to Xisa.)
       h.dll(p) =
         if (h = null) then true
         else h->prev = p and h->next.dll(h)

  7. Problem: Non-Unique Representations
     With user-guided abstraction, different summaries may have the same (or related) concretizations.
     Checkers:
       l.dll(p) :=
         if (l = null) then true
         else l->prev = p and l->next.dll(l)
       l.dll_back(n) :=
         if (l = null) then true
         else l->next = n and l->prev.dll_back(l)
     (Figure: one concrete instance, a doubly-linked list with head h and tail t, summarized as h.dll(null) by the first checker and as t.dll_back(null) by the second.)

  8. Need: Convert between related summaries
     • Prove lemmas about related checkers, e.g., the relation between dll and dll_back
     Observation: Our widening operator can derive these facts on an appropriate program.
     Basic Idea: instantiate the parametric abstract domain with l.dll(p) := … and let summarization (widening) derive the semantics of dll_back.
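The dll and dll_back checkers above, written as run-time validation code in Python and run over one constructed doubly-linked list, make the non-unique representation concrete. This is an added example, not code from the talk or from Xisa; the Node class and the list builder are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    """Constructed doubly-linked list node, the shape the dll checker assumes."""
    prev: Optional[Node] = None
    next: Optional[Node] = None


def dll(h: Optional[Node], p: Optional[Node]) -> bool:
    """h.dll(p) from the slides as run-time validation code: p says where h.prev must point."""
    if h is None:
        return True
    return h.prev is p and dll(h.next, h)


def dll_back(t: Optional[Node], n: Optional[Node]) -> bool:
    """t.dll_back(n): the same shape validated from the tail, walking prev instead of next."""
    if t is None:
        return True
    return t.next is n and dll_back(t.prev, t)


def build_dll(length: int) -> list[Node]:
    """Assumed helper: a well-formed list of `length` nodes, head first."""
    nodes = [Node() for _ in range(length)]
    for i, nd in enumerate(nodes):
        nd.prev = nodes[i - 1] if i > 0 else None
        nd.next = nodes[i + 1] if i + 1 < length else None
    return nodes


def both_views_hold(length: int) -> bool:
    """Non-unique representation: one concrete instance satisfies both
    h.dll(null) (summary rooted at the head) and t.dll_back(null) (rooted at the tail)."""
    nodes = build_dll(length)
    head = nodes[0] if nodes else None
    tail = nodes[-1] if nodes else None
    return dll(head, None) and dll_back(tail, None)


def corrupted_prev_case() -> tuple[bool, bool]:
    """Break one prev pointer: the head-rooted checker fails, yet the tail-rooted one still
    passes, because each checker only validates the cells it walks (its footprint) and the
    tail-rooted walk stops at the break. The two summaries are related, not interchangeable,
    which is why a lemma tying their endpoints together is needed."""
    nodes = build_dll(3)
    nodes[1].prev = None  # corrupt: should be nodes[0]
    return dll(nodes[0], None), dll_back(nodes[2], None)
```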

  9. Need: Convert between related summaries
     • Find out which lemmas are needed and when to apply them during program analysis
       • work-in-progress
       • not in this talk

  10. New “Pre-Program Analysis Analysis”
     (Figure: architecture of the Xisa shape analyzer.)
     • Checker analysis (“pre-program analysis”): derives information about checkers to use them effectively
       • level-type inference for unfolding
       • lemma proving for reduction
     • Program analysis (abstract interpretation)
       • splitting and interpreting update
       • summarizing
     Checkers, e.g.:
       dll(h, p) =
         if (h = null) then true
         else h->prev = p and dll(h->next, h)

  11. Outline
     • Memory abstraction
       • graphs
       • segments
     • A semantics of checker definitions
       • Example: a segment of a list, a list segment

  12. Abstract memory as graphs
     Make endpoints and segments explicit.
     (Figure: abstract memory graph for list l with cursor cur, over nodes α, β, γ, δ.)
     • node (α, β, γ, δ): memory address (value)
     • thin edge, e.g. γ@next ↦ δ: one memory cell (points-to: γ->next = δ)
     • checker summary, e.g. dll(null), dll(β), dll(γ): an inductive predicate standing for some number of memory cells (thin edges)
     • segment summary (“dll segment”), α.dll(null) ∗= γ.dll(β): the segment generalization of a checker (intuitively, α.dll(null) up to γ.dll(β))
     Checker:
       h.dll(p) =
         if (h = null) then true
         else h->prev = p and h->next.dll(h)
     The abstract state at cur as a formula:
       (α.dll(null) ∗= γ.dll(β)) ∗ γ@prev ↦ β ∗ γ@next ↦ δ ∗ δ.dll(γ)

  13. … Segments as Partial Checker “Runs” (conceptually) [POPL’08]
     (Figure: “Summary” versus “Instance”. A complete checker “run” of α.dll(null) unfolds through β.dll(α), γ.dll(β), δ.dll(γ), null.dll(δ) along next and prev edges; a segment summary from c(α, γ) to c′(β, γ′) is read as a partial run, the case i = 0 with α = γ and β = null being the empty segment.)

  14. Outline
     • Memory abstraction
       • graphs
       • segments
     • A semantics of checker definitions
       • Example: a segment of a list, a list segment

  15. Example: User-Defined List Segments
     Checkers:
       l.ls(e) :=
         if (l = e) then true
         else l->next.ls(e)
       l.list() :=
         if (l = null) then true
         else l->next.list()
     Want a decision procedure for inclusions between the summaries these checkers give, e.g.:
       α.ls(β)   (“a list segment”, the user-defined checker)
         ⊑ ?
       α.list() ∗= β.list()   (“a segment of a list”, the generalized segment of list)
     Can reuse our parametric abstract domain!

  16. An Alternative Semantics for Checkers
     A summary is a generator of “concrete” graphs. Unfolding α.ls(β) yields the set of concrete stores
       α = β (no cells),
       α@next ↦ α′ with α′ = β,
       α@next ↦ α′ ∗ α′@next ↦ α″ with α″ = β,
       …
     (Figure: the unfoldings drawn as graphs with l = α and e = β; a concrete store fixes addrof(α) and addrof(β).)

  17. Show α.ls(β) ⊑ α.list() ∗= β.list()
     Apply abstract interpretation using only list as a checker parameter to the domain.
     • Widening [SAS’07]
       • Properties
         • Soundness: computes an over-approximation
         • Termination: ensures chain stabilizes
       • Algorithm
         • Iteratively split regions by matching nodes (ok by ∗)
         • Find common abstraction for matched regions (calling on ⊑ to check inclusion)
     • Our widening
       • is a non-symmetric binary operator
       • interleaves region matching and summarizing
     (Figure: the successive unfoldings of α.ls(β) widened (∇) step by step into α.list() ∗= β.list().)

  18. Inclusion Check
     Inclusion Check Algorithm:
     • Iteratively split regions by matching nodes
     • Check inclusion by unfolding and matching edges until obvious (emp ⊑ emp)
     (Figure: α@next ↦ α′ ∗ α′@next ↦ … with the last node equal to β, checked against α.list() ∗= β.list() by unfolding the segment and matching next edges.)
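As an added example (not from the talk or from Xisa), the generator reading of α.ls(β) from slide 16 and the unfold-and-match inclusion check of slide 18 against the segment α.list() ∗= β.list(), in Python over a dict-based concrete graph. Node names, the unfolding depth and the graph encoding are constructed assumptions.

```python
from __future__ import annotations

# A "concrete" graph is a dict from a node to the node its next field points to,
# one entry per memory cell alpha@next |-> beta. Node names are constructed symbols.


def unfold_ls(alpha: str, beta: str, cells: int) -> tuple[str, dict[str, str]]:
    """Generator reading of alpha.ls(beta): unfolding the checker `cells` times yields
    one concrete graph with that many next cells ending at beta. Zero unfoldings is the
    case alpha = beta: the empty graph, with alpha identified with beta.
    Returns (start node, graph); intermediate nodes are alpha', alpha'', ..."""
    if cells == 0:
        return beta, {}
    names = [alpha] + [alpha + "'" * i for i in range(1, cells)] + [beta]
    return alpha, {names[i]: names[i + 1] for i in range(cells)}


def included_in_list_segment(node: str, edges: dict[str, str], end: str) -> bool:
    """Decide graph ⊑ node.list() ∗= end.list() by unfolding and matching edges.
    The segment is either emp (only when node = end and no cells remain: emp ⊑ emp,
    the obvious case) or node@next |-> n ∗ n.list() ∗= end.list(): match the
    points-to edge the store must have, drop it, and continue with the rest."""
    if node == end and not edges:
        return True
    if node not in edges:
        return False  # the summary demands a cell the store does not have
    rest = {k: v for k, v in edges.items() if k != node}
    return included_in_list_segment(edges[node], rest, end)


def ls_included_in_list_segment(max_cells: int = 6) -> bool:
    """Bounded check of alpha.ls(beta) ⊑ alpha.list() ∗= beta.list(): every graph the
    ls checker generates with up to max_cells cells is accepted by the segment."""
    return all(
        included_in_list_segment(*unfold_ls("α", "β", k), "β")
        for k in range(max_cells + 1)
    )


def counterexamples() -> tuple[bool, bool]:
    """Two constructed stores the segment must reject: a null-terminated list that never
    reaches β, and a store with a cell past β that no unfolding of the segment covers."""
    dangling = included_in_list_segment("α", {"α": "α'", "α'": "null"}, "β")
    leftover = included_in_list_segment("α", {"α": "β", "β": "γ"}, "β")
    return dangling, leftover
```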

  19. Summary: Reuse domain to decide relations amongst checker definitions
     (Figure: the Xisa architecture from slide 10. Checker analysis (“pre-program analysis”), with level-type inference for unfolding and lemma proving for reduction, feeds program analysis (abstract interpretation: splitting and interpreting update, summarizing).)
     Checkers, e.g.:
       dll(h, p) =
         if (h = null) then true
         else h->prev = p and dll(h->next, h)

  20. Conclusion and Next Steps
     • Non-unique representation problem magnified with user-supplied checkers
     • Need reduction to convert between representations
     • Ordering on checkers needed to apply reduction
     • Ordering shown by applying Xisa to a checker definition
     • To put into practice
       • Needed lemmas: pre-compute ordering or on-demand?
       • When to apply: level types for unfolding may help
       • Derive new checkers (e.g., dll_back from dll)?

  21. http://xisa.cs.berkeley.edu
