
Lazy Abstraction

Lazy Abstraction, Lecture 3: Partial Analysis. Ranjit Jhala, UC San Diego. With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.


Presentation Transcript


  1. Lazy Abstraction, Lecture 3: Partial Analysis. Ranjit Jhala, UC San Diego. With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre

  2. A Problem with Program Analysis
      Whole program analysis (Library + Client) is not always possible:
      • Availability: client code missing
      • Scalability: whole system too large

  3. Partial Program Analysis
      • Find an interface for the Library
      • Use the interface to verify the Client

  4. Partial Program Analysis
      Availability: the interface is independent of the Client.
      Scalability: the interface is small, an abstraction of the Library.

  5. What is an Interface?
      Library states are partitioned into Legal and Error states.
      Interface: constraints on legal uses of the API, i.e. the API call sequences after which the library is in a legal state.

  6. Example
      Library: static e=0; static a=NULL;
        acq()  { if(a==NULL){ a:=m_new(); } else e:=1; return; }
        read() { if(a!=NULL){ a:=m_rd(a); } else e:=1; return; }
        rel()  { a:=NULL; return; }
      Library states: Legal (e=0), Error (e!=0).
      Interface: typestates n0 (initial), n1 and n2 (the error typestate), with edges
        n0 --acq--> n1,  n0 --rel--> n0,  n0 --read--> n2,
        n1 --read--> n1, n1 --rel--> n0,  n1 --acq--> n2.
      Safe: Interface ⊆ Legal Call Sequences

  7. Safety Not Enough!
      Library: static e=0, a=NULL, x=0;
        acq()   { if(a==NULL){ a:=m_new(); } else e:=1; return; }
        acqx()  { if(a==NULL){ a:=m_new(); x:=1; } else e:=1; }
        read()  { if(a!=NULL){ a:=m_rd(a); } else e:=1; return; }
        write() { if(x!=0){ m_wr(a); } else e:=1; return; }
        rel()   { a:=NULL; return; }
        relx()  { a:=NULL; x:=0; }
      Candidate interface (acq/x stands for acq or acqx, rel/x for rel or relx):
        n0 --rel/x--> n0, n0 --acq/x--> n1, n0 --read--> n2, n0 --write--> n2,
        n1 --read--> n1, n1 --rel/x--> n0, n1 --acq/x--> n2, n1 --write--> n2.
      This interface is safe, but it disallows every call to write: useless for Partial Program Analysis.

  8. Permissive Interfaces
      Same library as slide 7. A permissive interface distinguishes the two acquire calls: typestates n0, n1, n2, n3 with edges labelled acq, acqx, read, write, rel/x and relx, where acqx leads to a typestate (n3) in which write is legal, while acq leads to n1, where only read is legal.
      Permissive: Legal Call Sequences ⊆ Interface
      Partial Analysis needs Safe + Permissive Interfaces

  9. Plan 1. Motivation 2. Characterizing Safe, Permissive Interfaces 3. Computing Safe, Permissive Interfaces 4. Extensions 5. Experiments

  10. Plan 1. Motivation 2. Characterizing Safe, Permissive Interfaces 3. Computing Safe, Permissive Interfaces 4. Extensions 5. Experiments

  11. Typestate Interpretations
      The interface is a typestate system: an abstraction of the library's internal state.
      A typestate interpretation maps each typestate n to a region r that over-approximates the possible internal states at n.
      For an edge n --f--> n' with regions r and r':
      (P1) Initial states in r0 (the region of n0)
      (P2) Every edge: Post(r, f) ⊆ r'
      Example interpretation of the interface of slide 6: n0 ↦ a=0, n1 ↦ a≠0, n2 ↦ e≠0.

  12. Typestate Interpretations, (P2) for acq: acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;}
      Edges n0 --acq--> n1 and n1 --acq--> n2: Post(a=0, acq) ⊆ a≠0 and Post(a≠0, acq) ⊆ e≠0.

  13. Typestate Interpretations, (P2) for read: read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;}
      Edges n1 --read--> n1 and n0 --read--> n2: Post(a≠0, read) ⊆ a≠0 and Post(a=0, read) ⊆ e≠0.

  14. Typestate Interpretations, (P2) for rel: rel(){ a:=NULL; return;}
      Edges n0 --rel--> n0 and n1 --rel--> n0: Post(a=0, rel) ⊆ a=0 and Post(a≠0, rel) ⊆ a=0.


  16. Safe Interpretations
      Interface of slide 6 with n0 ↦ a=0, n1 ↦ a≠0, n2 ↦ e≠0.
      (P1) Initial states in r0
      (P2) Every edge n --f--> n': Post(r, f) ⊆ r'
      (P3) Every legal typestate n: r ⊆ ¬Err

  17. Safe Interpretations
      Theorem: Safe Interpretation implies Safe Interface.
      (P1) Initial states in r0; (P2) Every edge: Post(r, f) ⊆ r'; (P3) Every legal typestate: r ⊆ ¬Err.

  18. Permissive Interpretations
      Interface of slide 6 with n0 ↦ a=0, n1 ↦ a≠0, n2 ↦ e≠0.
      (P1) Initial states in r0
      (P2) Every edge n --f--> n': Post(r, f) ⊆ r'
      (P4) Every illegal typestate n: r ⊆ Err

  19. Permissive Interpretations
      Theorem: Permissive Interpretation implies Permissive Interface.
      (P1) Initial states in r0; (P2) Every edge: Post(r, f) ⊆ r'; (P4) Every illegal typestate: r ⊆ Err.

  20. Sanity Check
      Library of slide 7 (static e=0, a=NULL, x=0; acq, acqx, read, write, rel, relx) and the candidate interface of slide 7, with interpretation n0 ↦ a=0, n1 ↦ a≠0, n2 ↦ e≠0.
      Q: Why is this not a permissive interface?

  21. Sanity Check
      write(){ if(x!=0){ m_wr(a); } else e:=1; return;}
      Edge n1 --write--> n2: Post(a≠0, write) = (e≠0 ∨ e=0), which is not ⊆ e≠0.
      Q: Why not a permissive interface? A: (P2) fails! Not an interpretation.

  22. Sanity Check
      Relabel n2 with e≠0 ∨ e=0, so that (P2) holds on n1 --write--> n2. Now (P4) Every illegal typestate: r ⊆ Err fails for n2.
      Q: Why not a permissive interface? A: (P4) fails! Not a permissive interpretation.
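The (P1)-(P4) check of slides 11-22, as an added Python example that is not part of the lecture. Once a is modelled as NULL or non-NULL the library of slide 7 has a finite state space (a, e, x), so a region is a set of states and Post is computed exactly; this assumes m_new() and m_rd() return a non-NULL pointer and m_wr() changes nothing. check_interpretation returns the violated properties. On the candidate of slides 20-21 it reports (P2) for the edge n1 --write--> n2 (and, for the same reason, for n0 --write--> n2: the region a=0 does not exclude x=1); on the widened interpretation of slide 22 it reports (P4) for n2; the interface of slide 6 with the same interpretation passes.

```python
from itertools import product

# Library state is the tuple (a, e, x). a is NULL (0) or a non-NULL
# pointer (1), which is all the API inspects; e and x are the flags of
# slide 7. Assumption: m_new()/m_rd() return a non-NULL pointer and
# m_wr() leaves a, e and x unchanged.
NULL, PTR = 0, 1

def acq(s):
    a, e, x = s
    return (PTR, e, x) if a == NULL else (a, 1, x)

def acqx(s):
    a, e, x = s
    return (PTR, e, 1) if a == NULL else (a, 1, x)

def read(s):
    a, e, x = s
    return (PTR, e, x) if a != NULL else (a, 1, x)

def write(s):
    a, e, x = s
    return s if x != 0 else (a, 1, x)

def rel(s):
    a, e, x = s
    return (NULL, e, x)

def relx(s):
    a, e, x = s
    return (NULL, e, 0)

API = {"acq": acq, "acqx": acqx, "read": read, "write": write,
       "rel": rel, "relx": relx}
STATES = set(product((NULL, PTR), (0, 1), (0, 1)))
INIT = (NULL, 0, 0)
ERR = {s for s in STATES if s[1] != 0}          # Error states: e != 0

def region(pred):
    """The set of library states satisfying pred(a, e, x)."""
    return {s for s in STATES if pred(*s)}

def post(r, call):
    """Post(r, f): the states reachable from r by one call of f."""
    return {API[call](s) for s in r}

def check_interpretation(edges, r, init_ts, illegal):
    """Violations of (P1)-(P4) for a candidate interpretation r
    (typestate -> region) of the interface given by edges, which are
    triples (n, call, n'), with the given set of illegal typestates."""
    failures = []
    if INIT not in r[init_ts]:                               # (P1)
        failures.append(("P1", init_ts))
    for n, call, n2 in edges:                                # (P2)
        if not post(r[n], call) <= r[n2]:
            failures.append(("P2", n, call, n2))
    for n in r:
        if n not in illegal and r[n] & ERR:                  # (P3)
            failures.append(("P3", n))
        if n in illegal and not r[n] <= ERR:                 # (P4)
            failures.append(("P4", n))
    return failures

# Candidate interface of slides 7 and 20: write is only ever sent to the
# error typestate n2, which absorbs every call (assumption).
SLIDE20_EDGES = (
    [("n0", c, "n0") for c in ("rel", "relx")]
    + [("n0", c, "n1") for c in ("acq", "acqx")]
    + [("n0", c, "n2") for c in ("read", "write")]
    + [("n1", "read", "n1")]
    + [("n1", c, "n0") for c in ("rel", "relx")]
    + [("n1", c, "n2") for c in ("acq", "acqx", "write")]
    + [("n2", c, "n2") for c in API])

# Interface of slide 6 (only acq, read, rel), n2 absorbing as above.
SLIDE6_EDGES = [("n0", "rel", "n0"), ("n0", "acq", "n1"), ("n0", "read", "n2"),
                ("n1", "read", "n1"), ("n1", "rel", "n0"), ("n1", "acq", "n2")] \
    + [("n2", c, "n2") for c in ("acq", "read", "rel")]

# Interpretation of slides 20-21: n0 -> a=0, n1 -> a!=0, n2 -> e!=0, with
# e=0 made explicit on the legal typestates as in the ARG of slide 32.
R_SLIDE21 = {"n0": region(lambda a, e, x: a == NULL and e == 0),
             "n1": region(lambda a, e, x: a != NULL and e == 0),
             "n2": region(lambda a, e, x: e != 0)}
# Slide 22: n2 widened to e!=0 \/ e=0, i.e. every state.
R_SLIDE22 = dict(R_SLIDE21, n2=set(STATES))

def sanity_check():
    """Violations for the interpretations of slide 21 and slide 22."""
    return (check_interpretation(SLIDE20_EDGES, R_SLIDE21, "n0", {"n2"}),
            check_interpretation(SLIDE20_EDGES, R_SLIDE22, "n0", {"n2"}))

if __name__ == "__main__":
    print("slide 21:", sanity_check()[0])
    print("slide 22:", sanity_check()[1])
    print("slide 6: ", check_interpretation(SLIDE6_EDGES, R_SLIDE21, "n0", {"n2"}))
```

Because the state space is finite the regions are enumerated rather than represented symbolically; the same four checks apply unchanged when Post is computed by a decision procedure over formulas, which is what the lecture's tool does.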

  23. Plan 1. Motivation 2. Characterizing Safe, Permissive Interfaces 3. Computing Safe, Permissive Interfaces 4. Extensions 5. Experiments

  24. Computing Interfaces
      Problem A: Interface Checking. Given Library, candidate interface I, abstraction Π: check if I is safe, permissive.
      Problem B: Interface Reconstruction. Given Library, abstraction Π: reconstruct a safe, permissive interface I.
      Problem C: Interface Inference. Given Library: infer a safe, permissive interface I.

  25. A. Interface Checking
      Problem A: Given Library, candidate interface I, abstraction Π: check if I is safe, permissive.
      Check Safe and Permissive independently.

  26. A. Interface Checking [Safe]
      Library and interface of slide 6: static e=0; static a=NULL;
        acq()  { if(a==NULL){ a:=m_new(); } else e:=1; return; }
        read() { if(a!=NULL){ a:=m_rd(a); } else e:=1; return; }
        rel()  { a:=NULL; return; }
      with edges n0 --acq--> n1, n0 --rel--> n0, n0 --read--> n2, n1 --read--> n1, n1 --rel--> n0, n1 --acq--> n2.

  27. A. Interface Checking [Safe]
      Library states: Legal (e=0), Error (e!=0).
      Idea: treat the Interface as a Client and analyze Interface Client + Library.
      Verify assertion: Client in legal location ⇒ Library in legal state.

  28. A. Interface Checking [Permissive]
      Same library and interface as slide 26.
      Problem A: Given Library, candidate interface I, abstraction Π: check if I is safe, permissive.

  29. A. Interface Checking [Permissive]
      Library states: Legal (e=0), Error (e!=0).
      Idea: analyze Interface Client + Library.
      Verify assertion: Client in illegal location ⇒ Library in illegal state.

  30. A. Interface Checking
      Safe and Permissive are both checkable by assertion verification!

  31. Abstract Reachability Graphs
      Assertion verification for Problem A is done on an abstract reachability graph.

  32. Abstract Reachability Graphs
      Library and interface of slide 6; predicate abstraction Π = {a=0, e=0}.
      Slides 32-43 build the abstract reachability graph (ARG) of Interface Client + Library one call at a time. Each node is an interface location together with an abstract state over Π:
        node 0: location n0, a=0, e=0 (initial)
        0 --acq()--> node 1: location n1, ¬a=0, e=0
        1 --rel()--> location n0, a=0, e=0: covered by node 0
        0 --rel()--> location n0, a=0, e=0: covered by node 0
        0 --read()--> node 2: location n2, ¬e=0
        2 --acq()--> location n2, ¬e=0: covered by node 2
        1 --read()--> location n1, ¬a=0, e=0: covered by node 1
      Exploration stops once every successor is covered by an existing node.

  44. Abstract Reachability Graphs
      Library states: Legal (e=0), Error (e!=0). On the ARG of slide 32:
      [Safe] Verify assertion: Client in legal location ⇒ Library in legal state. The nodes at n0 and n1 all carry e=0.
      [Permissive] Verify assertion: Client in illegal location ⇒ Library in illegal state. The nodes at n2 all carry ¬e=0.

  48. A. Interface Checking
      Safe assertion: Client in legal location ⇒ Library in legal state.
      Permissive assertion: Client in illegal location ⇒ Library in illegal state.
      Both hold on the ARG of slide 32, so the interface of slide 6 is Safe and Permissive.

  49. A. Interface Checking
      Abstract Reachability Graph ⇔ Typestate Interpretation (the abstract states at location n give the region r(n))
      Safe Assertion ⇔ Safe Interpretation
      Permissive Assertion ⇔ Permissive Interpretation
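The Interface Client + Library exploration of slides 27-49 with the predicate abstraction Π = {a=0, e=0} of slide 32, as an added Python example (not the lecture's own tool). build_arg explores the product of the interface and the abstract library with a worklist, covering any successor that repeats an existing node; interpretation reads the ARG as a typestate interpretation as on slide 49; check decides the Safe and Permissive assertions of slides 44-48, which is how the Interface ⊆ Legal and Legal ⊆ Interface definitions of slides 6 and 8 are decided in practice. Assumptions: the error typestate n2 absorbs every call, m_new()/m_rd() return a non-NULL pointer, and abstract Post is the best transformer (concretise, apply, re-abstract), affordable here because the concrete state space is finite. READ_FORBIDDEN is a constructed variant of the slide 6 interface, not from the lecture, that sends read from n1 to the error typestate to show a safe but non-permissive result.

```python
from itertools import product

# Library of slides 6 and 32: state (a, e), with a modelled as NULL or a
# non-NULL pointer (assumption: m_new()/m_rd() return non-NULL).
NULL, PTR = 0, 1
API = {
    "acq":  lambda a, e: (PTR, e) if a == NULL else (a, 1),
    "read": lambda a, e: (PTR, e) if a != NULL else (a, 1),
    "rel":  lambda a, e: (NULL, e),
}
STATES = set(product((NULL, PTR), (0, 1)))
INIT = (NULL, 0)

# Predicate abstraction Pi = {a=0, e=0}: an abstract state is the tuple
# of the predicates' truth values, in this order.
PREDS = {"a=0": lambda a, e: a == NULL, "e=0": lambda a, e: e == 0}

def alpha(s, preds):
    """Abstract a concrete state to its predicate valuation."""
    return tuple(p(*s) for p in preds.values())

def abstract_post(abs_state, call, preds):
    """Best abstract transformer: concretise, apply the call, re-abstract."""
    concrete = [s for s in STATES if alpha(s, preds) == abs_state]
    return {alpha(API[call](*s), preds) for s in concrete}

# Interface of slide 6 as a table (typestate, call) -> typestate; the
# error typestate n2 absorbs every call (assumption, slide 38 shows acq).
SLIDE6 = {("n0", "rel"): "n0", ("n0", "acq"): "n1", ("n0", "read"): "n2",
          ("n1", "read"): "n1", ("n1", "rel"): "n0", ("n1", "acq"): "n2",
          ("n2", "acq"): "n2", ("n2", "read"): "n2", ("n2", "rel"): "n2"}

# Constructed variant: read after acq is sent to n2. Still safe, but it
# rejects legal call sequences, so the Permissive check must fail.
READ_FORBIDDEN = {**SLIDE6, ("n1", "read"): "n2"}

def build_arg(interface, preds, init_ts="n0"):
    """Worklist exploration of Interface Client x abstract Library.
    Nodes are (typestate, abstract state) pairs; a successor equal to an
    existing node is covered, which is what makes the ARG finite."""
    root = (init_ts, alpha(INIT, preds))
    nodes, edges, worklist = {root}, [], [root]
    while worklist:
        node = worklist.pop()
        ts, a = node
        for (src, call), dst in interface.items():
            if src != ts:
                continue
            for a2 in abstract_post(a, call, preds):
                succ = (dst, a2)
                edges.append((node, call, succ))
                if succ not in nodes:          # not covered: explore it
                    nodes.add(succ)
                    worklist.append(succ)
    return nodes, edges

def interpretation(nodes):
    """Slide 49: the ARG read as a typestate interpretation, r(n) being
    the set of abstract states labelling the ARG nodes at location n."""
    r = {}
    for ts, a in nodes:
        r.setdefault(ts, set()).add(a)
    return r

def check(interface, preds=PREDS, illegal=("n2",)):
    """Safe: every node at a legal location satisfies e=0.
    Permissive: every node at an illegal location satisfies e!=0.
    preds must contain the predicate named "e=0"."""
    r = interpretation(build_arg(interface, preds)[0])
    e = list(preds).index("e=0")
    legal_nodes = [a for ts in r if ts not in illegal for a in r[ts]]
    illegal_nodes = [a for ts in r if ts in illegal for a in r[ts]]
    safe = all(a[e] for a in legal_nodes)
    permissive = all(not a[e] for a in illegal_nodes)
    return safe, permissive, r

if __name__ == "__main__":
    for name, itf in (("slide 6", SLIDE6), ("read forbidden", READ_FORBIDDEN)):
        safe, permissive, r = check(itf)
        print(name, "safe:", safe, "permissive:", permissive)
        for ts in sorted(r):
            print("   ", ts, sorted(r[ts]))
```

For the slide 6 interface the ARG has one node at n0 (a=0, e=0), one at n1 (¬a=0, e=0) and two at n2 that differ only in a=0, which the slides draw as the single node ¬e=0; both assertions hold. For READ_FORBIDDEN the Safe assertion still holds but n2 acquires nodes with e=0, so the Permissive assertion fails, which is the slide 7 situation of an interface that is safe but rejects legal uses.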

  50. Computing Interfaces
      Problem A: Interface Checking. Given Library, candidate interface I, abstraction Π: check if I is safe, permissive.
      Solution: assertion verification on the Abstract Reachability Graph.
      Problem B: Interface Reconstruction. Given Library, abstraction Π: reconstruct a safe, permissive interface I.
      Problem C: Interface Inference. Given Library: infer a safe, permissive interface I.
