1 / 33

Program analysis & Synthesis

Lecture 08(a ) – Shape Analysis – continued Lecture 08(b ) – Typestate Verification Lecture 08(c) – Predicate Abstraction. Program analysis & Synthesis. Eran Yahav. Previously . Shape Analysis. Today. Shape Analysis – continued Concurrent Shape Analysis Typestate Verification

pavel
Download Presentation

Program analysis & Synthesis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – TypestateVerification Lecture 08(c) – Predicate Abstraction Program analysis & Synthesis EranYahav

  2. Previously • Shape Analysis

  3. Today • Shape Analysis – continued • Concurrent Shape Analysis • Typestate Verification • Predicate Abstraction (optimistically!)

  4. Shape Analysis Automatically verify properties of programs manipulating dynamically allocated storage Identify all possible shapes (layout) of the heap

  5. Shape Analysis via 3-valued Logic 1) Abstraction • 3-valued logical structure • canonical abstraction 2) Transformers • via logical formulae • soundness by construction • embedding theorem, [SRW02]

  6. Collecting State Semantics if v = entry { <,> } empty interpretation empty universe •  { st(w)(S) | S  CSS[w] }  (w,v)  E(G), w  Assignments(G) set of states at node w all predecessors of v in the CFG effect of the statement at node w •  { S | S  CSS[w] }  (w,v)  E(G), w  Skip(G) CSS [v] = • { S | S  CSS[w] and S  cond(w)}  othrewise (w,v)  True-Branches(G)  { S | S  CSS[w] and S  cond(w)} set of states at node v (w,v)  False-Branches(G)

  7. Collecting Semantics • At every program point – a potentially infinite set of two-valued logical structures • Representing (at least) all possible heaps that can arise at the program point • Next step: find a bounded abstract representation

  8. 3-Valued Logical Structures • A set of individuals (nodes) U • Relation meaning • Interpretation of relation symbols in Pp0()  {0,1, 1/2}p1(v)  {0,1, 1/2}p2(u,v)  {0,1, 1/2} • A join semi-lattice: 01 = 1/2

  9. Property Space • 3-struct[P] = the set of 3-valued logical structures over a vocabulary (set of predicates) P • Abstract domain • (3-Struct[P]) •  is  • We will see alternatives later (maybe)

  10. Canonical Abstraction n n u1 u2 u3 u1 u2 u3 Top Top

  11. Canonical Abstraction () • Merge all nodes with the same unary predicate values into a single summary node • Join predicate values ’(u’1 ,..., u’k) =  {(u1 ,..., uk) | f(u1)=u’1 ,..., f(uk)=u’k } • Converts a state of arbitrary size into a 3-valued abstract state of bounded size • (C) =  { (c) | c  C }

  12. Abstract Semantics ? s = Topn s rTop rTop Top Top rTop rTop s = Top->n s’(v) = v1: Top(v1)  n(v1,v)

  13. Semantic Reduction • Improve the precision of the analysis by recovering properties of the program semantics • A Galois connection (C, , , A) • An operation op:AAis a semantic reduction when • lL2 op(l)l and • (op(l)) = (l)  l op  C A

  14. The Focus Operation • Focus: Formula((3-Struct)  (3-Struct)) • Generalizes materialization • For every formula  • Focus()(X) yields structure in which  evaluates to a definite values in all assignments • Only maximal in terms of embedding • Focus() is a semantic reduction • But Focus()(X) may be undefined for some X

  15. Partial Concretization Based on Transformer (s=Topn) s AbstractSemantics rTop rTop Top Top rTop rTop,rs s Top rTop rTop rTop s’(v) = v1: Top(v1)  n(v1,v) rTop rTop rTop Top Canonical Abstraction Focus (Topn) Partial Concretization u: top(u) n(u, v) s rTop rTop Top AbstractSemantics s Top rTop rTop Top rTop rTop rTop

  16. Partial Concretization Locally refine the abstract domain per statement Soundness is immediate Employed in other shape analysis algorithms [Distefano et.al., TACAS’06, Evan et.al., SAS’07, POPL’08] Emplyed in other analysis algorithms[Typestate verification, ISSTA’06]

  17. The Coercion Principle • Another Semantic Reduction • Can be applied after Focus or after Update or both • Increase precision by exploiting structural properties possessed by all stores (Global invariants) • Structural properties captured by constraints • Apply a constraint solver

  18. Apply Constraint Solver  Top rTop rTop x x Top Top rTop rTop rTop rTop n n n n n n n x x rx rx,ry rx rx,ry rx,ry rx,ry n y y

  19. Sources of Constraints • Properties of the operational semantics • Domain specific knowledge • Instrumentation predicates • User supplied

  20. Example Constraints x(v1) x(v2)eq(v1, v2) n(v, v1) n(v,v2)eq(v1, v2) n(v1, v) n(v2,v)eq(v1, v2)is(v) n*(v3, v4)t[n](v1, v2)

  21. Abstract Transformers: Summary • Kleene evaluation yields sound solution • Focus is a statement-specific partial concretization • Coerce applies global constraints

  22. Abstract Semantics if v = entry { <,> } •  { t_embed(coerce(st(w)3(focusF(w)(SS[w] ))))  (w,v)  E(G), w  Assignments(G) •  { S | S  SS[w] }  othrewise (w,v)  E(G), w  Skip(G) SS [v] = • { t_embed(S) | S  coerce(st(w)3(focusF(w)(SS[w] )))and S 3 cond(w)}  (w,v)  True-Branches(G) • { t_embed(S) | S  coerce(st(w)3(focusF(w)(SS[w] ))) and S 3 cond(w)}  (w,v)  False-Branches(G)

  23. Recap • Abstraction • canonical abstraction • recording derived information • Transformers • partial concretization (focus) • constraint solver (coerce) • sound information extraction

  24. Stack Push emp … Top void push(int v){ Node x = alloc(sizeof(Node)); xd = v; xn = Top; Top = x; } x x x Top v: x(v) v: x(v) x Top x x Top Top Top v1,v2: n(v1, v2) Top(v2) v:c(v) Top

  25. Non-blocking Stack[Treiber 1986] [1] void push(Stack *S, data_type v) {[2] Node *x = alloc(sizeof(Node));[3] x->d = v;[4] do {[5] Node *t = S->Top;[6] x->n = t;[7] } while (!CAS(&S->Top,t,x));[8] } #define EMPTY -1typedefintdata_type;typedefstruct node t {data_typed;struct node t *n} Node;typedefstruct stack t {struct node t *Top;} Stack; [9] data_type pop(Stack *S){[10] do {[11] Node *t = S->Top;[12] if (t == NULL)[13] return EMPTY;[14] Node *s = t->n;[15] data_typer = t->d;[16] } while (!CAS(&S->Top,t,s));[17] return r;[18] }

  26. Concurrent Shape Analysis • a thread is represented as a thread object • add predicates to vocabulary • Recipe • abstraction: canonical abstraction • transformers: interleaving + as before • Bounded threads • Static thread names • Unbounded threads • thread objects abstracted via canonical abstraction

  27. Concrete State U = { u1, u2, u3,…,u7 } isThread = { u1,u2 } at[pc=1] = { } … at[pc=6] = { u3 } at[pc=7]= { u1 } Top = { u5 } … x = { (u1,u4), (u2,u3)} t={ (u1,u5),(u2,u6)} n = { (u5,u6), (u6,u7) } t 1= { u1 }t2 = { u2 } u3 u7 x pc=7 pc=6 n t u2 list object u6 u1 list field n t x n u4 u5 thread object with program counter thread-local variable Top

  28. Exploration [1] void push(Stack *S, data_type v) {[2] Node *x = alloc(sizeof(Node));[3] x->d = v;[4] do {[5] Node *t = S->Top;[6] x->n = t;[7] } while (!CAS(&S->Top,t,x));[8] } n x 5 v: c(v) n x 5 Top n n x x 5 6 t n n t x 6 5 Top Top x x x n n n 6 6 x 6 t n t t n n t x x n 6 7 Top Top x t n 8 Top t n n n x n x n x 7 5 6 … t t t n n n n n n 1 1 1 Top Top Top

  29. Representing an Unbounded Number of Threads pc=5 pc=5 pc=5 pc=5 [1] void push(Stack *S, data_type v) {[2] Node *x = alloc(sizeof(Node));[3] x->d = v;[4] do {[5] Node *t = S->Top;[6] x->n = t;[7] } while (!CAS(&S->Top,t,x));[8] } x n x n x Top

  30. Representing an Unbounded Number of Threads pc=5 pc=5 pc=5 pc=5 pc=5 [1] void push(Stack *S, data_type v) {[2] Node *x = alloc(sizeof(Node));[3] x->d = v;[4] do {[5] Node *t = S->Top;[6] x->n = t;[7] } while (!CAS(&S->Top,t,x));[8] } x n n x n n x x rbyX n Top hasX Top

  31. Abstract Semantics n [1] void push(Stack *S, data_type v) {[2] Node *x = alloc(sizeof(Node));[3] x->d = v;[4] do {[5] Node *t = S->Top;[6] x->n = t;[7] } while (!CAS(&S->Top,t,x));[8] } pc=6 pc=5 pc=5 x rbyX n hasX Top x n rbyX hasX x n rbyX hasX t Top

  32. Example - Mutual Exclusion [1] while (true) { [2]lock(shared) [C]// critical actions [3]unlock(shared) [4] } t1,t2: (t1 t2)  (at[pc=c](t1)  at[pc=c](t2)) C shared C shared shared 1 held_by held_by 1 shared 1 shared 2 shared Initial configuration A thread enters the critical section blocked Other threads may be blocked or just beginning execution

  33. Recap No null dereferences  Structural shape invariants Linearizability [1] void push(Stack *S, data_type v) {[2] Node *x = alloc(sizeof(Node));[3] x->d = v;[4] do {[5] Node *t = S->Top;[6] x->n = t;[7] } while (!CAS(&S->Top,t,x));[8] } #define EMPTY -1typedefintdata_type;typedefstruct node t {data_typed;struct node t *n} Node;typedefstruct stack t {struct node t *Top;} Stack; [9] data_type pop(Stack *S){[10] do {[11] Node *t = S->Top;[12] if (t == NULL)[13] return EMPTY;[14] Node *s = t->n;[15] data_type r = t->d;[16] } while (!CAS(&S->Top,t,s));[17] return r;[18] }  Dynamic Allocation  Destructive Updates  Concurrency

More Related