1 / 20

Extensible Shape Analysis by Designing with the User in Mind

Extensible Shape Analysis by Designing with the User in Mind. Bor-Yuh Evan Chang , Xavier Rival, and George Necula University of California, Berkeley OSQ Retreat May 16, 2008. Motivation. Analyses find many kinds of bugs For example, Reading from a closed file:

harlow
Download Presentation

Extensible Shape Analysis by Designing with the User in Mind

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Extensible Shape Analysisby Designing with the User in Mind Bor-Yuh Evan Chang, Xavier Rival, and George Necula University of California, Berkeley OSQ Retreat May 16, 2008

  2. Motivation Analyses find many kinds of bugs For example, • Reading from a closed file: • Reacquiring a locked lock: But often struggle when objects are put into data structures  acquire( ); read( );  … • Shape Analysis is Data Structure Analysis Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  3. What’s hard about data structures? Abstraction too coarse or not precise enough (e.g., lost x is always unlocked) …code … • // x now points to an unlocked lockin a linked list acquire(x); • … code … ? ideal analysis state analysis state x x x … or or or x  For decidability, must abstract (e.g., merge objects) mislabels good code as buggy Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  4. To address the precision challenge Traditional program analysis mentality: “ Why can’t developers write more specifications for our analysis? Then, we could verify so much more.” “ Since developers won’t write specifications, we will use default abstractions (perhaps coarse) that work hopefully most of the time.” Our approach: “ Can we design program analyses around the user? Developers write testing code. Can we adapt the analysis to use those as specifications?” Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  5. Overview of contributions Precise inference of data structure properties Able to check, for instance, the locking example Targeted to software developers Uses data structure checking code for guidance • Turns testing code into a specification for static analysis Efficient • Builds abstraction out of developer-supplied checking code Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  6. // l is a sorted doubly-linked list for each nodecurinlistl { removecurif duplicate; } assert l is sorted, doubly-linked with no duplicates; Shape analysis by example:Removing duplicates Example/Testing Code Review/Static Analysis program-specific l intermediate state more complicated “segment with no duplicates” “sorted dl list” “sorted dl list” “no duplicates” l l cur cur 2 2 2 4 4 4 2 4 4 l l l Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  7. Shape analysis is not yet practical Choosing the heap abstraction difficult for precision Traditional approaches: Parametric in low-level, analyzer-oriented predicates + Very general and expressive - Hard for non-expert TVLA [Sagiv et al.] 89 • Built-in high-level predicates • - Hard to extend • + No additional user effort (if precise enough) Space Invader [Distefano et al.] Our approach: Parametric in high-level, developer-oriented predicates + Extensible +Targetedtodevelopers Xisa Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  8. Key insightfor being developer-friendly and efficient Utilize “run-time checking code” as specification for static analysis. Contribution: Build the abstraction for analysis out of developer-specified checking code • dll(h, p) = • if(h =null) then • true • else • h!prev= p anddll(h!next, h) • assert(sorted_dll(l,…)); for each nodecurinlistl { removecurif duplicate; } • assert(sorted_dll_nodup(l,…)); l l Contribution: Automatically generalize checkers for complicated intermediate states checker l • p specifies where prev should point cur Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  9. Our framework is … An automated shape analysis with a precise memory abstraction based around invariant checkers. • Extensible and targeted for developers • Parametric in developer-supplied checkers • Precise yet compact abstraction for efficiency • Data structure-specific based on properties of interest to the developer • dll(h, p) = • if (h =null) then • true • else • h!prev=prevand • dll(h!next, h) checkers shape analyzer Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  10. Shape analysis is an abstract interpretation on memory descriptions with … • Splitting of summaries(materialization) • To reflect updates precisely (strong updates) • Andsummarizingfor termination (widening) l l l l l cur cur cur cur cur cur l Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  11. Outline Learn information about the checker to use it as an abstraction shape analyzer abstract interpretation 1 splitting and interpreting update 2 type “pre-analysis” on checker definitions • dll(h, p) = • if (h =null) then • true • else • h!prev=prevand • dll(h!next, h) summarizing checkers Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  12. Overview: Split summariesto interpret updates precisely Want abstract update to be “exact”, that is, to update one “concrete memory cell”. The example at a high-level: iterate using cur changing the doubly-linked list from purple to red. Challenge: How does the analysis “split” summaries and know where to “split”? split at cur l update cur purple to red cur cur cur cur l l l Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  13. Split summaries by unfolding induction dll(cur, p) “dll segment l to cur” l p • Technical Details: • What about unfolding segments? • How are segments unfolded? • (Key: Segments are also inductively defined) [POPL’08] How does the analysis know to do unfolding? l null get: cur!next Analysis doesn’t forget the empty case Ç “dll segment l to cur” • dll(h, p) = • if(h =null) then • true • else • h!prev= p anddll(h!next, h) cur cur cur “dll segment l to cur” dll(n, cur) l p n Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  14. Outline Derives additional information to guide unfolding How do we decide where to unfold? shape analyzer abstract interpretation 1 splitting and interpreting update 2 type “pre-analysis” on checker definitions • dll(h, p) = • if (h =null) then • true • else • h!prev=prevand • dll(h!next, h) summarizing checkers Contribution: Turns testing code into specification for static analysis Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  15. Types for deciding where to unfold Summary If it exists, where is: cur!next ? p!next ? l “dll segment l to cur” dll(cur, p) p 0 Instance -1 l p n Checker Definition • dll(h, p) = • if(h =null) then • true • else • h!prev= p anddll(h!next, h) Checker “Run” (call tree/derivation) dll(l,null) h : {nexth0i, prevh0i } p : {nexth-1i, prevh-1i } -2 cur cur dll(p,l) -1 Says: For h!next/h!prev, unfold from h For p!next/p!prev, unfold before h dll(cur,p) 0 dll(n,cur) 1 dll(null,n) Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  16. Types make the analysis robust with respect to how checkers are written h : {nexth0i, prevh0i } p : {nexth-1i, prevh-1i } Doubly-linked list checker (as before) • dll(h, p) = • if(h =null) then • true • else • h!prev= p anddll(h!next, h) Instance Checker “Run” Alternative doubly-linked list checker cur cur • dll0(h) = • if(h!next=null)then • true • else • h!next!prev= h anddll0(h!next) h : {nexth0i, prevh-1i } ¯.dll(®) -1 ¯.dll0() -1 Instance Checker “Run” Different types for different unfolding °.dll(¯) 0 °.dll0() 0 null.dll(°) cur!prev ? -1 Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  17. Summary of checker parameter types Tell where to unfold for which fields Make analysis robust with respect to how checkers are written Learn where in summaries unfolding won’t help • Can be inferred automatically with a fixed-point computation on the checker definitions Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  18. Results: Performance Times negligible for data structure operations (often in sec or 1/10 sec) Expressiveness: Different data structures TVLA: 290 ms Space Invader only analyzes lists (built-in) TVLA: 850 ms Verified shape invariant as given by the checker is preserved across the operation. Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  19. Conclusion Key Insight: Checkers as specifications Developer View: Global, Expressed in a familiar style Analysis View: Capture developer intent, Not arbitrary inductive definitions Constructing the program analysis Intermediate states: Generalized segment predicates Splitting: Checker parameter types with levels “dll segment l to cur” h : {nexth0i, prevh0i} p : {nexth-1i, prevh-1i} Bor-Yuh Evan Chang - Extensible Shape Analysis by Designing with the User in Mind

  20. What can inductive shape analysis do for you? http://xisa.cs.berkeley.edu

More Related