Reduction in End-User Shape Analysis. Bor-Yuh Evan Chang University of Colorado, Boulder. Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009. Xavier Rival INRIA and ENS Paris.

Reduction in End-User Shape Analysis

Bor-Yuh Evan Chang

University of Colorado, Boulder

Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009

Xavier Rival

INRIA and ENS Paris

If some of the symbols are garbled, try either installing TexPoint (http://texpoint.necula.org) or the TeX fonts (http://www.cs.colorado.edu/~bec/texpoint-fonts.zip).

Why think about the analyzer’s end-user?

  • Accessibility
    • end-users are not experts in verification and logic
    • want adoption of our tools and techniques
  • Expressivity, Efficiency, and Feasibility
    • end-users are not completely incompetent either
    • can provide guidance to tools, understand the code best

Bor-Yuh Evan Chang and Xavier Rival - Reduction in End-User Shape Analysis

Shape analysis is an abstract interpretation on abstract memory descriptions with …
  • Splitting of summaries (materialization)
    • To reflect updates precisely
  • And summarizing for termination (summarization)

[Figure: a “sorted dl list” l being traversed with cur; the summary of the list is split around cur to reflect the update, then re-summarized. Main design decision: summaries and their operations.]


The Wild Wild World of Shape Analysis

Choosing the heap abstraction is difficult.

Some representative approaches:

  • TVLA [Sagiv et al.]: parametric in low-level, analyzer-oriented predicates
    • + Very general and expressive
    • - Harder for non-experts
  • Space Invader [Distefano et al.]: built-in high-level predicates
    • + No additional user effort
    • - Harder to extend
  • Our approach, Xisa: parametric in high-level, developer-oriented predicates
    • + Extensible
    • + Targeted to developers


Our Approach: Executable Specifications

Utilize “run-time validation code” as specification for static analysis.

Build the abstraction for analysis directly out of the developer-supplied validation code.

The checker as the developer writes it (p specifies where prev should point):

  h.dll(p) :=
    if (h = null) then true
    else h->prev = p and h->next.dll(h)

The same checker read as an inductive definition in separation logic:

  h.dll(p) := h = null ∧ emp
            ∨ ∃n. h@prev ↦ p * h@next ↦ n * n.dll(h)

Example program:

  assert(l.purple_dll(null));
  for each node cur in list l {
    make cur red;
  }
  assert(l.red_dll(null));

Automatically generalize checkers for intermediate states (generalized segment).

[Figure: list l with cur part-way through the traversal; the prefix before cur is described by a generalized segment of the checker.]


Xisa is …

An automated shape analysis with a precise memory abstraction based around invariant checkers.

  • Extensible and targeted for developers
    • Parametric in developer-supplied checkers, viewed as inductive definitions in separation logic
  • Precise yet compact abstraction for efficiency
    • Data structure-specific, based on properties of interest to the developer

Checkers are the input to Xisa, e.g.:

  h.dll(p) =
    if (h = null) then true
    else h->prev = p and h->next.dll(h)


Problem: Non-Unique Representations

With user-guided abstraction, different summaries may have the same (or related) concretizations.

[Figure: the same concrete instance (a doubly-linked list with head h and tail t) has two different summaries: h.dll(null), a dll checker run from the head, and t.dll_back(null), a dll_back checker run from the tail.]

  l.dll(p) :=
    if (l = null) then true
    else l->prev = p and l->next.dll(l)

  l.dll_back(n) :=
    if (l = null) then true
    else l->next = n and l->prev.dll_back(l)


Need: Convert between related summaries
  • Prove lemmas about related checkers
    • e.g., relating dll and dll_back

Observation: Our widening operator can derive these facts on an appropriate program.

Basic idea:

[Figure: the checker definition l.dll(p) := … is fed to the parametric abstract domain, whose summarization (widening) relates it to the semantics of dll_back.]


Need: Convert between related summaries
  • Find out which lemmas are needed and when to apply them during program analysis
    • work-in-progress
    • not in this talk


New “Pre-Program Analysis Analysis”

Derives information about checkers to use them effectively.

[Figure: pipeline. Input: checkers, e.g.

  dll(h, p) =
    if (h = null) then true
    else h->prev = p and dll(h->next, h)

Checker analysis (“pre-program analysis”): level-type inference for unfolding; lemma proving for reduction.
Program analysis (Xisa shape analyzer): abstract interpretation, i.e., splitting and interpreting update, and summarizing.]


Outline
  • Memory abstraction
    • graphs
    • segments
    • A semantics of checker definitions
  • Example:
    • a segment of a list, a list segment


Abstract memory as graphs

Make endpoints and segments explicit.

[Figure: abstract memory graph of a “dll segment”, with nodes α, β, γ, δ, variable l at α and variable cur at γ. Legend:
  • node: memory address (value)
  • thin edge: memory cell (points-to: γ->next = δ)
  • thick edge: checker summary (inductive predicate), standing for some number of memory cells
  • segment summary: dll(null) from α up to dll(β) at γ, followed by the cells γ->prev = β and γ->next = δ and the summary δ.dll(γ)]

  h.dll(p) =
    if (h = null) then true
    else h->prev = p and h->next.dll(h)

Segment generalization of a checker (intuitively, α.dll(null) up to γ.dll(β)):

  (α.dll(null) *= γ.dll(β)) * γ@prev ↦ β * γ@next ↦ δ * δ.dll(γ)


Segments as Partial Checker “Runs” (conceptually)

[Figure: a complete checker “run” of α.dll(null) unfolds through the cells at α, β, γ, δ (next and prev edges) down to null.dll(δ); this is the instance of the summary. A segment summary c(α, γ) covers only the prefix of that run, from α.dll(null) up to γ.dll(β), with the remaining suffix c′(β, γ′). The empty segment is the case i = 0, where α = γ and β = null (equivalently c = c′, α = β, γ = γ′).]

[POPL’08]



Example: User-Defined List Segments
  l.ls(e) :=
    if (l = e) then true
    else l->next.ls(e)

  l.list() :=
    if (l = null) then true
    else l->next.list()

Want a decision procedure for these inclusions:

  α.ls(β) * β.list()                 (“a list segment”, from the user-defined checker ls)
  ⊑?
  (α.list() *= β.list()) * β.list()  (“a segment of a list”, the analyzer's segment generalization of list)

[Figure: the two summaries drawn as graphs from α (variable l) to β (variable e): a checker edge ls(β) followed by list() on the left, a segment edge of list() followed by list() on the right.]

Can reuse our parametric abstract domain!


An Alternative Semantics for Checkers

[Figure: the summary α.ls(β) read as a generator of “concrete” graphs. Unfolding the checker one step gives either α = β (the empty segment) or a cell α@next ↦ α′ followed by α′.ls(β); unfolding again gives α′ = β or α′@next ↦ α″ followed by α″.ls(β), and so on. Keeping only the unfoldings that consist of points-to (next) edges and mapping nodes to addresses, addrof(α) and addrof(β) with l at α and e at β, yields the set of concrete stores.]

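As an added example (not code from the talk or from Xisa), the checkers of the “Our Approach: Executable Specifications” slide as run-time validation code over a concrete heap, together with the generator reading of ls from the slide above, used to test the inclusion of the “Example: User-Defined List Segments” slide by bounded enumeration; the dict heap model, integer addresses and the `seen` cycle guard are this example's assumptions.

```python
# Added example (not from the talk or Xisa): the deck's checkers as run-time
# validation code over a concrete heap, plus the "generator" reading of a
# checker used to test an inclusion by bounded enumeration. The dict heap,
# integer addresses and the `seen` cycle guard are this example's assumptions.
NULL = None

def dll(heap, h, p, seen=frozenset()):
    """h.dll(p): h = null, or h->prev = p and h->next.dll(h)."""
    if h is NULL:
        return True
    if h in seen:                  # cyclic heap: the naive checker would loop forever
        return False
    cell = heap[h]
    return cell["prev"] == p and dll(heap, cell["next"], h, seen | {h})

def ls(heap, l, e, seen=frozenset()):
    """l.ls(e): l = e, or l->next.ls(e); list() is ls(null)."""
    if l == e:
        return True
    if l is NULL or l in seen:     # ran off the end of the heap, or a cycle
        return False
    return ls(heap, heap[l]["next"], e, seen | {l})

def make_dll(n):
    """Constructed sample: a well-formed doubly-linked list at addresses 1..n."""
    return {i: {"prev": i - 1 if i > 1 else NULL,
                "next": i + 1 if i < n else NULL} for i in range(1, n + 1)}

def segment(n, start, end):
    """n next-linked cells at addresses start..start+n-1, the last pointing to end."""
    return {start + i: {"next": start + i + 1 if i < n - 1 else end}
            for i in range(n)}

def models_ls_then_list(max_cells):
    """Generator semantics of alpha.ls(beta) * beta.list(): unfold each checker
    0..max_cells times and yield (alpha, heap) for every resulting store."""
    for n in range(max_cells + 1):
        for m in range(max_cells + 1 - n):
            beta = n + 1 if m > 0 else NULL
            alpha = 1 if n > 0 else beta      # empty segment means alpha = beta
            yield alpha, {**segment(n, 1, beta), **segment(m, n + 1, NULL)}

def bounded_inclusion(max_cells=5):
    """Check alpha.ls(beta) * beta.list() |= alpha.list() on every model up to
    the bound: evidence only, not the decision procedure the talk builds."""
    return all(ls(heap, alpha, NULL) for alpha, heap in models_ls_then_list(max_cells))
```

The bounded check only enumerates finitely many unfoldings; the talk's point is that the parametric abstract domain's inclusion check decides the relation for all unfoldings at once.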

Show

[Figure: the inclusion to show, α.ls(β) * β.list() ⊑ (α.list() *= β.list()) * β.list(), drawn as the two graphs from α (l) to β (e).]

  • Widening
    • Properties
      • Soundness: computes an over-approximation
      • Termination: ensures the chain stabilizes
    • Algorithm
      • Iteratively split regions by matching nodes (ok by *)
      • Find a common abstraction for matched regions (calling on ⊑ to check inclusion)
    • [SAS’07]

[Figure: widening (∇) applied to successive unfoldings of α.ls(β): the graphs with α = β, with α@next ↦ α′ and α′ = β, and with α@next ↦ α′, α′@next ↦ α″ and α″ = β are matched region by region against the list() segment summaries, and each matched region is summarized into a list() edge.]

  • Our widening
  • is a non-symmetric binary operator
  • interleaves region matching and summarizing

Apply abstract interpretation using only list as a checker parameter to the domain


Inclusion Check


Algorithm

  • Iteratively split regions by matching nodes
  • Check inclusion by unfolding and matching edges until obvious (emp ⊑ emp)

[Figure: checking α.ls(β) * β.list() ⊑ the list() segment: the ls(β) edge at α is unfolded into α@next ↦ α′ with α′.ls(β) (or α′ = β), the next cell is matched against an unfolding of the list() segment on the right, and the process repeats on the remainders until both sides are emp.]

Summary: Reuse domain to decide relations amongst checker definitions

[Figure: the pipeline of the “Pre-Program Analysis Analysis” slide. Checkers, e.g.

  dll(h, p) =
    if (h = null) then true
    else h->prev = p and dll(h->next, h)

feed the checker analysis (“pre-program analysis”): level-type inference for unfolding and lemma proving for reduction. Its results feed the program analysis of the Xisa shape analyzer: abstract interpretation with splitting and interpreting update, and summarizing.]

Conclusion and Next Steps
  • Non-unique representation problem magnified with user-supplied checkers
    • Need reduction to convert between representations
    • Ordering on checkers needed to apply reduction
  • Ordering shown by applying Xisa to a checker definition
  • To put into practice
    • Needed lemmas: pre-compute ordering or on-demand?
    • When to apply: level types for unfolding may help
    • Derive new checkers (e.g., dll_back from dll)?
