Interprocedural shape analysis for cutpointfree programs - PowerPoint PPT Presentation

1 / 62
About This Presentation
Title:

Interprocedural shape analysis for cutpointfree programs

Description:

append. Memory states. Represented by first-order logical structures. Variable x points to v ... { append(y,z); Large step semantics. Procedure ~ input/output ... – PowerPoint PPT presentation

Number of Views:34
Avg rating:3.0/5.0
Slides: 63
Provided by: NoamRi9
Category:

less

Transcript and Presenter's Notes

Title: Interprocedural shape analysis for cutpointfree programs


1
Interprocedural shape analysisfor cutpoint-free
programs
Noam Rinetzky Tel Aviv University
Joint work with Mooly Sagiv Tel Aviv
University Eran Yahav IBM Watson
2
Motivation
  • Interprocedural shape analysis
  • Conservative static pointer analysis
  • Heap intensive programs
  • Imperative programs with (recursive) procedures
  • Linked data structures
  • Challenge
  • Destructive update
  • Localized effect of procedures

3
Main idea
  • Local heaps

call p(x)
y
g
t
4
Main idea
  • Local heaps
  • Cutpoint freedom

POPL 05
SAS 05
call p(x)
y
g
t
5
Cutpoints
  • An object is a cutpoint for an invocation
  • Reachable from actual parameters
  • Not pointed to by an actual parameter
  • Reachable without going through a parameter

call p(y,z)
call p(y,z)
n
n
n
n
y
y
n
n
t
t
x
z
z
6
Cutpoint freedom
  • Cutpoint-free
  • Invocation has no cutpoints
  • Execution every invocation is cutpoint-free
  • Program every execution is cutpoint-free

call p(y,z)
call p(y,z)
n
n
n
n
x
y
n
n
t
y
t
z
x
z
7
Cutpoint freedom benefits
  • Restricted aliasing
  • Procedure function
  • Input / output relation

call p(y,z)
call p(y,z)
n
n
n
y
y
x
z
z
Not Cutpoint free
Cutpoint free
8
Main results
  • Cutpoint freedom
  • Non-standard concrete semantics
  • Verifies that an execution is cutpoint-free
  • Local heaps
  • Interprocedural shape analysis
  • Conservatively verifies
  • program is cutpoint free
  • Desired properties
  • Partial correctness of quicksort
  • Procedure summaries
  • Prototype implementation

9
Plan
  • Cutpoint freedom
  • Non-standard concrete semantics
  • Interprocedural shape analysis
  • Prototype implementation
  • Related work

10
Programming model
  • Single threaded
  • Procedures
  • Value parameters
  • Formal parameters not modified
  • Recursion
  • Heap
  • Recursive data structures
  • Destructive update
  • No explicit addressing ()
  • No pointer arithmetic

11
Memory states
  • A memory state encodes a local heap
  • Local variables of the current procedure
    invocation
  • Relevant part of the heap
  • Relevant ? Reachable

main
append
q
p
n
n
x
t
y
z
12
Memory states
  • Represented by first-order logical structures

13
Memory states
  • Represented by first-order logical structures

q
p
n
u1
u2
14
Operational semantics
  • Statements modify values of predicates
  • Specified by predicate-update formulae
  • Formulae in FO-TC

15
Procedure call rule
  • Large step semantics
  • Procedure input/output relation

16
Procedure call rule
1. Verify cutpoint freedom 2 Compute
input Execute callee 3 Combine output
  • Large step semantics
  • Procedure input/output relation

main() append(y,z)
append(List p, List q)
n
y
z
17
Procedure call 1. Verifying cutpoint-freedom
  • An object is a cutpoint for an invocation
  • Reachable from actual parameters
  • Not pointed to by an actual parameter
  • Reachable without going through a parameter

append(y,z)
append(y,z)
n
n
n
n
y
y
n
x
x
z
z
n
t
t
Not Cutpoint free
Cutpoint free
18
Procedure call 1. Verifying cutpoint-freedom
  • Invoking append(y,z) in main
  • Ry,z(v)?v1y(v1)?n(v1,v) ? ?v1z(v1)?n(v1,v)
  • isCPmain,y,z(v) Ry,z(v) ? (?y(v)??z(v1)) ?
  • ( x(v) ? t(v) ? ?v1 ?Ry,z(v1)?n(v1,v))

(mains locals x,y,z,t)
n
n
n
n
y
y
n
x
x
z
z
n
t
t
Not Cutpoint free
Cutpoint free
19
Procedure call 2. Computing the input local heap
  • Retain only reachable objects
  • Bind formal parameters

Call state
n
n
y
x
z
n
t
20
Procedure body append(p,q)
Input state
n
n
p
q
21
Procedure call3. Combine output
Output state
Call state
n
n
n
y
x
z
n
t
22
Procedure call3. Combine output
Output state
Call state
n
n
n
n
n
y
p
x
z
q
n
t
Auxiliary predicates
inUc(v)
inUx(v)
23
Observational equivalence
  • ?CPF ? ?CPF (Cutpoint free semantics)
  • ?GSB ? ?GSB (Standard semantics)
  • ?CPF and ?GSB observationally equivalent
  • when for every access paths AP1, AP2

? AP1 AP2 ?(?CPF) ? ? AP1 AP2 ?(?GSB)
24
Observational equivalence
  • For cutpoint free programs
  • ?CPF ? ?CPF (Cutpoint free semantics)
  • ?GSB ? ?GSB (Standard semantics)
  • ?CPF and ?GSB observationally equivalent
  • It holds that
  • ?st, ?CPF? ? ?CPF ? ?st, ?GSB? ? ?GSB
  • ?CPF and ?GSB are observationally equivalent

25
Introducing local heap semantics

Local heap Operational semantics
26
Plan
  • Cutpoint freedom
  • Non-standard concrete semantics
  • Interprocedural shape analysis
  • Prototype implementation
  • Related work

27
Shape abstraction
  • Abstract memory states represent unbounded
    concrete memory states
  • Conservatively
  • In a bounded way
  • Using 3-valued logical structures

28
3-Valued logic
  • 1 true
  • 0 false
  • 1/2 unknown
  • A join semi-lattice, 0 ? 1 1/2

29
Canonical abstraction
y
z
n
n
n
n
n
x
n
n
t
30
Canonical abstraction
y
z
n
n
n
n
n
x
n
n
n
t
31
Instrumentation predicates
  • Record derived properties
  • Refine the abstraction
  • Instrumentation principle SRW, TOPLAS02
  • Reachability is crucial!

32
Abstract memory states (with reachability)
y
z
n
n
n
n
n
rz
rx
rx,ry
rx
rz
rz
rx
rx
rx,ry
rx
rz
rz
rx
rz
x
n
n
rt
rt
rt
rt
rt
rt
t
33
The importance of reachabilityCall append(y,z)
z
y
n
n
n
n
n
rx
rx,ry
rx
rz
rz
rx
rz
x
n
n
rt
rt
rt
t
y
z
n
n
n
n
n
x
rx,ry
rz
rz
rx
rx
n
n
rt
rt
t
34
Abstract semantics
  • Conservatively apply statements on abstract
    memory states
  • Same formulae as in concrete semantics
  • Soundness guaranteed SRW, TOPLAS02

35
Procedure calls
1. Verify cutpoint freedom 2 Compute input
Analyze callee 3 Combine output
36
Conservative verification of cutpoint-freedom
  • Invoking append(y,z) in main
  • Ry,z(v)?v1y(v1)?n(v1,v) ? ?v1z(v1)?n(v1,v)
  • isCPmain,y,z(v) Ry,z(v) ? (?y(v)??z(v1)) ?
  • ( x(v) ? t(v) ? ?v1 ?Ry,z(v1)?n(v1,v))

n
n
n
n
n
ry
ry
ry
ry
rx
ry
rz
y
y
rz
n
n
n
n
z
z
x
rt
rt
rt
rt
t
t
Not Cutpoint free
Cutpoint free
37
Interprocedural shape analysis
38
Interprocedural shape analysis
Tabulation exits
call f(x)
y
39
Interprocedural shape analysis
Analyze f
Tabulation exits
call f(x)
y
40
Interprocedural shape analysis
  • Procedure ? input/output relation

Output
Input
q
q
rq
rq
q
q
p
p
n
rp
rq
rp
rp
rq
n
q
n
p
p
q

n
n
n
rp
rp
rq
rp
rq
rp
rp
41
Interprocedural shape analysis
  • Reusable procedure summaries
  • Heap modularity

42
Plan
  • Cutpoint freedom
  • Non-standard concrete semantics
  • Interprocedural shape analysis
  • Prototype implementation
  • Related work

43
Prototype implementation
  • TVLA based analyzer
  • Soot-based Java front-end
  • Parametric abstraction

44
Iterative vs. Recursive (SLL)
585
45
Inline vs. Procedural abstraction
// Allocates a list of // length 3 List
create3() main() List x1
create3() List x2 create3() List x3
create3() List x4 create3()
46
Call string vs. Relational vs. CPFRinetzky
and Sagiv, CC01 Jeannet et al.,
SAS04
47
Plan
  • Cutpoint freedom
  • Non-standard concrete semantics
  • Interprocedural shape analysis
  • Prototype implementation
  • Related work

48
Related work
  • Interprocedural shape analysis
  • Rinetzky and Sagiv, CC 01
  • Chong and Rugina, SAS 03
  • Jeannet et al., SAS 04
  • Hackett and Rugina, POPL 05
  • Rinetzky et al., POPL 05
  • Local Reasoning
  • Ishtiaq and OHearn, POPL 01
  • Reynolds, LICS 02
  • Encapsulation
  • Hogg, OOPSLA 91
  • ...

49
Related work
  • SAS 05
  • Local heaps
  • Cutpoint forbidden
  • Simple call rule
  • Automatically detects cutpoint freedom
  • New shape analysis
  • sorting (quicksort)
  • Prototype
  • POPL 05
  • Local heaps
  • Cutpoints allowed
  • Complicated call rule
  • Cutpoints may hurt precision
  • Justify existing analysis
  • New shape analysis
  • Abstract objects
  • Abstract cutpoints

50
Cutpoint freedom vs. Encapsulation(?)
  • Restricted local heap sharing
  • Parameters dominate local heap
  • Unrestricted intraprocedural
  • sharing
  • Dynamic domination
  • Technique
  • Abstract interpretation
  • Cutpoint-free programs
  • Hard to scale
  • Automatic
  • Restricted heap sharing
  • Owner(s) dominate heap references
  • Unrestricted stack sharing
  • Static domination
  • Technique
  • Type systems
  • Type-correct programs
  • Scalable
  • User annotation

51
Future work
  • False cutpoints
  • Liveness analysis
  • Cutpoint profiler
  • Guide abstraction design

52
Summary
  • Cutpoint freedom
  • Non-standard operational semantics
  • Interprocedural shape analysis
  • Partial correctness of quicksort
  • Prototype implementation

53
End
Interprocedural shape analysis for cutpoint-free
programs Noam Rinetzky, Mooly Sagiv, and Eran
Yahav SAS, 2005 (To appear)
A Semantics for procedure local heaps and its
abstraction Noam Rinetzky, Jörg Bauer, Thomas
Reps, Mooly Sagiv, and Reinhard Wilhelm POPL,
2005
www.cs.tau.ac.il/maon
54
(No Transcript)
55
quickSort(List p, List q)
56
Quicksort
  • List quickSort(List p, List q)
  • If(pq q null)
  • return p
  • List h partition(p,q)
  • List x p.n
  • p.n null
  • List low quickSort(h, p)
  • List high quickSort(x,null)
  • p.n high
  • Return low

57
Quicksort
  • List quickSort(List p, List q)
  • If(pq q null)
  • return p
  • List h partition(p,q)
  • List x p.n
  • p.n null
  • List low quickSort(h, p)
  • List high quickSort(x,null)
  • p.n high
  • Return low

58
Quicksort
p
tl
hd
8
6

3
5
7
2
1
4
6
8

9
8
9

hd
low
p
tl
Lev Ami et. al. ISSTA00
59
Backup
60
Intraprocedural statements
  • Specified by predicate-update formulae
  • Formulae in FO-TC
  • Example p.nq
  • Assert ?v p(v)
  • n(v1,v2) ? n(v1,v2) ? p(v1)?q(v2)

q
p
61
POPL 05 Procedure call rule
62
SAS 05 Procedure call rule
Write a Comment
User Comments (0)
About PowerShow.com