Title: Interprocedural shape analysis for cutpointfree programs
1Interprocedural shape analysisfor cutpoint-free
programs
Noam Rinetzky Tel Aviv University
Joint work with Mooly Sagiv Tel Aviv
University Eran Yahav IBM Watson
2Motivation
- Interprocedural shape analysis
- Conservative static pointer analysis
- Heap intensive programs
- Imperative programs with (recursive) procedures
- Linked data structures
- Challenge
- Destructive update
- Localized effect of procedures
3Main idea
call p(x)
y
g
t
4Main idea
- Local heaps
- Cutpoint freedom
POPL 05
SAS 05
call p(x)
y
g
t
5Cutpoints
- An object is a cutpoint for an invocation
- Reachable from actual parameters
- Not pointed to by an actual parameter
- Reachable without going through a parameter
call p(y,z)
call p(y,z)
n
n
n
n
y
y
n
n
t
t
x
z
z
6Cutpoint freedom
- Cutpoint-free
- Invocation has no cutpoints
- Execution every invocation is cutpoint-free
- Program every execution is cutpoint-free
call p(y,z)
call p(y,z)
n
n
n
n
x
y
n
n
t
y
t
z
x
z
7Cutpoint freedom benefits
- Restricted aliasing
- Procedure function
- Input / output relation
call p(y,z)
call p(y,z)
n
n
n
y
y
x
z
z
Not Cutpoint free
Cutpoint free
8Main results
- Cutpoint freedom
- Non-standard concrete semantics
- Verifies that an execution is cutpoint-free
- Local heaps
- Interprocedural shape analysis
- Conservatively verifies
- program is cutpoint free
- Desired properties
- Partial correctness of quicksort
- Procedure summaries
- Prototype implementation
9Plan
- Cutpoint freedom
- Non-standard concrete semantics
- Interprocedural shape analysis
- Prototype implementation
- Related work
10Programming model
- Single threaded
- Procedures
- Value parameters
- Formal parameters not modified
- Recursion
- Heap
- Recursive data structures
- Destructive update
- No explicit addressing ()
- No pointer arithmetic
11Memory states
- A memory state encodes a local heap
- Local variables of the current procedure
invocation - Relevant part of the heap
- Relevant ? Reachable
main
append
q
p
n
n
x
t
y
z
12Memory states
- Represented by first-order logical structures
13Memory states
- Represented by first-order logical structures
q
p
n
u1
u2
14Operational semantics
- Statements modify values of predicates
- Specified by predicate-update formulae
- Formulae in FO-TC
15Procedure call rule
- Large step semantics
- Procedure input/output relation
16Procedure call rule
1. Verify cutpoint freedom 2 Compute
input Execute callee 3 Combine output
- Large step semantics
- Procedure input/output relation
main() append(y,z)
append(List p, List q)
n
y
z
17Procedure call 1. Verifying cutpoint-freedom
- An object is a cutpoint for an invocation
- Reachable from actual parameters
- Not pointed to by an actual parameter
- Reachable without going through a parameter
append(y,z)
append(y,z)
n
n
n
n
y
y
n
x
x
z
z
n
t
t
Not Cutpoint free
Cutpoint free
18Procedure call 1. Verifying cutpoint-freedom
- Invoking append(y,z) in main
- Ry,z(v)?v1y(v1)?n(v1,v) ? ?v1z(v1)?n(v1,v)
- isCPmain,y,z(v) Ry,z(v) ? (?y(v)??z(v1)) ?
- ( x(v) ? t(v) ? ?v1 ?Ry,z(v1)?n(v1,v))
-
(mains locals x,y,z,t)
n
n
n
n
y
y
n
x
x
z
z
n
t
t
Not Cutpoint free
Cutpoint free
19Procedure call 2. Computing the input local heap
- Retain only reachable objects
- Bind formal parameters
Call state
n
n
y
x
z
n
t
20Procedure body append(p,q)
Input state
n
n
p
q
21Procedure call3. Combine output
Output state
Call state
n
n
n
y
x
z
n
t
22Procedure call3. Combine output
Output state
Call state
n
n
n
n
n
y
p
x
z
q
n
t
Auxiliary predicates
inUc(v)
inUx(v)
23Observational equivalence
- ?CPF ? ?CPF (Cutpoint free semantics)
- ?GSB ? ?GSB (Standard semantics)
- ?CPF and ?GSB observationally equivalent
- when for every access paths AP1, AP2
? AP1 AP2 ?(?CPF) ? ? AP1 AP2 ?(?GSB)
24Observational equivalence
- For cutpoint free programs
- ?CPF ? ?CPF (Cutpoint free semantics)
- ?GSB ? ?GSB (Standard semantics)
- ?CPF and ?GSB observationally equivalent
- It holds that
- ?st, ?CPF? ? ?CPF ? ?st, ?GSB? ? ?GSB
- ?CPF and ?GSB are observationally equivalent
25Introducing local heap semantics
Local heap Operational semantics
26Plan
- Cutpoint freedom
- Non-standard concrete semantics
- Interprocedural shape analysis
- Prototype implementation
- Related work
27Shape abstraction
- Abstract memory states represent unbounded
concrete memory states - Conservatively
- In a bounded way
- Using 3-valued logical structures
283-Valued logic
- 1 true
- 0 false
- 1/2 unknown
- A join semi-lattice, 0 ? 1 1/2
29Canonical abstraction
y
z
n
n
n
n
n
x
n
n
t
30Canonical abstraction
y
z
n
n
n
n
n
x
n
n
n
t
31Instrumentation predicates
- Record derived properties
- Refine the abstraction
- Instrumentation principle SRW, TOPLAS02
- Reachability is crucial!
32Abstract memory states (with reachability)
y
z
n
n
n
n
n
rz
rx
rx,ry
rx
rz
rz
rx
rx
rx,ry
rx
rz
rz
rx
rz
x
n
n
rt
rt
rt
rt
rt
rt
t
33The importance of reachabilityCall append(y,z)
z
y
n
n
n
n
n
rx
rx,ry
rx
rz
rz
rx
rz
x
n
n
rt
rt
rt
t
y
z
n
n
n
n
n
x
rx,ry
rz
rz
rx
rx
n
n
rt
rt
t
34Abstract semantics
- Conservatively apply statements on abstract
memory states - Same formulae as in concrete semantics
- Soundness guaranteed SRW, TOPLAS02
35Procedure calls
1. Verify cutpoint freedom 2 Compute input
Analyze callee 3 Combine output
36Conservative verification of cutpoint-freedom
- Invoking append(y,z) in main
- Ry,z(v)?v1y(v1)?n(v1,v) ? ?v1z(v1)?n(v1,v)
- isCPmain,y,z(v) Ry,z(v) ? (?y(v)??z(v1)) ?
- ( x(v) ? t(v) ? ?v1 ?Ry,z(v1)?n(v1,v))
n
n
n
n
n
ry
ry
ry
ry
rx
ry
rz
y
y
rz
n
n
n
n
z
z
x
rt
rt
rt
rt
t
t
Not Cutpoint free
Cutpoint free
37Interprocedural shape analysis
38Interprocedural shape analysis
Tabulation exits
call f(x)
y
39Interprocedural shape analysis
Analyze f
Tabulation exits
call f(x)
y
40Interprocedural shape analysis
- Procedure ? input/output relation
Output
Input
q
q
rq
rq
q
q
p
p
n
rp
rq
rp
rp
rq
n
q
n
p
p
q
n
n
n
rp
rp
rq
rp
rq
rp
rp
41Interprocedural shape analysis
- Reusable procedure summaries
- Heap modularity
42Plan
- Cutpoint freedom
- Non-standard concrete semantics
- Interprocedural shape analysis
- Prototype implementation
- Related work
43Prototype implementation
- TVLA based analyzer
- Soot-based Java front-end
- Parametric abstraction
44Iterative vs. Recursive (SLL)
585
45Inline vs. Procedural abstraction
// Allocates a list of // length 3 List
create3() main() List x1
create3() List x2 create3() List x3
create3() List x4 create3()
46Call string vs. Relational vs. CPFRinetzky
and Sagiv, CC01 Jeannet et al.,
SAS04
47Plan
- Cutpoint freedom
- Non-standard concrete semantics
- Interprocedural shape analysis
- Prototype implementation
- Related work
48Related work
- Interprocedural shape analysis
- Rinetzky and Sagiv, CC 01
- Chong and Rugina, SAS 03
- Jeannet et al., SAS 04
- Hackett and Rugina, POPL 05
- Rinetzky et al., POPL 05
- Local Reasoning
- Ishtiaq and OHearn, POPL 01
- Reynolds, LICS 02
- Encapsulation
- Hogg, OOPSLA 91
- ...
49Related work
- SAS 05
- Local heaps
- Cutpoint forbidden
- Simple call rule
- Automatically detects cutpoint freedom
- New shape analysis
- sorting (quicksort)
- Prototype
- POPL 05
- Local heaps
- Cutpoints allowed
- Complicated call rule
- Cutpoints may hurt precision
- Justify existing analysis
- New shape analysis
- Abstract objects
- Abstract cutpoints
50Cutpoint freedom vs. Encapsulation(?)
- Restricted local heap sharing
- Parameters dominate local heap
- Unrestricted intraprocedural
- sharing
- Dynamic domination
- Technique
- Abstract interpretation
- Cutpoint-free programs
- Hard to scale
- Automatic
- Restricted heap sharing
- Owner(s) dominate heap references
- Unrestricted stack sharing
-
- Static domination
- Technique
- Type systems
- Type-correct programs
- Scalable
- User annotation
51Future work
- False cutpoints
- Liveness analysis
- Cutpoint profiler
- Guide abstraction design
52Summary
- Cutpoint freedom
- Non-standard operational semantics
- Interprocedural shape analysis
- Partial correctness of quicksort
- Prototype implementation
53End
Interprocedural shape analysis for cutpoint-free
programs Noam Rinetzky, Mooly Sagiv, and Eran
Yahav SAS, 2005 (To appear)
A Semantics for procedure local heaps and its
abstraction Noam Rinetzky, Jörg Bauer, Thomas
Reps, Mooly Sagiv, and Reinhard Wilhelm POPL,
2005
www.cs.tau.ac.il/maon
54(No Transcript)
55quickSort(List p, List q)
56Quicksort
- List quickSort(List p, List q)
- If(pq q null)
- return p
- List h partition(p,q)
- List x p.n
- p.n null
- List low quickSort(h, p)
- List high quickSort(x,null)
- p.n high
- Return low
57Quicksort
- List quickSort(List p, List q)
- If(pq q null)
- return p
- List h partition(p,q)
- List x p.n
- p.n null
- List low quickSort(h, p)
- List high quickSort(x,null)
- p.n high
- Return low
58Quicksort
p
tl
hd
8
6
3
5
7
2
1
4
6
8
9
8
9
hd
low
p
tl
Lev Ami et. al. ISSTA00
59Backup
60Intraprocedural statements
- Specified by predicate-update formulae
- Formulae in FO-TC
- Example p.nq
- Assert ?v p(v)
- n(v1,v2) ? n(v1,v2) ? p(v1)?q(v2)
q
p
61POPL 05 Procedure call rule
62SAS 05 Procedure call rule