Title: Lazy Abstraction
Slide 1: Lazy Abstraction
Lecture 3: Partial Analysis
- Ranjit Jhala
- UC San Diego
Slide 2: A Problem with Program Analysis
[Figure: Library and Client]
- Whole Program Analysis not always possible
- Availability: Client code missing
- Scalability: Whole system too large
Slide 3: Partial Program Analysis
[Figure: Library and Client]
- Partial Program Analysis
- Find interface for Library
- Use interface to verify client
Slide 4: Partial Program Analysis
[Figure: Library, Interface, Client]
- Availability: Interface independent of Client
- Scalability: Interface small, abstraction of Library
Slide 5: What is an Interface?
[Figure: Library States, API, Interface]
- Interface: Constraints on legal uses of the API
- Legal use: API calls after which the library is in a legal state
Slide 6: Example
Library (static e = 0, a = NULL):

    acq()  { if (a == NULL) a = m_new(); else e = 1; return; }
    read() { if (a != NULL) a = m_rd(a); else e = 1; return; }
    rel()  { a = NULL; return; }

[Figure: Library States, API and Interface. The interface is a typestate graph with states n0, n1, n2: n0 -acq-> n1, n1 -read-> n1, n1 -rel-> n0, n0 -rel-> n0; read at n0 and acq at n1 lead to the error state n2]
Safe: Interface ⊆ Legal Call Sequences
Slide 7: Safety Not Enough!
Library (static e = 0, a = NULL, x = 0):

    acq()   { if (a == NULL) a = m_new(); else e = 1; return; }
    acqx()  { if (a == NULL) { a = m_new(); x = 1; } else e = 1; }
    read()  { if (a != NULL) a = m_rd(a); else e = 1; return; }
    write() { if (x != 0) m_wr(a); else e = 1; return; }
    rel()   { a = NULL; return; }
    relx()  { a = NULL; x = 0; }

[Figure: the Interface of Slide 6 (acq, read, rel only) beside this extended API]
- Disallows calls to write
- Useless for Partial Program Analysis
Slide 8: Permissive Interfaces
Library: as on Slide 7 (static e = 0, a = NULL, x = 0; acq, acqx, read, write, rel, relx).
[Figure: permissive interface as a typestate graph with states n0, n1, n2, n3: acq leads from n0 to n1, where read is allowed; acqx leads from n0 to n3, where write and read are allowed; rel/x and relx edges lead back to n0; n2 is the error state]
Permissive: Legal Call Sequences ⊆ Interface
Partial Analysis requires Safe, Permissive Interfaces
Slide 9: Plan
- 1. Motivation
- 2. Characterizing Safe, Permissive Interfaces
- 3. Computing Safe, Permissive Interfaces
- 4. Extensions
- 5. Experiments
Slide 10: Plan (next: 2. Characterizing Safe, Permissive Interfaces; outline as on Slide 9)
Slide 11: Typestate Interpretations
- Interface is a Typestate System: Abstraction of the library's internal state
- Typestate Interpretation: Overapproximation of the possible internal states
[Figure: the interface typestate graph (n0, n1, n2; edges acq, read, rel) with interpretation labels n0: a = 0, n1: a ≠ 0, n2: e ≠ 0]
Slide 12: Typestate Interpretations

    acq() { if (a == NULL) a = m_new(); else e = 1; return; }

[Figure: the acq edges of the interpreted typestate graph: from n0 (a = 0) acq leads to n1 (a ≠ 0); from n1 acq leads to n2 (e ≠ 0)]
Slide 13: Typestate Interpretations

    read() { if (a != NULL) a = m_rd(a); else e = 1; return; }

[Figure: the read edges of the interpreted typestate graph: from n1 (a ≠ 0) read stays at n1; from n0 (a = 0) read leads to n2 (e ≠ 0)]
Slide 14: Typestate Interpretations

    rel() { a = NULL; return; }

[Figure: the rel edges of the interpreted typestate graph: from n0 (a = 0) rel stays at n0; from n1 (a ≠ 0) rel leads to n0]
Slide 15: Typestate Interpretations (repeats Slide 11)
Slide 16: Safe Interpretations
- Interface is a Typestate System: Abstraction of the library's internal state
- Typestate Interpretation: Overapproximation of the possible internal states
[Figure: the interpreted typestate graph n0: a = 0, n1: a ≠ 0, n2: e ≠ 0; a typestate n carries the interpretation (set of library states) r]
- (P1) Initial states in r0, the interpretation of n0
- (P2) Every edge n -f-> n': Post(r, f) ⊆ r'
- (P3) Every legal typestate n: r ⊆ ¬Err (its interpretation contains no error state)
Slide 17: Safe Interpretations
Theorem: Safe Interpretation implies Safe Interface
[Figure and conditions (P1) to (P3) as on Slide 16]
Slide 18: Permissive Interpretations
- Interface is a Typestate System: Abstraction of the library's internal state
- Typestate Interpretation: Overapproximation of the possible internal states
[Figure: the interpreted typestate graph n0: a = 0, n1: a ≠ 0, n2: e ≠ 0, as on Slide 16]
- (P1) Initial states in r0, the interpretation of n0
- (P2) Every edge n -f-> n': Post(r, f) ⊆ r'
- (P4) Every illegal typestate n: r ⊆ Err (its interpretation contains only error states)
Slide 19: Permissive Interpretations
Theorem: Permissive Interpretation implies Permissive Interface
[Figure and conditions (P1), (P2), (P4) as on Slide 18]
Slide 20: Sanity Check
Library: as on Slide 7 (static e = 0, a = NULL, x = 0; acq, acqx, read, write, rel, relx).
[Figure: candidate interface with typestates n0 (a = 0), n1 (a ≠ 0), n2 (e ≠ 0): acq/x from n0 to n1; read loops at n1; rel/x from n1 back to n0; read and write at n0 and acq/x and write at n1 lead to n2]
Q: Why not a permissive interface?
Slide 21: Sanity Check

    write() { if (x != 0) m_wr(a); else e = 1; return; }

[Figure: the write edge from n1 (a ≠ 0) to n2 (e ≠ 0); the successor states of write from a ≠ 0 satisfy e ≠ 0 ∨ e = 0]
Q: Why not a permissive interface?
A: (P2) fails! Not an Interpretation
Slide 22: Sanity Check
- (P4) Every illegal typestate n: r ⊆ Err

    write() { if (x != 0) m_wr(a); else e = 1; return; }

[Figure: the write edge from n1 (a ≠ 0) to n2; the states reached satisfy e ≠ 0 ∨ e = 0]
Q: Why not a permissive interface?
A: (P4) fails! Not a Permissive Interpretation
Slide 23: Plan (next: 3. Computing Safe, Permissive Interfaces; outline as on Slide 9)
Slide 24: Computing Interfaces
- Problem A: Interface Checking
  - Given Library, candidate interface I, abstraction Π
  - Check if I is safe, permissive
- Problem B: Interface Reconstruction
  - Given Library, abstraction Π
  - Reconstruct a safe, permissive interface I
- Problem C: Interface Inference
  - Given Library
  - Infer a safe, permissive interface I
Slide 25: A. Interface Checking
Check Safe, Permissive independently.
Problem A: Interface Checking. Given Library, candidate interface I, abstraction Π, check if I is safe, permissive.
Slide 26: A. Interface Checking: Safe
[Figure: the Library of Slide 6 (static e = 0, a = NULL; acq, read, rel) and the candidate Interface typestate graph (n0, n1, n2; edges acq, read, rel)]
Slide 27: A. Interface Checking: Safe
[Figure: the Interface used as a Client, composed with the Library; Library States]
Idea: Analyze the Interface as Client composed with the Library. Verify the assertion: Client in legal location ⇒ Library in legal state.
Slide 28: B. Interface Checking: Permissive
[Figure: the Library of Slide 6 and the candidate Interface typestate graph, as on Slide 26]
Slide 29: B. Interface Checking: Permissive
[Figure: the Interface used as a Client, composed with the Library; Library States]
Idea: Analyze the Interface as Client composed with the Library. Verify the assertion: Client in illegal location ⇒ Library in illegal state.
Slide 30: A. Interface Checking
Safe, Permissive checkable by Assertion Verification!
Slide 31: Abstract Reachability Graphs
Safe, Permissive checkable by Assertion Verification (Problem A, as on Slide 30).
Slide 32: Abstract Reachability Graphs
Library of Slide 6 (static e = 0, a = NULL; acq, read, rel) composed with the Interface of Slide 6.
[Figure, built up step by step over Slides 32 to 43: the abstract reachability graph of Interface × Library with predicates a = 0 and e = 0. Vertex 0, at typestate n0, is labelled a = 0, e = 0. acq() leads to vertex 1, at typestate n1, labelled a ≠ 0, e = 0; from there read() loops back to vertex 1 and rel() reaches a vertex labelled a = 0, e = 0 that is covered by vertex 0. rel() at vertex 0 likewise returns to a vertex covered by vertex 0. The illegal calls, read() at n0 and acq() at n1, lead to vertex 2, at typestate n2, labelled e ≠ 0.]
Slide 44: Abstract Reachability Graphs
[Figure: the completed ARG of Slides 32 to 43 beside the Library States]
Verify assertion (Safe): Client in legal location ⇒ Library in legal state
Slide 46: Abstract Reachability Graphs
[Figure: the completed ARG of Slides 32 to 43 beside the Library States]
Verify assertion (Permissive): Client in illegal location ⇒ Library in illegal state
Slide 48: A. Interface Checking
[Figure: the ARG of Interface × Library, annotated Safe, Permissive]
- Safe assertion: Client in legal location ⇒ Library in legal state
- Permissive assertion: Client in illegal location ⇒ Library in illegal state
Slide 49: A. Interface Checking
[Figure: the ARG of Interface × Library, annotated Safe, Permissive]
- Abstract Reach. Graph corresponds to Typestate Interpretation
- Safe Assertion corresponds to Safe Interpretation
- Permissive Assertion corresponds to Permissive Interpretation
Slide 50: Computing Interfaces (Problems A, B, C as on Slide 24)
- Problem A solution: Assertion verification over the Abstract Reach. Graph
Slide 51: B. Interface Reconstruction
[Figure: the Library of Slide 6 (static e = 0, a = NULL; acq, read, rel) with an Abstraction]
Problem B: Interface Reconstruction. Given Library, abstraction Π, reconstruct a safe, permissive interface I.
Slide 52: B. Interface Reconstruction
[Figure: the Maximal Client, which calls acq, read and rel in any order, composed with the Library under the Abstraction]
Idea: I = Abstract Reach Graph of Maximal Client × Library (using Π)
- ARG vertices with legal library state ⇒ legal typestates
- ARG vertices with illegal library state ⇒ illegal typestates
Slide 53: ARG of Max × Library
Library of Slide 6 (static e = 0, a = NULL; acq, read, rel) composed with the Maximal Client.
[Figure, built up over Slides 53 to 57: the Abstract Reach Graph of Maximal Client × Library. The initial vertex is labelled a = 0, e = 0; acq() leads to a vertex labelled a ≠ 0, e = 0, from which read() loops and rel() returns to a vertex covered by the initial one; read() at the initial vertex and acq() at the second lead to a vertex labelled e ≠ 0. Slides 55 to 57 name these vertices n0, n1, n2: the result is the Interface!]
- ARG vertices with legal library state ⇒ legal typestates
- ARG vertices with illegal library state ⇒ illegal typestates
Slide 58: ARG of Max × Library
[Figure: the resulting Interface n0 (a = 0), n1 (a ≠ 0), n2 (e ≠ 0) with acq, read, rel edges]
- Predicate Labels: Typestate Interpretation
- Safe, Permissive by construction
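An added example (not code from the slides or from BLAST) that makes Problems A and B concrete in Python: it models the lecture's library as a state transformer on (a, x, e), reconstructs the interface by running the maximal client against it (Slide 52), and checks a candidate interface by exploring the product Interface × Library for the safe and permissive assertions (Slides 27 to 29). The names check and reconstruct, the representation of an interface as (initial typestate, transitions, error typestates), and the convention that a call with no listed transition leads to Err are this example's own assumptions; since every library state is tracked exactly, the abstraction is the identity here and no refinement is needed.

```python
# Added example, not code from the slides: a concrete model of the lecture's
# library (state a, x, e as in its pseudo-code; e != 0 is the illegal state)
# with Problem A, interface checking, and Problem B, interface reconstruction.

def acq(s):    # if (a == NULL) a = m_new(); else e = 1
    a, x, e = s
    return (1, x, e) if a == 0 else (a, x, 1)
def acqx(s):   # if (a == NULL) { a = m_new(); x = 1; } else e = 1
    a, x, e = s
    return (1, 1, e) if a == 0 else (a, x, 1)
def read(s):   # if (a != NULL) a = m_rd(a); else e = 1
    a, x, e = s
    return s if a != 0 else (a, x, 1)
def write(s):  # if (x != 0) m_wr(a); else e = 1
    a, x, e = s
    return s if x != 0 else (a, x, 1)
def rel(s):    # a = NULL
    return (0, s[1], s[2])
def relx(s):   # a = NULL; x = 0
    return (0, 0, s[2])

LIB = {"acq": acq, "read": read, "rel": rel}         # library of the Example slide
FULL = dict(LIB, acqx=acqx, write=write, relx=relx)  # Permissive Interfaces library
INIT = (0, 0, 0)                                     # static e = 0, a = NULL, x = 0
def legal(s):
    return s[2] == 0

# Candidate interface drawn on the Example slide, as a typestate system
# (initial typestate, transitions, error typestates). A call with no listed
# transition is taken to lead to Err: an assumption made by this example.
SLIDE_IFACE = ("n0", {("n0", "acq"): "n1", ("n0", "rel"): "n0",
                      ("n1", "read"): "n1", ("n1", "rel"): "n0"}, {"Err"})

def reconstruct(api, init, legal):
    """Problem B: run the maximal client (every call sequence). Each reachable
    legal state becomes a typestate; every illegal successor collapses into Err."""
    names, delta, work = {init: "n0"}, {}, [init]
    while work:
        s = work.pop()
        for call, f in api.items():
            t = f(s)
            if not legal(t):
                delta[(names[s], call)] = "Err"
                continue
            if t not in names:
                names[t] = "n%d" % len(names)
                work.append(t)
            delta[(names[s], call)] = names[t]
    return ("n0", delta, {"Err"}), names

def check(api, init, legal, iface):
    """Problem A: explore the product Interface x Library. Safe: legal client
    location => legal library state. Permissive: illegal location => illegal state."""
    start, delta, err = iface
    safe = permissive = True
    seen, work = {(start, init)}, [(start, init)]
    while work:
        q, s = work.pop()
        if q not in err and not legal(s):
            safe = False
        if q in err and legal(s):
            permissive = False
        if q in err or not legal(s):
            continue  # Err and illegal library states are sinks: nothing to explore
        for call, f in api.items():
            nxt = (delta.get((q, call), "Err"), f(s))
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return safe, permissive
```

Running check(FULL, INIT, legal, SLIDE_IFACE) reproduces the point of Slide 7: the three-call interface stays safe for the extended library but is no longer permissive, because acqx and write are never allowed.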
Slide 59: Computing Interfaces (Problems A, B, C as on Slide 24)
- Problem A solution: Assertion verification over the Abstract Reach. Graph
- Problem B solution: Interface = ARG (w.r.t. Π) of Maximal Client × Library
Slide 60: Computing Interfaces (repeats Slide 59)
Slide 61: C. Interface Inference
- Require a sufficiently precise abstraction Π; then B (reconstruction) suffices
- Imprecise abstraction ⇒ imprecise Abstract Reach Graph: a vertex whose label contains both legal and illegal library states
- Q: How to deal with imprecise vertices?
- Idea: Any call sequence into the vertex is either legal or illegal
  - Legal sequence ⇒ infeasible path to Err
  - Illegal sequence ⇒ infeasible path to ¬Err
- Refine the abstraction using the call sequence into the imprecise vertex
- Repeat until the ARG is precise, i.e. the Interface is found
Slide 62: Example
Library: as on Slide 7 (static e = 0, a = NULL, x = 0; acq, acqx, read, write, rel, relx).
[Figure: Abstract Reach Graph with the single predicate e = 0. The initial vertex is labelled e = 0; the calls acq/x(), rel/x(), read() and write() lead to vertices labelled e ≠ 0 ∨ e = 0]
Slide 63: Example
[Figure: the vertex reached by read() from the initial vertex is labelled e ≠ 0 ∨ e = 0: Imprecise!]
- Call read() is illegal ⇒ paths to e = 0 infeasible
- New predicate: a = 0
- New ARG prohibits an immediate call to read
Slide 64: Example
[Figure: Abstract Reach Graph with predicates a = 0, e = 0. The initial vertex a = 0, e = 0 reaches, via acq/x(), a vertex labelled a ≠ 0, e = 0 with read(), write() and rel/x() edges, and via read() a vertex labelled e ≠ 0; the write() edge still leads to a vertex labelled e ≠ 0 ∨ e = 0]
Slide 65: Example
[Figure: the path acqx(), write() ends in a vertex labelled e ≠ 0 ∨ e = 0]
- Sequence acqx() write() is legal ⇒ paths to e ≠ 0 infeasible
- New predicate: x = 0
- New ARG allows the sequence acqx write
Slide 66: Example
[Figure: Abstract Reach Graph with predicates a = 0, e = 0, x = 0. From the initial vertex (a = 0, e = 0, x = 0), acq leads to a vertex with a ≠ 0, e = 0, x = 0 where read() is allowed, and acqx to a vertex with a ≠ 0, e = 0, x ≠ 0 where read() and write() are allowed; rel/x edges lead back, and the illegal calls lead to a vertex labelled e ≠ 0]
Safe, Permissive Interface
Slide 67: Example
Library: as on Slide 7 (static e = 0, a = NULL, x = 0; acq, acqx, read, write, rel, relx).
Safe, Permissive Interface
Slide 68: Computing Interfaces
- Problem A: Interface Checking
  - Given Library, candidate interface I, abstraction Π
  - Check if I is safe, permissive
  - Solution: Assertion verification over the Abstract Reach. Graph
- Problem B: Interface Reconstruction
  - Given Library, abstraction Π
  - Reconstruct a safe, permissive interface I
  - Solution: Interface = ARG (w.r.t. Π) of Maximal Client × Library
- Problem C: Interface Inference
  - Given Library
  - Infer a safe, permissive interface I
  - Solution: Refine the abstraction using imprecise ARG vertices
Slide 69: Two Requirements, Two Abstractions
- Safe, Permissive: Orthogonal
- Different abstractions suffice to prove each
- Abstractions Π_safe and Π_permissive
  - Π_safe: calls allowed ⊆ legal calls
  - Π_permissive: calls disallowed ⊆ illegal calls
- Build the largest safe Interface I, using Π_safe
  - Build ARG; imprecise vertices are treated as illegal
- Check that I is permissive, using Π_permissive
  - Fails: a possibly legal, prohibited sequence into an imprecise vertex
    - If the sequence is illegal, then refine Π_permissive
    - If legal, then refine Π_safe
Slide 70: Safety Verification vs Interface Construction

    Safety Verification                  | Interface Construction
    1. Error not reachable               | 1. Error reachable
    2. Show always legal:                | 2. Find all legal sequences,
       find one illegal sequence         |    find all illegal sequences
    3. Refine: infeasible path to Error  | 3. Refine: infeasible path to Error (Safe)
                                         |    OR infeasible path to Legal (Perm)
    5. Refine: fewer behaviors           | 5. Refine: more behaviors
Slide 71: Plan (next: 4. Extensions; outline as on Slide 9)
Slide 72: Extensions: Outputs
- Outputs allow non-determinism in the library
Library (static e = 0, a = NULL):

    acq()  { if (...) return 0; else { if (a == NULL) a = m_new(); else e = 1; return 1; } }
    read() { if (a != NULL) a = m_rd(a); else e = 1; return; }
    rel()  { a = NULL; return; }

[Figure: Safe, Permissive Interface whose acq edges are labelled with the returned output: acq,0 keeps the client at n0, acq,1 leads from n0 to n1 (where read is allowed and rel returns to n0), and acq at n1 leads to the error state n2]
Slide 73: Extensions
- Hierarchy
  - Library built using sub-libraries
  - Construct the interface using sub-interfaces
- Decomposition
  - Complex illegal states give a large Interface
  - Partition: a small interface per partition
- Multiple Correlated Libraries
  - Interface: Typestate Hypergraph
Slide 74: Plan (next: 5. Experiments; outline as on Slide 9)
Slide 75: Experiments
- Find interfaces for Java classes (JDK 1.4)
- Input: Class, Error states (Exception raised)
- Tool: Automatically finds predicates, interfaces
- Classes: Signature, ServerTableEntry, ListItr, Socket
- Private state variables determine the interface
- Partition methods by which variables they affect
- Socket: 6 predicates, < 30s
  - connect -> getInputStream -> shutDownInput -> close
Slide 76: To sum up
- Partial PA requires Safe, Permissive Interfaces
  - Safe: I ⊆ legal sequences
  - Perm: legal sequences ⊆ I
- Interface: Typestate Graph
  - Safe, Permissive via Typestate Interpretation
- Compute Interface via Abs. Reach. Graph
  - Issue: Permissive is a lower bound requirement
  - Solution: ¬I ⊆ illegal sequences
- Implementation
  - Safe, Permissive Interfaces for Java classes
  - Automatic synthesis of Typestate Systems
Slide 77: So what is Lazy Abstraction?
- Theorem Proving?
- Dataflow Analysis?
- Model Checking?
Slide 78: Verification by Theorem Proving

    Example() {
    1:  do {
          lock();
          old = new;
          q = q->next;
    2:    if (q != NULL) {
    3:      q->data = new;
            unlock();
            new++;
          }
    4:  } while (new != old);
    5:  unlock();
        return;
    }

- 1. Loop Invariants
- 2. Logical formula
- 3. Check Validity
Invariant: lock ∧ new = old ∨ ¬lock ∧ new ≠ old
Slide 79: Verification by Theorem Proving
(Example program and steps 1 to 3 as on Slide 78)
- Drawbacks: Loop Invariants; Multithreaded Programs
- Strengths: Behaviors encoded in logic; Decision Procedures
- Tool: ESC
- Precise
Slide 80: Verification by Program Analysis
(Example program as on Slide 78)
- 1. Dataflow Facts
- 2. Constraint System
- 3. Solve constraints
- Drawback: Imprecision due to fixed facts (Abstraction)
- Type/Flow Analyses: CQUAL, ESP, MC
- Scalable
Slide 81: Verification by Model Checking
(Example program as on Slide 78)
- 1. (Finite State) Program
- 2. State Transition Graph
- 3. Reachability
- Drawbacks: Pgm → Finite state model; State explosion
- Strengths: State Exploration; Counterexamples
- Tools: SPIN, SMV, Bandera, JPF
- Precise
Slide 82: Combining Strengths
- Program Analysis (imprecise): Abstraction, shrink the state space
- Theorem Proving (needs loop invariants): Behaviors encoded in logic; theorem provers for Computing Successors and Refine
- Model Checking (finite-state model, state explosion): State Space Exploration as Path Sensitive Analysis; Counterexamples for Finding Relevant Facts
- Lazy Abstraction combines these
Slide 83: Thank you
www.cs.ucsd,la.edu/blast/
Slide 84: Related Work
- Whaley-Lam, ISSTA 02
  - Use data-flow analysis; error condition via exceptions
  - Bar a call to b if a modifies a variable guarding the exception branch
  - Not permissive
- Alur et al., POPL 05
  - Use machine learning to find the set of legal sequences, after a manually supplied finite abstraction
  - Not permissive
- Fahndrich-Deline, ECOOP 04
  - Typestate interpretation
- Counterexample-Guided Refinement