Lazy Abstraction - PowerPoint PPT Presentation
Slides: 83
Provided by: RJ3
Learn more at: https://cseweb.ucsd.edu

Transcript and Presenter's Notes

1
Lazy Abstraction
Lecture 3: Partial Analysis
Ranjit Jhala UC San Diego
With Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre
2
A Problem with Program Analysis
(Figure: a Library box and a Client box, analysed as one whole program)
  • Whole Program Analysis not always possible
  • Availability: Client code missing
  • Scalability: Whole system too large

3
Partial Program Analysis
(Figure: Library and Client, analysed separately)
  • Partial Program Analysis
  • Find interface for Library
  • Use interface to verify Client

4
Partial Program Analysis
(Figure: Library with its Interface)
  • Availability: Interface independent of Client
  • Scalability: Interface small, an abstraction of the Library

5
What is an Interface ?
(Figure: Library States partitioned into Legal (e = 0) and Error (e != 0); the API; the Interface)
  • Interface: Constraints on legal uses of the API
  • Legal uses: API calls after which the library is in a legal state

6
Example
Library (static state: e = 0, a = NULL):
    acq()  { if (a == NULL) a = m_new(); else e = 1; return; }
    read() { if (a != NULL) m_rd(a);    else e = 1; return; }
    rel()  { a = NULL; return; }
Library States: Legal (e = 0), Error (e != 0)
Interface (typestate graph over the API):
    n0 --acq--> n1      n0 --rel--> n0      n0 --read--> n2
    n1 --read--> n1     n1 --rel--> n0      n1 --acq--> n2
    n2 is the error typestate; every call from n2 stays in n2
Safe: Interface ⊆ Legal Call Sequences
7
Safety Not Enough!
Library (static state: e = 0, a = NULL, x = 0):
    acq()   { if (a == NULL) a = m_new(); else e = 1; return; }
    acqx()  { if (a == NULL) { a = m_new(); x = 1; } else e = 1; }
    read()  { if (a != NULL) m_rd(a); else e = 1; return; }
    write() { if (x != 0) m_wr(a); else e = 1; return; }
    rel()   { a = NULL; return; }
    relx()  { a = NULL; x = 0; }
(Figure: a safe interface for this API that has no write edge at all)
  • Disallows calls to write
  • Useless for Partial Program Analysis

8
Permissive Interfaces
Library: as on the previous slide (static e = 0, a = NULL, x = 0; API acq, acqx, read, write, rel, relx)
Interface (typestate graph): n0 --acq--> n1 and n0 --acqx--> n2; read loops on n1; read and write loop on n2; rel/relx lead back to n0; n3 is the error typestate
Permissive: Legal Call Sequences ⊆ Interface
Partial Analysis needs Safe, Permissive Interfaces
9
Plan
  • 1. Motivation
  • 2. Characterizing Safe, Permissive Interfaces
  • 3. Computing Safe, Permissive Interfaces
  • 4. Extensions
  • 5. Experiments

11-15
Typestate Interpretations
Interface is a Typestate System: an abstraction of the library's internal state.
Typestate Interpretation: a map r from typestates to sets of library states that overapproximates the internal states possible at each typestate.
Interface (acq/read/rel library of slide 6) with its interpretation:
    n0 --acq--> n1      n0 --rel--> n0      n0 --read--> n2
    n1 --read--> n1     n1 --rel--> n0      n1 --acq--> n2
    r(n0) = { a = 0 }    r(n1) = { a != 0 }    r(n2) = { e != 0 }
Checked one API call at a time:
    acq():  from r(n0) = { a = 0 } the call lands in { a != 0 } = r(n1); from r(n1) it sets e = 1 and lands in r(n2)
    read(): from r(n1) = { a != 0 } the call stays in r(n1); from r(n0) = { a = 0 } it sets e = 1 and lands in r(n2)
    rel():  from r(n1) the call lands in { a = 0 } = r(n0); from r(n0) it stays in r(n0)
16-17
Safe Interpretations
Interface is a Typestate System: abstraction of the library's internal state. Typestate Interpretation r: overapproximation of the possible internal states.
(Figure: the interface above with labels r(n0) = { a = 0 }, r(n1) = { a != 0 }, r(n2) = { e != 0 })
A typestate interpretation r is safe if
  (P1) Initial library states ⊆ r(n0)
  (P2) For every edge n --f--> n': Post(r(n), f) ⊆ r(n')
  (P3) For every legal typestate n: r(n) ⊆ ¬Err   (r(n) contains no error state)
Theorem: Safe Interpretation implies Safe Interface
18-19
Permissive Interpretations
(Figure: the same interface and labels as above)
A typestate interpretation r is permissive if
  (P1) Initial library states ⊆ r(n0)
  (P2) For every edge n --f--> n': Post(r(n), f) ⊆ r(n')
  (P4) For every illegal typestate n: r(n) ⊆ Err   (r(n) contains only error states)
Theorem: Permissive Interpretation implies Permissive Interface
20-22
Sanity Check
Library (static e = 0, a = NULL, x = 0): acq, acqx, read, write, rel, relx as on slide 7.
Candidate Interface: n0 --acq/acqx--> n1; read and write loop on n1; n1 --rel/relx--> n0; n2 is the error typestate.
Interpretation: r(n0) = { a = 0 }, r(n1) = { a != 0 }, r(n2) = { e != 0 }
Q: Why not a permissive interface ?
A: (P2) fails! Post(r(n1), write) = { e != 0 ∨ e = 0 }, because write() sets e = 1 whenever x = 0, and that is not ⊆ r(n1). Not an Interpretation.
Q: And if write is routed to n2, with r(n2) widened to { e != 0 ∨ e = 0 } so that (P2) holds ?
A: (P4) fails! r(n2) now contains legal states, so r(n2) is not ⊆ Err. Not a Permissive Interpretation.
23
Plan (section divider; next: 3. Computing Safe, Permissive Interfaces)

24
Computing Interfaces
  • Problem A: Interface Checking
    Given Library, candidate interface I, abstraction Π (a set of predicates), check if I is safe, permissive.
  • Problem B: Interface Reconstruction
    Given Library, abstraction Π, reconstruct a safe, permissive interface I.
  • Problem C: Interface Inference
    Given Library, infer a safe, permissive interface I.

25-30
A. Interface Checking
Problem A (Interface Checking): Given Library, candidate interface I, abstraction Π, check if I is safe, permissive.
Check Safe and Permissive independently.
Library (static e = 0, a = NULL):
    acq()  { if (a == NULL) a = m_new(); else e = 1; return; }
    read() { if (a != NULL) m_rd(a);    else e = 1; return; }
    rel()  { a = NULL; return; }
Candidate Interface: n0 --acq--> n1, n0 --rel--> n0, n0 --read--> n2; n1 --read--> n1, n1 --rel--> n0, n1 --acq--> n2; n2 is the error typestate.
Library States: Legal (e = 0), Error (e != 0).
Idea: treat the Interface as a Client and analyze Interface-Client + Library.
  • Safe: verify the assertion  Client in legal location ⇒ Library in legal state
  • Permissive: verify the assertion  Client in illegal location ⇒ Library in illegal state
Safe, Permissive checkable by Assertion Verification!
31-49
Abstract Reachability Graphs
Interface checking by assertion verification, worked on the acq/read/rel library with abstraction Π = { a = 0, e = 0 }.
Library (static e = 0, a = NULL): acq, read, rel as above.
Candidate Interface: n0 --acq--> n1, n0 --rel--> n0, n0 --read--> n2; n1 --read--> n1, n1 --rel--> n0, n1 --acq--> n2; n2 is the error typestate.
The Abstract Reachability Graph (ARG) of Interface-Client + Library is built one call at a time; each vertex is (interface location, predicate label):
    vertex 0: (n0, a = 0 ∧ e = 0)                        initial vertex
    0 --acq()-->  vertex 1: (n1, a != 0 ∧ e = 0)
    1 --rel()-->  vertex 0: (n0, a = 0 ∧ e = 0)          already present: covered
    0 --rel()-->  vertex 0                                covered
    0 --read()--> vertex 2: (n2, e != 0)                  error typestate, library in error state
    1 --acq()-->  vertex 2: (n2, e != 0)                  covered
    1 --read()--> vertex 1: (n1, a != 0 ∧ e = 0)          covered
    2 --acq()/read()/rel()--> vertex 2                     covered
Library States: Legal (e = 0), Error (e != 0)
Verify assertion (Safe): Client in legal location ⇒ Library in legal state. Holds: vertices 0 and 1 carry e = 0.
Verify assertion (Permissive): Client in illegal location ⇒ Library in illegal state. Holds: vertex 2 carries e != 0.
Safe, Permissive.
Abstract Reach. Graph ⇔ Typestate Interpretation
Safe Assertion ⇔ Safe Interpretation; Permissive Assertion ⇔ Permissive Interpretation
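The assertion-based check of slides 25-49 as an added worked example (not code from the lecture or from the BLAST tool): the acq/read/rel library is modelled as a small state machine over (a, e), a candidate interface is given as an edge table, and the product of interface and library is explored exhaustively, which for this finite toy state space replaces predicate abstraction. Besides the slide 6 interface it checks two constructed candidates, one that allows acq twice (unsafe) and one without a read edge (safe but not permissive). The typestate names, the `check_interface` function and the two extra candidates are assumptions of the example.

```python
"""Interface checking (Problem A) for the acq/read/rel library of the lecture.

Added example, not from the lecture. A concrete library state is the pair
(a, e), with a = 1 standing for a != NULL. Because the state space is finite,
the product Interface-Client x Library is explored exhaustively rather than
through predicate abstraction, and the two assertions of slides 27-29 are
checked on every reachable product state.
"""
from collections import deque

ERR = "ERR"              # the illegal (sink) typestate
INIT_STATE = (0, 0)      # a = NULL, e = 0

# The library, transcribed from the slides: each call maps a state to a state.
def acq(s):
    a, e = s
    return (1, e) if a == 0 else (a, 1)       # a = m_new()   or   e = 1

def read(s):
    a, e = s
    return s if a != 0 else (a, 1)            # m_rd(a) leaves (a, e) unchanged

def rel(s):
    a, e = s
    return (0, e)                             # a = NULL

API = {"acq": acq, "read": read, "rel": rel}

def library_legal(s):
    return s[1] == 0                          # Legal library states: e = 0

def check_interface(edges, init="n0"):
    """Check a typestate interface against the library.

    edges maps (typestate, call) -> typestate. A call with no edge from a
    legal typestate is prohibited and goes to ERR; ERR absorbs every call.
    Returns (safe, permissive, unsafe_seq, prohibited_legal_seq):
      safe        client in a legal typestate => library in a legal state
      permissive  client in ERR               => library in an illegal state
    and, for each property that fails, the first call sequence violating it.
    """
    start = (init, INIT_STATE)
    trace = {start: []}                       # one call sequence per product state
    queue = deque([start])
    unsafe_seq = prohibited_legal_seq = None
    while queue:
        node, s = queue.popleft()
        for call, f in API.items():
            node2 = ERR if node == ERR else edges.get((node, call), ERR)
            s2, seq = f(s), trace[(node, s)] + [call]
            if node2 != ERR and not library_legal(s2) and unsafe_seq is None:
                unsafe_seq = seq              # allowed by I, but drives the library into Err
            if node2 == ERR and library_legal(s2) and prohibited_legal_seq is None:
                prohibited_legal_seq = seq    # prohibited by I, but legal for the library
            if (node2, s2) not in trace:
                trace[(node2, s2)] = seq
                queue.append((node2, s2))
    return unsafe_seq is None, prohibited_legal_seq is None, unsafe_seq, prohibited_legal_seq

# Interface of slide 6: n0 --acq--> n1, n0 --rel--> n0, n1 --read--> n1, n1 --rel--> n0.
SLIDE6 = {("n0", "acq"): "n1", ("n0", "rel"): "n0",
          ("n1", "read"): "n1", ("n1", "rel"): "n0"}
# Two constructed candidates (not from the slides) to show each check failing.
TOO_LOOSE = {**SLIDE6, ("n1", "acq"): "n1"}                             # allows acq twice
TOO_STRICT = {k: v for k, v in SLIDE6.items() if k != ("n1", "read")}   # never allows read

if __name__ == "__main__":
    for label, iface in [("slide 6", SLIDE6), ("too loose", TOO_LOOSE), ("too strict", TOO_STRICT)]:
        safe, permissive, bad, strict = check_interface(iface)
        print(f"{label}: safe={safe} permissive={permissive} unsafe={bad} prohibited-but-legal={strict}")
```

Running the file prints one line per candidate; the witness sequences are what a client author would want from the checker, since they name the exact call sequence that is either allowed but breaks the library or forbidden but harmless.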
50
Computing Interfaces
  • Problem A: Interface Checking
    Given Library, candidate interface I, abstraction Π, check if I is safe, permissive.
    Solution: Assertion verification on the Abstract Reach. Graph
  • Problem B: Interface Reconstruction
    Given Library, abstraction Π, reconstruct a safe, permissive interface I.
  • Problem C: Interface Inference
    Given Library, infer a safe, permissive interface I.

51-58
B. Interface Reconstruction
Problem B (Interface Reconstruction): Given Library, abstraction Π, reconstruct a safe, permissive interface I.
Library (static e = 0, a = NULL): acq, read, rel as above. Abstraction Π = { a = 0, e = 0 }.
Maximal Client: a one-location client that nondeterministically calls any API function (acq, read, rel), forever.
Idea: I = Abstract Reachability Graph of Maximal Client + Library (using Π)
  • ARG vertices with legal library state ⇒ legal typestates
  • ARG vertices with illegal library state ⇒ illegal typestates
ARG of Maximal Client + Library:
    (a = 0 ∧ e = 0)   --acq()-->  (a != 0 ∧ e = 0)
    (a = 0 ∧ e = 0)   --rel()-->  (a = 0 ∧ e = 0)
    (a = 0 ∧ e = 0)   --read()--> (e != 0)
    (a != 0 ∧ e = 0)  --read()--> (a != 0 ∧ e = 0)
    (a != 0 ∧ e = 0)  --rel()-->  (a = 0 ∧ e = 0)
    (a != 0 ∧ e = 0)  --acq()-->  (e != 0)
Naming the vertices n0 = (a = 0 ∧ e = 0), n1 = (a != 0 ∧ e = 0), n2 = (e != 0) gives exactly the Interface of slide 6!
Predicate Labels = Typestate Interpretation
Safe, Permissive by construction
59-60
Computing Interfaces
  • Problem A: Interface Checking
    Given Library, candidate interface I, abstraction Π, check if I is safe, permissive.
    Solution: Assertion verification on the Abstract Reach. Graph
  • Problem B: Interface Reconstruction
    Given Library, abstraction Π, reconstruct a safe, permissive interface I.
    Solution: Interface = ARG (w.r.t. Π) of Maximal Client + Library
  • Problem C: Interface Inference
    Given Library, infer a safe, permissive interface I.

61
C. Interface Inference
Require a sufficiently precise abstraction Π; then B (reconstruction) suffices.
Imprecise abstraction ⇒ imprecise Abstract Reach Graph: a vertex whose label contains both legal and illegal library states.
  • Q: How to deal with imprecise vertices ?
  • Idea: Any call sequence into the vertex is either legal or illegal
  • Legal sequence ⇒ the path to Err (e != 0) is infeasible
  • Illegal sequence ⇒ the path to a legal state (e = 0) is infeasible
  • Refine the abstraction using the call sequence into the imprecise vertex (add the predicates that rule out the infeasible path)
  • Repeat until the ARG is precise, i.e. the Interface is found

62-67
Example
Library (static e = 0, a = NULL, x = 0):
    acq()   { if (a == NULL) a = m_new(); else e = 1; return; }
    acqx()  { if (a == NULL) { a = m_new(); x = 1; } else e = 1; }
    read()  { if (a != NULL) m_rd(a); else e = 1; return; }
    write() { if (x != 0) m_wr(a); else e = 1; return; }
    rel()   { a = NULL; return; }
    relx()  { a = NULL; x = 0; }
Maximal Client: nondeterministically calls acq/acqx, read, write, rel/relx.
Round 1, Π = { e = 0 }. Abstract Reach Graph: initial vertex (e = 0); the call read() leads to a vertex labelled e != 0 ∨ e = 0. Imprecise!
  • The call read() is illegal ⇒ paths to e = 0 infeasible
  • New predicate: a = 0
  • New ARG prohibits an immediate call to read
Round 2, Π = { e = 0, a = 0 }. ARG: (a = 0 ∧ e = 0) --acq/acqx--> (a != 0 ∧ e = 0) with rel/relx leading back; read() from (a = 0 ∧ e = 0) leads to (e != 0); write() from (a != 0 ∧ e = 0) leads to a vertex labelled e != 0 ∨ e = 0. Imprecise!
  • The sequence acqx(); write() is legal ⇒ paths to e != 0 infeasible
  • New predicate: x = 0
  • New ARG allows the sequence acqx; write
Round 3, Π = { e = 0, a = 0, x = 0 }. ARG vertices: (a = 0 ∧ e = 0 ∧ x = 0) initial, (a != 0 ∧ e = 0 ∧ x = 0) after acq, (a != 0 ∧ e = 0 ∧ x != 0) after acqx, and (e != 0); read loops on the acq vertex, read and write loop on the acqx vertex, rel/relx edges lead back, and read() or write() from the initial vertex lead to (e != 0).
Every vertex is precise: Safe, Permissive Interface.
68
Computing Interfaces
  • Problem A: Interface Checking
    Given Library, candidate interface I, abstraction Π, check if I is safe, permissive.
    Solution: Assertion verification on the Abstract Reach. Graph
  • Problem B: Interface Reconstruction
    Given Library, abstraction Π, reconstruct a safe, permissive interface I.
    Solution: Interface = ARG (w.r.t. Π) of Maximal Client + Library
  • Problem C: Interface Inference
    Given Library, infer a safe, permissive interface I.
    Solution: Refine the abstraction using the imprecise ARG vertices
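Interface reconstruction and inference (Problems B and C, slides 51-67) as an added worked example that is not the lecture's tool: the six-call library with x is modelled as a state machine over (a, e, x), the ARG of the maximal client is built by predicate abstraction (a vertex label is a set of predicate valuations, and the abstract post of a call runs the call on every concrete state the label admits), imprecise vertices are detected, and the abstraction is refined until every vertex is precise, after which the legal vertices and their edges are the interface. Three simplifications are assumptions of the example: predicates are picked from a fixed pool {e=0, a=0, x=0} rather than derived from the infeasible path; the first imprecise vertex is taken in BFS order, so the first round is triggered by the legal sequence acq rather than the slides' read, and the second by the illegal call write; and rel() is transcribed literally, leaving x untouched, which makes the computed interface contain a fourth legal typestate (a = NULL, x != 0), reachable by acqx; rel, that the slide drawing, as far as it is legible in this transcript, does not show.

```python
"""Interface reconstruction and inference (Problems B and C) for the
acq/acqx/read/write/rel/relx library of slides 62-67 (added example, not the
lecture's tool). A concrete state is the triple (a, e, x) of 0/1 flags, a = 1
standing for a != NULL. An ARG vertex is labelled by a set of predicate
valuations; the abstract post of a call runs the call on every concrete state
the label admits. Refinement is simplified to picking, from a fixed pool, the
first unused predicate that makes the offending vertex precise."""
from collections import deque
from itertools import product

INIT = (0, 0, 0)                                # a = NULL, e = 0, x = 0
STATES = list(product((0, 1), repeat=3))        # all 8 concrete (a, e, x) states

# The library, transcribed from the slides; m_new/m_rd/m_wr only touch memory.
def acq(s):   a, e, x = s; return (1, e, x) if a == 0 else (a, 1, x)
def acqx(s):  a, e, x = s; return (1, e, 1) if a == 0 else (a, 1, x)
def read(s):  a, e, x = s; return s if a != 0 else (a, 1, x)
def write(s): a, e, x = s; return s if x != 0 else (a, 1, x)   # tests only x, as on the slide
def rel(s):   a, e, x = s; return (0, e, x)                     # leaves x alone, as on the slide
def relx(s):  a, e, x = s; return (0, e, 0)
API = {"acq": acq, "acqx": acqx, "read": read, "write": write, "rel": rel, "relx": relx}

def legal(s):
    return s[1] == 0                            # Err = { e != 0 }

# Candidate predicates: the pool the simplified refinement draws from (an assumption).
PREDS = {"e=0": lambda s: s[1] == 0, "a=0": lambda s: s[0] == 0, "x=0": lambda s: s[2] == 0}

def valuation(s, preds):
    return tuple(PREDS[p](s) for p in preds)

def gamma(label, preds):
    """Concretisation: every state whose valuation lies in the label."""
    return [s for s in STATES if valuation(s, preds) in label]

def build_arg(preds):
    """Problem B: ARG of Maximal Client + Library under `preds`.
    Returns (initial vertex, edges (vertex, call) -> vertex, traces vertex -> one call sequence)."""
    init = frozenset({valuation(INIT, preds)})
    edges, traces, queue = {}, {init: []}, deque([init])
    while queue:                                # the maximal client may call anything, any time
        v = queue.popleft()
        for call, f in API.items():
            post = frozenset(valuation(f(s), preds) for s in gamma(v, preds))
            edges[(v, call)] = post
            if post not in traces:
                traces[post] = traces[v] + [call]
                queue.append(post)
    return init, edges, traces

def imprecise(v, preds):
    """A vertex whose label admits both legal and illegal library states."""
    conc = gamma(v, preds)
    return any(legal(s) for s in conc) and any(not legal(s) for s in conc)

def vertex_after(init, edges, seq):
    for call in seq:
        init = edges[(init, call)]
    return init

def run(seq):
    s = INIT
    for call in seq:
        s = API[call](s)                        # concrete execution decides legal / illegal
    return s

def infer(preds=("e=0",)):
    """Problem C: refine until every ARG vertex is precise.
    Returns (predicates, refinement steps, legal typestates, interface edges)."""
    preds, steps = list(preds), []
    while True:
        init, edges, traces = build_arg(preds)
        bad = [v for v in traces if imprecise(v, preds)]
        if not bad:
            break
        seq = traces[bad[0]]
        verdict = "legal" if legal(run(seq)) else "illegal"
        for p in PREDS:                         # simplified refinement (see docstring)
            if p in preds:
                continue
            trial = preds + [p]
            if not imprecise(vertex_after(*build_arg(trial)[:2], seq), trial):
                break
        else:
            raise RuntimeError("candidate pool exhausted")
        steps.append((seq, verdict, p))
        preds = preds + [p]
    def name(v):
        return "|".join(",".join(q if b else q.replace("=", "!=") for q, b in zip(preds, val))
                        for val in sorted(v))
    legal_vs = [v for v in traces if all(legal(s) for s in gamma(v, preds))]
    iface = {(name(v), c): (name(w) if w in legal_vs else "ERR")
             for (v, c), w in edges.items() if v in legal_vs}
    return preds, steps, [name(v) for v in legal_vs], iface

if __name__ == "__main__":
    preds, steps, legal_vs, iface = infer()
    for seq, verdict, p in steps:
        print(f"imprecise vertex after {'; '.join(seq)} ({verdict} sequence): add predicate {p}")
    print("predicates:", preds)
    for v in legal_vs:
        print(v, {c: iface[(v, c)] for c in API})
```

`build_arg` alone is Problem B: with Π = {e=0, a=0} on the three-call library it would return the slide 6 interface. `infer` wraps it in the refinement loop of slide 61, reaching Π = {e=0, a=0, x=0} in two rounds; the printed table is the inferred interface, with every illegal vertex merged into ERR.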
69
Two Requirements, Two Abstractions
  • Safe, Permissive are orthogonal
  • Different abstractions suffice to prove each: Π = Π_safe ∪ Π_permissive
  • Π_safe: calls allowed ⊆ legal calls
  • Π_permissive: calls disallowed ⊆ illegal calls
  • Build the largest safe Interface I, using Π_safe
  • Build the ARG; treat imprecise vertices as illegal
  • Check that I is permissive, using Π_permissive
  • Fails: a possibly legal, prohibited sequence leads to an imprecise vertex
  • If the sequence is illegal then refine Π_permissive
  • If legal then refine Π_safe

70
Safety Verification vs Interface Construction
    Safety Verification                        Interface Construction
    1. Error not reachable                     1. Error reachable
    2. Show always legal:                      2. Find all legal sequences,
       find one illegal sequence                  find all illegal sequences
    3. Refine: infeasible path to Error        3. Refine: infeasible path to Error (Safe)
                                                  OR infeasible path to Legal (Perm)
    5. Refine: fewer behaviors                 5. Refine: more behaviors

71
Plan (section divider; next: 4. Extensions)

72
Extensions: Outputs
Outputs allow non-determinism in the library
Library (static e = 0, a = NULL):
    acq()  { if (...) return 0; else { if (a == NULL) a = m_new(); else e = 1; return 1; } }
    read() { if (a != NULL) m_rd(a); else e = 1; return; }
    rel()  { a = NULL; return; }
Interface edges are labelled with the call and its output: n0 --(acq, 0)--> n0, n0 --(acq, 1)--> n1, n1 --read--> n1, n1 --rel--> n0, n0 --read--> n2; from n1 the acq edges split by output (figure label partly lost in this transcript); n2 is the error typestate
Safe, Permissive Interface
73
Extensions
  • Hierarchy
  • Library built out of sub-libraries
  • Construct the interface using the sub-interfaces
  • Decomposition
  • Complex illegal states give a large Interface
  • Partition: a small interface per partition
  • Multiple Correlated Libraries
  • Interface: Typestate Hypergraph

74
Plan (section divider; next: 5. Experiments)

75
Experiments
  • Find interfaces for Java classes (JDK 1.4)
  • Input: Class, Error states (Exception raised)
  • Tool automatically finds predicates, interfaces
  • Classes: Signature, ServerTableEntry, ListItr, Socket
  • Private state variables determine the interface
  • Partition methods by which variables they affect
  • Socket: 6 Predicates, < 30 s
  • connect -> getInputStream -> shutDownInput -> close

76
To sum up
  • Partial PA requires Safe, Permissive Interfaces
  • Safe: I ⊆ legal sequences
  • Perm: legal sequences ⊆ I
  • Interface = Typestate Graph
  • Safe, Permissive via Typestate Interpretation
  • Compute Interface via Abs. Reach. Graph
  • Issue: Permissive is a lower-bound requirement
  • Solution: check the complement, sequences outside I ⊆ illegal sequences
  • Implementation
  • Safe, Permissive Interfaces for Java classes
  • Automatic synthesis of Typestate Systems

77
  • So what is Lazy Abstraction?
  • Theorem Proving?
  • Dataflow Analysis?
  • Model Checking?

78
Verification by Theorem Proving
Example() {
 1: do {
        lock(); old = new;
        q = q->next;
 2:     if (q != NULL) {
 3:         q->data = new; unlock(); new++;
        }
 4: } while (new != old);
 5: unlock();
    return;
}
  • 1. Loop Invariants
  • 2. Logical formula
  • 3. Check Validity
Invariant: (lock ∧ new = old) ∨ (¬lock ∧ new ≠ old)
79
Verification by Theorem Proving
(same Example as above)
  • 1. Loop Invariants
  • 2. Logical formula
  • 3. Check Validity
  • -: Loop Invariants; Multithreaded Programs
  • +: Behaviors encoded in logic; Decision Procedures
ESC
Precise
80
Verification by Program Analysis
(same Example as above)
  • 1. Dataflow Facts
  • 2. Constraint System
  • 3. Solve constraints
  • -: Imprecision due to fixed facts
  • +: Abstraction
Type/Flow Analyses: CQUAL, ESP, MC
Scalable
81
Verification by Model Checking
(same Example as above)
  • 1. (Finite State) Program
  • 2. State Transition Graph
  • 3. Reachability
  • -: Pgm → Finite state model; State explosion
  • +: State Exploration; Counterexamples
SPIN, SMV, Bandera, JPF
Precise
82
Combining Strengths
Program Analysis:  -: Imprecise  /  +: Abstraction, shrinks the state space
Theorem Proving:   -: Loop invariants  /  +: Behaviors encoded in logic; Refine: theorem provers compute successors and refine
Model Checking:    -: Finite-state model, state explosion  /  +: State space exploration, path-sensitive analysis; Counterexamples find the relevant facts
Lazy Abstraction
83
Thank you
www.cs.ucsd,la.edu/blast/