Modular Shape Analysis for Dynamically Encapsulated Programs - PowerPoint PPT Presentation
1 / 73
Title:
Modular Shape Analysis for Dynamically Encapsulated Programs
Description:
inferring precondition for inter-module procedure calls to the module ... compute input states to inter-module procedure calls. from discovered sealed components ... – PowerPoint PPT presentation
Number of Views:31
Avg rating:3.0/5.0
Title: Modular Shape Analysis for Dynamically Encapsulated Programs
1
Modular Shape Analysisfor Dynamically
Encapsulated Programs
Noam Rinetzky Tel Aviv University Arnd
Poetzsch-Heffter Universität Kaiserlauten
Ganesan Ramalingam Microsoft Research
India Mooly Sagiv Tel Aviv University Eran
Yahav IBM Watson
2
modular shape analysis
modular analysis?
shape analysis?
...
3
modular shape analysis
shape analysis
- sound static analysis
- programs
- imperative
- heap-manipulating
- properties
- no memory errors
- no memory leaks
- no null dereferences
- shape invariants
- lists are acyclic
...
4
modular shape analysis
modular analysis
- analyze a program by analyzing its parts
- scalability
- reusability
5
modular shape analysis
modular analysis
shape analysis
- analyze a program by analyzing its parts
- scalability
- reusability
- sound static analysis
- programs
- imperative
- heap-manipulating
- properties
- no memory errors
- no memory leaks
- no null dereferences
- shape invariants
- lists are acyclic
...
6
modular shape analysis
- analyze programs by analyzing their parts
- imperative
- heap-manipulating
Polygon
List
Point
Integer
memory
program
7
modular shape analysis
- imperative
- heap-manipulating
- analyze programs by analyzing their parts
- program modular analysis
- heap modular analysis
Polygon
List
Point
Integer
memory
memory parts
program parts
program
8
modular shape analysis
- analyze programs by analyzing their parts
- program modular analysis
- heap modular analysis
p
Polygon
List
q
Point
Integer
?
program part
relevant heap parts
9
modular shape analysis
- analyze programs by analyzing their parts
- program modular analysis
- heap modular analysis
p
Polygon
List
q
Point
Integer
?
program part
relevant heap parts
10
modular shape analysis
- analyze programs by analyzing their parts
- program modular analysis
- heap modular analysis
p
Polygon
List
?
q
Point
Integer
program part
relevant heap parts
11
modular shape analysis
- analyze programs by analyzing their parts
- program modular analysis
- heap modular analysis
p
Polygon
List
?
q
Point
Integer
program part
relevant heap parts
12
modular shape analysis
- analyze programs by analyzing their parts
- program modular analysis
- heap modular analysis
?
Polygon
List
?
?
Point
Integer
?
?
program
13
approach
- restrict class of programs to well behaved
programs - dynamically encapsulated programs
- compute conditional module invariant
- approximate well behaved clients
use dynamic encapsulation to enable modular shape
analysis, use shape analysis to verify dynamic
encapsulation
14
agenda
- setting
- shape abstraction
- modular shape analysis
15
modules
- simple program model
- program collection of modules
- module types procedures
- module level access control
Point type Point Integer x,y
Point point(int x, int y)
List type List Node hd type Node
Node n, Point d int foo(List s)
Point p p.d int x getX(p)
...
int getX(Point p) Integer I p.x
return value(I)
?
p.x
...
...
...
16
module-local state
- module can only access parts of the heap
comprised of its objects
p
Polygon
Polygon
List
q
Point
Integer
Point
Integer
17
module-local state
- module can only access parts of the heap
comprised of its objects
18
components
- sub-heaps
- objects of one module
- maximal connected subheap
- outgoing references
- incoming references
Polygon
List
Point
Integer
19
components
- sub-heaps
- objects of one module
- maximal connected subheap
- outgoing references
- incoming references
p
Polygon
List
List
q
Point
Integer
Point
20
component graphs
- nodes components
- edges inter-component references
p
Polygon
Polygon
List
q
Point
Integer
Point
Integer
21
(un)sealed components
- unsealed component mutable
- sealed component immutable
p
Polygon
Polygon
List
q
Point
Integer
Point
Integer
22
trimming abstraction
- represents only components of a single module
- forget other components
- forget component graph
23
trimming abstraction
t
z
24
trimming concretization
?
25
trimming concretization
t
z
?
t
z
26
trimming concretization
t
z
?
t
z
27
trimming impossible concretization
t
z
?
?
t
z
28
bounding abstraction (standard)
q
z
trimming
bounding
29
parametric shape abstraction
concrete states
trimmed states
bounded trimmed states
30
modular shape analysis
- main challenges
- inferring precondition for inter-module procedure
calls to the module - determining effect of inter-module procedure
calls by the module
31
inter-module procedure calls
- sealed component immutable
- unsealed component mutable
list_proc(p.list, q)
p
Polygon
Polygon
List
q
Point
Integer
Point
Integer
32
sealed components
- sealed component immutable
- inputs to inter-module procedure calls
list_proc(p.list, q)
Polygon
Polygon
List
List
e
q
s
Point
Integer
33
module invariant
- set of sealed (stable) components
- in all programs
- in all executions
- all possible inputs to inter-module procedure
calls
34
modular shape analysis
- infer module invariant
- analysis
- compute input states to inter-module procedure
calls - from discovered sealed components
- shape analysis within module
- discover new sealed components in output states
35
?abstraction fixpoint are we done?
36
sanity check
List type List Node hd type
Node Node n, Point d void push(List s, Node
e) e.n s.hd s.hd e
...
37
sanity check
List type List Node hd type
Node Node n, Point d void push(List s, Node
e) e.n s.hd s.hd e
n
hd
n
n
d
d
d
d
...
38
sanity check
List type List Node hd type
Node Node n, Point d void push(List s, Node
e) e.n s.hd s.hd e
n
hd
n
n
d
d
d
d
...
39
main difficulty unknown usage
- unknown heap context
- returned references
- incoming references
- worst case assumption
- complicated analysis
- expensive analysis
- non-useful analysis
hd
n
n
n
d
d
d
d
40
our approach
- limit inter-component aliasing
- every sealed component has a single entry point
41
our approach
- limit inter-component aliasing
- every sealed component has a single entry point
- tree of inter-component references
q
p
42
challenge
- enque(p,q)
- challenge reference parameters
- solution ignore unused references
verify q is never used!
q
p
43
lightweight annotations
- specify deadness
- enque(List s, Node e) // e
q
p
44
dynamic encapsulation
- limit inter-component aliasing
- every component has a single entry point
- tree of inter-component references
- ignoring not to be used references
q
p
45
dynamic encapsulation
p
46
dynamic encapsulation
p
p
?
47
dynamic encapsulation
p
p
?
?
q
p
48
dynamic encapsulation
p
p
?
?
q
p
p
q
?
?
49
sanity check revisited
List type List Node hd type
Node Node n, Point d void push(List s, Node
e) // e e.n s.hd s.hd e
n
hd
n
d
d
d
d
...
50
sanity check revisited
List type List Node hd type
Node Node n, Point d void push(List s, Node
e) // e e.n s.hd s.hd e
n
hd
n
n
d
d
d
d
...
51
sanity check revisited
List type List Node hd type
Node Node n, Point d void push(List s, Node
e) // e e.n s.hd s.hd e
n
hd
n
n
d
d
d
d
...
52
our approach
- concentrate on well-behaved programs
- well behaved dynamic encapsulation
- modularly checkable
- program P is well behave if all its modules
respect the specification
53
modular analysis
- for every module
- assume all other modules are well behaved
- guarantee module is well behaved
- verify dynamic encapsulation
- discover (conditional) module invariants
- may not be hold for arbitrary programs
54
summary
- parametric shape abstraction
- dynamic encapsulation
- restriction on programs
- modular shape analysis
enable
dynamic encapsulation
modular
verify
shape analysis
55
related work
- modular analysis
- modular heap analysis
- shape analysis
- interprocedural shape analysis
- encapsulation
- local reasoning
56
closely related work
- modular heap analysis
- Logozzo, SAS03, VMCAI04
- Wies et al., VMCAI06
- encapsulation
- Zaho et al., RTSS04
- Clarke et al., ECOOP03
- modular verification
- Leino et al., ESOP06
57
future work
- relax restrictions
- richer component-graph structures
- implementation
58
END
use dynamic encapsulation to enable modular shape
analysis, use shape analysis to verify dynamic
encapsulation
59
fixpoint
60
dry run
List type List Node hd type
Node Node n, Point d List crtList() ...
Node crtNode(Point p) // p ... void
push(List s, Node e) // e ... Node
pop(List s) ...
analysis
61
dry run
List type List Node hd type
Node Node n, Point d List crtList() ...
Node crtNode(Point p) // p ... void
push(List s, Node e) // e ... Node
pop(List s) ...
analysis
62
dry run
List type List Node hd type
Node Node n, Point d List crtList() ...
Node crtNode(Point p) // p ... void
push(List s, Node e) // e ... Node
pop(List s) ...
e
s
analysis
63
dry run
List type List Node hd type
Node Node n, Point d List crtList() ...
Node crtNode(Point p) // p ... void
push(List s, Node e) // e ... Node
pop(List s) ...
s
e
analysis
64
conditional module invariant
- program dynamically-encapsulated
- ? module invariant holds
65
partitioned module invariant
66
partitioned module invariant
67
partitioned module invariant
68
related work
69
Manevich et al., TACAS07
x
x
y
z
70
ownership types
p
71
trace
72
inter-module procedure calls
- input sealed component
- observation unmodified since last call
73
inter-module procedure calls
- input sealed component
- observation unmodified since last call
