Local Heap Shape Analysis

1
Local Heap Shape Analysis
Noam Rinetzky Tel Aviv University
Joint work with Jörg Bauer Universität des
Saarlandes Thomas Reps University of
Wisconsin Mooly Sagiv Tel Aviv University
Reinhard Wilhelm Universität des
Saarlandes Eran Yahav IBM Watson
2
Motivation

• Verify heap intensive programs
• Imperative programs with procedures
• Recursive data structures
• Lists
• Trees

3
Motivation

• class List
• List n
• main()
• List xnull, ynull
• int k getLen()
• x create(k)
• y reverse(x)

4
What is the problem?

• Recursive procedures
• Unbounded number of activation records
• Dynamic allocation
• Unbounded number of objects

5
Our approach

• Use abstractions
• Over-approximation algorithms
• Effective (termination)
• Every verified property holds (sound)
• May not prove all properties (incomplete)

6
Local heaps
call f(x)
y
g
t
7
Canonical abstraction
n
n
n
x
8
Interprocedural shape analysis
Tabulation exits
call f(x)
y
9
Interprocedural shape analysis
Analyze f
No tabulation
call f(x)
y
10
Cutpoints
?
x
call f(x)
y
g
t
11
Cutpoints and abstraction
n
n
n
y
d
d
d
d
n
n
n
x
call f(x)
Canonical abstraction
12
Abstraction of cutpoints
call f(x)
y
g
t
13
Prototype implementation
14
Related Work

• Interprocedural shape analysis
• Rinetzky and Sagiv, CC 01
• Chong and Rugina, SAS 03
• Jeannet et al., SAS 04
• Hackett and Rugina, POPL 05
• Rinetzky et al., POPL 05
• Local Reasoning
• Ishtiaq and OHearn, POPL 01
• Reynolds, LICS 02
• Encapsulation
• Noble et al. IWACO 03
• ...

15
End
A Semantics for procedure local heaps and its
abstraction Noam Rinetzky, Jörg Bauer, Thomas
Reps, Mooly Sagiv, and Reinhard Wilhelm POPL,
2005
Interprocedural shape analysis for cutpoint-free
programs Noam Rinetzky, Mooly Sagiv, and Eran
Yahav SAS, 2005
www.cs.tau.ac.il/maon