Finding Optimum Abstractions in Parametric Dataflow Analysis

Xin ZhangGeorgia Tech

Mayur NaikGeorgia Tech

Hongseok YangUniversity of Oxford

A Key Challenge for Static Analysis

Precision

Scalability

Our setting

Query qProgram pStatic Analysis S

p ` q p 0 q

Abstraction a

assert(x != null)

p

a1

Sq1

p ` q1 ?

q2S

p ` q2 ?

a2

Our setting

q2p S

p ` q2 ?

Sq1

p ` q1 ?

Our setting

1 0 1 1 0 0 1 0 1 0

q2p S

p ` q2 ?

Sq1

p ` q1 ?

Example 1: Predicate Abstraction

1 0 1 1 0 0 1 0 1 0

Predicates to use in predicate abstractionPredicates to use as

abstraction predicates

q2p S

p ` q2 ?

Sq1

p ` q1 ?

Example 2: Cloning ‐based Pointer Analysis

1 0 1 1 0 0 1 0 1 0

Predicates to use in predicate abstraction

K value to use for each call and each allocation site

Problem StatementAn efficient algorithm with:

INPUTS:– program p and property q– abstractions A = { a1, …, an }

– boolean function S(p, q, a)

OUTPUT:– Proof: a 2 A: S(p, q, a) = true

8 a’ 2 A: (a’ · a Æ S(p, q, a’) = true) ) a’ = a

– Impossibility: @ a 2 A: S(p, q, a) = trueOptimum

Abstraction

qp S

p ` q ?

a

Problem StatementAn efficient algorithm with:

INPUTS:– program p and property q– abstractions A = { a1, …, an }

– boolean function S(p, q, a)

OUTPUT:– Proof: a 2 A: S(p, q, a) = true

8 a’ 2 A: (a’ · a Æ S(p, q, a’) = true) ) a’ = a

– Impossibility: @ a 2 A: S(p, q, a) = trueOptimum

Abstraction

S(p, q, a)

!S(p, q, a)

1111 most expensive

0000 least expensive

0110 optimum

A

Example: Typestate Analysis

x = new File;<{closed}, {x}>y = x;

z = x;

x.open();

y.close();

assert1(x, closed);assert2(x, opened);

openedclosed

error

open()

close()

close() open()

Type-state set ts

Example: Typestate Analysis

x = new File;<{closed}, {x}>y = x;<{closed}, {x}>z = x;<{closed}, {x}>x.open();<{opened}, {x}>y.close();<{opened, closed}, {x}>assert1(x, closed);assert2(x, opened);

Must-alias accesspath set ms

Only allows the accesspaths specified in the abstraction

Strong update

Weak updateFailedFailed

Example: Typestate Analysisx = new File;y = x;z = x;x.open();y.close();assert1(x, closed);assert2(x, opened);

Query Abstraction

assert1 any a

assert2 none

Query Abstraction Our Goal

assert1 any a

assert2 none impossibility

x = new File;y = x;z = x;x.open();y.close();assert1(x, closed);assert2(x, opened);

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑ x = new File;↓<{closed}, {}>↑ y = x;↓<{closed}, {}>↑

z = x;↓<{closed}, {}>↑

x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert1(x, closed);

Naïve approach: calculating weakest precondition (WP)

{}

Failed

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑ x = new File;↓<{closed}, {}>↑ y = x;↓<{closed}, {}>↑

z = x;↓<{closed}, {}>↑

x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert1(x, closed);

Naïve approach: calculating weakest precondition (WP)

{}

Failed

Exponential Blowup!

unreachablex = new File;y = x;z = x;x.open();y.close();assert1(x, closed);assert2(x, opened);

Example: Typestate Analysis↑ x = new File;↓<{closed}, {}>↑ y = x;↓<{closed}, {}>↑

z = x;↓<{closed}, {}>↑

x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert1(x, closed);

Too large?

Let’s ignore part of it!

Example: Typestate Analysis↑ x = new File;↓<{closed}, {}>↑ y = x;↓<{closed}, {}>↑

z = x;↓<{closed}, {}>↑

x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert1(x, closed);

Unreachable

Example: Typestate Analysis↑ x = new File;↓<{closed}, {}>↑ y = x;↓<{closed}, {}>↑

z = x;↓<{closed}, {}>↑

x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert1(x, closed);

Intersect with the forward state

Example: Typestate Analysis↑ x = new File;↓<{closed}, {}>↑ y = x;↓<{closed}, {}>↑

z = x;↓<{closed}, {}>↑

x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert1(x, closed);

Keep as many disjuncts as possible

Intersect with forward state

x = new File;y = x;z = x;x.open();y.close();assert1(x, closed);assert2(x, opened);

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑x = new File;↓<{closed}, {}>↑y = x;↓<{closed}, {}>↑z = x;↓<{closed}, {}>↑x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert1(x, closed);

Our approach: WP + Underapproximation

Failed

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑x = new File;↓<{closed}, {}>↑y = x;↓<{closed}, {}>↑z = x;↓<{closed}, {}>↑x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert1(x, closed);

Our approach: WP + Underapproximation

Failed

𝑥∈𝒂𝑥∉𝒂

𝒚 ∈𝒂

𝒚 ∉𝒂

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑x = new File;↓<{closed}, {x}>↑

y = x;↓<{closed}, {x}>↑z = x;↓<{closed}, {x}>↑x.open();↓<{opened}, {x}>↑y.close();↓<{opened}, {x}>↑assert1(x, closed);

Our approach: WP + Underapproximation

Failed

𝑥∈𝒂𝑥∉𝒂

𝒚 ∈𝒂

𝒚 ∉𝒂

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑x = new File;↓<{closed}, {x}>↑

y = x;↓<{closed}, {x}>↑z = x;↓<{closed}, {x}>↑x.open();↓<{opened}, {x}>↑y.close();↓<{opened}, {x}>↑assert1(x, closed);

Our approach: WP + Underapproximation

Failed

𝑥∈𝒂𝑥∉𝒂

𝒚 ∈𝒂

𝒚 ∉𝒂

Example: Typestate Analysisx = new File;↓<{closed}, {x}>

y = x;↓<{closed}, {x, y}>

z = x;↓<{closed}, {x, y}>

x.open();↓<{opened}, {x, y}>

y.close();↓<{closed}, {x, y}>

assert1(x, closed);

Our approach: WP + Underapproximation

Proof!

𝑥∉𝒂

𝒚 ∈𝒂

𝒚 ∉𝒂

Query Abstraction

assert1

assert2

Example: Typestate Analysisx = new File;y = x;z = x;x.open();y.close();assert1(x, closed);assert2(x, opened);

Query Abstraction

assert1

assert2

↑x = new File;↓<{closed}, {}>↑y = x;↓<{closed}, {}>↑z = x;↓<{closed}, {}>↑x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert2(x, opened);

Our approach: WP + Underapproximation

Failed

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑x = new File;↓<{closed}, {}>↑y = x;↓<{closed}, {}>↑z = x;↓<{closed}, {}>↑x.open();↓<{closed, opened}, {}>↑y.close();↓top↑assert2(x, opened);

Our approach: WP + Underapproximation

Failed

𝑥∈𝒂𝑥∉𝒂

𝒚 ∈𝒂

𝒚 ∉𝒂

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑x = new File;↓<{closed}, {x}>↑y = x;↓<{closed}, {x}>↑z = x;↓<{closed}, {x}>↑x.open();↓<{opened}, {x}>↑y.close();↓<{opened,closed}, {x}>↑assert2(x, opened);

Our approach: WP + Underapproximation

Failed

𝑥∈𝒂𝑥∉𝒂

𝒚 ∈𝒂

𝒚 ∉𝒂

Example: Typestate Analysis

Query Abstraction

assert1

assert2

↑x = new File;↓<{closed}, {x}>↑y = x;↓<{closed}, {x}>↑z = x;↓<{closed}, {x}>↑x.open();↓<{opened}, {x}>↑y.close();↓<{opened,closed}, {x}>↑assert2(x, opened);

Our approach: WP + Underapproximation

Failed

Impossibility!

𝑥∈𝒂𝑥∉𝒂

𝒚 ∈𝒂

𝒚 ∉𝒂

In paper: a general framework for parametric

dataflow analysis

Experiment

Implementation in Chord for Java programs

2 Client Analyses: Typestate and Thread-Escape Both fully context- and flow-sensitive analysesOnly scale with sparse parameters

7 Java Benchmarks

Benchmarks

name bytecode(KB) KLOC log|A|

thread-escape typestate

tsp 391 269 569 6,175

elevator 390 269 352 6,180

hedc 442 283 1,400 7,326

weblech 504 326 2,993 7,663

antlr 532 303 16,563 7,748

avrora 634 340 37,797 10,151

lusearch 511 314 14,508 7,395

Precision: Thread-Escape Analysis

tsp

elev

ator

hedc

web

lech

antlr

avro

ra

luse

arch

AVG.

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Unresolved

Impossible

Proven

% Q

ue

rie

s

209 221 552 658 5857 14322 6726 (Total # Queries)

Resolved: ~90%Previous: ~40%

[POPL12]

Precision: Typestate Analysis

tsp

elev

ator

hedc

web

lech

antlr

avro

ra

luse

arch

AVG.

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

Impossible

Proven

% Q

ue

rie

s

12 72 170 71 7903 5052 3644 (Total # Queries)

Scalability: Number of iterations

1 2 3 4 5 6 7 8 9 10 11-970

1000

2000

3000

4000

5000

6000

avrora

Proven

Impossible

# analysis iterations

# q

uer

ies

Scalability: Number of iterations

1 2 3 4 5 6 7 8 9 10 11-88

0

400

800

1200

antlr

# analysis iterations

# q

uer

ies

1 2 3 4 5 6 7 8 9 10 11-20

0500

1000150020002500

lusearch

# analysis iterations

# q

uer

ies

1 2 3 4 5 6 7 8 9 10 11-97

0100020003000400050006000

avroraProven

# analysis iterations

# q

uer

ies

Scalability: Running time

0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10 10-1730

1000

2000

3000

4000

5000

6000

avrora

Proven Impossible

analysis time (minutes)

# q

uer

ies

Scalability: Running time

0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10

10-76

0

400

800

1200

antlr

Analysis Time (minutes)

# q

ue

rie

s

0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10

10-44

0

500

1000

1500

2000

lusearch

analysis time (minutes)

# q

uer

ies

0-1 1-2 2-3 3-4 4-5 5-6 6-7 7-8 8-9 9-10

10-173

0

2000

4000

6000

avroraProvenImpossible

analysis time (minutes)

# q

uer

ies

Size of optimal abstractions

1 2 3 4 5 6 7 8 9 10 11-960

1000

2000

3000

4000

5000

60005436

954 892

164 68 110 13 181 41 13 123

avrora

size of abstraction |a|

# p

rove

n q

uer

ies

Size of optimal abstractions

1 2 3 4 5 6 7 8 9 10 11-87

0

200

400

600

800

1000

1200

1400 1275

706

390

79 39 19 4 2 6 3 13

antlr

1 2 3 4 5 6 7 8 9 10 18-18

0

500

1000

1500

2000

2500 2345

805

295129 86 23 4 3 15 2 1

lusearch

1 2 3 4 5 6 7 8 9 10 11-96

0

1000

2000

3000

4000

5000

6000 5436

954 892

164 68 110 13 181 41 13 123

avrora

size of abstraction |a|

# p

rove

n q

uer

ies

Related workModern pointer analysis

Demand-driven, query-driven, … Heintze & Tardieu ’01, Guyer & Lin ’03, Sridharan & Bodik ’06, ...

CEGAR model checkers: SLAM, BLAST, YOGI, …Work on concrete counterexamples

Can disprove queries

1. No optimality guarantee – can over-refineand hurt scalability.

2. No impossibility - can cause divergence.

Thank you!

Q&A