Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced...
-
Upload
rudolf-perry -
Category
Documents
-
view
220 -
download
0
Transcript of Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced...
![Page 1: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/1.jpg)
Schedule
• 27/12 Shape Analysis• 3/1 Static Analysis in Soot• 10/1 Static Analysis in LLVM• 17/1 Advanced Topics: Concurrent
programs and TAU research topics
![Page 2: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/2.jpg)
Compile-Time Verification of Properties of Heap Intensive Programs
Mooly SagivThomas Reps
Reinhard Wilhelm
http://www.cs.tau.ac.il/~TVLAhttp://www.cs.tau.ac.il/~msagiv/toplas02.pdf
![Page 3: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/3.jpg)
. . . and also• Tel-Aviv University
– G. Arnold– I. Bogudlov– G. Erez– N. Dor– T. Lev-Ami– R. Manevich– R. Shaham– A. Rabinovich– N. Rinetzky– E. Yahav– G. Yorsh– A. Warshavsky
• Universität des Saarlandes– Jörg Bauer– Ronald Biber
• University of Wisconsin– F. DiMaio– D. Gopan– A. Loginov
• IBM Research– J. Field– H. Kolodner – M. Rodeh
• Microsoft Research– G. Ramalingam
• University of Massachusetts– N. Immerman– B. Hesse
• The Technical University of Denmark– H.R. Nielson– F. Nielson
• Weizmann Institute/NYU– A. Pnueli
• Inria– B. Jeannet
![Page 4: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/4.jpg)
Shape Analysis
• Determine the possible shapes of a dynamically allocated data structure at given program point
• Relevant questions:– Does x.next point to a shared element?– Does a variable point p to an allocated element every
time p is dereferenced– Does a variable point to an acyclic list?– Does a variable point to a doubly-linked list? – ?– Can a procedure create a memory-leak
![Page 5: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/5.jpg)
Problem
• Programs with pointers and dynamically allocated data structures are error prone
• Automatically prove correctness• Identify subtle bugs at compile time
![Page 6: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/6.jpg)
Interesting Properties of Heap Manipulating Programs
• No null dereference• No memory leaks• Preservation of data structure invariant• Correct API usage• Partial correctness• Total correctness
![Page 7: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/7.jpg)
Example
rotate(List first, List last) {if ( first != NULL) {
last next = first;
first = first next;
last = last next;
last next = NULL;
}
}
lastfirst n n n
lastfirst n n n
n
lastfirst
n n n
n
lastfirst
n n n
n
lastfirst
n n
n
![Page 8: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/8.jpg)
Interesting Properties
rotate(List first, List last) {if ( first != NULL) {
last next = first;
first = first next;
last = last next;
last next = NULL;
}
}
No null-de references
![Page 9: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/9.jpg)
Interesting Properties
rotate(List first, List last) {if ( first != NULL) {
last next = first;
first = first next;
last = last next;
last next = NULL;
}
}
No null-de references
No memory leaks
![Page 10: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/10.jpg)
Interesting Properties
rotate(List first, List last) {if ( first != NULL) {
last next = first;
first = first next;
last = last next;
last next = NULL;
}
}
No null-de references
No memory leaks
Returns an acyclic linked list
Partially correct
![Page 11: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/11.jpg)
Partial CorrectnessList InsertSort(List x) { List r, pr, rn, l, pl; r = x; pr = NULL; while (r != NULL) { l = x; rn = r n; pl = NULL; while (l != r) { if (l data > r data) { pr n = rn; r n = l; if (pl = = NULL) x = r; else pl n = r; r = pr; break; } pl = l; l = l n; } pr = r; r = rn; } return x; }
typedef struct list_cell { int data; struct list_cell *n;} *List;
![Page 12: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/12.jpg)
Partial CorrectnessList quickSort(List p, List q) {
if(p==q || q == NULL) return p;
List h = partition(p,q);List x = pn;p n = NULL;List low = quickSort(h, p);List high = quickSort(x, NULL);pn = high;return low;}
![Page 13: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/13.jpg)
Challenges
• Specification– Desired properties– Program Semantics
• Automatic Verification– Program Semantics Desired properties– Undecidable even for simple programs and
prooperties
![Page 14: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/14.jpg)
Plan
• Concrete Interpretation of Heap• Canonical Heap Abstraction• Abstract Interpretation using Canonical
Abstraction• The TVLA system• Applications• Techniques for scaling
![Page 15: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/15.jpg)
Logical Structures (Labeled Graphs)• Nullary relation symbols• Unary relation symbols• Binary relation symbols• FOTC over TC, express logical structure
properties• Logical Structures provide meaning for relations
– A set of individuals (nodes) U– Interpretation of relation symbols in P
p0() {0,1}p1(v) {0,1}p2(u,v) {0,1}
Fixed
![Page 16: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/16.jpg)
Representing Stores as Logical Structures• Locations Individuals• Program variables Unary relations• Fields Binary relations• Example
– U = {u1, u2, u3, u4, u5}– x = {u1}, p = {u3} n = {<u1, u2>, <u2, u3>, <u3, u4>, <u4,
u5>}
u1 u2 u3 u4 u5xn n n n
p
n u1 u2 u3 u4 u5
u1 0 1 0 0 0
u2 0 0 1 0 0
u3 0 0 0 1 0
u4 0 0 0 0 1
u5 0 0 0 0 0
x
u1 1
u2 0
u3 0
u4 0
u5 0
p
u1 0
u2 0
u3 1
u4 0
u5 0
![Page 17: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/17.jpg)
Example: List Creationtypedef struct node { int val; struct node *next;} *List;
✔ No null dereferences
✔ No memory leaks
✔ Returns acyclic list
List create (…)
{
List x, t;
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t ;}
return x;
}
![Page 18: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/18.jpg)
Example: Concrete Interpretation
x
tn n
t
x
n
x
t n
x
tn n
x
tn n
xtt
x
ntt
nt
x
t
x
t
xempty
return x
x = t
t =malloc(..);
tnext=x;
x = NULL
TF
![Page 19: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/19.jpg)
Concrete Interpretation Rules
Statement Update formula
x =NULL x’(v)= 0
x= malloc() x’(v) = IsNew(v)
x=y x’(v)= y(v)
x=y next x’(v)= w: y(w) n(w, v)
x next=y n’(v, w) = (x(v) ? y(w) : n(v, w))
![Page 20: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/20.jpg)
Invariants
• No garbagev: {x PVar} w: x(w) n*(w, v)
• Acyclic list(x)v, w: x(v) n*(v, w) n+(w, w)
• Reverse (x)v, w, r: x(v) n*(v, w) n(w, r) n’(r, w)
![Page 21: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/21.jpg)
Example: Abstract Interpretation
t
x
n
x
t n
x
tn n
xtt
x
ntt
nt
x
t
x
t
xempty
x
tn
n
x
tn
n
n
x
tn
t n
xn
x
tn
nreturn x
x = t
t =malloc(..);
tnext=x;
x = NULL
TF
![Page 22: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/22.jpg)
3-Valued Logical Structures
• A set of individuals (nodes) U• Relation meaning
– Interpretation of relation symbols in Pp0() {0,1, 1/2}p1(v) {0,1, 1/2}p2(u,v) {0,1, 1/2}
• A join semi-lattice: 0 1 = 1/2
![Page 23: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/23.jpg)
Canonical Abstraction ()• Partition the individuals into equivalence classes based on the
values of their unary relations– Every individual is mapped into its equivalence class
• Collapse relations via
– pS (u’1, ..., u’k) = {pB (u1, ..., uk) | f(u1)=u’1, ..., f(uk)=u’k) }
• At most 2A abstract individuals
![Page 24: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/24.jpg)
Canonical Abstraction
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}
u1x
t
u2 u3
u1x
t
u2,3
n n
n
n
![Page 25: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/25.jpg)
x
t
n nu2u1 u3
Canonical Abstraction
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}u1x
t
u2,3n
n
n
![Page 26: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/26.jpg)
Canonical Abstraction and Equality
• Summary nodes may represent more than one element
• (In)equality need not be preserved under abstraction
• Explicitly record equality• Summary nodes are nodes with eq(u, u)=1/2
![Page 27: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/27.jpg)
Canonical Abstraction and Equality
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}
u1x
t
u2 u3
u1x
t
u2,3
eq
n n
n
n
eq eq
eq
eqeq
u2,3
eq
eq
eq
![Page 28: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/28.jpg)
Canonical Abstraction
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}
u1x
t
u2 u3n n
u1x
t
u2,3n
n
![Page 29: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/29.jpg)
Canonical Abstraction• Partition the individuals into equivalence classes based on the
values of their unary relations– Every individual is mapped into its equivalence class
• Collapse relations via
– pS (u’1, ..., u’k) = {pB (u1, ..., uk) | f(u1)=u’1, ..., f(u’k)=uk) }
• At most 2A abstract individuals
![Page 30: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/30.jpg)
Canonical Abstraction
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}
u1x
t
u2 u3n n
u1x
t
u2,3n
n
![Page 31: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/31.jpg)
Limitations
• Information on summary nodes is lost
![Page 32: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/32.jpg)
Increasing Precision
• Global invariants– User-supplied, or consequence of the semantics
of the programming language– Naturally expressed in FOTC
• Record extra information in the concrete interpretation– Tunes the abstraction– Refines the concretization
![Page 33: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/33.jpg)
Cyclicity relationc[x]() = v1,v2: x(v1) n*(v1,v2) n+(v2, v2)
c[x]()=0
c[x]()=0
u1x
t
u2 un…
u1x
t
u2..n
n
n
nn n
![Page 34: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/34.jpg)
Cyclicity relationc[x]() = v1,v2: x(v1) n*(v1,v2) n+(v2, v2)
c[x]()=1
c[x]()=1
u1x
t
u2 un…
u1x
t
u2..n
n
n
nn n
n
![Page 35: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/35.jpg)
Heap Sharing relation
is(v)=0
u1x
t
u2 un…
u1x
t
u2..n
n
n
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
is(v)=0 is(v)=0
is(v)=0 is(v)=0
n n n
![Page 36: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/36.jpg)
Heap Sharing relation
is(v)=0
u1x
t
u2 un…
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
is(v)=1 is(v)=0
n n
n
n
u1x
t
u2n
is(v)=0 is(v)=1 is(v)=0
n
u3..n
n
n
![Page 37: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/37.jpg)
Concrete Interpretation Rules
Statement Update formula
x =NULL x’(v)= 0
x= malloc() x’(v) = IsNew(v)is’(v) =is(v) IsNew(v)
x=y x’(v)= y(v)
x=y next x’(v)= w: y(w) n(w, v)
x next=NULL n’(v, w) = x(v) n(v, w)is’(v) = is(v) v1, v2: n(v1, v) x(v1) n(v2, v) x(v2) eq(v1, v2)
![Page 38: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/38.jpg)
Reachability relationt[n](v1, v2) = n*(v1,v2)
u1x
t
u2 unn n n
t[n] t[n] t[n]
t[n]
t[n]
t[n]
u1x
t
u2..n
n
n
t[n]
t[n]
t[n]
...
![Page 39: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/39.jpg)
List Segments
u1
x
u2 u5nu3 u4 u6 u7 u8n n n n n n
y
u1
x
u2,3,4,6,7,8 u5n n
y
![Page 40: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/40.jpg)
Reachability from a variable
• r[n,y](v) =w: y(w) n*(w, v)
u1
x
u2 u5nu3 u4 u6 u7 u8n n n n n n
y
r[n,y]=0 r[n,y]=0 r[n,y]=0 r[n,y]=1 r[n,y]=1 r[n,y]=1
u1
x
u2,3,4 u5n n n
y
u6,7,8
![Page 41: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/41.jpg)
• inOrder(v) = w: n(v, w) data(v) data(w)• cfb(v) = w: f(v, w) b(w, v)
• tree(v)• dag(v)• Weakest Precondition
[Ramalingam, PLDI’02]• Learned via Inductive Logic Programming
[Loginov, CAV’05]• Counterexample guided refinement
Additional Instrumentation relations
![Page 42: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/42.jpg)
Instrumentation (Summary)• Refines the abstraction
• Adds global invariants
• But requires update-formulas (generated automatically in TVLA2)
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
is(v) v1,v2: n(v1,v) n(v2,v) v1 v2
(S#)={S : S , (S)= S#}
![Page 43: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/43.jpg)
Abstract Interpretation
• Best Transformers• Kleene Evaluation• Kleene Evaluation + semantic reduction
– Focus Based Transformers
![Page 44: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/44.jpg)
yx
yx ...
Evaluateupdateformulas
y
x
y
x
...
inverse canonical
y
x
y
xcanonical abstraction
xy
Best Transformer Transformer (x = x n)
![Page 45: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/45.jpg)
Then aMiracle Occurs
![Page 46: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/46.jpg)
Boolean Connectives [Kleene]
0 1/2 1
0 0 0 01/2 0 1/2 1/21 0 1/2 1
0 1/2 1
0 0 1/2 11/2 1/2 1/2 11 1 1 1
![Page 47: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/47.jpg)
Boolean Connectives [Kleene]
0 1/2 1
0 0 0 01/2 0 1/2 1/21 0 1/2 1
0 1/2 1
0 0 1/2 11/2 1/2 1/2 11 1 1 1
![Page 48: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/48.jpg)
Embedding
• A logical structure B can be embedded into a structure S via an onto function f (B f S) if the basic relations are preserved, i.e., pB(u1, .., uk) pS (f(u1), ..., f(uk))
• S is a tight embedding of B with respect to f if:– S does not lose unnecessary information, i.e.,– pS(u#
1, .., u#k) = {pB (u1 ..., uk) | f(u1)=u#
1, ..., f(uk)=u#k}
• Canonical Abstraction is a tight embedding
![Page 49: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/49.jpg)
Embedding and Concretization
• Two natural choices– B 1(S) if B can be embedded into S via an
onto function f (B f S)– B 2(S) if S is a tight embedding of B
![Page 50: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/50.jpg)
Embedding Theorem
• Assume B f S, pB(u1, .., uk) pS (f(u1), ..., f(uk))
• Then every formula is preserved:– If = 1 in S, then = 1 in B– If = 0 in S, then = 0 in B– If = 1/2 in S, then could be 0 or 1 in
B
![Page 51: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/51.jpg)
Embedding Theorem
u1x
t
u2,3n
n
v: x(v) 1=Yes
v: x(v)t(v) 1=Yes
v: x(v)y(v) 0=No
v1,v2: x(v1)n(v1, v2) ½=Maybe
v1,v2: x(v1)n(v1, v2) n*(v2, v1) 0=No
v1,v2: x(v1) n*(v1,v2) n+(v2, v2) 1/2=Maybe
![Page 52: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/52.jpg)
xy
Kleene Transformer (x = x n)
![Page 53: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/53.jpg)
Semantic Reduction• Improve the precision of the analysis by
recovering properties of the program semantics
• A Galois connection (L1, , , L2)
• An operation op:L2L2 is a semantic reduction– lL2 op(l)l
– (op(l)) = (l)• Can be applied before and
after basic operations
l
L1
L2 op
![Page 54: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/54.jpg)
“Focus”-Based Transformer (x = x n)
Kleene Evaluation
canonical
Focus(x n)
“Partial ”xy
yx
yx
yx
x
x
y
y
yx
x
y
y
y
![Page 55: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/55.jpg)
The Focus Operation
• Focus: Formula(P(3-Struct) P(3-Struct))• Generalizes materialization• For every formula
– Focus()(X) yields structure in which evaluates to a definite values in all assignments
– Only maximal in terms of embedding– Focus() is a semantic reduction– But Focus()(X) may be undefined for some X
![Page 56: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/56.jpg)
“Focus”-Based Transformer (x = x n)
Kleene Evaluation
canonical
Focus(x n)
“Partial ”xy
yx
yx
yx
x
x
y
y
yx
x
y
y
y
w: x(w) n(w, v)
![Page 57: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/57.jpg)
The Coercion Principle
• Another Semantic Reduction• Can be applied after Focus or after Update or both• Increase precision by exploiting some structural
properties possessed by all stores (Global invariants)
• Structural properties captured by constraints
• Apply a constraint solver
![Page 58: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/58.jpg)
Apply Constraint Solver
x
y
yr[n,y](v)=1
x
x
y
is(v)=0 x
yy
is(v)=0
![Page 59: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/59.jpg)
Sources of Constraints
• Properties of the operational semantics• Domain specific knowledge
– Instrumentation predicates
• User supplied
![Page 60: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/60.jpg)
Example Constraints
x(v1) x(v2)eq(v1, v2)
n(v, v1) n(v,v2)eq(v1, v2)
n(v1, v) n(v2,v)eq(v1, v2)is(v)
n*(v3, v4)t[n](v1, v2)
![Page 61: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/61.jpg)
Apply Constraint Solver
y
is(v)=0x
x(v1) x(v2)eq(v1, v2)
y
is(v)=0
x
![Page 62: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/62.jpg)
Apply Constraint Solver
y
is(v)=0x
n(v1, v) n(v2,v)eq(v1, v2)is(v)n(v1, v) is(v)eq(v1, v2) n(v2, v)
y
is(v)=0x
![Page 63: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/63.jpg)
Summary Transformers
• Kleene evaluation yields sound solution• Focus is statement specific implements
partial concretization• Coerce applies global constraints
![Page 64: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/64.jpg)
Three Valued Logic Analysis (TVLA)T. Lev-Ami & R. Manevich
• Input (FOTC)
– Concrete interpretation rules– Definition of instrumentation relations– Definition of safety properties– First Order Transition System (TVP)
• Output– Warnings (text)– The 3-valued structure at every node (invariants)
![Page 65: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/65.jpg)
TVLA inputs
• TVP - Three Valued Program– Predicate declaration– Action definitions SOS
• Statements• Conditions
– Control flow graph
• TVS - Three Valued Structure
Program independent
![Page 66: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/66.jpg)
List reverse(Element head){
List rev, ne;rev = NULL;
while (head != NULL) {ne = head next;
head next = rev; head = ne;
rev = head;
}return rev;
}
Memory Leakage
leakage of address pointed to by head
headn
n
head n
nne
head
ne
n
n
![Page 67: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/67.jpg)
Memory LeakageElement reverse(Element head) {
Element rev, ne;rev = NULL;
while (head != NULL) {ne = head next;
head next = rev;
rev = head;
head = ne;
}return rev;
}
✔ No memory leaks
![Page 68: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/68.jpg)
Mark and Sweepvoid Mark(Node root) { if (root != NULL) { pending = pending = pending {root} marked = while (pending ) { x = SelectAndRemove(pending) marked = marked {x} t = x left if (t NULL) if (t marked) pending = pending {t} t = x right if (t NULL) if (t marked) pending = pending {t} } } assert(marked = = Reachset(root))}
void Sweep() { unexplored = Universe collected = while (unexplored ) { x = SelectAndRemove(unexplored) if (x marked) collected = collected {x} } assert(collected = = Universe – Reachset(root) )}
v: marked(v) reach[root](v)
![Page 69: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/69.jpg)
Markvoid Mark(Node root) { if (root != NULL) { pending = pending = pending {root} marked = while (pending ) { x = SelectAndRemove(pending) marked = marked {x} t = x left if (t NULL) if (t marked) pending = pending {t} t = x right if (t NULL) if (t marked) pending = pending {t} } } }
v: marked(v) reach[root](v)
r: root(r) (p(r)m(r)) v: ((m(v) p(v)) reach[root](v)) (p(v) m(v)) v, w: ((m(v) m(w) p(w)) successor(v, w))
![Page 70: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/70.jpg)
Example: Markvoid Mark(Node root) { if (root != NULL) { pending = pending = pending {root} marked = while (pending ) { x = SelectAndRemove(pending) marked = marked {x} t = x left if (t NULL) if (t marked) pending = pending {t}/* t = x right * if (t NULL) * if (t marked) * pending = pending {t} */ } } assert(marked = = Reachset(root))}
![Page 71: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/71.jpg)
r: root(r) r[root](r) p(r) m(r) e: r[root](e)m(e)root(e) p(e) r, e: (root(r) r[root](r) p(r) m(r) r[root]( e) m(e)) root(e) p(e)) left(r,e)
x
r[root] m
root
r[root]
leftright
right
left right
Bug Found
• There may exist an individual that is reachable from the root, but not marked
![Page 72: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/72.jpg)
Scaling for Larger Programs
• Staged Analyses • Represent 3-valued structures with BDDs [Manevich
SAS’02]• Coercer Abstractions [Manevich SAS’04]• Reduce static costs• Handling procedures• Assume/Guarantee Reasoning
– Use procedure specifications [Yorsh, TACAS’04]– Decision procedures for linked data structures
[Immerman, CAV’04, Lev-Ami, CADE’05, Yorsh FOSSACS06]
![Page 73: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/73.jpg)
Scaling
• Staged analysis• Reduce static costs• Controlled complexity
– More coarse abstractions [Manevich SAS’04]– Counter example based refinement
• Exploit “good” program properties– Encapsulation & Data abstraction
• Handle procedures efficiently
![Page 74: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/74.jpg)
Partially DisjunctiveHeap Abstraction (Manevich, SAS’04)
• Use a heap-similarity criterion– We defined similarity by universe congruence
• Merge similar heaps• Avoid merging dissimilar heaps• The same concrete state can belong to more
than one abstract value
![Page 75: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/75.jpg)
x
t n
x
tn n
Partially Disjunctive Abstraction
x
t n
![Page 76: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/76.jpg)
Running times
02,0004,0006,0008,00010,00012,00014,00016,00018,00020,000
DSW
Inpu
tStre
am5
Inpu
tStre
am5b
Inpu
tStre
am6
SQLExe
cuto
r
Kerne
lBen
ch.1
GC.mar
k
se
co
nd
s
PowersetPartial
![Page 77: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/77.jpg)
Interprocedural Analysis
Noam Rinetzky
www.cs.tau.ac.il/~maon
![Page 78: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/78.jpg)
How to handle procedures?
• Pure functions – Procedure input/output relation– No side-effects
main() { int w=0,x=0,y=0,z=0; w = inc(y); x = inc(z); assert: w+x is even}
int inc(int p) { return 2 + p - 1;}
p ret
0 1
1 2
2 3
.. …
![Page 79: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/79.jpg)
How to handle procedures?
• Pure functions – Procedure input/output relation– No side-effects
main() { int w=0,x=0,y=0,z=0; w = inc(y); x = inc(z); assert: w+x is even}
int inc(int p) { return 2 + p - 1;}
w x y z
p ret
Even Odd
Odd Even
E E E E
O E E E
O O E E
![Page 80: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/80.jpg)
What about global variables?
• Procedures have side-effects • Easy fix
int g = 0;main() { int w=0,x=0,y=0,z=0; w = inc(y); x = inc(z); assert: w+x+g is even}
int inc(int p) { g = p; return 2 + p - 1;}
int g = 0;
g = p;
p g ret g’
0 0 1 0
… … … …
p g ret g’
Even E/O Odd Even
Odd E/O Even Odd
![Page 81: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/81.jpg)
n append(y,z)nn
But what about pointers and heap?
Pointers• Aliasing• Destructive update
Heap• Global resource • Anonymous objects
How to tabulate append?
z
x.n.n ~ y
x.n.n.n ~ z
y.n=z x
y
![Page 82: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/82.jpg)
main() {
append(y,z);
}
• Procedure input/output relation– Not reachable Not effected – proc: local (reachable) heap local heap
How to tabulate procedures?
append(List p, List q) {…
}
nx
n
t
y
n
z
n
p q p q
n
y z
p qn
xn
t
![Page 83: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/83.jpg)
main() {
append(y,z);
}
ynn
z
n
How to handle sharing?• External sharing may break the functional view
append(List p, List q) {…
}
nn
t z
x n
p qnn
p qnn
t
y
p qnn n
x
![Page 84: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/84.jpg)
append(y,z);
What’s the difference?
nn
t z
y
x
1st Example 2nd Example
append(y,z);
nx
n
t y z
![Page 85: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/85.jpg)
Cutpoints
• An object is a cutpoint for an invocation– Reachable from actual parameters– Not pointed to by an actual parameter– Reachable without going through a parameter
append(y,z) append(y,z)
y
x
nn
t z
ynn
t zn n
![Page 86: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/86.jpg)
Main Results(POPL’05)
• Concrete operational semantics– Sequential programs– Local heap– Track cutpoints– Storeless
• good for shape abstractions– Observational equivalent with “standard” global store-based heap
semantics• Java and “clean” C
• Abstractions– Shape Analysis of singly-linked lists– May-alias [Deutsch, PLDI 04]
![Page 87: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/87.jpg)
Introducing local heap semanticsOperational semantics
Abstract transformer
Local heap Operational semantics
~’ ’
![Page 88: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/88.jpg)
Main results(SAS’05)• Cutpoint freedom• Non-standard concrete semantics
– Verifies that an execution is cutpoint-free– Local heaps
• Interprocedural shape analysis– Conservatively verifies
• program is cutpoint free • Desired properties
– Partial correctness of quicksort
– Procedure summaries • Prototype implementation
![Page 89: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/89.jpg)
Cutpoint freedom
• Cutpoint-free – Invocation: has no cutpoints– Execution: every invocation is cutpoint-free– Program: every execution is cutpoint-free
x
y
nn
t z
ynn
t zx
append(y,z) append(y,z)
![Page 90: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/90.jpg)
Programming model• Single threaded• Procedures
Value parameters Formal parameters not modified
Recursion• Heap
Recursive data structuresDestructive updateNo explicit addressing (&)No pointer arithmetic
![Page 91: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/91.jpg)
Memory states
• A memory state encodes a local heap– Local variables of the current procedure
invocation– Relevant part of the heap
• Relevant Reachable
x
y
nn
t z
p q
main append
![Page 92: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/92.jpg)
Abstract semantics
• Conservatively apply statements using 3-valued
logic (with the non-standard semantics)– Use canonical abstraction– Reinterpret FO formulas using Kleene value
![Page 93: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/93.jpg)
1. Verify cutpoint
freedom
2 Compute input
… Execute callee …
3 Combine output
append body
Procedure calls
p q
pn
q
y zxn
y zxn n
append(y,z)
append(p,q)
![Page 94: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/94.jpg)
Tabulation exists?
y
Interprocedural shape analysis
call f(x)px
y
x
p
![Page 95: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/95.jpg)
p
y
Interprocedural shape analysis
call f(x)x
y
p
p
Tabulation exists?
Analyze f
p
x
![Page 96: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/96.jpg)
Interprocedural shape analysis• Procedure input/output relation
p qn
nrqrp rp
qpn
nrp rq
n rp
q q
rqrq
qprp
qprp rq
n rprq
…
Input Output
rp
![Page 97: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/97.jpg)
Interprocedural shape analysis• Reusable procedure summaries
– Heap modularity
qprp rq
n rp
qprp rq
g h i kn n
g h i kn
rgrgrg rh rh rirkrhrgrirk
append(h,i)
yx zn
nn n rx ry rz
yx zn
nn rz rx ryrxrxrx ryrx rx
append(y,z)
yn
zxappend(y,z)y zx
rx ry rzryrx ry
![Page 98: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/98.jpg)
Prototype implementation
• TVLA based analyzer • Soot-based Java front-end• Parametric abstraction
Data structure Verified propertiesSingly linked list Cleanness, acyclicitySorting (of SLL) + Sortedness Unshared binary trees Cleaness, tree-ness
![Page 99: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/99.jpg)
Iterative vs. Recursive (SLL)
0102030405060708090
100
Program
Sec
onds
Iterative
Recursive
585
![Page 100: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/100.jpg)
Inline vs. Procedural abstraction
0
5
10
15
20
1 2 4 8Number of lists
Meg
ab
yte
s
Inline
Proc. call
020406080
100120140160
1 2 4 8Number of lists
Seco
nd
s
Inline
Proc. call
// Allocates a list of// length 3List create3(){ … }
main() { List x1 = create3(); List x2 = create3(); List x3 = create3(); List x4 = create3(); …}
![Page 101: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/101.jpg)
Call string vs. Relational vs. CPF[Rinetzky and Sagiv, CC’01] [Jeannet et al., SAS’04]
0123456789
10
insert delete rev rev8
Meg
abyt
es Call String
Relational
CPF
0
20
40
60
80
100
120
140
160
insert delete rev rev8
Sec
on
ds Call String
Relational
CPF
![Page 102: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/102.jpg)
Summary
• Cutpoint freedom• Non-standard operational semantics• Interprocedural shape analysis
– Partial correctness of quicksort
• Prototype implementation
![Page 103: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/103.jpg)
Suggested Project: Information Flow
• Partition the data structures into two classes– High and Low
• Show that information from high data structure cannot leak to X
![Page 104: Schedule 27/12 Shape Analysis 3/1 Static Analysis in Soot 10/1 Static Analysis in LLVM 17/1 Advanced Topics: Concurrent programs and TAU research topics.](https://reader036.fdocuments.net/reader036/viewer/2022070415/5697c0081a28abf838cc6afb/html5/thumbnails/104.jpg)
Summary
• Reasoning about the heap is challenging• [Parametric] Abstraction is necessary • Canonical abstraction is powerful• Useful for programs with arrays [Gopan
POPL’05]• Information lost by canonical abstraction
– Correlations between list lengths