Recap Roman Manevich Mooly Sagiv. Outline Subjects Studied Questions & Answers.
TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm...
-
Upload
russell-dean -
Category
Documents
-
view
218 -
download
0
Transcript of TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm...
![Page 1: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/1.jpg)
TVLA: A system for inferring Quantified Invariants
Tal Lev-Ami
Tom Reps
Mooly Sagiv
Reinhard Wilhelm
Greta Yorsh
![Page 2: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/2.jpg)
Example: Mark and Sweepvoid Mark(Node root) { if (root != NULL) { pending = pending = pending {root} marked = while (pending ) { x = SelectAndRemove(pending) marked = marked {x} t = x left if (t NULL) if (t marked) pending = pending {t} t = x right if (t NULL) if (t marked) pending = pending {t} } } assert(marked = = Reachset(root))}
void Sweep() { unexplored = Universe collected = while (unexplored ) { x = SelectAndRemove(unexplored) if (x marked) collected = collected {x} } assert(collected = = Universe – Reachset(root) )}
v: marked(v)r: root(r) reach(w, v)
![Page 3: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/3.jpg)
Example: Markvoid Mark(Node root) { if (root != NULL) { pending = pending = pending {root} marked = while (pending ) { x = SelectAndRemove(pending) marked = marked {x} t = x left if (t NULL) if (t marked) pending = pending {t} t = x right if (t NULL) if (t marked) pending = pending {t} } } }
v: marked(v)r: root(r) reach(r, v)
r: root(r) (pending(r)marked(r)) v: ((marked(v) pending(v)) reach(r, v)) (pending(v) marked(v)) v, w: ((marked(v) marked(w) pending(w)) successor(v, w))
![Page 4: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/4.jpg)
Example: Markvoid Mark(Node root) { if (root != NULL) { pending = pending = pending {root} marked = while (pending ) { x = SelectAndRemove(pending) marked = marked {x} t = x left if (t NULL) if (t marked) pending = pending {t}/* t = x right * if (t NULL) * if (t marked) * pending = pending {t} */ } } assert(marked = = Reachset(root))}
Run Demo
![Page 5: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/5.jpg)
r: root(r) reach(r, e) pending(r) marked(r)) e: reach(r, e) marked(e)) root(e) pending(v) r, e: ((reach(r, e) marked(e)) root(e) pending(e)) (root(r) reach(r, e) pending(r) marked(r)) left(e, r))
Example: Markvoid Mark(Node root) { if (root != NULL) { pending = pending = pending {root} marked = while (pending ) { x = SelectAndRemove(pending) marked = marked {x} t = x left if (t NULL) if (t marked) pending = pending {t}/* t = x right * if (t NULL) * if (t marked) * pending = pending {t} */ } } assert(marked = = Reachset(root))}
![Page 6: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/6.jpg)
A Singleton Buffer
6
Boolean empty = true;
Object b = null;
produce() {
1: Object p = new();
2: await (empty) then {
b = p;
empty = false;
}
3:
}
consume() {
Object c;
4: await (!empty) then {
c = b;
empty = true;
}
5: use(c);
6: dispose(c);
7:
}
SafeDereference
NoDouble free
![Page 7: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/7.jpg)
7
Boolean empty = true;
Object b = null;
produce() {
1: Object p = new();
2: await (empty) then {
b = p;
empty = false;
}
3:
}
consume() {
Object c;
4: await (!empty) then {
c = b;
empty = true;
}
5: use(c);
6: dispose(c);
7:
}
t, e, v: t e c(t, v) c(e, w) v w
![Page 8: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/8.jpg)
Quantified Invariants are hard
• Corner cases
• Sizes
• Nested loops
• Code updates
• First order reasoning is hard
![Page 9: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/9.jpg)
Our approach
• Automatically infer sound invariants
• Library (PL) designers can define families of interesting invariants
• Limited form of invariants
• Sound but incomplete reasoning– Abstract interpretation over quantified invariants– Parameterized by the
![Page 10: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/10.jpg)
Applications
• Memory safety & preservation of data structure invariants [Dor, SAS’00, Loginov, ISSTA’08]
• Compile-time garbage collection [Shaham, SAS’03]• Correct API usage [Ramalingam, PLDI’02, Yahav.
PLDI’04]• Typestate verification [Yahav, ISSTA’06]• Partial & total correctness
– Sorting implementations [Lev-Ami, ISTTA’00, Rinetzky, SAS’05]
– Deutsch-Shorr-Waite [Loginov, SAS’06]• Thread modular shape analysis [Gotsman, PLDI’07]• Linearizability [Amit, CAV’07, Berdine, CAV’08]
![Page 11: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/11.jpg)
Example: Concrete Interpretation
x
tn n
t
x
n
x
t n
x
tn n
x
tn n
xtt
x
ntt
nt
x
t
x
t
xempty
return x
x = t
t =malloc(..);
tnext=x;
x = NULL
TF
![Page 12: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/12.jpg)
Shape Analysis
t
x
n
x
t n
x
tn n
xtt
x
ntt
nt
x
t
x
t
xempty
x
tn
n
x
tn
n
n
x
tn
t n
xn
x
tn
nreturn x
x = t
t =malloc(..);
tnext=x;
x = NULL
TF
![Page 13: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/13.jpg)
Outline
• Canonical Abstraction [TOPLAS’02]
• Quantified Invariants
• Operating on Abstractions
![Page 14: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/14.jpg)
Abstract Interpretation[Cousot & Cousot]
• Checking interesting program properties is undecidable
• Use abstractions• Every verified property holds (sound)• But may fail to prove properties which
always hold (incomplete)– false alarms
• Minimal false alarms
![Page 15: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/15.jpg)
Simplified Abstract Interpretation
Concrete domain
Abstract domain
(unbounded)
(bounded)
![Page 16: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/16.jpg)
Most Precise Abstract Transformer[Cousot, Cousot POPL 1979]
#
![Page 17: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/17.jpg)
An example predicate abstraction
predicates
{x>0}
x = 3
while (true) {
x = x +1 ;
}x=0, x=-1, x=-2, ..
x=1, x=2, x=3, ..
1
0
x=0, x=-1, x=-2, ..
x=1, x=2, x=3, ..x=3
1
0
![Page 18: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/18.jpg)
An example predicate abstraction
predicates
{x>0}
x = 3
while (true) {
x = x +1 ;
}x=0, x=-1, x=-2, ..
x=1, x=2, x=3, ..
1
0
x=0, x=-1, x=-2, ..
x=1, x=2, x=3, ..x=x+1
1
0
![Page 19: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/19.jpg)
An example predicate abstraction
predicates
{x>0}
x = 3
while (true) {
x = x +1 ;
}
{0, 1}
{1}
{1}{1} {1}
![Page 20: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/20.jpg)
Shape Analysis as Abstract Interpretation
• Represent concrete stores as labeled directed graphs– 2-valued structures {0, 1}– Abstract away
• Concrete locations• Primitive values
– But unbounded • Represent abstract stores as labeled directed graphs
– 3-vaued structures {0, 1, ½}– Several concrete nodes are represented by a summary
node– Abstract away field correlations
![Page 21: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/21.jpg)
Representing Concrete Stores by Logical Structures
• Parametric vocabulary
• Heap – Locations Individuals– Program variables Unary relations– Fields Binary relations
![Page 22: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/22.jpg)
Representing Stores as Logical Structures (Example)
u1 u2 u3 u4 u5xn n n n
p
u1 1
u2 0
u3 0
u4 0
u5 0
xu1 0
u2 0
u3 1
u4 0
u5 0
pu1 u2 u3 u4 u5
u1 0 1 0 0 0
u2 0 0 1 0 0
u3 0 0 0 1 0
u4 0 0 0 0 1
u5 0 0 0 0 0
n
![Page 23: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/23.jpg)
Representing Abstract Stores by 3-Valued Logical Structures
• A join semi-lattice: 0 1 = 1/2• {0, 1, ½} values for relations
![Page 24: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/24.jpg)
Canonical Abstraction ()
• Partition the individuals into equivalence classes based on the values of their unary relations– Every individual is mapped into its equivalence class
• Collapse binary relations via
– pS (u’1, u’2) = {pB (u1, u2) | f(u1)=u’1, f(u2)=u’2) }
• At most 2A abstract individuals
![Page 25: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/25.jpg)
Canonical Abstraction
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}
u1x
t
u2 u3
u1x
t
u2,3
n n
n
n
![Page 26: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/26.jpg)
x
t
n nu2u1 u3
Canonical Abstraction
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
} u1x
t
u2,3n
n
n
![Page 27: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/27.jpg)
Canonical Abstraction and Equality
• Summary nodes may represent more than one element
• (In)equality need not be preserved under abstraction
• Explicitly record equality
• Summary nodes are nodes with eq(u, u)=1/2
![Page 28: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/28.jpg)
Canonical Abstraction and Equality
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}
u1x
t
u2 u3
u1x
t
u2,3
eq
n n
n
n
eq eq
eq
eqeq
u2,3
eq
eq
eq
![Page 29: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/29.jpg)
Canonical Abstraction
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}
u1x
t
u2 u3n n
u1x
t
u2,3n
n
![Page 30: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/30.jpg)
Canonical Abstraction
• Partition the individuals into equivalence classes based on the values of their unary relations– Every individual is mapped into its equivalence class
• Collapse relations via
– pS (u’1, ..., u’k) = {pB (u1, ..., uk) | f(u1)=u’1, ..., f(u’k)=uk) }
• At most 2A abstract individuals
![Page 31: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/31.jpg)
Canonical Abstraction
x = NULL;
while (…) do {
t = malloc();
t next=x;
x = t
}
u1x
t
u2 u3n n
u1x
t
u2,3n
n
![Page 32: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/32.jpg)
Limitations
• Information on summary nodes is lost
![Page 33: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/33.jpg)
Increasing Precision
• Global invariants– User-supplied, or consequence of the semantics
of the programming language
• Record extra information in the concrete interpretation– Tunes the abstraction– Refines the concretization
• Naturally expressed in FOTC
![Page 34: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/34.jpg)
Heap Sharing relation
is(v)=0
u1x
t
u2 un…
u1x
t
u2..n
n
n
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
is(v)=0 is(v)=0
is(v)=0 is(v)=0
n n n
![Page 35: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/35.jpg)
Heap Sharing relation
is(v)=0
u1x
t
u2 un…
is(v) = v1,v2: n(v1,v) n(v2,v) v1 v2
is(v)=1 is(v)=0
n n
n
n
u1x
t
u2n
is(v)=0 is(v)=1 is(v)=0
n
u3..n
n
n
![Page 36: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/36.jpg)
Reachability relationt[n](v1, v2) = n*(v1,v2)
u1x
t
u2 unn n n
t[n] t[n] t[n]
t[n]
t[n]
t[n]
u1x
t
u2..n
n
n
t[n]
t[n]
t[n]
...
![Page 37: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/37.jpg)
List Segments
u1
x
u2 u5nu3 u4 u6 u7 u8n n n n n n
y
u1
x
u2,3,4,6,7,8 u5n n
y
![Page 38: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/38.jpg)
Reachability from a variable
• r[n,y](v) =w: y(w) n*(w, v)
u1
x
u2 u5nu3 u4 u6 u7 u8n n n n n n
y
r[n,y]=0 r[n,y]=0 r[n,y]=0 r[n,y]=1 r[n,y]=1 r[n,y]=1
u1
x
u2,3,4 u5n n n
y
u6,7,8
![Page 39: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/39.jpg)
• inOrder(v) = w: n(v, w) data(v) data(w)
• cfb(v) = w: f(v, w) b(w, v)
• tree(v)• dag(v)• Weakest Precondition
[Ramalingam, PLDI’02]• Learned via Inductive Logic Programming
[Loginov, CAV’05]• Counterexample guided refinement
Additional Instrumentation relations
![Page 40: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/40.jpg)
Most Precise Abstract Transformer[Cousot, Cousot POPL 1979]
#
![Page 41: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/41.jpg)
Partial Concretization
#
![Page 42: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/42.jpg)
Partial Concretization
#
#
![Page 43: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/43.jpg)
y
x
y
x
yx
yx ...
x
y
y
x
...
xy
Best Transformer (x = x n)
Concrete Semantics
canonical abstraction
![Page 44: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/44.jpg)
y
x
y
xxy
Partial Concretization based Transformer (x = x n)
AbstractSemantics
canonical abstraction
x
y
y
xyx
yx
![Page 45: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/45.jpg)
Partial Concretization
• Employed in other shape analysis algorithms [Distefano, TACAS’06, Evan, SAS’07, POPL’08]
• Soundness is immediate• Can even guarantee precision under certain
conditions [Lev-Ami, VMCAI’07]• Locally refine the abstract domain per statement
![Page 46: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/46.jpg)
y
x
xy
Non-Fixed-Partition
x = xn
yx
y
x
![Page 47: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/47.jpg)
Shape Analysis
t
x
n
x
t n
x
tn n
xtt
x
ntt
nt
x
t
x
t
xempty
x
tn
n
x
tn
n
n
x
tn
t n
xn
x
tn
nreturn x
x = t
t =malloc(..);
tnext=x;
x = NULL
TF
![Page 48: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/48.jpg)
[TOPLAS’02, Lev-Ami, SAS’00]
• Concrete transformers using first order formulas• Effective algorithms for computing transformers
– Partial concretization
– 3-valued logic Kleene evaluation
– Finite differencing & incremental algorithms[Reps, ESOP’03]
• A parametric yacc like system[TVLA]– http://www.cs.tau.ac.il/~tvla
![Page 49: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/49.jpg)
Applications
![Page 50: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/50.jpg)
Proving Correctness of Sorting Implementations (Lev-Ami, Reps, S,
Wilhelm ISSTA 2000)• Partial correctness
– The elements are sorted– The list is a permutation of the original list
• Termination– At every loop iterations the set of elements
reachable from the head is decreased
![Page 51: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/51.jpg)
Sortedness
u1x
t
u2 unn n n
dle dle dle
dle
dle
dle
u1x
t
u2..n
n
n
dle
dle
dle
...
![Page 52: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/52.jpg)
Example: SortednessinOrder(v) = v1: n(v,v1) dle(v, v1)
u1x
t
u2 unn n
dle dle dle
dle
dle
dle
u1x
t
u2..n
n
n
dle
dledle
inOrder = 1 inOrder = 1 inOrder = 1
inOrder = 1 inOrder = 1
n...
![Page 53: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/53.jpg)
Example: InsertSort
Run Demo
List InsertSort(List x) { List r, pr, rn, l, pl; r = x; pr = NULL; while (r != NULL) { l = x; rn = r n; pl = NULL; while (l != r) { if (l data > r data) { pr n = rn; r n = l; if (pl = = NULL) x = r; else pl n = r; r = pr; break; } pl = l; l = l n; } pr = r; r = rn; } return x; }
typedef struct list_cell { int data; struct list_cell *n;} *List;
![Page 54: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/54.jpg)
Example: InsertSort
Run Demo
List InsertSort(List x) { if (x == NULL) return NULL pr = x; r = x->n; while (r != NULL) {
pl = x; rn = r->n; l = x->n; while (l != r) {
pr->n = rn ; r->n = l;
pl->n = r; r = pr; break; }
pl = l; l = l->n;
} pr = r; r = rn;
}
typedef struct list_cell { int data; struct list_cell *n;} *List;
14
![Page 55: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/55.jpg)
Lightweight Specification"correct usage" rules a client must follow
"call open() before read()"
Certificationdoes the client program satisfy the lightweight specification?
Verification of Safety Properties(PLDI’02, 04)
Componenta library with cleanly encapsulated state
Clienta program that uses
the library
The Canvas Project (with IBM Watson)(Component Annotation, Verification and Stuff)
![Page 56: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/56.jpg)
Prototype Implementation
• Applied to several example programs– Up to 5000 lines of Java
• Used to verify– Absence of concurrent modification
exception – JDBC API conformance– IOStreams API conformance
![Page 57: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/57.jpg)
Analysis Times
0
1000
2000
3000
4000
5000
6000
7000
8000
9000
10000
ISPath InputStream5 InputStream5b inputStream6db KernelBenchmark 1
JDBC Example JDBC Example2
SQLExecutor
IOStreamsIOStreamsIOStreamsIOStreamsIOStreamsCMPJDBCJDBCJDBC
Benchmark
Tim
e (
se
c)
![Page 58: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/58.jpg)
Concurrency
• Models threads as ordinary objects [Yahav, POPL’01]
• Thread-modular shape analysis [Gotsman, PLDI’07]
• Heap decomposition [Manevich, SAS’08]
• Thread quantification [Berdine, CAV’08]
• Enforcing a locking regime [Rinetzkey]
![Page 59: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/59.jpg)
Correctness of concurrent ADT implementations
[Amit CAV’07, Berdine, CAV’08]• Small pointer manipulation programs• Fine grained concurrency• Benign data races• Error prone• Interesting properties
– Memory safety– Partial correctness– Linearizability– Liveness
![Page 60: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/60.jpg)
Treiber’s Non-blocking Stack[1] void push(Stack *S, data_type v) {[2] Node *x = alloc(sizeof(Node));[3] x->d = v;[4] do {[5] Node *t = S->Top;[6] x->n = t;[7] } while (!CAS(&S->Top,t,x));[8] }
[9] data_type pop(Stack *S){[10] do {[11] Node *t = S->Top;[12] if (t == NULL)[13] return EMPTY;[14] Node *s = t->n;[15] data_type r = s->d;[16] } while (!CAS(&S->Top,t,s));[17] return r;[18] }
![Page 61: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/61.jpg)
64
Verified Programs #states time (sec.)
Treiber’s stack[1986]
764 7
Two-lock queue[Michael & Scott, PODC’96]
3,415 17
Non-blocking queue[Doherty & Groves, FORTE’04]
10,333 252
Experimental results
First automatic verification of linearizability for unbounded number of threads
![Page 62: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/62.jpg)
Handling Larger Programs• Staged analysis • Handling procedures• Specialized abstractions
– Counterexample guided refinement [McMillan, POPL’08]• Coercer abstractions
– Weaker summary nodes [Arnold, SAS’06]– Special join operator [Manevich, SAS’04, TACAS’07, SAS’08,
Yang’08] – Heterogeneous abstractions [Yahav, PLDI’04]
• Implementation techniques– Optimizing transformers [Bogodlov, CAV’07]– Optimizing GC– Reducing static size– Partial evaluation– Persistent data structures [Manevich, SAS’04]– …
![Page 63: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/63.jpg)
Handling Procedures
• Complicated sharing patterns [Rinetzky, CC’01]• Relational shape analysis [Jeannet, SAS’04]• New semantics for procedures (Cutpoints)
[Rinetzky, POPL’05]• Tabulation for cutpoint free programs [Rinetzky,
SAS’05]• Handling cutpoints [Gotsman, SAS’06]• Modularity [Rinezky, ESOP’07]
![Page 64: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/64.jpg)
main() {
append(y,z);
}
• Procedure input/output relation– Not reachable Not effected
– proc: local (reachable) heap local heap
How to tabulate procedures?
append(List p, List q) {…
}
nx
n
t
y
n
z
n
p q p q
n
y z
p qn
xn
t
![Page 65: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/65.jpg)
main() {
append(y,z);
}
ynn
z
n
How to handle sharing?• External sharing may break the functional view
append(List p, List q) {…
}
nn
t z
x n
p qnn
p qnn
t
y
p qnn n
x
![Page 66: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/66.jpg)
append(y,z);
What’s the difference?
nn
t z
y
x
1st Example 2nd Example
append(y,z);
nx
n
t y z
![Page 67: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/67.jpg)
Cutpoints
• An object is a cutpoint for an invocation– Reachable from actual parameters– Not pointed to by an actual parameter– Reachable without going through a parameter
append(y,z) append(y,z)
y
x
nn
t z
ynn
t zn n
![Page 68: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/68.jpg)
Introducing local heap semanticsOperational semantics
Abstract transformer
Local heap Operational semantics
~’ ’
![Page 69: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/69.jpg)
Interprocedural shape analysis
• Procedure input/output relation
p qn
nrqrp rp
qpn
nrp rq
n rp
q q
rqrq
qprp
qprp rq
n rprq
…
Input Output
rp
![Page 70: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/70.jpg)
Interprocedural shape analysis• Reusable procedure summaries
– Heap modularity
qprp rq
n rp
qprp rq
g h i kn n
g h i kn
rgrgrg rgrh rh rirkrhrgrirk
append(h,i)
yx zn
nn n rx ry rz
yx zn
nn rz rx ryrxrxrx ryrx rx
append(y,z)
yn
zxappend(y,z)y zx
rx ry rzryrx ryrz
![Page 71: TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.](https://reader035.fdocuments.net/reader035/viewer/2022062423/56649e935503460f94b98973/html5/thumbnails/71.jpg)
Summary
• Canonical abstraction is powerful– Intuitive– Adapts to the property of interest– More instrumentation may mean more efficient
• Used to verify interesting program properties– Very few false alarms
• But scaling is an issue