Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.

Published byDayton Meador Modified over 10 years ago

Similar presentations

Presentation on theme: "Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat."— Presentation transcript:

1 Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat

2 2 Whats shape analysis? Whats special? memory manipulation Shape analysis tracks memory manipulation flow-sensitively flow-sensitively. + = analyzer shape analyzer heap-aware analyzer

3 3 Typestate with shape analysis cur = list; while (cur != null) { assert(cur is red); make_purple(cur); cur = cur ! next; } list cur list 1 region list points to a red region 1 region list points to a red region 1 region list and cur point to a region that may be red or purple 2 regions list points to a purple region up to cur and cur points to a red region make_purple( ¢ ) could be free( ¢ ) open( ¢ ) … lock(cur);

4 4 Scalability –Finding right amount of abstraction difficult Over-reliance on disjunction for precision Repeated work to transition on each disjunct Usability –Choosing the abstraction difficult Depends on the program and the properties to verify Shape analysis is not yet practical Ç ÇÇÇ …

5 5 Hypothesis Good abstraction is program-specific Developer can only keep a few cases in her head If only the shape analysis could get the developers abstraction (easily) developer small number The developer can describe the memory with a small number of abstract descriptions sufficient for the properties of interest.

6 6 Observation bool redlist(List* l) { if (l == null) return true; else return l ! color == red && redlist(l ! next); } l red Checking code Checking code expresses a shape invariant and an intended usage pattern. next

7 7 Proposal Given: Program + Checker code Extensible –Abstraction based on the developer-supplied checkers on a per-structure basis Scalable (hopefully, based on hypothesis) shape analysis invariant checkers An automated shape analysis with a memory abstraction based on invariant checkers.

8 8 Outline Memory abstraction –Challenge: Intermediate invariants Analysis algorithm –Challenge: Blurring to ensure termination Comparison with TVLA Experimental Results

9 9 Abstract memory using checkers list next @ next ¤ list( ) is a list with at least one element Graphical Diagram Formula +next list values (memory address or null) disjoint memory regions (i.e., sets of fields) ¤ disjoint

10 10 Checkers as inductive predicates Disjoint memory regions Checker run can dereference a field only once bool list(List* l) { if (l == null) return true; else return list(l ! next); } list( ) = 9. (emp Æ null) Ç ( @ next ¤ list( ) Æ null) ¤

11 11 Challenge: Intermediate invariants assert(redlist(l)); cur = l; while (cur != null) { make_purple(cur); cur = cur ! next; } assert(purplelist(l)); l redlist cur purplelist l redlist l purplelist Prefix Segment Described by ? Suffix Described by checkers

12 12 Prefix segments as partial checker runs c(…) lcur purplelist purplelist(l) purplelist(…) purplelist(cur) Abstraction Computation Tree of a Checker Run Formula c( ) ¤ – c( ) c c( ) c(…) c( )

13 13 Outline Memory abstraction –Challenge: Intermediate invariants Analysis algorithm –Challenge: Blurring to ensure termination Comparison with TVLA Experimental Results

14 14 Flow function: Unfold and update edges listnext x materialize: x ! next, x ! next ! next update: x ! next = x ! next ! next list next x x ! next = x ! next ! next; Unfold Unfold inductive definition disjointness Strong updates using disjointness of regions list x next x Ç

15 15 Challenge: Termination and precision last = l; cur = l ! next; while (cur != null) { // … cur, last … if (…) last = cur; cur = cur ! next; } list l, last next cur list l next curlast list l next curlast blur list l next curlast Observation Previous iterates are less unfolded Fold Fold into checker edges But where and how much?

16 16 History-guided folding listnext listnext listnextlist Traverse starting from variables Match same edges to identify where to fold Apply weakening rules l, last last cur l l lastcur l next v ? list ? v ? Yes last = l; cur = l ! next; while (cur != null) { if (…) last = cur; cur = cur ! next; }

17 17 Outline Memory abstraction –Challenge: Intermediate invariants Analysis algorithm –Challenge: Blurring to ensure termination Comparison with TVLA Experimental Results

18 18 Qualitative comparison with TVLA Scalability –Disjunctions Expressiveness –Currently, limited in comparison (no data properties) curl l l ll,cur l l emp ÇÇÇ ÇÇÇ Ç Ç list lcur list Proposal TVLA Cost 1 Cost 1: Spec less general Cost 2 Cost 2: Folding complicated

19 19 Preliminary results BenchmarkLines of Code Analysis Time Max. Num. Graphs at a Program Point Max. Num Iterations at a Program Point list reverse310.007s13 list insertion sort800.021s47 skip list rebalance430.087s67 scull driver8949.710s416 Verified structural invariants as given by checkers are preserved across data structure manipulation Limitations (in scull driver) –Arrays not handled (rewrote as linked list), char arrays ignored Promising as far as number of disjuncts

20 20 Conclusion Shape analysis can improve higher-level analyses Invariant checkers can form the basis of a memory abstraction that –Is easily extensible on a per-program basis –Expresses developer intent + = analyzer shape analyzer heap-aware analyzer

21

Download ppt "Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,
Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.

Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
Mathematical Preliminaries

Mathematical Preliminaries
1 Parametric Heap Usage Analysis for Functional Programs Leena Unnikrishnan Scott D. Stoller.

1 Parametric Heap Usage Analysis for Functional Programs Leena Unnikrishnan Scott D. Stoller.
Chapter 3 Introduction to Quantitative Research

Chapter 3 Introduction to Quantitative Research
Chapter 3 Introduction to Quantitative Research

Chapter 3 Introduction to Quantitative Research
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
0 - 0.

0 - 0.
ALGEBRAIC EXPRESSIONS

ALGEBRAIC EXPRESSIONS
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)

MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.

ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

Similar presentations

Ads by Google