Presentation is loading. Please wait.

Presentation is loading. Please wait.

Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.

Published byGeoffrey Baker Modified over 9 years ago

Similar presentations

Presentation on theme: "Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008."— Presentation transcript:

1 Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008

2 2 Example: Removing duplicates cur = l ! next; while (cur != null) { cur = remove_if_dup(cur); cur = cur ! next; } Concrete Example Invariant/Abstraction “sorted dl set” l “sorted dl list” l program-specific predicate l 2244 l 244 cur l 24 “sorted dl list ( v ·² )” l “sorted dl set segment ( ²· v )” cur intermediate state more complicated Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

3 3 Utilize “dynamic checking code” as specification for static analysis Checking code Checking code expresses a precise invariant of interest (but only at “steady states”) sorteddll(l, prev, min) = if (l = null) then true else l ! prev = prev and min · l ! val and sorteddll(l ! next,l,l ! val) assert(sorteddll(l,null,0)); cur = l; while (cur != null) { cur = remove_if_dup(cur); cur = cur ! next; } assert(sorteddlset(l,null,0)); ll cur l automatically generalize for intermediate states Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

4 4 Our framework is … Compact abstraction –Data structure-specific based on properties of interest to the developer Extensible –Parametric in developer-supplied checkers shape analysis invariant checkers An automated shape analysis with a precise memory abstraction based around invariant checkers. shape analyzer sorteddll(l, prev, min) = if (l = null) then true else l ! prev = prev and min · l ! val and sorteddll(l ! next,l,l ! val) checkers Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

5 5 Challenges cur = l ! next; while (cur != null) { cur = remove_if_dup(cur); cur = cur ! next; } “sorted dl list ( v ·² )” l “sorted dl set segment ( ²· v )” cur if (cur ! prev ! val == cur ! val) { cur = cur ! prev;remove_after(cur); } “sorted dl list ( w ·² )” l “sorted dl set segment ( ²· u )” cur vw u < v = wu < v = w “split” segments (back pointers) “split” segments (back pointers) 1 1 numerical constraints (linking shape and data) (see paper) numerical constraints (linking shape and data) (see paper) 2 2 Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

6 6 Materialization Materialization (partial concretization) To perform strong updates widening And widening for termination Shape analysis is an abstract interpretation on memory states with … cur l l l l l l Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

7 7 Outline shape analyzer abstract interpretation materialization and update widening type “pre-analysis” sorteddll(l, prev, min) = if (l = null) then true else l ! prev = prev and min · l ! val and sorteddll(l ! next,l,l ! val) checkers 2 2 1 1 see paper Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

8 8 Abstract memory using inductive predicates cur = l ! next; while (cur != null) { if (cur ! prev ! val == cur ! val) { cur = cur ! prev; remove_after(cur); } cur = cur ! next; } := 9 ´. ¼ dll( ½ ) Ç ¼  null emp ¼  null ¼ next dll( ¼ ) ´ ½ prev dll(l, prev) = if (l = null) then true else l ! prev = prev and dll(l ! next,l) values (e.g., address) values (e.g., address) points-to (memory cell) points-to (memory cell) l ® dll( ± ) dll(null)dll( ¯ ) cur ° ¯ prev next ± prev " segment checker (inductive pred) Edges represent disjoint memory regions Edges represent disjoint memory regions update: cur ! next = cur ! next ! next One traversal parameter with fields traversal parameter One traversal parameter with fields Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

9 9 Materialize by unfolding inductive definition cur = l ! next; while (cur != null) { if (cur ! prev ! val == cur ! val) { cur = cur ! prev; remove_after(cur); } cur = cur ! next; } := 9 ´. ¼ dll( ½ ) Ç ¼  null emp ¼  null ¼ next dll( ¼ ) ´ ½ prev l ® dll(null)dll( ° ) cur ± materialize: cur ! prev l ® dll(null)dll( ° ) Need fields from ° l ® dll(null)dll( ° ) cur ± Ç Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis Need to unfold “backward”

10 10 Segments as partial checkers ®.dll(null) ¯.dll( ® ) °.dll( ¯ ) ±.dll( ° ) null.dll( ± ) Checker “Run” Instance Summary c0(¯,°0)c0(¯,°0) c( ®, ° ) …… ……… ®¯ c( ° )c0(°0)c0(°0) i i i i = 0 ii 00 c = c 0 ® = ¯ ° = ° 0 ® = ° ¯ = null null next ° ± prev null Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

11 11 To unfold backward, split the segment and then unfold forward cur = l ! next; while (cur != null) { if (cur ! prev ! val == cur ! val) { cur = cur ! prev; remove_after(cur); } cur = cur ! next; } := 9 ´. ¼ dll( ½ ) Ç ¼  null emp ¼  null ¼ next dll( ¼ ) ´ ½ prev materialize: cur ! prev ! next l ® dll(null)dll( ° ) cur ° ± prev dll( ± ) next " dll( ± ) next " dll( ± ) next " Ç l, cur ° ± prev ® = ± ° = null ° 0 dll( ¯ ) 1 = unfold Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

12 12 Outline shape analyzer abstract interpretation materialization and update widening type pre-analysis sorteddll(l, prev, min) = if (l = null) then true else l ! prev = prev and min · l ! val and sorteddll(l ! next,l,l ! val) checkers 2 2 1 1 Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

13 13 Types for deciding where to unfold ® dll(null) dll( ¯ ) ° ®.dll(null) ¯.dll( ® ) °.dll( ¯ ) ±.dll( ° ) null.dll( ± ) Checker “Run” Instance Summary If it exists, where is: ° ! next ? ¯ ! next ? If it exists, where is: ° ! next ? ¯ ! next ? := 9 ´. ¼ dll( ½ ) Ç ¼  null emp ¼  null ¼ next dll( ¼ ) ´ ½ prev Checker Definition Types help the analysis decide where to unfold Types can be inferred automatically (see paper) Types help the analysis decide where to unfold Types can be inferred automatically (see paper) Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

14 14 Summary: Given checkers, everything is automatic shape analyzer abstract interpretation materialization and update widening type pre-analysis sorteddll(l, prev, min) = if (l = null) then true else l ! prev = prev and min · l ! val and sorteddll(l ! next,l,l ! val) checkers Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

15 15 Experiments Benchmark Max. Num. Graphs at a Program Point Max. Num Iterations at a Program Point ms Analysis Time (ms) doubly-linked list reverse131.4 doubly-linked list copy235.3 doubly-linked list insert243.8 doubly-linked list remove546.5 doubly-linked list remove and back546.8 search tree with parent insert558.3 search tree with parent insert and back 5547.0 Verified shape invariant as given by a checker is preserved across the operation. Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

16 16 Conclusion Inductive checkers can form the basis of an effective memory abstraction and analysis –Easily extensible on a per-program basis To enable materialization anywhere –Segments defined as partial checker runs –Type pre-analysis on checker definitions to decide where to unfold robustly Numerical reasoning via coordination with a base domain (see paper) Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

17 What can inductive shape analysis do for you?

Download ppt "Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008."

Similar presentations

Using Checkers for End-User Shape Analysis National Taiwan University – August 11, 2009 Bor-Yuh Evan Chang 張博聿 University of Colorado, Boulder If some.

Using Checkers for End-User Shape Analysis National Taiwan University – August 11, 2009 Bor-Yuh Evan Chang 張博聿 University of Colorado, Boulder If some.
Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.

Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Extensible Shape Analysis by Designing with the User in Mind Bor-Yuh Evan Chang Bor-Yuh Evan Chang, Xavier Rival, and George Necula University of California,

Extensible Shape Analysis by Designing with the User in Mind Bor-Yuh Evan Chang Bor-Yuh Evan Chang, Xavier Rival, and George Necula University of California,
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
Linked Lists. 2 Merge Sorted Lists Write an algorithm that merges two sorted linked lists The function should return a pointer to a single combined list.

Linked Lists. 2 Merge Sorted Lists Write an algorithm that merges two sorted linked lists The function should return a pointer to a single combined list.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN 2006 -

Inferring Disjunctive Postconditions Corneliu Popeea and Wei-Ngan Chin School of Computing National University of Singapore - ASIAN
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Reduction of inductive predicates for shape analysis of circular lists Daniel Stutzman April 27, 2010.

Reduction of inductive predicates for shape analysis of circular lists Daniel Stutzman April 27, 2010.
Reduction in End-User Shape Analysis Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009 Xavier Rival INRIA and.

Reduction in End-User Shape Analysis Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009 Xavier Rival INRIA and.
Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.

Coolaid: Debugging Compilers with Untrusted Code Verification Bor-Yuh Evan Chang with George Necula, Robert Schneck, and Kun Gao May 14, 2003 OSQ Retreat.
End-User Shape Analysis National Taiwan University – August 11, 2009 Xavier Rival INRIA/ENS Paris Bor-Yuh Evan Chang 張博聿 U of Colorado, Boulder If some.

End-User Shape Analysis National Taiwan University – August 11, 2009 Xavier Rival INRIA/ENS Paris Bor-Yuh Evan Chang 張博聿 U of Colorado, Boulder If some.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
End-User Program Analysis Bor-Yuh Evan Chang University of California, Berkeley Dissertation Talk August 28, 2008 Advisor: George C. Necula, Collaborator:

End-User Program Analysis Bor-Yuh Evan Chang University of California, Berkeley Dissertation Talk August 28, 2008 Advisor: George C. Necula, Collaborator:

Similar presentations

Ads by Google