Finding Optimum Abstractions in Parametric Dataflow Analysis. Xin Zhang (Georgia Tech), Mayur Naik (Georgia Tech), Hongseok Yang (University of Oxford).


1 Finding Optimum Abstractions in Parametric Dataflow Analysis. Xin Zhang (Georgia Tech), Mayur Naik (Georgia Tech), Hongseok Yang (University of Oxford)

2 A Key Challenge for Static Analysis: Precision, Scalability

3 Our setting: Program p, Query q (e.g. assert(x != null)) and Abstraction a are the inputs to Static Analysis S, whose outcome is p ⊢ q or p ⊬ q.

4 Our setting: for program p, query q1 with abstraction a1: S, p ⊢ q1 ? Query q2 with abstraction a2: S, p ⊢ q2 ?

5 Our setting: same diagram (p, q1, q2, S, p ⊢ q1 ?, p ⊢ q2 ?), with the abstractions shown as the bit vectors 10110 and 01010.

6 Example 1: Predicate Abstraction. Same diagram; the bit vectors 10110 and 01010 are the predicates to use as abstraction predicates.

7 Example 2: Cloning-based Pointer Analysis. Same diagram; the bit vectors 10110 and 01010 are the K value to use for each call and each allocation site.

8 Problem Statement. An efficient algorithm with:
INPUTS:
– program p and property q
– abstractions A = {a_1, …, a_n}
– boolean function S(p, q, a)
OUTPUT:
– Proof (Optimum Abstraction): a ∈ A: S(p, q, a) = true
  ∀ a' ∈ A: (a' ≤ a ∧ S(p, q, a') = true) ⇒ a' = a
– Impossibility: ∄ a ∈ A: S(p, q, a) = true
Diagram: p, q and a are input to S, which decides p ⊢ q ?

9 Problem Statement. An efficient algorithm with:
INPUTS:
– program p and property q
– abstractions A = {a_1, …, a_n}
– boolean function S(p, q, a)
OUTPUT:
– Proof (Optimum Abstraction): a ∈ A: S(p, q, a) = true
  ∀ a' ∈ A: (a' ≤ a ∧ S(p, q, a') = true) ⇒ a' = a
– Impossibility: ∄ a ∈ A: S(p, q, a) = true
Figure: the set of abstractions A, from 0000 (least expensive) to 1111 (most expensive), split into regions S(p, q, a) and !S(p, q, a), with 0110 marked as optimum.

10 Example: Typestate Analysis. Program: x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); Figure (type-state automaton): states opened, closed, error; transitions labeled open(), close(), open(). Type-state set ts.

11 Example: Typestate Analysis. Program: x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); Must-alias accesspath set ms. Figure labels: Strong update, Weak update, Failed.

12 Example: Typestate Analysis. Program: x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened);
Table (Query | Abstraction): assert1 | (blank in transcript); assert2 | none.
Table (Query | Abstraction | Our Goal): assert1 | (blank in transcript) | (blank in transcript); assert2 | none | impossibility.
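The problem statement of slides 8 and 9, run on the typestate program of slides 10 to 12, as an added example that is not taken from the slides or from the authors' Chord implementation. It finds the optimum abstraction by exhaustive search in order of increasing cost, which is the specification the talk's algorithm meets efficiently, not the WP + underapproximation algorithm itself. Assumptions: the automaton transitions in DELTA (the slide's diagram did not survive), an abstraction is the set of variables allowed in the must-alias set ms, and a' ≤ a is subset inclusion.

```python
from itertools import combinations

# Constructed typestate automaton (assumption): any call not listed here
# leads to the "error" state.
DELTA = {("closed", "open"): "opened", ("opened", "close"): "closed"}

# The program from the slides as (kind, lhs-or-receiver, rhs-or-method).
PROGRAM = [("new", "x", None), ("copy", "y", "x"), ("copy", "z", "x"),
           ("call", "x", "open"), ("call", "y", "close")]
VARS = ("x", "y", "z")


def analyze(abstraction):
    """Forward analysis: type-state set ts reaching the two asserts.

    `abstraction` is the set of variables that may appear in ms."""
    ts, ms = set(), set()
    for kind, a, b in PROGRAM:
        if kind == "new":
            ts, ms = {"closed"}, {a} & abstraction
        elif kind == "copy":  # a = b
            ms = ms | {a} if (b in ms and a in abstraction) else ms - {a}
        else:  # a.b()
            stepped = {DELTA.get((t, b), "error") for t in ts}
            # Strong update if the receiver must-aliases the object,
            # otherwise weak update (old states are kept).
            ts = stepped if a in ms else ts | stepped
    return ts


def proves(abstraction, expected):
    """S(p, q, a) for the query assert(x, expected)."""
    return analyze(abstraction) <= {expected}


def optimum(expected):
    """Cheapest abstraction proving the query, or None for impossibility.

    Searching by increasing size guarantees no proper subset also works."""
    for k in range(len(VARS) + 1):
        for combo in combinations(VARS, k):
            if proves(set(combo), expected):
                return set(combo)
    return None
```

Under these assumptions `optimum("closed")` tracks only x and y for assert1, and `optimum("opened")` returns None for assert2, the impossibility outcome shown on slide 12.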

13 Example: Typestate Analysis. Program: x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); Table (Query | Abstraction): rows assert1, assert2. Naïve approach: calculating weakest precondition (WP). Figure labels: {}, Failed.

14 Example: Typestate Analysis. Program: x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); Table (Query | Abstraction): rows assert1, assert2. Naïve approach: calculating weakest precondition (WP). Figure labels: {}, Failed, unreachable. Exponential Blowup!

15 Example: Typestate Analysis Too large? Let’s ignore part of it!

16 Example: Typestate Analysis Unreachable

17 Example: Typestate Analysis Intersect with the forward state

18 Example: Typestate Analysis Keep as many disjuncts as possible Intersect with forward state

19 Example: Typestate Analysis. Program: x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); Table (Query | Abstraction): rows assert1, assert2. Our approach: WP + Underapproximation. Figure label: Failed.

20 Example: Typestate Analysis. Table (Query | Abstraction): rows assert1, assert2. Our approach: WP + Underapproximation. Figure label: Failed.

21 Example: Typestate Analysis. Table (Query | Abstraction): rows assert1, assert2. Our approach: WP + Underapproximation. Figure label: Failed.

22 Example: Typestate Analysis. Table (Query | Abstraction): rows assert1, assert2. Our approach: WP + Underapproximation. Figure label: Failed.

23 Example: Typestate Analysis. Program trace: x = new File; ↓ y = x; ↓ z = x; ↓ x.open(); ↓ y.close(); ↓ assert1(x, closed); Our approach: WP + Underapproximation. Proof! Table (Query | Abstraction): rows assert1, assert2.

24 Example: Typestate Analysis. Program: x = new File; y = x; z = x; x.open(); y.close(); assert1(x, closed); assert2(x, opened); Table (Query | Abstraction): rows assert1, assert2. Our approach: WP + Underapproximation. Figure label: Failed.

25 Example: Typestate Analysis. Table (Query | Abstraction): rows assert1, assert2. Our approach: WP + Underapproximation. Figure label: Failed.

26 Example: Typestate Analysis. Table (Query | Abstraction): rows assert1, assert2. Our approach: WP + Underapproximation. Figure label: Failed.

27 Example: Typestate Analysis. Table (Query | Abstraction): rows assert1, assert2. Our approach: WP + Underapproximation. Figure label: Failed. Impossibility! In paper: a general framework for parametric dataflow analysis.

28 Experiment
– Implementation in Chord for Java programs
– 2 Client Analyses: Typestate and Thread-Escape
– Both fully context- and flow-sensitive analyses
– Only scale with sparse parameters
– 7 Java Benchmarks

29 Benchmarks

name       bytecode (KB)   KLOC   log|A| thread-escape   log|A| typestate
tsp        391             269    569                    6,175
elevator   390             269    352                    6,180
hedc       442             283    1,400                  7,326
weblech    504             326    2,993                  7,663
antlr      532             303    16,563                 7,748
avrora     634             340    37,797                 10,151
lusearch   511             314    14,508                 7,395

30 Precision: Thread-Escape Analysis. Total # Queries: 209, 221, 552, 658, 5857, 14322, 6726. Resolved: ~90%. Previous: ~40% [POPL12].

31 Precision: Typestate Analysis. Total # Queries: 12, 72, 170, 71, 7903, 5052, 3644.

32 Scalability: Number of iterations

34 Scalability: Running time

36 Size of optimal abstractions

38 Related work
– Modern pointer analysis: demand-driven, query-driven, … (Heintze & Tardieu ’01, Guyer & Lin ’03, Sridharan & Bodik ’06, ...)
– CEGAR model checkers: SLAM, BLAST, YOGI, …
  Work on concrete counterexamples. Can disprove queries.
  1. No optimality guarantee – can over-refine and hurt scalability.
  2. No impossibility – can cause divergence.

39 Thank you!

