Presentation is loading. Please wait.

Presentation is loading. Please wait.

TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.

Published byRussell Dean Modified over 8 years ago

Similar presentations

Presentation on theme: "TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh."— Presentation transcript:

1 TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh

2 Example: Mark and Sweep void Mark(Node root) { if (root != NULL) { pending =  pending = pending  {root} marked =  while (pending   ) { x = SelectAndRemove(pending) marked = marked  {x} t = x  left if (t  NULL) if (t  marked) pending = pending  {t} t = x  right if (t  NULL) if (t  marked) pending = pending  {t} } assert(marked = = Reachset(root)) } void Sweep() { unexplored = Universe collected =  while (unexplored   ) { x = SelectAndRemove(unexplored) if (x  marked) collected = collected  {x} } assert(collected = = Universe – Reachset(root) ) }  v: marked(v)  r: root(r)  reach(w, v)

3 Example: Mark void Mark(Node root) { if (root != NULL) { pending =  pending = pending  {root} marked =  while (pending   ) { x = SelectAndRemove(pending) marked = marked  {x} t = x  left if (t  NULL) if (t  marked) pending = pending  {t} t = x  right if (t  NULL) if (t  marked) pending = pending  {t} }  v: marked(v)  r: root(r)  reach(r, v)  r: root(r)  (pending(r)  marked(r))   v: ((marked(v)  pending(v))  reach(r, v))   (pending(v)  marked(v))   v, w: ((marked(v)   marked(w)   pending(w))   successor(v, w))

4 Example: Mark void Mark(Node root) { if (root != NULL) { pending =  pending = pending  {root} marked =  while (pending   ) { x = SelectAndRemove(pending) marked = marked  {x} t = x  left if (t  NULL) if (t  marked) pending = pending  {t} /* t = x  right * if (t  NULL) * if (t  marked) * pending = pending  {t} */ } } assert(marked = = Reachset(root)) } Run Demo

5  r: root(r)  reach(r, e)   pending(r)  marked(r))   e: reach(r, e)   marked(e))   root(e)   pending(v)  r, e: (( reach(r, e)   marked(e))   root(e)   pending(e))  ( root(r)  reach(r, e)   pending(r)  marked(r))   left(e, r)) Example: Mark void Mark(Node root) { if (root != NULL) { pending =  pending = pending  {root} marked =  while (pending   ) { x = SelectAndRemove(pending) marked = marked  {x} t = x  left if (t  NULL) if (t  marked) pending = pending  {t} /* t = x  right * if (t  NULL) * if (t  marked) * pending = pending  {t} */ } } assert(marked = = Reachset(root)) }

6 A Singleton Buffer 6 Boolean empty = true; Object b = null; produce() { 1: Object p = new(); 2: await (empty) then { b = p; empty = false; } 3: } consume() { Object c; 4: await (!empty) then { c = b; empty = true; } 5: use(c); 6: dispose(c); 7: } Safe Dereference No Double free

7 7 Boolean empty = true; Object b = null; produce() { 1: Object p = new(); 2: await (empty) then { b = p; empty = false; } 3: } consume() { Object c; 4: await (!empty) then { c = b; empty = true; } 5: use(c); 6: dispose(c); 7: }  t, e, v: t  e  c(t, v)  c(e, w)  v  w

8 Quantified Invariants are hard Corner cases Sizes Nested loops Code updates First order reasoning is hard

9 Our approach Automatically infer sound invariants Library (PL) designers can define families of interesting invariants Limited form of invariants Sound but incomplete reasoning –Abstract interpretation over quantified invariants –Parameterized by the

10 Applications Memory safety & preservation of data structure invariants [Dor, SAS’00, Loginov, ISSTA’08] Compile-time garbage collection [Shaham, SAS’03] Correct API usage [Ramalingam, PLDI’02, Yahav. PLDI’04] Typestate verification [Yahav, ISSTA’06] Partial & total correctness –Sorting implementations [Lev-Ami, ISTTA’00, Rinetzky, SAS’05] –Deutsch-Shorr-Waite [Loginov, SAS’06] Thread modular shape analysis [Gotsman, PLDI’07] Linearizability [Amit, CAV’07, Berdine, CAV’08]

11 Example: Concrete Interpretation x t n n t x n x t n x t n n x t n n x t t x n t t n t x t x t x empty return x x = t t =malloc(..); t  next=x; x = NULL T F

12 Shape Analysis t x n x t n x t n n x t t x n t t n t x t x t x empty x t n n x t n n n x t n t n x n x t n n return x x = t t =malloc(..); t  next=x; x = NULL T F

13 Outline Canonical Abstraction [TOPLAS’02] Quantified Invariants Operating on Abstractions

14 Abstract Interpretation [Cousot & Cousot] Checking interesting program properties is undecidable Use abstractions Every verified property holds (sound) But may fail to prove properties which always hold (incomplete) –false alarms Minimal false alarms

15 Simplified Abstract Interpretation Concrete domain Abstract domain (unbounded) (bounded)    

16 Most Precise Abstract Transformer [Cousot, Cousot POPL 1979]   ## 

17 An example predicate abstraction predicates {x>0} x = 3 while (true) { x = x +1 ; } x=0, x=-1, x=-2,.. x=1, x=2, x=3,.. 1  0  x=0, x=-1, x=-2,.. x=1, x=2, x=3,.. x=3 1  0 

18 An example predicate abstraction predicates {x>0} x = 3 while (true) { x = x +1 ; } x=0, x=-1, x=-2,.. x=1, x=2, x=3,.. 1  0  x=0, x=-1, x=-2,.. x=1, x=2, x=3,.. x=x+1 1  0 

19 An example predicate abstraction predicates {x>0} x = 3 while (true) { x = x +1 ; } {0, 1} {1}

20 Shape Analysis as Abstract Interpretation Represent concrete stores as labeled directed graphs –2-valued structures {0, 1} –Abstract away Concrete locations Primitive values –But unbounded Represent abstract stores as labeled directed graphs –3-vaued structures {0, 1, ½} –Several concrete nodes are represented by a summary node –Abstract away field correlations

21 Representing Concrete Stores by Logical Structures Parametric vocabulary Heap –Locations  Individuals –Program variables  Unary relations –Fields  Binary relations

22 Representing Stores as Logical Structures (Example) u1u2u3u4u5 x n nn n p u1u1 1 u2u2 0 u3u3 0 u4u4 0 u5u5 0 x u1u1 0 u2u2 0 u3u3 1 u4u4 0 u5u5 0 p u1u1 u2u2 u3u3 u4u4 u5u5 u1u1 01000 u2u2 00100 u3u3 00010 u4u4 00001 u5u5 00000 n

23 Representing Abstract Stores by 3-Valued Logical Structures A join semi-lattice: 0  1 = 1/2 {0, 1, ½} values for relations

24 Canonical Abstraction (  ) Partition the individuals into equivalence classes based on the values of their unary relations –Every individual is mapped into its equivalence class Collapse binary relations via  –p S (u’ 1, u’ 2 ) =  {p B (u 1, u 2 ) | f(u 1 )=u’ 1, f(u 2 )=u’ 2 ) } At most 2 A abstract individuals

25 Canonical Abstraction x = NULL; while (…) do { t = malloc(); t  next=x; x = t } u1 x t u2 u3 u1 x t u2,3 n n n n

26 x t n n u2 u1 u3 Canonical Abstraction x = NULL; while (…) do { t = malloc(); t  next=x; x = t } u1 x t u2,3 n n n   

27 Canonical Abstraction and Equality Summary nodes may represent more than one element (In)equality need not be preserved under abstraction Explicitly record equality Summary nodes are nodes with eq(u, u)=1/2

28 Canonical Abstraction and Equality x = NULL; while (…) do { t = malloc(); t  next=x; x = t } u1 x t u2 u3 u1 x t u2,3 eq n n n n  eq eq  u2,3  eq

29 Canonical Abstraction x = NULL; while (…) do { t = malloc(); t  next=x; x = t } u1 x t u2 u3 n n u1 x t u2,3 n n

30 Canonical Abstraction Partition the individuals into equivalence classes based on the values of their unary relations –Every individual is mapped into its equivalence class Collapse relations via  –p S (u’ 1,..., u’ k ) =  {p B (u 1,..., u k ) | f(u 1 )=u’ 1,..., f(u’ k )=u k ) } At most 2 A abstract individuals

31 Canonical Abstraction x = NULL; while (…) do { t = malloc(); t  next=x; x = t } u1 x t u2 u3 n n u1 x t u2,3 n n

32 Limitations Information on summary nodes is lost

33 Increasing Precision Global invariants –User-supplied, or consequence of the semantics of the programming language Record extra information in the concrete interpretation –Tunes the abstraction –Refines the concretization Naturally expressed in FO TC

34 Heap Sharing relation is(v)=0 u1u1 x t u2u2 unun … u1 x t u 2..n n n is(v) =  v 1,v 2 : n(v 1,v)  n(v 2,v)  v 1  v 2 is(v)=0 n n n

35 Heap Sharing relation is(v)=0 u1u1 x t u2u2 unun … is(v) =  v 1,v 2 : n(v 1,v)  n(v 2,v)  v 1  v 2 is(v)=1is(v)=0 n n n n u1 x t u2 n is(v)=0is(v)=1is(v)=0 n u 3..n n n

36 Reachability relation t[n](v1, v2) = n * (v1,v2) u1u1 x t u2u2 unun n n n t[n] u1 x t u 2..n n n t[n]...

37 List Segments u1u1 x u2u2 u5u5 n u3u3 u4u4 u6u6 u7u7 u8u8 n n nn n n y u1u1 x u 2,3,4,6,7,8 u5u5 n n y

38 Reachability from a variable r[n,y](v) =  w: y(w)  n*(w, v) u1u1 x u2u2 u5u5 n u3u3 u4u4 u6u6 u7u7 u8u8 n n nn n n y r[n,y]=0 r[n,y]=1 u1u1 x u 2,3,4 u5u5 n n n y u 6,7,8

39 inOrder(v) =  w: n(v, w)  data(v)  data(w) c fb (v) =  w: f(v, w)  b(w, v) tree(v) dag(v) Weakest Precondition [Ramalingam, PLDI’02] Learned via Inductive Logic Programming [Loginov, CAV’05] Counterexample guided refinement Additional Instrumentation relations

40 Most Precise Abstract Transformer [Cousot, Cousot POPL 1979]   ## 

41 Partial Concretization ##

42 ## ##

43 y x y x y x y x...... x y y x...... x y Best Transformer (x = x  n)  Concrete Semantics canonical abstraction

44 y x y x x y Partial Concretization based Transformer (x = x  n)  Abstract Semantics canonical abstraction x y y x y x y x

45 Partial Concretization Employed in other shape analysis algorithms [Distefano, TACAS’06, Evan, SAS’07, POPL’08] Soundness is immediate Can even guarantee precision under certain conditions [Lev-Ami, VMCAI’07] Locally refine the abstract domain per statement

46 y x x y Non-Fixed-Partition x = x  n y x y x

47 Canonical Abstraction Limited form of quantified invariants –quantifier alternation only in instrumentation Not a static memory partition –The same memory location can be represented by different abstract nodes in different shape graphs

48 Shape Analysis t x n x t n x t n n x t t x n t t n t x t x t x empty x t n n x t n n n x t n t n x n x t n n return x x = t t =malloc(..); t  next=x; x = NULL T F

49 [TOPLAS’02, Lev-Ami, SAS’00] Concrete transformers using first order formulas Effective algorithms for computing transformers –Partial concretization –3-valued logic Kleene evaluation –Finite differencing & incremental algorithms [Reps, ESOP’03] A parametric yacc like system[TVLA] –http://www.cs.tau.ac.il/~tvla

50 Applications

51 Proving Correctness of Sorting Implementations (Lev-Ami, Reps, S, Wilhelm ISSTA 2000) Partial correctness –The elements are sorted –The list is a permutation of the original list Termination –At every loop iterations the set of elements reachable from the head is decreased

52 Sortedness u1u1 x t u2u2 unun n n n dle u1 x t u 2..n n n dle...

53 Example: Sortedness inOrder(v) =  v1: n(v,v1)  dle(v, v1) u1u1 x t u2u2 unun n n dle u1 x t u 2..n n n dle inOrder = 1 n...

54 Example: InsertSort Run Demo List InsertSort(List x) { List r, pr, rn, l, pl; r = x; pr = NULL; while (r != NULL) { l = x; rn = r  n; pl = NULL; while (l != r) { if (l  data > r  data) { pr  n = rn; r  n = l; if (pl = = NULL) x = r; else pl  n = r; r = pr; break; } pl = l; l = l  n; } pr = r; r = rn; } return x; } typedef struct list_cell { int data; struct list_cell *n; } *List;

55 Example: InsertSort Run Demo List InsertSort(List x) { if (x == NULL) return NULL pr = x; r = x->n; while (r != NULL) { pl = x; rn = r->n; l = x->n; while (l != r) { pr->n = rn ; r->n = l; pl->n = r; r = pr; break; } pl = l; l = l->n; } pr = r; r = rn; } typedef struct list_cell { int data; struct list_cell *n; } *List; 14

56 Lightweight Specification  "correct usage" rules a client must follow  "call open() before read()" Certification does the client program satisfy the lightweight specification? Verification of Safety Properties (PLDI’02, 04) Component a library with cleanly encapsulated state Client a program that uses the library The Canvas Project (with IBM Watson) (Component Annotation, Verification and Stuff)

57 Prototype Implementation Applied to several example programs –Up to 5000 lines of Java Used to verify –Absence of concurrent modification exception –JDBC API conformance –IOStreams API conformance

58

59

60

61 Concurrency Models threads as ordinary objects [Yahav, POPL’01] Thread-modular shape analysis [Gotsman, PLDI’07] Heap decomposition [Manevich, SAS’08] Thread quantification [Berdine, CAV’08] Enforcing a locking regime [Rinetzkey]

62 Correctness of concurrent ADT implementations [Amit CAV’07, Berdine, CAV’08] Small pointer manipulation programs Fine grained concurrency Benign data races Error prone Interesting properties –Memory safety –Partial correctness –Linearizability –Liveness

63 Treiber’s Non-blocking Stack [1] void push(Stack *S, data_type v) { [2] Node *x = alloc(sizeof(Node)); [3] x->d = v; [4] do { [5] Node *t = S->Top; [6] x->n = t; [7] } while (!CAS(&S->Top,t,x)); [8] } [9] data_type pop(Stack *S){ [10] do { [11] Node *t = S->Top; [12] if (t == NULL) [13] return EMPTY; [14] Node *s = t->n; [15] data_type r = s->d; [16] } while (!CAS(&S->Top,t,s)); [17] return r; [18] }

64 64 Verified Programs#statestime (sec.) Treiber’s stack [1986] 764 7 Two-lock queue [Michael & Scott, PODC’96] 3,415 17 Non-blocking queue [Doherty & Groves, FORTE’04] 10,333 252 Experimental results First automatic verification of linearizability for unbounded number of threads

65 Handling Larger Programs Staged analysis Handling procedures Specialized abstractions –Counterexample guided refinement [McMillan, POPL’08] Coercer abstractions –Weaker summary nodes [Arnold, SAS’06] –Special join operator [Manevich, SAS’04, TACAS’07, SAS’08, Yang’08] –Heterogeneous abstractions [Yahav, PLDI’04] Implementation techniques –Optimizing transformers [Bogodlov, CAV’07] –Optimizing GC –Reducing static size –Partial evaluation –Persistent data structures [Manevich, SAS’04] –…

66 Handling Procedures Complicated sharing patterns [Rinetzky, CC’01] Relational shape analysis [Jeannet, SAS’04] New semantics for procedures (Cutpoints) [Rinetzky, POPL’05] Tabulation for cutpoint free programs [Rinetzky, SAS’05] Handling cutpoints [Gotsman, SAS’06] Modularity [Rinezky, ESOP’07]

67 main() { append(y,z); } Procedure  input/output relation –Not reachable  Not effected –proc: local (  reachable) heap  local heap How to tabulate procedures? append(List p, List q) { … } n x n t y n z n p q p q n y z p q n x n t

68 main() { append(y,z); } y n n z n How to handle sharing? External sharing may break the functional view append(List p, List q) { … } n n t z x n p q n n p q n n t y p q n n n x

69 append(y,z); What’s the difference? n n t z y x 1 st Example2 nd Example append(y,z); n x n t y z

70 Cutpoints An object is a cutpoint for an invocation –Reachable from actual parameters –Not pointed to by an actual parameter –Reachable without going through a parameter append(y,z) y x n n t z y n n t z n n

71 Introducing local heap semantics Operational semantics Abstract transformer Local heap Operational semantics ~ ’’ ’’

72 Interprocedural shape analysis Procedure  input/output relation p q n n rqrq rprp rprp q p n n rprp rqrq n rprp q q rqrq rqrq q p rprp q p rprp rqrq n rprp rqrq … Input Output rprp

73 Interprocedural shape analysis Reusable procedure summaries –Heap modularity q p rprp rqrq n rprp q p rprp rqrq g h i k n n g h i k n rgrg rgrg rgrg rgrhrgrh rhrh riri rkrk rhrh rgrg riri rkrk append(h,i) y x z n n nn rxrx ryry rzrz y x z n n n rzrz rxrx ryry rxrx rxrx rxrx ryry rxrx rxrx append(y,z) y n z x y z x rxrx ryry rzrz ryry rxrx ryrzryrz

74 Summary Canonical abstraction is powerful –Intuitive –Adapts to the property of interest –More instrumentation may mean more efficient Used to verify interesting program properties –Very few false alarms But scaling is an issue

Download ppt "TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Partially Disjunctive Shape Analysis Josh Berdine Byron Cook MSR Cambridge Tal Lev-Ami Roman Manevich Mooly Sagiv Ran Shaham Tel Aviv University Ganesan.

Partially Disjunctive Shape Analysis Josh Berdine Byron Cook MSR Cambridge Tal Lev-Ami Roman Manevich Mooly Sagiv Ran Shaham Tel Aviv University Ganesan.
Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.

Shape Analysis for Fine-Grained Concurrency using Thread Quantification Josh Berdine Microsoft Research Joint work with: Tal Lev-Ami, Roman Manevich, Mooly.
Abstract Interpretation Part II

Abstract Interpretation Part II
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.

Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.
Heap Decomposition for Concurrent Shape Analysis R. Manevich T. Lev-Ami M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine MSR Cambridge Dagstuhl.

Heap Decomposition for Concurrent Shape Analysis R. Manevich T. Lev-Ami M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine MSR Cambridge Dagstuhl.
Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.

Abstract Transformers for Thread Correlation Analysis Michal Segalov, TAU Tal Lev-Ami, TAU Roman Manevich, TAU G. Ramalingam, MSR India Mooly Sagiv, TAU.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)

1 Eran Yahav Technion Joint work with Martin Vechev (ETH), Greta Yorsh (ARM), Michael Kuperstein (Technion), Veselin Raychev (ETH)
1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM.

1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM.
1 Lecture 07 – Shape Analysis Eran Yahav. Previously  LFP computation and join-over-all-paths  Inter-procedural analysis  call-string approach  functional.

1 Lecture 07 – Shape Analysis Eran Yahav. Previously  LFP computation and join-over-all-paths  Inter-procedural analysis  call-string approach  functional.
1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.

1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.
Compile-Time Verification of Properties of Heap Intensive Programs Mooly Sagiv Thomas Reps Reinhard Wilhelm

Compile-Time Verification of Properties of Heap Intensive Programs Mooly Sagiv Thomas Reps Reinhard Wilhelm
Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)

Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)
Local Heap Shape Analysis Noam Rinetzky Tel Aviv University Joint work with Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly.

Local Heap Shape Analysis Noam Rinetzky Tel Aviv University Joint work with Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly.
Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University

Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University
Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.

Counterexample-Guided Focus TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A A AA A A Thomas Wies Institute of.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Similar presentations

Ads by Google