Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.

Slides:



Advertisements
Similar presentations
TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
Advertisements

A Randomized Satisfiability Procedure for Arithmetic and Uninterpreted Function Symbols Sumit Gulwani George Necula EECS Department University of California,
Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,
Global Value Numbering using Random Interpretation Sumit Gulwani George C. Necula CS Department University of California, Berkeley.
Mathematical Preliminaries
1 Parametric Heap Usage Analysis for Functional Programs Leena Unnikrishnan Scott D. Stoller.
Chapter 3 Introduction to Quantitative Research
Chapter 3 Introduction to Quantitative Research
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
0 - 0.
ALGEBRAIC EXPRESSIONS
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts
ALGEBRAIC EXPRESSIONS
Lecture 22, Revision 1 Lecture notes Java code – CodeFromLectures folder* Example class sheets – 4 of these plus solutions Extra examples (quicksort) Lab.
CS4026 Formal Models of Computation Part II The Logic Model Lecture 1 – Programming in Logic.
Using Checkers for End-User Shape Analysis National Taiwan University – August 11, 2009 Bor-Yuh Evan Chang 張博聿 University of Colorado, Boulder If some.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Photo Composition Study Guide Label each photo with the category that applies to that image.
Comp 122, Spring 2004 Order Statistics. order - 2 Lin / Devi Comp 122 Order Statistic i th order statistic: i th smallest element of a set of n elements.
CS16: Introduction to Data Structures & Algorithms
Chapter 14 Software Testing Techniques - Testing fundamentals - White-box testing - Black-box testing - Object-oriented testing methods (Source: Pressman,
Meta Predicate Abstraction for Hierarchical Symbolic Heaps Josh Berdine Microsoft Research, Cambridge joint with Mike Emmi University of California, Los.
Chapter 17 Linked Lists.
Parallel List Ranking Advanced Algorithms & Data Structures Lecture Theme 17 Prof. Dr. Th. Ottmann Summer Semester 2006.
Linked Lists.
Data Structures ADT List
11 Data Structures Foundations of Computer Science ã Cengage Learning.
Copyright © 2007 Pearson Education, Inc. Publishing as Pearson Addison-Wesley. Ver Chapter 4: Linked Lists Data Abstraction & Problem Solving with.
Data Structures Using C++
Chapter 23 Minimum Spanning Tree
COMP 482: Design and Analysis of Algorithms
© S Haughton more than 3?
Two Segments Intersect?
Linking Verb? Action Verb or. Question 1 Define the term: action verb.
Divide and Conquer (Merge Sort)
Past Tense Probe. Past Tense Probe Past Tense Probe – Practice 1.
Addition 1’s to 20.
25 seconds left…...
Test B, 100 Subtraction Facts
Introduction to Science and the Scientific Method
Week 1.
We will resume in: 25 Minutes.
February 12, 2007 WALCOM '2007 1/22 DiskTrie: An Efficient Data Structure Using Flash Memory for Mobile Devices N. M. Mosharaf Kabir Chowdhury Md. Mostofa.
Claus Brabrand, UFPE, Brazil Aug 11, 2010DATA-FLOW ANALYSIS Claus Brabrand ((( ))) Associate Professor, Ph.D. ((( Programming, Logic, and.
Techniques for proving programs with pointers A. Tikhomirov.
Extensible Shape Analysis by Designing with the User in Mind Bor-Yuh Evan Chang Bor-Yuh Evan Chang, Xavier Rival, and George Necula University of California,
Foundations of Data Structures Practical Session #11 Sort properties, Quicksort algorithm.
1 Programming Languages (CS 550) Mini Language Interpreter Jeremy R. Johnson.
Analysis of programs with pointers. Simple example What are the dependences in this program? Problem: just looking at variable names will not give you.
Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.
Reduction in End-User Shape Analysis Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009 Xavier Rival INRIA and.
Termination Detection Part 1. Goal Study the development of a protocol for termination detection with the help of invariants.
End-User Program Analysis Bor-Yuh Evan Chang University of California, Berkeley Dissertation Talk August 28, 2008 Advisor: George C. Necula, Collaborator:
Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.
June 27, 2002 HornstrupCentret1 Using Compile-time Techniques to Generate and Visualize Invariants for Algorithm Explanation Thursday, 27 June :00-13:30.
Materialization in Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula University of California, Berkeley.
Lightweight Support for Magic Wands in an Automatic Verifier Malte Schwerhoff and Alexander J. Summers 10 th July 2015, ECOOP, Prague.
Shape Analysis Termination Analysis Linear Time
Spring 2016 Program Analysis and Verification
Reduction in End-User Shape Analysis
Presentation transcript:

Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat

2 Whats shape analysis? Whats special? memory manipulation Shape analysis tracks memory manipulation flow-sensitively flow-sensitively. + = analyzer shape analyzer heap-aware analyzer

3 Typestate with shape analysis cur = list; while (cur != null) { assert(cur is red); make_purple(cur); cur = cur ! next; } list cur list 1 region list points to a red region 1 region list points to a red region 1 region list and cur point to a region that may be red or purple 2 regions list points to a purple region up to cur and cur points to a red region make_purple( ¢ ) could be free( ¢ ) open( ¢ ) … lock(cur);

4 Scalability –Finding right amount of abstraction difficult Over-reliance on disjunction for precision Repeated work to transition on each disjunct Usability –Choosing the abstraction difficult Depends on the program and the properties to verify Shape analysis is not yet practical Ç ÇÇÇ …

5 Hypothesis Good abstraction is program-specific Developer can only keep a few cases in her head If only the shape analysis could get the developers abstraction (easily) developer small number The developer can describe the memory with a small number of abstract descriptions sufficient for the properties of interest.

6 Observation bool redlist(List* l) { if (l == null) return true; else return l ! color == red && redlist(l ! next); } l red Checking code Checking code expresses a shape invariant and an intended usage pattern. next

7 Proposal Given: Program + Checker code Extensible –Abstraction based on the developer-supplied checkers on a per-structure basis Scalable (hopefully, based on hypothesis) shape analysis invariant checkers An automated shape analysis with a memory abstraction based on invariant checkers.

8 Outline Memory abstraction –Challenge: Intermediate invariants Analysis algorithm –Challenge: Blurring to ensure termination Comparison with TVLA Experimental Results

9 Abstract memory using checkers list next ¤ list( ) is a list with at least one element Graphical Diagram Formula +next list values (memory address or null) disjoint memory regions (i.e., sets of fields) ¤ disjoint

10 Checkers as inductive predicates Disjoint memory regions Checker run can dereference a field only once bool list(List* l) { if (l == null) return true; else return list(l ! next); } list( ) = 9. (emp Æ null) Ç next ¤ list( ) Æ null) ¤

11 Challenge: Intermediate invariants assert(redlist(l)); cur = l; while (cur != null) { make_purple(cur); cur = cur ! next; } assert(purplelist(l)); l redlist cur purplelist l redlist l purplelist Prefix Segment Described by ? Suffix Described by checkers

12 Prefix segments as partial checker runs c(…) lcur purplelist purplelist(l) purplelist(…) purplelist(cur) Abstraction Computation Tree of a Checker Run Formula c( ) ¤ – c( ) c c( ) c(…) c( )

13 Outline Memory abstraction –Challenge: Intermediate invariants Analysis algorithm –Challenge: Blurring to ensure termination Comparison with TVLA Experimental Results

14 Flow function: Unfold and update edges listnext x materialize: x ! next, x ! next ! next update: x ! next = x ! next ! next list next x x ! next = x ! next ! next; Unfold Unfold inductive definition disjointness Strong updates using disjointness of regions list x next x Ç

15 Challenge: Termination and precision last = l; cur = l ! next; while (cur != null) { // … cur, last … if (…) last = cur; cur = cur ! next; } list l, last next cur list l next curlast list l next curlast blur list l next curlast Observation Previous iterates are less unfolded Fold Fold into checker edges But where and how much?

16 History-guided folding listnext listnext listnextlist Traverse starting from variables Match same edges to identify where to fold Apply weakening rules l, last last cur l l lastcur l next v ? list ? v ? Yes last = l; cur = l ! next; while (cur != null) { if (…) last = cur; cur = cur ! next; }

17 Outline Memory abstraction –Challenge: Intermediate invariants Analysis algorithm –Challenge: Blurring to ensure termination Comparison with TVLA Experimental Results

18 Qualitative comparison with TVLA Scalability –Disjunctions Expressiveness –Currently, limited in comparison (no data properties) curl l l ll,cur l l emp ÇÇÇ ÇÇÇ Ç Ç list lcur list Proposal TVLA Cost 1 Cost 1: Spec less general Cost 2 Cost 2: Folding complicated

19 Preliminary results BenchmarkLines of Code Analysis Time Max. Num. Graphs at a Program Point Max. Num Iterations at a Program Point list reverse s13 list insertion sort s47 skip list rebalance s67 scull driver s416 Verified structural invariants as given by checkers are preserved across data structure manipulation Limitations (in scull driver) –Arrays not handled (rewrote as linked list), char arrays ignored Promising as far as number of disjuncts

20 Conclusion Shape analysis can improve higher-level analyses Invariant checkers can form the basis of a memory abstraction that –Is easily extensible on a per-program basis –Expresses developer intent + = analyzer shape analyzer heap-aware analyzer

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.