Mark Marron IMDEA-Software (Madrid, Spain) 1

 We want to provide basic information about the program heap for supporting a range of client applications IDE tools (query, refactoring, etc.) Optimization Error Detection  Focus on scalable, manageable models/tools even at cost of overall expressivity/analytic power 2

 Fix sharing info extraction  Add disjoint/overlaps for set information  Point out, more than just variable relations is desirable, variables transient 3

 Track basic set relations Membership, Overlapping, Non-Overlapping Subset, Set Equality  Ensure small computational cost  High precision is not required but must handle common cases accurately Iterative subset construction/mutation Set style library operations  Union (AddAll)  Intersection  IsSubset  Contains 4

 Start with existing model that decomposes heap into related regions Reduces the complexity of the set formula that are needed Storage shape graph works well  Nodes represent sets of objects (or data structures), edges represent sets of pointers  Fine grained partitioning is possible  Disjointness properties are natural (and mostly free)  Annotate edges with additional properties to track reference set relations 5

 Key issue for shape graph approach is how to group concrete objects into abstract nodes Too many nodes is confusing and computationally expensive Too few nodes leads to imprecision (as a single node must represent multiple logical structures) Often done via allocation site or types  Solution: nodes are similar sets of objects Recursive type information (recursive vs. non- recursive types) Objects stored in the same collection, array or structure 6

7

8

 Given a set of heap references R the corresponding target set is: {Object o | ∃ r ∈ R that points to o}  The two sets of heap references can be related with ⊆ on the target sets  As the heap is partitioned into regions of objects we also define a notion of coverage A reference set covers a region if every object in the region is in the corresponding target set 9

 Several possible choices for representing these relations Theory of sets over all objects/references Full binary relations on power sets of edges Reduced set of relations  For efficiency we use a reduced set of relations Equality of the reference sets abstracted by pairs of edges (E × E) Relation from sets of edges to nodes that are covered by the abstracted references (℘(E) × N) 10

 Track target set equality of the pointers abstracted by pairs of edges 11

 Track if all nodes in region are contained in the target sets of given edges 12

 There are a number of useful inferences that can be made from these two properties If e, eʹ are edge equivalent and e has an empty concretization then eʹ must have an empty concretization as well If an edge e covers node n then any other in edge represents a target set that is ⊆ to the target set for edge e 13

14

 Note that the proposed reference set relations subsume classic must-alias In the concrete model variables x == y (x, y non- null) iff Target(x) = Target(y) In the abstract model the variables x, y must-alias iff the corresponding edges e x and e y are edge equivalent 15

16... for(int i = 0; i < V.Length; ++i) V[i].f = 0;

17... for(int i = 0; i < V.Length; ++i) V[i].f = 0;

BenchmarkLOCAnalysis TimeAnalysis Mem em3d s<30MB bh s<30MB db s<30MB raytrace s45MB Exp s50MB Interpreter s147MB 18

 Tracking reference set information is computationally inexpensive  Results are precise enough to model many interesting/important relations  In fact surprisingly so Why? Most conditions end up being simple Is this a general property? Are most programs made of simple relations/concepts which are composed into complex concepts (we hope so) Could we use rich set decision procedures, e.g. all conditions are simple ⇒ most proofs easy/fast with right decomposition 19

 Build strong foundation for other tools to utilize  Transform core concepts from prototype to robust tools Finish implementation of static analysis for CLI bytecode + core libraries (also runtime support) Export results to Visual Studio for inspection, spec. generation, or other tools  Apply results in optimization, refactoring, and error detection applications 20

21