Finding Optimum Abstractions in Parametric Dataflow Analysis Xin Zhang Georgia Tech Mayur Naik Georgia Tech Hongseok Yang University of Oxford.

A Key Challenge for Static Analysis: Precision vs. Scalability

Our setting

A static analysis S takes a program p, a query q (for example assert(x != null)) and an abstraction a, and answers whether p ⊢ q holds (the query is proved) or not. For several queries q1, q2, … on the same program, each query may need its own abstraction a1, a2, …; the analysis is run once per query under the chosen abstraction, asking p ⊢ q1?, p ⊢ q2?, and so on.

Example 1: Predicate Abstraction
– Abstraction = the set of predicates to use as abstraction predicates.

Example 2: Cloning-based Pointer Analysis
– Abstraction = the k value (cloning depth) to use for each call site and each allocation site.

Problem Statement

An efficient algorithm with:

INPUTS:
– program p and property q
– a set of abstractions A = { a1, …, an }, partially ordered by cost (a' ≤ a means a' is no more expensive than a)
– a boolean function S(p, q, a): does the analysis prove q on p under abstraction a?

OUTPUT, one of:
– Proof: an optimum abstraction a ∈ A, that is, S(p, q, a) = true and ∀a' ∈ A: (a' ≤ a ∧ S(p, q, a') = true) ⇒ a' = a (no cheaper abstraction also proves q)
– Impossibility: there is no a ∈ A with S(p, q, a) = true

[Figure: the abstraction lattice A drawn as bit vectors, from 1111 (most expensive) at the top to 0000 (least expensive) at the bottom, with the abstractions where S(p, q, a) holds separated from those where ¬S(p, q, a); 0110 is marked as the optimum.]

Example: Typestate Analysis

x = new File;
y = x;
z = x;
x.open();
y.close();
assert1(x, closed);
assert2(x, opened);

[Figure: the File typestate automaton with states opened, closed and error and transitions labelled open(), close() and open().]

The abstraction has two parameters:
– the type-state set ts: which typestates to track
– the must-alias access-path set ms: which access paths to keep in the must-alias set

A call whose receiver is a tracked must-alias of the object gives a strong update of the object's typestate; otherwise only a weak update is possible, and an abstraction that tracks too little fails to prove the query.

Query / Abstraction: assert1: [abstraction shown in the figure]; assert2: none.
Our goal: assert1: the optimum abstraction; assert2: an impossibility result.

Naïve approach: calculating the weakest precondition (WP)

Computing WP backwards from assert1 over the program gives {} (Failed): the WP formula suffers an exponential blowup in the number of disjuncts, and many of those disjuncts describe unreachable states.

Too large? Let's ignore part of it!
– Drop the unreachable disjuncts.
– Intersect the backward state with the forward state.
– Keep as many disjuncts as possible.

Our approach: WP + underapproximation

Iterate: run the analysis under the current abstraction; on Failed, refine the abstraction using the underapproximated weakest precondition and run again.

For assert1 the analysis traces the statements
x = new File; ↓ y = x; ↓ z = x; ↓ x.open(); ↓ y.close(); ↓ assert1(x, closed);
and ends with Proof! together with the optimum abstraction.

For assert2 every refinement step ends with Failed, and the final answer is Impossibility!

In paper: a general framework for parametric dataflow analysis.
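The problem statement and the typestate example above, carried through in code as an added illustration (this is not the paper's Chord implementation). The File automaton's transitions, the statement encoding and the parameter names ts/ms are assumptions filled in from the slides; the search is a greedy descent from the most expensive abstraction that relies on the monotonicity the problem statement assumes, not the paper's WP + underapproximation method.

```python
"""Parametric typestate analysis of the slides' File example, plus a search for
an optimum (minimal proving) abstraction or an impossibility verdict.
Added example; not the Chord implementation from the paper."""

STATES = ("closed", "opened", "error")
# Assumed File automaton: the slide names the three states and three edges
# (open(), close(), open()); any transition not listed here goes to 'error'.
DELTA = {("closed", "open"): "opened",
         ("opened", "close"): "closed",
         ("opened", "open"): "error"}
ALL = frozenset(STATES)


def step(state, method):
    return DELTA.get((state, method), "error")


# The program from the slides; the two assertions are the queries.
PROGRAM = (("new", "x"), ("copy", "y", "x"), ("copy", "z", "x"),
           ("call", "x", "open"), ("call", "y", "close"))
QUERIES = {"assert1": ("x", "closed"), "assert2": ("x", "opened")}

# One bit per parameter: track typestate s ("ts", s) / keep access path v in
# the must-alias set ("ms", v).  An abstraction is the set of enabled bits;
# TOP is the 111111 (most expensive) abstraction of the lattice.
PARAMS = tuple(("ts", s) for s in STATES) + tuple(("ms", v) for v in "xyz")
TOP = frozenset(PARAMS)


def analyze(abstraction, query):
    """S(p, q, a): forward analysis of PROGRAM under a; True iff query is proved.
    Abstract state of the single File object: (possible typestates, must-alias set)."""
    ts = {s for kind, s in abstraction if kind == "ts"}
    ms = {v for kind, v in abstraction if kind == "ms"}

    def track(states):
        # An untracked typestate collapses the whole set to 'don't know'.
        return frozenset(states) if states <= ts else ALL

    states, must = ALL, frozenset()
    for stmt in PROGRAM:
        if stmt[0] == "new":
            states, must = track({"closed"}), frozenset({stmt[1]} & ms)
        elif stmt[0] == "copy":
            _, dst, src = stmt
            must = (must | ({dst} & ms)) if src in must else (must - {dst})
        else:
            _, recv, method = stmt
            after = {step(s, method) for s in states}
            # Strong update only when recv must-alias the object; otherwise the
            # call may or may not have hit it, so keep both possibilities.
            states = track(after if recv in must else set(states) | after)
    var, wanted = QUERIES[query]
    return var in must and states <= {wanted}


def find_optimum(query):
    """('impossibility', None) if even TOP fails, else ('proof', a) with a
    minimal proving abstraction.  Monotonicity (a' <= a and S(a') => S(a))
    makes the greedy descent sound: a dropped bit never becomes needed again."""
    if not analyze(TOP, query):
        return "impossibility", None
    a = set(TOP)
    for p in sorted(TOP):  # drop each parameter if the proof survives without it
        if analyze(frozenset(a - {p}), query):
            a.discard(p)
    return "proof", frozenset(a)


def is_minimal(a, query):
    """The optimum condition of the problem statement, checked on the immediate
    predecessors of a (sufficient under monotonicity)."""
    return analyze(a, query) and not any(analyze(a - {p}, query) for p in a)


if __name__ == "__main__":
    for q in QUERIES:
        verdict, a = find_optimum(q)
        print(q, verdict, sorted(a) if a else "")
```

The greedy descent costs one analysis run per parameter plus one for TOP (7 runs here) instead of the 2^6 = 64 runs of an exhaustive sweep of the lattice; for assert1 it lands on the abstraction that tracks only the closed and opened typestates and only the access paths x and y, which is exactly the set of facts the strong update at y.close() needs, and for assert2 it reports impossibility after the first run, since even the most expensive abstraction cannot prove it.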

Experiment
– Implementation in Chord for Java programs
– 2 client analyses: Typestate and Thread-Escape
– Both fully context- and flow-sensitive analyses
– Only scale with sparse parameters
– 7 Java benchmarks

Benchmarks

name | bytecode (KB) | KLOC | log|A| thread-escape, log|A| typestate (digits as extracted)
tsp | | | ,175
elevator | | | ,180
hedc | | | ,4007,326
weblech | | | ,9937,663
antlr | | | ,5637,748
avrora | | | ,79710,151
lusearch | | | ,5087,395

(The bytecode and KLOC columns and the leading digits of the log|A| columns did not survive extraction.)

Precision: Thread-Escape Analysis (total # queries) [chart]: resolved ~90%, versus ~40% for the previous approach [POPL12]

Precision: Typestate Analysis (total # queries) [chart]

Scalability: number of iterations [chart]

Scalability: running time [chart]

Size of optimal abstractions [chart]

Related work
– Modern pointer analysis: demand-driven, query-driven, … (Heintze & Tardieu ’01, Guyer & Lin ’03, Sridharan & Bodik ’06, …)
– CEGAR model checkers: SLAM, BLAST, YOGI, …: work on concrete counterexamples, so they can disprove queries
Limitations of this prior work:
1. No optimality guarantee: they can over-refine and hurt scalability.
2. No impossibility result: refinement can diverge.

Thank you!