Presentation is loading. Please wait.

Presentation is loading. Please wait.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley."— Presentation transcript:

1 Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley

2 Jeff Foster, PLDI'03, June 9, 20032 Introduction Aliasing: A long-standing problem –Pointers are hard to analyze...*p = 3... what is updated? –We need to know for compilers (optimization) software analysis tools (CQual, Cyclone, Vault, SLAM, ESP,...)

3 Jeff Foster, PLDI'03, June 9, 20033 Alias Analysis What expressions may refer to same location? –To what memory locations do expressions point? Alias analysis abstracts memory with bounded set of locations –Choices affect subsequent analysis Programmer has little input to alias analysis

4 Jeff Foster, PLDI'03, June 9, 20034 Example from CQual: Modeling Arrays lock *locks[n]; // define array of n locks actual memory locks abstraction CQual: All elements of locks[] may alias –Represented with a single abstract location  

5 Jeff Foster, PLDI'03, June 9, 20035 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *l) { spin_lock(l); work(); spin_unlock(l); }  unlocked ?

6 Jeff Foster, PLDI'03, June 9, 20036 Example from CQual: Weak Update After acquiring lock,  is locked or unlocked –This is a weak update actual memory locks abstraction  UUUL L/U

7 Jeff Foster, PLDI'03, June 9, 20037 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *l) { spin_lock(l); work(); spin_unlock(l); }  unlocked  locked or unlocked

8 Jeff Foster, PLDI'03, June 9, 20038 Why This Design? Simple, efficient, scalable alias analysis More abstract locations = –Greater precision –Less efficiency Need to model facts about more names at each state Observation: A little extra local information would make a big difference

9 Jeff Foster, PLDI'03, June 9, 20039 Restrict void do_with_lock(lock *restrict l) {... } –Let l point to lock a –Within l’s scope, all accesses to a are through l (Approximately)  In do_with_lock, no other aliases of a used Can use strong updates on state of l

10 Jeff Foster, PLDI'03, June 9, 200310 Contributions of This Work Type and effect system for checking that uses of restrict are safe –Provably sound –Contrast to ANSI C: restrict annotation trusted unchecked, with informal semantics New construct confine –Short-hand for common uses of restrict –Easier to use

11 Jeff Foster, PLDI'03, June 9, 200311 Contributions of This Work (cont’d) Automatic inference of restrict and confine Experiment using confine inference in checking locking in Linux kernel –Recovered strong updates in 95% of cases –Enabled new deadlocks to come to light

12 Jeff Foster, PLDI'03, June 9, 200312 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }

13 Jeff Foster, PLDI'03, June 9, 200313 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }  unlocked  U

14 Jeff Foster, PLDI'03, June 9, 200314 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }  unlocked copy  to   U  U

15 Jeff Foster, PLDI'03, June 9, 200315 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }  unlocked copy  to   U  U

16 Jeff Foster, PLDI'03, June 9, 200316 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }  unlocked copy  to   locked strong update  U  L  represents only one location –Safe to perform strong update (replacement)

17 Jeff Foster, PLDI'03, June 9, 200317 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }  unlocked  unlocked copy  to   locked  U  U  represents only one location –Safe to perform strong update (replacement)

18 Jeff Foster, PLDI'03, June 9, 200318 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }  unlocked  unlocked copy  to  copy  to   locked  U  U  represents only one location –Safe to perform strong update (replacement)

19 Jeff Foster, PLDI'03, June 9, 200319 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }  unlocked  unlocked copy  to  copy  to   locked  U  U  represents only one location –Safe to perform strong update (replacement)

20 Jeff Foster, PLDI'03, June 9, 200320 Example from CQual void foo(int i) { do_with_lock(locks[i]); } void do_with_lock(lock *restrict l) { spin_lock(l); work(); spin_unlock(l); }  unlocked  unlocked copy  to  copy  to   locked  U  U  unlocked  represents only one location –Safe to perform strong update (replacement)

21 Jeff Foster, PLDI'03, June 9, 200321 Check Restrict with Type and Effect System Types extended with abstract locations –Flow-insensitive, unification-based may-alias analysis  ::=  | ref  (  )pointer to abstract loc  Effects are sets of locations L ::= Ø | {  }  | L1  L2 | L1  L2

22 Jeff Foster, PLDI'03, June 9, 200322 Type Rules A | e :  ; L –In environment A, expression e has type  –evaluating e has effect L A | e : ref  (  ); L A | *e :  ; L  {  }

23 Jeff Foster, PLDI'03, June 9, 200323 Restrict restrict x = e1 in e2 –x is a pointer initialized to e1 –x is in scope only within e2 –within e2, only x and copies derived from x can be used to access *x –outside of e2, values derived from x cannot be used

24 Jeff Foster, PLDI'03, June 9, 200324 Restrict Rule A | e1 : ref  (  1); L1 A | restrict x = e1 in e2 : A[ref  (  1)\x] | e2 :  2; L2   L2  locs(A  1  2)  2; L1  L2  {  }

25 Jeff Foster, PLDI'03, June 9, 200325 Soundness Type system for checking restrict is sound –Well-typed program doesn’t go wrong according to a formal semantics  uses of restrict are safe Provable using standard subject-reduction techniques

26 Jeff Foster, PLDI'03, June 9, 200326 Improving Restrict Must bind a variable name in restrict spin_lock(locks[i]); work(); spin_unlock(locks[i]);

27 Jeff Foster, PLDI'03, June 9, 200327 Improving Restrict Must bind a variable name in restrict restrict mylock = locks[i] in { spin_lock(mylock) work(); spin_unlock(mylock); } –Time consuming, need to manually check transformation is safe

28 Jeff Foster, PLDI'03, June 9, 200328 Confine Short-hand for previous transformation confine (locks[i]) in { spin_lock(locks[i]) work(); spin_unlock(locks[i]); } –Only need to pick expression, introduce scope

29 Jeff Foster, PLDI'03, June 9, 200329 Confine Inference Assume we know expression to confine –In experiment, given spin_lock(e) try confining e Algorithm –Introduce confine everywhere –Eliminate incorrect confines –Greedily combine adjacent confines (confine e in e1 ; confine e in e2) = confine e in e1;e2 Use heuristics in practice to speed up

30 Jeff Foster, PLDI'03, June 9, 200330 PLDI’02 Results Found a number of locking bugs in Linux kernel –Many weak updates with multi-file analysis In CQual, weak updates to locks yield type errors –Makes it hard to find true locking bugs Can we eliminate weak updates with restrict? –Yes, but painful to put in by hand

31 Jeff Foster, PLDI'03, June 9, 200331 New Experiment: Eliminating Weak Updates How many more strong updates with confine inference? Metric: # lock updates involved in error –Lower bound: Assume all updates are strong But unsound!

32 Jeff Foster, PLDI'03, June 9, 200332 Type Errors No type errors because of weak updates Potential improvement 352/ 60% 85/ 14% 152/ 26% 589 total modules

33 Jeff Foster, PLDI'03, June 9, 200333 Actual Improvement in Strong Updates 138/152: Same as assuming updates strong –Optimal result 14/152: Confine misses some strong updates –See paper for numbers

34 Jeff Foster, PLDI'03, June 9, 200334 Experimental Summary Overall, confine inference gets 95% of cases –Could eliminate 3277 type errors –Does eliminate 3116 type errors –(Includes duplicates from duplicated modules) Remaining type errors –Deadlocks (found 4 new ones) –Aliasing conservatism and lack of path sensitivity

35 Jeff Foster, PLDI'03, June 9, 200335 Conclusion restrict and confine successfully recover local strong updates –Can be used as programmer annotations to document aliasing properties Automatic confine inference works 95% of the time –Large improvement in quality of type errors

Download ppt "Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Static Analysis for Security

Static Analysis for Security
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.

1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.

“FENDER” AUTOMATIC MEMORY FENCE INFERENCE Presented by Michael Kuperstein, Technion Joint work with Martin Vechev and Eran Yahav, IBM Research 1.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An

Demand-driven Alias Analysis Implementation Based on Open64 Xiaomi An
Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.

Inpainting Assigment – Tips and Hints Outline how to design a good test plan selection of dimensions to test along selection of values for each dimension.
Type Qualifiers CS 6340 1. 2 Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors (bugs).

Type Qualifiers CS Software Quality Today Even after large, extensive testing efforts, commercial software is shipped riddled with errors ("bugs").
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.

Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.

6/14/991 Symbolic verification of systems with state machines David L. Dill Jeffrey Su Jens Skakkebaek Computer System Laboratory Stanford University.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Optimistic Bug Finding David Gupta and Junfeng Yang.

Optimistic Bug Finding David Gupta and Junfeng Yang.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.

Scalable Error Detection using Boolean Satisfiability 1 Yichen Xie and Alex Aiken Stanford University.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.

Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Similar presentations

Ads by Google