Presentation is loading. Please wait.

Presentation is loading. Please wait.

Patrick M. Rondon, Ming Kawaguchi, Ranjit Jhala University of California, San Diego.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Patrick M. Rondon, Ming Kawaguchi, Ranjit Jhala University of California, San Diego."— Presentation transcript:

1 http://www.flickr.com/photos/fallsroad/6759129/in/set-125319/ Patrick M. Rondon, Ming Kawaguchi, Ranjit Jhala University of California, San Diego

2 Refinement Type Inference (Invariant Discovery) Liquid Types x++; C Program x : positive int … Inferred Refinement Types (Discovered Invariants) How Do We Fit C To Liquid Types?

3 Positive void init (string *s, int n) { s->len = n; s->str = malloc(n); } void reinit (stringlist *sl) { while (sl != NULL) { init (sl->s, random ()); sl = sl->next; } struct string { int len; char *str; } Points To Start Of len Bytes 1. Expressing Invariants? 2. Temporary Violations? 3. Unknown Aliasing? str Hasn’t Been Set Yet sl, sl->next May Alias Challenge Types & Refinement Types Strong Updates Check In, Check Out Discipline Solution Adapt C To Liquid Types + +

4 Refinement Type Inference (Invariant Discovery) Liquid Types C Program x : positive int … Inferred Refinement Types (Discovered Invariants) Automatically Adapt C Programs To Fit Liquid Types C Program + Types + Strong Update + Check In, Check Out x++;

5  Basic Types  Refinement Types  Refinement Types And Collections  Refinement Type Inference  Evaluation

6 We first describe the basic structure of the heap

7 Offset 4 Offset 0 After 4-byte int fst struct pair { int fst; int snd; } p->fst++; p->snd++; p : ref(L, 0 ) 0 : int(4, 0 ) 4 : int(4, 4) Type Given int(4, ⊤ ) L Read/Write int(4, ⊤ ) At Offset 0 In L p + 0 : ref(L, 0 ) At Offset 4 In L p + 4 : ref(L, 4) At Start Of Struct Pointer To Location L At Byte Offset 0 4-Byte Integer With Value 0 Pointer To Location L At Byte Offset 0 4-Byte Integer With Value 4 *(p + 0)++; *(p + 4)++; Pointer To Location L At Byte Offset 4 Read/Write int(4, ⊤ )

8  Basic Types  Refinement Types  Refinement Types And Collections  Refinement Type Inference  Evaluation

9 We use refinement types to express invariants

10 Offset 4 Offset 0 {ν: type | p(ν)}type Refinement Predicate {ν: int(4, ⊤ ) | ν > 0 } {ν: ref(L, 0 ) | ν ≠ 0 } Positive Integer Non-NULL Pointer Pair With snd ≥ fst int(4, ⊤ ) L Denotes fst Field {ν: int(4, ⊤ ) | ν ≥ @ 0 } fst Field snd Field

11 Offset 4 Offset 0 p->fst++; p->snd++; L int{ν ≥ @ 0 } Requires Flow-Sensitivity And Strong Update Temporary Invariant Violation int(4, ⊤ ) L {ν: int(4, ⊤ ) | ν ≥ @ 0 } Invariant Reestablished Invariant Maintained

12 int{ν ≥ @ 0 } L {ν = f 0 }{ν = f 4 } L f 0 : intf 4 : {ν ≥ f 0 } Records Same Invariant With Initial Values Named Change @ 0 to f 0 Env. Rename fst To f 0 Rename snd To f 4

13 f 0 : intf 4 : {ν ≥ f 0 } p->fst++; p->snd++; {ν = f 0 } L {ν = f 4 } Env. {ν = f 0 + 1} L {ν = f 4 } {ν = f 0 + 1} L {ν = f 4 + 1} int L {ν ≥ @ 0 } p->fst = p->fst + 1; Type {ν = f 0 } Type {ν = f 0 + 1} snd Unchanged ☑ Invariant Reestablished! p : ref(L, 0 ) Is Subsumed By:

14  Basic Types  Refinement Types  Refinement Types And Collections  Refinement Type Inference  Evaluation

15 We adapt strong update to handle aliasing

16 struct pair { int fst; int snd; pair *next; } while (p != NULL) { p->fst++; p->snd++; p = p->next; } int L {ν ≥ @ 0 }ref(L, 0 ) Many Items Represented By L int L {ν ≥ @ 0 }ref(L, 0 ) next Field Abstract Location … Strong Updates To Abstract Locations Are Unsound! Their Invariants Are “Locked”

17 All Satisfy L’s Invariant Unfold p … … p “Checked Out” L p Only Allow Accesses To One “Checked Out” L p Must “Check In” (Reestablish Invariant)To Check Out Another Item All Satisfy L’s Invariant … Fold “Check Out” p “Check In” p Accessing Other Items Forbidden

18 p->fst++; p->snd++; int{ν ≥ @ 0 } L {ν = f 0 } Lp Lp {ν = f 4 }int{ν ≥ @ 0 } L {ν = f 0 + 1} Lp Lp {ν = f 4 + 1} Fold int{ν ≥ @ 0 } L Unfold p while (p != NULL) { p->fst++; p->snd++; p = p->next; } Unfold p At Loop Head Fold Ensures Validity At Iteration’s End Fold, Unfold Verify Collection Invariant int{ν ≥ @ 0 } L p : ref(L, 0 ) ☑ Invariant Maintained!

19  Basic Types  Refinement Types  Refinement Types And Collections  Refinement Type Inference  Evaluation

20 p->fst++; p->snd++; {R}{R}{S}{S} L {ν = f 0 } Lp Lp {ν = f 4 } {R}{R}{S}{S} L {ν = f 0 + 1} Lp Lp {ν = f 4 + 1} Fold {R}{R}{S}{S} L Unfold p {R}{R}{S}{S} L ν ≥ * ν = 0 … ν ≥ f 0 ν = 0 … {ν ≥ f 0, ν = 0, …} L L int{ν ≥ @ 0 } L int{ν ≥ @ 0 } L {ν ≥ f 0, ν = 0, …} L int{ν ≥ @ 0 } {ν ≥ f 0, ν = 0, …} L int{ν ≥ @ 0 } L 1. Unknown Refinement Variables 2. Subtyping Constraints Over Variables 3. Solve To Infer Refinements Liquid Types Overview: Hints For Refinement InferenceInstantiate With Value NamesAssign Conjunction To VariablesKeep Only Valid Refinements

21  Basic Types  Refinement Types  Refinement Types And Collections  Refinement Type Inference  Evaluation

22 CSolve C Source void incpairs(pair *p) { while (p != NULL) { *(p + offsetOf(fst)); *(p + offsetOf(snd)); p = p->next; } Hints ν ≥ * ν ≤ * ν = * + 1 ☑ Pointer Safe! Spatial Memory Safety: Array Bounds Pointer Dereferences Field Accesses ☒ Pointer Unsafe!

23 Arrays Graphs Linked Lists

24 2. Temporary Violations? Strong Updates 3. Unknown Aliasing? Check In, Check Out Discipline 4. Annotation Burden? Liquid Types 1. Expressing Invariants? Types & Refinement Types ChallengeSolution

Download ppt "Patrick M. Rondon, Ming Kawaguchi, Ranjit Jhala University of California, San Diego."

Similar presentations

Static Analysis of Heap-manipulating Low-level software Sumit GulwaniAshish Tiwari MSR, Redmond SRI International.

Static Analysis of Heap-manipulating Low-level software Sumit GulwaniAshish Tiwari MSR, Redmond SRI International.
A Framework for describing recursive data structures Kenneth Roe Scott Smith.

A Framework for describing recursive data structures Kenneth Roe Scott Smith.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.

Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.
Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Array_strcpy void array_strcpy(char dest[], char src[]) { int i = 0; while (src[i] != '\0') { dest[i] = src[i]; i++; } dest[i] = '\0'; }

Array_strcpy void array_strcpy(char dest[], char src[]) { int i = 0; while (src[i] != '\0') { dest[i] = src[i]; i++; } dest[i] = '\0'; }
Dr. Kalpakis CMSC 661, Principles of Database Systems Representing Data Elements [12]

Dr. Kalpakis CMSC 661, Principles of Database Systems Representing Data Elements [12]
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Memory allocation CSE 2451 Matt Boggus. sizeof The sizeof unary operator will return the number of bytes reserved for a variable or data type. Determine:

Memory allocation CSE 2451 Matt Boggus. sizeof The sizeof unary operator will return the number of bytes reserved for a variable or data type. Determine:
Generic programming in Java

Generic programming in Java
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.

Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.
Static Analysis for Memory Safety Salvatore Guarnieri

Static Analysis for Memory Safety Salvatore Guarnieri
Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.

Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.
CS61C L05 C Structures, Memory Management (1) Garcia, Spring 2005 © UCB Lecturer PSOE Dan Garcia www.cs.berkeley.edu/~ddgarcia inst.eecs.berkeley.edu/~cs61c.

CS61C L05 C Structures, Memory Management (1) Garcia, Spring 2005 © UCB Lecturer PSOE Dan Garcia inst.eecs.berkeley.edu/~cs61c.
Refining Abstract Locations Tachio Terauchi Jeff Foster Alex Aiken.

Refining Abstract Locations Tachio Terauchi Jeff Foster Alex Aiken.
Dynamically Discovering Likely Program Invariants to Support Program Evolution Michael Ernst, Jake Cockrell, William Griswold, David Notkin Presented by.

Dynamically Discovering Likely Program Invariants to Support Program Evolution Michael Ernst, Jake Cockrell, William Griswold, David Notkin Presented by.

Similar presentations

Ads by Google