Presentation is loading. Please wait.

Presentation is loading. Please wait.

Region-Based Model Abstraction Jeremy Condit Jim Larus Sriram Rajamani Jakob Rehof OSQ Lunch 7 September 2003.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Region-Based Model Abstraction Jeremy Condit Jim Larus Sriram Rajamani Jakob Rehof OSQ Lunch 7 September 2003."— Presentation transcript:

1 Region-Based Model Abstraction Jeremy Condit Jim Larus Sriram Rajamani Jakob Rehof OSQ Lunch 7 September 2003

2 Model Checking for C# Want to check properties of a C# program –e.g., conformance checking for web services The model checking approach: –Produce a simplified version of program with respect to the property –Check all possible executions of this model

3 Our Abstraction Technique We abstract a program by throwing away irrelevant code Relevant data is identified by a third party –Programmer annotations –Program analysis –Counterexample-driven refinement Relevant statements and expressions are those that deal with relevant data –Easy, right?

4 Two Problems Problem 1: Aliasing –Statements that affect aliasing can be relevant Problem 2: Indirection –Relevant data can be buried within other nonsense if (…) x = y; x.relevant_field = true; y.relevant_field = false; x.y.z.relevant_field = true;

5 class State { … relevant bool b; … } class Transaction { … State s; … } Example

6 Transaction x; Transaction y; if (…) { Transaction t1 = new Transaction(); t1.s = new State(); t1.s.b = true; x = t1; } else { Transaction t2 = new Transaction(); t2.s = new State(); t2.s.b = false; x = t2; } if (…) { Transaction t3 = new Transaction(); t3.s = new State(); t3.s.b = true; y = t3; } else { Transaction t4 = new Transaction(); t4.s = new State(); t4.s.b = false; y = t4; } if (x.s.b) … if (y.s.b) … if (x.s.b) … Example

7 Include all statements! Transaction x; Transaction y; if (…) { Transaction t1 = new Transaction(); t1.s = new State(); t1.s.b = true; x = t1; } else { Transaction t2 = new Transaction(); t2.s = new State(); t2.s.b = false; x = t2; } if (…) { Transaction t3 = new Transaction(); t3.s = new State(); t3.s.b = true; y = t3; } else { Transaction t4 = new Transaction(); t4.s = new State(); t4.s.b = false; y = t4; } if (x.s.b) … if (y.s.b) … if (x.s.b) … Solution 1: Program slicing

8 Compute alias sets for x and y: x = {t1, t2} y = {t3, t4} if (choose({t1,t2}).s.b) if (choose({t3,t4}).s.b) if (choose({t1,t2}).s.b) Transaction x; Transaction y; if (…) { Transaction t1 = new Transaction(); t1.s = new State(); t1.s.b = true; x = t1; } else { Transaction t2 = new Transaction(); t2.s = new State(); t2.s.b = false; x = t2; } if (…) { Transaction t3 = new Transaction(); t3.s = new State(); t3.s.b = true; y = t3; } else { Transaction t4 = new Transaction(); t4.s = new State(); t4.s.b = false; y = t4; } if (x.s.b) … if (y.s.b) … if (x.s.b) … Solution 2: Alias analysis

9 class State[  ] at  { … relevant bool b; … } class Transaction[  ] { … Stateh  i s; … } Region-Annotated Example

10 Region-Annotated Example Transactionh  1 i x; Transactionh  2 i y; if (…) { Transactionh  1 i t1 = new Transactionh  1 i(); t1.s = new Stateh  1 i(); t1.s.b = true; x = t1; } else { Transactionh  1 i t2 = new Transactionh  1 i(); t2.s = new Stateh  1 i(); t2.s.b = false; x = t2; } if (…) { Transactionh  2 i t3 = new Transactionh  2 i(); t3.s = new Stateh  2 i(); t3.s.b = true; y = t3; } else { Transactionh  2 i t4 = new Transaction(); t4.s = new Stateh  2 i(); t4.s.b = false; y = t4; } if (x.s.b) … if (y.s.b) … if (x.s.b) …

11 if (…) { s = new State(); s.b = true;  1 [= s; } else { s = new State(); s.b = false;  1 [= s; } if (…) { s = new State(); s.b = true;  2 [= s; } else { s = new State(); s.b = false;  2 [= s; } if (choose(  1 ).b) … if (choose(  2 ).b) … if (choose(  1 ).b) … Transactionh  1 i x; Transactionh  2 i y; if (…) { Transactionh  1 i t1 = new Transactionh  1 i(); t1.s = new Stateh  1 i(); t1.s.b = true; x = t1; } else { Transactionh  1 i t2 = new Transactionh  1 i(); t2.s = new Stateh  1 i(); t2.s.b = false; x = t2; } if (…) { Transactionh  2 i t3 = new Transactionh  2 i(); t3.s = new Stateh  2 i(); t3.s.b = true; y = t3; } else { Transactionh  2 i t4 = new Transaction(); t4.s = new Stateh  2 i(); t4.s.b = false; y = t4; } if (x.s.b) … if (y.s.b) … if (x.s.b) … Solution 3: Regions

12 Why Regions? Two phase alias analysis –Static: Identify scope of alias sets –Dynamic: Populate alias sets with objects Beneficial for model checker –Avoid loss of precision when generating models –Produce more precise alias information by exploiting the power of the model checker Solves aliasing and indirection problems Allows fine-grained tuning of trade-off between precision and performance

13 Our Abstraction Based on RegJava –Region type system for a Java-like language –Includes proof of soundness Given a statement or expression p, we define «p¬ to be its abstraction Distinguish three cases: 1. Relevant data 2. References to relevant data 3. All others

14 Example: Expressions Example:

15 Example: Statements Example:

16 Soundness Theorem Theorem: For any execution of the original RegJava program, there is a corresponding execution of the model Proof Sketch: Since we replace occurrences of variables and fields with a choice over the corresponding region, any possible value in the original program will be considered by the model

17 Context-Sensitivity Region type systems make our approach context-sensitive void foo[  1,  2 ](Stateh  1 i s1, Stateh  2 i s2) { s1.b = true; if (s2.b) … } void foo_model(Set  1, Set  2 ) { choose(  1 ).b = true; if (choose(  2 ).b) … }

18 Context-Sensitivity, Part 2 But we still have problems now and then: void foo[  ](Stateh  i s1, Stateh  i s2) { Stateh  i tmp; if (…) { tmp = s1; } else { tmp = s2; } tmp.b = true; } void foo_model(Set  ) { choose(  ).b = true; }

19 Context-Sensitivity, Part 3 We can create an even more dynamic model void foo[  1,  2 ](Stateh  1 i s1, Stateh  2 i s2) { Stateh  i tmp; if (…) { tmp = s1; } else { tmp = s2; } tmp.b = true; } void foo_model(Set  1, Set  2 ) { Set  ; if (…) {  [=  1 ; } else {  [=  2 ; } choose(  ).b = true; }

20 Capturing Correlations Need to represent important correlations in the model –Solution: Introduce local variables Stateh  i s = …; s.b = true; s.f = 42; choose(  ).b = true; choose(  ).f = 42; Stateh  i s = choose(  ); s.b = true; s.f = 42; Source: Model:

21 Implementation Based on Dave Hanson and Todd Proebsting’s research C# compiler Five stages: –Introduce region variables –Gather constraints and solve –Determine live regions at each AST node –Insert letregion statements to limit region scope –Translate to Zing

22 The Fine Print RegJava’s regions use a stack discipline –Letregion statements tend to accumulate near the most general scopes in the program –We’re looking at less restrictive region systems Region parameters accumulate upward in the class hierarchy –Interfaces can’t be modeled properly –We’re looking at alternative approaches to object- oriented region systems

23 Related Work Other model checking projects –SLAM, BLAST, Bandera Regions in Cyclone Flow-sensitive Cqual CqualRBMA abstract locationsregion variables flow-insensitive phasemodel generation flow-sensitive phasemodel checking {0, 1, many} pointers at each location track all pointers in each region

24 Conclusion Region type systems solves several model generation problems: –Aliasing –Indirection Efficient division of labor: –Model generation phase (static) –Model checking phase (dynamic) Other compiler analyses may benefit from this approach!

Download ppt "Region-Based Model Abstraction Jeremy Condit Jim Larus Sriram Rajamani Jakob Rehof OSQ Lunch 7 September 2003."

Similar presentations

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)

PLDI’2005Page 1June 2005 Example (C code) int double(int x) { return 2 * x; } void test_me(int x, int y) { int z = double(x); if (z==y) { if (y == x+10)
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Compilation 2007 Code Generation Michael I. Schwartzbach BRICS, University of Aarhus.

Compilation 2007 Code Generation Michael I. Schwartzbach BRICS, University of Aarhus.
1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++

1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.

Automatic Predicate Abstraction of C-Programs T. Ball, R. Majumdar T. Millstein, S. Rajamani.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Type Checking 66.648 Compiler Design Lecture (02/25/98) Computer Science Rensselaer Polytechnic.

Type Checking Compiler Design Lecture (02/25/98) Computer Science Rensselaer Polytechnic.
Semantic analysis Parsing only verifies that the program consists of tokens arranged in a syntactically-valid combination, we now move on to semantic analysis,

Semantic analysis Parsing only verifies that the program consists of tokens arranged in a syntactically-valid combination, we now move on to semantic analysis,
CS412/413 Introduction to Compilers Radu Rugina Lecture 16: Efficient Translation to Low IR 25 Feb 02.

CS412/413 Introduction to Compilers Radu Rugina Lecture 16: Efficient Translation to Low IR 25 Feb 02.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
Common Sub-expression Elim Want to compute when an expression is available in a var Domain:

Common Sub-expression Elim Want to compute when an expression is available in a var Domain:
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.

Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.

Next Section: Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis (Wilson & Lam) –Unification.
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.

Speeding Up Dataflow Analysis Using Flow- Insensitive Pointer Analysis Stephen Adams, Tom Ball, Manuvir Das Sorin Lerner, Mark Seigle Westley Weimer Microsoft.

Similar presentations

Ads by Google