Partially Disjunctive Heap Abstraction

Partially DisjunctiveHeap Abstraction

Roman ManevichMooly Sagiv

Tel Aviv University

G. RamalingamJohn Field

IBM T.J. Watson

Motivation Analysis of Object Oriented programs is

hard Recursive data structures Unbounded number of objects Destructive update of references

Scalable heap analyses exist e.g., flow-insensitive Not precise enough for verification

Precise heap analyses exist e.g., SRW shape analysis Scaling is very challenging

Motivating example:verifying mark phase of GC

// @Ensures marked == REACH(root)void mark(Node root, NodeSet marked) { Node x; if (root != null) {

NodeSet pending = new NodeSet();pending.add(root);marked.clear();while (!pending.isEmpty()) { x = pending.selectAndRemove(); marked.add(x); if (x.left != null) if (!marked.contains(x.left))

pending.add(x.left); if (x.right != null) if (!marked.contains(x.right)

pending.add(x.right);}

}}






}}






}}


pending = {root}marked = {}

u1

u2

u3

u4

rootx

left

rightleftleft

right

left

right

u5

u6


pending = {u3,u2}marked = {u1}

u1

u2

u3

u4

root

left

rightleftleft

right

left

right

u5

u6x


pending = {u4,u2}marked = {u1,u3}

u1

u2

u3

u4

root

left

rightleftleft

right

left

right

u5

u6

x


pending = {u2}marked = {u1,u3,u4}

u1

u2

u3

u4

root

x

left

rightleftleft

right

left

right

u5

u6


u1

u2

u3

u4

root

x left

rightleftleft

right

left

right

u5

u6

pending = {}marked = {u1,u3,u4,u2}


u1

u2

u3

u4

root

x left

rightleftleft

right

left

right

u5

u6

DONE



u1

u2

u3

u4

root

x left

rightleftleft

right

left

right

u5

u6


garbagegarbage


u1

u2

u3

u4

root

x

left

right

left

right



Powerset heap abstraction 584 seconds, 189,772 abstract heaps Definitely too expensive Can we verify more efficiently?

Partially disjunctive heap abstraction 3 seconds, 1,133 abstract heaps

TVLA system

Overview and main results

New (parametric) heap abstraction Uses a heap similarity criterion Merges “similar” heaps

Robust implementation Abstraction of choice among TVLA users Suitable for other shape analysis systems

Empirical results Significant speedups (2 orders of

magnitude) Precise in most cases

Talk outline

Shape analysis background Representing heaps via logical structures Disjunctive (powerset) heap abstraction

Partially disjunctive heap abstraction Via universe congruence similarity

Empirical results Related work Future work Conclusions

Shape analysis viaFirst-Order logic

SRW 2002 : Parametric shape analysis via 3-valued logic

Concrete heaps represented by 2-valued structures over predicate symbols P A set of individuals (nodes) U Interpretation of predicate symbols in P

p0() {0,1}p1(v) {0,1}p2(u,v) {0,1}

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

left

rightleftleft

right

left

right

Concrete heap

unary predicatesxrootset[marked]set[pending]r[root]

left right

binary predicates

3-valued structures

2-valued structures abstracted into3-valued structures by merging individuals

p0() {0,1,1/2}p1(v) {0,1,1/2}p2(u,v) {0,1,1/2}

Kleene’s partially ordered set of logical values:

0 1 = 1/2 0 1

1/2

Canonical abstraction

Merge individuals with same values for all unary predicates (canonical name) Bounded structure with at most 2|A|

individuals A = set of unary predicates


r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

left

rightleftleft

right

left

right

x(v)root(v)set[marked](v)set[pending](v)r[root](v)

A =


r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

left

rightleftleft

right

left

right

x=0,root=0,r[root]=1,set[marked]=1,set[pending]=0


r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

left

rightleftleft

right

left

right




r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

left

rightleftleft

right

left

right





r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

left

rightleftleft

right

left

right





r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

left

rightleftleft

right

left

right


r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

rightleftleft

right

right

left

left

Abstract heapBounded number of individuals

Powerset heap abstraction

= canonical abstraction pow(X) = {(s) | s X} LUB (join) is set union Worst-case is doubly-exponential in |A| Can make unnecessary distinctions

Partially disjunctiveheap abstraction

Use a heap-similarity criterion We defined similarity by universe

congruence Merge similar heaps Avoid merging dissimilar heaps

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

right

leftleft

right

left

left

right

Universe congruent heaps

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

rightleftleft

right

right

left

left

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

right

leftleft

right

left

left

right

Result of merge

left right

left

left

r[root]set[marked]

r[root]set[marked]

r[root]set[pending]

root

x

right

leftleft

right

left

left

right

Non-congruent heaps – no merge

r[root]set[marked]

r[root]set[marked]

r[root]set[marked]

root

x

rightleftleft

right

right

left

left

Definition of partially disjunctiveheap abstraction

Two heaps are similar iff they are universe congruent (same canonical names)

piC = merge universe congruent heaps pi(X) = {piC | C pow(X)}

Characteristics of the partially disjunctive heap abstraction

1. 3-valued structures partially-ordered No LUB over singleton structure sets if S1 pi S2

pi({S1,S2}) = pi{S1,S2} else

pow({S1,S2}) = {S1,S2}

2. Retain definite values of unary predicates

3. Size of set can be reduced exponentially

Running times

02,0004,0006,0008,00010,00012,00014,00016,00018,00020,000

DSW

Inpu

tStre

am5

Inpu

tStre

am5b

Inpu

tStre

am6

SQLExe

cuto

r

Kerne

lBen

ch.1

GC.mar

k

seconds

PowersetPartial

Space consumption

0

20

40

60

80

100

120

DSW

Inpu

tStre

am5

Inpu

tStre

am5b

Inpu

tStre

am6

SQLExe

cuto

r

Kerne

lBen

ch.1

GC.mar

k

Mb

PowersetPartial

Related work

Reducing cost of powerset-based analysis

Function space domain construction ESP [PLDI 02] Deutsch [PLDI 94]

Widening operators [Bagnara et el. VMCAI03]

Future work

Experiment with other similarity criteria Structures with different universes

Deflating operators Widening operators

Conclusions

A new (parametric) heap abstraction Partially disjunctive Merges similar abstract heap descriptors

Significantly more efficient than full powerset Essential for many TVLA analyses

Often no loss of precision in practice

The End

Parametric partial isomorphism

Structures S1=U1,I1 and S2=U2,I2 Isomorphic iff:

Exists bijection f : U1U2

Preserves all predicate values Partially-isomorphic relative to R iff:

Exists bijection f : U1U2

Preserves values of relational predicates A R P

No LUB over singletonsp=1q=1

z=1/2

p=0q=1z=0

p=1q=0z=1

A

p=0q=1z=1

p=1q=0z=0

p=1q=1

z=1/2B

p=1q=0

z=1/2

p=1/2q=1

z=1/2

p=0q=1

z=1/2

p=1q=1/2z=1/2

C is an upper bound D is an upper bound

incomparable

Documents

Partially Disjunctive Heap Abstraction