Relational Inductive Shape Analysis

Bor-Yuh Evan Chang (University of California, Berkeley)
Xavier Rival (INRIA)

POPL 2008

Slide 2: Example: Removing duplicates

    cur = l->next;
    while (cur != null) {
      cur = remove_if_dup(cur);
      cur = cur->next;
    }

Concrete example (left) against the invariant/abstraction (right):

    before the loop:  l -> 2 -> 2 -> 4 -> 4                 "sorted dl list" at l
    mid-loop:         l -> 2 -> 4 -> 4, cur inside the list "sorted dl set segment (ε ≤ v)" from l to cur,
                                                            then "sorted dl list (v ≤ ε)" from cur
    after the loop:   l -> 2 -> 4                           "sorted dl set" at l

"sorted dl list" and "sorted dl set" are program-specific predicates. The intermediate state is more complicated than the states before and after the loop: it is a set segment followed by a list, and the two pieces are related through the value v at the split.

Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

Slide 3: Utilize "dynamic checking code" as specification for static analysis

Checking code expresses a precise invariant of interest, but only at "steady states" (here: before and after the loop).

    sorteddll(l, prev, min) =
      if (l = null) then true
      else l->prev = prev and min ≤ l->val and sorteddll(l->next, l, l->val)

    assert(sorteddll(l, null, 0));
    cur = l;
    while (cur != null) {
      cur = remove_if_dup(cur);
      cur = cur->next;
    }
    assert(sorteddlset(l, null, 0));

The analysis must automatically generalize the checker-given invariant to the intermediate states (l and cur mid-loop).
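As an added example (not code from the slides or from the authors' analyzer), here are the slide's checkers and loop in Python. `sorteddll` and `sorteddlset` follow the slide's definitions; `Node`, `build_list`, `to_list`, `setseg`, `intermediate_invariant`, `remove_after` and the `observe` hook are assumptions of this example, and the input lists are constructed. The point it makes runnable is the one on the slide: at each loop head the postcondition checker `sorteddlset` does not yet hold, while the segment-plus-list invariant sketched on slide 2 (a sorted set segment from l to cur, then a sorted list from cur, sharing the value at the split) does hold, and that is the generalization the analysis has to find on its own.

```python
"""Added example (not the authors' code): the slide's checkers as runnable Python
over a doubly-linked list, plus the dedup loop with a hook at each loop head."""


class Node:
    __slots__ = ("val", "prev", "next")

    def __init__(self, val):
        self.val, self.prev, self.next = val, None, None


def build_list(values):
    """Construct a doubly-linked list from a Python list (constructed sample input)."""
    head = prev = None
    for v in values:
        n = Node(v)
        n.prev = prev
        if prev is None:
            head = n
        else:
            prev.next = n
        prev = n
    return head


def to_list(l):
    out = []
    while l is not None:
        out.append(l.val)
        l = l.next
    return out


def sorteddll(l, prev, min_):
    """The slide's checker: back pointers consistent, values non-decreasing from min_."""
    if l is None:
        return True
    return l.prev is prev and min_ <= l.val and sorteddll(l.next, l, l.val)


def sorteddlset(l, prev, min_):
    """Same, but strictly increasing: a sorted list with no duplicates (a 'set')."""
    if l is None:
        return True
    return l.prev is prev and min_ < l.val and sorteddlset(l.next, l, l.val)


def setseg(l, prev, min_, end):
    """Partial run of sorteddlset from l up to (not including) `end`: a 'segment'.
    Returns (ok, prev, min_) where the run stopped, so a suffix checker can go on."""
    if l is end:
        return True, prev, min_
    if l is None or not (l.prev is prev and min_ < l.val):
        return False, None, None
    return setseg(l.next, l, l.val, end)


def intermediate_invariant(l, cur):
    """Loop-head invariant: sorted dl set segment from l to cur, then sorted dl list from cur."""
    ok, prev, min_ = setseg(l, None, 0, cur)
    return ok and sorteddll(cur, prev, min_)


def remove_after(cur):
    """Unlink cur.next, keeping back pointers consistent (cur.next must exist)."""
    victim = cur.next
    cur.next = victim.next
    if victim.next is not None:
        victim.next.prev = cur


def remove_dups(l, observe=lambda l, cur: None):
    """The slide's loop with remove_if_dup inlined; observe() runs at every loop head."""
    if l is None:
        return None
    cur = l.next
    while cur is not None:
        observe(l, cur)
        if cur.prev.val == cur.val:
            cur = cur.prev
            remove_after(cur)
        cur = cur.next
    return l


def dedup_with_trace(values):
    """Run the checked loop; return (result, checker at each loop head, invariant at each loop head).
    The 0 passed as min_ is the slide's sentinel, so values are assumed positive."""
    l = build_list(values)
    assert sorteddll(l, None, 0)                       # steady state: precondition
    steady, inter = [], []

    def observe(l, cur):
        steady.append(sorteddlset(l, None, 0))         # the postcondition checker, mid-loop
        inter.append(intermediate_invariant(l, cur))   # the generalized invariant

    l = remove_dups(l, observe)
    assert sorteddlset(l, None, 0)                     # steady state: postcondition
    return to_list(l), steady, inter
```

`dedup_with_trace([2, 2, 4, 4])` returns `([2, 4], [False, False, False], [True, True, True])`: the set checker fails at every loop head, the segment invariant holds at every one.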

Slide 4: Our framework is ...

An automated shape analysis with a precise memory abstraction based around invariant checkers.

• Compact abstraction: data structure-specific, based on properties of interest to the developer
• Extensible: parametric in developer-supplied checkers

The shape analyzer takes the checkers as input, for example:

    sorteddll(l, prev, min) =
      if (l = null) then true
      else l->prev = prev and min ≤ l->val and sorteddll(l->next, l, l->val)

Slide 5: Challenges

    cur = l->next;
    while (cur != null) {
      cur = remove_if_dup(cur);
      cur = cur->next;
    }

Loop-head invariant: "sorted dl set segment (ε ≤ v)" from l to cur, then "sorted dl list (v ≤ ε)" from cur.

Inside remove_if_dup:

    if (cur->prev->val == cur->val) {
      cur = cur->prev;
      remove_after(cur);
    }

After the removal: "sorted dl set segment (ε ≤ u)" from l to cur, then "sorted dl list (w ≤ ε)" from cur, with u < v = w.

Challenge 1: "split" segments (back pointers). cur->prev reaches into the segment from its end, so the segment must be taken apart from the back.
Challenge 2: numerical constraints linking shape and data, such as u < v = w (see paper).

Slide 6: Shape analysis is an abstract interpretation on memory states with ...

Materialization (partial concretization), to perform strong updates, and widening, for termination.

(Figure: the sequence of abstract memory states for l and cur over the loop iterations.)

Slide 7: Outline

The shape analyzer takes developer-supplied checkers (e.g., sorteddll above) as input and runs an abstract interpretation built from:
  1. materialization and update
  2. a type "pre-analysis" on the checker definitions
  widening (see paper)

Slide 8: Abstract memory using inductive predicates

    cur = l->next;
    while (cur != null) {
      if (cur->prev->val == cur->val) {
        cur = cur->prev; remove_after(cur);
      }
      cur = cur->next;
    }

The checker (inductive predicate) for plain doubly-linked lists, as checking code:

    dll(l, prev) =
      if (l = null) then true
      else l->prev = prev and dll(l->next, l)

and as the definition the analysis uses:

    π·dll(ρ) := (π = null ∧ emp) ∨ (∃η. π·next ↦ η ∗ π·prev ↦ ρ ∗ η·dll(π))

Abstract memory is a graph: nodes are values (e.g., addresses α, β, γ, δ, ε), points-to edges are memory cells (e.g., γ·prev ↦ β), checker edges are inductive predicates (e.g., ε·dll(δ)), and segment edges are partial checker runs (e.g., from α·dll(null) to γ·dll(β)). Edges represent disjoint memory regions (a separating conjunction).

State at the update (figure): l ↦ α; segment from α·dll(null) to γ·dll(β); cur ↦ γ; γ·prev ↦ β, γ·next ↦ δ; δ·prev ↦ γ, δ·next ↦ ε; ε·dll(δ).

update: cur->next = cur->next->next. Because the cells of γ and δ are materialized, this is a strong update on γ·next, which afterwards points to ε; δ's cells and ε·dll(δ) are unchanged.

The dll checker has one traversal parameter (l) with fields (next, prev).

Slide 9: Materialize by unfolding the inductive definition

(Same loop as slide 8.)

    π·dll(ρ) := (π = null ∧ emp) ∨ (∃η. π·next ↦ η ∗ π·prev ↦ ρ ∗ η·dll(π))

State at the loop head: l ↦ α; segment from α·dll(null) to δ·dll(γ); δ·dll(γ); cur ↦ δ.

materialize: cur->prev. Unfold δ·dll(γ) forward; the empty case (δ = null) is ruled out by the loop guard, leaving
  l ↦ α; segment from α·dll(null) to δ·dll(γ); cur ↦ δ; δ·prev ↦ γ, δ·next ↦ ε; ε·dll(δ).

The test then reads cur->prev->val, so we need fields from γ. γ's cells are summarized at the end of the segment, not in any inductive edge: we need to unfold "backward".

Slide 10: Segments as partial checkers

Checker "run": on a concrete list with nodes α, β, γ, δ, checking dll from α makes the calls α·dll(null), β·dll(α), γ·dll(β), δ·dll(γ), null·dll(δ).

Summary: a segment α·c(γ) ∗= β·c'(γ') stands for a prefix of a checker run of some length i: running c from α with parameter γ reaches checker c' at β with parameter γ' after i steps. For i = 0 the segment is empty, meaning α = β, c = c' and γ = γ'.

Instance: α·dll(null) ∗= γ·dll(β) summarizes the cells visited before the run reaches γ (α·prev ↦ null, α·next ↦ β, β·prev ↦ α, β·next ↦ γ for two steps); for zero steps it means α = γ and β = null.

Slide 11: To unfold backward, split the segment and then unfold forward

(Same loop and dll definition as slides 8 and 9.)

materialize: cur->prev->next, starting from
  l ↦ α; segment from α·dll(null) to δ·dll(γ); cur ↦ δ; δ·prev ↦ γ, δ·next ↦ ε; ε·dll(δ).

Split the segment at its end into two cases:

  empty segment (zero steps): α = δ and γ = null, so l and cur alias:
    l, cur ↦ δ; δ·prev ↦ null, δ·next ↦ ε; ε·dll(δ).

  one step peeled off the end: a shorter segment from α·dll(null) to γ·dll(β), followed by the instance γ·dll(β), which is then unfolded forward:
    l ↦ α; segment from α·dll(null) to γ·dll(β); γ·prev ↦ β, γ·next ↦ δ; cur ↦ δ; δ·prev ↦ γ, δ·next ↦ ε; ε·dll(δ).

In the second case cur->prev->next is the materialized cell γ·next ↦ δ.
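The two materialization steps of slides 9 and 11 (forward unfolding of an inductive edge, and backward unfolding by splitting a segment as defined on slide 10), as an added example that is not the authors' analyzer. The edge representation (`PointsTo`, `Dll`, `DllSeg`, `Graph`), the symbol names, the treatment of l and cur as implicit (α and δ are their values) and the extra `val` cell per node (the slide's dll checker has only next and prev; the dedup test reads val) are all assumptions of this example. `materialize` returns the graphs in which the requested cell now exists and, separately, the graphs in which the dereferenced value is null, which an analysis would report or discard using its pure facts.

```python
"""Added example, not the authors' analyzer: a toy dll shape domain in which
materialization unfolds an inductive edge forward (slide 9) and, for a node that
is only summarized at the end of a segment, splits the segment and exposes its
last step (slides 10-11).  Edge representation, symbol names and the extra `val`
cell are assumptions of this example."""
from collections import namedtuple
import itertools

PointsTo = namedtuple("PointsTo", "src field dst")      # memory cell: src.field |-> dst
Dll = namedtuple("Dll", "src prev")                     # inductive edge src.dll(prev): a complete checker run
DllSeg = namedtuple("DllSeg", "src prev dst dst_prev")  # segment src.dll(prev) *= dst.dll(dst_prev): a partial run
Graph = namedtuple("Graph", "edges pure")               # edges: disjoint regions; pure: ("eq"|"ne", a, b) facts

_counter = itertools.count()


def fresh(prefix):
    """Fresh symbolic value (an existential introduced by unfolding)."""
    return f"{prefix}{next(_counter)}"


def rewrite(g, old, new_edges, facts=()):
    """Replace one summary edge by the edges it unfolds to, recording new pure facts."""
    return Graph((g.edges - {old}) | frozenset(new_edges), g.pure | frozenset(facts))


def is_null(g, sym):
    return sym == "null" or ("eq", sym, "null") in g.pure or ("eq", "null", sym) in g.pure


def rename(g, old, new):
    """Substitute one symbolic value for another once an equality is learned."""
    r = lambda x: new if x == old else x
    return Graph(frozenset(type(e)(*map(r, e)) for e in g.edges),
                 frozenset((k, r(a), r(b)) for k, a, b in g.pure))


def unfold_dll(g, e):
    """pi.dll(rho) := (pi = null /\\ emp) \\/ (exists eta. pi.next |-> eta * pi.prev |-> rho * eta.dll(pi)),
    plus an assumed pi.val cell.  Returns [null case, cons case]."""
    eta = fresh("eta")
    cells = {PointsTo(e.src, "next", eta), PointsTo(e.src, "prev", e.prev),
             PointsTo(e.src, "val", fresh("v")), Dll(eta, e.src)}
    return [rewrite(g, e, (), [("eq", e.src, "null")]),
            rewrite(g, e, cells, [("ne", e.src, "null")])]


def split_seg_backward(g, s):
    """Peel the last checker step off a segment: either the segment is empty
    (src = dst, prev = dst_prev) or it ends with the cells of dst_prev, whose
    next is dst and whose own prev parameter is a fresh rho."""
    q, rho = s.dst_prev, fresh("rho")
    cells = {DllSeg(s.src, s.prev, q, rho), PointsTo(q, "next", s.dst),
             PointsTo(q, "prev", rho), PointsTo(q, "val", fresh("v"))}
    return [rewrite(g, s, (), [("eq", s.src, s.dst), ("eq", s.prev, q)]),
            rewrite(g, s, cells, [("ne", q, "null")])]


def materialize(g, sym, field):
    """Expose the cell sym.field.  Returns (graphs holding the cell, graphs where sym = null)."""
    if is_null(g, sym):
        return [], [g]
    if any(isinstance(e, PointsTo) and e.src == sym and e.field == field for e in g.edges):
        return [g], []
    for e in g.edges:
        if isinstance(e, Dll) and e.src == sym:          # forward: unfold the inductive edge
            null_case, cons_case = unfold_dll(g, e)
            return [cons_case], [null_case]
        if isinstance(e, DllSeg) and e.dst_prev == sym:  # backward: split the segment, then the cell exists
            empty, step = split_seg_backward(g, e)
            ok, err = materialize(rename(empty, sym, e.prev), e.prev, field)
            return [step] + ok, err
    raise ValueError(f"no region summarizes {sym}.{field}")


def loop_head_state():
    """Slide 9's state: l |-> alpha, alpha.dll(null) *= delta.dll(gamma), delta.dll(gamma), cur |-> delta
    (l and cur are implicit; the loop guard cur != null is recorded as a fact)."""
    return Graph(frozenset({DllSeg("alpha", "null", "delta", "gamma"), Dll("delta", "gamma")}),
                 frozenset({("ne", "delta", "null")}))


def materialize_dedup_test():
    """The reads of `cur->prev->val == cur->val` with cur = delta: first cur->prev, then its val."""
    ok1, err1 = materialize(loop_head_state(), "delta", "prev")
    gamma = next(e.dst for e in ok1[0].edges
                 if isinstance(e, PointsTo) and e.src == "delta" and e.field == "prev")
    ok2, err2 = materialize(ok1[0], gamma, "val")
    return ok1, err1, ok2, err2
```

Running `materialize_dedup_test()` reproduces the slides: the first call unfolds δ·dll(γ) forward and yields δ·prev ↦ γ (its null case carries both δ = null and δ ≠ null, so a base domain would discard it); the second call finds γ only as the end parameter of the segment, splits it, and yields the shorter segment to γ·dll(ρ) plus γ's cells, while the empty case becomes α = δ with δ·prev ↦ null, i.e. the l = cur state in which cur->prev->val would be a null dereference.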

Slide 12: Outline (continued)

Part 2 of the shape analyzer: the type pre-analysis on the checker definitions (e.g., sorteddll), which tells materialization and update where to unfold; widening is in the paper.

Slide 13: Types for deciding where to unfold

Summary state: segment from α·dll(null) to γ·dll(β), then γ·dll(β). Its instance is the checker run over the concrete nodes α, β, γ, δ: α·dll(null), β·dll(α), γ·dll(β), δ·dll(γ), null·dll(δ).

If it exists, where is γ->next? In the inductive edge γ·dll(β): unfold it forward.
If it exists, where is β->next? In the last step of the segment: split the segment.

Checker definition:

    π·dll(ρ) := (π = null ∧ emp) ∨ (∃η. π·next ↦ η ∗ π·prev ↦ ρ ∗ η·dll(π))

• Types, computed from the checker definition, help the analysis decide where to unfold
• Types can be inferred automatically (see paper)

Slide 14: Summary: given checkers, everything is automatic

From the developer-supplied checkers (e.g., sorteddll), the shape analyzer derives the abstract interpretation (materialization and update, widening) and the type pre-analysis without further input.

Slide 15: Experiments

    Benchmark                                  Max. num. graphs    Max. num. iterations    Analysis
                                               at a program point  at a program point      time (ms)
    doubly-linked list reverse                 1                   3                       1.4
    doubly-linked list copy                    2                   3                       5.3
    doubly-linked list insert                  2                   4                       3.8
    doubly-linked list remove                  5                   4                       6.5
    doubly-linked list remove and back         5                   4                       6.8
    search tree with parent insert             5                   5                       8.3
    search tree with parent insert and back    5                   5                       47.0

Verified: the shape invariant as given by a checker is preserved across the operation.

Slide 16: Conclusion

• Inductive checkers can form the basis of an effective memory abstraction and analysis
  – Easily extensible on a per-program basis
• To enable materialization anywhere
  – Segments defined as partial checker runs
  – Type pre-analysis on checker definitions to decide where to unfold robustly
• Numerical reasoning via coordination with a base domain (see paper)

Slide 17: What can inductive shape analysis do for you?