Page 1: Shape Analysis by Graph Decomposition

R. Manevich, M. Sagiv (Tel Aviv University)
G. Ramalingam (MSR India)
J. Berdine, B. Cook (MSR Cambridge)

Page 2: Motivation

- Challenge: precise and efficient shape analyses
  - Prove properties of dynamically allocated linked data structures
- Observation: many correlations are often irrelevant for proving shape properties
- Our approach: develop a flexible abstraction that takes advantage of this

Page 3: Example program – 2 lists

[Figure: two disjoint singly linked lists, h1 ... t1 and h2 ... t2, and the abstract state h1 t1 / h2 t2 used in the rest of the talk.]

    // @assume h1 != null && h1 == t1 && h1.n == null &&
    //         h2 != null && h2 == t2 && h2.n == null
    //
    // @loop_invariant Reach(h1, t1) &&
    //                 Reach(h2, t2) &&
    //                 DisjointLists(h1, h2)
    EnqueueEvents() {
    L1: while (...) {
            List temp = new List(getEvent());
            if (nondet()) {
                t1.n = temp; t1 = temp;   // append the new cell to list 1
            } else {
                t2.n = temp; t2 = temp;   // append the new cell to list 2
            }
        }
    }

The correlation between the two lists is irrelevant for proving the loop invariant.

Page 4: Abstract states – full heaps [VMCAI'05]

[Figure: a list of size 1 (h1 == t1), of size 2 (one segment of length 1) and of size > 2 (one segment of length > 1), and the 3 × 3 = 9 full-heap abstract states obtained by combining one such state for h1..t1 with one for h2..t2.]

Page 5: Graph decomposition

[Figure: the same 9 full-heap abstract states, each split at the boundary between its h1..t1 component and its h2..t2 component.]

Page 6: Graph decomposition

- Connected components by undirected reachability

[Figure: the full-heap state with segments h1 -1-> t1 and h2 -1-> t2 is decomposed into connected component 1 (h1 -1-> t1) and connected component 2 (h2 -1-> t2).]

Page 7: Abstract states – decomposed heaps

[Figure: the six subgraphs: for list 1, h1 == t1, h1 -1-> t1 and h1 ->1-> t1; for list 2, the same three states over h2 and t2.]

- For k lists:
  - the full heap abstraction generates 3^k abstract states
  - the decomposed heap abstraction generates 3 × k abstract states
- A coarser abstraction that is still precise enough to prove the invariant, but generates far fewer states

Page 8: Overall view

[Figure: three domains connected by abstraction and concretization maps. Concrete domain: concrete heaps (h1 ... t1, h2 ... t2). Full heaps domain: shape graphs, reached by β_FH and concretized by γ_FH; shape graphs track ALL correlations. Decomposed heaps domain: shape subgraphs (h1 -1-> t1, h1 ->1-> t1, h2 -1-> t2, ...), reached from shape graphs by β_GD and concretized by γ_GD; shape subgraphs track only SOME correlations.]

Page 9: Main results

- New abstraction for shape analysis that reduces exponential factors by:
  - connected component decomposition
  - abstracting away null-value correlations
- Sound and sufficiently precise transformers
  - most precise transformers are FNP-complete
  - polynomial-time efficient transformers that are sufficiently precise
- Implementation and empirical results
  - sufficiently precise on a set of benchmarks, including Windows device driver models
  - state space / time reduced by a factor of up to 33 / 212

Page 10: Outline

- Full heap abstraction [VMCAI'05]: the reference abstraction
- Further abstraction by decomposition
  - connected component decomposition
  - abstracting away null-value correlations (details in paper)
- Abstract transformers
  - concretization by composition
- Experimental results

Page 11: Full heap abstraction [VMCAI'05]

[Figure: the overall view (concrete heaps, shape graphs, shape subgraphs), highlighting β_FH and γ_FH between concrete heaps and shape graphs.]

Page 12: Full heap abstraction [VMCAI'05]

- Abstraction for singly-linked lists
- Basic concepts:
  - interruptions (bounded number of)
  - uninterrupted list segments (bounded number of)
- The abstraction keeps the interruptions and abstracts segment lengths to {1, >1}
- The result is a shape graph

[Figure: a concrete heap with variables x and y is mapped by β_FH to a shape graph whose segments are labelled 1, >1, >1, >1; α_FH on sets of heaps is the point-wise extension of β_FH.]

Page 13: Graph decomposition abstraction

[Figure: the overall view (concrete heaps, shape graphs, shape subgraphs), highlighting β_GD and γ_GD between shape graphs and shape subgraphs.]

Page 14: Graph decomposition abstraction

- An abstraction of shape graphs: a further abstraction over the shape graphs of [VMCAI'05]
- Decouples connected components
  - intuitively, different components = different logical data structures
- Result = a set of shape subgraphs

Page 15: Connected components decomposition

[Figure: β_GD applied to shape graphs over h1, t1, h2, t2 with segment lengths 1 and >1; each shape graph is split into its h1..t1 component and its h2..t2 component.]

Page 16: Concretization γ_GD

[Figure: the overall view (concrete heaps, shape graphs, shape subgraphs), highlighting γ_GD from shape subgraphs back to shape graphs.]

Page 17: Abstracting correlations

[Figure: β_GD applied to a set of shape graphs over h1, t1, h2, t2 with segment lengths 1 and >1; the resulting set of subgraphs no longer records which h1..t1 state occurred together with which h2..t2 state.]

Page 18: Abstract transformers

- Need transformers for the program statements:
  x = new List(), x = null, x = y, x = y.n, x.n = y, assume(x != y), assume(x == y), ...

Page 19: Abstract transformers outline

- Induced transformers by concretization (from subgraphs to shape graphs and back)
  - problem: concretization introduces an exponential space blow-up
- Most precise transformers by partial concretization
  - avoids the exponential space blow-up
  - requires an oracle to test strong feasibility
  - the strong feasibility test is NP-complete
- Conservative transformers
  - give up on the strong feasibility test
  - avoids the exponential time blow-up

Page 20: Most precise transformer [CC'77]

[Figure: the overall view with the statement st applied in each domain; the most precise transformer on shape subgraphs concretizes with γ_GD to shape graphs, applies st there, and abstracts back with β_GD.]

Problem: concretization is exponential space in the worst case.

Page 21: Partial concretization

- Compose weakly-feasible subgraphs: subgraphs that do not share any variables
- Compose only the subgraphs in the footprint of the statement
- Compose at most any 2 or 3 subgraphs

[Figure: subgraphs over h1, t1 (h1 == t1, h1 -1-> t1, h1 ->1-> t1) and over h2, t2 (h2 -1-> t2), and the compositions of pairs that share no variables.]

Page 22: Transformer example

[Figure: the statement t1.n = temp applied to the decomposed state {temp, h1 == t1, h1 -1-> t1, h2 == t2}. Only the subgraphs in the footprint of the statement (the one carrying temp and those carrying t1) are composed; t1.n = temp links t1 to temp, giving h1 == t1 -1-> temp and h1 -1-> t1 -1-> temp; the subgraph h2 == t2 is passed through unchanged.]

Page 23: Most precise transformer

- The most precise transformer requires a strong feasibility test: check that the subgraphs can be extended to include all variables

[Figure: five subgraphs M1 ... M5 over the variables x, y, z and w; M1 and M4 compose into a subgraph over x, z and y. Can it be extended to have variable w?]

Page 24: Most precise transformer

- The most precise transformer requires a strong feasibility test: check that the subgraphs can be extended to include all variables

[Figure: the same five subgraphs; adding the subgraph that carries w together with x fails. Inconsistency: shared variable x.]

Page 25: Most precise transformer

[Figure: the same five subgraphs; the other subgraph carrying w fails as well. Inconsistency: shared variable y.]

- Conclusion: the composition of M1 and M4 can't be extended with w
- M1 and M4 are weakly-feasible but not strongly-feasible in {M1, ..., M5}
- Strong feasibility is NP-complete, therefore the most precise transformer is FNP-complete
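The following is an added example, not code from the paper or its prototype, that makes the three notions on these slides concrete: weak feasibility (the consistency test the conservative transformer settles for), strong feasibility (extendable to a full shape graph), and γ_GD computed by composition. It reduces each subgraph to the set of program variables it carries, which is all these tests look at, and uses a constructed instance M1 ... M5 over w, x, y, z that reproduces the situation on the slides (M1 and M4 compose consistently but cannot be extended with w); it is not the instance drawn there.

```python
from itertools import combinations

# Subgraphs reduced to the set of program variables they carry, which is all the
# feasibility tests on these slides look at. The instance is constructed for this
# example and is not the one drawn on the slides.
VARS = frozenset("wxyz")
SUBGRAPHS = {
    "M1": frozenset("xz"),
    "M2": frozenset("wx"),
    "M3": frozenset("wy"),
    "M4": frozenset("y"),
    "M5": frozenset("wz"),
}


def weakly_feasible(names, subgraphs=SUBGRAPHS):
    """Weak feasibility, also the conservative transformer's consistency test:
    the chosen subgraphs share no variable, so they can be composed."""
    return all(subgraphs[a].isdisjoint(subgraphs[b]) for a, b in combinations(names, 2))


def extensions(chosen, subgraphs=SUBGRAPHS, all_vars=VARS):
    """Every way to extend `chosen` with pairwise disjoint subgraphs until all program
    variables are covered, i.e. until the composition is a full shape graph.
    Branching on one uncovered variable per level finds each cover exactly once;
    the search is exponential in the worst case, which is the NP-hard core of the
    most precise transformer."""
    covered = frozenset().union(*(subgraphs[n] for n in chosen))
    if covered == all_vars:
        return [frozenset(chosen)]
    target = min(all_vars - covered)
    found = []
    for name, vs in subgraphs.items():
        if target in vs and vs.isdisjoint(covered):
            found.extend(extensions(chosen | {name}, subgraphs, all_vars))
    return found


def strongly_feasible(names, subgraphs=SUBGRAPHS, all_vars=VARS):
    """Strong feasibility: the composition of `names` occurs in some full shape graph
    of gamma_GD, i.e. it can be extended to cover all program variables."""
    names = set(names)
    return weakly_feasible(names, subgraphs) and bool(extensions(names, subgraphs, all_vars))


def concretize(subgraphs=SUBGRAPHS, all_vars=VARS):
    """gamma_GD restricted to variable sets: all full compositions of weakly
    feasible subgraphs (for this instance there is exactly one)."""
    return set(extensions(set(), subgraphs, all_vars))
```

With this instance, weakly_feasible({"M1", "M4"}) holds (x, z and y are distinct), but strongly_feasible({"M1", "M4"}) does not: every subgraph carrying w shares x, y or z with the partial composition, exactly the two inconsistencies shown on the slides. The only full shape graph in concretize() is {M1, M3}, so a most precise transformer would discard the M1 + M4 composition, while a conservative transformer, which only runs the consistency test, keeps it and is therefore sound but less precise.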

Page 26: Making the transformers efficient

- The vanilla transformer is inefficient in practice
- Incremental transformers: reuse the results of previous iterations (details in paper)
- Engineering optimizations: avoid unnecessarily composing subgraphs, ...
- The optimized transformers are linear time in practice

Page 27: Prototype implementation

- Implemented in Java
- Supports assertions: assertReach(x,y), assertDisjointLists(x,y), assertAcyclicList(x), assertCyclicList(x), assert(x==y), assert(x!=y)
- Checks cleanness properties: absence of null dereferences, absence of memory leaks, no misuse of dangling pointers

Page 28: Experiments – precision

- Precision lost in just 2 of 21 benchmarks:
  - getLast: unable to prove that x points to the last cell, due to an imprecise transformer; can be avoided by simple and efficient heuristics
  - queue_2_stack: intentionally constructed; the loss of correlations matters for proving the property
- Same precision as the full heap analysis on the other benchmarks

Page 29: Experiments – "standard" suite

- Programs operating on 1-2 lists: insert, delete, reverse, merge, ...
- The new analysis is slightly less efficient, but running times are < 0.6 seconds so...

Page 30: Experiments – multiple lists

[Chart: ratio (number of shape graphs) / (number of subgraphs) per multiple-list benchmark: 1.4, 0.5, 12.0, 33.5, 2.4, 4.6 and 11.6; the 11.6 bar corresponds to 89,430 shape graphs versus 7,733 subgraphs.]

Page 31: Experiments – multiple lists

[Chart: ratio (full shape graph analysis time) / (graph decomposition analysis time) per multiple-list benchmark: 1.0, 0.5, 25.0, 95.0, 14.6, 21.7 and 212.5; the 212.5 bar corresponds to 552.6 seconds versus 2.6 seconds.]

Page 32: Properties of the abstraction

- No loss of precision when the connected components represent completely independent lists
- Reduces the state space exponentially
- Loss of precision when mixing abstract states: γ_GD(X1 ∪ X2) ⊇ γ_GD(X1) ∪ γ_GD(X2), and the inclusion is strict in general, since subgraphs of X1 compose with subgraphs of X2
- So where is this technique useful?

Page 33: Related work

- Partial isomorphism join [Manevich et al. SAS'04]: applied in a more generic context, but does not reduce the exponential blow-ups addressed in this paper
- Heap analysis by separation [Yahav et al. PLDI'04] [Hackett et al. POPL'05]: decompose the verification problem itself and conservatively approximate contexts
- Heap decomposition for interprocedural analysis [Rinetzky et al. POPL'05] [Rinetzky et al. SAS'05] [Gotsman et al. SAS'06] [Gotsman et al. PLDI'07]: decompose/compose at procedure boundaries
- Predicate/variable clustering [Clark et al. CAV'00]: statically-determined decomposition

Page 34: Conclusions

- New abstraction scheme to control the precision/cost trade-off for shape analyses
- Efficient algorithms for the abstract domain operations: abstraction, partial concretization, transformers, ...
- Applicable beyond singly-linked lists, e.g., the class of graphs supported by Lev-Ami et al. [CAV'06]: doubly-linked lists, trees, ...

Page 35: Ongoing work

- Extension for concurrent program analysis
- Future work: tune the abstraction by counterexample-guided refinement

Page 36: Questions?

Page 37: Conservative transformer

- Computes a superset of the subgraphs computed by the most precise transformer
- Algorithm sketch:
  - compose the components in the footprint of the statement
  - apply the local st on the footprint and decompose the result
  - test consistency instead of strong feasibility
  - pass the other components through as they are
- Time(st) is polynomial in the number of variables in st: x = null: linear; x.n = y: quadratic; assume(x == y): cubic
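The following is an added example, not code from the paper or its prototype, that serves two passages: the decomposition of slides 5-7 (the 3^k full-heap states of k lists collapse to 3 × k subgraphs) and the conservative transformer sketched on this slide, run over the two statements of the EnqueueEvents loop. It uses its own minimal encoding of a shape graph (nodes are interruptions, edges are segments labelled "1" or ">1"), and makes one simplifying assumption that the paper does not: every interruption is pointed to by some variable, which holds throughout EnqueueEvents, so nodes can be named canonically after the smallest variable pointing to them. The statement kinds "x=new", "x.n=y" and "x=y" and all function names are this example's own.

```python
from collections import deque
from itertools import product

# A shape graph is {"vars": {variable: node}, "edges": {(src, dst, seg)}}: a node is
# an interruption (a list cell some variable points to) and an edge is an
# uninterrupted segment whose length is abstracted to seg in {"1", ">1"}.
# Simplifying assumption (ours, not the paper's): every node is pointed to by a
# variable, so it can be named canonically after the smallest such variable.

def canonical(graph):
    """Freeze a graph, renaming every node to the smallest variable pointing to it."""
    name = {}
    for var, node in graph["vars"].items():
        name[node] = min(name.get(node, var), var)
    return (frozenset((v, name[n]) for v, n in graph["vars"].items()),
            frozenset((name[s], name[d], seg) for s, d, seg in graph["edges"]))

def decompose(graph):
    """beta_GD: split a shape graph into connected components by undirected reachability."""
    adj = {n: set() for n in graph["vars"].values()}
    for s, d, _ in graph["edges"]:
        adj.setdefault(s, set()).add(d)
        adj.setdefault(d, set()).add(s)
    seen, parts = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        while queue:
            n = queue.popleft()
            if n not in comp:
                comp.add(n)
                queue.extend(adj[n])
        seen |= comp
        parts.append(canonical({"vars": {v: n for v, n in graph["vars"].items() if n in comp},
                                "edges": {e for e in graph["edges"] if e[0] in comp}}))
    return frozenset(parts)

def compose(subgraphs):
    """Union of weakly feasible subgraphs (none share a variable), thawed to a mutable graph."""
    g = {"vars": {}, "edges": set()}
    for vars_, edges in subgraphs:
        assert not {v for v, _ in vars_} & set(g["vars"]), "subgraphs share a variable"
        g["vars"].update(dict(vars_))
        g["edges"] |= set(edges)
    return g

def list_states(head, tail):
    """The three abstract states of one list (slide 4): head==tail, a 1-segment, a >1-segment."""
    h, t = head + "@", tail + "@"                     # two distinct node ids
    return [canonical({"vars": {head: h, tail: h}, "edges": set()}),
            canonical({"vars": {head: h, tail: t}, "edges": {(h, t, "1")}}),
            canonical({"vars": {head: h, tail: t}, "edges": {(h, t, ">1")}})]

def count_states(k):
    """(#full shape graphs, #distinct subgraphs) for k independent lists: 3**k versus 3*k."""
    per_list = [list_states(f"h{i}", f"t{i}") for i in range(1, k + 1)]
    full = [compose(combo) for combo in product(*per_list)]
    return len(full), len(set().union(*(decompose(g) for g in full)))

def normalize(graph):
    """Re-abstract after a statement ([VMCAI'05]): a cell no variable points to, with one
    predecessor and one successor, is not an interruption; merge its segments into one >1."""
    g = {"vars": dict(graph["vars"]), "edges": set(graph["edges"])}
    while True:
        hidden = [n for n in {x for e in g["edges"] for x in e[:2]} if n not in g["vars"].values()]
        merged = False
        for n in hidden:
            ins = [e for e in g["edges"] if e[1] == n]
            outs = [e for e in g["edges"] if e[0] == n]
            if len(ins) == 1 and len(outs) == 1:
                g["edges"] -= {ins[0], outs[0]}
                g["edges"].add((ins[0][0], outs[0][1], ">1"))
                merged = True
                break
        if not merged:
            return g

def transform(subgraphs, stmt):
    """Conservative transformer: compose only the subgraphs in the statement's footprint,
    apply the statement locally, re-abstract and decompose, pass the rest through."""
    kind, x, y = stmt
    touched = {s for s in subgraphs if {x, y} & {v for v, _ in s[0]}}
    g = compose(touched)
    if kind == "x=new":                               # fresh cell; x's old node keeps its other pointers
        g["vars"][x] = "new:" + x
    elif kind == "x.n=y":                             # x is a list tail here, so x.n is null
        assert all(s != g["vars"][x] for s, _, _ in g["edges"]), "x.n not null"
        g["edges"].add((g["vars"][x], g["vars"][y], "1"))
    elif kind == "x=y":
        g["vars"][x] = g["vars"][y]
    return (subgraphs - touched) | decompose(normalize(g))

def enqueue_step(subgraphs, tail):
    """One iteration of the EnqueueEvents loop, appending a new cell to the list ending at `tail`."""
    state = transform(subgraphs, ("x=new", "temp", None))
    state = transform(state, ("x.n=y", tail, "temp"))
    return transform(state, ("x=y", tail, "temp"))

def example():
    """From the precondition (each list a single cell) append twice to list 1; the
    subgraph of list 2 is never composed with anything and passes through unchanged."""
    init = frozenset({canonical({"vars": {"h1": "a", "t1": "a"}, "edges": set()}),
                      canonical({"vars": {"h2": "b", "t2": "b"}, "edges": set()})})
    return init, enqueue_step(enqueue_step(init, "t1"), "t1")
```

count_states(3) returns (27, 9): the 3^k full shape graphs decompose to 3 × k distinct subgraphs, as on slide 7. In example(), the first iteration turns h1 == t1 into h1 -1-> t1 (with temp also at t1); in the second, t1 = temp leaves the old tail cell without any variable, and normalize merges its two 1-segments into h1 ->1-> t1, which is how the VMCAI'05 abstraction keeps the number of interruptions bounded. The h2 == t2 subgraph is outside the footprint of every statement and is returned as is, which is the whole point of the conservative transformer: the cost of a statement depends on the size of its footprint, not on the number of lists in the heap.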

Page 38: Concretization γ_GD

- Maps sets of shape subgraphs to sets of full shape graphs
- Mathematically: γ_GD(X_G) = { G | β_GD(G) ⊆ X_G }
- Algorithmically: by composing weakly-feasible subgraphs
  - subgraphs that do not share any variables
  - a full shape graph includes all program variables