# Shape Analysis


### Text of Shape Analysis

• Shape Analysis

Nicola Corti & Alessandro Baroni

• Introduction: Syntax

• Semantic: Pointer Expressions, Arithmetic & Boolean Expressions, Statements

• Shape Graphs: Abstract Location, Abstract State, Abstract Heaps, Example, Sharing Information, Complete Lattice

• The Analysis: $[b]^\ell$ and $[skip]^\ell$, $[x := a]^\ell$, $[x := y]^\ell$, $[x := y.sel]^\ell$ (Case 1, Case 2, Case 3), $[x.sel := a]^\ell$, $[x.sel := y]^\ell$, $[x.sel := y.sel]^\ell$, $[malloc\ x]^\ell$, $[malloc\ x.sel]^\ell$

Shape Analysis

Nicola Corti & Alessandro Baroni

University of Pisa, Static Analysis Techniques course

8 May 2014


Index

Introduction

Semantic

Shape Graphs

The Analysis


What is Shape Analysis?

Shape Analysis: an intraprocedural analysis that aims to determine the shape of heap-allocated memory.

1. Extend the While language with commands for heap management,

2. Present an abstract representation of the heap memory,

3. Present the analysis as a monotone framework.


Use cases of Shape Analysis

• nil-pointer dereferencing,

• Checking field existence (e.g. a.sel := 1, what if a does not have a sel field?),

• Validating properties of data structure shape (e.g. a non-cyclic structure is still non-cyclic after a computation).


Selectors and Pointers

Pointers

$$p \in \mathbf{PExp}$$

$$p ::= x \mid x.sel$$


Extended Syntax

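The extended syntax with pointers:

$$
\begin{aligned}
a &::= p \mid n \mid a_1\ op_a\ a_2 \mid \texttt{nil} \\
b &::= \texttt{true} \mid \texttt{false} \mid \texttt{not}\ b \mid b_1\ op_b\ b_2 \mid a_1\ op_r\ a_2 \mid op_p\ p \\
S &::= [p := a]^\ell \mid [\texttt{skip}]^\ell \mid S_1; S_2 \mid \texttt{if}\ [b]^\ell\ \texttt{then}\ S_1\ \texttt{else}\ S_2 \mid \texttt{while}\ [b]^\ell\ \texttt{do}\ S \mid [\texttt{malloc}\ p]^\ell
\end{aligned}
$$

Note that $op_r$ now accepts two operands of type $a$, such as two pointers (for an operation such as are-equals), and the operator $op_p$ accepts one pointer operand (think of operations like is-nil). The statement $[\texttt{malloc}\ p]^\ell$ allocates new space in the heap.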


Structural Operational Semantics

Loc

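From now on, a configuration of the semantics will be composed of a state and a heap:

$$
\begin{aligned}
\sigma &\in \mathbf{State} = \mathbf{Var} \to (\mathbf{Z} + \mathbf{Loc} + \{\diamond\}) \\
H &\in \mathbf{Heap} = (\mathbf{Loc} \times \mathbf{Sel}) \to_{\mathrm{fin}} (\mathbf{Z} + \mathbf{Loc} + \{\diamond\})
\end{aligned}
$$

Note that the heap $H$ needs a Loc and a Sel to return a value. The subscript fin represents the fact that not all the selector fields will be defined. The value $\diamond$ represents the nil value.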


Pointer Expressions

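We need to define a new semantic function for pointers:

$$\wp : \mathbf{PExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{\mathrm{fin}} (\mathbf{Z} + \mathbf{Loc} + \{\diamond\})$$

$$\wp[\![x]\!](\sigma, H) = \sigma(x)$$

$$
\wp[\![x.sel]\!](\sigma, H) =
\begin{cases}
H(\sigma(x), sel) & \text{if } \sigma(x) \in \mathbf{Loc} \text{ and } H \text{ is defined on } (\sigma(x), sel) \\
\text{undef} & \text{if } \sigma(x) \notin \mathbf{Loc} \text{ or } H \text{ is undefined on } (\sigma(x), sel)
\end{cases}
$$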


Arithmetic & Boolean Expressions

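We need to update the previous semantic functions to work with the new heap:

$$
\begin{aligned}
\mathcal{A} &: \mathbf{AExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{\mathrm{fin}} (\mathbf{Z} + \mathbf{Loc} + \{\diamond\}) \\
\mathcal{B} &: \mathbf{BExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{\mathrm{fin}} \mathbf{T}
\end{aligned}
$$

The new clauses for the arithmetic function are:

$$
\begin{aligned}
\mathcal{A}[\![p]\!](\sigma, H) &= \wp[\![p]\!](\sigma, H) \\
\mathcal{A}[\![n]\!](\sigma, H) &= \mathcal{N}[\![n]\!] \\
\mathcal{A}[\![a_1\ op_a\ a_2]\!](\sigma, H) &= \mathcal{A}[\![a_1]\!](\sigma, H)\ \mathbf{op}_a\ \mathcal{A}[\![a_2]\!](\sigma, H) \\
\mathcal{A}[\![\texttt{nil}]\!](\sigma, H) &= \diamond
\end{aligned}
$$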


Arithmetic & Boolean Expressions

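The new clauses for the boolean function are:

$$
\begin{aligned}
\mathcal{B}[\![a_1\ op_r\ a_2]\!](\sigma, H) &= \mathcal{A}[\![a_1]\!](\sigma, H)\ \mathbf{op}_r\ \mathcal{A}[\![a_2]\!](\sigma, H) \\
\mathcal{B}[\![op_p\ p]\!](\sigma, H) &= \mathbf{op}_p(\wp[\![p]\!](\sigma, H))
\end{aligned}
$$

Note that the meaning of $op_a$ and $op_r$ must be undefined if the types are not the same (e.g. two integers or two pointers).

$$
\text{is-nil}(v) =
\begin{cases}
tt & \text{if } v = \diamond \\
ff & \text{otherwise}
\end{cases}
$$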
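The semantic functions for pointer expressions, arithmetic expressions and is-nil can be read as a small evaluator over a concrete state and heap, which makes the two undefined cases (nil dereference and missing field) visible. This is an added example, not part of the original slides: the tuple encoding of expressions, the names `eval_ptr`, `eval_arith`, `is_nil`, `Loc`, `SIGMA`, `HEAP` and the sample configuration are assumptions made for illustration, and op_a is assumed to be defined on two integers only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Loc:
    """A heap location; the integer id is arbitrary."""
    id: int

NIL = "<nil>"    # the distinguished nil value of the semantics
UNDEF = None     # result of a partial function where it is not defined

def eval_ptr(p, sigma, heap):
    """Pointer expressions, encoded as ("var", x) or ("sel", x, sel)."""
    if p[0] == "var":
        return sigma.get(p[1], UNDEF)
    _, x, sel = p
    base = sigma.get(x, UNDEF)
    # Defined only if sigma(x) is a location AND the heap is defined on (loc, sel).
    if isinstance(base, Loc) and (base, sel) in heap:
        return heap[(base, sel)]
    return UNDEF  # x holds nil or an integer, or the selector field does not exist

def eval_arith(a, sigma, heap):
    """Arithmetic expressions: pointer expr, ("num", n), ("nil",), ("op", f, a1, a2)."""
    if a[0] in ("var", "sel"):
        return eval_ptr(a, sigma, heap)
    if a[0] == "num":
        return a[1]
    if a[0] == "nil":
        return NIL
    _, f, a1, a2 = a
    v1, v2 = eval_arith(a1, sigma, heap), eval_arith(a2, sigma, heap)
    # Assumption: op_a is only defined when both operands are integers.
    if isinstance(v1, int) and isinstance(v2, int):
        return f(v1, v2)
    return UNDEF

def is_nil(p, sigma, heap):
    """op_p instance is-nil; undefined when the pointer expression is undefined."""
    v = eval_ptr(p, sigma, heap)
    return UNDEF if v is UNDEF else v == NIL

# Constructed sample configuration: x -> cell 1 -> cell 2 -> nil, y = nil, n = 7.
L1, L2 = Loc(1), Loc(2)
SIGMA = {"x": L1, "y": NIL, "n": 7}
HEAP = {(L1, "next"): L2, (L1, "val"): 10, (L2, "next"): NIL}
```

With this configuration, `y.next` (nil dereference) and `x.prev` (field not present) both evaluate to undefined, which are the first two use cases a shape analysis is meant to catch statically.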
