Shape Analysis


  • Shape Analysis

    Nicola Corti & Alessandro Baroni

    University of Pisa, Static Analysis Techniques course

    8 May 2014

    Outline (slide sidebar):

    Introduction: Syntax

    Semantics: Pointer Expressions; Arithmetic & Boolean Expressions; Statements

    Shape Graphs: Abstract Location; Abstract State; Abstract Heaps; Example; Sharing Information; Complete Lattice

    The Analysis: [b]^ℓ and [skip]^ℓ; [x := a]^ℓ; [x := y]^ℓ; [x := y.sel]^ℓ (Case 1, Case 2, Case 3); [x.sel := a]^ℓ; [x.sel := y]^ℓ; [x.sel := y.sel]^ℓ; [malloc x]^ℓ; [malloc x.sel]^ℓ

  • Index

    Introduction

    Semantics

    Shape Graphs

    The Analysis

  • What is Shape Analysis?

    Shape Analysis: an intraprocedural analysis aimed at figuring out the shape of heap-allocated memory. The plan:

    1. Extend the While language with commands for heap management,

    2. Present an abstract representation of the heap memory,

    3. Present the analysis as an instance of the monotone framework.

  • Use cases of Shape Analysis

    • Detecting nil-pointer dereferencing,

    • Checking field existence (e.g. a.sel := 1: what if the cell pointed to by a does not have a sel field?),

    • Validating properties of a data structure's shape (e.g. a non-cyclic structure is still non-cyclic after a computation).

  • Selectors and Pointers

    Selectors: $sel \in \mathbf{Sel}$

    Pointers: $p \in \mathbf{PExp}$, with $p ::= x \mid x.sel$

  • Extended Syntax

    The extended syntax with pointers:

    $$a ::= p \mid n \mid a_1 \; op_a \; a_2 \mid \mathrm{nil}$$

    $$b ::= \mathrm{true} \mid \mathrm{false} \mid \mathrm{not}\; b \mid b_1 \; op_b \; b_2 \mid a_1 \; op_r \; a_2 \mid op_p \; p$$

    $$S ::= [p := a]^\ell \mid [\mathrm{skip}]^\ell \mid S_1; S_2 \mid \mathrm{if}\; [b]^\ell \;\mathrm{then}\; S_1 \;\mathrm{else}\; S_2 \mid \mathrm{while}\; [b]^\ell \;\mathrm{do}\; S \mid [\mathrm{malloc}\; p]^\ell$$

    Note that $op_r$ now accepts two operands of type $a$, which may be two pointers (for an operation such as are-equal), and that the new operator $op_p$ accepts a single pointer operand (think of operations like is-nil). The statement $[\mathrm{malloc}\; p]^\ell$ allocates a fresh cell in the heap and makes $p$ point to it.

  • Structural Operational Semantics

    We add values for locations: the set $\mathbf{Loc}$.

    From now on a configuration of the semantics is a pair $(\sigma, H)$ composed of a state and a heap:

    $$\sigma \in \mathbf{State} = \mathbf{Var} \to (\mathbb{Z} + \mathbf{Loc} + \{\diamond\})$$

    $$H \in \mathbf{Heap} = (\mathbf{Loc} \times \mathbf{Sel}) \to_{fin} (\mathbb{Z} + \mathbf{Loc} + \{\diamond\})$$

    Note that the heap $H$ needs both a location and a selector to return a value. The subscript $fin$ records that $H$ is a finite partial map: not all selector fields of a cell need to be defined. The value $\diamond$ represents nil.


  • Pointer Expressions

    We need to define a new semantic function for pointer expressions:

    $$\wp : \mathbf{PExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{fin} (\mathbb{Z} + \mathbf{Loc} + \{\diamond\})$$

    $$\wp[\![x]\!](\sigma, H) = \sigma(x)$$

    $$\wp[\![x.sel]\!](\sigma, H) = \begin{cases} H(\sigma(x), sel) & \text{if } \sigma(x) \in \mathbf{Loc} \text{ and } H \text{ is defined on } (\sigma(x), sel) \\ \mathrm{undef} & \text{if } \sigma(x) \notin \mathbf{Loc} \text{ or } H \text{ is undefined on } (\sigma(x), sel) \end{cases}$$

    The undef case is exactly where a nil-pointer dereference or an access to a missing field happens: $\sigma(x)$ is $\diamond$ (or an integer), or the cell has no $sel$ field.

  • Arithmetic & Boolean Expressions

    We need to update the old semantic functions so that they work with the new heap:

    $$\mathcal{A} : \mathbf{AExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{fin} (\mathbb{Z} + \mathbf{Loc} + \{\diamond\})$$

    $$\mathcal{B} : \mathbf{BExp} \to (\mathbf{State} \times \mathbf{Heap}) \to_{fin} \mathbf{T}$$

    The new clauses for the arithmetic function are:

    $$\mathcal{A}[\![p]\!](\sigma, H) = \wp[\![p]\!](\sigma, H)$$

    $$\mathcal{A}[\![n]\!](\sigma, H) = \mathcal{N}[\![n]\!]$$

    $$\mathcal{A}[\![a_1 \; op_a \; a_2]\!](\sigma, H) = \mathcal{A}[\![a_1]\!](\sigma, H) \; op_a \; \mathcal{A}[\![a_2]\!](\sigma, H)$$

    $$\mathcal{A}[\![\mathrm{nil}]\!](\sigma, H) = \diamond$$

  • Arithmetic & Boolean Expressions (continued)

    The new clauses for the boolean function are:

    $$\mathcal{B}[\![a_1 \; op_r \; a_2]\!](\sigma, H) = \mathcal{A}[\![a_1]\!](\sigma, H) \; op_r \; \mathcal{A}[\![a_2]\!](\sigma, H)$$

    $$\mathcal{B}[\![op_p \; p]\!](\sigma, H) = op_p(\wp[\![p]\!](\sigma, H))$$

    Note that the meaning of $op_a$ and $op_r$ must be undefined unless both operands have the same type (two integers, or two pointers): comparing an integer with a location, or adding a location to an integer, is not a value of the semantics.

    $$\mathrm{is\text{-}nil}(v) = \begin{cases} \mathit{tt} & \text{if } v = \diamond \\ \mathit{ff} & \text{otherwise} \end{cases}$$
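    The semantic functions on the Extended Syntax, Pointer Expressions and Arithmetic & Boolean Expressions slides are precise enough to execute. The interpreter below is an added example written for this page (it is not code from the slides or their authors): it runs While-with-pointers programs over a configuration (sigma, H) and raises wherever the semantics is undef, which is exactly the nil dereference and missing-field situations the analysis is meant to rule out. Assumptions of the example: programs are encoded as nested Python tuples, $op_a$ is limited to `+ - *`, $op_r$ to `<` and `=`, $op_b$ to `and`/`or`, the only $op_p$ is is-nil, and the statement rules (assignment, malloc, sequencing, if, while, skip) follow the obvious reading of the syntax slide since the Statements slide is not part of this excerpt. The two constructed programs (`build_list`, `list_length`) are also invented for the example.

```python
# Added example (not from the slides): an interpreter for the While language with
# pointers, following the semantic functions on the slides. Values are int (Z),
# Loc (a heap location) or NIL (the nil value); wherever the semantics is "undef"
# (nil dereference, missing selector field, op_a/op_r on mixed types) we raise
# Undefined instead of inventing a result.
from collections import namedtuple

Loc = namedtuple('Loc', 'id')          # a heap location
NIL = object()                          # the nil value
class Undefined(Exception): pass        # raised where the semantics is undefined

class Config:                           # a configuration (sigma, H)
    def __init__(self):
        self.state, self.heap, self.next_loc = {}, {}, 0   # sigma, H (partial map), allocation counter
    def fresh(self):                    # a location not yet used by the heap
        self.next_loc += 1
        return Loc(self.next_loc)

# Abstract syntax as tuples (an assumption of this example): p ::= ('var', x) | ('sel', x, sel)
#   a ::= p | ('num', n) | ('op_a', op, a1, a2) | ('nil',)
#   b ::= ('true',) | ('false',) | ('not', b) | ('op_b', op, b1, b2) | ('op_r', op, a1, a2) | ('is-nil', p)
#   S ::= ('assign', p, a) | ('skip',) | ('seq', S1, S2) | ('if', b, S1, S2) | ('while', b, S) | ('malloc', p)

def eval_p(p, c):
    """Pointer semantics: sigma(x), or H(sigma(x), sel) when sigma(x) is a location and the field exists."""
    if p[0] == 'var':
        if p[1] not in c.state: raise Undefined(f"{p[1]} is unbound")
        return c.state[p[1]]
    _, x, sel = p
    if not isinstance(c.state.get(x), Loc):
        raise Undefined(f"{x}.{sel}: {x} does not hold a location (nil dereference?)")
    if (c.state[x], sel) not in c.heap:
        raise Undefined(f"{x}.{sel}: field {sel} is not defined at {c.state[x]}")
    return c.heap[(c.state[x], sel)]

ARITH = {'+': int.__add__, '-': int.__sub__, '*': int.__mul__}   # op_a (assumed set)
REL = {'<': int.__lt__, '=': int.__eq__}                          # op_r (assumed set)

def eval_a(a, c):
    k = a[0]
    if k in ('var', 'sel'): return eval_p(a, c)
    if k == 'num': return a[1]
    if k == 'nil': return NIL
    u, v = eval_a(a[2], c), eval_a(a[3], c)               # k == 'op_a'
    if not (isinstance(u, int) and isinstance(v, int)):
        raise Undefined("op_a applied to non-integers")
    return ARITH[a[1]](u, v)

def eval_b(b, c):
    k = b[0]
    if k in ('true', 'false'): return k == 'true'
    if k == 'not': return not eval_b(b[1], c)
    if k == 'op_b':
        u, v = eval_b(b[2], c), eval_b(b[3], c)
        return (u and v) if b[1] == 'and' else (u or v)
    if k == 'is-nil': return eval_p(b[1], c) is NIL      # the op_p on the slides
    u, v = eval_a(b[2], c), eval_a(b[3], c)               # k == 'op_r'
    if isinstance(u, int) and isinstance(v, int): return REL[b[1]](u, v)
    if b[1] == '=' and all(isinstance(w, Loc) or w is NIL for w in (u, v)): return u == v
    raise Undefined("op_r applied to operands of different types")

def store(p, v, c):                     # [p := a]: update sigma for x, H for x.sel
    if p[0] == 'var':
        c.state[p[1]] = v
    elif isinstance(c.state.get(p[1]), Loc):
        c.heap[(c.state[p[1]], p[2])] = v
    else:
        raise Undefined(f"{p[1]}.{p[2]} := ...: {p[1]} does not hold a location")

def exec_s(s, c):
    k = s[0]
    if k == 'assign': store(s[1], eval_a(s[2], c), c)
    elif k == 'malloc': store(s[1], c.fresh(), c)          # fresh cell with no fields yet
    elif k == 'seq': c = exec_s(s[2], exec_s(s[1], c))
    elif k == 'if': c = exec_s(s[2] if eval_b(s[1], c) else s[3], c)
    elif k == 'while':
        while eval_b(s[1], c): c = exec_s(s[2], c)
    return c                                              # 'skip' leaves c unchanged

# Constructed programs (not from the slides) exercising the semantics.
V = lambda x: ('var', x)
def seq(*ss): return ss[0] if len(ss) == 1 else ('seq', ss[0], seq(*ss[1:]))

def build_list(n):
    """x := nil; i := 0; while i < n do (malloc y; y.val := i; y.next := x; x := y; i := i + 1)"""
    loop = ('while', ('op_r', '<', V('i'), ('num', n)),
            seq(('malloc', V('y')), ('assign', ('sel', 'y', 'val'), V('i')),
                ('assign', ('sel', 'y', 'next'), V('x')), ('assign', V('x'), V('y')),
                ('assign', V('i'), ('op_a', '+', V('i'), ('num', 1)))))
    return exec_s(seq(('assign', V('x'), ('nil',)), ('assign', V('i'), ('num', 0)), loop), Config())

def list_length(c):
    """n := 0; z := x; while not is-nil(z) do (n := n + 1; z := z.next)"""
    loop = ('while', ('not', ('is-nil', V('z'))),
            seq(('assign', V('n'), ('op_a', '+', V('n'), ('num', 1))), ('assign', V('z'), ('sel', 'z', 'next'))))
    return exec_s(seq(('assign', V('n'), ('num', 0)), ('assign', V('z'), V('x')), loop), c).state['n']

def is_undefined(thunk):
    """True when evaluating thunk() hits an 'undef' clause of the semantics."""
    try:
        thunk(); return False
    except Undefined:
        return True
```

    `build_list(3)` allocates three cells, each with a `val` and a `next` field, and leaves `x` pointing at the last one; `list_length` walks `next` until is-nil holds and returns 3. Evaluating `z.next` right after `z := nil` or right after `malloc z` both land in the undef branch of the pointer semantics (the first is a nil dereference, the second a missing field), which is the concrete behaviour the use cases on the earlier slide want to detect statically, before the program runs.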
