Lecture 08a Shape Analysis continued Lecture 08b Typestate
Lecture 08(a) – Shape Analysis – continued
Lecture 08(b) – Typestate Verification
Lecture 08(c) – Predicate Abstraction
PROGRAM ANALYSIS & SYNTHESIS, Eran Yahav

Previously: Shape Analysis

Today
Shape Analysis – continued
Concurrent Shape Analysis
Typestate Verification
Predicate Abstraction (optimistically!)

Shape Analysis
Automatically verify properties of programs manipulating dynamically allocated storage
Identify all possible shapes (layouts) of the heap

Shape Analysis via 3-valued Logic
1) Abstraction: 3-valued logical structures, canonical abstraction
2) Transformers via logical formulae: soundness by construction (embedding theorem, [SRW 02])
Collecting State Semantics
CSS[v] = set of states at node v, collected from all predecessors w of v in the CFG:
  { <∅, ∅> }  (empty universe, empty interpretation)                            if v = entry
  ∪ { ⟦st(w)⟧(S) | S ∈ CSS[w] }  (effect of the statement at node w)             for (w, v) ∈ E(G), w ∈ Assignments(G)
  ∪ { S | S ∈ CSS[w] }                                                          for (w, v) ∈ E(G), w ∈ Skip(G)
  ∪ { S | S ∈ CSS[w] and S ⊨ cond(w) }                                          for (w, v) ∈ True-Branches(G)
  ∪ { S | S ∈ CSS[w] and S ⊨ ¬cond(w) }                                         for (w, v) ∈ False-Branches(G)
where CSS[w] is the set of states at node w; for v ≠ entry, CSS[v] is the union of the four edge cases over all predecessors w.

Collecting Semantics
At every program point: a potentially infinite set of two-valued logical structures
Representing (at least) all possible heaps that can arise at the program point
Next step: find a bounded abstract representation

3-Valued Logical Structures
A set of individuals (nodes) U
Interpretation of the relation symbols in P (relation → meaning):
  p0() ∈ {0, 1, 1/2}
  p1(v) ∈ {0, 1, 1/2}
  p2(u, v) ∈ {0, 1, 1/2}
A join semi-lattice: 0 ⊔ 1 = 1/2

Property Space
3-Struct[P] = the set of 3-valued logical structures over a vocabulary (set of predicates) P
Abstract domain ℘(3-Struct[P]); ⊑ is ⊆
We will see alternatives later (maybe)
Canonical Abstraction
[figure: the concrete list Top → u1 →n u2 →n u3 and its canonical abstraction, in which u2 and u3 are merged into one summary node]

Canonical Abstraction (β)
Merge all nodes with the same unary predicate values into a single summary node
Join predicate values: ι'(u'1, …, u'k) = ⊔ { ι(u1, …, uk) | f(u1) = u'1, …, f(uk) = u'k }
Converts a state of arbitrary size into a 3-valued abstract state of bounded size
α(C) = { β(c) | c ∈ C }

Abstract Semantics
s = Top->n
s'(v) = ∃v1: Top(v1) ∧ n(v1, v)
[figure: abstract structure Top → node → summary node (r.Top); evaluating the update formula on the summary node yields 1/2, so the s edge to it is indefinite]
Semantic Reduction
Improve the precision of the analysis by recovering properties of the program semantics
A Galois connection (C, α, γ, A)
An operation op: A → A is a semantic reduction when ∀l ∈ A: op(l) ⊑ l and γ(op(l)) = γ(l)
[figure: l and op(l) in A have the same concretization in C]

The Focus Operation
Focus: Formula → (℘(3-Struct) → ℘(3-Struct))
Generalizes materialization
For every formula φ, Focus(φ)(X) yields structures in which φ evaluates to a definite value under all assignments
Only maximal in terms of embedding
Focus(φ) is a semantic reduction
But Focus(φ)(X) may be undefined for some X
Partial Concretization Based on Transformer (s = Top->n)
[figure: two paths from the abstract structure Top → node → summary node (r.Top).
Abstract Semantics: apply s'(v) = ∃v1: Top(v1) ∧ n(v1, v) directly; s is indefinite on the summary node (r.Top, r.s).
Partial Concretization: first Focus(Top->n) on ∃u: Top(u) ∧ n(u, v), which yields structures in which that formula is definite (the cell Top->n is materialized out of the summary node); then apply the abstract semantics, where s now points definitely to the materialized cell; then Canonical Abstraction.]

Partial Concretization
Locally refine the abstract domain per statement
Soundness is immediate
Employed in other shape analysis algorithms [Distefano et al., TACAS'06; Evan et al., SAS'07, POPL'08]
Employed in other analysis algorithms [Typestate verification, ISSTA'06]

The Coercion Principle
Another semantic reduction
Can be applied after Focus, after Update, or both
Increase precision by exploiting structural properties possessed by all stores (global invariants)
Structural properties are captured by constraints
Apply a constraint solver
Apply Constraint Solver
[figure: structures before and after the constraint solver; nodes labelled Top, x, y carry the reachability predicates r.Top, rx, ry, and indefinite n edges and reachability values are sharpened by the constraints]

Sources of Constraints
Properties of the operational semantics
Domain-specific knowledge
Instrumentation predicates
User supplied

Example Constraints
x(v1) ∧ x(v2) ⇒ eq(v1, v2)
n(v, v1) ∧ n(v, v2) ⇒ eq(v1, v2)
n(v1, v) ∧ n(v2, v) ∧ ¬is(v) ⇒ eq(v1, v2)
t[n](v1, v2) ⇔ n*(v1, v2)  (instrumentation predicate: transitive reachability over n)

Abstract Transformers: Summary
Kleene evaluation yields a sound solution
Focus is a statement-specific partial concretization
Coerce applies global constraints
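Added example (Python; my own toy implementation, not code from the slides or from TVLA) covering three of the preceding slides: canonical abstraction β as defined on "Canonical Abstraction (β)", Kleene evaluation of the transformer s'(v) = ∃v1: Top(v1) ∧ n(v1, v) from "Abstract Semantics", and one coerce step for the constraint x(v1) ∧ x(v2) ⇒ eq(v1, v2) from "Example Constraints". The concrete list Top → u1 → u2 → u3 is constructed here; the predicate names Top, rTop (reachability from Top, written r.Top on the slides), n and the summary predicate sm, and the node names a0/a1, are assumptions of this example. Running it shows the precision loss that motivates Focus: on the summary node the transformer evaluates to 1/2.

```python
from fractions import Fraction
from itertools import product

# The three truth values. Kleene's connectives use the ordering 0 < 1/2 < 1;
# the join below is the information order of the slides (0 ⊔ 1 = 1/2).
ZERO, HALF, ONE = Fraction(0), Fraction(1, 2), Fraction(1)


def join(a, b):
    """Join in the 3-valued semi-lattice: equal values stay, 0 ⊔ 1 = 1/2."""
    return a if a == b else HALF


def _join_all(vals):
    out = vals[0]
    for v in vals[1:]:
        out = join(out, v)
    return out


class Structure:
    """A 2- or 3-valued logical structure: universe U plus unary and binary predicates.
    Tuples not listed are 0. 'sm' (assumed name) marks summary nodes with 1/2;
    eq(v, v) is 1 unless v is a summary node."""

    def __init__(self, universe, unary, binary):
        self.U = list(universe)
        self.unary = {p: dict(vals) for p, vals in unary.items()}
        self.binary = {p: dict(vals) for p, vals in binary.items()}

    def u(self, p, v):
        return self.unary.get(p, {}).get(v, ZERO)

    def b(self, p, v1, v2):
        return self.binary.get(p, {}).get((v1, v2), ZERO)


def canonical_abstraction(s, abstraction_preds):
    """beta: individuals with equal values for abstraction_preds are merged into one
    abstract node; each predicate value of an abstract tuple is the join over all
    concrete tuples mapped onto it. Returns (abstract structure, mapping f)."""
    vec = {v: tuple(s.u(p, v) for p in abstraction_preds) for v in s.U}
    names = {vector: f'a{i}' for i, vector in enumerate(sorted(set(vec.values())))}
    f = {v: names[vec[v]] for v in s.U}
    members = {n: [v for v in s.U if f[v] == n] for n in names.values()}
    unary = {p: {} for p in s.unary}
    for p in s.unary:
        for n, ms in members.items():
            unary[p][n] = _join_all([s.u(p, v) for v in ms])
    unary['sm'] = {n: ZERO if len(ms) == 1 else HALF for n, ms in members.items()}
    binary = {p: {} for p in s.binary}
    for p in s.binary:
        for n1, n2 in product(members, repeat=2):
            binary[p][(n1, n2)] = _join_all(
                [s.b(p, v1, v2) for v1 in members[n1] for v2 in members[n2]])
    return Structure(members, unary, binary), f


def kleene_exists_top_n(s, v):
    """Kleene evaluation of s'(v) = ∃v1: Top(v1) ∧ n(v1, v): ∧ is min, ∃ is max."""
    return max(min(s.u('Top', v1), s.b('n', v1, v)) for v1 in s.U)


def coerce_pointer(s, p):
    """One coerce rule: p(v1) ∧ p(v2) ⇒ eq(v1, v2), i.e. variable p points to at most one
    cell. Returns None if definite values already violate it (structure is infeasible);
    otherwise sharpens the 1/2 values the constraint forces and returns s."""
    definite = [v for v in s.U if s.u(p, v) == ONE]
    if len(definite) > 1:
        return None
    for v in definite:
        s.unary.setdefault('sm', {})[v] = ZERO      # eq(v, v) must be 1: not a summary node
        for w in s.U:                               # p cannot also point elsewhere
            if w != v and s.u(p, w) == HALF:
                s.unary[p][w] = ZERO
    return s


def example_list():
    """Constructed concrete heap: Top -> u1 -> u2 -> u3, all three reachable from Top."""
    return Structure(['u1', 'u2', 'u3'],
                     {'Top': {'u1': ONE}, 'rTop': {'u1': ONE, 'u2': ONE, 'u3': ONE}},
                     {'n': {('u1', 'u2'): ONE, ('u2', 'u3'): ONE}})


def coerce_demo():
    """Constructed 3-valued structures: x definitely on a1 and maybe on summary a0
    (a0 sharpened to 0); x definitely on a summary node (made non-summary);
    x definitely on two distinct nodes (infeasible)."""
    s1 = Structure(['a0', 'a1'], {'x': {'a0': HALF, 'a1': ONE}, 'sm': {'a0': HALF}}, {})
    s2 = Structure(['a0'], {'x': {'a0': ONE}, 'sm': {'a0': HALF}}, {})
    s3 = Structure(['a0', 'a1'], {'x': {'a0': ONE, 'a1': ONE}}, {})
    return (coerce_pointer(s1, 'x').u('x', 'a0'),
            coerce_pointer(s2, 'x').u('sm', 'a0'),
            coerce_pointer(s3, 'x'))


if __name__ == '__main__':
    abstract, f = canonical_abstraction(example_list(), ['Top', 'rTop'])
    print(f, abstract.unary, abstract.binary)
    print([kleene_exists_top_n(abstract, v) for v in abstract.U], coerce_demo())
```

With abstraction predicates Top and rTop, u2 and u3 collapse into the summary node a0 with n(a1, a0) = n(a0, a0) = 1/2, and the transformer gives s'(a0) = 1/2 although on the concrete list s' holds exactly on u2; Focus on ∃u: Top(u) ∧ n(u, v) is what would split a0 to make that definite. The coerce shown implements only the functional-dependency shape of constraint; TVLA's coerce handles arbitrary constraints with the same sharpen-or-discard logic.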
Abstract Semantics
SS[v] =
  { <∅, ∅> }                                                                                   if v = entry
  ∪ t_embed(coerce(⟦st(w)⟧3(focus_F(w)(SS[w]))))                                               for (w, v) ∈ E(G), w ∈ Assignments(G)
  ∪ { S | S ∈ SS[w] }                                                                          for (w, v) ∈ E(G), w ∈ Skip(G)
  ∪ { t_embed(S) | S ∈ coerce(⟦st(w)⟧3(focus_F(w)(SS[w]))) and S ⊨3 cond(w) }                   for (w, v) ∈ True-Branches(G)
  ∪ { t_embed(S) | S ∈ coerce(⟦st(w)⟧3(focus_F(w)(SS[w]))) and S ⊨3 ¬cond(w) }                  for (w, v) ∈ False-Branches(G)
for v ≠ entry, the union over all predecessors w.

Recap
Abstraction: canonical abstraction; recording derived information
Transformers: partial concretization (focus); constraint solver (coerce); sound information extraction

Stack Push
void push(int v) {
  Node x = alloc(sizeof(Node));
  x->d = v;
  x->n = Top;
  Top = x;
}
[figure: abstract structures after each statement, starting from the empty stack (emp) and from Top → node → summary node, annotated with formulas over x(v), n(v1, v2), Top(v2) and c(v) that hold at each step]
Non-blocking Stack [Treiber 1986]
#define EMPTY -1
typedef int data_type;
typedef struct node_t { data_type d; struct node_t *n; } Node;
typedef struct stack_t { struct node_t *Top; } Stack;

[1] void push(Stack *S, data_type v) {
[2]   Node *x = alloc(sizeof(Node));
[3]   x->d = v;
[4]   Node *t; do {
[5]     t = S->Top;
[6]     x->n = t;
[7]   } while (!CAS(&S->Top, t, x));
[8] }
[9] data_type pop(Stack *S) {
[10]  Node *t, *s; data_type r; do {
[11]    t = S->Top;
[12]    if (t == NULL)
[13]      return EMPTY;
[14]    s = t->n;
[15]    r = t->d;
[16]  } while (!CAS(&S->Top, t, s));
[17]  return r;
[18] }
(t, s and r are declared before the do-loop so that they are in scope in the loop condition and after it. Note that pop's CAS compares only the pointer value: if popped nodes were freed and reused, a CAS could succeed after Top had changed and changed back (ABA). The listing never frees nodes, so this does not arise here.)
Concurrent Shape Analysis
Recipe
1) abstraction: a thread is represented as a thread object; add predicates to the vocabulary; canonical abstraction
2) transformers: interleaving + as before
Bounded threads: static thread names
Unbounded threads: thread objects abstracted via canonical abstraction

Concrete State
[figure: two thread objects, u1 (pc=7) and u2 (pc=6), each with the thread-local variables x and t; list objects u3 … u7 linked by the list field n; Top points to u5]
U = { u1, u2, u3, …, u7 }
isThread = { u1, u2 }
at[pc=1] = { } … at[pc=6] = { u2 }, at[pc=7] = { u1 } …
Top = { u5 }
x = { (u1, u4), (u2, u3) }
t = { (u1, u5), (u2, u6) }
n = { (u5, u6), (u6, u7) }
t1 = { u1 }, t2 = { u2 }

Exploration
(push as listed on slide 25, lines [1]–[8])
[figure: the state space reached by interleaving the push steps of the threads; each state shows the threads' pcs (1, 5, 6, 7, 8), their x and t pointers, the n links and Top]
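Added example (Python; my own code, not from the slides): the exploration sketched above done concretely, i.e. the collecting semantics of push under all interleavings for a bounded number of statically named threads, each pushing one node onto an initially empty stack. The pc labels follow the push listing on slide 25 (pc 3, x->d = v, is a skip because data values are not tracked; pop is not modelled), CAS is modelled as an atomic compare of Top with t, and node identities are derived from the allocating thread, all of which are modelling assumptions of this example. Over every reachable state it checks the properties from the recap: no null dereference of x, an acyclic list from Top, and in every final state exactly the pushed nodes on the stack.

```python
from collections import deque

# pc labels as on the slide: 2 alloc, 3 x->d = v (skip), 5 t = S->Top, 6 x->n = t,
# 7 CAS(&S->Top, t, x), 8 done.
DONE = 8


def step(state, tid):
    """Concrete transformer for one statement of thread `tid`.
    state = (top, heap, threads): top is the node Top points to (None if empty),
    heap is a frozenset of (node, next) pairs, threads a tuple of (pc, x, t).
    Returns the successor state, or None when the thread has finished."""
    top, heap_items, threads = state
    heap = dict(heap_items)
    threads = list(threads)
    pc, x, t = threads[tid]
    if pc == 2:                       # x = alloc(...): node identity = allocating thread
        x = f'n{tid}'
        heap[x] = None
        pc = 3
    elif pc == 3:                     # x->d = v: data abstracted away
        pc = 5
    elif pc == 5:                     # t = S->Top
        t = top
        pc = 6
    elif pc == 6:                     # x->n = t
        heap[x] = t
        pc = 7
    elif pc == 7:                     # CAS(&S->Top, t, x), atomic
        if top == t:
            top, pc = x, DONE
        else:
            pc = 5                    # CAS failed: retry the loop body
    else:
        return None
    threads[tid] = (pc, x, t)
    return (top, frozenset(heap.items()), tuple(threads))


def explore(nthreads):
    """Set of all reachable concrete states under every interleaving."""
    init = (None, frozenset(), tuple((2, None, None) for _ in range(nthreads)))
    seen, work = {init}, deque([init])
    while work:
        state = work.popleft()
        for tid in range(nthreads):
            succ = step(state, tid)
            if succ is not None and succ not in seen:
                seen.add(succ)
                work.append(succ)
    return seen


def stack_nodes(top, heap):
    """Nodes reachable from Top along n; raises if the list is cyclic."""
    out, cur = [], top
    while cur is not None:
        if cur in out:
            raise ValueError(f'cycle through {cur}')
        out.append(cur)
        cur = heap[cur]
    return out


def check(nthreads):
    """Check the recap properties on every reachable state.
    Returns (#reachable states, #final states)."""
    states = explore(nthreads)
    finals = 0
    for top, heap_items, threads in states:
        heap = dict(heap_items)
        stack_nodes(top, heap)                          # acyclic in every state
        for pc, x, _ in threads:
            if pc in (6, 7) and x is None:              # x->n = t would dereference NULL
                raise AssertionError('null dereference of x')
        if all(pc == DONE for pc, _, _ in threads):
            if sorted(stack_nodes(top, heap)) != sorted(x for _, x, _ in threads):
                raise AssertionError('a pushed node is missing from the stack')
            finals += 1
    return len(states), finals


def has_state(nthreads, pcs):
    """True if some reachable state has the threads at exactly these pcs (any order),
    e.g. the slide's concrete state with one thread at pc=7 and one at pc=6."""
    return any(sorted(pc for pc, _, _ in ths) == sorted(pcs) for _, _, ths in explore(nthreads))


if __name__ == '__main__':
    print(check(2), has_state(2, [6, 7]))
```

Each final state is determined by the order in which the CASes succeeded (every thread's t and x->n equal the node pushed just before it), so two threads give exactly two final states and three give six; the state count grows much faster, which is the blow-up that the thread-object abstraction on the next slides bounds.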
Representing an Unbounded Number of Threads
[figure: several threads at pc=5, each with its own x node, and Top's list; push as listed on slide 25]

Representing an Unbounded Number of Threads
[figure: the same configuration after canonical abstraction: the threads at pc=5 are merged into a summary thread object and their x nodes into a summary node, with the instrumentation predicates has.X (on thread objects) and rby.X (on list nodes)]

Abstract Semantics
[figure: abstract transformer on the summary thread object: one thread at pc=5 executes t = S->Top and moves to pc=6 with t pointing to Top's node, materialized from the summary of the threads still at pc=5 (has.X, rby.X)]
Example - Mutual Exclusion
[1] while (true) {
[2]   lock(shared)
[C]   // critical actions
[3]   unlock(shared)
[4] }
Property: ∀t1, t2: (t1 ≠ t2) ⇒ ¬(at[pc=C](t1) ∧ at[pc=C](t2))
[figure: initial configuration (threads at pc=1, shared free); a thread enters the critical section (shared held_by that thread, which is at pc=C); other threads may be blocked (pc=2, blocked on shared) or just beginning execution (pc=1)]

Recap
Treiber's non-blocking stack (push and pop as listed on slide 25) combines dynamic allocation, destructive updates and concurrency.
Properties verified: no null dereferences; structural shape invariants; linearizability.