Reduction in End-User Shape Analysis
Bor-Yuh Evan Chang (University of Colorado, Boulder) and Xavier Rival (INRIA and ENS Paris)
Dagstuhl Seminar on Typing, Analysis, and Verification of Heap-Manipulating Programs, July 24, 2009
Why think about the analyzer's end-user?
Accessibility
• end-users are not experts in verification and logic
• we want adoption of our tools and techniques
Expressivity, efficiency, and feasibility
• end-users are not completely incompetent either
• they can provide guidance to tools, and they understand the code best
Bor-Yuh Evan Chang and Xavier Rival - Reduction in End-User Shape Analysis
Shape analysis is an abstract interpretation on abstract memory descriptions with …
• splitting of summaries (materialization), to reflect updates precisely
• and summarizing for termination (summarization)
Main design decision: the summaries and their operations
[Figure: a "sorted dl list" summary for l is materialized at the node cur, updated, and summarized again]
The Wild World of Shape Analysis
Choosing the heap abstraction is difficult. Some representative approaches:
• Parametric in low-level, analyzer-oriented predicates: TVLA [Sagiv et al.]
  + very general and expressive
  - harder for non-experts
• Built-in high-level predicates: Space Invader [Distefano et al.]
  + no additional user effort
  - harder to extend
• Our approach, parametric in high-level, developer-oriented predicates: Xisa
  + extensible
  + targeted to developers
Our Approach: Executable Specifications
Utilize "run-time validation code" as the specification for static analysis.
checker (validation code): h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)
read as an inductive predicate: $h.\mathtt{dll}(p) := (h = \mathtt{null} \wedge \mathsf{emp}) \vee (\exists n.\ h@\mathtt{prev} \mapsto p * h@\mathtt{next} \mapsto n * n.\mathtt{dll}(h))$
• p specifies where prev should point
• Build the abstraction for analysis directly out of the developer-supplied validation code
• Automatically generalize checkers for intermediate states (generalized segment)
Example program:
  assert(l.purple_dll(null));
  for each node cur in list l {
    make cur red;
  }
  assert(l.red_dll(null));
[Figure: the abstract state at the loop head is a red segment from l to cur followed by a purple dll from cur]
Xisa is …
An automated shape analysis with a precise memory abstraction based around invariant checkers.
checker: h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)
• Extensible and targeted for developers
  – parametric in developer-supplied checkers, viewed as inductive definitions in separation logic
• Precise yet compact abstraction for efficiency
  – data structure-specific, based on properties of interest to the developer
Problem: Non-Unique Representations
With user-guided abstraction, different summaries may have the same (or related) concretizations.
checker: l.dll(p) := if (l = null) then true else l->prev = p and l->next.dll(l)
checker: l.dll_back(n) := if (l = null) then true else l->next = n and l->prev.dll_back(l)
[Figure: the summaries h.dll(null) and t.dll_back(null) share a concrete instance: the same doubly-linked list with head h and tail t]
Need: Convert between related summaries
1. Prove lemmas about related checkers
   – e.g., a lemma relating dll and dll_back
Observation: our widening operator can derive these facts on an appropriate program.
Basic idea: run the parametric abstract domain, instantiated with the semantics of dll_back, on the definition l.dll(p) := …, and let summarization (widening) produce the relation.
Need: Convert between related summaries
2. Find out which lemmas are needed and when to apply them during program analysis
   – work in progress, not in this talk
New "Pre-Program Analysis"
A checker analysis that runs before the program analysis ("pre-program analysis") and derives information about checkers so they can be used effectively:
• level-type inference for unfolding (splitting and interpreting updates)
• lemma proving for reduction (summarizing)
checker: dll(h, p) = if (h = null) then true else h->prev = p and dll(h->next, h)
[Figure: checkers feed the checker analysis, whose results feed the Xisa shape analyzer (abstract interpretation)]
Outline
• Memory abstraction
  – graphs
  – segments
• A semantics of checker definitions
• Example: "a segment of a list" versus "a list segment"
Abstract memory as graphs
Make endpoints and segments explicit.
• nodes (α, β, γ, δ): memory addresses (values)
• thin edges: memory cells (points-to, e.g. γ->next = δ)
• thick edges: checker summaries (inductive predicates, e.g. δ.dll(γ)) and segment summaries ("dll segment" from α to γ)
A segment is a generalization of a checker: intuitively, α.dll(null) up to γ.dll(β). The example graph denotes
$(\alpha.\mathtt{dll}(\mathtt{null}) \mathrel{*=} \gamma.\mathtt{dll}(\beta)) * \gamma@\mathtt{prev} \mapsto \beta * \gamma@\mathtt{next} \mapsto \delta * \delta.\mathtt{dll}(\gamma)$
where the segment stands for some number of memory cells (thin edges).
checker: h.dll(p) = if (h = null) then true else h->prev = p and h->next.dll(h)
Segments as Partial Checker "Runs" (conceptually)
[Figure: a complete checker "run" unfolds α.dll(null) into β.dll(α), γ.dll(β), δ.dll(γ), …, down to null.dll(…); a segment summary α.dll(null) *= γ.dll(β) corresponds to a prefix of such a run, with the empty prefix (i = 0) being α = γ and β = null; in general a segment c(α, γ) ending in c'(β, γ') has c = c', α = β and γ = γ'.] [POPL'08]
Example: User-Defined List Segments
checker: l.ls(e) := if (l = e) then true else l->next.ls(e)
checker: l.list() := if (l = null) then true else l->next.list()
Two summaries for a list segment from l (node α) to e (node β):
• "a list segment": α.ls(β)
• "a segment of a list": α.list() *= β.list()
Want a decision procedure for inclusions such as
$\alpha.\mathtt{ls}(\beta) \sqsubseteq \alpha.\mathtt{list}() \mathrel{*=} \beta.\mathtt{list}()$ ?
Can reuse our parametric abstract domain!
An Alternative Semantics for Checkers
Read the summary α.ls(β) as a generator of "concrete" graphs:
• α = β
• α@next ↦ α' with α' = β
• α@next ↦ α', α'@next ↦ α'' with α'' = β
• …
Together these yield the set of concrete stores in which l holds addrof(α) and e holds addrof(β).
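The dll/dll_back checkers and the ls/list checkers above, run as validation code over a concrete store, plus the generator reading of α.ls(β) * β.list() used as a bounded check of the inclusion α.ls(β) * β.list() ⊑ α.list(). This is an added Python example, not code from the talk or from Xisa; the dict-based heap model, the `seen` cycle guard and the constructed stores are assumptions of the example.

```python
NULL = 0  # null address; a concrete heap is a dict addr -> {"next": addr, "prev": addr}

def dll(heap, h, p, seen=frozenset()):
    """h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)"""
    if h == NULL: return True
    if h in seen or h not in heap: return False  # cycle or dangling pointer: reject, do not loop
    return heap[h]["prev"] == p and dll(heap, heap[h]["next"], h, seen | {h})

def dll_back(heap, h, n, seen=frozenset()):
    """h.dll_back(n) := if (h = null) then true else h->next = n and h->prev.dll_back(h)"""
    if h == NULL: return True
    if h in seen or h not in heap: return False
    return heap[h]["next"] == n and dll_back(heap, heap[h]["prev"], h, seen | {h})

def ls(heap, l, e, seen=frozenset()):
    """l.ls(e) := if (l = e) then true else l->next.ls(e)  (the cell e is not part of the segment)"""
    if l == e: return True
    if l in seen or l not in heap: return False
    return ls(heap, heap[l]["next"], e, seen | {l})

def lst(heap, l, seen=frozenset()):
    """l.list() := if (l = null) then true else l->next.list()"""
    if l == NULL: return True
    if l in seen or l not in heap: return False
    return lst(heap, heap[l]["next"], seen | {l})

def three_node_dll():
    """Constructed store 1 <-> 2 <-> 3: one concrete instance of both h.dll(null) and t.dll_back(null)."""
    return {1: {"prev": NULL, "next": 2}, 2: {"prev": 1, "next": 3}, 3: {"prev": 2, "next": NULL}}

def segment_instance(k, m):
    """Generator for alpha.ls(beta) * beta.list(): k segment cells followed by m tail cells."""
    heap = {a: {"next": a + 1 if a < k + m else NULL} for a in range(1, k + m + 1)}
    beta = k + 1 if m > 0 else NULL
    alpha = 1 if k > 0 else beta  # empty segment means alpha = beta
    return heap, alpha, beta

def inclusion_holds(bound):
    """Bounded check of alpha.ls(beta) * beta.list() <= alpha.list() over all stores with <= bound cells."""
    for k in range(bound + 1):
        for m in range(bound + 1 - k):
            heap, alpha, beta = segment_instance(k, m)
            assert ls(heap, alpha, beta) and lst(heap, beta)  # sanity: the generator produced an instance
            if not lst(heap, alpha):
                return False
    return True
```

The bounded enumeration only gives evidence for the inclusion; the talk's point is that the widening and inclusion check of the parametric domain decide it for all instances.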
Show α.ls(β) ⊑ α.list() *= β.list() by widening
Apply abstract interpretation to the generator of α.ls(β), using only list as the checker parameter to the domain: the graphs α = β; α@next ↦ α', α' = β; α@next ↦ α', α'@next ↦ α'', α'' = β; … are widened to α.list() *= β.list().
Our widening [SAS'07]
• is a non-symmetric binary operator
• interleaves region matching and summarizing
Properties
• Soundness: computes an over-approximation
• Termination: ensures the chain stabilizes
Algorithm
1. Iteratively split regions by matching nodes (ok by *)
2. Find a common abstraction for matched regions (calling on ⊑ to check inclusion)
Inclusion Check
Example: α@next ↦ α' * α'.list() with α' = β ⊑ α.list() *= α'.list() * α'.list()? Unfolding the segment one step on the right matches the α@next edge, and what remains is emp ⊑ emp.
Inclusion Check Algorithm
1. Iteratively split regions by matching nodes
2. Check inclusion by unfolding and matching edges until obvious (emp ⊑ emp)
Summary: Reuse the domain to decide relations amongst checker definitions
The checker analysis runs before the program analysis ("pre-program analysis"):
• level-type inference for unfolding (splitting and interpreting updates)
• lemma proving for reduction (summarizing)
checker: dll(h, p) = if (h = null) then true else h->prev = p and dll(h->next, h)
[Figure: checkers feed the checker analysis, whose results feed the Xisa shape analyzer (abstract interpretation)]
Conclusion and Next Steps
• The non-unique representation problem is magnified with user-supplied checkers
  – need reduction to convert between representations
  – an ordering on checkers is needed to apply reduction
• The ordering is shown by applying Xisa to a checker definition
• To put into practice
  – needed lemmas: pre-compute the ordering or derive on demand?
  – when to apply: level types for unfolding may help
  – derive new checkers (e.g., dll_back from dll)?
http://xisa.cs.berkeley.edu