Using Checkers for End-User Shape Analysis
Bor-Yuh Evan Chang 張博聿, University of Colorado, Boulder
Collaborators: Xavier Rival (INRIA and ENS Paris), George C. Necula (UC Berkeley)
National Taiwan University – August 11, 2009
Why think about the analyzer’s end-user?
[Figure: User ↔ Tool]
Accessibility
• end-users are not experts in verification and logic
• want adoption of our tools and techniques
Expressivity, Efficiency, and Feasibility
• end-users are not completely incompetent either
• can provide guidance to tools, understand the code best
Bor-Yuh Evan Chang 張博聿, University of Colorado - Using Checkers in End-User Shape Analysis 2
Shape analysis is an abstract interpretation on abstract memory descriptions with …
• splitting of summaries (materialization), to reflect updates precisely
• and summarizing for termination (summarization)
Main design decision: summaries and their operations
[Figure: a summary l ↦ “sorted dl list” with cursor cur, split into the cell at cur and its neighbours, then re-summarized]
Our Approach: Executable Specifications
Utilize “run-time validation code” as specification for static analysis.
Checker (code view):
  h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)
Checker (separation-logic view):
  h.dll(p) := (h = null ∧ emp) ∨ (∃n. h@prev ↦ p ∗ h@next ↦ n ∗ n.dll(h))
• p specifies where prev should point
Build the abstraction for analysis directly out of the developer-supplied validation code:
  assert(l.purple_dll(null));
  for each node cur in list l {
    make cur red;
  }
  assert(l.red_dll(null));
Automatically generalize checkers for intermediate states (generalized segment).
[Figure: list l with cursor cur; the nodes before cur are already recolored, the rest still purple]
Problem: Checkers are incomplete specs
Defining a program analysis:
1. The abstraction (e.g., separation logic formulas with inductive definitions) and operations on the abstraction (e.g., unfolding, update)
2. How to effectively apply the operations (harder!)
Checker analysis (“pre-program analysis”) derives information about checkers to use them effectively.
[Figure: checkers such as h.dll(p) = if (h = null) then true else h->prev = p and h->next.dll(h) flow through checker analysis into the Xisa shape analyzer’s program analysis: splitting and interpreting update, summarizing, abstract interpretation]
Open questions:
1. How do we decide where to unfold?
2. How do we decide where to fold?
3. What about different checkers for the same structure?
Outline
• Memory abstraction
• Guide unfolding (materialization) with level-type analysis on checker definitions
• Guide folding (summarization) with iteration history
  – a binary, non-symmetric widening operator
• Prove lemmas amongst checkers with our parametric shape domain
  – for a reduction operator
Abstract memory as graphs
Make endpoints and segments explicit.
[Figure: l ↦ α; a “dll segment” α.dll(null) … γ.dll(β) from α to γ; cur ↦ γ; cells γ.prev ↦ β and γ.next ↦ δ; checker summary δ.dll(γ)]
Legend:
• node: memory address (value)
• thin edge: memory cell (points-to: γ->next = δ)
• segment summary: some number of memory cells (thin edges)
• checker summary: inductive predicate
Segment generalization of a checker (intuitively, α.dll(null) up to γ.dll(β)):
  (α.dll(null) ∗= γ.dll(β)) ∗ γ@prev ↦ β ∗ γ@next ↦ δ ∗ δ.dll(γ)
Checker: h.dll(p) = if (h = null) then true else h->prev = p and h->next.dll(h)
Segments as Partial Checker “Runs” (conceptually)
Complete checker “run” (derivation/call tree) for the instance α → β → γ → δ → null:
  α.dll(null), β.dll(α), γ.dll(β), δ.dll(γ), null.dll(δ)
Segment c(α, γ): a prefix of such a run, stopping at the pending call c'(γ') [POPL’08]
• instance i = 0: the empty segment, α = γ and β = null
• instance i > 0: α.dll(null) unfolded i times, ending in the pending call on γ
[Figure: summary α ⟶ c(α, γ) ⟶ γ with pending c'(γ'), beside its instances; the segment end point must match the pending call: c = c', γ = γ', with the remaining parameters (α…, β…) identified]
Types for deciding where to unfold
Summary: l ↦ α, segment α.dll(null) … γ.dll(β) up to cur ↦ γ, then γ.dll(β).
Instance: α → β → γ → δ → null.
If it exists, where is γ->next? where is β->next?
Checker “run” (call tree/derivation) with levels relative to the call on γ:
  -2: dll(α, null)   -1: dll(β, α)   0: dll(γ, β)   1: dll(δ, γ)   dll(null, δ)
Checker definition types:
  h : {next⟨0⟩, prev⟨0⟩}   p : {next⟨-1⟩, prev⟨-1⟩}
Says: for h->next/h->prev, unfold from h; for p->next/p->prev, unfold before h.
Checker: h.dll(p) = if (h = null) then true else h->prev = p and h->next.dll(h)
Types make the analysis robust with respect to how checkers are written
Doubly-linked list checker (as before):
  h.dll(p) = if (h = null) then true else h->prev = p and h->next.dll(h)
  h : {next⟨0⟩, prev⟨0⟩}   p : {next⟨-1⟩, prev⟨-1⟩}
[Figure: summary β.dll(α) … γ.dll(β); instance α → β → γ → null]
Alternative doubly-linked list checker:
  h.dll'() = if (h->next = null) then true else h->next->prev = h and h->next.dll'()
  h : {next⟨0⟩, prev⟨-1⟩}
[Figure: summary β.dll'() with the question “γ->prev?” resolved at level -1; instance β → γ → null]
Different types for different unfolding.
Summary of checker parameter types
• Tell where to unfold for which fields
• Make analysis robust with respect to how checkers are written
• Learn where in summaries unfolding won’t help
• Can be inferred automatically with a fixed-point computation on the checker definitions
Summarize by folding into inductive predicates
  last = l; cur = l->next;
  while (cur != null) {
    // … cur, last …
    if (…) last = cur;
    cur = cur->next;
  }
[Figure: iteration graphs l, last ↦ node →next cur, then l →next last →next cur, …; each summarized to l ⟶ list ⟶ last ⟶ next ⟶ cur ⟶ list]
Challenge: precision (e.g., last, cur separated by at least one step)
Use iteration history to guide folding
Previous approaches guess where to fold for each graph
• i.e., which nodes to drop
• e.g., not pointed by variables
Contribution: determine where by comparing graphs across history
• discover which nodes to drop and edges to fold simultaneously
[Figure: the iteration graphs from the previous slide, summarized into l ⟶ list ⟶ last ⟶ next ⟶ cur ⟶ list]
Problem: Non-Unique Representations
With user-guided abstraction, different summaries may have the same (or related) concretizations.
Checker, summary, concrete instance:
• l.dll(p) := if (l = null) then true else l->prev = p and l->next.dll(l); summary h.dll(null) from the head h
• l.dll_back(n) := if (l = null) then true else l->next = n and l->prev.dll_back(l); summary t.dll_back(null) from the tail t
[Figure: both summaries describe the same concrete doubly-linked list with head h and tail t]
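The checkers dll, dll' and dll_back from the slides written out as the run-time validation code they stand for, as an added example rather than the talk's or Xisa's code (the node layout and the list-building helpers are assumptions; dll' is applied only to a non-null head, as the slide's definition requires). Running all three over one constructed store makes the non-unique representation concrete: the same list is accepted from its head by dll and dll' and from its tail by dll_back, and a single broken back pointer is rejected by each.

```c
#include <stdlib.h>
#include <stdbool.h>

/* Node layout is an assumption of this example; the slides never fix one. */
typedef struct node { struct node *next, *prev; } node;
/* h.dll(p): h heads a doubly-linked list whose first prev field points to p. */
bool dll(const node *h, const node *p) {
    if (h == NULL) return true;
    return h->prev == p && dll(h->next, h);
}
/* h.dll'(): the slides' alternative checker. It validates the back pointer one
 * step ahead (h->next->prev) and never reads h->prev, hence different level types. */
bool dll_alt(const node *h) {
    if (h->next == NULL) return true;
    return h->next->prev == h && dll_alt(h->next);
}
/* t.dll_back(n): the same shape walked from the tail t, whose next points to n. */
bool dll_back(const node *t, const node *n) {
    if (t == NULL) return true;
    return t->next == n && dll_back(t->prev, t);
}
/* Helper (assumed, not from the talk): a well-formed list of len >= 1 nodes. */
node *build_dll(int len, node **tail) {
    node *head = NULL, *last = NULL;
    for (int i = 0; i < len; i++) {
        node *n = calloc(1, sizeof *n);          /* next and prev start out null */
        n->prev = last;
        if (last) last->next = n; else head = n;
        last = n;
    }
    *tail = last;
    return head;
}
void free_dll(node *h) { while (h) { node *n = h->next; free(h); h = n; } }
/* Non-unique representation: all three checkers accept the same well-formed store. */
bool checkers_agree_on_wellformed(void) {
    node *t, *h = build_dll(4, &t);
    bool ok = dll(h, NULL) && dll_alt(h) && dll_back(t, NULL);
    free_dll(h);
    return ok;
}
/* Constructed corruption: the tail's back pointer skips a node; every
 * formulation rejects it, each from its own traversal direction. */
bool checkers_reject_broken_prev(void) {
    node *t, *h = build_dll(4, &t);
    t->prev = h;
    bool rejected = !dll(h, NULL) && !dll_alt(h) && !dll_back(t, NULL);
    free_dll(h);
    return rejected;
}
```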
Need: Convert between related summaries
1. Prove lemmas about related checkers, e.g., “dll ⇔ dll_back”
Observation: our widening operator can derive these facts on an appropriate program.
Basic idea: run summarization (widening) in the parametric abstract domain S, with l.dll(p) := … as the checker parameter, on the semantics of dll_back.
[Figure: l.dll(p) := … → parametric abstract domain S; semantics of dll_back → summarization (widening)]
Need: Convert between related summaries
2. Find out which lemmas are needed and when to apply them during program analysis
  – work in progress
  – not in this talk
New “Pre-Program Analysis”
[Figure: checkers (e.g. h.dll(p) = if (h = null) then true else h->prev = p and h->next.dll(h)) → checker analysis (“pre-program analysis”): level-type inference for unfolding, lemma proving for reduction → program analysis in the Xisa shape analyzer: splitting and interpreting update, summarizing, abstract interpretation over domain S]
Example: User-Defined List Segments
  l.ls(e) := if (l = e) then true else l->next.ls(e)         “a list segment” (checker); summary α ⟶ ls(β) ⟶ β, with l ↦ α, e ↦ β
  l.list() := if (l = null) then true else l->next.list()    “a segment of a list”; summary α ⟶ list() ⟶ β ⟶ list(), with l ↦ α, e ↦ β
Want a decision procedure for these inclusions:
  α.ls(β) ⊑ (α.list() ∗= β.list()) ?
Can reuse our parametric abstract domain!
An Alternative Semantics for Checkers
Summary: α ⟶ ls(β) ⟶ β, with l ↦ α, e ↦ β
Generator of “concrete” graphs (one per unfolding depth):
  α = β
  α →next α' = β
  α →next α' →next α'' = β
  …
Set of concrete stores: l ↦ addrof(α), …, e ↦ addrof(β)
Widening
Show: α.ls(β) ⊑ (α.list() ∗= β.list())
Apply abstract interpretation using only list as a checker parameter to the domain.
[Figure: the generated graphs α = β; α →next α' = β; α →next α' →next α'' = β; … are widened step by step into α ⟶ list() ⟶ β ⟶ list(), with l ↦ α, e ↦ β, until the chain stabilizes]
Properties
• Soundness: computes an over-approximation
• Termination: ensures the chain stabilizes
Algorithm
1. Iteratively split regions by matching nodes (ok by ∗)
2. Find common abstraction for matched regions (calling on ⊑ to check inclusion)
Our widening [SAS’07]
• is a non-symmetric binary operator
• interleaves region matching and summarizing
Inclusion Check
Example: α →next α' = β  ⊑  α ⟶ list() ⟶ α' ⟶ list() ⟶ β, with l ↦ α, e ↦ β
Inclusion check algorithm
1. Iteratively split regions by matching nodes
2. Check inclusion by unfolding and matching edges until obvious (emp ⊑ emp)
Summary: Reuse domain to decide relations amongst checker definitions
[Figure: checkers (e.g. dll(h, p) = if (h = null) then true else h->prev = p and dll(h->next, h)) → checker analysis (“pre-program analysis”): level-type inference for unfolding, lemma proving for reduction → program analysis in the Xisa shape analyzer: splitting and interpreting update, summarizing, abstract interpretation over domain S]
Reduction: Next steps
• Non-unique representation problem magnified with user-supplied checkers
  – Need reduction to convert between representations
  – Ordering on checkers needed to apply reduction
• Ordering shown by applying Xisa to a checker definition
• To put into practice
  – Needed lemmas: pre-compute ordering or on-demand?
  – When to apply: level types for unfolding may help
  – Derive new checkers (e.g., dll_back from dll)?
Summary: Using checkers as specs
Constructing the end-user program analysis:
• Intermediate states: generalized segment predicates (α ⟶ c(γ) … c'(γ') ⟶ β)
• Splitting: checker parameter types with levels (h : {next⟨0⟩, prev⟨0⟩}, p : {next⟨-1⟩, prev⟨-1⟩})
• Summarizing: history-guided approach (list ⟶ next ⟶ list)
• Reduction: prove lemmas by reusing our domain on checkers (l.dll(p) := … and the semantics of dll_back in domain S)
Conclusion
• Checkers are useful specifications
  – Developer view: global, expressed in a familiar style
  – Analysis view: capture developer intent, not arbitrary inductive definitions
• Yet they are incomplete for program analysis
  – With an executable interpretation, can apply program analysis to checker definitions
  – Such “pre-analysis” guides the code analysis
http: //www. cs. colorado. edu/~bec/xisa