Embed Size (px)
Citation preview
![Page 1: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/1.jpg)
Shape Analysis
Mooly Sagiv
![Page 2: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/2.jpg)
• Tel-Aviv University– D. Amit– I. Bogudlov– G. Arnold– G. Erez– N. Dor– T. Lev-Ami– R. Manevich– R. Shaham– A. Rabinovich– N. Rinetzky– G. Yorsh– A. Warshavsky
• Universität des Saarlandes– J. Bauer– R. Biber– R. Wilhelm
. . . and also• University of Wisconsin
– F. DiMaio– D. Gopan– A. Loginov– T. Reps
• IBM Research– J. Field– H. Kolodner– M. Rodeh– E. Yahav
• Microsoft Research– J. Berdine– B. Cook– G. Ramalingam
• University of Massachusetts– N. Immerman– B. Hesse
• Inria– B. Jeannet
![Page 3: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/3.jpg)
Shape Analysis [Jones and Muchnick 1981]
• Determine the possible shapes of a dynamically allocated data structureat a given program point
![Page 4: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/4.jpg)
Programs and Properties
• Dynamically allocated memory
• Recursive data structures
• Recursive procedures• Concurrency
• Memory safety• Preservation of Data
structure invariants• Partial correctness• Termination• Linearizability
![Page 5: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/5.jpg)
Outline
• Shape abstractions in a nutshell• Computing transformers• Heap decomposition
![Page 6: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/6.jpg)
Representing Concrete Stores by Logical Structures
• Parametric vocabulary• Heap
– Locations ≈ Individuals– Program variables ≈ Unary relations– Fields ≈ Binary relations
![Page 7: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/7.jpg)
Representing Concrete Storesby Logical Structures
– U = {u1, u2, u3, u4, u5}– x = {u1}, p = {u3}– n = {<u1, u2>, <u2, u3>, <u3, u4>, <u4, u5>}– rx = {u1, u2, u3, u4, u5}– rp = {u3, u4, u5}
u1 u2 u3 u4 u5xn n n n
p
rx rx rx rx rx
rp rp rp
![Page 8: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/8.jpg)
Representing Abstract Stores by 3-Valued Logical Structures
• A join semi-lattice: 0 7 1 = 1/2• {0, 1, ½} values for relations
![Page 9: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/9.jpg)
Canonical Abstraction
rp
a1x a2 a3n n n
p
a4
rp
rxrxrxrx
u1 u2 u4 u5 u6xn n
rx
rp rp
n n
p
rx rx rx rx
u3n
rx
![Page 10: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/10.jpg)
10
Canonical Abstractions as Formulas[Yorsh’03, Kuncak’04, Wies’07 ]
rp
a1
x
a2 a3n n n
p
a4
rp
rxrxrxrx
∀v: (x(v) ∧rx(v)∧¬p(v)∧¬rp(v)) ∨(¬x(v) ∧rx(v)∧¬p(x)∧¬rp(v)) ∨(¬x(v) ∧rx(v)∧p(v)∧rp(v)) ∨
(¬x(v) ∧rx(v)∧¬p(v)∧rp(v)))
∀v:rx(v) ⇔ ∃w: x(w) ∧ n*(w, v)∀v:rp(v) ⇔ ∃w: p(w) ∧ n*(w, v)
![Page 11: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/11.jpg)
Canonical Abstraction
• Limited form of quantified invariants– quantifier alternation only in instrumentation
• Not a static memory partition– The same memory location can be represented
by different abstract nodes in different shape graphs
![Page 12: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/12.jpg)
Most Precise Abstract Transformer[Cousot, Cousot POPL 1979]
γ α
τ#
τ
![Page 13: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/13.jpg)
τ
Partial Concretization
τ#
![Page 14: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/14.jpg)
Partial Concretization
τ#
τ#
![Page 15: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/15.jpg)
yx
yx
yx
yx ...
xy
yx
...
xy
Best Transformer (x = x → n)
γ
Concrete Semantics
canonical abstraction
![Page 16: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/16.jpg)
yx
yx
xy
Partial Concretization based Transformer (x = x → n)
γ
AbstractSemantics
canonical abstraction
xy
yx
yx
yx
![Page 17: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/17.jpg)
Partial Concretization
• Employed in other shape analysis algorithms [Distefano, TACAS’06, Evan, SAS’07, POPL’08]
• Soundness is immediate• Can even guarantee precision under certain
conditions [Lev-Ami, VMCAI’07]• Locally refine the abstract domain per statement
![Page 18: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/18.jpg)
Heap Decomposition for Concurrent Shape Analysis
R. ManevichT. Lev-Ami
Tel Aviv University
G. RamalingamMSR India
J. BerdineMSR Cambridge
Joint work with
![Page 19: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/19.jpg)
Main Results
• New parametric abstraction for heaps– Heap decomposition + Cartesian product
• Exponential state space reduction• Implementation in HeDec (Generalizes TVLA)
– Heap Decomposition + Canonical abstraction• Used to prove interesting properties of heap-
manipulating programs with fine-grained parallelism– Linearizability
![Page 20: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/20.jpg)
Treiber’s Non-blocking Stack[1] void push(Stack *S, data_type v) {[2] Node *x = alloc(sizeof(Node));[3] x->d = v;[4] do {[5] Node *t = S->Top;[6] x->n = t;[7] } while (!CAS(&S->Top,t,x));[8] }
[9] data_type pop(Stack *S){[10] do {[11] Node *t = S->Top;[12] if (t == NULL)[13] return EMPTY;[14] Node *s = t->n;[15] data_type r = s->d;[16] } while (!CAS(&S->Top,t,s));[17] return r;[18] }
![Page 21: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/21.jpg)
pc=16
Full State
Top
nx
n
x
s
t
t
st
t
n
n
n
tr1 tr4
tr2
pc=7
pc=7
pc=16
tr3
![Page 22: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/22.jpg)
n
nt
n
n
n
n
n
n
t
Sub-states
Top
x n
tr1
pc=7
Top
t
n
tr2
pc=7
Top
s
t
tr4
pc=16
Top
n
s
pc=16
tr3
x
![Page 23: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/23.jpg)
n
n
n
n
Cartesian Product of Sub-states
Top
x
t
n
tr1
pc=7
x
t
n
tr2
pc=7
s
t
tr3
pc=16
t
s
n
tr4
x
t
n
tr1
pc=7x
t
n
tr2
pc=7
t
s
n
pc=16
tr3
× × ×Top
TopTop
TopTop
s
t
tr3
pc=16
Top
Top
n
n
n
n
n
n
pc=16
n
n
n
n
n
n
![Page 24: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/24.jpg)
0
50000
100000
150000
200000
250000
0 5 10 15 20
number of threads
num
ber o
f sta
tes Decomp
Full
0
1000
2000
3000
4000
0 10 20
number of threads
time
(sec
.)
Empirical Results
• Exponential time/space reduction– Non-blocking stack + linearizability
![Page 25: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/25.jpg)
and…
More information fromhttp://www.cs.tau.ac.il/~rumster
![Page 26: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/26.jpg)
Thank you Cousot for
• Establishing the right mindset• Galois Connections• Semantic reductions• Domain constructors
![Page 27: Program Analysis via Graph Reachabilityprofs.scienze.univr.it/~giaco/Project(30YAI)/30YAI-Programme/Slides/Mooly.pdf · Shape Analysis [Jones and Muchnick 1981] • Determine the](https://reader033.pdfslide.net/reader033/viewer/2022041608/5e360e037ba2052f963671d0/html5/thumbnails/27.jpg)
Summary
• Shape analysis is an interesting abstract interpretation problem– Handles unbounded memory– Partially disjunctive abstractions
• Partial concretization is useful for transformers• Heap decomposition is useful for scalability
– Generalizes thread-modular analysis• Limited forms of quantified invariants can be
utilized to prove interesting properties
![Semantics-based Code Obfuscation by Abstract Interpretationprofs.sci.univr.it/~giaco/download/JCS09.pdf · lar, Cousot [13] defines a hierarchy of semantics, where sema ntics at](https://img.pdfslide.net/doc/110x75/5f819c4ae86a380c6e097093/semantics-based-code-obfuscation-by-abstract-giacodownloadjcs09pdf-lar-cousot.jpg)
