Partially Disjunctive Shape Analysis

1
Partially DisjunctiveShape Analysis
Roman ManevichMooly SagivGanesan Ramalingam
advisor consultant
2
Non-blocking stack Treiber, 1986
unbounded dynamic memory
1 void push(Stack S, data_type v) 2
Node x alloc(sizeof(Node))3 x-gtd
v4 do 5 Node t S-gtTop6
x-gtn t7 while
(!CAS(S-gtTop,t,x))8
x points to valid memory?can cause memory
leak?does list remain acyclic?
9 data_type pop(Stack S)10 do 11
Node t S-gtTop12 if (t
NULL)13 return EMPTY14
Node s t-gtn15 data_type r
t-gtd16 while (!CAS(S-gtTop,t,s))1
7 return r18
stack linearizable?
lock-freebenign data races
? Automatic proof of linearizability for an
unbounded number of threads
3
Shape abstractions

• Canonical heap abstractionSagiv et al., TOPLAS
  02
• Abstraction for (possibly cyclic) listsM. et
  al., VMCAI 05
• Abstracts length of list segments
• Retains shape of heap

4
Abstraction and concretization
...
5
Abstraction and concretization
Abstract domain(partial order ?)
Concrete domain(partial order ?)
a
6
Sound abstract transformers
tx-gtn
7
Most precise transformerCousot Cousot POPL 77
Concrete domain
Abstract domain
?st
8
Sound abstract transformer
Concrete domain
Abstract domain
?st
?
9
Sound abstract transformers
tx-gtn
10
Inferring safe invariants
1 Node create(int size)2 Node x
NULL3 while (size-- gt 0) 4 Node
t (Node ) malloc(sizeof(Node))5 t-gtn
x6 x t 7 return x

4
7
11

• Disjunctive school
• DNF-like invariants
• ?1(v) ? ? ?n(v)
• Join is disjunction
• Model checking

• Partially disjunctive school
• CNF-like invariants
• ?1(v) ? ? ?n(v)
• ?v ?(v)
• Loss of information in join
• Abstract Interpretation
• Dataflow

12
Research problem

• Problem
• Disjunctive shape abstractions
• Join is disjunction
• Too precise
• Yields exponential blow-ups
• My solution
• Partially disjunctive shape abstractions
• Modular aspects
• Precise enough
• Reduce exponential factors
• Orders of magnitude speed-ups

12
13
Main challenge

• Can we develop useful partially disjunctive
  abstractions for the heap?
• Challenging setting objects threads are
• Anonymous
• Unbounded

13
14
Main thesis results

• Framework for partially disjunctive heap
  abstractions based on heap decomposition
• Correlations within subheap maintained
• Disjunctive maintains correlations in full heap
• Correlations with other parts of heap abstracted
  away
• Smaller subheaps lead to reduced state space
• Reuse subheaps
• System for automatically generating abstract
  interpreters based on user-specified heap
  decomposition SAS 08
• Guaranteed soundness
• Feasible transformers
• Applications
• Sequential programs manipulating multiple data
  structures TACAS 07
• First automatic proof of linearizability for
  fine-grained concurrent programs with an
  unbounded number of threads CAV 08

14
15
Outline

• Disjunctive vs. partially disjunctive
  abstractions
• Partially disjunctive abstraction via heap
  decomposition
• Thread-modular analysis for fine-grained
  concurrency

16
Abstraction by partitioning
concrete state space
17
Abstraction by partitioning
abstract state space
Abstract state(4?x?5?2?y?3) ?(2?x?3?4?y?5)
?(5?x?6?4?y?5) ?(3?x?4?5?y?6) ?(7?x?8?4?y?5)
?(5?x?6?7?y?8) ?(7?x?8?6?y?7)
18
Disjunctive abstraction
(4?x?5?2?y?3) ?(2?x?3?4?y?5) ?(5?x?6?4?y?5)
?(3?x?4?5?y?6)
(7?x?8?4?y?5) ?(5?x?6?7?y?8) ?(7?x?8?6?y?7)
?
19
Disjunctive abstraction
(4?x?5?2?y?3) ?(2?x?3?4?y?5) ?(5?x?6?4?y?5)
?(3?x?4?5?y?6)
(7?x?8?4?y?5) ?(5?x?6?7?y?8) ?(7?x?8?6?y?7)
?
20
Partially disjunctive abstraction
?
21
Partially disjunctive abstraction
2?x?8 ? 2?y?8
Join coarser than disjunction
22
Partially disjunctive abstractions
Disjunctive abstractions

• No information loss from merging control flow
  paths
• Exponential space blowups
• Inferring abstractions
• CEGAR is well-studied

• Loses many correlations
• Drastically reduces state space
• What are the important correlations?
• Learning from multiple traces

23
Partially disjunctive abstraction and the heap

• Scaling is major issue
• Infinite state space
• Existing abstractions are doubly-exponential
• Concurrency drastically increases analysis cost
• Cartesian abstraction for heap non-trivial
• Storeless semantics
• Address of objects and threads coincidental
• Unbounded memory and number of threads
• Which parts of the heap need to be correlated?
• CEGAR-like techniques may help
• The cost of analysis may sometimes increase when
  more correlations are ignored

24
Heap Decomposition idea
25
Heap Decomposition idea
26
Heap Decomposition idea
27
Connected Components Decomposition
28
Disjunctive shape analysis

t
x?n y
y?n z
?
??
assert x?n?n ? z
29
Independent attribute (Cartesian)shape
analysisSagiv et al., TOPLAS 98

t
x?n y
y?n z
?
assert x?n?n ? z
30
Space of heap abstractions
moreprecise
Independent attribute shape analysisSagiv et
al., TOPLAS 98
Connected component decomposition M. et al.,
TACAS 07
Disjunctive shape abstractionsCanonical heap
abstraction Sagiv et al., TOPLAS 02(cyclic)
list abstraction M. et al., VMCAI 05
31
Connected components decomposition

• Abstraction splits heap into set of (disjoint)
  connected components
• Special case of heap decomposition
• What is maintained
• All aliasing relations
• All reachability relations
• What is lost
• Correlations between data structures

32
Connected components decomposition

• Abstraction splits heap into set of (disjoint)
  connected components
• Special case of heap decomposition
• What is maintained
• All aliasing relations
• All reachability relations
• What is lost
• Correlations between data structures

33
What a connected component denotes
y
x
z
ConnComp(x,?y,?z) ? noedges()
ConnComp(?x,y,?z) ? noedges()
ConnComp(?x,?y,z) ? noedges()
34
What a set of components denotes
ConnComp(?x, y,z) ? edges(y,z)
ConnComp(?x,?y,z) ? noedges()
ConnComp(x, y,?z) ? edges(x,y)
ConnComp(x,?y,?z) ? noedges()
35
What a set of components denotes

• Meaning of a set of subheapsfull heaps composed
  from subheaps

36
What a set of components denotes
ConnComp(?x,?y,z) ? ConnComp(x,?y,?z) ?
noedges()

• Meaning of a set of subheapsfull heaps composed
  from subheaps
• Full heap contains all variables

37
What a set of components denotes
ConnComp(x, y,?z) ? ConnComp(?x, y,z) ?
edges(x,y), (y,z)
ConnComp(x, y,?z) ? edges(x,y)
ConnComp(?x, y,z) ? edges(y,z)

• Meaning of a set of subheapsfull heaps composed
  from subheaps
• Full heap contains all variables
• Subheaps with common variables inconsistent

38
Shape example revisited

x.n y
y.n z
?
assert x?n?n ? z
39
Example multiple data structures
// _at_assume h1!NULL h1t1 h1?nNULL //
h2!NULL h2t2 h2?nNULL////
_at_loop_invariant Reach(h1,t1) //
Reach(h2,t2) //
DisjointLists(h1,h2)EnqueueEvents() L1 while
(...) List temp new
List(getEvent()) if (nondet())
t1?n temp t1 temp
else t2?n temp t2
temp
Idea track properties of each list independently
40
Full abstract heaps at loop head
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
1
1
1
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
gt1
gt1
gt1
41
Common subgraphs
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
1
1
1
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
gt1
gt1
gt1
42
Common subgraphs
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
1
1
1
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
gt1
gt1
gt1
43
State space reduction
h1
t1
h1
t1
h1
t1
1
gt1
h2
t2
h2
t2
h2
t2
1
gt1
Connected components abstraction precise enough
to prove invariantreusing subgraphs reduces
exponential blow-ups
For k listsfull heap abstraction generates
3k abstract statesdecomposed heap
abstraction generates 3k abstract states
44
Transformers for connected components
decomposition

• Most precise transformer NP-complete
• Developed efficient transformers
• Polynomial
• Compose at most 2-3 subgraphs
• Useful
• Applied to windows device drivers
• x200 speedup

45
Example with bug
// _at_assume h1!NULL h1t1 h1?nNULL //
h2!NULL h2t2 h2?nNULL////
_at_loop_invariant Reach(h1,t1) //
Reach(h2,t2) //
DisjointLists(h1,h2)EnqueueEvents() L1 while
(...) List temp new
List(getEvent()) if (nondet())
t1?n temp t1 temp
else t2?n temp t1
temp // should be t2 tmp
46
Abstract error trace
List temp new List(getEvent())
t2?n temp
t1 temp
Reach(h1,t1)
47
State space reduction
number of shape graphsnumber of subgraphs
x
(89,430 / 7,733)
48
Time speedup
full shape graph analysis time graph
decomposition analysis time
x
(552.6 / 2.6)
49
Beyond connected component decomposition

• Realistic programs contain complex connected
  components
• Connected component decomposition too coarse
• Multithreading introduces relations between
  threads and objects
• Different threads can access same object
• Sometimes need correlations across connected
  components

• Need more general decompositions

50
HeDec system for Heap Decomposition

• Parametric allows experimenting with different
  decompositions
• Analysis designer specifies decomposition
• Subheaps not necessarily disjoint
• Applicable for states with threads
• Soundness automatically guaranteed for
• Any decomposition specification
• Any transformer specification

51
Space of heap abstractions
Parametric heap decompositionM. et al., SAS 08
Independent attribute shape analysisSagiv et
al., TOPLAS 98
Connected component decomposition M. et al.,
TACAS 07
Disjunctive shape abstractionsCanonical heap
abstraction Sagiv et al., TOPLAS 02(cyclic)
list abstraction M. et al., VMCAI 05
52
Applicationthread-modularshape analysisfor
linearizability
53
Concurrent heap Yahav, POPL 01

• Represent threads and objects
• 3-Valued structure

list object
Top
thread object with program counter
t
pc7
x
t
pc14
n
thread-local variable
list field
54
Concurrent heap Yahav, POPL 01

• Represent threads and objects
• 3-Valued structure
• Formula in subset of FOTC Yorsh et al., TOCL 07

pc(tr1)7 ? pc(tr2)14 ?
?v1,v2. t(tr1,v1) ? x(tr1,v2) ?
t(tr2,v1) ? n(v2,v1)
tr1
Top
t
tr2
pc7
x
t
pc14
n
v1
v2
55
Select subheaps

• Parametrically
• State-sensitive selection

pc(tr1)7 ? pc(tr2)14 ?
?v1,v2. t(tr1,v1) ? x(tr1,v2) ?
t(tr2,v1) ? n(v2,v1)
tr1
Top
t
tr2
pc7
x
t
pc14
n
v1
v2
56
Abstraction by decomposition

• Represent a heap as a conjunction of subheaps
• Subheaps overlap

tr1
Top
pc(tr1)7 ? ?v1. t(tr1,v1) ? x(tr1,v2) ?
n(v2,v1)
t
pc7
x
n
v1
?
v2
Top
tr2
pc(tr2)14 ? ?v2. t(tr2,v1)
t
pc14
v1
57
Intuitive meaning of subheaps
Top
t
Top
pc7
x
t
n
pc14
58
Thread-modular analysis
Non-disjoint resource invariantsM. et al., SAS
08Fine-grained concurrency
Separated resource invariantsGotsman et al.,
PLDI 07Coarse-grained concurrency
Single global resource invariantFlanagan
Qadeer, SPIN 03
59
Toy example
Object g NULL // global variable
threadProc() Object xNULL, yNULL 1 x
new Object() 2 y x 3 assert(x
y) g x 4 assert(g ! NULL)
thread-local invariant
non thread-localinvariant
60
Toy example (one thread)
Object g NULL // global variable
threadProc() Object xNULL, yNULL 1 x
new Object() 2 y x 3 assert(x
y) g x 4 assert(g ! NULL)
61
Toy example (one thread)
Object g NULL // global variable
threadProc() Object xNULL, yNULL 1 x
new Object() 2 y x 3 assert(x
y) g x 4 assert(g ! NULL)
62
Toy example (one thread)
Object g NULL // global variable
pc 1 ? x y g NULL ? pc 2 ? x ? NULL
? y g NULL ? pc 3 ? x y ? NULL ? g
NULL ? pc 4 ? x y g ? g ? NULL
threadProc() Object xNULL, yNULL 1 x
new Object() 2 y x 3 assert(x
y) g x 4 assert(g ! NULL)
What about an unbounded number of threads?
63
State with unbounded number of threads
pc1
pc3
y
y
x
x
y
x
y
x
NULL
NULL
pc2
pc4
y
x
y
y
x
x
y
y
x
x
NULL
NULL
g
64
Conflate threads at same location
pc1
pc3
y
y
x
x
y
x
y
x
NULL
NULL
pc2
pc4
y
x
y
y
x
x
y
y
x
x
NULL
NULL
g
65
Bounded abstract state
threadProc() Object xNULL, yNULL 1 x
new Object() 2 y x 3 assert(x
y) g x 4 assert(g ! NULL)
pc1
pc3
y
x
y
x
NULL
Lost correlations between local variables of same
thread
pc2
pc4
y
x
y
x
xy cannot be proved
NULL
g
66
Quantified (indexed) abstraction
Each disjunct represents an abstractionof state
from the perspective of one thread
Object g NULL // global variable

• pc(t) 1 ?
• ? pc(t) 2 ?
• ? pc(t) 3 ? x(t) y(t)
• pc(t) 4 ? x(t) y(t) ? g?NULL
• pc(t) 4 ? x(t) y(t) g ? g?NULL

threadProc() Object xNULL, yNULL 1 x
new Object() 2 y x 3 assert(x
y) g x 4 assert(g ! NULL)
?t
Lost information number of threads
Indexed predicate
67
Intuition for quantified abstraction
pc1
pc1
pc3
pc3
y
y
x
x
y
x
y
x
NULL
NULL
pc2
pc2
pc4
pc4
pc4
y
x
y
y
x
x
y
y
x
x
NULL
NULL
g
68
Intuition for quantified abstraction
pc(t) 4 ? x(t) y(t) g ? g?NULL
?t

• Information maintained
• (dis)equalities between local variables of each
  thread and global variables (and NULL)

• Information lost
• Number of threads
• (dis)equalities between variables of different
  threads

x
y
pc4
g
69
Invalid assertion
Object g NULL // global variable
threadProc() Object xNULL, yNULL 1 x
new Object() 2 y x 3 assert(x
y) g x 4 assert(g ! NULL) 5
assert(g x)
70
Abstract error trace
1 x new Object()
2 y x
assert(g x) doesnt hold
scheduled thread
non-scheduled thread
g x
71
Non-blocking stack Treiber, 1986
1 void push(Stack S, data_type v) 2
Node x alloc(sizeof(Node))3 x-gtd
v4 do 5 Node t S-gtTop6
x-gtn t7 while
(!CAS(S-gtTop,t,x))8
Prove linearizabilityfor an unboundednumber of
threads
9 data_type pop(Stack S)10 do 11
Node t S-gtTop12 if (t
NULL)13 return EMPTY14
Node s t-gtn15 data_type r
t-gtd16 while (!CAS(S-gtTop,t,s))1
7 return r18
72
Linearizability in a nutshell

• Correctness criterion for concurrent data
  structures Herlihy Wing, TOPLAS 1990
• Provides illusion that each operation is atomic
• Linearization point
• Concurrent execution equivalent to some legal
  sequential execution

S.pop(y)
S.push(x)
S.push(y)
S.pop(x)
time
time
73
Delta abstraction Amit et al. CAV 07

• Tracks bounded differences between concurrent and
  sequential execution
• Limited to bounded number of threads
• Linearization points at successful CAS operations
• Use special Corr predicate to tracks differences
• Correlated objects
• Tracks correlations between all threads
• Feasible up to 4 threads

74
Our approach

• Tracks bounded differences between concurrent and
  sequential executionper thread
• Handles unbounded number of threads
• Linearization points at successful CAS operations
• Tracks enough correlations to detect successful
  CAS operations
• Abstracts correlations between threads
• Thread-modular characteristics

75
Decomposition for linearizability

• For each thread t maintain
• Objects pointed-to by local variables
• Objects pointed-to by global variables
• CAS(S-gtTop,t,x)
• Corr component
• Objects pointed-to by global variables
• Correlated objects

Top
t
pc7
x
t
corr
pc14
n
n
Overlapping subheaps
corr
t
s
pc16
pc6
n
x
t
corr
corr
n
76
Decomposing concurrent states
M1
M3
M4
M5
M2
Top
Top
corr
corr
n
corr
t
s
pc6
pc16
x
t
corr
corr
n

• Information lost
• Number of threads
• Correlations between thread-local variables of
  different threads

• Information maintained
• Correlations between thread-local variables of
  every thread
• Correlations between thread-local variables and
  global variables
• Threads local mutations

Thread-modular analysis characteristics
77
Detecting linearization points
CAS(Top,t,x)fails
CAS(Top,t,x)succeeds
Top
Top
t
pc7
x
corr
corr
n
n
corr
t
pc6
x
78
Experimental results

• First automatic verification of linearizability
  for unbounded number of threads
• Utilized properties
• Mutations occur near data structure access points
• Bounded mutations per data structure operation
  per thread

79
Conclusion

• Partially disjunctive shape abstraction promising
  technique
• Decomposition can be used for more modular
  analysis
• Parametric system
• Handle combination of
• Unbounded number of threads
• Dynamically-allocated memory
• Automatically proves linearizability
• Also useful for sequential programs

80
Other thesis results

• Partial isomorphism join M. et al., SAS 04
• The choice abstraction of TVLA users
• 100X speedups
• Precise abstractions for singly-linked lists M.
  et al., VMCAI 05
• Encoded in predicate abstraction
• Encoded in Canonical heap abstraction
• Employed by Anand et al., SPIN 03 Distefano et
  al., TACAS 06Gotsman et al., SAS 06
• Extended to trees Lev-Ami et al., CAV 07

81
Other results

• Postmortem symbolic evaluationM. et al., FSE
  04
• Explain program failures using crash dump
  information and backward analysis
• Combining Shape Analyses by Intersecting
  Abstractions Arnold et al., VMCAI 06
• Meet algorithm for 3-Valued structures
• Theoretical framework for counterexample-guided
  abstraction refinementM. et al., Reinhard
  Wilhelm Festschrift 07

82
Collaborators

• Stephan Adams MSR
• Gilad Arnold UCB
• Josh Berdine MSR
• Byron Cook MSR
• Manuvir Das MSR
• Tal Lev-Ami TAU
• John Field IBM
• Deepak Goyal IBM

• Tom Henzinger EPFL
• Ramalingam MSR
• Manu Sridharan UCB
• Ran Shaham TAU
• Eran Yahav IBM
• Zhe Yang MSR

83
Thank you

• Mooly Sagiv TAU
• Ramalingam MSR

• Tom Reps WU
• Reinhard Wilhelm Saarbrucken
• Tom Ball MSR
• Shuvendu Lahiri MSR

• Daphna Amit TAU
• Eran Yahav IBM
• Greta Yorsh IBM
• Noam Rinetzky QMUL
• Nurit Dor TAU
• Ohad Shacham TAU
• Ran Shaham TAU
• Tal Lev-Ami TAU

• Nir Andelman Google

84
Related work

• Partial isomorphism join
• Partial isomorphism join for symbolic heaps Yang
  et al., CAV 08
• Heap analysis by separationYahav Ramalingam,
  PLDI 04 Hackett Rugina, POPL 05
• Decompose verification problem itself and
  conservatively approximate contexts
• Predicate/variable clusteringClarke et al., CAV
  00
• Statically-determined decomposition
• Cartesian transformers Ball et al., TACAS 01
• Handling concurrency with shape for an unbounded
  number of threads
• Thread-modular analysis Gotsman et al., PLDI 07
• Rely-guarantee Vafeiadis et al., SAS 07

85
Space of heap abstractions
Parametric heap decompositionM. et al., SAS 08
Independent attribute shape analysisSagiv et
al., TOPLAS 98
Connected component decomposition M. et al.,
TACAS 07
Partial isomorphismjoin M. et al., SAS 04
Disjunctive shape abstractionsCanonical heap
abstraction Sagiv et al., TOPLAS 02(cyclic)
list abstraction M. et al., VMCAI 05
86
Specifying heap decompositions

• Use unary predicates to define decomposition (for
  fixed num of components)
• p1(v), p2(v),

Full heap
Subheaps
p1(v)
?
p2(v)
87
Composing abstractions take 1
Concrete domainconcrete heaps
Decomposedsubheaps
Decomposed boundedsubheaps
?decompose
?bound
h1
t1
h1
t1
gt1
...
h2
t2
h2
t2
...
gt1
h1
t1
h1
t1
1
h2
t2
?compose
?explode
88
Composing abstractions take 2
Concrete domainconcrete heaps
Boundedheaps
Decomposed boundedsubheaps
?bound
?decompose
h1
t1
h1
t1
h1
t1
gt1
gt1
...
h2
t2
h2
t2
h2
t2
gt1
...
gt1
h1
t1
h1
t1
h1
t1
1
1
h2
t2
h2
t2
1
?explode
?compose
89
Unbounded decompositions

• Use indexed binary predicates to define
  decomposition
• Decomposition defined relative to object of
  interest t
• p(t,v)

Full heap
Subheaps
p(t,v)
?t
?
p(t,v)