Partially Disjunctive Heap Abstraction

1
Partially DisjunctiveHeap Abstraction

• Roman ManevichMooly SagivTel Aviv University

G. RamalingamJohn Field IBM T.J. Watson
2
Motivation

• Analysis of Object Oriented programs is hard
• Recursive data structures
• Unbounded number of objects
• Destructive update of references
• Scalable heap analyses exist
• e.g., flow-insensitive
• Not precise enough for verification
• Precise heap analyses exist
• e.g., SRW shape analysis
• Scaling is very challenging

3
Motivating exampleverifying mark phase of GC
// _at_Ensures marked REACH(root) void mark(Node
root, NodeSet marked) Node x if (root
! null) NodeSet pending new
NodeSet() pending.add(root) marked.clear() w
hile (!pending.isEmpty()) x
pending.selectAndRemove() marked.add(x)
if (x.left ! null) if
(!marked.contains(x.left))
pending.add(x.left) if (x.right ! null)
if (!marked.contains(x.right)
pending.add(x.right)
4
Motivating exampleverifying mark phase of GC
// _at_Ensures marked REACH(root) void mark(Node
root, NodeSet marked) Node x if (root
! null) NodeSet pending new
NodeSet() pending.add(root) marked.clear() w
hile (!pending.isEmpty()) x
pending.selectAndRemove() marked.add(x)
if (x.left ! null) if
(!marked.contains(x.left))
pending.add(x.left) if (x.right ! null)
if (!marked.contains(x.right)
pending.add(x.right)
5
Motivating exampleverifying mark phase of GC
// _at_Ensures marked REACH(root) void mark(Node
root, NodeSet marked) Node x if (root
! null) NodeSet pending new
NodeSet() pending.add(root) marked.clear() w
hile (!pending.isEmpty()) x
pending.selectAndRemove() marked.add(x)
if (x.left ! null) if
(!marked.contains(x.left))
pending.add(x.left) if (x.right ! null)
if (!marked.contains(x.right)
pending.add(x.right)
6
Motivating exampleverifying mark phase of GC
root
u6
x
left
u5
left
left
right
pending rootmarked
right
left
right
u4
7
Motivating exampleverifying mark phase of GC
root
u6
x
left
u5
left
left
right
pending u3,u2marked u1
right
left
right
u4
8
Motivating exampleverifying mark phase of GC
root
u6
left
u5
left
left
right
pending u4,u2marked u1,u3
right
left
x
right
u4
9
Motivating exampleverifying mark phase of GC
root
u6
left
u5
left
left
right
pending u2marked u1,u3,u4
right
left
x
right
u4
10
Motivating exampleverifying mark phase of GC
root
u6
left
x
u5
left
left
right
pending marked u1,u3,u4,u2
right
left
right
u4
11
Motivating exampleverifying mark phase of GC
root
u6
left
x
u5
left
left
right
pending marked u1,u3,u4,u2
right
left
DONE
right
u4
12
Motivating exampleverifying mark phase of GC
root
u6
garbage
garbage
left
x
u5
left
left
right
pending marked u1,u3,u4,u2
right
left
right
u4
13
Motivating exampleverifying mark phase of GC
root
x
left
pending marked u1,u3,u4,u2
right
left
right
u4
14
Motivating exampleverifying mark phase of GC

• Powerset heap abstraction
• 584 seconds, 189,772 abstract heaps
• Definitely too expensive
• Can we verify more efficiently?
• Partially disjunctive heap abstraction
• 3 seconds, 1,133 abstract heaps
• TVLA system

15
Overview and main results

• New (parametric) heap abstraction
• Uses a heap similarity criterion
• Merges similar heaps
• Robust implementation
• Abstraction of choice among TVLA users
• Suitable for other shape analysis systems
• Empirical results
• Significant speedups (2 orders of magnitude)
• Precise in most cases

16
Talk outline

• Shape analysis background
• Representing heaps via logical structures
• Disjunctive (powerset) heap abstraction
• Partially disjunctive heap abstraction
• Via universe congruence similarity
• Empirical results
• Related work
• Future work
• Conclusions

17
Shape analysis viaFirst-Order logic

• SRW 2002 Parametric shape analysis via
  3-valued logic
• Concrete heaps represented by 2-valued structures
  over predicate symbols P
• A set of individuals (nodes) U
• Interpretation of predicate symbols in Pp0() ?
  0,1p1(v) ? 0,1p2(u,v) ? 0,1

18
Concrete heap
root
unary predicates
left
x rootsetmarked setpending rroot
left
left
right
right
left
rrootsetmarked
binary predicates
x
left right
right
19
3-valued structures

• 2-valued structures abstracted into3-valued
  structures by merging individuals
• p0() ? 0,1,1/2p1(v) ? 0,1,1/2p2(u,v) ?
  0,1,1/2
• Kleenes partially ordered set of logical values
• 0 ? 1 1/2

1/2
1
0
20
Canonical abstraction

• Merge individuals with same values for all unary
  predicates (canonical name)
• Bounded structure with at most 2A individuals
• A set of unary predicates

21
Canonical abstraction
root
left
A
x(v) root(v)setmarked(v) setpending(v)rroot
(v)
left
left
right
rrootsetmarked
right
left
rrootsetmarked
x
right
rrootsetmarked
22
Canonical abstraction
root
left
left
left
right
rrootsetmarked
right
?x0,root0,rroot1,setmarked1,setpending
0?
left
rrootsetmarked
x
right
rrootsetmarked
23
Canonical abstraction
root
left
left
left
right
rrootsetmarked
right
?x0,root0,rroot1,setmarked1,setpending
0?
?x0,root0,rroot1,setmarked1,setpending
0?
left
rrootsetmarked
x
right
rrootsetmarked
24
Canonical abstraction
root
left
?x0,root0,rroot0,setmarked0,setpending
0?
left
left
right
rrootsetmarked
right
?x0,root0,rroot1,setmarked1,setpending
0?
?x0,root0,rroot1,setmarked1,setpending
0?
left
rrootsetmarked
x
right
rrootsetmarked
25
Canonical abstraction
root
left
?x0,root0,rroot0,setmarked0,setpending
0?
?x0,root0,rroot0,setmarked0,setpending
0?
left
left
right
rrootsetmarked
right
?x0,root0,rroot1,setmarked1,setpending
0?
?x0,root0,rroot1,setmarked1,setpending
0?
left
rrootsetmarked
x
right
rrootsetmarked
26
Canonical abstraction
root
left
left
left
right
rrootsetmarked
right
left
rrootsetmarked
x
right
rrootsetmarked
27
Abstract heap
Bounded number of individuals
root
left
left
left
right
right
rrootsetmarked
x
left
right
rrootsetmarked
28
Powerset heap abstraction

• ? canonical abstraction
• ?pow(X) ?(s) s ? X
• LUB (join) is set union
• Worst-case is doubly-exponential in A
• Can make unnecessary distinctions

29
Partially disjunctiveheap abstraction

• Use a heap-similarity criterion
• We defined similarity by universe congruence
• Merge similar heaps
• Avoid merging dissimilar heaps

30
Universe congruent heaps
root
root
left
left
x
left
left
left
left
right
rrootsetmarked
right
rrootsetmarked
right
right
x
left
left
right
rrootsetmarked
rrootsetmarked
right
31
Result of merge
root
left
x
left
left
rrootsetmarked
right
left
right
left
right
left
rrootsetmarked
left
right
32
Non-congruent heaps no merge
root
root
left
left
x
left
left
left
left
right
rrootsetmarked
right
rrootsetmarked
right
right
x
left
left
right
rrootsetpending
rrootsetmarked
right
33
Definition of partially disjunctiveheap
abstraction

• Two heaps are similar iff they are universe
  congruent (same canonical names)
• ?piC merge universe congruent heaps
• ?pi(X) ?piC C ? ?pow(X)

34
Characteristics of the partially disjunctive heap
abstraction

• 3-valued structures partially-ordered
• No LUB over singleton structure sets
• if S1 ?pi S2 ?pi(S1,S2) ?piS1,S2
  else ?pow(S1,S2) S1,S2
• Retain definite values of unary predicates
• Size of set can be reduced exponentially

35
Running times
36
Space consumption
37
Related work

• Reducing cost of powerset-based analysis
• Function space domain construction
• ESP PLDI 02
• Deutsch PLDI 94
• Widening operators Bagnara et el. VMCAI03

38
Future work

• Experiment with other similarity criteria
• Structures with different universes
• Deflating operators
• Widening operators

39
Conclusions

• A new (parametric) heap abstraction
• Partially disjunctive
• Merges similar abstract heap descriptors
• Significantly more efficient than full powerset
• Essential for many TVLA analyses
• Often no loss of precision in practice

40
The End
41
Parametric partial isomorphism

• Structures S1?U1,I1? and S2?U2,I2?
• Isomorphic iff
• Exists bijection f U1?U2
• Preserves all predicate values
• Partially-isomorphic relative to R iff
• Exists bijection f U1?U2
• Preserves values of relational predicates
• A ? R ? P

42
No LUB over singletons
p1q1 z1/2
p0q1 z0
p1q0 z1
A
p0q1 z1
p1q0 z0
p1q1 z1/2
B
C is an upper bound
D is an upper bound
p1q0 z1/2
p1/2q1 z1/2
p0q1 z1/2
p1q1/2 z1/2
incomparable