Interprocedural shape analysis for cutpoint-free programs

1
Interprocedural shape analysisfor cutpoint-free
programs
????? ????? ???-????? ???????? ?????? ??????-????
Noam Rinetzky Tel Aviv University
Joint work with Mooly Sagiv Tel Aviv
University Eran Yahav IBM Watson
2
Motivation

• Conservative static program analysis
• (Recursive) procedures
• Dynamically allocated data structures
• Applications
• Cleanness
• Verify data structure invariants
• Compile-time garbage collection

3
A crash course in abstract interpretation

• Static analysis Automatic derivation of
  properties which hold on every execution leading
  to a program point

main() int w0,x0,y0,z0 w 2 y -
1 x 2 z - 1 assert wx is even
w x y z
E E E E
O E E E
O O E E
4
How to handle procedures?

• Pure functions
• Procedure ? input/output relation
• No side-effects

p ret
0 1
1 2
2 3
..
main() int w0,x0,y0,z0 w inc(y)
x inc(z) assert wx is even
int inc(int p) return 2 p - 1
5
How to handle procedures?

• Pure functions
• Procedure ? input/output relation
• No side-effects

p ret
Even Odd
Odd Even
main() int w0,x0,y0,z0 w inc(y)
x inc(z) assert wx is even
int inc(int p) return 2 p - 1
w x y z
E E E E
O E E E
O O E E
6
What about global variables?
p g ret g
0 0 1 0

• Procedures have side-effects
• Easy fix

p g ret g
Even E/O Odd Even
Odd E/O Even Odd
int g 0 main() int w0,x0,y0,z0 w
inc(y) x inc(z) assert wxg is
even
int inc(int p) g p return 2 p - 1
7
But what about pointers and heap?

• Pointers
• Aliasing
• Destructive update

• Heap
• Global resource
• Anonymous objects

x.n.n y
n
n
x
y
x.n.n.n z
How to tabulate append?
8
How to tabulate procedures?

• Procedure ? input/output relation
• Not reachable ? Not effected
• proc local (?reachable) heap ? local heap

main() append(y,z)
append(List p, List q)
n
y
z
9
How to handle sharing?

• External sharing may break the functional view

main() append(y,z)
append(List p, List q)
n
n
y
x
z
10
Whats the difference?
1st Example
2nd Example
append(y,z)
append(y,z)
n
n
n
y
y
x
z
z
11
Cutpoints

• An object is a cutpoint for an invocation
• Reachable from actual parameters
• Not pointed to by an actual parameter
• Reachable without going through a parameter

append(y,z)
append(y,z)
n
n
n
n
y
y
n
n
t
t
x
z
z
12
Cutpoint freedom

• Cutpoint-free
• Invocation has no cutpoints
• Execution every invocation is cutpoint-free
• Program every execution is cutpoint-free

append(y,z)
append(y,z)
n
n
n
n
x
y
t
y
t
z
x
z
13
Main results

• Cutpoint freedom
• Non-standard concrete semantics
• Verifies that an execution is cutpoint-free
• Local heaps
• Interprocedural shape analysis
• Conservatively verifies
• program is cutpoint free
• Desired properties
• Partial correctness of quicksort
• Procedure summaries
• Prototype implementation

14
Plan

• Cutpoint freedom
• Non-standard concrete semantics
• Interprocedural shape analysis
• Prototype implementation

15
Programming model

• Single threaded
• Procedures
• Value parameters
• Formal parameters not modified
• Recursion
• Heap
• Recursive data structures
• Destructive update
• No explicit addressing ()
• No pointer arithmetic

16
Memory states

• A memory state encodes a local heap
• Local variables of the current procedure
  invocation
• Relevant part of the heap
• Relevant ? Reachable

main
append
q
p
n
n
x
t
y
z
17
Memory states

• Represented by first-order logical structures

Predicate Meaning
x(v) Variable x points to v
n(v1,v2) Field n of object v1 points to v2
18
Memory states

• Represented by first-order logical structures

Predicate Meaning
x(v) Variable x points to v
n(v1,v2) Field n of object v1 points to v2
n u1 u2
u1 0 1
u2 0 0
p
u1 1
u2 0
q
u1 0
u2 1
q
p
n
u1
u2
19
Operational semantics

• Statements modify values of predicates
• Specified by predicate-update formulae
• Formulae in FO-TC

20
Procedure calls
append(p,q)
1. Verify cutpoint freedom 2 Compute
input Execute callee 3 Combine output
append body
21
Procedure call 1. Verifying cutpoint-freedom

• An object is a cutpoint for an invocation
• Reachable from actual parameters
• Not pointed to by an actual parameter
• Reachable without going through a parameter

append(y,z)
append(y,z)
n
n
n
n
y
y
n
x
x
z
z
n
t
t
Not Cutpoint free
Cutpoint free
22
Procedure call 1. Verifying cutpoint-freedom

• Invoking append(y,z) in main
• Ry,z(v)?v1y(v1)?n(v1,v) ? ?v1z(v1)?n(v1,v)
• isCPmain,y,z(v) Ry,z(v) ? (?y(v)??z(v1)) ?
• ( x(v) ? t(v) ? ?v1 ?Ry,z(v1)?n(v1,v))

(mains locals x,y,z,t)
n
n
n
n
y
y
n
x
x
z
z
n
t
t
Not Cutpoint free
Cutpoint free
23
Procedure call 2. Computing the input local heap

• Retain only reachable objects
• Bind formal parameters

Call state
n
n
y
x
z
n
t
24
Procedure body append(p,q)
Input state
n
n
p
q
25
Procedure call3. Combine output
Output state
Call state
n
n
n
y
x
z
n
t
26
Procedure call3. Combine output
Output state
Call state
n
n
n
n
n
y
p
x
z
q
n
t
Auxiliary predicates
inUc(v)
inUx(v)
27
Observational equivalence

• ?CPF ? ?CPF (Cutpoint free semantics)
• ?GSB ? ?GSB (Standard semantics)
• ?CPF and ?GSB observationally equivalent
• when for every access paths AP1, AP2

? AP1 AP2 ?(?CPF) ? ? AP1 AP2 ?(?GSB)
28
Observational equivalence

• For cutpoint free programs
• ?CPF ? ?CPF (Cutpoint free semantics)
• ?GSB ? ?GSB (Standard semantics)
• ?CPF and ?GSB observationally equivalent
• It holds that
• ?st, ?CPF? ? ?CPF ? ?st, ?GSB? ? ?GSB
• ?CPF and ?GSB are observationally equivalent

29
Introducing local heap semantics

Local heap Operational semantics
30
Plan

• Cutpoint freedom
• Non-standard concrete semantics
• Interprocedural shape analysis
• Prototype implementation

31
Shape abstraction

• Abstract memory states represent unbounded
  concrete memory states
• Conservatively
• In a bounded way
• Using 3-valued logical structures

32
3-Valued logic

• 1 true
• 0 false
• 1/2 unknown
• A join semi-lattice, 0 ? 1 1/2

33
Canonical abstraction
y
z
n
n
n
n
n
x
n
n
t
34
Instrumentation predicates

• Record derived properties
• Refine the abstraction
• Instrumentation principle SRW, TOPLAS02
• Reachability is central!

Predicate Meaning
rx(v) v is reachable from variable x
robj(v1,v2) v2 is reachable from v1
ils(v) v is heap-shared
c(v) v resides on a cycle
35
Abstract memory states (with reachability)
y
z
n
n
n
n
n
rz
rx
rx,ry
rx
rz
rz
rx
rx
rx,ry
rx
rz
rz
rx
rz
x
n
n
rt
rt
rt
rt
rt
rt
t
36
The importance of reachabilityCall append(y,z)
z
y
n
n
n
n
n
rx
rx,ry
rx
rz
rz
rx
rz
x
n
n
rt
rt
rt
t
y
z
n
n
n
n
n
x
rx,ry
rz
rz
rx
rx
n
n
rt
rt
t
37
Abstract semantics

• Conservatively apply statements on abstract
  memory states
• Same formulae as in concrete semantics
• Soundness guaranteed SRW, TOPLAS02

38
Procedure calls
append(p,q)
1. Verify cutpoint freedom 2 Compute
input Execute callee 3 Combine output
append body
39
Conservative verification of cutpoint-freedom

• Invoking append(y,z) in main
• Ry,z(v)?v1y(v1)?n(v1,v) ? ?v1z(v1)?n(v1,v)
• isCPmain,y,z(v) Ry,z(v) ? (?y(v)??z(v1)) ?
• ( x(v) ? t(v) ? ?v1 ?Ry,z(v1)?n(v1,v))

n
n
n
n
n
ry
ry
ry
ry
rx
ry
rz
y
y
rz
n
n
n
n
z
z
x
rt
rt
rt
rt
t
t
Not Cutpoint free
Cutpoint free
40
Interprocedural shape analysis
Tabulation exits
call f(x)
y
41
Interprocedural shape analysis
Analyze f
Tabulation exits
call f(x)
y
42
Interprocedural shape analysis

• Procedure ? input/output relation

Output
Input
q
q
rq
rq
q
q
p
p
n
rp
rq
rp
rp
rq
n
q
n
p
p
q

n
n
n
rp
rp
rq
rp
rq
rp
rp
43
Interprocedural shape analysis

• Reusable procedure summaries
• Heap modularity

44
Plan

• Cutpoint freedom
• Non-standard concrete semantics
• Interprocedural shape analysis
• Prototype implementation

45
Prototype implementation

• TVLA based analyzer
• Soot-based Java front-end
• Parametric abstraction

Data structure Verified properties
Singly linked list Cleanness, acyclicity
Sorting (of SLL) Sortedness
Unshared binary trees Cleaness, tree-ness
46
Iterative vs. Recursive (SLL)
585
47
Inline vs. Procedural abstraction
// Allocates a list of // length 3 List
create3() main() List x1
create3() List x2 create3() List x3
create3() List x4 create3()
48
Call string vs. Relational vs. CPFRinetzky
and Sagiv, CC01 Jeannet et al.,
SAS04
49
Related Work

• Interprocedural shape analysis
• Rinetzky and Sagiv, CC 01
• Chong and Rugina, SAS 03
• Jeannet et al., SAS 04
• Hackett and Rugina, POPL 05
• Rinetzky et al., POPL 05
• Local Reasoning
• Ishtiaq and OHearn, POPL 01
• Reynolds, LICS 02
• Encapsulation
• Noble et al. IWACO 03
• ...

50
Future work

• Bounded number of cutpoints
• False cutpoints
• Liveness analysis

51
Summary

• Cutpoint freedom
• Non-standard operational semantics
• Interprocedural shape analysis
• Partial correctness of quicksort
• Prototype implementation

52
End
A Semantics for procedure local heaps and its
abstraction Noam Rinetzky, Jörg Bauer, Thomas
Reps, Mooly Sagiv, and Reinhard Wilhelm POPL,
2005
Interprocedural shape analysis for cutpoint-free
programs Noam Rinetzky, Mooly Sagiv, and Eran
Yahav To appear in SAS, 2005
www.cs.tau.ac.il/maon
53
(No Transcript)
54
quickSort(List p, List q)
55
Quicksort

• List quickSort(List p, List q)
• If(pq q null)
• return p
• List h partition(p,q)
• List x p.n
• p.n null
• List low quickSort(h, p)
• List high quickSort(x,null)
• p.n high
• Return low

56
Quicksort

• List quickSort(List p, List q)
• If(pq q null)
• return p
• List h partition(p,q)
• List x p.n
• p.n null
• List low quickSort(h, p)
• List high quickSort(x,null)
• p.n high
• Return low

57
Quicksort
p
tl
hd
8
6

3
5
7
2
1
4
6
8

9
8
9

hd
low
p
tl
Lev Ami et. al. ISSTA00