Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.

1 Relational Inductive Shape Analysis. Bor-Yuh Evan Chang, University of California, Berkeley; Xavier Rival, INRIA. POPL 2008.

2 Example: Removing duplicates

    cur = l->next;
    while (cur != null) {
      cur = remove_if_dup(cur);
      cur = cur->next;
    }

Concrete example: l points to the sorted doubly linked list 2, 2, 4, 4; after the first removal l points to 2, 4, 4 with cur inside the list (an intermediate state); at the end l points to 2, 4.

Invariant/abstraction: on entry, l is a "sorted dl list"; on exit, l is a "sorted dl set" (sorted, doubly linked, no duplicates). Both are program-specific predicates. The intermediate state is more complicated: from l up to cur there is a "sorted dl set segment (• ≤ v)", and from cur onward a "sorted dl list (v ≤ •)", where v is the value at which the two parts meet.

Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis

3 Utilize "dynamic checking code" as specification for static analysis

Checking code expresses a precise invariant of interest, but only at "steady states":

    sorteddll(l, prev, min) =
      if (l = null) then true
      else l→prev = prev and min ≤ l→val and sorteddll(l→next, l, l→val)

    assert(sorteddll(l, null, 0));
    cur = l;
    while (cur != null) {
      cur = remove_if_dup(cur);
      cur = cur->next;
    }
    assert(sorteddlset(l, null, 0));

The analysis automatically generalizes the checker to the intermediate states, where l and cur both point into the list in the middle of the loop.

4 Our framework is ...

An automated shape analysis with a precise memory abstraction based around invariant checkers.

- Compact abstraction: data structure-specific, based on the properties of interest to the developer.
- Extensible: parametric in developer-supplied checkers.

[Diagram: checkers such as sorteddll(l, prev, min) = if (l = null) then true else l→prev = prev and min ≤ l→val and sorteddll(l→next, l, l→val) are the input to the shape analyzer, which produces shape invariants.]

5 Challenges

    cur = l->next;
    while (cur != null) {
      if (cur->prev->val == cur->val) {
        cur = cur->prev;
        remove_after(cur);
      }
      cur = cur->next;
    }

At the loop head the state is: "sorted dl set segment (• ≤ v)" from l to cur, and "sorted dl list (v ≤ •)" from cur. After the removal inside the if it is: "sorted dl set segment (• ≤ u)" from l to cur, and "sorted dl list (w ≤ •)" from cur, with u < v = w.

Two difficulties: (1) "split" segments: because of the back pointers, the segment from l to cur has to be split at the node before cur; (2) numerical constraints linking shape and data, such as u < v = w (see paper).

6 Shape analysis is an abstract interpretation on memory states with ...

- Materialization (partial concretization), to perform strong updates.
- Widening, for termination.

[Diagram: the node at cur materialized out of the summarized list at l, and the sequence of abstract states at l that widening brings to a fixed point.]

7 Outline

The shape analyzer is an abstract interpretation (materialization and update; widening, see paper) preceded by a type "pre-analysis" over the checkers.

Input: checkers, e.g. sorteddll(l, prev, min) = if (l = null) then true else l→prev = prev and min ≤ l→val and sorteddll(l→next, l, l→val).

8 Abstract memory using inductive predicates

    cur = l->next;
    while (cur != null) {
      if (cur->prev->val == cur->val) {
        cur = cur->prev;
        remove_after(cur);
      }
      cur = cur->next;
    }

Checker with one traversal parameter with fields (l) and one extra parameter (prev):

    dll(l, prev) = if (l = null) then true else l→prev = prev and dll(l→next, l)

Read as an inductive predicate on abstract memory, with π the traversal address and ρ the prev argument:

    π·dll(ρ) := ∃η. (π = null ∧ emp) ∨ (π ≠ null ∧ π·next ↦ η ∗ π·prev ↦ ρ ∗ η·dll(π))

Abstract memory is a graph: nodes are values (e.g., addresses); a points-to edge is one memory cell; a checker edge (inductive predicate instance) or a segment edge summarizes a region. Edges represent disjoint memory regions. Example: l ↦ α; a segment edge from α·dll(null) to γ·dll(β) summarizes the nodes before cur; cur ↦ γ; γ·prev ↦ β and γ·next ↦ δ are materialized cells; the remainder starting at δ is summarized by a dll checker edge. The update cur->next = cur->next->next is a strong update on the materialized cell γ·next.

9 Materialize by unfolding the inductive definition

(same loop and definition as slide 8)

State: l ↦ α; a segment from α·dll(null) to δ·dll(γ); cur ↦ δ. To materialize cur->prev, unfold the instance δ·dll(γ) forward, which exposes δ·prev ↦ γ (and δ·next ↦ η with η·dll(δ)). The next step, however, needs the fields of γ, the last node inside the segment; those belong to the segment's last checker instance, so the segment has to be unfolded "backward", from its end.

10 Segments as partial checker runs

A checker "run" on a concrete list is the sequence of instances it visits: α·dll(null), β·dll(α), γ·dll(β), δ·dll(γ), null·dll(δ). A segment edge from α to γ summarizes a prefix of such a run: it starts at the instance c(α), ends at a pending instance c'(γ), and every instance in between is fully unfolded. Its summary is therefore the pair of its first and pending instances. Consecutive segments chain when the pending instance of the first is the starting instance of the second (c = c', α = β, γ = γ'), and a segment is empty when its endpoints coincide and nothing has been traversed (α = γ, β = null).

11 To unfold backward, split the segment and then unfold forward

(same loop and definition as slide 8)

Materialize cur->prev->next. State: l ↦ α; a segment from α·dll(null) to δ·dll(γ); cur ↦ δ with δ·prev ↦ γ and δ·next materialized. Splitting the segment at its last instance gives a disjunction of two cases:

- empty segment: α = δ, so l = cur and γ = null; cur->prev is null and there is nothing to materialize;
- non-empty segment: a segment from α·dll(null) to γ·dll(β), followed by the instance γ·dll(β), which is then unfolded forward (one step) to γ·prev ↦ β and γ·next ↦ δ, exposing cur->prev->next.
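The following is an added example, not code from the slides or from the authors' analyzer. It turns the checker of slide 3 into runnable C, instruments the duplicate-removal loop of slides 2 and 8 with the intermediate-state invariant of slide 5, and gives a segment checker as the concrete meaning of the partial checker runs of slides 10 and 11. The node layout, the bodies of remove_after and the duplicate test, the names sorteddlset_seg, loop_invariant, remove_dups, build_list and run_example, and the strict (<) reading of sorteddlset are assumptions; the slides show none of them.

```c
/* Added example; not code from the Chang/Rival slides or their analyzer.
 * Assumed (not on the slides): the node layout, the bodies of remove_after
 * and the duplicate test, and that sorteddlset is the strict (<) variant
 * of sorteddll. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct node { int val; struct node *prev, *next; };

/* Slide 3 in C: null, or back pointer is prev, value >= min, and the rest
 * is a sorted dl list whose first back pointer is l. */
static bool sorteddll(const struct node *l, const struct node *prev, int min) {
    if (l == NULL) return true;
    return l->prev == prev && min <= l->val && sorteddll(l->next, l, l->val);
}

/* Assumed strict variant: sorted, doubly linked, no duplicates. */
static bool sorteddlset(const struct node *l, const struct node *prev, int min) {
    if (l == NULL) return true;
    return l->prev == prev && min < l->val && sorteddlset(l->next, l, l->val);
}

/* Segment checker: a run of sorteddlset from l that stops at end instead of
 * at null; end's back pointer must then be endprev. This is what a "sorted
 * dl set segment" edge from l to cur stands for on a concrete heap. */
static bool sorteddlset_seg(const struct node *l, const struct node *prev, int min,
                            const struct node *end, const struct node *endprev) {
    if (l == end) return prev == endprev;
    if (l == NULL) return false;                /* hit null before end */
    return l->prev == prev && min < l->val &&
           sorteddlset_seg(l->next, l, l->val, end, endprev);
}

/* Slide 5's loop-head state (cur non-null): set segment (values <= v) from l
 * to cur, sorted list (values >= v) from cur, v = value of cur's predecessor. */
static bool loop_invariant(const struct node *l, const struct node *cur) {
    int v = cur->prev->val;
    return sorteddlset_seg(l, NULL, 0, cur, cur->prev) &&
           sorteddll(cur, cur->prev, v);
}

/* Unlink and free the node after cur (assumed body; cur->next non-null). */
static void remove_after(struct node *cur) {
    struct node *dead = cur->next;
    cur->next = dead->next;
    if (dead->next != NULL) dead->next->prev = cur;
    free(dead);
}

/* The loop of slides 2 and 8, with the loop-head invariant checked at run
 * time; this invariant is what the analysis must infer from the checker
 * alone. Returns the number of duplicates removed. */
static int remove_dups(struct node *l) {
    int removed = 0;
    struct node *cur = (l != NULL) ? l->next : NULL;
    while (cur != NULL) {
        assert(loop_invariant(l, cur));
        if (cur->prev->val == cur->val) { cur = cur->prev; remove_after(cur); removed++; }
        cur = cur->next;
    }
    return removed;
}

/* Constructed test input: a dl list built from an array of values. */
static struct node *build_list(const int *vals, size_t n) {
    struct node *head = NULL, *tail = NULL;
    for (size_t i = 0; i < n; i++) {
        struct node *nd = malloc(sizeof *nd);
        nd->val = vals[i]; nd->prev = tail; nd->next = NULL;
        if (tail != NULL) tail->next = nd; else head = nd;
        tail = nd;
    }
    return head;
}

static void free_list(struct node *l) {
    while (l != NULL) { struct node *n = l->next; free(l); l = n; }
}

/* Slide 2's example (2, 2, 4, 4): pre-state checked by sorteddll, post-state
 * by sorteddlset, then a corrupted back pointer must be rejected.
 * Returns the number of duplicates removed, or -1 if any check fails. */
static int run_example(void) {
    const int vals[] = {2, 2, 4, 4};
    struct node *l = build_list(vals, 4);
    int removed = -1;
    if (sorteddll(l, NULL, 0) && !sorteddlset(l, NULL, 0)) {
        removed = remove_dups(l);
        if (!sorteddlset(l, NULL, 0) || l->next == NULL) removed = -1;
        else { l->next->prev = NULL;               /* corrupt a back pointer */
               if (sorteddlset(l, NULL, 0)) removed = -1;
               l->next->prev = l; }                /* repair before freeing */
    }
    free_list(l);
    return removed;
}

int main(void) {
    printf("duplicates removed: %d\n", run_example());   /* prints 2 */
    return 0;
}
```

Compiled as C99, run_example() returns 2 and every loop head satisfies loop_invariant. The function loop_invariant is exactly what a developer never writes: it is the intermediate state the analysis has to generalize from sorteddll on its own, and sorteddlset_seg is the concrete reading of the segment edge that makes that generalization expressible.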

12 Outline

The shape analyzer is an abstract interpretation (materialization and update; widening) preceded by a type pre-analysis over the checkers, e.g. sorteddll(l, prev, min) = if (l = null) then true else l→prev = prev and min ≤ l→val and sorteddll(l→next, l, l→val). Next: the type pre-analysis.

13 Types for deciding where to unfold

Checker definition: π·dll(ρ) := ∃η. (π = null ∧ emp) ∨ (π ≠ null ∧ π·next ↦ η ∗ π·prev ↦ ρ ∗ η·dll(π)).

Checker run on a concrete list: α·dll(null), β·dll(α), γ·dll(β), δ·dll(γ), null·dll(δ); abstractly, a segment from α·dll(null) to γ·dll(β).

The question the analysis must answer before unfolding: if it exists, where is γ→next? where is β→next? That is, which checker instance or segment owns that cell. Types help the analysis decide where to unfold, and they can be inferred automatically from the checker definitions (see paper).

14 Summary: Given checkers, everything is automatic

The developer supplies only the checkers, e.g. sorteddll(l, prev, min) = if (l = null) then true else l→prev = prev and min ≤ l→val and sorteddll(l→next, l, l→val). The type pre-analysis and the abstract interpretation (materialization and update, widening) run without further input.

15 Experiments

Benchmark                                 Max. graphs   Max. iterations   Analysis
                                          at a point    at a point        time (ms)
doubly-linked list reverse                1             3                 1.4
doubly-linked list copy                   2             3                 5.3
doubly-linked list insert                 2             4                 3.8
doubly-linked list remove                 5             4                 6.5
doubly-linked list remove and back        5             4                 6.8
search tree with parent insert            5             5                 8.3
search tree with parent insert and back

Property verified: the shape invariant given by a checker is preserved across the operation.

16 Conclusion

- Inductive checkers can form the basis of an effective memory abstraction and analysis, easily extensible on a per-program basis.
- To enable materialization anywhere: segments are defined as partial checker runs, and a type pre-analysis on checker definitions decides robustly where to unfold.
- Numerical reasoning via coordination with a base domain (see paper).

What can inductive shape analysis do for you?