Reduction in End-User Shape Analysis – Dagstuhl Seminar: Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009 – Xavier Rival (INRIA and ENS Paris) and Bor-Yuh Evan Chang (University of Colorado, Boulder)

Presentation transcript:

1 Reduction in End-User Shape Analysis
Dagstuhl Seminar – Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009
Xavier Rival, INRIA and ENS Paris
Bor-Yuh Evan Chang, University of Colorado, Boulder

2 Why think about the analyzer's end-user?
User ↔ Tool
Accessibility: end-users are not experts in verification and logic; we want adoption of our tools and techniques.
Expressivity, efficiency, and feasibility: end-users are not completely incompetent either; they can provide guidance to tools and understand the code best.
Bor-Yuh Evan Chang and Xavier Rival - Reduction in End-User Shape Analysis

3 Main Design Decision: Summaries and their operations
Shape analysis is an abstract interpretation on abstract memory descriptions with summaries (e.g., a pointer cur into a "sorted dl list" l) and two operations on them:
– Splitting of summaries (materialization), to reflect updates precisely
– Summarizing, for termination (summarization)

4 The Wild Wild World of Shape Analysis
Choosing the heap abstraction is difficult. Some representative approaches:
– Built-in high-level predicates (Space Invader [Distefano et al.]): + no additional user effort; – harder to extend
– Parametric in low-level, analyzer-oriented predicates (TVLA [Sagiv et al.]): + very general and expressive; – harder for non-experts
– Our approach (Xisa): parametric in high-level, developer-oriented predicates: + extensible; + targeted to developers

5 Our Approach: Executable Specifications
Utilize "run-time validation code" as the specification for static analysis:
  assert(l.purple_dll(null));
  for each node cur in list l { make cur red; }
  assert(l.red_dll(null));
Checker (the parameter p specifies where prev should point):
  h.dll(p) := if (h = null) then true else h→prev = p and h→next.dll(h)
Read as an inductive definition in separation logic:
  h.dll(p) := h = null ∧ emp ∨ ∃n. h→prev ↦ p ∗ h→next ↦ n ∗ n.dll(h)
Build the abstraction for the analysis directly out of the developer-supplied validation code, and automatically generalize checkers to intermediate states (generalized segments).

6 Xisa is …
An automated shape analysis with a precise memory abstraction based around invariant checkers.
– Extensible and targeted for developers: parametric in developer-supplied checkers, viewed as inductive definitions in separation logic
– Precise yet compact abstraction for efficiency: data structure-specific, based on the properties of interest to the developer
Checkers, e.g.: h.dll(p) = if (h = null) then true else h→prev = p and h→next.dll(h)

7 Problem: Non-Unique Representations
With user-guided abstraction, different summaries may have the same (or related) concretizations.
  l.dll(p) := if (l = null) then true else l→prev = p and l→next.dll(l)
  l.dll_back(n) := if (l = null) then true else l→next = n and l→prev.dll_back(l)
The checker summaries h.dll(null) (from the head h) and t.dll_back(null) (from the tail t) describe the same concrete instance: the doubly linked list running from h to t.

8 Need: Convert between related summaries
1. Prove lemmas about related checkers, e.g., relating dll and dll_back.
Observation: our widening operator can derive these facts on an appropriate program.
Basic idea: take the checker definition (l.dll(p) := …) and the semantics of dll_back, feed them to the parametric abstract domain, and let summarization (widening) produce the relation between the two.

9 Need: Convert between related summaries
2. Find out which lemmas are needed and when to apply them during program analysis (work in progress; not in this talk).

10 New "Pre-Program Analysis Analysis"
Xisa shape analyzer:
– program analysis: abstract interpretation (splitting and interpreting updates, summarizing), with level-type inference for unfolding
– checker analysis ("pre-program analysis"): lemma proving for reduction; derives information about the checkers so that the program analysis can use them effectively
Checkers, e.g.: dll(h, p) = if (h = null) then true else h→prev = p and dll(h→next, h)

11 Outline
Memory abstraction: graphs; segments
A semantics of checker definitions
Example: a segment of a list vs. a list segment

12 Abstract memory as graphs
Nodes are memory addresses (values); a thin edge is one memory cell (points-to, e.g. γ→next = δ); a checker summary is an instance of an inductive predicate (e.g. α.dll(null), γ.dll(β)) standing for some number of memory cells.
Example: l points to α with α.dll(null); cur points to γ, which is reached from β over prev/next cells, with γ.dll(β).
Make endpoints and segments explicit: the cells between l's node α and cur's node γ are summarized by a segment summary, the segment generalization of the checker, written α.dll(null) ∗= γ.dll(β) (intuitively, a run of α.dll(null) up to γ.dll(β)): a "dll segment".

13 Segments as Partial Checker "Runs" (conceptually) [POPL'08]
A complete checker "run" on a list with nodes α, β, γ, δ is the chain of instances α.dll(null), β.dll(α), γ.dll(β), δ.dll(γ), null.dll(δ).
A segment summary c(α, γ) is a prefix of such a run, from the instance at α up to the instance at γ.
(Figure: instance versus summary; a summary c(α, γ) matches an instance c'(β, γ') under c = c', α = β, γ = γ'; the degenerate cases are the empty segment α = γ and the complete run ending at null.)

14 Outline (continued): a semantics of checker definitions, then the example of a segment of a list vs. a list segment.

15 Example: User-Defined List Segments
  l.ls(e) := if (l = e) then true else l→next.ls(e)         (checker: "a segment of a list")
  l.list() := if (l = null) then true else l→next.list()    (checker: "a list")
Summaries: the user-defined α.ls(β) (l = α, e = β) versus the segment generalization of list, α.list() ∗= β (l = α, e = β): "a list segment".
Want: a decision procedure for inclusions between them, e.g. α.ls(β) ⊑? α.list() ∗= β. We can reuse our parametric abstract domain!

16 An Alternative Semantics for Checkers
Standard semantics: γ(summary) is a set of concrete stores, e.g. γ(α.ls(β)) is the set of stores with the segment between addrof(α) and addrof(β).
Alternative: read the checker as a generator of "concrete" graphs, unfolding α.ls(β) into
  α = β;
  α→next = α', α' = β;
  α→next = α', α'→next = α'', α'' = β;
  …

17 Show α.ls(β) ⊑ α.list() ∗= β
Apply abstract interpretation, using only list as the checker parameter of the domain, to the graphs generated by unfolding ls (α = β; α→next = α', α' = β; α→next = α', α'→next = α'', α'' = β; …); widening summarizes them into the list segment from α to β.
Our widening is a non-symmetric binary operator that interleaves region matching and summarizing [SAS'07].
Widening properties: Soundness: computes an over-approximation. Termination: ensures the chain stabilizes.
Algorithm: 1. Iteratively split regions by matching nodes (ok by ∗). 2. Find a common abstraction for the matched regions (calling on ⊑ to check inclusion).

18 Inclusion Check
Example: (α→next = α', α' = β) ⊑ α.list() ∗= β. Split both sides by matching nodes; unfold the segment summary one step to expose its α→next edge, match it against the concrete α→next = α' edge, and what remains (with α' = β) is emp ⊑ emp.
Inclusion check algorithm: 1. Iteratively split regions by matching nodes. 2. Check inclusion by unfolding and matching edges until it is obvious (emp ⊑ emp).
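As an added example (not code from the talk or from Xisa), the checkers of slides 5, 7 and 15 written as the executable "run-time validation code" the approach takes as specification, together with the slide-16 generator that unfolds α.ls(β) into concrete graphs. It assumes a toy heap model (a dict from address to a cell of prev/next fields) and models the separating conjunction by consuming each cell at most once, so a broken, dangling or cyclic structure fails the checker instead of looping.

```python
# Added example (not the talk's code): its checkers as executable "run-time validation code", run on
# constructed heaps. Heap model (assumption): dict addr -> {"prev": addr, "next": addr}; None is null.
def _cell(heap, addr, used):
    # Separating conjunction: a cell is consumed once; a revisit, cycle or dangling address fails.
    if addr in used or addr not in heap: return None
    used.add(addr)
    return heap[addr]

def dll(heap, h, p, used=None):
    """h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)"""
    used = set() if used is None else used
    if h is None: return True
    c = _cell(heap, h, used)
    return c is not None and c["prev"] == p and dll(heap, c["next"], h, used)

def dll_back(heap, t, n, used=None):
    """t.dll_back(n) := if (t = null) then true else t->next = n and t->prev.dll_back(t)"""
    used = set() if used is None else used
    if t is None: return True
    c = _cell(heap, t, used)
    return c is not None and c["next"] == n and dll_back(heap, c["prev"], t, used)

def ls(heap, l, e, used=None):
    """l.ls(e) := if (l = e) then true else l->next.ls(e)  (user-defined segment of a list)"""
    used = set() if used is None else used
    if l == e: return True
    c = _cell(heap, l, used)
    return c is not None and ls(heap, c["next"], e, used)

def list_(heap, l, used=None):
    return ls(heap, l, None, used)  # l.list() := if (l = null) then true else l->next.list()

def make_dll(addrs):
    """Constructed instance: a doubly linked chain, head prev = null, tail next = null."""
    return {a: {"prev": addrs[i - 1] if i else None, "next": addrs[i + 1] if i + 1 < len(addrs) else None}
            for i, a in enumerate(addrs)}

def unfold_ls(k, end="beta"):
    """Slide-16 generator: the k-th unfolding of alpha.ls(beta): alpha -> alpha' -> ... -> beta."""
    addrs = ["alpha" + "'" * i for i in range(k)]
    heap = {a: {"next": addrs[i + 1] if i + 1 < k else end} for i, a in enumerate(addrs)}
    return heap, (addrs[0] if k else end)

def segment_then_list_is_list(k):
    """Slide-15 relation on the k-th unfolding: alpha.ls(beta) * beta.list() implies alpha.list()."""
    heap, start = unfold_ls(k)
    heap["beta"] = {"next": None}  # beta.list() holds with this single cell
    used = set()                   # one footprint shared by the * conjuncts; it must cover the heap
    premise = ls(heap, start, "beta", used) and list_(heap, "beta", used) and used == set(heap)
    return premise and list_(heap, start)
```

On a well-formed chain both dll(head, null) and dll_back(tail, null) succeed, which is exactly the non-unique representation of slide 7; the same instance with one prev pointer corrupted fails both.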

19 Summary: Reuse the domain to decide relations amongst checker definitions
Xisa shape analyzer (as on slide 10): the program analysis (abstract interpretation: splitting and interpreting updates, summarizing; level-type inference for unfolding) is complemented by a checker analysis ("pre-program analysis") that proves the lemmas needed for reduction.

20 Conclusion and Next Steps
The non-unique representation problem is magnified with user-supplied checkers:
– Need reduction to convert between representations
– An ordering on checkers is needed to apply reduction; the ordering is shown by applying Xisa to a checker definition
To put into practice:
– Needed lemmas: pre-compute the ordering, or compute it on demand?
– When to apply: level types for unfolding may help
– Derive new checkers (e.g., dll_back from dll)?