ISMM Analyzing Memory Resource Bounds for Low-Level Programs Wei-Ngan Chin 1 Huu Hai Nguyen 1 Corneliu Popeea 1 Shengchao Qin 2 1 National Univ. of Singapore 2 Durham University, UK

ISMM Motivation: Memory Bounds Analysis  Given a piece of program code, how much memory will it require for safe execution? Can we know the answer before execution? Applications: Resource constrained embedded devices (limited memory footprint) Safety critical systems

ISMM Simple Example Given a method: int foo (int n) { if (n <= 0) { return 1; } else { c x = new c(); c y = new c(); int v = 2+foo(n-1); dispose(x); return v; } } Derive an upper-bound for the use of: stack memory heap memory

ISMM Three design decisions: low level programs: more accurate bounds analysis. structured control flow: recovered if not available. how to model heap recovery? (next slide) P ::= M 1, …, M n M ::= t m(t 1,..., t n ) { E } E ::= Cmd | E 1 ; E 2 | if E 1 E 2 | while E Cmd ::= load i | store i | invoke m | const k | new c | dispose c What Programs to Analzye? method invocation method definition object deallocation

ISMM Heap Recovery Possible solutions for analyzing heap recovery: use explicit memory disposal. use region-based memory management. Both solutions over-approximate the recovery that can be achieved via GC. Rely on an analysis that inserts dispose commands (Chin-et-al:SAS05) alias annotations for object fields and methods not for cyclic data structures May achieve finer-grained heap recovery.

ISMM Highlights of Our Work Derive both stack and heap bounds with similar apparatus. Automatic and sound analysis of recursion. Precision and efficiency: relational analysis for low-level code. disjunctive invariants for “bounds analysis”.

ISMM Overview of Our Solution A multi-pass analysis automatically infers memory bounds in a modular way 4. heap usage + heap bound 1.frame bound 3.stack bound 2.abstract state t m(t 1,.., t n ) F ; Á ; S ; H ; M {..}

ISMM Frame Bound Inference Stack Frames Simple analysis: l, ¡ ` F E Ã A, ¡ 1, p Embed the current top frame pointer p at each program point:

ISMM Abstract State Inference The abstract states expressed as Presburger formula over values on the stack [  p,..,  1 ] : The inference rule: Abstract states inserted at each program point: Presburger formula Boolean expression arithmetic expression State before State after

ISMM Abstract State Inference: Some Rules make use of top frame pointer p Á po - postcondition of callee m ½ - substitution from formals to actual arguments derive state after call

ISMM Stack Bound Inference Problem: infer stack bound for each method. each elem. denotes a bound s when g is true S - stack bound from method body F - minimum stack bound fixpoint computation

ISMM Stack Bound Inference: Some Rules the position where new frame is built incorporate guarded formula w/ current state tail call optimization retrieve stack bound of callee m 1

ISMM Heap Inference H and M are guarded form: H / H 1 heap usage before/after execution of B M heap bound heap effect

ISMM Example: Fixpoint Analysis Simple example: int foo (int n) { if (n <= 0) { return 1; } else { c x = new c(); c y = new c(); int v = 2+foo(n-1); dispose(x); return v; } } First step: build a constraint abstraction rec(n,r) = (n · 0 Æ r=1) Ç ( 9 r 1 ¢ n>0 Æ rec(n-1,r 1 ) Æ r=2+r 1 ) Next step: derive approximation for its fixpoint.

ISMM Fixpoint Analysis for Abstract State Use disjunctive polyhedron abstract domain: selective hulling: combines related disjuncts. widening: ensures termination of fixpoint analysis. rec 1 (n,r) = (n · 0 Æ r=1) Ç ( 9 r 1 ¢ n>0 Æ rec 0 (n-1,r 1 ) Æ r=2+r 1 ) = (n · 0 Æ r=1) rec 2 (n,r) = (n · 0 Æ r=1) Ç ( 9 r 1 ¢ n>0 Æ rec 1 (n-1,r 1 ) Æ r=2+r 1 ) = (n · 0 Æ r=1) Ç (0 < n · 1 Æ r=2+1) rec 3 (n,r) = (n · 0 Æ r=1) Ç (n=1 Æ r=3) Ç (n=2 Æ r=5) = h (n · 0 Æ r=1) Ç (0 < n · 2 Æ r=2n+1) = w (n · 0 Æ r=1) Ç (0 < n Æ r=2n+1) false

ISMM Fixpoint Analysis: Memory Bounds Constraint abstraction: rec M (n) = {n · 0  {(c,0)}} [ ({n>0  {(c,2)}} + rec M (n-1)) Derive fixpoint: rec M (n) = {n · 0  {(c,0)}} [ {n>0  {(c,2n)}} A similar analysis derives the stack bound.

ISMM Soundness Safety theorem: given memory resources equal to (or more than) its inferred bounds, each method always executes without error due to insufficient memory.

ISMM Experiments A prototype system built in Haskell language. Omega library + disjunctive fixpoint analyzer. Small numerical programs (upto 2kloc).

ISMM Related Work Hughes-Pareto:ICFP99, Hofmann-Jost:POPL03 for first-order functional languages. Cachera-et-al:FM05 - for Java bytecode certifies that memory is bounded (but not what bound) Albert-et-al:ESOP07 - for Java bytecode: derives (only) heap bounds. heap recovery via escape analysis. Braberman-et-al:ISMM08 - Java-like programs: expressive heap bounds (polynomial expressions). heap recovery via region-based memory management. loop invariants inferred dynamically + user annotations.

ISMM Conclusion A sound inference system to predict the amount of memory space needed: Can infer upper bounds for stack and heap spaces. Uses guarded formulae to track both usage and upper bounds in a path sensitive manner. Uses fixpoint analysis in the polyhedron domain to handle both recursion and loops. Prototype system used to infer memory bounds for a set of benchmark programs.

ISMM Thank you!

ISMM References J. Hughes and L. Pareto. Recursion and Dynamic Data-Structures in Bounded Space: Towards Embedded ML Programming [ICFP99] M. Hofmann and S. Jost. Static prediction of heap space usage for first order functional programs [POPL03] D. Cachera, T. Jensen, D. Pichardie, and G. Schneider. Certified Memory Usage Analysis [FM05] W.N. Chin, H.H. Nguyen, S.C. Qin, and M. Rinard. Memory Usage Verification for OO Programs [SAS05] C. Popeea and W.N. Chin. Inferring disjunctive postconditions [ASIAN06] E. Albert, P. Arenas, S. Genaim, G. Puebla, and D. Zanardini. Cost Analysis of Java Bytecode [ESOP07] V. Braberman, F. Fernandez, D. Garbervetsky, and S. Yovine. Parametric Prediction of Heap Memory Requirements [ISMM08]

ISMM Discussion: Abstract States for Objects Inference of abstract states for heap allocated objects not included in the paper Challenge: objects that are mutable & shareable We provided an alias type system which can identify two groups of trackable objects: Unique references whose abstract states may change Immutable references whose abstract states are immutable (but can be freely shared) In current work, abstract states are mainly size- related properties.

ISMM Abstract States for Objects: An Example No. of nodes Height of tree Analysis result for method height Analysis result for mehtod sum