1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Greta YorshEran YahavMartin Vechev IBM Research. { ……………… …… …………………. ……………………. ………………………… } T1() Challenge: Correct and Efficient Synchronization { ……………………………
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Heap Decomposition for Concurrent Shape Analysis R. Manevich T. Lev-Ami M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine MSR Cambridge Dagstuhl.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Paraglide Martin Vechev Eran Yahav Martin Vechev Eran Yahav.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Chair of Software Engineering From Program slicing to Abstract Interpretation Dr. Manuel Oriol.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
1 E. Yahav School of Computer Science Tel-Aviv University Typestate Verification: Abstraction Techniques and Complexity Results J. Field, D. Goyal, G.
1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Developing Verifiable Concurrent Software Tevfik Bultan Department of Computer Science University of California, Santa Barbara
1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.
1 Refinement-Based Context-Sensitive Points-To Analysis for Java Manu Sridharan, Rastislav Bodík UC Berkeley PLDI 2006.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.
Synthesis of Interface Specifications for Java Classes Rajeev Alur University of Pennsylvania Joint work with P. Cerny, G. Gupta, P. Madhusudan, W. Nam,
1 CMSC 132: Object-Oriented Programming II Nelson Padua-Perez William Pugh Department of Computer Science University of Maryland, College Park.
Modular Shape Analysis for Dynamically Encapsulated Programs Noam Rinetzky Tel Aviv University Arnd Poetzsch-HeffterUniversität Kaiserlauten Ganesan RamalingamMicrosoft.
Comparison Under Abstraction for Verifying Linearizability Daphna Amit Noam Rinetzky Mooly Sagiv Tom RepsEran Yahav Tel Aviv UniversityUniversity of Wisconsin.
1 © 1999 Citrix Systems Inc Java on Nemesis Tim Harris.
Composing Dataflow Analyses and Transformations Sorin Lerner (University of Washington) David Grove (IBM T.J. Watson) Craig Chambers (University of Washington)
Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)
Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.
Mark Marron IMDEA-Software (Madrid, Spain) 1.
The Quest for Minimal Program Abstractions Mayur Naik Georgia Tech Ravi Mangal and Xin Zhang (Georgia Tech), Percy Liang (Stanford), Mooly Sagiv (Tel-Aviv.
Finding Optimum Abstractions in Parametric Dataflow Analysis Xin Zhang Georgia Tech Mayur Naik Georgia Tech Hongseok Yang University of Oxford.
T. Lev-Ami, R. Manevich, M. Sagiv TVLA: A System for Generating Abstract Interpreters A. Loginov, G. Ramalingam, E. Yahav.
SAMANVITHA RAMAYANAM 18 TH FEBRUARY 2010 CPE 691 LAYERED APPLICATION.
SOFTWARE DESIGN AND ARCHITECTURE LECTURE 09. Review Introduction to architectural styles Distributed architectures – Client Server Architecture – Multi-tier.
Testing and Verifying Atomicity of Composed Concurrent Operations Ohad Shacham Tel Aviv University Nathan Bronson Stanford University Alex Aiken Stanford.
Program Analysis with Dynamic Change of Precision Dirk Beyer Tom Henzinger Grégory Théoduloz Presented by: Pashootan Vaezipoor Directed Reading ASE 2008.
Database Systems: Design, Implementation, and Management Tenth Edition
Shape Analysis Overview presented by Greta Yorsh.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
Type Systems CS Definitions Program analysis Discovering facts about programs. Dynamic analysis Program analysis by using program executions.
JDBC Java and Databases. RHS – SOC 2 JDBC JDBC – Java DataBase Connectivity An API (i.e. a set of classes and methods), for working with databases in.
Introduction CS 3358 Data Structures. What is Computer Science? Computer Science is the study of algorithms, including their  Formal and mathematical.
Major objective of this course is: Design and analysis of modern algorithms Different variants Accuracy Efficiency Comparing efficiencies Motivation thinking.
1 Introduction to Software Engineering Lecture 1.
Class 5 Architecture-Based Self-Healing Systems David Garlan Carnegie Mellon University.
Chameleon Automatic Selection of Collections Ohad Shacham Martin VechevEran Yahav Tel Aviv University IBM T.J. Watson Research Center Presented by: Yingyi.
Mark Marron 1, Deepak Kapur 2, Manuel Hermenegildo 1 1 Imdea-Software (Spain) 2 University of New Mexico 1.
Model construction and verification for dynamic programming languages Radu Iosif
Mark Marron IMDEA-Software (Madrid, Spain) 1.
Convergence of Model Checking & Program Analysis Philippe Giabbanelli CMPT 894 – Spring 2008.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
Lecture 5: Threads process as a unit of scheduling and a unit of resource allocation processes vs. threads what to program with threads why use threads.
Department of Computer Science and Software Engineering
CoCo: Sound and Adaptive Replacement of Java Collections Guoqing (Harry) Xu Department of Computer Science University of California, Irvine.
Mark Marron 1, Deepak Kapur 2, Manuel Hermenegildo 1 1 Imdea-Software (Spain) 2 University of New Mexico 1.
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.
1PLDI 2000 Off-line Variable Substitution for Scaling Points-to Analysis Atanas (Nasko) Rountev PROLANGS Group Rutgers University Satish Chandra Bell Labs.
Interprocedural shape analysis for cutpoint-free programs Noam Rinetzky Tel Aviv University Joint work with Mooly Sagiv Tel Aviv University Eran Yahav.
Putting Static Analysis to Work for Verification A Case Study Tal Lev-Ami Thomas Reps Mooly Sagiv Reinhard Wilhelm.
David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 5: Implementing Data Abstractions.
Interprocedural shape analysis for cutpoint-free programs
Partially Disjunctive Heap Abstraction
Chapter ? Quality Assessment
Compactly Representing First-Order Structures for Static Analysis
Spring 2016 Program Analysis and Verification
Input Space Partition Testing CS 4501 / 6501 Software Testing
Objective of This Course
Lecture 4: Data Abstraction CS201j: Engineering Software
ENERGY 211 / CME 211 Lecture 27 November 21, 2008.
Presentation transcript:

1 E. Yahav School of Computer Science Tel-Aviv University Verifying Safety Properties using Separation and Heterogeneous Abstractions G. Ramalingam IBM T.J. Watson Research Center

2 Lightweight Specification  "correct usage" rules a client must follow  "call open() before read()" Certification does the client program satisfy the lightweight specification? Verification of Safety Properties Component a library with cleanly encapsulated state Client a program that uses the library The Canvas Project (IBM Watson and Tel Aviv) (Component Annotation, Verification and Stuff)

3 Quick Overview: Fine Grained Heap Abstraction Heap H Precise but often too expensive

4 Quick Overview: Separation & Heterogeneous Abstraction Fine-grained abstraction Coarse abstraction

5 Separation: The Intuition InputStream ins1 = new InputStream(); InputStream ins2 = new InputStream();... if (?) { ins1.close();... } if (?) { ins2.close();... } … Problem: verify that InputStreams are used correctly: not read after they are closed. Possible states: (1) ins1: open; ins2: open (2) ins1: open; ins2: closed (3) ins1: closed; ins2: open (4) ins1: closed; ins2: closed

6 Separation: The Intuition InputStream ins1 = new InputStream(); InputStream ins2 = new InputStream();... if (?) { ins1.close();... } if (?) { ins2.close();... } … Sub-problems: (1)verify that ins1 is used correctly (2)verify that ins2 is used correctly Possible states (sub-problem 1) (1)ins1: open (2)ins1: closed Possible states (sub-problem 2) (1)ins2: open (2)ins2: closed

7 Separation: The Intuition Basic idea of separation is not new  independent attribute analysis vs. relational analysis  e.g. conventional (compiler) dataflow analyses  e.g. ESP (PLDI 2002) exploits separation

8 Our Contribution: Separation + Heap Analysis Separation for heap analysis integrated with verification Heterogeneous abstraction for heaps Separation for first-order safety properties Separation strategies More focused separation individual object vs. allocation-site

9 Heap (Pointer) Analysis Dynamic object creation (heap allocation) is the primary source of unbounded program state Creating a bounded representation of a potentially unbounded heap is a key aspect of program analysis  by merging multiple objects into a “summary” object  e.g., merge all objects allocated at same allocation site into one summary object

10 A Common Approach to Pointer Analysis in Software Verification Break verification problem into two phases  Preprocessing phase – separate points-to analysis typically no distinction between objects allocated at same site  Verification phase – verification using points-to results May lose precision  May lose ability to perform strong updates  May produce false alarms Program Property Pointer Analysis Verification Analysis

11 Loss of Precision in Two-Phase Approach f = new InputStream(); f.read(); f.close(); Verify f is not read after it is closed Straightforward...

12 Loss of Precision in Two-Phase Approach while (?) { f = new InputStream(); f.read(); f.close(); } f1 f closed False alarm! “read may be erroneous”

13 The TVLA Approach TVLA is a flexible (parametric) system for abstract interpretation and verification 1.parametric heap (i.e., pointer) analysis  user can specify criterion for merging heap-allocated objects  user can specify criterion for merging shape graphs 2.verification integrated with heap analysis  heap analysis (merging criterion) can adapt to verification Program Property Front end First-Order Transition Sys Abstract Interpretation

14 while (?) { f = new InputStream(); f.read(); f.close(); } The TVLA Approach: An Example f closed f f f … Concrete States f closed f f Abstract States

15 Fine Grained Heap Abstraction Heap H Precise but often too expensive

16 Separation & Heterogeneous Abstraction Fine-grained abstraction Coarse abstraction

17 Outline of Our Approach  Decompose verification problem into a set of subproblems  Adapt abstraction to each subproblem

18 Outline of Our Approach  Decompose verification problem into a set of subproblems Analysis-user specifies a separation strategy  Adapt abstraction to each subproblem  Heterogeneous abstraction

19 Example – Input Streams InputStream ins1 = getInputStream(); InputStream ins2 = getInputStream(); InputStream ins3 = getInputStream(); InputStream ins4 = getInputStream(); InputStream ins = ins1; if (?) { ins1.close(); ins = ins2; } if (?) { ins2.close(); ins = ins3; } if (?) { ins3.close(); ins = ins4; } int val = ins.read(); …

20 Separation Strategies choose some i : InputStream() site[1] ins1 site[1] ins2ins3ins4 site[1] ins2 site[1] ins1ins3ins4 site[1] ins3 site[1] ins1ins2ins4 site[1] ins4 site[1] ins1ins2ins3 Without separation site[1] ins1 site[1] ins2 site[1] ins3 site[1] ins4ins1 site[1] ins2ins3ins4 Abstraction 1 (expensive)Abstraction 2 (imprecise) Abstract state after creation of all four InputStream: (with separation)

21 Example – Input Streams InputStream ins1 = getInputStream(); InputStream ins2 = getInputStream(); InputStream ins3 = getInputStream(); InputStream ins4 = getInputStream(); InputStream ins = ins1; if (?) { ins1.close(); ins = ins2; } if (?) { ins2.close(); ins = ins3; } if (?) { ins3.close(); ins = ins4; } int val = ins.read(); … closed site[1] ins1ins site[1] ins2 site[1] ins3 site[1] ins4 site[1] ins1ins site[1] ins2 site[1] ins3 site[1] ins4 … … site[1] ins1ins site[1] ins2 site[1] ins3 site[1] ins4 closed site[1] ins1ins site[1] ins2 site[1] ins3 site[1] ins4 … closed site[1] ins1 closed site[1] ins2 closed site[1] ins3 site[1] ins4ins … … …

22 Example – Input Streams InputStream ins1 = getInputStream(); InputStream ins2 = getInputStream(); InputStream ins3 = getInputStream(); InputStream ins4 = getInputStream(); InputStream ins = ins1; if (?) { ins1.close(); ins = ins2; } if (?) { ins2.close(); ins = ins3; } if (?) { ins3.close(); ins = ins4; } int val = ins.read(); … closed site[1] ins1ins site[1] ins2ins3ins4 site[1] ins1ins site[1] ins2ins3ins4 site[1] ins1ins site[1] ins2ins3ins4 site[1] ins1ins closed = 1/2 site[1] ins2ins3ins4 closed site[1] ins1 closed=1/2 site[1] ins2ins3ins4ins

23 First-Order Safety Properties Involve multiple correlated objects  e.g., JDBC Problem can be decomposed into sub-problems in several different ways Different separation granularity Different efficiency, different precision... ResultSet rs2 = stmt2.executeQuery(...);... ResultSet minRs2 = stmt2.executeQuery(...)... rs2.next();

24 Example: JDBC Specification Class Connection { Set statements; … } class Statement { boolean closed; ResultSet myResultSet; Connection myConnection; Statement(Connection c) { closed = false; myConnection = c; myResultSet = null; } ResultSet executeQuery(String qry) { requires !closed; if (myResultSet != null) myResultSet.closed = true; myResultSet = new ResultSet(this); return myResultSet; } … } class ResultSet { boolean closed; Statement ownerStmt; ResultSet(Statement s) { closed = false ; ownerStmt = s; } void close() { closed = true; } boolean next() { requires !closed; }

25 Single Choice Separation choose some c : Connection() choose all s : Statement(x) / x == c choose all r : ResultSet(y) / y == s con1stmt1rs1 stmt myRS maxRs own con2stmt2minRs2 stmt myRS maxRs2 own rs2 con1stmt1rs1 stmt myRS maxRs own con2stmt2minRs2 stmt myRS maxRs2 own rs2

26 Multiple Choice Separation choose some c : Connection() choose some s : Statement(x) / x == c choose some r : ResultSet(y) / y == s con1stmt1rs1 stmt myRS maxRs own con2stmt2minRs2 stmt myRS maxRs2 own rs2 con1stmt1rs1 stmt myRS maxRs own con2stmt2minRs2 stmt myRS maxRs2 own rs2 + 6 more

27 Strategy Implementation separation strategy + program + property  compiled into TVLA input  using instrumentation predicates  details in paper

28 Prototype Implementation Implemented over TVLA Applied to several example programs  Up to 5000 lines of Java Used to verify  Absence of concurrent modification exception (CME)  JDBC API conformance  IOStreams API conformance Improved performance In some cases improved precision

29

30

31 Other Issues Objects chosen for verification Objects relevant for verification (for chosen object)  Identified via reachability  User hints via separation strategy

32 Related Work Demand-driven analysis  hard for heap analysis Program slicing  an approach to demand-driven analysis  simple slicing can be an effective optimization  precise slicing (for heap) is hard Client-driven pointer analysis (Guyer & Lin, SAS 2003) Counter-example guided abstraction refinement

33 Verification: Recent Work ESC/Modula-3, ESC/Java (CC ’98,...) MC (OSDI 2000,...) Bandera (ICSE 2000,...) SLAM (SPIN 2001,...) Vault (PLDI 2001,...) BLAST (POPL 2002,...) ESP (PLDI 2002,...) Foster, Terauchi and Aiken (PLDI 2002,...)... several others...

34 Some tasks are best done by machine, while others are best done by human insight; and a properly designed system will find the right balance. D. Knuth The End It is of highest importance... to be able to recognize out of a number of facts which are incidental and which vital... Otherwise your energy and attention must be dissipated instead of being concentrated. Arthur Conan Doyle

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.