1 Applications of TVLA Mooly Sagiv Tel Aviv University Shape Analysis with Applications.

Slides:



Advertisements
Similar presentations
Chapter 22 Implementing lists: linked implementations.
Advertisements

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstract Interpretation Part II
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
David Notkin Autumn 2009 CSE303 Lecture 13 This space for rent.
Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.
1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Program analysis Mooly Sagiv html://
1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.
Program analysis Mooly Sagiv html://
1 Verifying Temporal Heap Properties Specified via Evolution Logic Eran Yahav, Tom Reps, Mooly Sagiv and Reinhard Wilhelm
1 Eran Yahav and Mooly Sagiv School of Computer Science Tel-Aviv University Verifying Safety Properties.
Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Overview of program analysis Mooly Sagiv html://
Detecting Memory Errors using Compile Time Techniques Nurit Dor Mooly Sagiv Tel-Aviv University.
1 Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University Shape analysis with applications Chapter 4.6
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
A Semantics for Procedure Local Heaps and its Abstractions Noam Rinetzky Tel Aviv University Jörg Bauer Universität des Saarlandes Thomas Reps University.
Overview of program analysis Mooly Sagiv html://
Static Program Analysis via Three-Valued Logic Thomas Reps University of Wisconsin Joint work with M. Sagiv (Tel Aviv) and R. Wilhelm (U. Saarlandes)
June 27, 2002 HornstrupCentret1 Using Compile-time Techniques to Generate and Visualize Invariants for Algorithm Explanation Thursday, 27 June :00-13:30.
T. Lev-Ami, R. Manevich, M. Sagiv TVLA: A System for Generating Abstract Interpreters A. Loginov, G. Ramalingam, E. Yahav.
TVLA: A system for inferring Quantified Invariants Tal Lev-Ami Tom Reps Mooly Sagiv Reinhard Wilhelm Greta Yorsh.
Programming Language C++ Xulong Peng CSC415 Programming Languages.
Shape Analysis Overview presented by Greta Yorsh.
Shape Analysis via 3-Valued Logic Mooly Sagiv Thomas Reps Reinhard Wilhelm
Symbolically Computing Most-Precise Abstract Operations for Shape Analysis Greta Yorsh Thomas Reps Mooly Sagiv Tel Aviv University University of Wisconsin.
Static Analysis of Memory Errors Mooly Sagiv Tel Aviv University.
Symbolic Execution with Abstract Subsumption Checking Saswat Anand College of Computing, Georgia Institute of Technology Corina Păsăreanu QSS, NASA Ames.
1 Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University Shape analysis with applications Chapter 4.6
Heap liveness and its usage in automatic memory management Ran Shaham Elliot Kolodner Mooly Sagiv ISMM’02 Unpublished TVLA.
1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.
Data Structures and Algorithms for Efficient Shape Analysis by Roman Manevich Prepared under the supervision of Dr. Shmuel (Mooly) Sagiv.
Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications Chapter.
1 Program Analysis via 3-Valued Logic Mooly Sagiv, Tal Lev-Ami, Roman Manevich Tel Aviv University Thomas Reps, University of Wisconsin, Madison Reinhard.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
Program Analysis via 3-Valued Logic Thomas Reps University of Wisconsin Joint work with Mooly Sagiv and Reinhard Wilhelm.
Roman Manevich Ben-Gurion University Program Analysis and Verification Spring 2015 Program Analysis and Verification Lecture 16: Shape Analysis.
1 Numeric Abstract Domains Mooly Sagiv Tel Aviv University Adapted from Antoine Mine.
MORE POINTERS Plus: Memory Allocation Heap versus Stack.
Operational Semantics Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
Interprocedural shape analysis for cutpoint-free programs Noam Rinetzky Tel Aviv University Joint work with Mooly Sagiv Tel Aviv University Eran Yahav.
Agenda  Quick Review  Finish Introduction  Java Threads.
Static Analysis of Concurrent Programs Mooly Sagiv.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Putting Static Analysis to Work for Verification A Case Study Tal Lev-Ami Thomas Reps Mooly Sagiv Reinhard Wilhelm.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
CSC 143 P 1 CSC 143 Recursion [Chapter 5]. CSC 143 P 2 Recursion  A recursive definition is one which is defined in terms of itself  Example:  Compound.
Interprocedural shape analysis for cutpoint-free programs
Compactly Representing First-Order Structures for Static Analysis
Spring 2016 Program Analysis and Verification
Seminar in automatic tools for analyzing programs with dynamic memory
Compile-Time Verification of Properties of Heap Intensive Programs
Prof. Neary Adapted from slides by Dr. Katherine Gibson
Realizing Concurrency using Posix Threads (pthreads)
Realizing Concurrency using Posix Threads (pthreads)
Realizing Concurrency using the thread model
A Semantics for Procedure Local Heaps and its Abstractions
Foundations and Definitions
Presentation transcript:

1 Applications of TVLA Mooly Sagiv Tel Aviv University Shape Analysis with Applications

2 Outline u Issues –Complexity of TVLA –Weak vs. Strong Updates u Cleanness –Null derefernces –Memory leaks –Freed storage (homework) –The concurrent modification problem u Partial correctness –Sorting –GC u Total Correctenss u Flow dependences u Multithreading u Other

3 Complexity of Shape Analysis x = malloc() if (…) y 1 = x if (…) y 2 = x if (…) y 3 = x  if (…) y n =x

4 Complexity of TVLA analysis u Maximal number of Nodes in Blurred Structures –3 |A | u Size of 3-valued structure representation u Action cost –Focus –Precondition –Coerce –New –Update –Coerce –Blur

5 Weak vs. Strong Updates if (…) x = y else x = z x  n = NULL

6 Detecting Incorrect Library Usages (J. Field, D. Goyal. G. Ramalingam, A. Warshavski) u Java provides libraries for manipulating data structures u Collections –Lists –Hashset –…–… u Iterators over collections allows sequential accesses u Statically detect incorrect library usages Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item);

7 The Concurrent Modification Problem u Static analysis of Java programs manipulating Java 2 collections u Inconsistent usages of iterators –An Iterator object i defined on a collection object c –No use of i may be preceded by update to the contents of c, unless the update was also made via I –Guarantees order independence

8 Artificial Example Set v = new Set(); Iterator i1 = v.iterator(); Iterator i2 = v.iterator(); Iterator i3 = i1; i1.next(); i1.remove(); if (...) { i2.next(); } if (...) { i3.next(); } v.add("..."); if (...) { i1.next();}

9 class Make { private Worklist worklist; public static void main (String[] args) { Make m = new Make(); m.initializeWorklist(args); m.processWorklist(); } void initializeWorklist(String[] args) {...; worklist = new Worklist();... // add some items to worklist} void processWorklist() { Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item); } } void processItem(Object i){...; doSubproblem(...);} void doSubproblem(...) {... worklist.addItem(newitem);... } } public class Worklist { Set s; public Worklist() {...; s = new HashSet();... } public void addItem(Object item) { s.add(item); } public Set unprocessedItems() { return s; } } return rev; }

10 Static Detection of Concurrent Modifications u Statically Check for CME exceptions u Warn against potential CME u Sound (conservative) solution u Not too many false alarms u Coding in TVLA –Operational Semantics –Vanilla solution is Imprecise (and inefficient) –Derive instrumentation predicates u Java to TVP front-end –Extract potentially relevant client code

11 CME specification in Java’ class Version { /* represents distinct versions of a Set */ } class Collection { Version version; Collection() { version = new Version(); } boolean add(Object o) { version = new Version(); } Iterator iterator() { return new Iterator(this); } } class Iterator { Collection set; Version definingVersion; Iterator (Collection s) { definingVersion = s.version; set = s; } void remove() { requires (definingVersion == set.version); set.ver = new Version(); definingVersion = set.version; } Object next() { requires (definingVersion == set.version); } }

12 Vanilla TVLA Encoding u Local iterators are pointers –Unary predicates u Relevant fields are pointer selectors –Binary predicates

13 Artificial Example Set v = new Set(); Iterator i1 = v.iterator(); Iterator i2 = v.iterator(); Iterator i3 = i1; i1.next(); i1.remove(); if (...) { i2.next(); } if (...) { i3.next(); } v.add("..."); if (...) { i1.next();}

14 Improved TVLA Encodings Use reachability Explicitly maintain relevant information valid[i] = i.defVersion == i.set.Version iterOf[i, v] = i.set == v mutex[i, j] = i.set ==j.set && i != j same[v, w] == v == w Can be automatically derived from the specification Polynomial complexity in programs where iterators are not stored in the client heap Meet over all path solution Adaptive to programs with client heap

15 Empirical Results BenchmarkLoc Err.FATime (sec) Space (MB) Structs. Kernel MapTest Iterator Test JFE

16 Partial Correctness u {P} S {Q} u How to derive loop invariants u Abstract interpretation provides a sound solution u The abstract domain represents a class of program invariants

17 Example Sorting of linked lists u dle(v1, v2) = v1.data  v2.data u inOrder[n, dle](v) =  v1: n(v, v1)  dle(v, v1) u inROrder[n, dle](v) =  v1: n(v, v1)  dle(v1, v) u Captures intermediate invariants as well typedef struct node { struct node *n; int data; } *Elements;

18 typedef struct node { struct node *n; int data; } *Elements; L insert_sort(L x) { L r, pr, rn, l, pl;r = x; pr = NULL; while (r != NULL) { l = x;rn = r ->n; pl = NULL; while (l != r) { if (l->data > r->data) { pr->n = rn; r->n = l; if (pl == NULL) x = r; else pl->n = r; r = pr; break; } pl = l; l = l->n; } pr = r; r = rn; } return x; }

19 L insert_sort(L x) { L r, pr, rn, l, pl; … return x; } n inOrder[dle,n]=½ r[n,x] dle inOrder[dle,n]=1/2 r[n,x] dle n x inOrder[dle,n] r[n,x] dle inOrder[dle,n] r[n,x] dle n x

20 /*pred.tvp */ foreach (z in PVar) { %p z(v_1) unique box } %p n(v_1, v_2) function %i is[n](v) = E(v_1, v_2) ( v_1 != v_2 & n(v_1, v) & n(v_2, v)) foreach (z in PVar) { %i r[n,z](v) = E(v_1) (z(v_1) & n*(v_1, v)) } %i c[n](v) = n+(v, v) %p dle(v1, v2) reflexive transitive %i inOrder[dle,n](v) = A(v_1) n(v, v_1) -> dle(v, v_1) nonabs %i inROrder[dle,n](v) = A(v_1) n(v, v_1) -> dle(v_1, v) nonabs %r !dle(v_1, v_2) ==> dle(v_2, v_1)

21 /* cond.tvp */ %action uninterpreted() { %t "uninterpreted" } %action Is_Not_Null_Var(x1) { %t x1 + " != NULL" %f { x1(v) } %p E(v) x1(v) } %action Is_Null_Var(x1) { %t x1 + " == NULL" %f { x1(v) } %p !(E(v) x1(v)) } %action Is_Eq_Var(x1, x2) { %t x1 + " == " + x2 %f { x1(v), x2(v) } %p A(v) x1(v) x2(v) } %action Is_Not_Eq_Var(x1, x2) { %t x1 + " != " + x2 %f { x1(v), x2(v) } %p !A(v) x1(v) x2(v) }

22 %action Greater_Data_L(x1, x2) { %t x1 + "->data > " + x2 + "->data" %f { x1(v_1) & x2(v_2) & dle(v_1, v_2) } %p !E(v_1, v_2) x1(v_1) & x2(v_2) & dle(v_1, v_2) } %action Less_Equal_Data_L(x1, x2) { %t x1 + "->data data" %f { x1(v_1) & x2(v_2) & dle(v_1, v_2) } %p E(v_1, v_2) x1(v_1) & x2(v_2) & dle(v_1, v_2) }

23 stat.tvp %action Set_Next_Null_L(x1) { %t x1 + "->" + n + " = null" %f { x1(v) } %message !(E(v) x1(v)) -> { n(v_1, v_2) =... is[n](v) =... r[n,x1](v) =... foreach (z in PVar –{x}) { r[n, x](v) =... } c[n](v) = inOrder[dle,n](v) = inOrder[dle,n](v) | x1(v) inROrder[dle,n](v) = inROrder[dle,n](v) | x1(v) }

24 stat.tvp(more) %action Malloc_L(x1) { %t x1 + " = (L) malloc(sizeof(struct node)) " %new { x1(v) = isNew(v) inOrder[dle, n](v1, v2)=… inROrder[dle, n](v1, v2)=… }

25 Abstract interpretation of if x->data <= y.data

26 From Local Outlook to Global Outlook u (Safety) Every time control reaches a given point: –there are no garbage memory cells –the list is acyclic –each cell is locally ordered u (History) The list is a permutation of the original list

27 Bugs Found u Pointer manipulations –null dereferences –memory leaks u Forget to sort the first element u Swap equal elements in bubble sort (non-termination)

28 L insert_sort_b2(L x) { L r, pr, rn, l, pl; if (x == NULL) return NULL; pr = x; r = x->n; while (r != NULL) { pl = x; rn = r->n; l = x->n; while (l != r) { if (l->d > r->d) { pr->n = rn; r->n = l ; pl->n = r; r = pr; break } pl = l;l = l->n; } pr = r; r = rn;} return x; } dle n inOrder[dle,n]=½ dle inOrder[dle,n]=1 dle n x

29 Running Times

30 Properties Not Proved u (Liveness) Termination u Stability

31 Example: Mark and Sweep void Sweep() { unexplored = Universe collected =  while (unexplored   ) { x = SelectAndRemove(unexplored) if (x  marked) collected = collected  {x} } assert(collected = = Universe – Reachset(root) ) } void Mark(Node root) { if (root != NULL) { pending =  pending = pending  {root} marked =  while (pending   ) { x = SelectAndRemove(pending) marked = marked  {x} t = x  left if (t  NULL) if (t  marked) pending = pending  {t} t = x  right if (t  NULL) if (t  marked) pending = pending  {t} } assert(marked = = Reachset(root)) } Run Demo

32 Total Correctness u Usually more complicated u Need to show that something good eventually happens u Difficult for programs with unbounded concrete states u Example linked lists –Show decreased set of reachable locations

33 Program Dependences u A statement s1 depends on s2 if –s2 writes into a location l –s1 reads from location l –There is no intervening write in between u Useful for –Parallelization –Scheduling –Program Slicing u How to compute –Scalars –Stack pointers –Heap allocated pointers

34 int y; List p, q; q = (List) malloc(); p = q; p->d = 5; … y = q->d; Flow Dependences vs. May-Aliases int y; List p, q; q = (List) malloc(); p = q; t=p; p->d = 5; t->d = 7; y = q->d; int y; List p, q; q = (List) malloc(); p = q; t=p; p->d = 5; p=(List) malloc(); y = q->d;

35 void append() { List head, tail, temp; l1: head = (List) malloc(); l2: scanf("%c", &head->d); l3: head->n = NULL; l4: tail = head; l5: if (tail->d == `x') goto l12; l6: temp = (List) malloc(); l7: scanf("%c", &temp->d); l8: temp->n = NULL; l9: tail->n = temp; l10: tail = tail->n l11: goto l_5; l12: printf("%c", head->d); l13: printf("%c", tail->d); exit

36 /*pred.tvp */ foreach (z in PVar) { %p z(v_1) unique box } %p n(v_1, v_2) function %i is[n](v) = E(v_1, v_2) ( v_1 != v_2 & n(v_1, v) & n(v_2, v)) foreach (z in PVar) { %i r[n,z](v) = E(v_1) (z(v_1) & n*(v_1, v)) foreach (l in Label) { %p lst_w_v[l,z]() // l is the last write to into the variable z } foreach (l in Label) { %p lst_w_f[l,n](v_1) box // l is the last write to into the v_1.n %p lst_w_f[l,d](v_1) box// l is the last write to into v_1.data } %i c[n](v) = n+(v, v)

37 Operational Semantics for Statements stupdate l: x=rhslst_w_v[l,x]’ = 1 lst_w_v[l’, x] = 0 l: x->d = rhslst_w_f[l, d](v) = (x(v) ? 1 : lst_w_f[l, d](v)) lst_w_f[l’, d](v) = (x(v)? 0 : lst_w_f[l’, d](v)) l: x->n = rhslst_w_f[l, n](v) = (x(v) ? 1 : lst_w_f[l, n](v)) lst_w_f[l’, n](v) = (x(v)? 0 : lst_w_f[l’, n](v))

38 “Read” Formulae for Statememts expformula l’: x := NULL0 l’: x := ylst_w_v[l,y] l’: x->n =NULLlst_w_v[l, x] l’: x->n= y lst_w_v[l, x]  lst_w_v[l, y] l’: x = y->n lst_w_v[l, y](v)   v: y(v)  lst_w_f[l, n](v)

39 void append() { List head, tail, temp; l1: head = (List) malloc(); l2: scanf("%c", &head->d); l3: head->n = NULL; l4: tail = head; l5: if (tail->d == `x') goto l12; l6: temp = (List) malloc(); l7: scanf("%c", &temp->d); l8: temp->n = NULL; l9: tail->n = temp; l10: tail = tail->n l11: goto l5; l12: printf("%c", head->d); l13: printf("%c", tail->d); exit head temp tail lst_w_v[l1, head] lst_w_v[l10, tail] lst_w_v[l6, temp] lst_w_f[l2, d] lst_w_f[l9,n] lst_w_f[l7,d] lst_w_f[l8,n]

40 Java Concurrency u Threads and locks are just dynamically allocated objects u synchronized implements mutual exclusion u wait, notify and notifyAll coordinate activities across threads

41 l_0: while (true) { l_1:synchronized(sharedLock) { l_C:// critical actions l_2:} l_3: } Two threads: (pc 1,pc 2,lockAcquired 1,lockAcquired 2 ) Example - Mutual Exclusion u Allocate new lock ? u Allocate new thread ?

42 Program Model u Interleaving model of concurrency u Program is modeled as a transition system

43 Configurations u A program configuration encodes: –global store –program-location of every thread –status of locks and threads u First-order logical structures used to represent program configurations

44 Configurations u Predicates model properties of interest –is_thread(t) –{ at[lab](t) : lab  Labels } –{ rval[fld](o 1,o 2 ) : fld  Fields } –held_by(l,t) –blocked(t,l) –waiting(t,l) u Can use the framework with different predicates

45 Configurations is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0] is_thread at[l_0] is_thread at[l_1] rval[this] blocked

46 Configurations u Program control-flow is not separately represented u Program location for each thread is encoded inside the configuration –{ at[lab](t) : lab  Labels }

47 Structural Operational Semantics - actions u An action consists of: –precondition(when) formula –update formulae u Precondition formula may use a free variable t s for “currently scheduled” thread u Semantics is non-deterministic

48 Structural Operational Semantics - actions lock(v)  t  t s : rval[v](t s,l)  held_by(l,t) held_by’(l 1,t 1 ) = held_by(l 1,t 1 )  (l 1 = l  t 1 = t s ) blocked’ (t 1,l 1 ) = blocked(t 1,l 1 )  ((l 1  l)  (t 1  t s )) precondition predicate update

49 Safety Properties u Configuration-local property as logical formula u Example: no total deadlock  t,  l b : is_thread(t)   blocked(t, l b )  t 1,t 2 : (t 1  t 2 )   (at[l crit ](t 1 )  at[l crit ](t 2 )) u Example: mutual exclusion

50 Concrete Configuration is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0] is_thread at[l_0] is_thread at[l_1] rval[this] blocked

51 Abstract Configuration is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0]

52 Safety Properties Revisited u RW interference u WW interference u Total deadlock u Nested monitors u Illegal thread interactions

53 Interprocedural Analysis (Rinetzky) u Model the stack as a linked list (CC 2001) –Observe alias patterns –Handles recursion with pointers from the stack to the heap (but rather slow) u Exploit referential transparency –The part of the store modified by a procedure is limited –Summarize irrelevant calling contexts –Pre-analyze Abstract Data Types »Analyzed parts of LEDA linked lists

54 Other TVLA Applications u Handling trees (G. Yorsh) u Allowing data structure specification (M. Rinard) u Refinement of implementations (A. Mulhren) u Mobile Ambients (F. Nielson & H.R. Nielson)

55 TVLA Generalizations u ITVLA (F. Dimaio, N. Dor) –Support arithmetic operations –Import static domains for integer analysis »Intervals »Polyhedra –Derive Update Formula for Instrumentation Predicates (A. Loginov, T. Reps)

56 Summary u TVLA supports design and prototyping of sophisticated static analyzers –“The heap is your friend” –First order logic specifications is natural –Powerful static domain u But scaling is an issue –Interprocedural analysis –User specification –Predictability –User interface u Debugability of Operational Semantics

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.