1 Reduction in End-User Shape Analysis
Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs, July 24, 2009
Xavier Rival, INRIA and ENS Paris
Bor-Yuh Evan Chang, University of Colorado, Boulder
2 Why think about the analyzer's end-user?
Bor-Yuh Evan Chang and Xavier Rival - Reduction in End-User Shape Analysis

Accessibility
- end-users are not experts in verification and logic
- we want adoption of our tools and techniques

Expressivity, Efficiency, and Feasibility
- end-users are not completely incompetent either
- they can provide guidance to tools, and they understand the code best
3 Main Design Decision: Summaries and their operations
Shape analysis is an abstract interpretation on abstract memory descriptions with
- splitting of summaries (materialization), to reflect updates precisely, and
- summarizing, for termination (summarization).
(Figure: a "sorted dl list" summary reachable from l; a cursor cur into it. Splitting materializes the cell cur points to out of the summary; summarizing folds it back in.)
4 The Wild Wild World of Shape Analysis
Choosing the heap abstraction is difficult. Some representative approaches:
- Built-in high-level predicates (Space Invader [Distefano et al.]): + no additional user effort; - harder to extend
- Parametric in low-level, analyzer-oriented predicates (TVLA [Sagiv et al.]): + very general and expressive; - harder for non-experts
- Parametric in high-level, developer-oriented predicates (Xisa, our approach): + extensible; + targeted to developers
5 Our Approach: Executable Specifications
Utilize "run-time validation code" as the specification for static analysis:

  assert(l.purple_dll(null));
  for each node cur in list l { make cur red; }
  assert(l.red_dll(null));

A checker (the parameter p specifies where prev should point):

  h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)

read as an inductive definition in separation logic:

  h.dll(p) := (h = null ∧ emp) ∨ (∃n. h@prev ↦ p * h@next ↦ n * n.dll(h))

Build the abstraction for analysis directly out of the developer-supplied validation code, and automatically generalize checkers for intermediate states (generalized segments).
6 Xisa is ...
An automated shape analysis with a precise memory abstraction based around invariant checkers.
- Extensible and targeted for developers: parametric in developer-supplied checkers, viewed as inductive definitions in separation logic
- Precise yet compact abstraction for efficiency: data structure-specific, based on the properties of interest to the developer

  h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)
7 Problem: Non-Unique Representations
With user-guided abstraction, different summaries may have the same (or related) concretizations.

  l.dll(p)      := if (l = null) then true else l->prev = p and l->next.dll(l)
  l.dll_back(n) := if (l = null) then true else l->next = n and l->prev.dll_back(l)

The checker summary h.dll(null), walking forward from the head h, and the checker summary t.dll_back(null), walking backward from the tail t, have the same concrete instance: the doubly-linked list from h to t.
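The checkers of slides 5 and 7 as executable run-time validation code, an added example that is not part of the talk or of Xisa. It assumes a Python Node class with prev/next/color fields and the helper names build_list, recolor and corrupt; the list it checks is constructed inline. It shows the two points of those slides: the same concrete list satisfies both dll(null) from the head and dll_back(null) from the tail (non-unique representation), and a corrupted back pointer is rejected by both.

```python
"""dll / dll_back checkers as run-time validation code (added example, not from the talk)."""
import sys

sys.setrecursionlimit(10_000)  # the checkers recurse once per cell, like the inductive definitions


class Node:
    """A cell with prev/next links and a colour field (the purple/red program of slide 5)."""

    def __init__(self, val, color="purple"):
        self.val, self.color, self.prev, self.next = val, color, None, None


def dll(h, p):
    """h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)"""
    return h is None or (h.prev is p and dll(h.next, h))


def dll_back(t, n):
    """t.dll_back(n) := if (t = null) then true else t->next = n and t->prev.dll_back(t)"""
    return t is None or (t.next is n and dll_back(t.prev, t))


def colored_dll(h, p, color):
    """h.<color>_dll(p): a dll every cell of which has the given colour (purple_dll / red_dll)."""
    return h is None or (h.prev is p and h.color == color and colored_dll(h.next, h, color))


def build_list(vals):
    """Constructed input: a well-formed doubly-linked list; returns (head, tail)."""
    head = tail = None
    for v in vals:
        node = Node(v)
        node.prev = tail
        if tail is None:
            head = node
        else:
            tail.next = node
        tail = node
    return head, tail


def recolor(l):
    """The program of slide 5: check the pre-state, make every cell red, check the post-state."""
    assert colored_dll(l, None, "purple")
    cur = l
    while cur is not None:
        cur.color = "red"
        cur = cur.next
    assert colored_dll(l, None, "red")
    return l


def corrupt(head):
    """Break one back pointer (as a buggy unlink would) so the invariant no longer holds."""
    head.next.prev = head.next.next  # should be head
    return head


def demo():
    """Returns (both checkers accept the same list, both reject the corrupted list)."""
    head, tail = build_list([1, 2, 3, 4])
    same_instance = dll(head, None) and dll_back(tail, None)  # two summaries, one concrete list
    recolor(head)
    corrupt(head)
    detected = not dll(head, None) and not dll_back(tail, None)
    return same_instance, detected


if __name__ == "__main__":
    print(demo())
```

The checkers are written exactly as the inductive definitions read, one recursive call per cell. Because the parameter of each call is the cell just visited, a cycle introduced by corruption makes the prev (or next) comparison fail on the revisit, so the checkers terminate on any finite heap rather than looping.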
8 Need: Convert between related summaries
1. Prove lemmas about related checkers, e.g. relating dll and dll_back.

Observation: our widening operator can derive these facts on an appropriate program.
Basic idea: give the checker definition l.dll(p) := ... to the parametric abstract domain as its parameter, and run summarization (widening) over the semantics of dll_back; the resulting summary S relates the two checkers.
9 Need: Convert between related summaries
2. Find out which lemmas are needed and when to apply them during program analysis (work in progress; not in this talk).
10 New "Pre-Program Analysis Analysis"
The Xisa shape analyzer takes the developer's checkers, e.g.

  dll(h, p) := if (h = null) then true else h->prev = p and dll(h->next, h)

and consists of two parts:
- program analysis: abstract interpretation, with splitting and interpreting updates, and summarizing
- checker analysis ("pre-program analysis"): derives information about the checkers so that the program analysis can use them effectively, namely level-type inference for unfolding and lemma proving for reduction (the summaries S that relate checkers)
11 Outline
- Memory abstraction: graphs, segments
- A semantics of checker definitions
- Example: a segment of a list vs. a list segment
12 Abstract memory as graphs

  h.dll(p) := if (h = null) then true else h->prev = p and h->next.dll(h)

Nodes are memory addresses (values): α, β, γ, δ. Thin edges are memory cells (points-to, e.g. γ@next ↦ δ). Thick edges are summaries: a checker summary (an inductive predicate, e.g. δ.dll(γ)) or a segment summary standing for some number of memory cells.

Example: l points to α and the whole list is summarized as α.dll(null). Materializing the cell cur points to, γ, makes the endpoints and segments explicit:

  γ@prev ↦ β * γ@next ↦ δ * δ.dll(γ) * (α.dll(null) *= γ.dll(β))

where α.dll(null) *= γ.dll(β) is a "dll segment", the segment generalization of the checker (intuitively, the part of α.dll(null) up to γ.dll(β)).
13 Segments as Partial Checker "Runs" (conceptually) [POPL'08]
On a concrete instance (cells α, β, γ, δ, each with prev pointing to the previous one), a complete checker "run" is the chain of calls α.dll(null), β.dll(α), γ.dll(β), δ.dll(γ), null.dll(δ).
A checker summary c(α) stands for such a complete run from α. A segment summary c(α, γ) stands for a partial run: the prefix of a run from α whose pending call is at γ; it is empty when α = γ, and composing it with the checker summary at γ gives back the complete run (the instances must agree on the checker and on the intermediate node).
14 Outline
- Memory abstraction: graphs, segments
- A semantics of checker definitions
- Example: a segment of a list vs. a list segment
15 Example: User-Defined List Segments

  l.ls(e)  := if (l = e) then true else l->next.ls(e)        -- "a list segment" (checker summary)
  l.list() := if (l = null) then true else l->next.list()   -- "a segment of a list": the segment summary α.list() *= β.list()

We want a decision procedure for inclusions between the checker summary α.ls(β) (l = α, e = β) and the segment summary α.list() *= β.list():

  α.ls(β)  ⊑?  α.list() *= β.list()      (and conversely)

We can reuse our parametric abstract domain for this.
16 An Alternative Semantics for Checkers
The usual semantics is a concretization γ: a summary such as α.ls(β) denotes a set of concrete stores (with addresses addrof(α), addrof(β)). Alternatively, view the checker as a generator of "concrete" graphs, obtained by unfolding it:

  α = β, emp
  α@next ↦ α′, with α′ = β
  α@next ↦ α′ * α′@next ↦ α″, with α″ = β
  ...
17 Show α.ls(β) ⊑ α.list() *= β.list()
Apply abstract interpretation, with only list as the checker parameter to the domain, to the generated graphs

  α = β;  α@next ↦ α′, α′ = β;  α@next ↦ α′ * α′@next ↦ α″, α″ = β;  ...

Widening over this sequence stabilizes at the segment summary α.list() *= β.list(), which establishes the inclusion.

Our widening is a non-symmetric binary operator that interleaves region matching and summarizing [SAS'07].
Widening properties:
- Soundness: computes an over-approximation
- Termination: ensures the chain stabilizes
Algorithm:
1. Iteratively split regions by matching nodes (ok by *)
2. Find a common abstraction for the matched regions (calling on ⊑ to check inclusion)
18 Inclusion Check
Example: α@next ↦ α′, α′ = β  ⊑  α.list() *= β.list()
Unfold the segment at α into α@next ↦ α′ * (α′.list() *= β.list()) and match the edge α@next ↦ α′; since α′ = β, the remaining segment α′.list() *= β.list() is empty, leaving emp ⊑ emp.

Inclusion Check Algorithm
1. Iteratively split regions by matching nodes
2. Check inclusion by unfolding and matching edges until obvious (emp ⊑ emp)
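The generator semantics of slide 16 and the unfold-and-match inclusion check of slide 18, carried out on the ls / list example of slide 15, as an added example that is not part of the talk or of Xisa. Checkers are Python functions returning the disjuncts of one unfolding step; "seg:list" is the segment generalization α.list() *= β.list(); existential nodes are marked with a "?" prefix and concrete cells are named cell0, cell1, ...; the names alpha/beta, instance, included and check are this example's own. It also decides the converse inclusion and a failing case (a list segment is not a null-terminated list), which the slides only ask about.

```python
"""Checkers as unfolding rules, generator semantics, unfold-and-match inclusion (added example)."""
from itertools import count

NULL = "null"
_counter = count()


def fresh():
    """A fresh existential node; the '?' prefix marks it as bindable during matching."""
    return f"?n{next(_counter)}"


# A checker maps (node, params) to the disjuncts of one unfolding step, each a
# triple (equalities, points-to edges, summary edges); the base case comes first.
def list_checker(l, params):
    """l.list() := if (l = null) then true else l->next.list()"""
    n = fresh()
    return [({l: NULL}, [], []), ({}, [(l, "next", n)], [("list", n, ())])]


def ls_checker(l, params):
    """l.ls(e) := if (l = e) then true else l->next.ls(e)"""
    (e,) = params
    n = fresh()
    return [({l: e}, [], []), ({}, [(l, "next", n)], [("ls", n, (e,))])]


CHECKERS = {"list": list_checker, "ls": ls_checker}


def unfold(summary):
    """One unfolding step of a summary edge (name, node, params). 'seg:c' is the segment
    generalization of a parameterless checker c: either empty with node = end, or one
    inductive step of c whose recursive call carries on the segment (a partial run)."""
    name, node, params = summary
    if not name.startswith("seg:"):
        return CHECKERS[name](node, params)
    c, end = name[4:], params[0]
    disjuncts = [({node: end}, [], [])]
    for eqs, pts, inds in CHECKERS[c](node, ()):
        if any(nm == c for nm, _, _ in inds):  # the inductive case of c
            inds = [("seg:" + c, n, (end,)) if nm == c else (nm, n, ps) for nm, n, ps in inds]
            disjuncts.append((eqs, pts, inds))
    return disjuncts


def substitute(m, pts, inds):
    """Apply a node substitution to points-to and summary edges."""
    def s(x):
        return m.get(x, x)
    return ([(s(a), f, s(b)) for a, f, b in pts],
            [(nm, s(n), tuple(s(p) for p in ps)) for nm, n, ps in inds])


def instance(summary, k):
    """Generator semantics: the concrete graph reached by taking the inductive case k times
    and then the base case. Returns (equalities on named nodes, points-to edges)."""
    eqs_all, pts, inds = {}, [], [summary]
    for step in range(k + 1):
        disjuncts = unfold(inds.pop())
        eqs, p, i = disjuncts[1] if step < k else disjuncts[0]
        pts, inds = substitute(eqs, pts + p, inds + i)
        eqs_all.update(eqs)
    names = {}  # rename the instance's existential cells to concrete cell names
    for a, _, b in pts:
        for x in (a, b):
            if x.startswith("?") and x not in names:
                names[x] = f"cell{len(names)}"
    pts, _ = substitute(names, pts, [])
    return {a: b for a, b in eqs_all.items() if not a.startswith("?")}, pts


def consistent(eqs):
    """In a concrete graph distinct names are distinct cells, so an equality demanded by a
    base case holds only if both sides are literally the same node."""
    return all(a == b for a, b in eqs.items())


def included(cpts, apts, ainds):
    """Inclusion check: match each concrete edge against an abstract points-to edge with the
    same source and field (binding existentials), unfolding a summary rooted at the source
    when no such edge exists; once the concrete side is emp, the abstract remainder must be
    emp too, i.e. every leftover summary must admit its base case (emp ⊑ emp)."""
    if not cpts:
        return not apts and all(
            any(consistent(e) and not p and not i for e, p, i in unfold(s)) for s in ainds)
    src, fld, dst = cpts[0]
    for j, (asrc, afld, adst) in enumerate(apts):
        if asrc == src and afld == fld:
            rest = apts[:j] + apts[j + 1:]
            if adst == dst:
                return included(cpts[1:], rest, ainds)
            if adst.startswith("?"):  # bind the existential to the concrete target
                return included(cpts[1:], *substitute({adst: dst}, rest, ainds))
            return False
    for j, s in enumerate(ainds):
        if s[1] == src:
            others = ainds[:j] + ainds[j + 1:]
            for eqs, p, i in unfold(s):
                if consistent(eqs) and included(cpts, apts + p, others + i):
                    return True
    return False


def check(concrete, abstract, k):
    """Is the k-th instance of the summary `concrete` included in the abstract graph {abstract}?"""
    eqs, cpts = instance(concrete, k)
    apts, ainds = substitute(eqs, [], [abstract])
    return included(cpts, apts, ainds)


LS = ("ls", "alpha", ("beta",))          # alpha.ls(beta): "a list segment"
SEG = ("seg:list", "alpha", ("beta",))   # alpha.list() *= beta.list(): "a segment of a list"

if __name__ == "__main__":
    for k in range(4):
        print(k, instance(LS, k)[1], check(LS, SEG, k), check(SEG, LS, k))
```

Each call to check generates one graph of the sequence on slide 16 and runs the two-step algorithm of slide 18 on it; the segment is unfolded only when a concrete edge leaves its start node, so the search terminates, and the base-case equalities are what turn the final remainder into emp ⊑ emp. Deciding the inclusion for all instances at once is the job of the widening on slide 17, which this example does not implement.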
19 Summary: Reuse the domain to decide relations amongst checker definitions
The Xisa shape analyzer, given the checkers, e.g.

  dll(h, p) := if (h = null) then true else h->prev = p and dll(h->next, h)

- program analysis: abstract interpretation, with splitting and interpreting updates, and summarizing
- checker analysis ("pre-program analysis"): level-type inference for unfolding, and lemma proving for reduction (the summaries S relating checkers), done by running the analysis on the checker definitions themselves
20 Conclusion and Next Steps
The non-unique representation problem is magnified with user-supplied checkers:
- a reduction is needed to convert between representations
- an ordering on checkers is needed to apply the reduction
- the ordering is shown by applying Xisa to a checker definition
To put this into practice:
- Needed lemmas: pre-compute the ordering, or on demand?
- When to apply: level types for unfolding may help
- Derive new checkers (e.g., dll_back from dll)?
http://xisa.cs.berkeley.edu