Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Applications of TVLA Mooly Sagiv Tel Aviv University Shape Analysis with Applications.

Published byEleanore Jefferson Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Applications of TVLA Mooly Sagiv Tel Aviv University Shape Analysis with Applications."— Presentation transcript:

1 1 Applications of TVLA Mooly Sagiv Tel Aviv University http://www.cs.tau.ac.il/~rumster/TVLA/ Shape Analysis with Applications

2 2 Outline u Issues –Complexity of TVLA –Weak vs. Strong Updates u Cleanness –Null derefernces –Memory leaks –Freed storage (homework) –The concurrent modification problem u Partial correctness –Sorting –GC u Total Correctenss u Flow dependences u Multithreading u Other

3 3 Complexity of Shape Analysis x = malloc() if (…) y 1 = x if (…) y 2 = x if (…) y 3 = x  if (…) y n =x

4 4 Complexity of TVLA analysis u Maximal number of Nodes in Blurred Structures –3 |A | u Size of 3-valued structure representation u Action cost –Focus –Precondition –Coerce –New –Update –Coerce –Blur

5 5 Weak vs. Strong Updates if (…) x = y else x = z x  n = NULL

6 6 Detecting Incorrect Library Usages (J. Field, D. Goyal. G. Ramalingam, A. Warshavski) u Java provides libraries for manipulating data structures u Collections –Lists –Hashset –…–… u Iterators over collections allows sequential accesses u Statically detect incorrect library usages Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item);

7 7 The Concurrent Modification Problem u Static analysis of Java programs manipulating Java 2 collections u Inconsistent usages of iterators –An Iterator object i defined on a collection object c –No use of i may be preceded by update to the contents of c, unless the update was also made via I –Guarantees order independence

8 8 Artificial Example Set v = new Set(); Iterator i1 = v.iterator(); Iterator i2 = v.iterator(); Iterator i3 = i1; i1.next(); i1.remove(); if (...) { i2.next(); } if (...) { i3.next(); } v.add("..."); if (...) { i1.next();}

9 9 class Make { private Worklist worklist; public static void main (String[] args) { Make m = new Make(); m.initializeWorklist(args); m.processWorklist(); } void initializeWorklist(String[] args) {...; worklist = new Worklist();... // add some items to worklist} void processWorklist() { Set s = worklist.unprocessedItems(); for (Iterator i = s.iterator(); i.hasNext()){ Object item = i.next(); if (...) processItem(item); } } void processItem(Object i){...; doSubproblem(...);} void doSubproblem(...) {... worklist.addItem(newitem);... } } public class Worklist { Set s; public Worklist() {...; s = new HashSet();... } public void addItem(Object item) { s.add(item); } public Set unprocessedItems() { return s; } } return rev; }

10 10 Static Detection of Concurrent Modifications u Statically Check for CME exceptions u Warn against potential CME u Sound (conservative) solution u Not too many false alarms u Coding in TVLA –Operational Semantics –Vanilla solution is Imprecise (and inefficient) –Derive instrumentation predicates u Java to TVP front-end –Extract potentially relevant client code

11 11 CME specification in Java’ class Version { /* represents distinct versions of a Set */ } class Collection { Version version; Collection() { version = new Version(); } boolean add(Object o) { version = new Version(); } Iterator iterator() { return new Iterator(this); } } class Iterator { Collection set; Version definingVersion; Iterator (Collection s) { definingVersion = s.version; set = s; } void remove() { requires (definingVersion == set.version); set.ver = new Version(); definingVersion = set.version; } Object next() { requires (definingVersion == set.version); } }

12 12 Vanilla TVLA Encoding u Local iterators are pointers –Unary predicates u Relevant fields are pointer selectors –Binary predicates

13 13 Artificial Example Set v = new Set(); Iterator i1 = v.iterator(); Iterator i2 = v.iterator(); Iterator i3 = i1; i1.next(); i1.remove(); if (...) { i2.next(); } if (...) { i3.next(); } v.add("..."); if (...) { i1.next();}

14 14 Improved TVLA Encodings Use reachability Explicitly maintain relevant information valid[i] = i.defVersion == i.set.Version iterOf[i, v] = i.set == v mutex[i, j] = i.set ==j.set && i != j same[v, w] == v == w Can be automatically derived from the specification Polynomial complexity in programs where iterators are not stored in the client heap Meet over all path solution Adaptive to programs with client heap

15 15 Empirical Results BenchmarkLoc Err.FATime (sec) Space (MB) Structs. Kernel68315060194363 MapTest3351061204937 Iterator Test 126000.234208 JFE289611236499878

16 16 Partial Correctness u {P} S {Q} u How to derive loop invariants u Abstract interpretation provides a sound solution u The abstract domain represents a class of program invariants

17 17 Example Sorting of linked lists u dle(v1, v2) = v1.data  v2.data u inOrder[n, dle](v) =  v1: n(v, v1)  dle(v, v1) u inROrder[n, dle](v) =  v1: n(v, v1)  dle(v1, v) u Captures intermediate invariants as well typedef struct node { struct node *n; int data; } *Elements;

18 18 typedef struct node { struct node *n; int data; } *Elements; L insert_sort(L x) { L r, pr, rn, l, pl;r = x; pr = NULL; while (r != NULL) { l = x;rn = r ->n; pl = NULL; while (l != r) { if (l->data > r->data) { pr->n = rn; r->n = l; if (pl == NULL) x = r; else pl->n = r; r = pr; break; } pl = l; l = l->n; } pr = r; r = rn; } return x; }

19 19 L insert_sort(L x) { L r, pr, rn, l, pl; … return x; } n inOrder[dle,n]=½ r[n,x] dle inOrder[dle,n]=1/2 r[n,x] dle n x inOrder[dle,n] r[n,x] dle inOrder[dle,n] r[n,x] dle n x

20 20 /*pred.tvp */ foreach (z in PVar) { %p z(v_1) unique box } %p n(v_1, v_2) function %i is[n](v) = E(v_1, v_2) ( v_1 != v_2 & n(v_1, v) & n(v_2, v)) foreach (z in PVar) { %i r[n,z](v) = E(v_1) (z(v_1) & n*(v_1, v)) } %i c[n](v) = n+(v, v) %p dle(v1, v2) reflexive transitive %i inOrder[dle,n](v) = A(v_1) n(v, v_1) -> dle(v, v_1) nonabs %i inROrder[dle,n](v) = A(v_1) n(v, v_1) -> dle(v_1, v) nonabs %r !dle(v_1, v_2) ==> dle(v_2, v_1)

21 21 /* cond.tvp */ %action uninterpreted() { %t "uninterpreted" } %action Is_Not_Null_Var(x1) { %t x1 + " != NULL" %f { x1(v) } %p E(v) x1(v) } %action Is_Null_Var(x1) { %t x1 + " == NULL" %f { x1(v) } %p !(E(v) x1(v)) } %action Is_Eq_Var(x1, x2) { %t x1 + " == " + x2 %f { x1(v), x2(v) } %p A(v) x1(v) x2(v) } %action Is_Not_Eq_Var(x1, x2) { %t x1 + " != " + x2 %f { x1(v), x2(v) } %p !A(v) x1(v) x2(v) }

22 22 %action Greater_Data_L(x1, x2) { %t x1 + "->data > " + x2 + "->data" %f { x1(v_1) & x2(v_2) & dle(v_1, v_2) } %p !E(v_1, v_2) x1(v_1) & x2(v_2) & dle(v_1, v_2) } %action Less_Equal_Data_L(x1, x2) { %t x1 + "->data data" %f { x1(v_1) & x2(v_2) & dle(v_1, v_2) } %p E(v_1, v_2) x1(v_1) & x2(v_2) & dle(v_1, v_2) }

23 23 stat.tvp %action Set_Next_Null_L(x1) { %t x1 + "->" + n + " = null" %f { x1(v) } %message !(E(v) x1(v)) -> { n(v_1, v_2) =... is[n](v) =... r[n,x1](v) =... foreach (z in PVar –{x}) { r[n, x](v) =... } c[n](v) = inOrder[dle,n](v) = inOrder[dle,n](v) | x1(v) inROrder[dle,n](v) = inROrder[dle,n](v) | x1(v) }

24 24 stat.tvp(more) %action Malloc_L(x1) { %t x1 + " = (L) malloc(sizeof(struct node)) " %new { x1(v) = isNew(v) inOrder[dle, n](v1, v2)=… inROrder[dle, n](v1, v2)=… }

25 25 Abstract interpretation of if x->data <= y.data

26 26 From Local Outlook to Global Outlook u (Safety) Every time control reaches a given point: –there are no garbage memory cells –the list is acyclic –each cell is locally ordered u (History) The list is a permutation of the original list

27 27 Bugs Found u Pointer manipulations –null dereferences –memory leaks u Forget to sort the first element u Swap equal elements in bubble sort (non-termination)

28 28 L insert_sort_b2(L x) { L r, pr, rn, l, pl; if (x == NULL) return NULL; pr = x; r = x->n; while (r != NULL) { pl = x; rn = r->n; l = x->n; while (l != r) { if (l->d > r->d) { pr->n = rn; r->n = l ; pl->n = r; r = pr; break } pl = l;l = l->n; } pr = r; r = rn;} return x; } dle n inOrder[dle,n]=½ dle inOrder[dle,n]=1 dle n x

29 29 Running Times

30 30 Properties Not Proved u (Liveness) Termination u Stability

31 31 Example: Mark and Sweep void Sweep() { unexplored = Universe collected =  while (unexplored   ) { x = SelectAndRemove(unexplored) if (x  marked) collected = collected  {x} } assert(collected = = Universe – Reachset(root) ) } void Mark(Node root) { if (root != NULL) { pending =  pending = pending  {root} marked =  while (pending   ) { x = SelectAndRemove(pending) marked = marked  {x} t = x  left if (t  NULL) if (t  marked) pending = pending  {t} t = x  right if (t  NULL) if (t  marked) pending = pending  {t} } assert(marked = = Reachset(root)) } Run Demo

32 32 Total Correctness u Usually more complicated u Need to show that something good eventually happens u Difficult for programs with unbounded concrete states u Example linked lists –Show decreased set of reachable locations

33 33 Program Dependences u A statement s1 depends on s2 if –s2 writes into a location l –s1 reads from location l –There is no intervening write in between u Useful for –Parallelization –Scheduling –Program Slicing u How to compute –Scalars –Stack pointers –Heap allocated pointers

34 34 int y; List p, q; q = (List) malloc(); p = q; p->d = 5; … y = q->d; Flow Dependences vs. May-Aliases int y; List p, q; q = (List) malloc(); p = q; t=p; p->d = 5; t->d = 7; y = q->d; int y; List p, q; q = (List) malloc(); p = q; t=p; p->d = 5; p=(List) malloc(); y = q->d;

35 35 void append() { List head, tail, temp; l1: head = (List) malloc(); l2: scanf("%c", &head->d); l3: head->n = NULL; l4: tail = head; l5: if (tail->d == `x') goto l12; l6: temp = (List) malloc(); l7: scanf("%c", &temp->d); l8: temp->n = NULL; l9: tail->n = temp; l10: tail = tail->n l11: goto l_5; l12: printf("%c", head->d); l13: printf("%c", tail->d); exit

36 36 /*pred.tvp */ foreach (z in PVar) { %p z(v_1) unique box } %p n(v_1, v_2) function %i is[n](v) = E(v_1, v_2) ( v_1 != v_2 & n(v_1, v) & n(v_2, v)) foreach (z in PVar) { %i r[n,z](v) = E(v_1) (z(v_1) & n*(v_1, v)) foreach (l in Label) { %p lst_w_v[l,z]() // l is the last write to into the variable z } foreach (l in Label) { %p lst_w_f[l,n](v_1) box // l is the last write to into the v_1.n %p lst_w_f[l,d](v_1) box// l is the last write to into v_1.data } %i c[n](v) = n+(v, v)

37 37 Operational Semantics for Statements stupdate l: x=rhslst_w_v[l,x]’ = 1 lst_w_v[l’, x] = 0 l: x->d = rhslst_w_f[l, d](v) = (x(v) ? 1 : lst_w_f[l, d](v)) lst_w_f[l’, d](v) = (x(v)? 0 : lst_w_f[l’, d](v)) l: x->n = rhslst_w_f[l, n](v) = (x(v) ? 1 : lst_w_f[l, n](v)) lst_w_f[l’, n](v) = (x(v)? 0 : lst_w_f[l’, n](v))

38 38 “Read” Formulae for Statememts expformula l’: x := NULL0 l’: x := ylst_w_v[l,y] l’: x->n =NULLlst_w_v[l, x] l’: x->n= y lst_w_v[l, x]  lst_w_v[l, y] l’: x = y->n lst_w_v[l, y](v)   v: y(v)  lst_w_f[l, n](v)

39 39 void append() { List head, tail, temp; l1: head = (List) malloc(); l2: scanf("%c", &head->d); l3: head->n = NULL; l4: tail = head; l5: if (tail->d == `x') goto l12; l6: temp = (List) malloc(); l7: scanf("%c", &temp->d); l8: temp->n = NULL; l9: tail->n = temp; l10: tail = tail->n l11: goto l5; l12: printf("%c", head->d); l13: printf("%c", tail->d); exit head temp tail lst_w_v[l1, head] lst_w_v[l10, tail] lst_w_v[l6, temp] lst_w_f[l2, d] lst_w_f[l9,n] lst_w_f[l7,d] lst_w_f[l8,n]

40 40 Java Concurrency u Threads and locks are just dynamically allocated objects u synchronized implements mutual exclusion u wait, notify and notifyAll coordinate activities across threads

41 41 l_0: while (true) { l_1:synchronized(sharedLock) { l_C:// critical actions l_2:} l_3: } Two threads: (pc 1,pc 2,lockAcquired 1,lockAcquired 2 ) Example - Mutual Exclusion u Allocate new lock ? u Allocate new thread ?

42 42 Program Model u Interleaving model of concurrency u Program is modeled as a transition system

43 43 Configurations u A program configuration encodes: –global store –program-location of every thread –status of locks and threads u First-order logical structures used to represent program configurations

44 44 Configurations u Predicates model properties of interest –is_thread(t) –{ at[lab](t) : lab  Labels } –{ rval[fld](o 1,o 2 ) : fld  Fields } –held_by(l,t) –blocked(t,l) –waiting(t,l) u Can use the framework with different predicates

45 45 Configurations is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0] is_thread at[l_0] is_thread at[l_1] rval[this] blocked

46 46 Configurations u Program control-flow is not separately represented u Program location for each thread is encoded inside the configuration –{ at[lab](t) : lab  Labels }

47 47 Structural Operational Semantics - actions u An action consists of: –precondition(when) formula –update formulae u Precondition formula may use a free variable t s for “currently scheduled” thread u Semantics is non-deterministic

48 48 Structural Operational Semantics - actions lock(v)  t  t s : rval[v](t s,l)  held_by(l,t) held_by’(l 1,t 1 ) = held_by(l 1,t 1 )  (l 1 = l  t 1 = t s ) blocked’ (t 1,l 1 ) = blocked(t 1,l 1 )  ((l 1  l)  (t 1  t s )) precondition predicate update

49 49 Safety Properties u Configuration-local property as logical formula u Example: no total deadlock  t,  l b : is_thread(t)   blocked(t, l b )  t 1,t 2 : (t 1  t 2 )   (at[l crit ](t 1 )  at[l crit ](t 2 )) u Example: mutual exclusion

50 50 Concrete Configuration is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0] is_thread at[l_0] is_thread at[l_1] rval[this] blocked

51 51 Abstract Configuration is_thread at[l_C] rval[this] held_by blocked is_thread at[l_1] rval[this] is_thread at[l_0]

52 52 Safety Properties Revisited u RW interference u WW interference u Total deadlock u Nested monitors u Illegal thread interactions

53 53 Interprocedural Analysis (Rinetzky) u Model the stack as a linked list (CC 2001) –Observe alias patterns –Handles recursion with pointers from the stack to the heap (but rather slow) u Exploit referential transparency –The part of the store modified by a procedure is limited –Summarize irrelevant calling contexts –Pre-analyze Abstract Data Types »Analyzed parts of LEDA linked lists

54 54 Other TVLA Applications u Handling trees (G. Yorsh) u Allowing data structure specification (M. Rinard) u Refinement of implementations (A. Mulhren) u Mobile Ambients (F. Nielson & H.R. Nielson)

55 55 TVLA Generalizations u ITVLA (F. Dimaio, N. Dor) –Support arithmetic operations –Import static domains for integer analysis »Intervals »Polyhedra –Derive Update Formula for Instrumentation Predicates (A. Loginov, T. Reps)

56 56 Summary u TVLA supports design and prototyping of sophisticated static analyzers –“The heap is your friend” –First order logic specifications is natural –Powerful static domain u But scaling is an issue –Interprocedural analysis –User specification –Predictability –User interface u Debugability of Operational Semantics

Download ppt "1 Applications of TVLA Mooly Sagiv Tel Aviv University Shape Analysis with Applications."

Similar presentations

Chapter 22 Implementing lists: linked implementations.

Chapter 22 Implementing lists: linked implementations.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Abstract Interpretation Part II

Abstract Interpretation Part II
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Automatic Memory Management Noam Rinetzky Schreiber 123A 2015/seminar/seminar1415a.html.

Automatic Memory Management Noam Rinetzky Schreiber 123A /seminar/seminar1415a.html.
David Notkin Autumn 2009 CSE303 Lecture 13 This space for rent.

David Notkin Autumn 2009 CSE303 Lecture 13 This space for rent.
Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.

Interprocedural Shape Analysis for Recursive Programs Noam Rinetzky Mooly Sagiv.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.

Chapter 8 Runtime Support. How program structures are implemented in a computer memory? The evolution of programming language design has led to the creation.
1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.

1 Lecture 08(a) – Shape Analysis – continued Lecture 08(b) – Typestate Verification Lecture 08(c) – Predicate Abstraction Eran Yahav.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University

Shape Analysis via 3-Valued Logic Mooly Sagiv Tel Aviv University
Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.

Establishing Local Temporal Heap Safety Properties with Applications to Compile-Time Memory Management Ran Shaham Eran Yahav Elliot Kolodner Mooly Sagiv.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.

1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.

Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.

Similar presentations

Ads by Google