Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adaptive Shape Analysis Thomas Wies joint work with Josh Berdine Cristiano Calcagno TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Published byToby Banks Modified over 9 years ago

Similar presentations

Presentation on theme: "Adaptive Shape Analysis Thomas Wies joint work with Josh Berdine Cristiano Calcagno TexPoint fonts used in EMF. Read the TexPoint manual before you delete."— Presentation transcript:

1 Adaptive Shape Analysis Thomas Wies joint work with Josh Berdine Cristiano Calcagno TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAA A A AA A AA A A Byron Cook Dino Distefano Peter O’Hearn Hongseok Yang

2 2 Motivation Shape analysis Analyze programs with heap allocated data structures Goal Make shape analysis applicable to industrial code, e.g. Windows device drivers (100,000 LOC) The good news Device drivers use mainly list-like structures. The bad news They use many variations of lists. (e.g. for proving memory safety)

3 3 Typical data structure found in a Windows device driver DRIVER_OBJECTDEVICE_OBJECT DEVICE_EXTENSION BUS_RESET_IRP Flink Blink DevObj NextDev DevObj DrvObj DevExt

4 4 Parameterized shape analyses Cover all kinds of data structures, but require user interaction to adapt to new data structures (instrumentation predicates,...) Adaptive shape analysis Cover a large variety of data structures with full automation Non-parameterized shape analyses Full automation, but concrete data structures hard-wired into analysis (unnested lists, unnested trees,...) Our approach Hard-wire induction principle rather than concrete data structures and find proper instantiations automatically. Spectrum of shape analyses high frequency low frequency visible

5 5 Overview I.Generic linked lists II.Shape analysis III.Discovering lists IV.Convergence V.Limitations

6 6 Generic linked lists Higher-order list segments possibly empty

7 7 Singly-linked lists next Symbolic heap List predicate

8 8 Doubly-linked lists next Symbolic heap List predicate prev

9 9 Doubly-linked lists with head pointers next Symbolic heap List predicate prev head

10 10 Lists of lists List predicates next down next

11 11 Shape analysis Abstract interpretation based on Symbolic execution with separation logic. C. Calcagno, J. Berdine, P. O’Hearn. APLAS 2005. A local shape analysis based on separation logic. D. Distefano, P. O’Hearn, H. Yang. TACAS 2006.

12 12 Shape Analysis - Setup Abstract interpretation concrete domain abstraction domain abstraction function concretization function sets of symbolic heaps Abstract post

13 13 List abstraction is either or

14 14 List abstraction rules Predicates are discovered on-the-fly

15 15 Discovering list predicates Observation f … … f f f ' ' Simple heuristic try to construct disjoint sub-graph isomorphism starting from any two connected points-to predicates

16 16 Discovery Algorithm L : disjoint sub-graph isomorphism with L µ R (determines spatial part of predicate body) R : non-disjoint sub-graph isomorphism (determines forward and backward pointers) Algorithm computes two relations R and L f n g

17 17 Discovery Algorithm L : R : n n f f g g n f n g start with two connected points-to predicates of the same type

18 18 Discovery Algorithm L : R : n n f f g g n f n g explore disjoint sub-graphs reachable from the two roots

19 19 Discovery Algorithm n n f f g g n L : R : f n g

20 20 Discovery Algorithm n n f f g g n L : R : g f n g

21 21 Discovery Algorithm n n f f g g n L : R : g f n g

22 22 Predicate Body n n f f g g n L : R : g spatial part of predicate body is determined by L f n g

23 23 Forward Pointers n n f f g g n L : R : g Condition for forward pointer coming into and going to f n g

24 24 Backward Pointers n n f f g g n L : R : g Condition for backward pointer coming into and going to f n g

25 25 Final Step n n f f g g n L : R : g project variables that only occur in pred. body f n g

26 26 This was too easy! Right.

27 27 next Convergence Example: Non-deterministic creation of lists of lists down next down... Both abstraction and discovery are too weak.

28 28 List abstraction rules (revised) Frame inference!

29 29 Discovery Algorithm (revised) n n f f n L : R :

30 30 Discovery Algorithm (revised) n n f f n L : R :

31 31 Discovery Algorithm (revised) n n f f n L : R : Frame Inference!

32 32 Implementation generators for data structures found in Windows device drivers programs traversing and manipulating lists of lists a bug in the firewire device driver... We implemented adaptive shape analysis in the SLAyer tool. Benchmarks

33 33 Fun with list reversal y = NULL; while (x != NULL) { list *r; r = x; x = x->next; r->next = y; y = r; } next

34 34 next Fun with list reversal y = NULL; while (x != NULL) { list *r; r = x; x = x->next; r->next = y; y = r; } next 0 next

35 35 Limitations analysis diverges on non-linear structures (trees, grids,..., general graphs) not all linear structures are captured next nextSub two-level skip list

36 36 Limitations next prev cyclic doubly-linked list or is it this one? there is no abstraction refinement non-determinism in discovery may produce spurious counter-examples

37 37 Thank You!

Download ppt "Adaptive Shape Analysis Thomas Wies joint work with Josh Berdine Cristiano Calcagno TexPoint fonts used in EMF. Read the TexPoint manual before you delete."

Similar presentations

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.

Quantified Invariant Generation using an Interpolating Saturation Prover Ken McMillan Cadence Research Labs TexPoint fonts used in EMF: A A A A A.
Meta Predicate Abstraction for Hierarchical Symbolic Heaps Josh Berdine Microsoft Research, Cambridge joint with Mike Emmi University of California, Los.

Meta Predicate Abstraction for Hierarchical Symbolic Heaps Josh Berdine Microsoft Research, Cambridge joint with Mike Emmi University of California, Los.
Towards Shape Analysis for Device Drivers Hongseok Yang (Queen Mary, University of London) (Joint work with Josh Berdine, Cristiano Calcagno, Byron Cook,

Towards Shape Analysis for Device Drivers Hongseok Yang (Queen Mary, University of London) (Joint work with Josh Berdine, Cristiano Calcagno, Byron Cook,
TVLA for System Code Jörg KreikerHelmut SeidlVesal Vojdani TU Munich Dagstuhl, July 2009.

TVLA for System Code Jörg KreikerHelmut SeidlVesal Vojdani TU Munich Dagstuhl, July 2009.
Techniques for proving programs with pointers A. Tikhomirov.

Techniques for proving programs with pointers A. Tikhomirov.
Extensible Shape Analysis by Designing with the User in Mind Bor-Yuh Evan Chang Bor-Yuh Evan Chang, Xavier Rival, and George Necula University of California,

Extensible Shape Analysis by Designing with the User in Mind Bor-Yuh Evan Chang Bor-Yuh Evan Chang, Xavier Rival, and George Necula University of California,
© 2009 Microsoft Corporation. All rights reserved. Automatic Verification of Heap Manipulation using Separation Logic Josh Berdine with thanks to Byron.

© 2009 Microsoft Corporation. All rights reserved. Automatic Verification of Heap Manipulation using Separation Logic Josh Berdine with thanks to Byron.
TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.

TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A AAA A A A AA A Proving that non-blocking algorithms don't block.
Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.

Predicate Abstraction and Canonical Abstraction for Singly - linked Lists Roman Manevich Mooly Sagiv Tel Aviv University Eran Yahav G. Ramalingam IBM T.J.
Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.

Shape Analysis by Graph Decomposition R. Manevich M. Sagiv Tel Aviv University G. Ramalingam MSR India J. Berdine B. Cook MSR Cambridge.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.

Relational Inductive Shape Analysis Bor-Yuh Evan Chang University of California, Berkeley Xavier Rival INRIA POPL 2008.
Reduction in End-User Shape Analysis Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009 Xavier Rival INRIA and.

Reduction in End-User Shape Analysis Dagstuhl - Typing, Analysis, and Verification of Heap-Manipulating Programs – July 24, 2009 Xavier Rival INRIA and.
Footprint Analysis: A Shape Analysis that Discovers Preconditions Hongseok Yang (Queen Mary, University of London) (Joint work with Cristiano Calcagno,

Footprint Analysis: A Shape Analysis that Discovers Preconditions Hongseok Yang (Queen Mary, University of London) (Joint work with Cristiano Calcagno,
Reading, Writing and Relations Towards Extensional Semantics for Effect Analyses Andrew Kennedy Microsoft Research Cambridge (joint work with Nick Benton,

Reading, Writing and Relations Towards Extensional Semantics for Effect Analyses Andrew Kennedy Microsoft Research Cambridge (joint work with Nick Benton,

Similar presentations

Ads by Google