Page 1
A Semantics for Procedure Local Heaps and its Abstractions
Noam Rinetzky, Tel Aviv University, www.cs.tau.ac.il/~maon
Joint work with
Jörg Bauer, Universität des Saarlandes; Thomas Reps, University of Wisconsin; Mooly Sagiv, Tel Aviv University; Reinhard Wilhelm, Universität des Saarlandes
Page 2
Motivation
• Interprocedural shape analysis
  • Conservative static pointer analysis
  • Heap intensive programs
    • Imperative programs with procedures
    • Recursive data structures
• Goals
  • Precision
  • Efficiency
Page 3
Main idea
• Procedures as local heap transformers
[Figure: the caller's heap (variables x, y, t, g) before and after `call p(x)`; the region marked X is the local heap that p operates on]
Page 4
Main Results
• Concrete operational semantics
  • Large step
  • Storeless
  • Local heap
  • Observationally equivalent to “standard” semantics
  • Java and “clean” C
• Abstractions
  • Functional analysis
  • Shape abstractions
    • Shape analysis [Sagiv, Reps, Wilhelm, TOPLAS ‘02]
    • May-alias [Deutsch, PLDI ‘94]
    • …
Page 5
Outline
• Motivating example
• Why semantics
• Localized Heap Storeless Semantics
• Shape abstraction
Page 6
Example

    static List reverse(List t) {
      return r;
    }
    static void main() {
      List x = reverse(p);
      List y = reverse(q);
      List z = reverse(x);
      …
    }

[Figure: the lists pointed to by p and q in main, and the callee's view of p's list through its parameter t and result r during `List x = reverse(p)`]
Page 7
Example (continued; same program as on page 6)
[Figure: the state at `List y = reverse(q)`: x points to the reversed list of p, with p now pointing to its last node; q's list is being reversed through t and r into y]
Page 8
Example (continued; same program as on page 6)
[Figure: the state at `List z = reverse(x)`: the reversed lists reachable from x and y, with p and q pointing into them, and the callee's view of x's list through t and r]
Page 9
Cutpoints
• Separating objects
  • Not pointed-to by a parameter
Page 10
Cutpoints
• Separating objects
  • Not pointed-to by a parameter
[Figure: stack sharing at `proc(x)`: an object reachable from the argument x is also pointed to by the caller's variable p]
Page 11
Cutpoints
• Separating objects
  • Not pointed-to by a parameter
[Figure: two ways a cutpoint arises at `proc(x)`: stack sharing, where an object reachable from x is also pointed to by the caller's variable p, and heap sharing, where it is pointed to by a field of an object reachable from the caller's variable y]
Page 12
Sharing patterns
[Figure: four sharing patterns for a call with parameter t: the list reachable from t, and the caller variables p, q, x and y (or fields of the objects they reach) that also point into it]
Page 13
Example (revisited; same program as on page 6)
[Figure: the state at `List z = reverse(x)`: the callee sees the list only through t and r, while the caller's p also points into it]
Page 14
Outline
Motivating example
• Why semantics
• Localized Heap Storeless Semantics
• Shape abstraction
Page 15
Abstract Interpretation [Cousot and Cousot, POPL ’77]
[Diagram: the operational semantics and its abstract transformer]
Page 16
Introducing local heap semantics
[Diagram: Part I replaces the operational semantics by a local heap operational semantics that is observationally equivalent to it (~); Part II derives the abstract transformer from the local heap semantics]
Page 17
Outline
Motivating example
Why semantics
• LSL: Localized Heap Storeless Semantics
• Shape abstraction
Page 18
Programming model
• Single threaded
• Procedures
  • Value parameters
  • Recursion
• Heap
  • Recursive data structures
  • Destructive update
  • No explicit addressing (&, cast)
Page 19
Simplifying assumptions
• No primitive values (reference only)
• No globals
• Formals not modified
Page 20
Store-based semantics
• Object address
• Memory state:
  • Object: FieldId → Address
  • Heap: Address → Object
• Natural
• Addresses do not affect shape
[Figure: the same list x → n → n laid out twice in memory (x = 0x10 in one state, x = 0x14 in the other, with 0x0 for null): different addresses, identical shape (~)]
Page 21
Storeless semantics
• No addresses
• Memory state:
  • Object: 2^(Access paths)
  • Heap: 2^Object
• Alias analysis
[Figure: the list x → n → n as the storeless state {x}, {x.n}, {x.n.n}; after `y = x` it becomes {x, y}, {x.n, y.n}, {x.n.n, y.n.n}; after `x = null` it becomes {y}, {y.n}, {y.n.n}]
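The storeless transfer functions for the two statements on this slide, as an added Python example (not code from the paper): a memory state is a set of objects, each object being the set of access paths that reach it, and the constructed starting state is the three-node list x → n → n.

```python
# Added example, not the paper's code. A storeless memory state is a frozenset of
# objects; each object is the frozenset of access paths (strings such as "x.n.n")
# that reach it. No addresses appear anywhere.

def _under(path, prefix):
    """True if `path` is `prefix` itself or extends it by one or more fields."""
    return path == prefix or path.startswith(prefix + ".")

def assign(state, lhs, rhs):
    """Transfer function for `lhs = rhs`: lhs is a variable, rhs is a variable,
    an access path (e.g. "x.n") or None for `lhs = null`.
    Every path through lhs's old target is dropped; every path through rhs's
    target is copied with the prefix rhs rewritten to lhs. An object left with
    no path is unreachable and simply disappears from the state."""
    new_state = set()
    for obj in state:
        paths = {p for p in obj if not _under(p, lhs)}
        if rhs is not None:
            paths |= {lhs + p[len(rhs):] for p in obj if _under(p, rhs)}
        if paths:
            new_state.add(frozenset(paths))
    return frozenset(new_state)

def aliased(state, p, q):
    """Two access paths alias iff they belong to the same object's path set."""
    return any(p in obj and q in obj for obj in state)

# Constructed state from the slide: the list x -> n -> n, i.e. {x}, {x.n}, {x.n.n}.
STATE0 = frozenset({frozenset({"x"}), frozenset({"x.n"}), frozenset({"x.n.n"})})
AFTER_Y_EQ_X = assign(STATE0, "y", "x")         # {x,y}, {x.n,y.n}, {x.n.n,y.n.n}
AFTER_X_NULL = assign(AFTER_Y_EQ_X, "x", None)  # {y}, {y.n}, {y.n.n}
```

Running `assign(STATE0, "x", None)` on the initial state yields the empty state: every node has lost its last access path, which is exactly the memory-leak situation the later corollaries mention.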
Page 22
Example

    static void main() {
      List x = reverse(p);
      List y = reverse(q);
      List z = reverse(x);
    }
    static List reverse(List t) {
      return r;
    }

[Figure: storeless states of the example. In main after the first two calls: {x}, {x.n}, {x.n.n}, {p, x.n.n.n} and {y}, {y.n}, {q, y.n.n}. Inside `reverse(x)` the callee sees only {t}, {t.n}, {t.n.n}, {t.n.n.n} and returns {r}, {r.n}, {r.n.n}, {t, r.n.n.n}. Back in main the result is {z}, {z.n}, {z.n.n}, {x, z.n.n.n}, but where is p? (p?)]
Page 23
Example

    static void main() {
      List x = reverse(p);
      List y = reverse(q);
      List z = reverse(x);
    }
    static List reverse(List t) {
      return r;
    }

[Figure: the same example with a cutpoint label L. At entry to `reverse(x)` the callee's state is {t}, {t.n}, {t.n.n}, {L, t.n.n.n}; at exit it is {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}. Back in main, L is replaced by p: {p, z}, {p.n, z.n}, {p.n.n, z.n.n}, {x, p.n.n.n, z.n.n.n}]
Page 24
Cutpoint labels
• Relate pre-state with post-state
• Additional roots
• Mark cutpoints at and throughout an invocation
Page 25
Cutpoint labels
• Cutpoint label: the set of access paths that point to a cutpoint when the invoked procedure starts
[Figure: at entry to reverse, the list t → t.n → t.n.n → t.n.n.n; the last node is a cutpoint, labelled L = {t.n.n.n}]
Page 26
Sharing patterns
• Cutpoint labels encode sharing patterns
[Figure: the same label L = {t.n.n.n} arises from stack sharing (a caller variable points to the cutpoint) and from heap sharing (a field of an object outside the local heap, reached from the caller's p via w, points to it)]
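To make the cutpoint definitions of pages 9 to 11 and the labels of pages 25 and 26 concrete, here is an added Python example (not the paper's code) that models a caller's store-based heap, erases addresses into the storeless view of pages 20 and 21, and computes the cutpoints and their labels for a call. The heap, the variable names t, g, q and the node names a to e are constructed, and the actual argument is assumed to be already bound to the formal name t.

```python
# Added example, not the paper's code. heap: address -> {field: address or None}; roots: variable -> address.
def access_paths(roots, heap, max_len=5):
    """Map each reachable address to the access paths (<= max_len fields) reaching it."""
    paths, todo = {}, [(a, v) for v, a in roots.items() if a is not None]
    while todo:
        addr, path = todo.pop()
        seen = paths.setdefault(addr, set())
        if path in seen or path.count(".") > max_len:  # the bound also cuts cycles
            continue
        seen.add(path)
        for fld, tgt in heap[addr].items():
            if tgt is not None:
                todo.append((tgt, path + "." + fld))
    return paths

def storeless_state(roots, heap, max_len=5):
    """Storeless view: each object becomes the set of paths reaching it; addresses vanish."""
    return frozenset(frozenset(ps) for ps in access_paths(roots, heap, max_len).values())

def reachable(addrs, heap):
    """The callee's local heap: every address reachable from addrs."""
    seen, todo = set(), list(addrs)
    while todo:
        a = todo.pop()
        if a is not None and a not in seen:
            seen.add(a)
            todo.extend(heap[a].values())
    return seen

def cutpoints(params, roots, heap):
    """Local-heap objects not pointed to by a parameter but referenced from outside the
    local heap: by another variable (stack sharing) or by a field (heap sharing)."""
    param_addrs = {roots[v] for v in params}
    local = reachable(param_addrs, heap)
    by_var = {a for v, a in roots.items() if v not in params}
    by_field = {t for a in heap if a not in local for t in heap[a].values()}
    return {a for a in local - param_addrs if a in by_var or a in by_field}

def cutpoint_labels(params, roots, heap, max_len=5):
    """Cutpoint label: the access paths from the formals that reach the cutpoint at entry."""
    from_params = access_paths({v: roots[v] for v in params}, heap, max_len)
    return {cp: frozenset(from_params[cp]) for cp in cutpoints(params, roots, heap)}

def relocate(roots, heap, m):
    """Move every object to address m[old]: a different store, the same storeless state."""
    return ({v: m.get(a) for v, a in roots.items()},
            {m[a]: {f: m.get(t) for f, t in fs.items()} for a, fs in heap.items()})
# Constructed caller state at reverse(t): t->a->b->c->d; g points at d (stack sharing); q->e, e.n->d (heap sharing); RELOC relays out addresses.
HEAP = {"a": {"n": "b"}, "b": {"n": "c"}, "c": {"n": "d"}, "d": {"n": None}, "e": {"n": "d"}}
ROOTS = {"t": "a", "g": "d", "q": "e"}
RELOC = {"a": "0x10", "b": "0x12", "c": "0x14", "d": "0x11", "e": "0x13"}
```

With these inputs `cutpoint_labels(["t"], ROOTS, HEAP)` yields the single label {t.n.n.n} of the slides, and `storeless_state` is unchanged by `relocate`, which is the "addresses do not affect shape" point of page 20.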
Page 27
Memory states
L = (CPL, A): a set of cutpoint labels and a set of objects, each object being a set of access paths
[Figure: the state at exit of reverse with cutpoint label L = {t.n.n.n}: {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}]
Written out, with the label spelled as the path set it stands for:
( {{t.n.n.n}}, { {r, {t.n.n.n}}, {r.n, {t.n.n.n}.n}, {r.n.n, {t.n.n.n}.n.n}, {t, r.n.n.n, {t.n.n.n}.n.n.n} } )
Page 28
Formal semantics: ordinary statements
Page 29
Procedure call semantics
Page 30
Observational equivalence
L L (Local-heap Storeless Semantics)
G G (Global-heap Store-based Semantics)
L and G observationally equivalent
when for every access paths , = (L) = (G)
Page 31
Main theorem: semantics equivalence
L L (Local-heap Storeless Semantics)
G G (Global-heap Store-based Semantics)
L and G observationally equivalent
st, L L st, G G
L and L are observationally equivalent
LSL GSB
Page 32
Corollaries
• Preservation of invariants =
• Detection of memory leaks
Page 33
Application
• Justify soundness of static analysis
  • May-alias analysis [TAU-TR-26/04]
  • Shape analysis
Page 34
Outline
Motivating example
Why semantics
LSL: Localized Heap Storeless Semantics
• Shape abstraction
Page 35
Shape Abstraction
• Shape descriptors represent unbounded memory states
  • Conservatively
  • Bounded way
Page 36
A Shape abstraction
[Figure: the concrete state at exit of reverse with L = {t.n.n.n}: {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}]
Page 37
A Shape abstraction
[Figure: the same state, {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}, with the cutpoint label abstracted to L = *]
Page 38
A Shape abstraction
[Figure: the resulting shape graph: r's list with its interior nodes summarized, L and t at its ends, and L = *]
Page 39
A Shape abstraction
[Figure: the abstraction maps the concrete state with L = {t.n.n.n} ({L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}) to the shape graph with L = *]
Page 40
A Shape abstraction
[Figure: a state with two cutpoints, labelled L1 = {h.n} and L2 = {h.n.n}: {r}, {L1, r.n}, {L2, L1.n, r.n.n}, {t, L2.n, L1.n.n, r.n.n.n}, and its shape graph with L = *]
Page 41
Application (joint work with Eran Yahav)
• A framework for shape analysis using local heaps
• Parametric abstraction
  • Local heap (lists, trees, …)
  • Sharing patterns
Page 42
Application
• Single threaded Java programs
• Properties proved
  • Absence of null dereferences
  • Listness preservation
  • API conformance
• Recursive vs. iterative
• Procedural abstraction
Page 43
Procedural abstraction
Program    Inline           Procedure Call
           MB      Sec      MB      Sec
crt3       22.3    5.4      22.0    6.4
crt3x3     50.7    27.0     26.2    9.2
Page 44
Recursion vs. Iteration

Program    Iterative        Recursive
           MB      Sec      MB      Sec
create     19.7    10.9     19.3    9.3
find       22.3    21.3     23.5    35.8
insert     23.3    41.2     23.3    41.2
delete     23.2    42.0     24.8    45.3
append     25.1    17.2     25.6    20.2
reverse    23.6    23.7     24.0    33.7
revApp     26.0    45.7     26.5    46.8
merge      25.9    579.7    27.8    91.9
splice     25.5    70.1     26.1    36.9
Page 45
Demo

```java
class List {
  int d;
  List n;

  // Recursive reversal: detach the head, reverse the tail, re-attach the head at the end.
  static List reverse(List t) {
    if (t == null || t.n == null) return t;
    List tn = t.n;
    t.n = null;
    List r = reverse(tn);
    tn.n = t;
    return r;
  }

  // create(k) is called on the slide but not shown; assumed here: build a k-node list.
  static List create(int k) {
    List head = null;
    for (int i = k - 1; i >= 0; i--) {
      List c = new List();
      c.d = i;
      c.n = head;
      head = c;
    }
    return head;
  }

  static void main() {
    List p = create(4);
    List q = create(3);
    List x = reverse(p);
    List y = reverse(q);
    List z = reverse(x);
  }
}
```
Page 46
Related work
• Storeless semantics
  • Jonkers, Algorithmic Languages ‘81
  • Deutsch, ICCL ‘92
Page 47
Related work
• Interprocedural shape analysis
  • Rinetzky and Sagiv, CC ’01
    • Global heap
  • Jeannet et al., SAS ’04
    • Local heap, relational
  • Chong and Rugina, SAS ’03
    • Local heap
  • Hackett and Rugina, POPL ’05
    • Staged analysis
Page 48
Related work
• Local reasoning
  • Ishtiaq and O’Hearn, POPL ‘01
  • Reynolds, LICS ’02
Page 49
Summary
• Operational semantics
  • Storeless
  • Local heap
  • Cutpoints
  • Equivalence theorem
• Applications
  • Shape analysis
  • May-alias analysis
Page 50
End
www.cs.tau.ac.il/~maon
A Semantics for procedure local heaps and its abstraction
Noam Rinetzky, Jörg Bauer, Thomas Reps, Mooly Sagiv, and Reinhard Wilhelm
AVACS Technical Report 1
Interprocedural functional shape analysis using local heaps
Noam Rinetzky, Mooly Sagiv, and Eran Yahav
School of Computer Science, Tel Aviv University, Technical Report 26/04