Local Heap Semantics and its Applications Noam Rinetzky Tel Aviv University Joint work with Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly Sagiv Tel Aviv University Reinhard Wilhelm Universität des Saarlandes Eran Yahav IBM Watson
Local Heap Semantics and its Applications
Noam Rinetzky, Tel Aviv University
Joint work with
Jörg Bauer Universität des Saarlandes
Thomas Reps University of Wisconsin
Mooly Sagiv Tel Aviv University
Reinhard Wilhelm Universität des Saarlandes
Eran Yahav IBM Watson
Motivation
Verify heap-intensive programs: imperative programs with procedures and recursive data structures (lists, trees, …)
Motivation
class List {
  List n;
}
main() {
  List x = null, y = null;
  int k = getLen();
  x = create(k);
  y = reverse(x);
}
[Figure: the lists built by create(k) and reverse for k=4, with x and y pointing to lists linked by n fields]
Properties to verify: no null dereferences; no memory leaks; x and y point to the same list; y points to an acyclic list; reverse reverses the list and terminates, for arbitrary k.
What is the problem?
Recursive procedures: unbounded number of activation records
Dynamic allocation: unbounded number of objects
Checking heap properties is undecidable
Our approach
Use abstractions: over-approximation algorithms
Effective (termination); every verified property holds (sound); may not prove all properties (incomplete)
Main idea
Procedures as heap transformers
[Figure: the global heap, with variables x, y, t and g, before and after call p(x)]
Main idea
Procedures as local heap transformers
[Figure: the same call p(x); only the part of the heap reachable from x is passed to and transformed by p, while the parts reachable from y, t and g stay in the caller]
Abstract Interpretation [Cousot and Cousot]
Operational semantics
Abstract transformer
Introducing local heap semantics
[Figure: the standard operational semantics and its abstract transformer beside the local heap operational semantics, with the correspondence between the states of the two semantics]
Main Results
A non-standard concrete operational semantics for sequential programs: local heap, storeless; good for heap abstractions; observationally equivalent with the "standard" global store-based heap semantics (e.g., Java).
POPL'05: arbitrary programs (complicated). Abstractions: shape analysis for singly-linked lists; may-alias [Deutsch, PLDI 04].
SAS'05: restriction on aliasing (simple). Abstractions: shape analysis for singly-linked lists and trees; sorting: quickSort.
Outline
Motivation; crash course in shape analysis; local heap semantics; local heap abstractions
Collecting semantics
[Figure: control-flow graph of the list-building loop below, annotated at each program point with the set of concrete heaps (x, t and the n edges) that reach it; the loop condition "?" has a T branch into the body and an F branch to return x]
class List { List n; }
x = null;
while (?) {        // T branch
  t = new List();
  t.n = x;
  x = t;
}
return x;          // F branch
Canonical abstraction
[Figure: the same control-flow graph (x = null; while (?) { t = new List(); t.n = x; x = t; } return x), now annotated with canonical-abstraction shape graphs; the unbounded chains of n-linked objects reachable from x collapse into summary nodes]
Shape analysis in action
[Figure: abstract shape graph in which x and t point to a node whose n-successor is a summary node with an n self-loop]
class List { List n; }
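The collecting-semantics and canonical-abstraction slides above show the list-building loop and its abstraction only as pictures. The following added example (my code, not from the slides or from the authors' tools) runs that loop on a concrete store for a chosen k and then applies canonical abstraction to the resulting heap. It assumes, as a simplification, that the only abstraction predicates are "pointed to by variable v"; a real shape analysis adds instrumentation predicates such as reachability and sharing on top of these. The point it demonstrates is that every list of length 3 or more abstracts to the same finite shape graph (x and t pointing to a node whose n-successor is a summary node), which is why the analysis terminates for unbounded k.

```python
# Added example: the slides' list-building loop on a concrete store, followed
# by canonical abstraction over the "pointed to by v" predicates (assumption:
# these are the only abstraction predicates; instrumentation predicates such
# as reachability are left out for brevity).

def create(k):
    """Run the loop of the collecting-semantics slide for k iterations:
    x = null; repeat { t = new List(); t.n = x; x = t }.
    Nodes are integers; n maps each node to its successor (None = null)."""
    n = {}
    x = None
    t = None
    for fresh in range(k):
        t = fresh          # t = new List()
        n[t] = x           # t.n = x
        x = t              # x = t
    return {"n": n, "vars": {"x": x, "t": t}}


def abstract(heap):
    """Canonical abstraction: concrete nodes that agree on every unary
    predicate (here: the set of variables pointing to them) are merged into
    one abstract node; an abstract node standing for two or more concrete
    nodes is a summary node. An n-edge between abstract nodes is definite
    (1.0) if it holds for every pair of represented concrete nodes,
    indefinite (0.5) if it holds for some pair, and absent otherwise."""
    n, vars_ = heap["n"], heap["vars"]
    name = {u: frozenset(v for v, a in vars_.items() if a == u) for u in n}
    groups = {}
    for u, nm in name.items():
        groups.setdefault(nm, set()).add(u)
    nodes = frozenset((nm, len(us) > 1) for nm, us in groups.items())
    edges = set()
    for src, srcs in groups.items():
        for dst, dsts in groups.items():
            hits = sum(1 for u in srcs for v in dsts if n[u] == v)
            if hits == len(srcs) * len(dsts):
                edges.add((src, dst, 1.0))
            elif hits:
                edges.add((src, dst, 0.5))
    return nodes, frozenset(edges)


def same_shape(k1, k2):
    """True iff lists of length k1 and k2 have the same abstract shape graph."""
    return abstract(create(k1)) == abstract(create(k2))


if __name__ == "__main__":
    nodes, edges = abstract(create(3))
    print("nodes:", sorted((sorted(nm), summary) for nm, summary in nodes))
    print("edges:", sorted((sorted(s), sorted(d), v) for s, d, v in edges))
    print("len 3 vs len 10 same shape:", same_shape(3, 10))
    print("len 2 vs len 3 same shape:", same_shape(2, 3))
```

The abstract graph is returned as plain frozensets so two abstractions can be compared with `==`; a fixed-point iteration over the loop would stop as soon as the abstract state at the loop head stops changing, which here happens after three iterations.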
Outline
Motivation Crash course in shape analysis Local heap semantics Local heap abstractions
Programming Model
Single threaded. Procedures: value parameters, recursion, no explicit addressing (&, cast). Heap: recursive data structures, destructive update.
Local heaps
[Figure: at call f(x), the callee sees only the local heap, the part of the heap reachable from the parameter x; the parts reachable from y, t and g remain with the caller]
Cutpoints
[Figure: the same call f(x); an object reachable from x that is also referenced from the caller's part of the heap is marked with ?]
Cutpoints: objects that separate the part of the heap a procedure can access from the rest of the heap, excluding objects pointed to by a parameter.
[Figure: the caller's heap at the call z=f(x): variables y, x, g and q, objects linked by n fields; in the store-based view the objects sit at addresses 0x10 to 0x15]
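To make the cutpoint definition above concrete, here is an added example (my code, not from the slides) that splits a store-based state at a call f(x) into the callee's local heap and its cutpoints. The heap is a constructed sample in the style of the figure: addresses 0x10 onwards, n fields, and the caller's variables x, y, q and g are my choices. It follows the slide's definition: a cutpoint is an object in the local heap, not pointed to by a parameter, that the rest of the heap references directly, either through a non-parameter variable or through a field of an object outside the local heap.

```python
# Added example: local heap and cutpoints of a call in a store-based state.
# Sample state (constructed): fields map (address, field) -> address or None,
# ENV maps the caller's live variables to addresses.
from collections import deque

FIELDS = {
    (0x10, "n"): 0x11,
    (0x11, "n"): 0x12,
    (0x12, "n"): None,
    (0x14, "n"): 0x12,   # an object the callee cannot reach points into its list
}
ENV = {"x": 0x10, "y": 0x11, "q": 0x10, "g": 0x14}


def reachable(fields, roots):
    """Objects reachable from the root addresses by following any field."""
    seen, work = set(), deque(a for a in roots if a is not None)
    while work:
        a = work.popleft()
        if a in seen:
            continue
        seen.add(a)
        work.extend(dst for (src, _), dst in fields.items()
                    if src == a and dst is not None)
    return seen


def split_at_call(fields, env, params):
    """For a call f(params): the local heap is everything reachable from the
    actual parameters. A cutpoint is a local object that is not pointed to by
    a parameter but is referenced from the rest of the heap, i.e. by a
    variable that is not a parameter or by a field of a non-local object.
    Returns (local heap, cutpoints) as sets of addresses."""
    param_objs = {env[p] for p in params if env[p] is not None}
    local = reachable(fields, param_objs)
    outside_refs = {a for v, a in env.items() if v not in params and a is not None}
    outside_refs |= {dst for (src, _), dst in fields.items()
                     if src not in local and dst is not None}
    cutpoints = (local - param_objs) & outside_refs
    return local, cutpoints


if __name__ == "__main__":
    local, cps = split_at_call(FIELDS, ENV, ["x"])
    print("call f(x): local heap", sorted(map(hex, local)),
          "cutpoints", sorted(map(hex, cps)))
    local, cps = split_at_call(FIELDS, ENV, ["x", "y"])
    print("call f(x, y): cutpoints", sorted(map(hex, cps)))
```

In the sample, 0x10 is referenced by q as well as by the parameter x, yet it is not a cutpoint, matching the slide's exclusion of parameter objects; 0x11 is a cutpoint because y points into the middle of x's list, and 0x12 because the non-local object 0x14 points to it through its n field. Passing y as a second parameter removes 0x11 from the cutpoints.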
Store-based semantics
Memory state: Val = Addresses ∪ Atoms; Env: Var → Val; Heap: FieldId × Address → Val
Natural; easy to identify cutpoint objects; addresses do not affect shape.
[Figure: two store-based states that differ only in the addresses of their objects (0x10, 0x12, 0x14 versus 0x0, ...) yet have the same shape, x → n → n]
Storeless semantics [Jonkers’81]
No addresses. Memory state: Object: 2^(Access paths); Heap: 2^(Object)
Alias analysis
[Figure: the list x → n → n, then the same list shared by x and y, then reachable only from y]
Initially the objects are {x}, {x.n}, {x.n.n}.
y = x: the objects become {x, y}, {x.n, y.n}, {x.n.n, y.n.n}.
x = null: the objects become {y}, {y.n}, {y.n.n}.
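The storeless view above treats an object as nothing but the set of access paths that reach it. The following added example (my code, not from the slides or from Jonkers' paper) implements that representation for the three statement forms needed to replay the alias-analysis slide, y = x, x = null and y = x.f, and an alias test. The heap names and the `_rebind` helper are my own; the example assumes an acyclic heap, so every object has finitely many access paths and the sets stay finite.

```python
# Added example: storeless heap in the style of the slides (no addresses).
# An object IS the frozenset of access paths that reach it; the heap is the
# frozenset of objects. An access path is a tuple, ('x', 'n', 'n') for x.n.n.
# Assumption: acyclic heaps, so path sets are finite.

def path(s):
    """'x.n.n' -> ('x', 'n', 'n')."""
    return tuple(s.split("."))


def _rebind(heap, y, twins):
    """Shared step for assignments to variable y: drop y's old paths, add the
    twin paths that `twins` derives from the object's old path set, and let
    an object with no remaining path disappear (it is unreachable garbage)."""
    new = set()
    for obj in heap:
        kept = {p for p in obj if p[0] != y} | twins(obj)
        if kept:
            new.add(frozenset(kept))
    return frozenset(new)


def assign_null(heap, x):
    """x = null: every path through x dies."""
    return _rebind(heap, x, lambda obj: set())


def assign_var(heap, y, x):
    """y = x: each path x.f1...fk gains the twin y.f1...fk in the same object,
    which is exactly what makes y and x (and y.n and x.n, ...) aliases."""
    return _rebind(heap, y, lambda obj: {(y,) + p[1:] for p in obj if p[0] == x})


def assign_field(heap, y, x, f):
    """y = x.f: each path x.f.g1...gk gains the twin y.g1...gk."""
    return _rebind(heap, y,
                   lambda obj: {(y,) + p[2:] for p in obj if p[:2] == (x, f)})


def aliased(heap, p, q):
    """Two access paths are aliases iff some object contains both."""
    return any(p in obj and q in obj for obj in heap)


# Constructed starting state, matching the slide: the list x -> n -> n.
SLIDE_HEAP = frozenset({frozenset({path("x")}),
                        frozenset({path("x.n")}),
                        frozenset({path("x.n.n")})})


def slide_sequence(heap=SLIDE_HEAP):
    """Replay the slide: after y = x, then after x = null."""
    after_y_eq_x = assign_var(heap, "y", "x")
    after_x_null = assign_null(after_y_eq_x, "x")
    return after_y_eq_x, after_x_null


if __name__ == "__main__":
    for h in slide_sequence():
        print(sorted(sorted(".".join(p) for p in obj) for obj in h))
```

Because an object is identified by its path set, no garbage collector is needed: an object that loses its last access path is simply no longer an element of the heap, which is what "x = null" on an unshared list shows.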
Cutpoint labels
Relate the pre-state with the post-state; mark cutpoints at, and throughout, an invocation.
[Figure: the activation records of main and of the pending call z=f(x), with variables y, x and g and the n-linked list they share]
Cutpoint labels
Cutpoint label: the set of access paths that point to