Materialization in Shape Analysis with Structural Invariant Checkers
Bor-Yuh Evan Chang, Xavier Rival, George C. Necula
University of California, Berkeley
August 27, 2007, ITU Copenhagen
Shape analysis tracks memory manipulation in a flow-sensitive manner.
• Memory manipulation
  – Particularly important in systems code (in C)
• Flow-sensitive
  – Many important properties
    • E.g., Is an object freed? Is a file open?
  – Heap abstracted differently at different points
    • E.g., Not based on allocation site
Example: Typestate with shape analysis

  cur = l;
  while (cur != null) {
    assert(cur is red);
    make_purple(cur);
    cur = cur->next;
  }

[Figure: concrete example (the list l with the cursor cur, nodes coloured red or purple) beside its abstraction: a "purple list segment" from l to cur followed by a "red list" from cur.]
"red" is a program-specific predicate; the abstraction is a flow-sensitive heap abstraction.
make_purple(·) could be lock(·), free(·), open(·), …
Shape analysis is not yet practical
Usability: Choosing the heap abstraction is difficult
• TVLA [Sagiv et al.]: "red list" expressed as red(n) ∧ n ∈ reach(l)
  – Parametric in low-level, analyzer-oriented predicates
  – ++ Very general and expressive
  – -- Hard for non-expert
• Space Invader [Distefano et al.]: "red list" as a built-in predicate
  – Built-in high-level predicates
  – -- Hard to extend
  – ++ No additional user effort
• Our Proposal: "red list" as a developer-oriented predicate
  – Parametric in high-level, developer-oriented predicates
  – ++ Extensible
  – ++ Easier for developers
Shape analysis is not yet practical
Scalability: Finding the right level of abstraction is difficult; over-reliance on disjunction for precision
[Figure: the developer's view is a single abstract state, a "purple list segment" from l to cur followed by a "red list" from cur. The shape analyzer's view is a long disjunction (∨) of cases distinguished by the position of cur relative to l, down to the empty heap (emp).]
Hypothesis
The developer can describe the memory in a compact manner at an abstraction level sufficient for the properties of interest (at least informally).
• Good abstraction is program-specific

• Memory abstraction
  – Restrictions on checkers
  – Challenge: Intermediate invariants
• Materialization by forward unfolding
  – Where and how
  – Challenge: Unfolding segments
• Materialization by backward unfolding
  – Challenge: Back pointers
• Deciding where to unfold generically
Abstract memory using checkers
Graphs
• α: values (address or null), drawn as nodes
• points-to relation α@f ↦ β, drawn as an edge α —f→ β
• checker run c(α), drawn as node α labelled c
• partial run (segment) from α to β, drawn as an edge α —c→ β: "some number of points-to edges that satisfies checker c"
• disjoint memory regions (∗)
Example: "Disjointly, α->next = β, γ->next = β, and β is a list."
[Figure: graph with edges α —next→ β and γ —next→ β, and β labelled list.]
Checkers as inductive definitions

  bool list(List* l) {
    if (l == null)
      return true;
    else
      return list(l->next);
  }

list(α) := (α = null ∧ emp) ∨ (∃β. α@next ↦ β ∗ list(β))
[Figure: the call list(l) unfolded into its two cases, the empty-heap case (α = null) and the points-to case α —next→ β with a recursive call list(β); repeated unfolding yields emp (α = null), α —next→ null, α —next→ ● —next→ null, …]
Disjointness: A checker run can dereference any object field only once.
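One way to exercise these definitions, as an added example that is not part of the talk: a small interpreter that runs the list checker above, the "red list" checker of the typestate example and a purple list segment over a hand-built concrete heap, enforcing the disjointness restriction (each object field may be dereferenced at most once per run, and runs composed with ∗ share that budget). The heap, its addresses, field names and the checker names are constructed for the demonstration.

```python
# Added illustration (constructed heap, addresses and checker names; not the paper's code)

class DisjointnessViolation(Exception):
    """A run dereferenced the same object field twice, so the regions are not disjoint."""

def run_checkers(heap, *runs):
    """Evaluate runs conjoined with *; runs are (checker, args). Returns (all_true, footprint)."""
    # heap: address -> {field: value}, None models null. footprint = cells dereferenced, shared by all runs.
    footprint = set()

    def deref(addr, field):
        cell = (addr, field)
        if cell in footprint:
            raise DisjointnessViolation(f"{hex(addr)}@{field} dereferenced twice")
        footprint.add(cell)
        return heap[addr][field]

    return all(checker(deref, *args) for checker, args in runs), footprint

def list_checker(deref, l):
    """bool list(List* l) from the slide: null is a list, else l->next must be."""
    return True if l is None else list_checker(deref, deref(l, "next"))

def red_list_checker(deref, l):
    """Program-specific predicate from the typestate example: a list of red nodes."""
    if l is None:
        return True
    return deref(l, "color") == "red" and red_list_checker(deref, deref(l, "next"))

def purple_segment_checker(deref, a, b):
    """Partial run: purple nodes from a up to (excluding) b; a == b is the empty segment."""
    if a == b:
        return True
    return deref(a, "color") == "purple" and purple_segment_checker(deref, deref(a, "next"), b)

# Constructed heap for the loop state l = 0x10, cur = 0x30 of the typestate example.
LOOP_HEAP = {0x10: {"next": 0x20, "color": "purple"}, 0x20: {"next": 0x30, "color": "purple"},
             0x30: {"next": 0x40, "color": "red"}, 0x40: {"next": None, "color": "red"}}
CYCLIC_HEAP = {0x10: {"next": 0x20}, 0x20: {"next": 0x10}}

def loop_invariant_holds(heap, l, cur):
    """The slide's abstraction: purple segment from l to cur * red list from cur."""
    return run_checkers(heap, (purple_segment_checker, (l, cur)), (red_list_checker, (cur,)))[0]

def is_list(heap, root):
    """list(root) on a concrete heap; a cycle forces a second dereference of some next field."""
    try:
        return run_checkers(heap, (list_checker, (root,)))[0]
    except DisjointnessViolation:
        return False
```

The footprint returned by run_checkers is exactly the set of points-to edges the run "owns" in the graph notation above, and a cyclic heap is rejected because the run would have to consume one next edge twice.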
What can a checker do?
• In this talk, a checker …
  – is a pure, recursive function
  – dereferences any object field only once during a run
  – only one argument can be dereferenced (traversal