local heap semantics and its applications

Post on 02-Feb-2016


DESCRIPTION

Local Heap Semantics and its Applications. Noam Rinetzky, Tel Aviv University. Joint work with Jörg Bauer (Universität des Saarlandes), Thomas Reps (University of Wisconsin), Mooly Sagiv (Tel Aviv University) and Reinhard Wilhelm (Universität des Saarlandes). PowerPoint presentation.

TRANSCRIPT

Local Heap Semantics and its Applications

Noam Rinetzky, Tel Aviv University

Joint work with

Jörg Bauer Universität des Saarlandes

Thomas Reps University of Wisconsin

Mooly Sagiv Tel Aviv University

Reinhard Wilhelm Universität des Saarlandes

Eran Yahav IBM Watson

Motivation

Verify heap-intensive programs: imperative programs with procedures and recursive data structures (lists, trees, ...).

Motivation

    class List {
        List n;            // singly linked list: one successor field
    }

    main() {
        List x = null, y = null;
        int k = getLen();  // list length, not known statically
        x = create(k);     // allocate a list of k nodes
        y = reverse(x);    // destructively reverse it in place
    }

[Diagram: for k=4, x points to a four-node list linked by n; after reverse, y points to the same nodes in reversed order.]

Properties to verify:

No null dereferences

No memory leaks

x and y point to the same list

y points to an acyclic list

reverse reverses the list and terminates, for arbitrary k

What is the problem?

Recursive procedures: unbounded number of activation records

Dynamic allocation: unbounded number of objects

Checking heap properties is undecidable

Our approach

Use abstractions: over-approximation algorithms

Effective (termination); every verified property holds (sound); may not prove all properties (incomplete)

Main idea

Procedures as heap transformers

[Diagram: heap with variables x, y, t, g before and after call p(x); the procedure is viewed as a transformer of the whole heap.]

Main idea

Procedures as local heap transformers

[Diagram: call p(x); the procedure sees and transforms only the part of the heap reachable from x, while the part reachable from y, t and g is left untouched.]

Abstract Interpretation [Cousot and Cousot]

Operational semantics, abstracted into an abstract transformer.

Introducing local heap semantics: the standard operational semantics is replaced by a local heap operational semantics, and the abstract transformer is derived from that.

[Diagram: concrete states and their abstract counterparts, related by ~; the abstract transformer simulates the local heap operational semantics.]

Main Results

Arbitrary programs: complicated. Restriction on aliasing: simple.

Non-standard concrete operational semantics for sequential programs: local heap, storeless. Good for heap abstractions; observationally equivalent with the "standard" global store-based heap semantics (e.g., Java).

POPL'05 (arbitrary programs): abstractions for shape analysis of singly-linked lists; may-alias [Deutsch, PLDI 04].

SAS'05 (restriction on aliasing): abstractions for shape analysis of singly-linked lists and trees; sorting: quickSort.

Outline

Motivation; Crash course in shape analysis; Local heap semantics; Local heap abstractions

Collecting semantics

    class List { List n; }

The example program builds a list in a loop whose exit is nondeterministic (the "?" branch, T/F):

    x = null;
    while (?) {
        t = new List();
        t.n = x;
        x = t;
    }
    return x;

[Diagram: the collecting semantics gathers, at each program point, the set of concrete states reaching it: x empty; x pointing to one node; x and t pointing to a node whose n field leads to the earlier nodes; and so on, an unbounded set of states.]

Canonical abstraction

[Diagram: a concrete list x -> n -> n -> n is abstracted to x -> n -> (summary node) with a dashed n self-edge; nodes not pointed to by any variable are merged into one summary node.]

Shape analysis in action

[Diagram: the same loop, now run on abstract states; at each program point the set of abstract states (x null; x and t pointing to one node; x pointing to a node followed by a summary node) stays finite.]

    class List { List n; }
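Canonical abstraction applied to the list-building loop above, as an added example written for this page (it is not code from the talk and not TVLA's implementation). Concrete states are tiny heap graphs; each node is named by the set of unary predicates it satisfies (here "x", pointed to by x, and "rx", reachable from x; both are my choice of predicates), nodes with equal names are merged into a summary node, and n-edges between abstract nodes get three-valued truth: 1 when every pair of merged members is connected, 1/2 when only some are. Running the loop for 0, 1, 2, ... iterations produces unboundedly many concrete states but only four distinct abstract states, which is what makes the analysis terminate.

```python
from fractions import Fraction
from typing import Dict, FrozenSet, List, Optional

HALF = Fraction(1, 2)   # the Kleene "maybe" value used for summary-node edges


class Concrete:
    """A concrete store: variables point to node ids, each node has one n field."""

    def __init__(self, env: Dict[str, Optional[int]], nxt: Dict[int, Optional[int]]):
        self.env = env      # variable -> node id or None (null)
        self.next = nxt     # node id -> node id or None (the n field)


def build_list(length: int) -> Concrete:
    """Concrete state reached by the slide's loop after `length` iterations:
    x = null; repeat { t = new List(); t.n = x; x = t }."""
    nxt: Dict[int, Optional[int]] = {}
    x: Optional[int] = None
    for node in range(length):
        nxt[node] = x          # t.n = x
        x = node               # x = t
    return Concrete({"x": x}, nxt)


def reachable_from(state: Concrete, var: str) -> FrozenSet[int]:
    seen, cur = set(), state.env.get(var)
    while cur is not None and cur not in seen:
        seen.add(cur)
        cur = state.next[cur]
    return frozenset(seen)


def canonical_name(state: Concrete, node: int) -> FrozenSet[str]:
    """Unary predicates true of the node: 'v' (pointed to by v) and 'rv' (reachable from v)."""
    preds = set()
    for v in state.env:
        if state.env[v] == node:
            preds.add(v)
        if node in reachable_from(state, v):
            preds.add("r" + v)
    return frozenset(preds)


def abstract(state: Concrete):
    """Canonical abstraction: merge nodes with equal names; the n-edge between two
    abstract nodes is 1 if every pair of members is connected, 1/2 if some pairs are,
    and absent if none are. Returns a hashable (names, summary nodes, edges) triple."""
    groups: Dict[FrozenSet[str], List[int]] = {}
    for node in state.next:
        groups.setdefault(canonical_name(state, node), []).append(node)
    edges = {}
    for a, members_a in groups.items():
        for b, members_b in groups.items():
            pairs = [(u, v) for u in members_a for v in members_b]
            hits = sum(1 for u, v in pairs if state.next[u] == v)
            if hits == len(pairs):
                edges[(a, b)] = Fraction(1)
            elif hits:
                edges[(a, b)] = HALF
    summary = frozenset(name for name, members in groups.items() if len(members) > 1)
    return (frozenset(groups), summary, frozenset(edges.items()))


def distinct_abstract_states(max_len: int):
    """Abstract every concrete state the loop can produce with up to max_len nodes."""
    return {abstract(build_list(k)) for k in range(max_len + 1)}


if __name__ == "__main__":
    for k in range(5):
        names, summary, edges = abstract(build_list(k))
        print(k, [sorted(n) for n in names], [sorted(s) for s in summary], sorted(edges))
    print("distinct abstract states for lengths 0..6:", len(distinct_abstract_states(6)))
```

Lists of length three or more all abstract to the same state (x-node, then a summary node with a 1/2 self-edge), so the set of abstract states is bounded even though the concrete ones are not; adding more predicates (as the later slides do with reachability from several variables) makes the abstraction more precise at the cost of more abstract states.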

Outline

Motivation; Crash course in shape analysis; Local heap semantics; Local heap abstractions

Programming Model

Single threaded

Procedures: value parameters; recursion; no explicit addressing (&, cast)

Heap: recursive data structures; destructive update

Local heaps

[Diagram: before call f(x) the caller's heap holds objects reachable from y, t and g as well as from x; inside f the formal parameter p is bound to x's object and the callee sees only the part reachable from p; after the call the caller's view of y, t and g is unchanged.]

Cutpoints

[Diagram: the same call f(x), but an object in the part reachable from p is also referenced from the caller's side of the heap; the callee does not know about that reference (marked "?").]

Cutpoints: objects that separate the part of the heap a procedure can access from the rest of the heap, excluding objects pointed to by a parameter.

[Diagram: z = f(x) in main, with variables x, y, g and q; the list reachable from x is drawn with concrete addresses 0x10 to 0x15 and n fields, and y and g point into the heap as well.]

Store-based semantics

Memory state: Val = Addresses ∪ Atoms; Env: Var → Val; Heap: FieldId, Address → Val

Natural; easy to identify cutpoint objects. But addresses do not affect shape.

[Diagram: two store-based states of the list x -> n -> n that differ only in the addresses of the nodes (0x10, 0x12, 0x14 versus 0x12, 0x0, ...) and are related by ~: they have the same shape.]

Storeless semantics [Jonkers'81]

No addresses. Memory state: Object ∈ 2^(Access paths) (an object is the set of access paths that reach it); Heap ∈ 2^Object (a heap is a set of objects).

Alias Analysis

[Diagram: the list x -> n -> n is the three objects {x}, {x.n}, {x.n.n}. After y = x it becomes {x, y}, {x.n, y.n}, {x.n.n, y.n.n}. After x = null it becomes {y}, {y.n}, {y.n.n}.]
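The storeless state transformers for the slide's y = x; x = null sequence, as an added example written for this page (my rendering of the idea, not code from the paper). Each object is the frozenset of access paths that reach it; an assignment kills the paths that went through the overwritten variable and generates new paths from the right-hand side. Because no addresses exist, aliasing is just "both paths are in the same object", and an object whose path set becomes empty is unreachable, which is how the memory-leak corollary later in the talk can be checked. The initial state S0 is constructed from the slide's picture.

```python
from typing import FrozenSet, List, Optional, Tuple

AccessPath = Tuple[str, ...]       # ("x", "n", "n") stands for x.n.n
Obj = FrozenSet[AccessPath]        # an object is the set of access paths that reach it
State = List[Obj]                  # a storeless heap is a set of such objects


def parse(path: str) -> AccessPath:
    return tuple(path.split("."))


def show(state: State) -> List[str]:
    """Render each object the way the slide does, e.g. "{x.n, y.n}"."""
    return ["{" + ", ".join(".".join(p) for p in sorted(o)) + "}" for o in state]


def rebind(state: State, lhs: str, source: Optional[AccessPath]) -> State:
    """lhs = source, where source is an access-path prefix such as ("y",) or ("y", "n"),
    or None for null. Paths through the old value of lhs are killed; for every path
    source.s in the pre-state the path lhs.s is generated. Generation reads the
    pre-state, so lhs = lhs.n (advancing a pointer) is handled correctly as well."""
    out: State = []
    for obj in state:
        keep = frozenset(p for p in obj if p[0] != lhs)
        gen: FrozenSet[AccessPath] = frozenset()
        if source is not None:
            k = len(source)
            gen = frozenset((lhs,) + p[k:] for p in obj if p[:k] == source)
        out.append(keep | gen)
    return out


def allocate(state: State, lhs: str) -> State:
    """lhs = new List(): kill the old binding, add a fresh object reached only by lhs."""
    return rebind(state, lhs, None) + [frozenset({(lhs,)})]


def aliases(state: State, p: str, q: str) -> bool:
    """Two access paths alias exactly when some object contains both."""
    return any(parse(p) in obj and parse(q) in obj for obj in state)


def unreachable(state: State) -> List[Obj]:
    """Objects with no access path at all can never be touched again: a leak."""
    return [obj for obj in state if not obj]


# Constructed initial state from the slide: the list x -> n -> n as three objects.
S0: State = [frozenset({parse("x")}), frozenset({parse("x.n")}), frozenset({parse("x.n.n")})]


def slide_example():
    s1 = rebind(S0, "y", parse("x"))     # y = x
    s2 = rebind(s1, "x", None)           # x = null
    return s1, s2


def walk_example() -> State:
    """x = x.n with no other reference to the head: the first node becomes garbage."""
    return rebind(S0, "x", parse("x.n"))


if __name__ == "__main__":
    s1, s2 = slide_example()
    print("after y = x   :", show(s1))
    print("after x = null:", show(s2))
    print("after x = x.n :", show(walk_example()), "leaked:", len(unreachable(walk_example())))
```

The two store-based states of the previous slide that differ only in addresses both map to S0, which is the sense in which the storeless representation abstracts from addresses while keeping every observable equality between access paths.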


Cutpoint labels

Relate the pre-state with the post-state: mark cutpoints at, and throughout, an invocation.

[Diagram: main calls z = f(x) with x, y and g pointing into a list linked by n; inside reverse the formal p is bound to x's object and the cutpoints of the call are marked.]

Cutpoint label: the set of access paths that point to a cutpoint when the invoked procedure starts.

[Diagram: the same call, with the cutpoints annotated by their labels as drawn on the slide: {p}, {p.n}, {p.n.n, p.n.n}, {p.n.n.n, p.n.n.n}.]

Sharing patterns: cutpoint labels encode sharing patterns.

[Diagram: the labelled cutpoints again, seen from main, where y and g are the variables that share objects with the list passed to f.]

Memory states

L = ⟨CPL, A⟩: a memory state pairs the set of cutpoint labels CPL with the storeless heap component A.

[Diagram: the state inside reverse for the running example, with the objects of p's list labelled {p}, {p.n}, {p.n.n, p.n.n}, {p.n.n.n, p.n.n.n}.]
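Computing the cutpoints of a call and their labels on a small store-based heap graph, as an added example written for this page (it is not the paper's code). It follows the definition given above: the callee's local heap is everything reachable from the actual parameters, and a cutpoint is an object in that local heap, other than one a parameter points to directly, that is referenced from outside it, either by a non-parameter variable or by a field of an object outside the local heap. A cutpoint label is the set of parameter access paths reaching the cutpoint at call time, which is what the callee needs in order to reconnect the post-state. The heap (variables x, y, g, q, z and objects a to d) is constructed for the illustration; the length bound on access paths is my addition so that cyclic heaps still terminate.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Set, Tuple

Node = str
AccessPath = Tuple[str, ...]
Env = Dict[str, Optional[Node]]              # variable -> object (None = null)
Fields = Dict[Tuple[Node, str], Node]        # (object, field) -> object

# Constructed example heap for the call z = f(x):
#   x, q -> a ; a.n -> b ; b.n -> c ; y -> b ; g -> d ; d.n -> c
EXAMPLE_ENV: Env = {"x": "a", "y": "b", "g": "d", "q": "a", "z": None}
EXAMPLE_FIELDS: Fields = {("a", "n"): "b", ("b", "n"): "c", ("d", "n"): "c"}


def reachable(env: Env, fields: Fields, roots: List[str]) -> Set[Node]:
    """Objects reachable from the given variables: the callee's local heap."""
    seen: Set[Node] = set()
    work: Deque[Node] = deque(n for n in (env.get(v) for v in roots) if n is not None)
    while work:
        node = work.popleft()
        if node in seen:
            continue
        seen.add(node)
        work.extend(dst for (src, _f), dst in fields.items() if src == node)
    return seen


def access_paths(env: Env, fields: Fields, var: str, max_len: int = 8) -> Dict[Node, Set[AccessPath]]:
    """Map each object to the access paths var(.f)* that reach it, bounded in length
    so that a cyclic heap (infinitely many paths) still terminates."""
    paths: Dict[Node, Set[AccessPath]] = {}
    start = env.get(var)
    if start is None:
        return paths
    work = deque([((var,), start)])
    while work:
        path, node = work.popleft()
        paths.setdefault(node, set()).add(path)
        if len(path) < max_len:
            work.extend((path + (f,), dst) for (src, f), dst in fields.items() if src == node)
    return paths


def cutpoints(env: Env, fields: Fields, params: List[str]) -> Set[Node]:
    """Objects in the local heap referenced from outside it (by a non-parameter variable
    or by a field of an object outside the local heap), excluding objects that a
    parameter points to directly."""
    local = reachable(env, fields, params)
    param_targets = {env[p] for p in params if env.get(p) is not None}
    result: Set[Node] = set()
    for node in local - param_targets:
        from_var = any(env[v] == node for v in env if v not in params)
        from_heap = any(dst == node and src not in local for (src, _f), dst in fields.items())
        if from_var or from_heap:
            result.add(node)
    return result


def cutpoint_labels(env: Env, fields: Fields, params: List[str]) -> Dict[Node, Set[AccessPath]]:
    """Cutpoint label: the parameter access paths reaching each cutpoint at call time."""
    per_param = [access_paths(env, fields, p) for p in params]
    return {cp: set().union(*(ap.get(cp, set()) for ap in per_param))
            for cp in cutpoints(env, fields, params)}


def is_cutpoint_free(env: Env, fields: Fields, params: List[str]) -> bool:
    """The aliasing restriction of the SAS'05 analysis: no cutpoints at the call."""
    return not cutpoints(env, fields, params)


if __name__ == "__main__":
    print("cutpoints of f(x):", cutpoint_labels(EXAMPLE_ENV, EXAMPLE_FIELDS, ["x"]))
    print("f(x, y, g) cutpoint-free:", is_cutpoint_free(EXAMPLE_ENV, EXAMPLE_FIELDS, ["x", "y", "g"]))
```

For the constructed heap, b is a cutpoint because y points to it from the caller, and c is one because d.n reaches it from outside the local heap; a is excluded even though q also points to it, because x, a parameter, points to it directly. Passing x, y and g together makes the call cutpoint-free, which is the condition the SAS'05 analysis verifies instead of tracking labels.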

Formal semantics

Ordinary statements; procedure call semantics.

Local-heap storeless semantics

[Diagram: call f(x) where the callee's state holds only p's list, its cutpoint labels ({p.n.n, p.n.n} and {p.n.n.n, p.n.n}) and, on the caller's side, the access paths from x and y ({x.n.n.n, y.n.n}) that the labels stand for.]

Observational Equivalence

Programs cannot distinguish between the global-heap store-based semantics and the local-heap storeless semantics: same executions, same observed equalities.

A local storeless state L and a global store-based state G are observationally equivalent when, for every pair of access paths, the two paths are equal in L exactly when they are equal in G.

Main theorem: semantic equivalence

Let L be a state of the local-heap storeless semantics (LSL) and G a state of the global-heap store-based semantics (GSB), with L and G observationally equivalent. If executing statement st from L under LSL yields L', and executing st from G under GSB yields G', then L' and G' are observationally equivalent.

Corollaries

Preservation of invariants: assertions stating equalities between access paths hold under one semantics exactly when they hold under the other.

Detection of memory leaks

Outline

Motivation; Crash course in shape analysis; Local heap semantics; Local heap abstractions

Applications

Justify soundness of static analysis: may-alias analysis; shape analysis; compile-time garbage collection

Shape abstraction

Abstract memory states represent unbounded concrete memory states, conservatively and in a bounded way.

Canonical abstraction

[Diagram: a concrete state with variables x, y, z and t pointing into lists linked by n; canonical abstraction merges the nodes not pointed to by any variable into summary nodes, keeping one abstract node per distinct set of pointing variables.]

Abstract memory states (with reachability)

[Diagram: the same abstract state with reachability predicates rx, ry, rz and rt on each node (rx: reachable from x, and so on); nodes with different reachability sets are kept apart, so the lists reachable from x and y, from z, and from t are distinguished.]

The importance of reachability: call append(y, z)

[Diagram: with reachability predicates, the abstraction of the state after append(y, z) still records which nodes are reachable from x and y and which from z; without them the lists would be merged into one summary node and the information lost.]

Cutpoints and abstraction

Unbounded state: objects and cutpoint labels. Canonical abstraction summarizes objects and summarizes labels.

[Diagram: call f(x) on a list x -> n -> n -> n with y1 and y2 pointing into it; inside f the cutpoints and their labels are summarized together with the list nodes.]

Cutpoint abstraction: ramifications

[Diagram: call f(x) with y, t and g; after abstraction the summarized cutpoint labels lose the precise correspondence between the callee's objects and the caller's references.]

Cutpoint freedom

[Diagram: call p(x) where no object of x's part of the heap is referenced from the y, t, g part; the callee's heap is disjoint from the caller's, marked "?" for the cases that remain. POPL '05 handles cutpoints; SAS '05 restricts to cutpoint-free calls.]

Tabulation exits

Interprocedural shape analysis

[Diagram: call f(x) with the formal p bound to x's object and y pointing into the heap.]

POPL'05: marking cutpoints

SAS'05: verifying cutpoint freedom

Interprocedural shape analysis

[Diagram: call f(x) with y outside the local heap; f is analyzed once on its local heap, with no tabulation of the caller's context.]

No tabulation

Analyze f

Prototype implementation

Data structure: singly linked list (insert, delete, reverse, ...). Verified properties: no memory errors, acyclicity.

Data structure: sorting of singly linked lists (insertion sort, quickSort). Verified properties: as above, plus sortedness.

Data structure: unshared binary trees (insert, delete, ...). Verified properties: no memory errors, tree-ness.

Iterative vs. Recursive (SLL)

[Chart: analysis time in seconds (y-axis 0 to 100) per program, comparing the iterative and the recursive version of each singly-linked-list procedure; one value is labelled 585.]

Inline vs. Procedural abstraction

[Chart: memory in megabytes (y-axis 0 to 20) against the number of lists (1, 2, 4, 8), for the inlined version versus the procedure-call version.]

[Chart: time in seconds (y-axis 0 to 160) against the number of lists (1, 2, 4, 8), for the inlined version versus the procedure-call version.]

    // Allocates a list of length 3.
    // (Body reconstructed from the comment; the slide shows only the signature.)
    List create3() {
        List t = new List();
        t.n = new List();
        t.n.n = new List();
        return t;
    }

    // Benchmark driver: the "number of lists" in the charts is the number of
    // create3() calls (1, 2, 4 or 8); shown here with four.
    main() {
        List x1 = create3();
        List x2 = create3();
        List x3 = create3();
        List x4 = create3();
    }

Related Work

Interprocedural shape analysis: Rinetzky and Sagiv, CC '01; Chong and Rugina, SAS '03; Jeannet et al., SAS '04; Hackett and Rugina, POPL '05

Local reasoning: Ishtiaq and O'Hearn, POPL '01; Reynolds, LICS '02

Encapsulation: Noble et al., IWACO '03; ...

Cutpoint-freedom as dynamic ownership

[Diagram: z = f(x, y) with variables x, y, g and h pointing into lists linked by n; the objects reachable from the actual parameters x and y are owned by the call, and cutpoint-freedom means no other part of the heap refers into them during the call.]

Conclusions

Local heap operational semantics: deterministic; storeless; observationally equivalent to the standard semantics; fully abstract

Abstractions: cutpoint-free programs; type-based abstractions for cutpoints

Cutpoint profiler [Shachar Rubinstein, MSc.]

End

www.cs.tau.ac.il/~maon

Interprocedural shape analysis for cutpoint-free programs

Noam Rinetzky, Mooly Sagiv, and Eran Yahav

SAS, 2005

A Semantics for procedure local heaps and its abstraction

Noam Rinetzky, Jörg Bauer, Thomas Reps, Mooly Sagiv, and Reinhard Wilhelm

POPL, 2005
