compactly representing first-order structures for static analysis
DESCRIPTION
Compactly Representing First-Order Structures for Static Analysis. Tel-Aviv University Roman Manevich Mooly Sagiv. I.B.M T.J. Watson Ganesan Ramalingam John Field Deepak Goyal. Motivation. TVLA is a powerful and general abstract interpretation system Abstract interpretation in TVLA - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/1.jpg)
Compactly Representing First-Order Structures for
Static Analysis
Tel-Aviv University
Roman Manevich
Mooly Sagiv
I.B.M T.J. Watson
Ganesan RamalingamJohn Field
Deepak Goyal
![Page 2: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/2.jpg)
Motivation
TVLA is a powerful and general abstract interpretation system
Abstract interpretation in TVLA Operational semantics is expressed with
first-order logic formulae Program states are represented as
sets of Evolving First-Order Structures
Space is a major bottleneck
![Page 3: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/3.jpg)
Desired Properties
Sparse data structures Share common sub-structures
Inherited sharing Incidental sharing due to program invariants
But feasible time performance Phase sensitive data structures
![Page 4: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/4.jpg)
Outline
Background First-order structure representations
Base representation (TVLA 0.91)
BDD representation Empirical evaluation Conclusion
![Page 5: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/5.jpg)
First-Order Logical Structures
Generalize shape graphs Arbitrary set of individuals Arbitrary set of predicates on individuals Dynamically evolving
Usually small changes Properties are extracted by evaluating first
order formula: ∃v1 , v: x(v1) ∧ n(v1, v) Join operator requires isomorphism testing
![Page 6: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/6.jpg)
First-Order Structure ADT
Structure : new() /* empty structure */ SetOfNodes : nodeSet(Structure) Node : newNode(Structure) removeNode(Structure, node) Kleene eval(Structure, p(r), <u1, . . . ,ur>)
update(Structure, p(r), <u1, . . . ,ur>, Kleene) Structure copy(Structure)
![Page 7: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/7.jpg)
print_all Example/* list.h */typedef struct node { struct node * n; int data;} * L;
/* print.c */#include “list.h”void print_all(L y) { L x; x = y; while (x != NULL) { /* assert(x != NULL) */ printf(“elem=%d”, xdata); x = xn; }}
![Page 8: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/8.jpg)
print_all Example
S0
copy(S0) : S1
x = yx’(v) := y(v)
nodeset(S0) : {u1, u}eval(S0, y, u1) : 1
update(S1, x, u1, 1)eval(S0, y, u) : 0update(S1, x, u, 0)
u1
y=1u
sm=½n=½
n=½
S1
u1
y=1u
sm=½n=½
n=½
x=1
![Page 9: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/9.jpg)
print_all Example
x = x nfocus : ∃v1 x(v1) ∧ n(v1, v)x’(v) := ∃v1 x(v1) ∧ n(v1, v)
S2.0u1
y=1
usm=½
n=½
S2.1u1
y=1u
x=1n=1
n=½
S2.2u1
y=1u.1x=1
n=1
n=½
n=½
S1
u1
x=1y=1
usm=½
n=½
n=½
n=½
u.0sm=½
while (x != NULL)precondition : ∃v x(v)
![Page 10: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/10.jpg)
Overview and Main Results
1. Two novel representations of first-order structures New BDD representation New representation using functional maps
2. Implementation techniques3. Empirical evaluation
Comparison of different representations Space is reduced by a factor of 4–10 New representations scale better
![Page 11: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/11.jpg)
Base Representation (Tal Lev-Ami SAS 2000)
Two-Level Map : Predicate (Node Tuple Kleene)
Sparse Representation Limited inherited sharing by
“Copy-On-Write”
![Page 12: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/12.jpg)
x1x2x3f
0000
0010
0100
0111
1000
1011
1100
1111
x3 x3 x3 x3
x2 x2
x1
10 0 0 0 1 0 1
BDDs in a Nutshell (Bryant 86) Ordered Binary Decision Diagrams Data structure for Boolean functions Functions are represented as (unique) DAGs
![Page 13: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/13.jpg)
x3 x3 x3 x3
x2 x2
x1
0 1
x3 x3
x2 x2
x1
0 1
x3
x2
x1
0 1
Duplicate Terminals Duplicate Nonterminals Redundant Tests
BDDs in a Nutshell (Bryant 86) Ordered Binary Decision Diagrams Data structure for Boolean functions Functions are represented as (unique) DAGs
Also achieve sharing across functions
![Page 14: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/14.jpg)
Encoding Structures Using Integers
Static encoding of Predicates Kleene values
Dynamic encoding of nodes 0, 1, …, n-1
Encode predicate p’s values as ep(p).en(u1). en(u2) . … . en(un) . ek(Kleene)
![Page 15: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/15.jpg)
BDD Representation of Integer Sets
Characteristic function S={1,5} 1=<001> 5=<101>
S = (¬x1¬x2x3) (x1¬x2x3)
10
x2
x1
x3
x2
![Page 16: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/16.jpg)
BDD Representation of Integer Sets
Characteristic function S={1,5} 1=<001> 5=<101>
S = (¬x1¬x2x3) (x1¬x2x3)
1
x2
x1
x3
x2
![Page 17: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/17.jpg)
1
S0
BDD Representation Example
S0u1
y=1
usm=½
n=½
n=½
![Page 18: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/18.jpg)
1
S0 S1
BDD Representation Example
x=y
S1
u1
x=1y=1
usm=½
n=½
n=½
S0u1
y=1
usm=½
n=½
n=½
![Page 19: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/19.jpg)
1
S0 S1
S2.2
BDD Representation Example
x=y
x=xn
S2.2u1
y=1u.1x=1
n=1
n=½
n=½
n=½
u.0sm=½
S1
u1
x=1y=1
usm=½
n=½
n=½
S0u1
y=1
usm=½
n=½
n=½
![Page 20: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/20.jpg)
1
S0 S1
S2.2
BDD Representation Example
x=y
x=xn
S2.2u1
y=1u.1x=1
n=1
n=½
n=½
n=½
u.0sm=½
S1
u1
x=1y=1
usm=½
n=½
n=½
S0u1
y=1
usm=½
n=½
n=½
![Page 21: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/21.jpg)
Improved BDD Representation Using this representation directly
doesn’t save space Observation
Node names can be arbitrarily remapped without affecting the ADT semantics
Our heuristics Use canonic node names to encode nodes Increases incidental sharing Reduces isomorphism test to pointer comparison
4-10 space reduction
![Page 22: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/22.jpg)
Reducing Time Overhead Current implementation not optimized
Expensive formula evaluation Hybrid representation
Distinguish between phases:mutable phase Join immutable phase
Dynamically switch representations
![Page 23: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/23.jpg)
Functional Representation
Alternative representation for first-order structures Structures represented by maps from integers to
Kleene values Tailored for representing first-order structures Achieves better results than BDDs Techniques similar to the BDD representation More details in the paper
![Page 24: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/24.jpg)
Empirical Evaluation
Benchmarks: Cleanness Analysis (SAS 2000) Garbage Collector CMP (PLDI 2002) of Java Front-End and Kernel
Benchmarks Mobile Ambients (ESOP 2000)
Stress testing the representations We use “relational analysis” Save structures in every CFG location
![Page 25: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/25.jpg)
Space Results
12.8 22.7
168.2187.7
402.8
5.5 16.7 12.9 9.6
51.6
0
50
100
150
200
250
300
350
400
450
JFE KERNEL CA MA GC
Base
OBDD total
Functional
![Page 26: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/26.jpg)
Abstract Counters
Ignore language/implementation details A more reliable measurement technique
Count only crucial space information Independent of C/Java
![Page 27: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/27.jpg)
Abstract Counters Results
0
5,000,000
10,000,000
15,000,000
20,000,000
25,000,000
30,000,000
35,000,000
40,000,000
45,000,000
JFE KERNEL CA MA GC
Base
OBDD
Functional
![Page 28: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/28.jpg)
Trends in theCleanness Analysis Benchmark
505
564
74 54
50 420
100
200
300
400
500
600
1 2 3 4 5 6 7 8 9 10
BaseOBDDFunctional
![Page 29: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/29.jpg)
What’s Missing from this Work?
Investigate other node mapping heuristics Compactly represent sets of structures Time optimizations
![Page 30: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/30.jpg)
Conclusions Two novel representations of first-order structures
New BDD representation New representation using functional maps
Implementation techniques Normalization techniques are crucial
Empirical evaluation Comparison of different representations Space is reduced by a factor of 4–10 New representations scale better
![Page 31: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/31.jpg)
Conclusions The use of BDDs for static analysis
is not a panacea for space saving Domain-specific encoding crucial for saving space Failed attempts
Original implementation of Veith’s encoding PAG
![Page 32: Compactly Representing First-Order Structures for Static Analysis](https://reader034.vdocuments.site/reader034/viewer/2022051316/568150e0550346895dbeff33/html5/thumbnails/32.jpg)
The End