![Page 1: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/1.jpg)
Local Heap Semantics and its Applications
Noam Rinetzky, Tel Aviv University
Joint work with:
Jörg Bauer, Universität des Saarlandes
Thomas Reps, University of Wisconsin
Mooly Sagiv, Tel Aviv University
Reinhard Wilhelm, Universität des Saarlandes
Eran Yahav, IBM Watson
![Page 2: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/2.jpg)
Motivation
Verify heap-intensive programs: imperative programs with procedures, operating on recursive data structures (lists, trees, ...).
![Page 3: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/3.jpg)
Motivation
class List {
List n;
}
main() {
List x=null, y=null;
int k = getLen();
x = create(k);
y = reverse(x);
}
[Figure: heap states for k=4: the list built by create(k), with x and y linked to its nodes through n fields, before and after the call to reverse.]
Properties to verify:
No null dereferences
No memory leaks
x and y point to the same list
y points to an acyclic list
reverse: reverses the list and terminates, for arbitrary k
![Page 4: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/4.jpg)
What is the problem?
Recursive procedures: unbounded number of activation records.
Dynamic allocation: unbounded number of objects.
Checking heap properties is undecidable.
![Page 5: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/5.jpg)
Our approach
Use abstractions: over-approximation algorithms.
Effective (termination); every verified property holds (sound); may not prove all properties (incomplete).
![Page 6: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/6.jpg)
Main idea
Procedures as heap transformers
[Figure: the heap before and after call p(x), with variables x, y, t, g; the procedure is viewed as transforming the whole heap.]
![Page 7: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/7.jpg)
Main idea
Procedures as local heap transformers
![Page 8: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/8.jpg)
Main idea
Procedures as local heap transformers
[Figure: the same call p(x), now viewed as transforming only the part of the heap reachable from x; the objects pointed to by y, t and g stay outside the callee's view.]
![Page 9: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/9.jpg)
Abstract Interpretation [Cousot and Cousot]
Operational semantics
Abstract transformer
![Page 10: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/10.jpg)
Introducing local heap semantics
Operational semantics
Abstract transformer
Local-heap operational semantics
[Figure: a standard state and the corresponding local-heap state are related (~), and so are their successor states after the same step.]
![Page 11: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/11.jpg)
Main Results
Non-standard concrete operational semantics (POPL'05): sequential programs; local heap; storeless; good for heap abstractions; observationally equivalent to the "standard" global store-based heap semantics (e.g., Java).
Abstractions for arbitrary programs (complicated; POPL'05): shape analysis for singly-linked lists; may-alias analysis [Deutsch, PLDI 04].
Abstractions under a restriction on aliasing (simple; SAS'05): shape analysis for singly-linked lists and trees; sorting (quickSort).
![Page 12: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/12.jpg)
Outline
Motivation
Crash course in shape analysis
Local heap semantics
Local heap abstractions
![Page 13: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/13.jpg)
Collecting semantics
[Figure: the set of concrete heaps collected at each program point of the loop below: x pointing to lists of length 0, 1, 2, ... linked through n, with t pointing to the most recently allocated node.]
class List { List n; }
x = null
while (?) {        // the loop condition is a nondeterministic branch (T/F)
t = new List();
t.n = x;
x = t;
}
return x
![Page 14: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/14.jpg)
Canonical abstraction
[Figure: the concrete list x -n-> o1 -n-> o2 -n-> o3 is abstracted to x -n-> o1 -n-> summary node, where the summary node stands for all nodes not pointed to by a variable and carries an n self-edge.]
![Page 15: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/15.jpg)
Shape analysis in action
[Figure: the loop from the collecting-semantics slide annotated with abstract states at each program point: x and t point to list nodes, and the unbounded tail of the list is summarised into one summary node with an n self-edge.]
class List { List n; }
x = null
while (?) {        // the loop condition is a nondeterministic branch (T/F)
t = new List();
t.n = x;
x = t;
}
return x
![Page 16: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/16.jpg)
Outline
Motivation
Crash course in shape analysis
Local heap semantics
Local heap abstractions
![Page 17: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/17.jpg)
Programming Model
Single threaded
Procedures: value parameters; recursion; no explicit addressing (&, cast)
Heap: recursive data structures; destructive update
![Page 18: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/18.jpg)
Local heaps
[Figure: at call f(x), the callee sees only the part of the heap reachable from its formal parameter p (bound to the object x points to); the objects referenced by y, t and g stay in the caller's part.]
![Page 19: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/19.jpg)
Cutpoints
[Figure: the same call f(x); an object inside the part reachable from p is also referenced from outside that part (marked with ?).]
![Page 20: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/20.jpg)
Cutpoints: objects that separate the part of the heap a procedure can access from the rest of the heap, excluding objects pointed to by a parameter.
[Figure: the call z = f(x) from main; the list reachable from x is also referenced from y, g and q through n fields, and those shared objects are the cutpoints.]
![Page 21: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/21.jpg)
Store-based semantics
Memory state: Val = Addresses ∪ Atoms; Env: Var → Val; Heap: FieldId × Address → Val
Natural; easy to identify cutpoint objects; addresses do not affect shape.
[Figure: two store-based states of the list x -n-> -n-> ..., laid out at addresses 0x10, 0x12, 0x14 in one and 0x14, 0x12, 0x10 in the other, are equivalent (~): they have the same shape.]
![Page 22: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/22.jpg)
Storeless semantics [Jonkers'81]
No addresses. Memory state: an object is a set of access paths (Object = 2^AccessPaths); a heap is a set of objects (Heap = 2^Object).
Alias analysis example, with x pointing to a three-node list linked through n:
initially the objects are {x}, {x.n}, {x.n.n};
after y = x they are {x, y}, {x.n, y.n}, {x.n.n, y.n.n};
after x = null they are {y}, {y.n}, {y.n.n}.
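A worked model of the storeless view, added here as an example and not part of the slides or the authors' formalisation: starting from a store-based state (an environment and a heap with addresses, as on the previous slide), it computes the set of access paths reaching each object and drops the addresses, which yields the storeless state. The y = x and x = null steps above are replayed on a constructed three-node list, and the same machinery gives the observational-equivalence check of the later slides: two states are equivalent exactly when they induce the same partition of the access paths. The state layout, the function names and the single field n are assumptions of this example, and heaps are assumed acyclic, since a cycle makes the set of access paths infinite.

```python
from collections import defaultdict

# Constructed store-based state (assumption: a single field n, as in class List { List n; }):
#   env  maps a variable to an address or None (null)
#   heap maps (address, field) to an address or None


def access_paths(env, heap):
    """Map each reachable address to the set of access paths that reach it.

    An access path is a variable followed by field names, e.g. 'x.n.n'.
    Acyclic heaps are assumed: on a cycle the set would be infinite, so a
    cycle raises instead of looping forever.
    """
    paths = defaultdict(set)

    def walk(addr, path, on_stack):
        if addr is None:
            return
        if addr in on_stack:
            raise ValueError("cyclic heap: infinite set of access paths")
        paths[addr].add(path)
        for (src, fld), dst in heap.items():
            if src == addr:
                walk(dst, path + "." + fld, on_stack | {addr})

    for var, addr in env.items():
        walk(addr, var, frozenset())
    return {addr: frozenset(ps) for addr, ps in paths.items()}


def storeless(env, heap):
    """Storeless state: a set of objects, each the set of access paths reaching it
    (Object = 2^AccessPaths, Heap = 2^Object).  Addresses disappear, and an object
    that no access path reaches (a leak) is simply not part of the state."""
    return frozenset(access_paths(env, heap).values())


def assign_var(env, heap, dst, src):
    """Store-based semantics of 'dst = src', where src is a variable or None (null)."""
    new_env = dict(env)
    new_env[dst] = None if src is None else env[src]
    return new_env, dict(heap)


def observationally_equivalent(state_a, state_b):
    """Observational equivalence: every pair of access paths is equal (reaches the
    same object) in one state iff it is equal in the other.  Comparing the partitions
    of access paths induced by the two states is exactly that check, and it ignores
    which addresses were used."""
    return storeless(*state_a) == storeless(*state_b)


# Constructed input, as on the slide: x points to a three-node list, y is null.
ENV0 = {"x": 0x10, "y": None}
HEAP0 = {(0x10, "n"): 0x12, (0x12, "n"): 0x14, (0x14, "n"): None}


def slide_example():
    """Replay the slide: the initial state, the state after y = x, and after x = null."""
    s0 = (ENV0, HEAP0)
    s1 = assign_var(*s0, "y", "x")     # y = x
    s2 = assign_var(*s1, "x", None)    # x = null
    return storeless(*s0), storeless(*s1), storeless(*s2)


if __name__ == "__main__":
    for state in slide_example():
        print(sorted(sorted(obj) for obj in state))
```

Relocating the same list to other addresses leaves the storeless state unchanged, so the two store-based layouts of the previous slide compare equal under observationally_equivalent, while the state after y = x does not, because the equality x = y now holds.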
![Page 23: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/23.jpg)
![Page 24: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/24.jpg)
Cutpoint labels
Relate the pre-state with the post-state.
Mark cutpoints at, and throughout, an invocation.
![Page 25: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/25.jpg)
Cutpoint labels
Cutpoint label: the set of access paths that point to a cutpoint when the invoked procedure starts.
[Figure: main calls z = f(x) on a list referenced from x, y and g; inside the callee (reverse, with formal parameter p) the access-path sets shown are {p}, {p.n}, {p.n.n, p.n.n} and {p.n.n.n, p.n.n.n}, as extracted.]
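Computing cutpoints and their labels, as an added Python example that is not from the slides or the POPL'05 paper: given the caller's environment and a store-based heap, the local heap of a call is everything reachable from the actual parameters, and a cutpoint is an object in it that is not pointed to by an actual but is referenced from outside it, either by a caller variable or by a field of an object outside the local heap. The label of a cutpoint is the set of access paths from the formal parameters that reach it at entry, as defined above; an empty cutpoint set is the cutpoint-freedom condition used by the later slides. The heap (a four-node list shared with y and g), the variable and function names and the single field n are constructed assumptions; only the caller's frame is modelled as the rest of the heap, and the local heap is assumed acyclic (paths are enumerated up to a bound).

```python
from collections import defaultdict

# Constructed store-based representation (assumption: one field n, as in class List { List n; }):
#   env  maps a caller variable to an address or None (null)
#   heap maps (address, field) to an address or None


def reachable(heap, roots):
    """All addresses reachable from the given roots through any field."""
    seen, work = set(), [a for a in roots if a is not None]
    while work:
        a = work.pop()
        if a in seen:
            continue
        seen.add(a)
        work.extend(dst for (src, _f), dst in heap.items() if src == a and dst is not None)
    return seen


def cutpoints(env, heap, actuals):
    """Cutpoints of a call whose actual parameters are the caller variables `actuals`.

    The local heap is everything reachable from the actuals.  A cutpoint is an object
    in the local heap that is not pointed to by an actual but is referenced from outside
    the local heap: by a caller variable that is not an actual, or by a field of an
    object outside the local heap.  Only the caller's frame is modelled here; deeper
    pending frames would contribute their variables in the same way.
    """
    param_objs = {env[v] for v in actuals if env[v] is not None}
    local = reachable(heap, param_objs)
    external = {a for v, a in env.items() if v not in actuals and a is not None}
    external |= {dst for (src, _f), dst in heap.items() if src not in local and dst is not None}
    return {a for a in local & external if a not in param_objs}


def cutpoint_labels(env, heap, actuals, formals, max_len=8):
    """Label of each cutpoint: the set of access paths that start at a formal
    parameter and reach it inside the local heap when the callee starts.
    Paths are enumerated up to max_len fields (an acyclic local heap is assumed;
    on a cycle the full set would be infinite)."""
    cps = cutpoints(env, heap, actuals)
    labels = defaultdict(set)
    work = [(env[a], f) for a, f in zip(actuals, formals) if env[a] is not None]
    while work:
        addr, path = work.pop()
        if addr in cps:
            labels[addr].add(path)
        if path.count(".") >= max_len:
            continue
        work.extend((dst, path + "." + fld) for (src, fld), dst in heap.items()
                    if src == addr and dst is not None)
    return {a: frozenset(ps) for a, ps in labels.items()}


def is_cutpoint_free(env, heap, actuals):
    """The call is cutpoint-free when no object of the local heap is a cutpoint."""
    return not cutpoints(env, heap, actuals)


# Constructed caller state, modelled on the slide: main holds x, y and g and calls
# z = f(x) with formal parameter p.  x points to a four-node list (addresses 1..4),
# y points to the list's second node, and g points to a separate object (10) whose
# n field points to the list's third node.
ENV = {"x": 1, "y": 2, "g": 10}
HEAP = {(1, "n"): 2, (2, "n"): 3, (3, "n"): 4, (4, "n"): None, (10, "n"): 3}


def slide_call():
    """Cutpoint labels for z = f(x): nodes 2 and 3 are cutpoints, reached as p.n and p.n.n."""
    return cutpoint_labels(ENV, HEAP, ["x"], ["p"])


if __name__ == "__main__":
    print(cutpoints(ENV, HEAP, ["x"]), slide_call())
    # Passing y as a second actual turns node 2 into a parameter object, so only node 3
    # remains a cutpoint, now labelled by access paths from both formals.
    print(cutpoint_labels(ENV, HEAP, ["x", "y"], ["p", "q"]))
```

The second call in the usage shows why the labels encode sharing patterns: with both x and y passed, the remaining cutpoint is reached as p.n.n and as q.n, so its label records that the two parameters share a suffix of the list.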
![Page 26: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/26.jpg)
Sharing patterns
Cutpoint labels encode sharing patterns.
[Figure: the same call z = f(x); the label of each cutpoint records which access paths from p reach it, and hence how the list is shared between x, y and g in main.]
![Page 27: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/27.jpg)
Memory states
L = ⟨CPL, A⟩: a set of cutpoint labels CPL and a set of objects A, each object being a set of access paths.
[Figure: the state of reverse at entry, with objects {p}, {p.n}, {p.n.n, p.n.n}, {p.n.n.n, p.n.n.n} and the cutpoint label p.n.n, as extracted.]
![Page 28: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/28.jpg)
Formal semantics: ordinary statements
![Page 29: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/29.jpg)
Procedure call semantics
![Page 30: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/30.jpg)
Local-heap storeless semantics
[Figure: call f(x) from a caller with variables x, y, t, g; the callee's local heap is described by access paths from p, with objects shown as {p.n.n, p.n.n} and {p.n.n.n, p.n.n}, which in the caller's view correspond to {x.n.n.n, y.n.n}, as extracted.]
![Page 31: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/31.jpg)
Observational Equivalence
Programs cannot distinguish between the global-heap store-based semantics and the local-heap storeless semantics: same executions, same observed equalities.
![Page 32: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/32.jpg)
Observational Equivalence
A local storeless state L and a global store-based state G are observationally equivalent when, for every pair of access paths α and β, the equality α = β holds in L exactly when it holds in G.
![Page 33: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/33.jpg)
Main theorem: semantic equivalence
Let L be a state of the local-heap storeless semantics (LSL) and G a state of the global-heap store-based semantics (GSB), with L and G observationally equivalent.
If executing a statement st from L yields L' and executing st from G yields G', then L' and G' are observationally equivalent.
![Page 34: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/34.jpg)
Corollaries
Preservation of invariants (assertions: equalities between access paths)
Detection of memory leaks
![Page 35: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/35.jpg)
Outline
Motivation
Crash course in shape analysis
Local heap semantics
Local heap abstractions
![Page 36: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/36.jpg)
Applications
Justify the soundness of static analyses: may-alias analysis, shape analysis, compile-time garbage collection.
![Page 37: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/37.jpg)
Shape abstraction
Abstract memory states represent unbounded sets of concrete memory states, conservatively and in a bounded way.
![Page 38: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/38.jpg)
Canonical abstraction
[Figure: a concrete heap with lists reachable from x, y, z and t, linked through n, and its canonical abstraction, in which runs of nodes not pointed to by any variable collapse into summary nodes with n self-edges.]
![Page 39: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/39.jpg)
![Page 40: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/40.jpg)
Abstract memory states (with reachability)
[Figure: the same abstraction with reachability predicates rx, ry, rz, rt (reachable from x, y, z, t) attached to each node; nodes with different reachability predicates are kept apart.]
![Page 41: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/41.jpg)
The importance of reachability: call append(y, z)
[Figure: the abstract states before and after append(y, z), shown with the reachability predicates rx, ry, rz, rt and without them; with reachability, the nodes reachable from y stay distinct from the nodes reachable only from x.]
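Canonical abstraction with and without reachability predicates, as an added Python example that is not from the slides (it serves both the canonical-abstraction slides and the append(y, z) slide above): each concrete object is named by the set of unary predicates that hold for it, here 'x' for "pointed to by x" and 'rx' for "reachable from x"; objects with the same name are merged, and a node that stands for more than one object is a summary node. On a constructed five-node list pointed to by x, with y pointing to its fourth node, the abstraction without reachability merges the nodes before y with the node after it and so puts y's node on a spurious cycle, while the abstraction with rx and ry keeps them apart. The state representation, the predicate names and the field n are assumptions of this example; definite and 'maybe' edges of a 3-valued structure are not distinguished, every edge between abstract nodes is kept.

```python
from collections import defaultdict

# Constructed store-based representation (assumption: one field n, as in class List { List n; }):
#   env maps a variable to an address or None; heap maps (address, field) to an address or None


def reachable_from(heap, start):
    """Addresses reachable from start through any field (start included)."""
    seen, work = set(), [start]
    while work:
        a = work.pop()
        if a is None or a in seen:
            continue
        seen.add(a)
        work.extend(dst for (src, _f), dst in heap.items() if src == a)
    return seen


def canonical_abstraction(env, heap, with_reachability=True):
    """Canonical abstraction of one concrete state.

    Each object is named by the set of unary predicates that hold for it: the
    variables pointing to it ('x') and, when with_reachability is set, the
    reachability predicates ('rx' = reachable from x).  Objects with the same
    name collapse into one abstract node; a node standing for two or more
    objects is a summary node.  Every concrete n edge becomes an edge between
    the corresponding abstract nodes.

    Returns (nodes, edges): nodes maps a name to the number of concrete objects
    it stands for; edges is a set of (source name, field, target name).
    """
    objs = {a for (a, _f) in heap} | {d for d in heap.values() if d is not None}
    reach = {v: reachable_from(heap, a) for v, a in env.items()} if with_reachability else {}
    name = {}
    for o in objs:
        preds = {v for v, a in env.items() if a == o}
        preds |= {"r" + v for v, r in reach.items() if o in r}
        name[o] = frozenset(preds)
    nodes = defaultdict(int)
    for o in objs:
        nodes[name[o]] += 1
    edges = {(name[s], f, name[d]) for (s, f), d in heap.items() if d is not None}
    return dict(nodes), edges


def summary_nodes(env, heap, with_reachability=True):
    """Names of the abstract nodes that stand for more than one concrete object."""
    nodes, _ = canonical_abstraction(env, heap, with_reachability)
    return {n for n, k in nodes.items() if k > 1}


def on_abstract_cycle(env, heap, var, with_reachability=True):
    """Whether the abstract node pointed to by var lies on a cycle of the abstract
    shape graph.  A spurious cycle means the abstraction can no longer show that
    the list reachable from var is acyclic, e.g. after append(var, ...)."""
    nodes, edges = canonical_abstraction(env, heap, with_reachability)
    start = next(n for n in nodes if var in n)
    succ = defaultdict(set)
    for s, _f, d in edges:
        succ[s].add(d)
    seen, work = set(), list(succ[start])
    while work:
        n = work.pop()
        if n == start:
            return True
        if n in seen:
            continue
        seen.add(n)
        work.extend(succ[n])
    return False


# Constructed input: x points to a five-node list, y points to its fourth node.
ENV = {"x": 1, "y": 4}
HEAP = {(1, "n"): 2, (2, "n"): 3, (3, "n"): 4, (4, "n"): 5, (5, "n"): None}


if __name__ == "__main__":
    for flag in (False, True):
        nodes, edges = canonical_abstraction(ENV, HEAP, flag)
        print("reachability" if flag else "no reachability",
              sorted((sorted(n), k) for n, k in nodes.items()),
              "y on cycle:", on_abstract_cycle(ENV, HEAP, "y", flag))
```

Without reachability the two nodes before y and the node after it all have the empty name, so the single summary node has an edge into y's node and receives one from it; with rx and ry the nodes after y carry 'ry' and the nodes before it do not, so no edge leads from y's part of the list back into the part before it.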
![Page 42: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/42.jpg)
Cutpoints and abstraction
Unbounded state: objects and cutpoint labels.
Canonical abstraction: summarizes objects and summarizes labels.
[Figure: at call f(x), the list reachable from x (formal parameter p) is also referenced by y1, y2 and further variables; the cutpoints and their labels are summarized like ordinary objects.]
![Page 43: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/43.jpg)
Cutpoint abstraction: ramifications
[Figure: the call f(x) from a caller with variables x, y, t, g; several cutpoints of the callee (each labelled p) are summarized into one abstract node.]
![Page 44: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/44.jpg)
Cutpoint freedom
[Figure: call p(x) in which the only references into the part of the heap reachable from x go through x itself, so there are no cutpoints; arbitrary programs are handled in POPL '05, cutpoint-free programs in SAS '05.]
![Page 45: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/45.jpg)
Interprocedural shape analysis: tabulation at exits
[Figure: at call f(x) the callee's entry state, with p bound to x's list, is tabulated against its exit states; the caller variable y stays outside the callee's heap.]
POPL'05: marking cutpoints
SAS'05: verifying cutpoint freedom
![Page 46: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/46.jpg)
Interprocedural shape analysis
[Figure: call f(x) with the callee's entry state, p bound to x's list, and the caller variable y outside it; no tabulation is needed, f is analyzed directly on its local heap.]
![Page 47: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/47.jpg)
Prototype implementation
| Data structure | Operations | Verified properties |
| --- | --- | --- |
| Singly linked list | insert, delete, reverse, ... | No memory errors, acyclicity |
| Sorting (of singly linked lists) | insertion, quickSort | + sortedness |
| Unshared binary trees | insert, delete, ... | No memory errors, tree-ness |
![Page 48: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/48.jpg)
Iterative vs. Recursive (SLL)
[Chart: analysis time in seconds (axis 0 to 100) per program, for the iterative and the recursive versions of the singly-linked-list procedures; one recursive bar is labelled 585.]
![Page 49: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/49.jpg)
Inline vs. Procedural abstraction
[Charts: memory in megabytes (axis 0 to 20) and analysis time in seconds (axis 0 to 160) against the number of lists (1, 2, 4, 8), for the inlined program versus the version using procedure calls.]
// Allocates a list of
// length 3
List create3(){
…
}
main() {
List x1 = create3();
List x2 = create3();
List x3 = create3();
List x4 = create3();
…
}
![Page 50: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/50.jpg)
Related Work
Interprocedural shape analysis: Rinetzky and Sagiv, CC '01; Chong and Rugina, SAS '03; Jeannet et al., SAS '04; Hackett and Rugina, POPL '05
Local reasoning: Ishtiaq and O'Hearn, POPL '01; Reynolds, LICS '02
Encapsulation: Noble et al., IWACO '03; ...
![Page 51: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/51.jpg)
Cutpoint-freedom as dynamic ownership
[Figure: call z = f(x, y); the objects reachable from x and y are referenced only through the parameters, while g and h reference other parts of the heap, so the callee exclusively owns its local heap for the duration of the call.]
![Page 52: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/52.jpg)
![Page 53: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/53.jpg)
Conclusions
Local-heap operational semantics: deterministic; storeless; observationally equivalent to the standard semantics; fully abstract.
Abstractions: cutpoint-free programs; type-based abstractions for cutpoints.
Cutpoint profiler [Shachar Rubinstein, MSc.]
![Page 54: Local Heap Semantics and its Applications](https://reader036.vdocuments.site/reader036/viewer/2022070418/56815940550346895dc67fc9/html5/thumbnails/54.jpg)
End
www.cs.tau.ac.il/~maon
Interprocedural shape analysis for cutpoint-free programs
Noam Rinetzky, Mooly Sagiv, and Eran Yahav
SAS, 2005
A Semantics for procedure local heaps and its abstraction
Noam Rinetzky, Jörg Bauer, Thomas Reps, Mooly Sagiv, and Reinhard Wilhelm
POPL, 2005