Local Heap Semantics and its Applications
Noam Rinetzky, Tel Aviv University
Joint work with
Jörg Bauer, Universität des Saarlandes
Thomas Reps, University of Wisconsin
Mooly Sagiv, Tel Aviv University
Reinhard Wilhelm, Universität des Saarlandes
Eran Yahav, IBM Watson
Motivation
Verify heap-intensive programs: imperative programs with procedures and recursive data structures (lists, trees, …)
Motivation
class List {
  List n;
}
main() {
  List x = null, y = null;
  int k = getLen();
  x = create(k);
  y = reverse(x);
}
…
[Figure: the heaps before and after the calls for k=4; x and y point to lists of cells linked by n]
Properties to verify:
No null dereferences
No memory leaks
x and y point to the same list
y points to an acyclic list
reverse: reverses, terminates
arbitrary k
What is the problem?
Recursive procedures: unbounded number of activation records
Dynamic allocation: unbounded number of objects
Checking heap properties is undecidable
Our approach
Use abstractions: over-approximation algorithms
Effective (termination)
Every verified property holds (sound)
May not prove all properties (incomplete)
Main idea
Procedures as heap transformers
[Figure: caller heap with variables x, y, t, g, before and after call p(x)]
Main idea
Procedures as local heap transformers
[Figure: the same call p(x); only the part of the heap p can access through x is passed to p, while y, t and g stay with the caller]
Abstract Interpretation [Cousot and Cousot]
Operational semantics
Abstract transformer
Introducing local heap semantics
Operational semantics
Abstract transformer
Local heap operational semantics
Main Results
Non-standard concrete operational semantics for sequential programs: local heap, storeless, good for heap abstractions, observationally equivalent to the "standard" global store-based heap semantics (e.g., Java)
Arbitrary programs (complicated), POPL'05: abstractions for shape analysis of singly-linked lists; may-alias [Deutsch, PLDI 04]
Restriction on aliasing (simple), SAS'05: abstractions for shape analysis of singly-linked lists and trees; sorting (quickSort)
Outline
Motivation
Crash course in shape analysis
Local heap semantics
Local heap abstractions
Collecting semantics
[Figure: control-flow graph of the loop below; each node is annotated with the set of concrete heaps (x, t and cells linked by n) that reach it]
class List { List n; }
x = null;
while (?) {
  t = new List();
  t.n = x;
  x = t;
}
return x;
Canonical abstraction
[Figure: the same control-flow graph for the list-building loop; the sets of concrete heaps at each node are replaced by abstract heaps in which cells with the same properties (pointed to by x, pointed to by t, reached via n) are merged into a summary cell]
Shape analysis in action
[Figure: abstract heap at the loop head: x and t point to the first cell, which is followed by a summary cell reached via n]
class List { List n; }
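The canonical abstraction sketched on the last three slides, as an added example that is not part of the talk's slides or the authors' tools. It represents a concrete heap as cells with an n field, names every cell by the unary predicates that hold of it (pointed to by a variable, reachable from a variable, written x/rx as on the later abstract-state slides), and merges cells with the same name into one abstract cell. The loop state it builds (x and t both pointing at the head) is constructed here, and all function names are the example's own.

```python
"""Canonical abstraction of singly-linked-list heaps.

Added example (not from the slides): a small model of the abstraction used
by shape analysis. Concrete heaps are graphs of List cells with an `n`
field; the abstraction names each cell by the variables that point to it
and the variables it is reachable from, then merges cells with equal names.
All sample heaps below are constructed here.
"""
from fractions import Fraction
from typing import Dict, FrozenSet, Optional, Tuple

Node = int
Heap = Dict[Node, Optional[Node]]   # cell -> value of its `n` field (None = null)
Env = Dict[str, Optional[Node]]     # program variable -> cell (None = null)

ONE, HALF = Fraction(1), Fraction(1, 2)


def reachable(heap: Heap, start: Optional[Node]) -> FrozenSet[Node]:
    """Cells reachable from `start` by following `n` zero or more times."""
    seen = set()
    cur = start
    while cur is not None and cur not in seen:
        seen.add(cur)
        cur = heap[cur]
    return frozenset(seen)


def canonical_name(heap: Heap, env: Env, cell: Node) -> FrozenSet[str]:
    """Unary predicates true of `cell`: `x` (pointed to by x) and `rx`
    (reachable from x), for every variable x in the environment."""
    name = set()
    for var, target in env.items():
        if target == cell:
            name.add(var)
        if cell in reachable(heap, target):
            name.add("r" + var)
    return frozenset(name)


AbstractState = Tuple[FrozenSet[Tuple[FrozenSet[str], bool]],
                      FrozenSet[Tuple[FrozenSet[str], FrozenSet[str], Fraction]]]


def canonical_abstraction(heap: Heap, env: Env) -> AbstractState:
    """Merge all cells with the same canonical name into one abstract cell.
    Returns (abstract cells, abstract `n` edges). A cell is flagged True when
    it is a summary standing for more than one concrete cell; an edge carries
    1 when `n` links every pair of represented cells and 1/2 when it links
    only some pairs (absent edges mean 0)."""
    groups: Dict[FrozenSet[str], set] = {}
    for cell in heap:
        groups.setdefault(canonical_name(heap, env, cell), set()).add(cell)
    cells = frozenset((name, len(members) > 1) for name, members in groups.items())
    edges = set()
    for src_name, srcs in groups.items():
        for dst_name, dsts in groups.items():
            pairs = [(u, w) for u in srcs for w in dsts]
            hits = sum(1 for u, w in pairs if heap[u] == w)
            if hits == len(pairs):
                edges.add((src_name, dst_name, ONE))
            elif hits > 0:
                edges.add((src_name, dst_name, HALF))
    return cells, frozenset(edges)


def list_state(length: int) -> Tuple[Heap, Env]:
    """Constructed concrete state at the loop head after `length` iterations
    of the slide's loop: x points to the head and t aliases x (after x = t)."""
    heap: Heap = {i: (i + 1 if i + 1 < length else None) for i in range(length)}
    head = 0 if length > 0 else None
    return heap, {"x": head, "t": head}


def count_abstract_states(max_len: int) -> int:
    """Number of distinct abstract states for lists of length 1..max_len."""
    return len({canonical_abstraction(*list_state(k)) for k in range(1, max_len + 1)})


if __name__ == "__main__":
    print(count_abstract_states(10))  # 3: lengths 1, 2 and "3 or more"
```

Running count_abstract_states(10) shows the point of the slide: lists of length 3 and longer all map to the same abstract heap (a head cell pointed to by x and t, followed by a summary cell whose incoming and self n edges are 1/2), so the loop's unbounded set of concrete states is covered by three abstract ones.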
Outline
Motivation
Crash course in shape analysis
Local heap semantics
Local heap abstractions
Programming Model
Single threaded
Procedures: value parameters, recursion, no explicit addressing (&, cast)
Heap: recursive data structures, destructive update
Local heaps
[Figure: caller heap with variables x, y, t, g; at call f(x) the callee's formal parameter p is bound to x's object and f operates on the part of the heap it can access from p, while y, t and g remain in the caller's heap]
Cutpoints
[Figure: the same call f(x); an object inside f's local heap that is also pointed to from the caller's part of the heap is marked with ?]
Cutpoints: objects that separate the part of the heap a procedure can access from the rest of the heap, excluding objects pointed to by a parameter
[Figure: z = f(x) in main; the heap drawn as addresses 0x10 to 0x15 linked by n, with variables y, x and g; the environment maps x to 0x10]
Store-based semantics
Memory state: Val = Addresses ∪ Atoms; Env: Var → Val; Heap: FieldId × Address → Val
Natural
Easy to identify cutpoint objects
Addresses do not affect shape
[Figure: two store-based states of the same list, x at 0x10 in one and at 0x14 in the other, that differ only in their addresses]
Storeless semantics [Jonkers'81]
No addresses
Memory state: Object: 2^AccessPaths; Heap: 2^Object
Alias analysis example:
x: {x} {x.n} {x.n.n}
after y = x: {x, y} {x.n, y.n} {x.n.n, y.n.n}
after x = null: {y} {y.n} {y.n.n}
Cutpoint labels
Relate pre-state with post-state
Mark cutpoints at and throughout an invocation
[Figure: main calls reverse on a list reachable from x, y and g; the callee's parameter is p]
Cutpoint label: the set of access paths that point to a cutpoint when the invoked procedure starts
[Figure: labels such as {p}, {p.n}, {p.n.n, …} and {p.n.n.n, …} attached to the cells of reverse's local heap]
Sharing patterns
Cutpoint labels encode sharing patterns
[Figure: the same labelled local heap of reverse]
Memory states
L = (CPL, A)
[Figure: the local heap of reverse with its cutpoint labels {p}, {p.n}, {p.n.n, …}, {p.n.n.n, …}]
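The three notions introduced in this part of the talk (the storeless naming of objects by access-path sets, cutpoints, and cutpoint labels) carried through on one small heap, as an added example that is not part of the slides or the authors' implementation. The heap, the variable names (x, y, g, t), the addresses and the call f(x) with formal parameter p are constructed for the example; it is built so that one cell is reachable both as x.n.n.n and as y.n.n, the sharing pattern the talk's figures use. Access paths are bounded in length so that the naming terminates on cyclic heaps.

```python
"""Storeless names, cutpoints and cutpoint labels over a small store-based heap.

Added example, not from the slides: the heap, variables and the call below
are constructed for illustration.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Addr = int
Heap = Dict[Tuple[Addr, str], Optional[Addr]]  # (address, field) -> address or None
Env = Dict[str, Optional[Addr]]                # variable -> address or None


def reachable(heap: Heap, roots: Iterable[Optional[Addr]]) -> Set[Addr]:
    """Addresses reachable from `roots` by following any field."""
    seen: Set[Addr] = set()
    work = [r for r in roots if r is not None]
    while work:
        addr = work.pop()
        if addr in seen:
            continue
        seen.add(addr)
        work.extend(dst for (src, _f), dst in heap.items()
                    if src == addr and dst is not None)
    return seen


def access_paths(heap: Heap, env: Env, max_len: int) -> Dict[Addr, Set[str]]:
    """Storeless view of the state: each object is named by the set of access
    paths (a variable followed by at most `max_len` field selections) that
    reach it. The length bound keeps the enumeration finite on cyclic heaps."""
    names: Dict[Addr, Set[str]] = {}
    queue = deque((addr, var) for var, addr in env.items() if addr is not None)
    while queue:
        addr, path = queue.popleft()
        names.setdefault(addr, set()).add(path)
        if path.count(".") >= max_len:
            continue
        for (src, field), dst in heap.items():
            if src == addr and dst is not None:
                queue.append((dst, path + "." + field))
    return names


def cutpoints(heap: Heap, env: Env, actuals: List[str]) -> Set[Addr]:
    """Cutpoints of a call with the given actual parameters: objects of the
    callee's local heap (everything reachable from the actuals) that are also
    entered from the rest of the caller's heap, i.e. pointed to by a variable
    that is not passed or by a field of an object outside the local heap,
    excluding the objects the parameters themselves point to."""
    local = reachable(heap, [env[a] for a in actuals])
    param_objs = {env[a] for a in actuals if env[a] is not None}
    entered = {addr for var, addr in env.items()
               if var not in actuals and addr is not None}
    entered.update(dst for (src, _f), dst in heap.items()
                   if src not in local and dst is not None)
    return (local & entered) - param_objs


def cutpoint_labels(heap: Heap, env: Env, actuals: List[str],
                    formals: List[str], max_len: int = 4) -> Dict[Addr, FrozenSet[str]]:
    """Cutpoint label: the set of access paths, starting from the callee's
    formal parameters, that point to the cutpoint when the procedure starts."""
    callee_env: Env = {f: env[a] for f, a in zip(formals, actuals)}
    names = access_paths(heap, callee_env, max_len)
    return {cp: frozenset(names[cp]) for cp in cutpoints(heap, env, actuals)}


def is_cutpoint_free(heap: Heap, env: Env, actuals: List[str]) -> bool:
    """The aliasing restriction studied in the SAS'05 part of the talk."""
    return not cutpoints(heap, env, actuals)


def sample_state() -> Tuple[Heap, Env]:
    """Constructed caller state: x heads a four-cell list, y heads a two-cell
    list whose tail joins x's list at its last cell, g points to an unrelated
    cell and t aliases x. Addresses are arbitrary, as on the store-based slide."""
    heap: Heap = {
        (0x10, "n"): 0x11, (0x11, "n"): 0x12, (0x12, "n"): 0x13, (0x13, "n"): None,
        (0x14, "n"): 0x15, (0x15, "n"): 0x13,
        (0x16, "n"): None,
    }
    env: Env = {"x": 0x10, "y": 0x14, "g": 0x16, "t": 0x10}
    return heap, env


if __name__ == "__main__":
    heap, env = sample_state()
    print(sorted(access_paths(heap, env, 4)[0x13]))  # ['t.n.n.n', 'x.n.n.n', 'y.n.n']
    print(cutpoints(heap, env, ["x"]))               # {19}: the shared cell 0x13
    print(cutpoint_labels(heap, env, ["x"], ["p"]))  # {19: frozenset({'p.n.n.n'})}
    print(is_cutpoint_free(heap, env, ["x", "y"]))   # True
```

The alias t of x is included deliberately: the cell it points to is reachable from outside the passed parameter, but as the parameter's own object it is excluded from the cutpoints, exactly as the slide's definition requires. Passing y as a second actual removes the only cutpoint, which is what the later cutpoint-freedom slides rely on.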
Formal semantics
Ordinary statements
Procedure call semantics
Local-heap storeless semantics
[Figure: call f(x) from a caller with x, y, t, g; the callee's local heap is named by access paths from p, and the cell named {x.n.n.n, y.n.n} in the caller, reachable both from the parameter x and from y, is a cutpoint that receives a cutpoint label]
Observational Equivalence
Programs cannot distinguish between the global-heap store-based semantics and the local-heap storeless semantics:
Same executions
Same observed equalities
Observational Equivalence
A local storeless state L and a global store-based state G are observationally equivalent when, for every two access paths, the paths denote the same object when evaluated under the storeless semantics in L iff they denote the same object when evaluated under the store-based semantics in G.
Main theorem: semantic equivalence
Let L be a state of the local-heap storeless semantics (LSL) and G a state of the global-heap store-based semantics (GSB) such that L and G are observationally equivalent.
If executing a statement st from L yields L' under LSL and executing st from G yields G' under GSB, then L' and G' are observationally equivalent.
Corollaries
Preservation of invariants (assertions stated as equalities between access paths)
Detection of memory leaks
Outline
Motivation
Crash course in shape analysis
Local heap semantics
Local heap abstractions
Applications
Justify soundness of static analysis: may-alias analysis, shape analysis, compile-time garbage collection
Shape abstraction
Abstract memory states represent unbounded concrete memory states conservatively, in a bounded way
Canonical abstraction
[Figure: a concrete heap with variables x, y, z, t and cells linked by n, and its canonical abstraction, in which cells that agree on all predicates are merged into summary cells]
Abstract memory states (with reachability)
[Figure: the same abstract heap with reachability predicates rx, ry, rz, rt recording which variables each cell is reachable from]
The importance of reachability: call append(y, z)
[Figure: abstract heaps for the call append(y, z), with variables x, y, z, t and the predicates rx, ry, rz, rt]
Cutpoints and abstraction
Unbounded state: objects, cutpoint labels
Canonical abstraction: summarizes objects, summarizes labels
[Figure: call f(x) with caller variables y1, y2 and y, t, g; the callee's parameter is p]
Cutpoint abstraction: ramifications
[Figure: call f(x) from a caller with x, y, t, g; the callee's parameter is p]
Cutpoint freedom
[Figure: call p(x) with no cutpoints: the only object shared between the callee's local heap and the rest of the caller's heap is the one pointed to by x]
POPL '05, SAS '05
Interprocedural shape analysis
[Figure: call f(x) with the callee's parameter p; POPL'05: marking cutpoints; SAS'05: verifying cutpoint freedom]
Tabulation exists
Interprocedural shape analysis
[Figure: call f(x) with the callee's parameter p]
No tabulation: analyze f
Prototype implementation
Data structure | Verified properties
Singly linked list (insert, delete, reverse, …) | No memory errors, acyclicity
Sorting of singly linked lists (insertion sort, quickSort) | + sortedness
Unshared binary trees (insert, delete, …) | No memory errors, tree-ness
Iterative vs. Recursive (SLL)
[Chart: time in seconds per program, axis 0 to 100, for the iterative and recursive versions; one bar is labelled 585]
Inline vs. Procedural abstraction
[Chart: memory in megabytes (0 to 20) against number of lists (1, 2, 4, 8), inline vs. procedure call]
[Chart: time in seconds (0 to 160) against number of lists (1, 2, 4, 8), inline vs. procedure call]
// Allocates a list of
// length 3
List create3() {
  …
}
main() {
  List x1 = create3();
  List x2 = create3();
  List x3 = create3();
  List x4 = create3();
  …
}
Related Work
Interprocedural shape analysis: Rinetzky and Sagiv, CC '01; Chong and Rugina, SAS '03; Jeannet et al., SAS '04; Hackett and Rugina, POPL '05
Local reasoning: Ishtiaq and O'Hearn, POPL '01; Reynolds, LICS '02
Encapsulation: Noble et al., IWACO '03; ...
Cutpoint-freedom as dynamic ownership
[Figure: z = f(x, y); caller heap with variables x, y, g, h and cells linked by n]
Conclusions
Local heap operational semantics: deterministic, storeless, observationally equivalent to standard semantics, fully abstract
Abstractions: cutpoint-free programs; type-based abstractions for cutpoints
Cutpoint-profiler [Shachar Rubinstein, MSc.]
End
www.cs.tau.ac.il/~maon
Interprocedural shape analysis for cutpoint-free programs. Noam Rinetzky, Mooly Sagiv, and Eran Yahav. SAS 2005.
A semantics for procedure local heaps and its abstraction. Noam Rinetzky, Jörg Bauer, Thomas Reps, Mooly Sagiv, and Reinhard Wilhelm. POPL 2005.