program analysis and design conformance martin rinard laboratory for computer science massachusetts...

Program Analysis and Design Conformance

Martin RinardLaboratory for Computer Science

Massachusetts Institute of Technology

Research OverviewProgram Analysis

• Commutativity Analysis for C++ Programs [PLDI96]

• Memory Disambiguation for Multithreaded C Programs• Pointer Analysis [PLDI99]• Region Analysis [PPoPP99, PLDI00]

• Pointer and Escape Analysis for Multithreaded Java Programs [OOPSLA99, PLDI01, PPoPP01]

Research OverviewTransformations

• Automatic Parallelization• Object-Oriented Programs with Linked Data

Structures [PLDI96]• Divide and Conquer Programs [PPoPP99, PLDI00]

• Synchronization Optimizations• Lock Coarsening [POPL97,PLDI98]• Synchronization Elimination [OOPSLA99] • Optimistic Synchronization Primitives [PPoPP97]

• Memory Management Optimizations• Stack Allocation [OOPSLA99,PLDI01]• Per-Thread Heap Allocation

Research OverviewVerifications of Safety Properties

• Data Race Freedom [PLDI00]• Array Bounds Checks [PLDI00]• Correctness of Region-Based Allocation

[PPoPP01]• Credible Compilation [RTRV99]

• Correctness of Dataflow Analysis Results• Correctness of Standard Compiler

Optimizations

Talk Overview• Memory Disambiguation

• Goal: Verify Data Race Freedom for Multithreaded Divide and Conquer Programs

• Analyses: • Pointer Analysis• Accessed Region Analysis

• Experience integrating information from the developer into the memory disambiguation analysis

• Role Verification• Design Conformance

Basic Memory Disambiguation Problem

*p = v

Without Any Analysis:

*p=v may access any location

*p = v;(write v into the memory location that p points

to)What memory locations may *p=v access?

*p = v;(write v into the memory location that p points

to)What memory location may *p=v access?

*p = v

With Analysis:

*p=v does not access these memory locations !

*p=v may access this location

*p=v may access this location

Basic Memory Disambiguation Problem

Static Memory Disambiguation

Analyze the program to characterize the memory locations that statements

in the program read and write

Fundamental problem in program analysis with many applications

Application: Verify Data Race Freedom

*p = v1;

*q = v2; *q = v2

*p = v1||

*q = v2

*p = v1

Program Does This

NOT This

Example - Divide and Conquer Sort

47 6 1 53 8 2

8 2536 147


47 6 1 53 8 2

Divide

2 8531 674

8 2536 147

47 6 1 53 8 2


Conquer

Divide


2 8531 674 Conquer

8 2536 147 Divide

47 6 1 53 8 2

41 6 7 32 5 8Combine


2 8531 674 Conquer

8 2536 147 Divide

47 6 1 53 8 2

41 6 7 32 5 8Combine

21 3 4 65 7 8

Divide and Conquer Algorithms• Lots of Generated Concurrency

• Solve Subproblems in Parallel

Divide and Conquer Algorithms• Lots of Recursively Generated Concurrency

• Recursively Solve Subproblems in Parallel

Divide and Conquer Algorithms• Lots of Recursively Generated Concurrency

• Recursively Solve Subproblems in Parallel• Combine Results in Parallel

“Sort n Items in d, Using t as Temporary Storage”

void sort(int *d, int *t, int n) if (n > CUTOFF) {

spawn sort(d,t,n/4); spawn sort(d+n/4,t+n/4,n/4);spawn sort(d+2*(n/2),t+2*(n/2),n/4);spawn

sort(d+3*(n/4),t+3*(n/4),n-3*(n/4));sync;spawn merge(d,d+n/4,d+n/2,t);spawn

merge(d+n/2,d+3*(n/4),d+n,t+n/2);sync;merge(t,t+n/2,t+n,d);

} else insertionSort(d,d+n);







Divide array into subarrays and recursively sort subarrays in

parallel







Subproblems Identified

Using Pointers Into Middle of Array

47 6 1 53 8 2d

d+n/4d+n/2

d+3*(n/4)






} else insertionSort(d,d+n); 74 1 6 53 2 8

dd+n/4d+n/2

d+3*(n/4)

Sorted Results Written Back Into

Input Array

“Merge Sorted Quarters of d Into Halves of t”






41 6 7 32 5 8d

tt+n/2

“Merge Sorted Halves of t Back Into d”void sort(int *d, int *t, int n) if (n > CUTOFF) {





41 6 7 32 5 8d

tt+n/2

“Use a Simple Sort for Small Problem Sizes”






dd+n

What Do You Need To Know To Verify Data Race Freedom?

Points-to Information(data blocks that pointers point into)

Region Information(accessed regions within data blocks)

d and t point to different memory blocksCalls to sort access disjoint parts of d and t

Together, calls access [d,d+n-1] and [t,t+n-1]

sort(d,t,n/4);

sort(d+n/4,t+n/4,n/4);

sort(d+n/2,t+n/2,n/4);

sort(d+3*(n/4),t+3*(n/4), n-3*(n/4));

Information Needed To Verify Race Freedom

dt

dt

dt

dt

d+n-1t+n-1

d+n-1t+n-1

d+n-1t+n-1

d+n-1t+n-1

d and t point to different memory blocksFirst two calls to merge access disjoint parts of

d,tTogether, calls access [d,d+n-1] and [t,t+n-1]

merge(d,d+n/4,d+n/2,t);

merge(d+n/2,d+3*(n/4), d+n,t+n/2);

merge(t,t+n/2,t+n,d);

dt

dt

d+n-1t+n-1

d+n-1t+n-1

dt

d+n-1t+n-1


d d+n-1


Calls to insertionSort access [d,d+n-1]

insertionSort(d,d+n);

What Do You Need To Know To Verify Data Race Freedom?

Points-to Information(d and t point to different data

blocks)

Symbolic Region Information(accessed regions within d and t

blocks)

How Hard Is It To Figure These Things Out?

Challenging

How Hard Is It For the Program Analysis To Figure These Things

Out?


Out?void insertionSort(int *l, int *h) {

int *p, *q, k;for (p = l+1; p < h; p++) {

for (k = *p, q = p-1; l <= q && k < *q; q--)*(q+1) = *q;

*(q+1) = k;}

}Not immediately obvious that

insertionSort(l,h) accesses [l,h-1]

void merge(int *l1, int*m, int *h2, int *d) {int *h1 = m; int *l2 = m;while ((l1 < h1) && (l2 < h2))

if (*l1 < *l2) *d++ = *l1++;else *d++ = *l2++;

while (l1 < h1) *d++ = *l1++;while (l2 < h2) *d++ = *l2++;

}

Not immediately obvious that merge(l,m,h,d)

accesses [l,h-1] and [d,d+(h-l)-1]


Out?

Issues• Heavy Use of Pointers

• Pointers into Middle of Arrays• Pointer Arithmetic• Pointer Comparison

• Multiple Procedures• sort(int *d, int *t, n)• insertionSort(int *l, int *h)• merge(int *l, int *m, int *h, int *t)

• Recursion• Multithreading

Pointer Analysis• For each program point, computes

where each pointer may point

e.g. “ p x before statement *p = 1”• Complications

1. Statically unbounded number of locations • recursive data structures (lists, trees)• dynamically allocated arrays

2. Multiple possible executions of the program• may create different dynamic data

structures

Memory Abstraction

Physical Memory

Abstract Memory

Stack Heapp

i

head

r

p head

r

q v

q v

j

i

j

Allocation block for each variable declarationAllocation block for each memory allocation site

Pointer Analysis Summary• Key Challenge for Multithreaded

Programs: Analyzing interactions between threads

• Solution: Interference Edges• Record edges generated by each

thread• Captures effect of parallel threads on

points-to information of other threads

What Pointer Analysis Gives Us

• Disambiguation of Memory Accesses Via Pointers• Pointer-based loads and stores: use pointer analysis

results to derive the allocation block that each pointer-based load or store statement accesses

• MOD-REF or READ-WRITE SETS Analysis:• All loads and stores• Procedures: use the memory access information for

loads and stores to compute the allocation blocks that each procedure accesses

Is This Information Enough?

Is This Information Enough?

NONecessary but not Sufficient

Parallel Tasks Access (Disjoint) Regions of Same Allocated Block of

Memory

Structure of Analysis

Bounds Analysis

Region Analysis

Data Race Freedom

Symbolic Upper and LowerBounds for Each Memory Access in Each Procedure

Symbolic Regions AccessedBy Execution of Each Procedure

Check that Parallel Threads Are Independent

Pointer Analysis Disambiguate Memory at the Granularity of Allocation Blocks

Running Example – Array Increment

void f(char *p, int n) if (n > CUTOFF) {spawn f(p, n/2); /* increment first half */spawn f(p+n/2, n/2); /* increment second half */sync;} else {/* base case: increment small array */int i = 0;while (i < n) { *(p+i) += 1; i++; }}

Bounds Analysis

Region Analysis

Data Race Detection

Symbolic Upper and LowerBounds for Each Memory Access in Each Procedure

Pointer Analysis

Intra-procedural Bounds Analysis

Intraprocedural Bounds Analysis

GOAL: For each pointer and array index variable at each program point, derive lower and upper bounds

E.g. “ 0 i n-1 at statement *(p+i) += 1 ”

• Bounds are symbolic expressions• variables represent initial values of parameters

of enclosing procedure• bounds are combinations of variables• example expression for f(p,n): p+(n/2)-1

What are upper and lower bounds for i at each program point in base case?

int i = 0;while (i < n) { *(p+i) += 1; i++; }

Intraprocedural Bounds Analysis

Bounds Analysis, Step 1Build control flow graph

i = 0

i < n

*(p+i) += 1

i = i+1

Set up bounds at beginning of basic blocks

Bounds Analysis, Step 2

l1 i u1i = 0

i < n

*(p+i) += 1

i = i+1

l2 i u2

l3 i u3

Compute transfer functionsBounds Analysis, Step 3

l1 i u1i = 0

i < n

*(p+i) += 1

i = i+1

l2 i u2

l3 i u3

0 i 0

l3 i u3

l3+1 i u3+1

l2 i n-1 n i u2

l2 i u2

Compute transfer functionsBounds Analysis, Step 3

l1 i u1i = 0

i < n

*(p+i) += 1

i = i+1

l3 i u3

0 i 0

l3 i u3

l3+1 i u3+1

Key Step: set up constraints for boundsBounds Analysis, Step 4

l2 i n-1 n i u2

l2 i u2

i = 0

i < n

*(p+i) += 1

i = i+1

l3 i u3

0 i 0

l3 i u3

l3+1 i u3+1

Build Region Constraints

[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,

u2 ] [ l2 , n-1 ] [ l3 , u3 ]

l1 i u1


l2 i n-1 n i u2

l2 i u2

i = 0

i < n

*(p+i) += 1

i = i+1

l3 i u3

0 i 0

l3 i u3

l3+1 i u3+1


[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,

u2 ] [ l2 , n-1 ] [ l3 , u3 ]

- i +


l2 i n-1 n i u2

l2 i u2

i = 0

i < n

*(p+i) += 1

i = i+1

l3 i u3

0 i 0

l3 i u3

l3+1 i u3+1


[ 0, 0 ] [ l2 , u2 ] [ l3+1, u3+1 ] [ l2 ,

u2 ] [ l2 , n-1 ] [ l3 , u3 ]

- i +

l2 0l2 l3+1l3 l2

0 u2

u3+1 u2

n-1 u3

Inequality Constraints

Generate symbolic expressions for bounds

Goal: express bounds in terms of parameters


l2 = c1p + c2n + c3

l3 = c4p + c5n + c6

u2 = c7p + c8n + c9

u3 = c10p + c11n + c12

Generate symbolic expressions for bounds

Goal: express bounds in terms of parameters

l2 = c1p + c2n + c3

l3 = c4p + c5n + c6


u2 = c7p + c8n + c9

u3 = c10p + c11n + c12

l2 0l2 l3+1l3 l20 u2

u3+1 u2

n-1 u3

c1p + c2n + c3 0c1p + c2n + c3 c4p + c5n + c6 +1c4p + c5n + c6 c1p + c2n + c3

Substitute expressions into constraintsBounds Analysis, Step 6

0 c7p + c8n + c9

c10p + c11n + c12 +1 c7p + c8n + c9

c7p + c8n + c9 c10p + c11n + c12

Reduce symbolic inequalities to linear inequalities

c1p + c2n + c3 c4p + c5n + c6

if

c1 c4, c2 c5, and c3 c6


Apply reduction and generate a linear programc1 0 c2 0 c3 0c1 c4 c2 c5 c3 c6+1c4 c1 c5 c2 c6 c3


0 c7 0 c8 0 c9

c10 c7 c11 c8 c12+1

c9

c7 c10 c8 c11 c9 c12

Apply reduction and generate a linear programc1 0 c2 0 c3 0c1 c4 c2 c5 c3 c6+1c4 c1 c5 c2 c6 c3

lower bounds upper bounds


Objective Function:max: (c1 + ••• + c6) - (c7 + ••• + c12)

0 c7 0 c8 0 c9

c10 c7 c11 c8 c12+1

c9

c7 c10 c8 c11 c9 c12

Solve linear program to extract boundsBounds Analysis, Step 10

c1=0 c2 =0 c3 =0 c4=0 c5 =0 c6 =0 c7=0 c8 =1 c9 =0 c10=0 c11=1 c12=-1

l2 i n-1 n i u2

l2 i u2

- i +i = 0

i < n

*(p+i) += 1

i = i+1

l3 i u3

0 i 0

l3 i u3

l3+1 i u3+1

Solution

Solve linear program to extract boundsBounds Analysis, Step 9

u2 = nu3 = n-1

l2 i n-1 n i u2

l2 i u2

- i +i = 0

i < n

*(p+i) += 1

i = i+1

l3 i u3

0 i 0

l3 i u3

l3+1 i u3+1

l2 = 0l3 = 0

c1=0 c2 =0 c3 =0 c4=0 c5 =0 c6 =0 c7=0 c8 =1 c9 =0 c10=0 c11=1 c12=-1

Solution

Symbolic Bounds

Substitute bounds at each program pointBounds Analysis, Step 10

0 i n-1 n i n

0 i n

- i +i = 0

i < n

*(p+i) += 1

i = i+1

0 i n-1

0 i 0

0 i n-1

1 i n

u2 = nu3 = n-1

l2 = 0l3 = 0

c1=0 c2 =0 c3 =0 c4=0 c5 =0 c6 =0 c7=0 c8 =1 c9 =0 c10=0 c11=1 c12=-1

Solution

Symbolic Bounds

0 i n-1 n i n

0 i n

- i +i = 0

i < n

*(p+i) += 1

i = i+1

0 i n-1

0 i 0

0 i n-1

1 i n

Compute access regions at each load or store

Access Regions

[p,p+n-1] u2 = nu3 = n-1

l2 = 0l3 = 0

c1=0 c2 =0 c3 =0 c4=0 c5 =0 c6 =0 c7=0 c8 =1 c9 =0 c10=0 c11=1 c12=-1

Solution

Symbolic Bounds

Bounds Analysis

Region Analysis

Data Race Detection

Symbolic Regions AccessedBy Execution of Each Procedure

Pointer Analysis

Interprocedural Region Analysis

• Same Approach• Set up target bounds of accessed regions• Build a constraint system to compute these

bounds• Constraint System

Accessed regions for a procedure must include: 1. Regions accessed by statements in the

procedure 2. Regions accessed by invoked procedures

Interprocedural Region AnalysisGOAL: Compute accessed regions of

memory for each procedure E.g. “ f(p,n) accesses [p, p+n-1] ”

void f(char *p, int n) if (n > CUTOFF) {

spawn f(p, n/2);spawn f(p+n/2, n/2);sync;

} else {int i = 0;while (i < n) { *(p+i) += 1; i++; }

}[ p, p+n-1 ]

Region Analysis in Example

f(p,n) accesses[ l(p,n), u(p,n) ]





}[ p, p+n-1 ]

[ l(p,n/2), u(p,n/2) ][ l(p+n/2,n/2), u(p+n/2,n/2) ]





}[ p, p+n-1 ]

f(p,n) accesses[ l(p,n), u(p,n) ]

Derive Constraint System• Region constraints

[ l(p,n/2), u(p,n/2) ] [ l(p,n), u(p,n) ]www [ l(p+n/2,n/2), u(p+n/2,n/2) ] [ l(p,n), u(p,n) ]www

[ p, p+n-1 ] [ l(p,n), u(p,n) ]www

• Reduce to inequalities between lower/upper bounds

• Further reduce to a linear program and solve:l(p,n) = pu(p,n) = p+n-1

• Access region for f(p,n): [p, p+n-1]

Bounds Analysis

Region Analysis

Data Race Freedom Check that Parallel Threads Are Independent

Pointer Analysis

Data Race Freedom

• Dependence testing of two statements• Do accessed regions intersect?• Based on comparing upper and lower

bounds of accessed regions

• Absence of data races• Check that all the statements that execute

in parallel are independent

Data Race Freedom

Data Race Freedom




}

f(p,n) accesses[ p, p+n-1 ]

[ p, p+n/2-1 ][ p+n/2, p+n-1 ]

Data Race Freedom




}

f(p,n) accesses[ p, p+n-1 ]

No data races !

Data Race Freedom




}

Fundamental Property of the Analysis:

No Fixed Point Computations• The analysis does not use fixed-point

computations:• The problem is reduced to a linear program• The solution to the linear program directly gives

the symbolic lower and upper bounds

• Fixed-point approaches:• Termination is not guaranteed: analysis domain of

symbolic expressions has infinite ascending chains

• Use imprecise techniques to ensure termination:• Artificially truncate number of iterations• Use imprecise widening operators

Experience• Set of benchmark programs

• Two versions of each benchmark • Sequential version written in C• Multithreaded version written in Cilk

• Experiments:1. Data Race Freedom for the multithreaded versions2. Array Bounds Violation Detection for both

sequential and multithreaded versions3. Automatic Parallelization for the sequential

version

Data Races and Array Bounds Violations

Application Data races(multithreade

d)

Array Bounds Violations

(multithreaded)

Array Bounds Violations

(sequential)

QuickSort NO NO NO

MergeSort NO NO NO

BlockMul NO NO NO

NoTempMul

NO NO NO

LU NO NO NO

Knapsack YES NO NO

Heat NO NO NO

0

2

4

6

8

0 2 4 6 80

2

4

6

8

0 2 4 6 80

2

4

6

8

0 2 4 6 8

Parallel Performance

Quicksort Mergesort Heat0

2

4

6

8

0 2 4 6 80

2

4

6

8

0 2 4 6 80

2

4

6

8

0 2 4 6 8

BlockMul NoTempMul LU

Summary• Sophisticated Memory Disambiguation

Analysis• Points-to Information• Accessed Region Information

• Automatic • Interprocedural• Handles Multithreaded Programs• Other Uses Besides Data Race Freedom

• Bitwidth Analysis• Array-Bounds Check Elimination• Buffer Overrun Detection

Bigger Picture• Analysis has a very specific goal• Developer understands and cares about

results• Points-to and region information is (implicitly)

part of the interface of each procedure• Developer understands interfaces• Developer has expectations about analysis

results• Analysis can identify serious programming

errors• Developer expectations are implicit

IdeaEnhance procedure interface to make points-to and region information explicit

• Points-to language• Points-to graphs at entry and exit• Effect on points-to relationships

• Region language• Symbolic specification of accessed

regions• Developer provides information• Analysis verifies that it is correct, and

that correctness implies data race freedom

Points-to Languagef(p, q, n) {

context {entry: p->_a, q->_b;exit: p->_a, _a->_c, q->_b, _b->_d;}context {entry: p->_a, q->_a;exit: p->_a, _a->_c, q->_a;}

}

Points-to Languagef(p, q, n) {

context {entry: p->_a, q->_b;exit: p->_a, _a->_c, q->_b, _b->_d;

}context {

entry: p->_a, q->_a;exit: p->_a, _a->_c,

q->_a;}

}

pq

pq

pq

pq

Contexts for f(p,q,n)

entry

exit

Verifying Points-to InformationOne (flow sensitive) analysis per context

f(p,q,n) {...

}

pq

pq

pq

pq


entry

exit

Verifying Points-to InformationStart with entry points-to graph

f(p,q,n) {...

}

pq

pq

pq

pq

entry

exit

pq


Verifying Points-to InformationAnalyze procedure

f(p,q,n) {...

}

pq

pq

pq

pq

entry

exit

pq



f(p,q,n) {...

}

pq

pq

pq

pq

entry

exitpq


Verifying Points-to InformationCheck result against exit points-to graph

f(p,q,n) {...

}

pq

pq

pq

pq

entry

exitpq


Verifying Points-to InformationSimilarly for other context

f(p,q,n) {...

}

pq

pq

pq

pq

entry

exit


Verifying Points-to InformationStart with entry points-to graph

f(p,q,n) {...

}

pq

pq

pq

pq

entry

exit

pq



f(p,q,n) {...

}

pq

pq

pq

pq

entry

exit

pq


Verifying Points-to InformationCheck result against exit points-to graph

f(p,q,n) {...

}

pq

pq

pq

pq

entry

exitpq


Analysis of Call Statements

g(r,n) {..f(r,s,n);..

}

Analysis of Call StatementsAnalysis produces points-graph before call

g(r,n) {..f(r,s,n);..

}

rs

pq

pq

pq

pq

entry

exit


Analysis of Call StatementsRetrieve declared contexts from callee

g(r,n) {..f(r,s,n);..

}

rs

pq

pq

pq

pq

entry

exit


Analysis of Call StatementsFind context with matching entry graph

g(r,n) {..f(r,s,n);..

}

rs

pq

pq

pq

pq

entry

exit


Analysis of Call StatementsApply corresponding exit points-to graph

g(r,n) {..f(r,s,n);..

}

rs

rs

Analysis of Call StatementsContinue analysis after call

g(r,n) {..f(r,s,n);..

}

rs

Analysis of Call Statements

g(r,n) {..f(r,s,n);..

}

rs

Result• Points-to declarations

separate analysis of multiple procedures

• Transformed • global, whole-program

analysis into • local analysis that

operates on each procedure independently

Experience• Implemented points-to and region languages• Integrated with points-to and region

analyses• Divide and Conquer Benchmarks

• Quicksort (QS)• Mergesort (MS)• Matrix multiply (MM)• LU decomposition (LU)• Heat (H)

• We added points-to and region information

Sorting Programs

Dense MatrixComputationsScientific Computation

Programming OverheadProportion of C Code, Region

Declarations, and Points-to Declarations

0.00

0.25

0.50

0.75

1.00

QS MS MM LU H

C Code

RegionDeclarationsPoints-toDeclarations

EvaluationHow difficult is it to provide declarations?

Not that difficult.• Have to write comparatively little code• Must know information anyway

How much benefit does analysis obtain?Substantial benefit.

• Simpler analysis software (no complex interprocedural analysis)

• More scalable, precise analysis

EvaluationSoftware Engineering Benefits of Points-to

and Region Declarations

• Improved communication between developer and analysis

• Analysis reflects developer’s expectations

• Enhanced code reliability • Enhanced interface information• Analyze incomplete programs

•Programs that use libraries•Programs under development

EvaluationDrawbacks of Points-to and Region

Declarations• Have to learn new language• Have to integrate into development

process• Legacy software issues

(programmer may not know points-to and region information)

Steps to Design ConformanceVerify that Program Correctly Implements Key Design

Properties as Expressed by Developer or Designer• Role Verification• Design Conformance for Object Models

(joint with Daniel Jackson, MIT LCS)• Context: Air Traffic Control Software

• MIT LCS (Daniel Jackson, Martin Rinard) MIT Aero-Astro Department (R. John Hansman) NASA Ames Research Center (Michelle Eshow) Kansas State University CS Dept. (David Schmidt)

• CTAS (Center/TRACON Automation System)

Role Verification• Objects play different roles during their

lifetime in computation• Parked Aircraft, Taxiing Aircraft, Cleared for

Takeoff Aircraft, In Flight Aircraft• Roles reflect constraints on activities of object• System actions must respect role constraints

• Parked Aircraft can’t take off• Action violations indicate system confusion

• Goals• Obtain role information from developer• Check that program uses roles correctly

Role Classification

• Two General Kinds of Classification• Content-based (predicate on

object fields determines role) • Relative (points-to relationships

determine role)• Role Classification is Application

Dependent

Aircraft

Flying Aircraft

Parked Aircraft

Taxiing Aircraft

Cleared Aircraft

Class

Roles

Standard View of Object

Fields

OutgoingReferences List of Meter

FixesSequence Of PointsString

RunwayObjectGate

Object

••

•

IncomingReferences

Flight PlanTrajectory

Flight NameRunway

Gate

Relative Role ClassificationPoints-to relationships define roles

• Specify sources of incoming edges• Field of an object playing a given role• Global or local variable

• Specify target of outgoing edges• Specify available fields in each role

Example Roles

Gate Object

Aircraft•••

Parked Aircraft


Flight NameRunway

Gate

Trajectory

Gate

Example Roles

Runway ObjectAircraft

•••

Cleared for Takeoff Aircraft

Flight Plan

RunwayFlight Name

List of MeterFixes

String

Role Verification• Analysis Obtains

• Role Definitions• Method Information

• Roles of parameters and globals on entry• Role changes that method performs• Role of return value

• Intraprocedural Analysis• Simulates potential executions of method• Precise abstraction of heap• Use role information for invoked methods• Verify correctness of role information

Benefits of Roles• Software Engineering Benefits

• Safety checks that take application semantics into account

• Enhanced implementation transparency

• Transformations Enabled By Precise Referencing Behavior• Safe real-time memory management• Parallelization and race detection for

Programs with linked data structures• Optimized Atomic Transactions

Key Issue: Obtaining Role Information

• Range of Developer and Designer Involvement• Some Involvement Reasonable and

Necessary: Roles Reflect Application-Specific Properties

• Primary Focus: Role Definitions• Determine analysis distinctions• Relevance of extracted information

• Secondary Focus: Method Specifications• Developer specifies roles of parameters• Analysis extracts role changes

Design Conformance• Software Development Activities

• Requirements• Design• Implementation

• Design is Partial• Focus on Important Aspects• Omit Many Low-Level Details

• Design and Implementation are Disconnected• No guarantee that code conforms to design

Goal of Design Conformance• Establish and mechanically check

conformance• Use specific design formalism (object

models)• Boxes (objects) and Arrows (relations

between objects)Aircraft

Flying Aircraft

Parked Aircraft

Taxiing Aircraft

Cleared Aircraft

MeterFix

Flight Plan Flight Plan+ +

Key Issue• Establishing correspondence between object

model and implementation• Object models usually at a higher level of

abstraction• Many relations in object model realized as

group of objects and references• Object model may entirely omit some objects

or references• Enables designer to focus on important aspects• But complicates path to conformance analysis

Aircraft

Flying Aircraft

Parked Aircraft

Taxiing Aircraft

Cleared Aircraft

MeterFixFlight Plan Flight Plan

+ +

Gate Object

Aircraft•••


Flight NameRunway

Gate

Trajectory

GateRunway Object

Aircraft•••

Flight Plan

RunwayFlight Name

List of MeterFixes

String

Aircraft

MeterFix

Flight Plan+

AbstractObject Model

ConcreteObject Model

IntermediateObject Model

Roles

Concretization Specifications• Maps Between Object Models• Enables Designer/Developer to Establish

Correspondence Between Object Models• Specify how Object Model is Realized in

Code• Foundation for design conformance

analysis• Guides implementation of object model• Implementation patterns for object

models

Design Conformance Benefits• Higher Confidence in Software

• Promote clean implementation of design

• Guarantee important design properties

• Design becomes useful throughout entire development cycle• Updated as implementation changes• Reliable source of information

• Enables more precise, relevant analysis

Related Work• Pointer Analysis

• Landi, Ryder, Zhang – PLDI93• Emami, Ghiya, Hendren – PLDI94• Wilson, Lam – PLDI96• Rugina, Rinard – PLDI99• Rountev, Ryder – CC01• Salcianu, Rinard – PPoPP01

• Region Analysis• Triolet, Irigoin, Feautrier- PLDI86• Havlak, Kennedy – IEEE TPDS91• Rugina, Rinard – PLDI00

• Pointer Specifications• Hendren, Hummel, Nicolau – PLDI92• Guyer, Lin – LCPC00

Related Work• Shape Analysis

[CWZ90,GH96,FL97,SRW99,MS01]• Extended Type Systems

• FX/87 [GJLS87]• Dependent Types [XF99]

• Program Verification• ESC [DLNS98]• PVS [ORRSS96]

• Implementations of Object Models [HBR00]

Conclusion• Developer and Designer Interact with Analysis• Benefits

• More precise, relevant analysis• Verify key safety and design properties• Enhance utility of design• Enable powerful transformations

• Key Issue:• Determining appropriate abstractions to leverage• Access regions, roles, object models

• Abstractions Share Several Features• Identify important properties of data• Relate properties of data to behavior of

computation

program analysis and design conformance martin rinard laboratory for computer science massachusetts...

Documents