program analysis and verification 0368-4479 noam rinetzky lecture 10: shape analysis 1 slides...
TRANSCRIPT
![Page 1: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/1.jpg)
Program Analysis and Verification
0368-4479
Noam Rinetzky
Lecture 10: Shape Analysis
1
Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav
![Page 2: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/2.jpg)
Abstract Interpretation [Cousot’77]
• Mathematical foundation of static analysis– Abstract domains• Abstract states • Join ()
– Transformer functions• Abstract steps
– Chaotic iteration • Abstract computation • Structured Programs
Lattices(D, , , , , )
Monotonic functions
Fixpoints
![Page 3: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/3.jpg)
The collecting lattice
• Lattice for a given control-flow node v: Lv=(2State, , , , , State)
• Lattice for entire control-flow graph with nodes V:
LCFG = Map(V, Lv)• We will use this lattice as a baseline for static
analysis and define abstractions of its elements
![Page 4: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/4.jpg)
4
Galois Connection
1
c2 (c)
3((c))
The most precise (least) element in A representing c
C A
c ((c))
![Page 5: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/5.jpg)
5
Galois Connection
• Given two complete latticesC = (DC, C, C, C, C, C) – concrete domainA = (DA, A, A, A, A, A) – abstract domain
• A Galois Connection (GC) is quadruple (C, , , A)that relates C and A via the monotone functions– The abstraction function : DC DA
– The concretization function : DA DC
• for every concrete element cDC
and abstract element aDA
((a)) a and c ((c))
• Alternatively (c) a iff c (a)
![Page 6: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/6.jpg)
Abstract (conservative) interpretation
set of states set of statesoperational semantics(concrete semantics)
statement Sset of states
abstract representation abstract semantics
statement S abstract representation
concretization concretization
![Page 7: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/7.jpg)
7
Shape Analysis
Automatically verify properties of programs manipulating dynamically allocated storage
Identify all possible shapes (layout) of the heap
![Page 8: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/8.jpg)
Analyzing Singly Linked Lists
![Page 9: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/9.jpg)
9
Limitations of pointer analysis// Singly-linked list// data type.class SLL { int data; public SLL n; // next cell
SLL(Object data) { this.data = data; this.n = null; }}
// Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
![Page 10: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/10.jpg)
10
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
![Page 11: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/11.jpg)
11
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
null
h
t
![Page 12: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/12.jpg)
12
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
null
h
tL1
n
![Page 13: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/13.jpg)
13
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
![Page 14: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/14.jpg)
14
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
![Page 15: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/15.jpg)
15
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
![Page 16: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/16.jpg)
16
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
![Page 17: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/17.jpg)
17
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
tmp
null
h
tL1
n
tmp != null
tmp == null
![Page 18: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/18.jpg)
18
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
tmp
null
h
tL1
n
![Page 19: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/19.jpg)
19
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
tmp == null ?
![Page 20: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/20.jpg)
20
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
![Page 21: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/21.jpg)
21
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
Possible null dereference!
![Page 22: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/22.jpg)
22
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
Fixed-point for first loop
![Page 23: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/23.jpg)
23
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
![Page 24: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/24.jpg)
24
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
![Page 25: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/25.jpg)
25
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
tmp
null
h
tL1
n
L2
n
Possible null dereference!
![Page 26: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/26.jpg)
26
What was the problem?
• Pointer analysis abstract all objects allocated at same program location into one summary object. However, objects allocated at same memory location may behave very differently– E.g., object is first/last one in the list– Assign extra predicates to distinguish between objects with different
roles• Number of objects represented by summary object 1 – does
not allow strong updates– Distinguish between concrete objects (#=1) and abstract objects (#1)
• Join operator very coarse – abstracts away important distinctions (tmp=null/tmp!=null)– Apply disjunctive completion
![Page 27: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/27.jpg)
27
Improved solution
• Pointer analysis abstract all objects allocated at same program location into one summary object. However, objects allocated at same memory location may behave very differently– E.g., object is first/last one in the list– Add extra instrumentation predicates to distinguish between objects
with different roles• Number of objects represented by summary object 1 – does
not allow strong updates– Distinguish between concrete objects (#=1) and abstract objects (#1)
• Join operator very coarse – abstracts away important distinctions (tmp=null/tmp!=null)– Apply disjunctive completion
![Page 28: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/28.jpg)
28
Adding properties to objects
• Let’s first drop allocation site information and instead…
• Define a unary predicate x(v) for each pointer variable x meaning x points to x
• Predicate holds for at most one node• Merge together nodes with same sets of
predicates
![Page 29: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/29.jpg)
29
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
null
h
t
![Page 30: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/30.jpg)
30
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
null
h
t{h, t}
n
![Page 31: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/31.jpg)
31
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
null
h
t{h, t}
tmp
n
![Page 32: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/32.jpg)
32
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
null
h
t{h, t}
tmp
n
{tmp}n
No null dereference
![Page 33: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/33.jpg)
33
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
null
h
t{h, t}
tmp
n
{tmp}n
![Page 34: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/34.jpg)
34
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
null
h
t{t}
tmp
n
{h, tmp}n
![Page 35: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/35.jpg)
35
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{h, tmp}n
nullh
t{h, t}
tmp
n
![Page 36: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/36.jpg)
36
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{h, tmp}n
nullh
t{h, t}
tmp
n
Do we need to analyze this shape graph again?
![Page 37: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/37.jpg)
37
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{h, tmp}n
nullh
t{h, t}
tmp
n
![Page 38: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/38.jpg)
38
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ h}n
{ tmp}n
No null dereference
![Page 39: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/39.jpg)
39
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ h}n
{ tmp}n
![Page 40: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/40.jpg)
40
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{ h, tmp}n
![Page 41: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/41.jpg)
41
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{ h, tmp}n
![Page 42: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/42.jpg)
42
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{ h}n
{ tmp}n
No null dereference
![Page 43: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/43.jpg)
43
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{ h}n
{ tmp}n
![Page 44: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/44.jpg)
44
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{ }n
{h, tmp}n
![Page 45: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/45.jpg)
45
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{h, tmp}n
n
Summarization
How many objects does it represent?
![Page 46: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/46.jpg)
46
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{h}n
n
{ tmp}
No null dereference
n
![Page 47: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/47.jpg)
47
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{h}n
n
{ tmp}n
![Page 48: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/48.jpg)
48
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{h, tmp}n
n
Fixed-point for first loop
![Page 49: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/49.jpg)
49
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{h, tmp}n
n
![Page 50: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/50.jpg)
50
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ }n
{h, tmp}n
n
![Page 51: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/51.jpg)
51
Flow&Field-sensitive Analysis // Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
nullh
t {t}
tmp
n
{ tmp?}n
{ tmp}n
n
![Page 52: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/52.jpg)
52
Best (induced) transformer
C A
23f
f#(a)= (f((a)))
1 f#
4
Problem: incomputable directly
![Page 53: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/53.jpg)
53
Best transformer for tmp=tmp.nnull
h
t
{t}
tmp
n
{ }n
{h, tmp}n
n
nullh
t {t}
tmp
n
{ }
n
{h, tmp}
n
nullh
t {t}
tmp
n
{ }
n
{h, tmp}n
{ }
{ }
![Page 54: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/54.jpg)
54
Best transformer for tmp=tmp.n: null
h
t
{t}
tmp
n
{ }n
{h, tmp}n
n
nullh
t {t}
tmp
n
{ }
n
{h, tmp}
n
nullh
t {t}
tmp
n
{ }
n
{h, tmp}n
{ }
{ }
nullh
t {t}
tmp
n
{ }
n
{h, tmp}n
{ }
{ } …
![Page 55: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/55.jpg)
55
Best transformer for tmp=tmp.nnull
h
t
{t}
tmp
n
{ }n
{h, tmp}n
n
nullh
t {t}
tmp
n
{tmp }
n
{h}
n
nullh
t {t}
tmp
n
{ }
n
{h}n
{ }
{tmp }
nullh
t {t}
tmp
n
{ }
n
{h}n
{ }
{tmp } …
![Page 56: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/56.jpg)
56
Best transformer for tmp=tmp.n: null
h
t
{t}
tmp
n
{ }n
{h, tmp}n
n
nullh
t {t}
tmp
n
{tmp }
n
{h}
n
nullh
t {t}
tmp
n
{ }
n
{h}n
{tmp }
nullh
t {t}
tmp
n
{ }
n
{h}n
{tmp } …
![Page 57: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/57.jpg)
57
Handling updates on summary nodes
• Transformers accessing only concrete nodes are easy
• Transformers accessing summary nodes are complicated
• Can’t concretize summary nodes – represents potentially unbounded number of concrete nodes
• We need to split into cases by “materializing” concrete nodes from summary node– Introduce a new temporary predicate tmp.n– Partial concretization
![Page 58: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/58.jpg)
58
Transformer for tmp=tmp.n: ’ null
h
t
{t}
tmp
n
{ }n
{h, tmp}n
n
’
Case 1: Exactly 1 object.Case 2: >1 objects.
![Page 59: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/59.jpg)
59
Transformer for tmp=tmp.n: ’ null
h
t
{t}
tmp
n
{ }n
{h, tmp}n
n
nullh
t {t}
tmp
n
{tmp.n }
n
{h, tmp}
n
nullh
t {t}
tmp
n
{ }
n
{h, tmp}n
{tmp.n }
’
tmp.n is a concrete node
Summary node
spaghetti
![Page 60: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/60.jpg)
60
Transformer tmp=tmp.n
null
h
t
{t}
tmp
n
{ }n
{h, tmp}n
n
nullh
t {t}
tmp
n
{tmp, tmp.n }
n
{h}
n
nullh
t {t}
tmp
n
{ }
n
{h}n
{tmp, tmp.n }
![Page 61: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/61.jpg)
61
Transformer for tmp=tmp.n: nullh
t {t}
tmp
n
{tmp}
n
{h}
n
nullh
t {t}
tmp
n
{ }
n
{h}n
{tmp}
// Build a list SLL h=null, t = null;L1: h=t= new SLL(-1); SLL tmp = null; while (…) { int data = getData(…);L2: tmp = new SLL(data); tmp.n = h; h = tmp; }
// Process elements tmp = h; while (tmp != t) { assert tmp != null; tmp.data += 1; tmp = tmp.n; }
![Page 62: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/62.jpg)
62
Transformer via partial-concretization
C A
23f
f#(a)= ’(f#’(’(a)))
1 f#
4
A’
5 f#’
6
’
’
![Page 63: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/63.jpg)
63
Recap
• Adding more properties to nodes refines abstraction• Can add temporary properties for partial
concretization– Materialize concrete nodes from summary nodes– Allows turning weak updates into strong ones– Focus operation in shape-analysis lingo– Not trivial in general and requires more semantic
reduction to clean up impossible edges– General algorithms available via 3-valued logic and
implemented in TVLA system
![Page 64: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/64.jpg)
3-Value logic based shape analysis
![Page 65: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/65.jpg)
65
Sequential Stackvoid push (int v) { Node x = malloc(sizeof(Node)); x->d = v; x->n = Top; Top = x;}
int pop() {
if (Top == NULL) return EMPTY;
Node *s = Top->n;
int r = Top->d;
Top = s;
return r;
{
Want to VerifyNo Null DereferenceUnderlying list remains acyclic after each operation
![Page 66: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/66.jpg)
66
Shape Analysis via 3-valued Logic
1) Abstraction– 3-valued logical structure– canonical abstraction
2) Transformers– via logical formulae– soundness by construction • embedding theorem, [SRW02]
![Page 67: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/67.jpg)
67
Concrete State• represent a concrete state as a two-valued logical
structure– Individuals = heap allocated objects– Unary predicates = object properties– Binary predicates = relations
• parametric vocabulary
Topn n
u1 u2 u3
(storeless, no heap addresses)
![Page 68: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/68.jpg)
68
Concrete State• S = <U, > over a vocabulary P• U – universe• - interpretation, mapping each predicate from p to its
truth value in S
Topn n
u1 u2 u3
U = { u1, u2, u3} P = { Top, n }
(n)(u1,u2) = 1, (n)(u1,u3)=0, (n)(u2,u1)=0 …,(Top)(u1)=1, (Top)(u2)=0, (Top)(u3)=0
![Page 69: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/69.jpg)
69
v1,v2: n(v1, v2) n*(v2, v1)
Formulae for Observing Properties
void push (int v) { Node x =
malloc(sizeof(Node));
xd = v;
xn = Top;
Top = x;
}
Topn nu1 u2 u3
1
No Cycles
v1,v2: n(v1, v2) n*(v2, v1) 1
w:Top(w)
Top != null
w: x(w)
w: x(w) No node precedes Topv1,v2: n(v1, v2) Top(v2) 1
v1,v2: n(v1, v2) Top(v2)
![Page 70: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/70.jpg)
70
Concrete Interpretation Rules
Statement Update formula
x =NULL x’(v)= 0
x= malloc() x’(v) = IsNew(v)
x=y x’(v)= y(v)
x=y next x’(v)= w: y(w) n(w, v)
x next=y n’(v, w) = (x(v) n(v, w)) (x(v) y(w))
![Page 71: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/71.jpg)
Example: s = Topn
71
Top
s’(v) = v1: Top(v1) n(v1,v)
u1 u2 u3 Top
s
u1 u2 u3
Top
u1 1
u2 0
u3 0
n u1 u2 U3
u1 0 1 0
u2 0 0 1
u3 0 0 0
s
u1 0
u2 0
u3 0
Top
u1 1
u2 0
u3 0
n u1 u2 U3
u1 0 1 0
u2 0 0 1
u3 0 0 0
s
u1 0
u2 1
u3 0
![Page 72: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/72.jpg)
72
Collecting Semantics
{ st(w)(S) | S CSS[w] } (w,v ) E(G),
w Assignments(G)
< {,} >
CSS [v] =
if v = entry
{ S | S CSS[w] } (w,v ) E(G),
w Skip(G)
{ S | S CSS[w] and S cond(w)} (w,v ) True-Branches(G)
{ S | S CSS[w] and S cond(w)}(w,v ) False-Branches(G)
othrewise
![Page 73: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/73.jpg)
73
Collecting Semantics
• At every program point – a potentially infinite set of two-valued logical structures
• Representing (at least) all possible heaps that can arise at the program point
• Next step: find a bounded abstract representation
![Page 74: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/74.jpg)
74
3-Valued Logic
• 1 = true• 0 = false• 1/2 = unknown
A join semi-lattice, 0 1 = 1/2
1/2
0 1
info
rmati
on o
rder
logical order
![Page 75: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/75.jpg)
75
3-Valued Logical Structures
• A set of individuals (nodes) U• Relation meaning– Interpretation of relation symbols in Pp0() {0,1, 1/2}p1(v) {0,1, 1/2}p2(u,v) {0,1, 1/2}
• A join semi-lattice: 0 1 = 1/2
![Page 76: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/76.jpg)
Boolean Connectives [Kleene] 0 1/2 1
0 0 0 01/2 0 1/2 1/21 0 1/2 1
0 1/2 1
0 0 1/2 11/2 1/2 1/2 11 1 1 1
![Page 77: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/77.jpg)
77
Property Space
• 3-struct[P] = the set of 3-valued logical structures over a vocabulary (set of predicates) P
• Abstract domain– (3-Struct[P])– is
![Page 78: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/78.jpg)
78
Embedding Order
• Given two structures S = <U, >, S’ = <U’, ’> and an onto function f : U U’ mapping individuals in U to individuals in U’
• We say that f embeds S in S’ (denoted by S S’) if– for every predicate symbol p P of arity k: u1, …, uk U, (p)
(u1, ..., uk) ’(p)(f(u1), ..., f (uk)) – and for all u’ U’
( | { u | f (u) = u’ } | > 1) ’(sm)(u’)
• We say that S can be embedded in S’ (denoted by S S’) if there exists a function f such that S f S’
![Page 79: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/79.jpg)
![Page 80: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/80.jpg)
80
Tight Embedding
• S’ = <U’, ’> is a tight embedding of S=< U, > with respect to a function f if:– S’ does not lose unnecessary information
’(u’1,…, u’k) = {(u1 ..., uk) | f(u1)=u’1,..., f(uk)=u’k}
• One way to get tight embedding is canonical abstraction
![Page 81: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/81.jpg)
81
Canonical Abstraction
Topn nu1 u2 u3u1 u2 u3
[Sagiv, Reps, Wilhelm, TOPLAS02]
![Page 82: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/82.jpg)
82
Canonical Abstraction
Topn nu1 u2 u3u1 u2 u3
Top
[Sagiv, Reps, Wilhelm, TOPLAS02]
![Page 83: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/83.jpg)
83
Canonical Abstraction
Topn nu1 u2 u3u1 u2 u3
Top
![Page 84: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/84.jpg)
84
Canonical Abstraction
Topn nu1 u2 u3u1 u2 u3
Top
![Page 85: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/85.jpg)
85
Canonical Abstraction
Topn nu1 u2 u3u1 u2 u3
Top
![Page 86: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/86.jpg)
86
Canonical Abstraction
Topn nu1 u2 u3u1 u2 u3
Top
![Page 87: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/87.jpg)
87
Canonical Abstraction ()
• Merge all nodes with the same unary predicate values into a single summary node
• Join predicate values
’(u’1 ,..., u’k) = { (u1 ,..., uk) | f(u1)=u’1 ,..., f(uk)=u’k }
• Converts a state of arbitrary size into a 3-valued abstract state of bounded size
• (C) = { (c) | c C }
![Page 88: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/88.jpg)
88
Information Loss
Topn n
Topn n
n
Top
Top
Top
Canonical abstraction
Topn n
![Page 89: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/89.jpg)
89
Instrumentation Predicates• Record additional derived information via
predicatesrx(v) = v1: x(v1) n*(v1,v)
c(v) = v1: n(v1, v) n*(v, v1)
Topn n
cTop cn n
n
Top
cTop
Canonical abstraction
![Page 90: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/90.jpg)
90
Embedding Theorem: Conservatively Observing Properties
No Cyclesv1,v2: n(v1, v2) n*(v2, v1)1/2
Top rTop rTop
No cycles (derived)v:c(v) 1
![Page 91: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/91.jpg)
91
Operational Semanticsvoid push (int v) { Node x = malloc(sizeof(Node)); x->d = v; x->n = Top; Top = x;}
int pop() {
if (Top == NULL) return EMPTY;
Node *s = Top->n;
int r = Top->d;
Top = s;
return r;
{
s’(v) = v1: Top(v1) n(v1,v)
s = Top->n
Topn nu1 u2 u3
Top n nu1 u2 u3
s
![Page 92: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/92.jpg)
92
Abstract Semantics
Top
s = Topn ?rTop rTop Top rTop rTop
s
s’(v) = v1: Top(v1) n(v1,v)
s = Top->n
![Page 93: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/93.jpg)
93
Top
Best Transformer (s = Topn)Concrete
Semantics
Canonical
Abstraction
AbstractSemantics
?rTop rTop
...
Top rTop rTop
Top rTop rTop rTop
...
Top
s
rTop rTop
Top
s
rTop rTop rTop
Top
s
rTop rTop
Top
s
rTop rTop rTop
s’(v) = v1: Top(v1) n(v1,v)
![Page 94: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/94.jpg)
Semantic Reduction
• Improve the precision of the analysis by recovering properties of the program semantics
• A Galois connection (C, , , A)• An operation op:AA is a semantic reduction
when– lL2 op(l)l and – (op(l)) = (l) l
C A
op
![Page 95: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/95.jpg)
The Focus Operation
• Focus: Formula((3-Struct) (3-Struct))• Generalizes materialization• For every formula – Focus()(X) yields structure in which evaluates to a
definite values in all assignments– Only maximal in terms of embedding– Focus() is a semantic reduction– But Focus()(X) may be undefined for some X
![Page 96: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/96.jpg)
96
Top rTop rTop
Top rTop rTop rTop
Partial Concretization Based on Transformer (s=Topn)
AbstractSemantics
Partial Concretization
Canonical Abstraction
AbstractSemantics
Top
s
rTop rTop
Top
s
rTop rTop rTop
Top rTop rTop rTop
s
Top
s
rTop rTop
Top rTop rTop
s’(v) = v1: Top(v1) n(v1,v)
u: top(u) n(u, v)
Focus (Topn)
![Page 97: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/97.jpg)
97
Partial Concretization
• Locally refine the abstract domain per statement• Soundness is immediate• Employed in other shape analysis algorithms
[Distefano et.al., TACAS’06, Evan et.al., SAS’07, POPL’08]
![Page 98: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/98.jpg)
The Coercion Principle
• Another Semantic Reduction• Can be applied after Focus or after Update or
both• Increase precision by exploiting some
structural properties possessed by all stores (Global invariants)
• Structural properties captured by constraints
• Apply a constraint solver
![Page 99: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/99.jpg)
Apply Constraint Solver
Top rTop rTop
x
Top rTop rTop
x
x rx rx,ryn
rx,ry
n n
ny
n
Top rTop rTop
x rx rx,ryn
rx,ry
n
y
n
![Page 100: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/100.jpg)
Sources of Constraints
• Properties of the operational semantics• Domain specific knowledge– Instrumentation predicates
• User supplied
![Page 101: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/101.jpg)
Example Constraints
x(v1) x(v2)eq(v1, v2)
n(v, v1) n(v,v2)eq(v1, v2)
n(v1, v) n(v2,v)eq(v1, v2)is(v)
n*(v3, v4)t[n](v1, v2)
![Page 102: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/102.jpg)
Abstract Transformers: Summary
• Kleene evaluation yields sound solution• Focus is a statement-specific partial
concretization• Coerce applies global constraints
![Page 103: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/103.jpg)
103
Abstract Semantics
{ t_embed(coerce(st(w)3(focusF(w)(SS[w] )))) (w,v ) E(G),
w Assignments(G)
< {,} >
SS [v] =
if v = entry
{ S | S SS[w] } (w,v ) E(G),
w Skip(G)
{ t_embed(S) | S coerce(st(w)3(focusF(w)(SS[w] ))) and S 3 cond(w)} (w,v ) True-Branches(G)
{ t_embed(S) | S coerce(st(w)3(focusF(w)(SS[w] ))) and S 3 cond(w)}
(w,v ) False-Branches(G)
othrewise
![Page 104: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/104.jpg)
104
Recap
• Abstraction– canonical abstraction – recording derived information
• Transformers–partial concretization (focus)– constraint solver (coerce)– sound information extraction
![Page 105: Program Analysis and Verification 0368-4479 Noam Rinetzky Lecture 10: Shape Analysis 1 Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav](https://reader036.vdocuments.site/reader036/viewer/2022062423/56649e425503460f94b35541/html5/thumbnails/105.jpg)
105
Stack Push
void push (int v) { Node x =
alloc(sizeof(Node));
xd = v;
xn = Top;
Top = x;
}
Top
x
Top
Top
x
Top
Top
x
emp
x
x
x
Top
Topv:c(v)
v: x(v)
v: x(v)
v1,v2: n(v1, v2) Top(v2)
…