Slide 1: Using Checkers for End-User Shape Analysis
National Taiwan University – August 11, 2009
Bor-Yuh Evan Chang 張博聿
University of Colorado, Boulder
If some of the symbols are garbled, try either installing TexPoint (http://texpoint.necula.org) or the TeX fonts (http://www.cs.colorado.edu/~bec/texpoint-fonts.zip).
Collaborators: Xavier Rival (INRIA and ENS Paris), George C. Necula (UC Berkeley)
Slide 2: Why think about the analyzer’s end-user?
Bor-Yuh Evan Chang 張博聿 , University of Colorado - Using Checkers in End-User Shape Analysis
Accessibility
• end-users are not experts in verification and logic
• want adoption of our tools and techniques
Expressivity, Efficiency, and Feasibility
• end-users are not completely incompetent either
• can provide guidance to tools, understand the code best
Slide 3: Main Design Decision: Summaries and their operations
Shape analysis is an abstract interpretation on abstract memory descriptions with …
• splitting of summaries (materialization), to reflect updates precisely
• and summarizing for termination (summarization)
[Figure: a “sorted dl list” summary between l and cur, split as cur advances through the list and then summarized again]
Slide 4: Our Approach: Executable Specifications
Utilize “run-time validation code” as specification for static analysis.
    assert(l.purple_dll(null));
    for each node cur in list l { make cur red; }
    assert(l.red_dll(null));
[Figure: list l with cur advancing; nodes recoloured one at a time]
checker:
    h.dll(p) := if (h = null) then true
                else h→prev = p and h→next.dll(h)
• p specifies where prev should point
Automatically generalize checkers for intermediate states (generalized segment).
The same checker as a separation-logic inductive definition:
    h.dll(p) := h = null ∧ emp
              ∨ ∃n. h@prev ↦ p * h@next ↦ n * n.dll(h)
Build the abstraction for analysis directly out of the developer-supplied validation code.
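The checker of this slide written as ordinary run-time validation code, added here as an example (it is not code from the slides or from Xisa): a dll checker with a colour parameter standing in for purple_dll/red_dll, the recolouring loop wrapped in the two asserts, and the converse dll_back checker of slide 17 run on the same store to show that one store satisfies both descriptions. Node, build_list, recolor, tail_of, the colour parameter and the cycle guard are my assumptions.

```python
# Added example, not from the slides: slide 4's checkers as run-time checks.

class Node:
    def __init__(self, color="purple"):
        self.prev = None
        self.next = None
        self.color = color

def dll(h, p, color, _seen=None):
    """h.dll(p) := if h = null then true
                   else h.prev = p and h.next.dll(h)          (slide 4)
    'color' models purple_dll/red_dll; _seen is a guard I added so that a
    cyclic structure is rejected instead of recursing forever."""
    if _seen is None:
        _seen = set()
    if h is None:
        return True
    if id(h) in _seen:            # revisited a node: not a null-terminated dll
        return False
    _seen.add(id(h))
    return h.prev is p and h.color == color and dll(h.next, h, color, _seen)

def dll_back(t, n, _seen=None):
    """l.dll_back(n) := if l = null then true
                        else l.next = n and l.prev.dll_back(l)   (slide 17)"""
    if _seen is None:
        _seen = set()
    if t is None:
        return True
    if id(t) in _seen:
        return False
    _seen.add(id(t))
    return t.next is n and dll_back(t.prev, t, _seen)

def build_list(n, color="purple"):
    """Constructed input: a well-formed doubly-linked list of n nodes."""
    head = last = None
    for _ in range(n):
        node = Node(color)
        node.prev = last
        if last is None:
            head = node
        else:
            last.next = node
        last = node
    return head

def tail_of(l):
    cur = l
    while cur is not None and cur.next is not None:
        cur = cur.next
    return cur

def recolor(l, color):
    """The loop of slide 4: for each node cur in list l { make cur red; }"""
    cur = l
    while cur is not None:
        cur.color = color
        cur = cur.next

def run_validated(n=4):
    """Executable specification around the loop: both asserts of slide 4."""
    l = build_list(n, "purple")
    assert dll(l, None, "purple")    # assert(l.purple_dll(null));
    recolor(l, "red")
    assert dll(l, None, "red")       # assert(l.red_dll(null));
    return l

def corrupt_prev(l):
    """Break the prev pointer of the second node; the checker must reject it."""
    l.next.prev = None
    return dll(l, None, l.color)
```

Both checkers describe the same store (dll from the head, dll_back from the tail), which is exactly the non-unique-representation problem that slide 17 raises for the analyzer.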
Slide 5: Problem: Checkers are incomplete specs
[Figure: Xisa shape analyzer = abstract interpretation with splitting and interpreting update, and summarizing; checkers feed a checker analysis (“pre-program analysis”), which feeds the program analysis]
checkers:
    h.dll(p) = if (h = null) then true
               else h→prev = p and h→next.dll(h)
Checker analysis (“pre-program analysis”): derives information about checkers to use them effectively.
1. How do we decide where to unfold?
2. How do we decide where to fold?
3. What about different checkers for the same structure?
Defining a program analysis:
1. The abstraction (e.g., separation logic formulas with inductive definitions) and operations on the abstraction (e.g., unfolding, update)
2. How to effectively apply the operations (harder!)
Slide 6: Outline
• Memory abstraction
• Guide unfolding (materialization) with level-type analysis on checker definitions
• Guide folding (summarization) with iteration history – a binary, non-symmetric widening operator
• Prove lemmas amongst checkers with our parametric shape domain – for a reduction operator
Slide 7: Abstract memory as graphs
    h.dll(p) = if (h = null) then true
               else h→prev = p and h→next.dll(h)
[Figure: graph with l pointing to α and cur pointing to γ; thin edges are cells, thick edges are summaries]
Legend:
• memory address (value): a node (e.g., γ)
• memory cell (points-to: γ→next = δ): a thin edge
• checker summary (inductive predicate): some number of memory cells, e.g., δ.dll(γ)
• segment summary (“dll segment”): α.dll(null) *= γ.dll(β)
Make endpoints and segments explicit. The example graph denotes
    (α.dll(null) *= γ.dll(β)) * γ@prev ↦ β * γ@next ↦ δ * δ.dll(γ)
Segment generalization of a checker (intuitively, α.dll(null) up to γ.dll(β)).
Slide 8: Segments as Partial Checker “Runs” (conceptually) [POPL’08]
Complete checker “run” on a concrete instance α → β → γ → δ → null (next edges forward, prev edges back):
    α.dll(null), β.dll(α), γ.dll(β), δ.dll(γ), null.dll(δ)
Summary: a segment edge from α to γ labelled dll(null) *= dll(β) stands for a partial run, i.e., the steps α.dll(null) … γ.dll(β) with γ.dll(β) left unexpanded.
In general, a segment α.c(γ) *= β.c′(γ′) stands for i ≥ 0 unfolding steps of c that start at α.c(γ) and end at β.c′(γ′); for i = 0 it is empty, with c = c′, α = β, γ = γ′ (for the dll example: α = γ and β = null).
Slide 9: Outline (repeated from slide 6)
Slide 10: Types for deciding where to unfold
Checker definition:
    h.dll(p) = if (h = null) then true
               else h→prev = p and h→next.dll(h)
Checker “run” (call tree/derivation) on the instance α → β → γ → δ → null:
    dll(α, null), dll(β, α), dll(γ, β), dll(δ, γ), dll(null, δ)
Summary: (α.dll(null) *= γ.dll(β)) * γ.dll(β), with unfolding levels numbered relative to γ’s instance (…, -2, -1, 0, 1, …).
If it exists, where is γ→next? Where is β→next?
Checker parameter types:
    h : {next⟨0⟩, prev⟨0⟩}    p : {next⟨-1⟩, prev⟨-1⟩}
Says: for h→next / h→prev, unfold from h (level 0); for p→next / p→prev, unfold before h (level -1).
So γ→next is found by unfolding γ.dll(β) (γ is h, level 0), and β→next by unfolding the segment one step before γ (β is p, level -1).
Slide 11: Types make the analysis robust with respect to how checkers are written
Doubly-linked list checker (as before):
    h.dll(p) = if (h = null) then true
               else h→prev = p and h→next.dll(h)
    h : {next⟨0⟩, prev⟨0⟩}    p : {next⟨-1⟩, prev⟨-1⟩}
Instance with nodes α, β, γ, null. Summary: (β.dll(α) *= γ.dll(β)) * γ.dll(β).
Alternative doubly-linked list checker:
    h.dll′() = if (h→next = null) then true
               else h→next→prev = h and h→next.dll′()
    h : {next⟨0⟩, prev⟨-1⟩}
Instance with nodes β, γ, null. Summary: (β.dll′() *= γ.dll′()) * γ.dll′().
Where is γ→prev? Under dll′ it is at level -1 (unfold before γ), under dll at level 0: different types for different unfolding.
Slide 12: Summary of checker parameter types
• Tell where to unfold for which fields
• Make analysis robust with respect to how checkers are written
• Learn where in summaries unfolding won’t help
• Can be inferred automatically with a fixed-point computation on the checker definitions
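The slide states that the types can be inferred by a fixed-point computation but does not give the rules. The following is an added example, not Xisa’s inference: a simplified fixed point that I assume (a direct read h→f gives level 0; a read at a node that is passed into the recursive call gives level -1 for the callee parameter bound to it; a parameter passed through unchanged shifts its levels by one in each direction), which reproduces the types shown on slides 10 and 11 for dll and dll′. The checker encoding (DLL, DLL_PRIME, reads, call) is my own.

```python
# Added example, not from the slides or Xisa: a fixed-point inference of
# checker parameter types (assumed rules) that matches slides 10-11.

# A field read is a path (param, f1, ..., fk): field fk is read at the node
# param->f1->...->f(k-1). "call" maps each parameter of the recursive call
# to the path passed as its argument.
DLL = {
    "params": ["h", "p"],
    "reads": [("h", "prev"), ("h", "next")],          # h->prev = p, h->next.dll(h)
    "call": {"h": ("h", "next"), "p": ("h",)},        # h->next.dll(h)
}
DLL_PRIME = {
    "params": ["h"],
    "reads": [("h", "next"), ("h", "next", "prev")],  # h->next = null, h->next->prev = h
    "call": {"h": ("h", "next")},                     # h->next.dll'()
}

def infer_levels(checker, max_iter=20):
    """Return {param: {field: sorted levels}}. Level k means: the cell for
    this field of the node bound to param is materialized by unfolding the
    checker instance k steps after (k < 0: before) the instance that binds
    param. Rules are my simplification, not the paper's."""
    call = checker["call"]
    types = {x: {} for x in checker["params"]}

    def add(x, f, lv):
        levels = types[x].setdefault(f, set())
        changed = lv not in levels
        levels.add(lv)
        return changed

    for _ in range(max_iter):
        changed = False
        for path in checker["reads"]:
            node, field = path[:-1], path[-1]
            if len(node) == 1:                  # direct read x->f: level 0
                changed |= add(node[0], field, 0)
            else:
                # the node is an argument of the recursive call: the callee
                # parameter bound to it sees this read one unfolding earlier
                # (a node that is neither is ignored by this simplification)
                for y, arg in call.items():
                    if arg == node:
                        changed |= add(y, field, -1)
        # a parameter passed unchanged into the call names the same node one
        # level deeper: its levels shift by -1 for the callee parameter, and
        # the callee parameter's levels shift by +1 for the caller's
        for y, arg in call.items():
            if len(arg) == 1:
                x = arg[0]
                for f, lvls in list(types[x].items()):
                    for lv in sorted(lvls):
                        changed |= add(y, f, lv - 1)
                for f, lvls in list(types[y].items()):
                    for lv in sorted(lvls):
                        changed |= add(x, f, lv + 1)
        if not changed:
            return {x: {f: sorted(l) for f, l in fs.items()} for x, fs in types.items()}
    raise RuntimeError("no fixed point within bound (levels unbounded, e.g. parameters swapped)")

def unfold_levels(checker, param, field):
    """Slide 10's question: to materialize node->field for a node bound to
    `param`, at which relative levels should the analysis unfold?"""
    return infer_levels(checker)[param].get(field, [])
```

The iteration bound is the only termination measure here: a checker that swaps its parameters in the recursive call would push levels to infinity, which a real inference would handle with a widening rather than by giving up.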
Slide 13: Outline (repeated from slide 6)
Slide 14: Summarize by folding into inductive predicates
    last = l; cur = l→next;
    while (cur != null) {
      // … cur, last …
      if (…) last = cur;
      cur = cur→next;
    }
[Figure: abstract graphs at the loop head. Iteration 0: l and last on the same node, a next edge to cur, then a list summary. Iteration 1: l ─next→ last ─next→ cur, then list. Iteration 2: l ─next→ · ─next→ last ─next→ cur, then list. Summarized: l ─list→ last ─next→ cur, then list.]
Challenge: precision (e.g., last and cur separated by at least one step).
Slide 15: Use iteration history to guide folding
[Figure: the loop-head graphs of slide 14 and their summarized form l ─list→ last ─next→ cur, then list]
Previous approaches guess where to fold for each graph
• i.e., which nodes to drop
• e.g., nodes not pointed to by variables
Contribution: determine where to fold by comparing graphs across history
• discover which nodes to drop and which edges to fold simultaneously
Slide 16: Outline (repeated from slide 6)
Slide 17: Problem: Non-Unique Representations
With user-guided abstraction, different summaries may have the same (or related) concretizations.
Checkers:
    l.dll(p) := if (l = null) then true
                else l→prev = p and l→next.dll(l)
    l.dll_back(n) := if (l = null) then true
                     else l→next = n and l→prev.dll_back(l)
[Figure: one concrete instance with head h and tail t, and two summaries of it: h.dll(null) alone, and the same store described from both ends with dll(null) at h and dll_back(null) at t]
Slide 18: Need: Convert between related summaries
1. Prove lemmas about related checkers, e.g., “dll ⇔ dll_back”
Observation: our widening operator can derive these facts on an appropriate program.
Basic idea: [Figure: l.dll(p) := … together with the semantics of dll_back is fed to the parametric abstract domain; summarization (widening) produces the lemma]
Slide 19: Need: Convert between related summaries
2. Find out which lemmas are needed and when to apply them during program analysis (work in progress, not in this talk)
Slide 20: New “Pre-Program Analysis Analysis”
[Figure: Xisa shape analyzer = abstract interpretation with splitting and interpreting update, and summarizing; checkers feed a checker analysis (“pre-program analysis”) made of level-type inference for unfolding and lemma proving for reduction, which feeds the program analysis]
checkers:
    h.dll(p) = if (h = null) then true
               else h→prev = p and h→next.dll(h)
Slide 21: Example: User-Defined List Segments
Checkers:
    l.ls(e) := if (l = e) then true
               else l→next.ls(e)
    l.list() := if (l = null) then true
                else l→next.list()
Summaries: “a list segment” α.ls(β) (l at α, e at β) versus “a segment of a list” α.list() *= β.list().
Want a decision procedure for these inclusions:
    α.ls(β) ⊑? α.list() *= β.list()    (and the converse)
Can reuse our parametric abstract domain!
Slide 22: An Alternative Semantics for Checkers
Concretization γ: a summary denotes a set of concrete stores. For the summary α.ls(β) (l at α, e at β) these are the stores l → … → e, with addrof(α) and addrof(β) the addresses of l’s and e’s nodes.
View the checker instead as a generator of “concrete” graphs, one unfolding step at a time:
    α = β (emp)
    α@next ↦ α′, α′ = β
    α@next ↦ α′ * α′@next ↦ α″, α″ = β
    …
Slide 23: Show the inclusion
Apply abstract interpretation, using only list as a checker parameter to the domain, to the generated graphs:
    α = β (emp)                                ⊑ α.list() *= β.list()
    α@next ↦ α′, α′ = β                        ⊑ α.list() *= β.list()
    α@next ↦ α′ * α′@next ↦ α″, α″ = β         ⊑ α.list() *= β.list()
    …
Widening: our widening
• is a non-symmetric binary operator
• interleaves region matching and summarizing
Properties
• Soundness: computes an over-approximation
• Termination: ensures the chain stabilizes
Algorithm
1. Iteratively split regions by matching nodes (ok by *)
2. Find a common abstraction for the matched regions (calling on ⊑ to check inclusion)
[SAS’07]
Slide 24: Inclusion Check
Example: α@next ↦ α′, α′ = β ⊑ α.list() *= β.list()
[Figure: the right side is unfolded at α into α@next ↦ α′ * (α′.list() *= β.list()); the next cell is matched against the left side, and with α′ = β the remaining segment is the empty one]
Algorithm
1. Iteratively split regions by matching nodes
2. Check inclusion by unfolding and matching edges until obvious (emp ⊑ emp)
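An added example (my own simplification, not the Xisa domain’s code) of the unfolding of slides 4 and 7 and of the unfold-and-match inclusion check of this slide, run on the concrete graphs that slide 22’s generator produces for α.ls(β): each is checked against the segment α.list() *= β.list(), and a chain that continues past β is rejected because the extra cell is not covered. The edge encoding, the fresh-name scheme and the matching order are assumptions.

```python
# Added example, not from the slides or Xisa. Graphs are sets of edges:
#   ('pt', a, f, b)  is  a@f ↦ b
#   ('list', a)      is  a.list()
#   ('seg', a, b)    is  a.list() *= b.list()
# Names starting with '?' are existential nodes introduced by unfolding.
import itertools

_fresh = itertools.count()

def fresh():
    return "?n%d" % next(_fresh)

def unfold(edge):
    """Disjuncts of one inductive edge, each as (pure equalities, edges):
    a.list()            = a = null ∧ emp  ∨  ∃n. a@next ↦ n * n.list()
    a.list() *= b.list() = a = b ∧ emp     ∨  ∃n. a@next ↦ n * (n.list() *= b.list())"""
    if edge[0] == "list":
        _, a = edge
        n = fresh()
        return [([(a, "null")], set()), ([], {("pt", a, "next", n), ("list", n)})]
    if edge[0] == "seg":
        _, a, b = edge
        n = fresh()
        return [([(a, b)], set()), ([], {("pt", a, "next", n), ("seg", n, b)})]
    raise ValueError(edge)

def included(left, right, sigma=None):
    """left ⊑ right. Points-to edges of the right side are matched first
    (binding its existentials to left nodes); an inductive edge is matched
    against an identical left edge or unfolded; success is emp ⊑ emp."""
    sigma = dict(sigma or {})
    res = lambda x: sigma.get(x, x)
    if not right:
        return not left
    pts = [e for e in right if e[0] == "pt" and not res(e[1]).startswith("?")]
    e = pts[0] if pts else next(iter(right))
    if e[0] == "pt":
        _, a, f, b = e
        for le in left:
            if le[0] == "pt" and le[1] == res(a) and le[2] == f:
                target = le[3]
                if res(b).startswith("?"):
                    return included(left - {le}, right - {e}, {**sigma, b: target})
                return res(b) == target and included(left - {le}, right - {e}, sigma)
        return False                      # no cell on the left for this edge
    inst = (e[0],) + tuple(res(x) for x in e[1:])
    if inst in left:                      # identical summary on both sides
        return included(left - {inst}, right - {e}, sigma)
    for eqs, edges in unfold(e):          # otherwise unfold (slide 4/7) and retry
        if all(res(x) == res(y) for x, y in eqs) and included(left, (right - {e}) | edges, sigma):
            return True
    return False

def gen_ls(k):
    """Slide 22's generator for α.ls(β): the k-th 'concrete' graph is a chain
    of k next-cells from 'a0' whose last node is β. Returns (graph, β)."""
    nodes = ["a%d" % i for i in range(k + 1)]
    return frozenset(("pt", nodes[i], "next", nodes[i + 1]) for i in range(k)), nodes[k]

def ls_in_list_segment(k):
    """Check the k-th generated graph against α.list() *= β.list()."""
    g, beta = gen_ls(k)
    return included(g, frozenset({("seg", "a0", beta)}))
```

Every unfolding on the right side consumes one cell on the left, so the search terminates on its own; the slide’s widening is what lifts these per-graph checks to the inductive case, which this example does not attempt.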
Slide 25: Summary: Reuse domain to decide relations amongst checker definitions
[Figure: as on slide 20: Xisa shape analyzer (abstract interpretation with splitting and interpreting update, and summarizing) fed by a checker analysis (“pre-program analysis”) that does level-type inference for unfolding and lemma proving for reduction]
checkers:
    dll(h, p) = if (h = null) then true
                else h→prev = p and dll(h→next, h)
Slide 26: Reduction: Next steps
• Non-unique representation problem magnified with user-supplied checkers
  – Need reduction to convert between representations
  – Ordering on checkers needed to apply reduction
• Ordering shown by applying Xisa to a checker definition
• To put into practice
  – Needed lemmas: pre-compute ordering or on demand?
  – When to apply: level types for unfolding may help
  – Derive new checkers (e.g., dll_back from dll)?
Slide 27: Summary: Using checkers as specs
Constructing the end-user program analysis
• Intermediate states: generalized segment predicates (α.c(γ) *= β.c′(γ′))
• Splitting: checker parameter types with levels (h : {next⟨0⟩, prev⟨0⟩}, p : {next⟨-1⟩, prev⟨-1⟩})
• Summarizing: history-guided approach (folding next cells into list summaries)
• Reduction: prove lemmas by reusing our domain on checkers (l.dll(p) := … with the semantics of dll_back)
Slide 28: Conclusion
• Checkers are useful specifications
  – Developer view: global, expressed in a familiar style
  – Analysis view: capture developer intent, not arbitrary inductive definitions
• Yet they are incomplete for program analysis
  – With an executable interpretation, can apply program analysis to checker definitions
  – Such “pre-analysis analysis” guides the code analysis
Slide 29: http://www.cs.colorado.edu/~bec/xisa