1 / 122

Noam Rinetzky Lecture 14: Shape Domains & Interprocedural Analysis

Program Analysis and Verification 0368- 4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html. Noam Rinetzky Lecture 14: Shape Domains & Interprocedural Analysis. Slides credit: Roman Manevich , Mooly Sagiv , Eran Yahav. Abstract (conservative) interpretation.

becka
Télécharger la présentation

Noam Rinetzky Lecture 14: Shape Domains & Interprocedural Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Program Analysis and Verification 0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 14: Shape Domains & Interprocedural Analysis Slides credit: Roman Manevich, MoolySagiv, EranYahav

  2. Abstract (conservative) interpretation abstract representation abstract representation statement S abstract semantics concretization concretization set of states set of states set of states statement S  operational semantics(concrete semantics)

  3. The collecting lattice • Lattice for a given control-flow node v: Lv=(2State, , , , , State) • Lattice for entire control-flow graph with nodes V: LCFG = Map(V, Lv) • We will use this lattice as a baseline for static analysis and define abstractions of its elements

  4. Galois Connection: ((a)) a What a represents in C(its meaning) C A  a (a) 1 2  ((a))  3

  5. Resulting algorithm  • Kleene’s fixed point theorem gives a constructive method for computing the lfp Mathematical definition lfp(f) = nNfn() lfp fn() Algorithm … d := whilef(d)  ddod := d  f(d)returnd f2() f() 

  6. Shape Analysis Automaticallyverify properties of programs manipulating dynamically allocated storage Identify all possible shapes (layout) of the heap

  7. Shape Analysis via 3-valued Logic 1) Abstraction • 3-valued logical structure • canonical abstraction 2) Transformers • via logical formulae • soundness by construction • embedding theorem, [SRW02]

  8. Concrete State • represent a concrete state as a two-valued logical structure • Individuals = heap allocated objects • Unary predicates = object properties • Binary predicates = relations • parametric vocabulary n n u1 u2 u3 Top (storeless, no heap addresses)

  9. Concrete State • S = <U,  > over a vocabulary P • U – universe •  - interpretation, mapping each predicate from p to its truth value in S n n u1 u2 u3 Top • U = { u1, u2, u3} • P = { Top, n } • (n)(u1,u2) = 1, (n)(u1,u3)=0, (n)(u2,u1)=0,… • (Top)(u1)=1, (Top)(u2)=0, (Top)(u3)=0

  10. Collecting Semantics • At every program point – a potentially infinite set of two-valued logical structures • Representing (at least) all possible heaps that can arise at the program point • Challenge: find a bounded abstract representation

  11. Canonical Abstraction: “Abstraction by Partinioning” n n u1 u2 u3 u1 u2 u3 Top Top

  12. 3-Valued Logic • 1 = true • 0 = false • 1/2 = unknown • A join semi-lattice, 0  1 = 1/2 1/2 information order 0 1 logical order

  13. 3-Valued Logical Structures • A set of individuals (nodes) U • Relation meaning • Interpretation of relation symbols in Pp0()  {0,1, 1/2}p1(v)  {0,1, 1/2}p2(u,v)  {0,1, 1/2} • A join semi-lattice: 0  1 = 1/2

  14. Canonical Abstraction () • Merge all nodes with the same unary predicate values into a single summary node • Join predicate values ’(u’1 ,..., u’k) =  {(u1 ,..., uk) | f(u1)=u’1 ,..., f(uk)=u’k } • Converts a state of arbitrary size into a 3-valued abstract state of bounded size • (C) =  { (c) | c  C }

  15. Information Loss n n Top Top Top Top Canonical abstraction n n n Top n n Top

  16. Shape Analysis via 3-valued Logic 1) Abstraction • 3-valued logical structure • canonical abstraction 2) Transformers • via logical formulae • soundness by construction • embedding theorem, [SRW02]

  17. Concrete Interpretation Rules

  18. Example: s = Topn s’(v) = v1: Top(v1)  n(v1,v) s u2 u3 u1 u2 u3 u1 Top Top

  19. Abstract Semantics ? s = Topn s rTop rTop Top Top rTop rTop s = Top->n s’(v) = v1: Top(v1)  n(v1,v)

  20. Problem: Information Loss n n Top Top Top Top Canonical abstraction n n n Top n n Top

  21. Instrumentation Predicates n n Top • Record additional derived information via predicates c Top Top n n n rx(v) = v1: x(v1)  n*(v1,v) c c Top c(v) = v1: n(v1, v)  n*(v, v1) Canonical abstraction

  22. Embedding Theorem: Conservatively Observing Properties Top rTop rTop No Cycles No cycles (derived) 1/2 1 v1,v2: n(v1, v2)  n*(v2, v1) v:c(v)

  23. Best Transformer (s= Topn) s ConcreteSemantics rTop Top rTop Top rTop rTop s rTop rTop rTop Top s’(v) = v1: Top(v1)  n(v1,v) Top rTop rTop rTop . . . . . . Canonical Abstraction  s ? Top rTop rTop AbstractSemantics s rTop Top rTop Top rTop rTop rTop

  24. Abstract Semantics ? s = Topn s rTop rTop Top Top rTop rTop s = Top->n s’(v) = v1: Top(v1)  n(v1,v)

  25. Problem: Imprecise Transformers

  26. Semantic Reduction • Improve the precision of the analysis by recovering properties of the program semantics • A Galois connection (C, , , A) • An operation op:AAis a semantic reduction when • lL2 op(l)l and • (op(l)) = (l)  l op  C A

  27. The Focus Operation • Focus: Formula((3-Struct)  (3-Struct)) • Generalizes materialization • For every formula  • Focus()(X) yields structure in which  evaluates to a definite values in all assignments • Only maximal in terms of embedding • Focus() is a semantic reduction • But Focus()(X) may be undefined for some X

  28. Partial Concretization Based on Transformer (s=Topn) s AbstractSemantics rTop rTop Top Top rTop rTop s Top rTop rTop rTop s’(v) = v1: Top(v1)  n(v1,v) rTop rTop rTop Top Canonical Abstraction Focus (Topn) Partial Concretization u: top(u) n(u, v) s rTop rTop Top AbstractSemantics s Top rTop rTop Top rTop rTop rTop

  29. Partial Concretization Locally refine the abstract domain per statement Soundness is immediate Employed in other shape analysis algorithms [Distefano et.al., TACAS’06, Evan et.al., SAS’07, POPL’08]

  30. The Coercion Principle • Another Semantic Reduction • Can be applied after Focus or after Update or both • Increase precision by exploiting some structural properties possessed by all stores (Global invariants) • Structural properties captured by constraints • Apply a constraint solver

  31. Apply Constraint Solver  Top rTop rTop x x Top Top rTop rTop rTop rTop n n n n n n n x x rx rx,ry rx rx,ry rx,ry rx,ry n y y

  32. Sources of Constraints • Properties of the operational semantics • Domain specific knowledge • Instrumentation predicates • User supplied

  33. Example Constraints x(v1) x(v2)eq(v1, v2) n(v, v1) n(v,v2)eq(v1, v2) n(v1, v) n(v2,v)eq(v1, v2)is(v) n*(v3, v4)t[n](v1, v2)

  34. Abstract Transformers: Summary • Kleene evaluation yields sound solution • Focus is a statement-specific partial concretization • Coerce applies global constraints

  35. Abstract Semantics if v = entry { <,> } •  { t_embed(coerce(st(w)3(focusF(w)(SS[w] ))))  (w,v)  E(G), w  Assignments(G) •  { S | S  SS[w] }  othrewise (w,v)  E(G), w  Skip(G) SS [v] = • { t_embed(S) | S  coerce(st(w)3(focusF(w)(SS[w] )))and S 3 cond(w)}  (w,v)  True-Branches(G) • { t_embed(S) | S  coerce(st(w)3(focusF(w)(SS[w] ))) and S 3cond(w)}  (w,v)  False-Branches(G)

  36. Recap • Abstraction • canonical abstraction • recording derived information • Transformers • partial concretization (focus) • constraint solver (coerce) • sound information extraction

  37. Stack Push emp … Top void push(int v){ Node x = alloc(sizeof(Node)); xd = v; xn = Top; Top = x; } x x x Top v: x(v) v: x(v) x Top x x Top Top Top v1,v2: n(v1, v2) Top(v2) v:c(v) Top

  38. Interprocedural Analysis

  39. Today • Analyzing programs with procedures • Precision (consider calling contexts) • Performance 2

  40. Procedural program void main() { int x; x = p(7); x = p(9); } int p(int a) { return a + 1; }

  41. call bar() Effect of procedures foo() The effect of calling a procedure is the effect of executing its body bar()

  42. call bar() Interprocedural Analysis foo() goal: compute the abstract effect of calling a procedure bar()

  43. Reduction to intraprocedural analysis • Procedure inlining • Naive solution: call-as-goto

  44.  Reminder: Constant Propagation  Variable not a constant -1 0 1 … - …   No information Z

  45.    Reminder: Constant Propagation • L = (Var  Z , ) • 12 iff x: 1(x) ’2(x) • ’ ordering in the Z lattice • Examples: • [x , y  42, z ]  [x , y  42, z  73] • [x , y  42, z  73]  [x , y  42, z ] 13

  46. Reminder: Constant Propagation • Conservative Solution • Every detected constant is indeed constant • But may fail to identify some constants • Every potential impact is identified • Superfluous impacts

  47. Procedure Inlining void main() { int x; x = p(7); x = p(9); } int p(int a) { return a + 1; }

  48. Procedure Inlining void main() { int x; x = p(7); x = p(9); } int p(int a) { return a + 1; } void main() { int a, x, ret; a = 7; ret = a+1; x = ret; a = 9; ret = a+1; x = ret; } [a ⊥, x ⊥, ret ⊥] [a 7, x 8, ret 8] [a 9, x 10, ret 10]

  49. Procedure Inlining • Pros • Simple • Cons • Does not handle recursion • Exponential blow up • Reanalyzing the body of procedures p1 { call p2 … call p2 } p2 { call p3 … call p3 } p3{ }

  50. A Naive Interprocedural solution • Treat procedure calls as gotos

More Related