Lazy Abstraction. Lecture 3: Partial Analysis. Ranjit Jhala, UC San Diego. With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.

A Problem with Program Analysis. [Figure: Library and Client.] Whole program analysis is not always possible: • Availability: client code missing. • Scalability: whole system too large.

Partial Program Analysis. [Figure: Library and Client.] • Find an interface for the Library. • Use the interface to verify the Client.

Partial Program Analysis. [Figure: Library, Interface.] Availability: the interface is independent of the Client. Scalability: the interface is small, an abstraction of the Library.

What is an Interface? [Figure: API, Library states (Legal, Error), Interface.] Interface: constraints on legal uses of the API, i.e. the API call sequences after which the library is in a legal state.

Example. Library states: Legal (e=0), Error (e!=0). Library:
    static e=0; static a=NULL;
    acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;}
    read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;}
    rel(){ a:=NULL; return;}
[Figure: interface automaton with typestates n0, n1, n2 and edges labelled acq, read, rel.] Safe: Interface ⊆ Legal Call Sequences.

Safety Not Enough! API:
    static e=0, a=NULL, x=0;
    acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;}
    acqx(){ if(a==NULL){ a:=m_new(); x:=1; } else e:=1;}
    read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;}
    write(){ if(x!=0){ m_wr(a); } else e:=1; return;}
    rel(){ a:=NULL; return;}
    relx(){ a:=NULL; x:=0;}
[Figure: interface automaton with typestates n0, n1, n2 and edges labelled acq/x, rel/x, read, write.] The interface disallows all calls to write: • Useless for Partial Program Analysis.

Permissive Interfaces. Same API as above. [Figure: interface automaton with typestates n0, n1, n2, n3: acq leads from n0 to n1, where read is allowed; acqx leads from n0 to n3, where read and write are allowed; relx returns to n0.] Permissive: Legal Call Sequences ⊆ Interface. Partial Analysis needs Safe + Permissive Interfaces.
Plan 1. Motivation 2. Characterizing Safe, Permissive Interfaces 3. Computing Safe, Permissive Interfaces 4. Extensions 5. Experiments
Typestate Interpretations. An interface is a typestate system: an abstraction of the library's internal state. A typestate interpretation labels each typestate n with a region r, an over-approximation of the possible internal states, such that: (P1) the initial states are in r0, the region of n0; (P2) for every edge n --f--> n', Post(r, f) ⊆ r'. Example labelling: n0: a=0; n1: a≠0; n2: e≠0; (P2) is checked edge by edge for acq(), read() and rel() against the library code above.

Safe Interpretations. A typestate interpretation (P1, P2) that also satisfies (P3): for every legal typestate n, r ⊆ ¬Err. Theorem: a Safe Interpretation implies a Safe Interface.

Permissive Interpretations. A typestate interpretation (P1, P2) that also satisfies (P4): for every illegal typestate n, r ⊆ Err. Theorem: a Permissive Interpretation implies a Permissive Interface.
Sanity Check. API with acq, acqx, read, write, rel, relx (as in "Safety Not Enough!"), interface with typestates n0: a=0, n1: a≠0, n2: e≠0, where write leads from n1 to n2. Q: Why is this not a permissive interface? A: (P2) fails on the write edge: from a≠0, write() leaves e=0 whenever x≠0, so Post(a≠0, write) ⊄ e≠0; the labelling is not an interpretation. Labelling n2 with e≠0 ∪ e=0 instead restores (P2), but then (P4) fails: the illegal typestate n2 is not ⊆ Err, so it is not a permissive interpretation.
Plan 1. Motivation 2. Characterizing Safe, Permissive Interfaces 3. Computing Safe, Permissive Interfaces 4. Extensions 5. Experiments
Computing Interfaces. Problem A: Interface Checking. Given a Library, a candidate interface I and an abstraction, check whether I is safe and permissive. Problem B: Interface Reconstruction. Given a Library and an abstraction, reconstruct a safe, permissive interface I. Problem C: Interface Inference. Given a Library, infer a safe, permissive interface I.

A. Interface Checking. Safe and permissive are checked independently. [Figure: the interface automaton (n0, n1, n2; acq, read, rel) next to the Library code.] Library states: Legal (e=0), Error (e!=0).

A. Interface Checking [Safe]. Idea: treat the interface as a client and analyze Interface Client + Library. Verify the assertion: Client in legal location ⇒ Library in legal state.

A. Interface Checking [Permissive]. Same idea: analyze Interface Client + Library. Verify the assertion: Client in illegal location ⇒ Library in illegal state.

A. Interface Checking. Safe and permissive are checkable by assertion verification!
Abstract Reachability Graphs. Library as in the example (static e=0; static a=NULL; acq, read, rel); abstraction predicates {a=0, e=0}. The ARG of Interface Client + Library is built step by step; each node is an interface location with an abstract region:
• Node 0 at n0: a=0, e=0 (initial).
• acq() from node 0 reaches node 1 at n1: a≠0, e=0.
• rel() from node 1 reaches n0 with a=0, e=0: covered by node 0.
• rel() from node 0 stays at n0 with a=0, e=0: covered by node 0.
• read() from node 0 reaches node 2 at n2: e≠0.
• acq() from node 1 reaches n2 with e≠0: covered by node 2.
• read() from node 1 reaches n1 with a≠0, e=0: covered by node 1.
• rel() from node 1 reaches n0 with a=0, e=0: covered by node 0.
Library states: Legal (e=0), Error (e!=0). Verify assertion [Safe]: Client in legal location ⇒ Library in legal state (nodes at n0 and n1 have e=0). Verify assertion [Permissive]: Client in illegal location ⇒ Library in illegal state (the node at n2 has e≠0).
A. Interface Checking. On the ARG above both assertions hold, so the interface is Safe and Permissive. Safe assertion: Client in legal location ⇒ Library in legal state. Permissive assertion: Client in illegal location ⇒ Library in illegal state.

A. Interface Checking. Abstract Reachability Graph corresponds to Typestate Interpretation; Safe Assertion corresponds to Safe Interpretation; Permissive Assertion corresponds to Permissive Interpretation.

Computing Interfaces. Problem A: Interface Checking. Given a Library, a candidate interface I and an abstraction, check whether I is safe and permissive. Problem B: Interface Reconstruction. Given a Library and an abstraction, reconstruct a safe, permissive interface I. Problem C: Interface Inference. Given a Library, infer a safe, permissive interface I. Solution: assertion verification over the Abstract Reachability Graph.
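The following is an added worked example, not code from the lecture or from any tool it describes. It models the slides' library (a, e, x as 0/1 values, m_new/m_rd/m_wr reduced to their effect on those variables), computes the typestate interpretation that the abstract reachability graph yields for a given interface under a cartesian predicate abstraction, and checks (P1)-(P4) to decide "safe" and "permissive" as in Problem A. The interface edge sets (SIMPLE, RESTRICTIVE, PERMISSIVE) are reconstructions of the slide diagrams and the choice of predicates beyond {a=0, e=0} is an assumption; both are labelled in the code.

```python
from itertools import product

# Concrete library state is (a, e, x), each 0 or 1; a != 0 models a non-NULL pointer.
# The library is in an Error state exactly when e != 0 (e=0: Legal, e!=0: Error).
INIT = (0, 0, 0)
STATES = list(product((0, 1), repeat=3))

def is_err(s):
    return s[1] != 0

# The slides' API; m_new yields a non-NULL a, m_rd and m_wr leave (a, e, x) unchanged.
def acq(s):
    a, e, x = s
    return (1, e, x) if a == 0 else (a, 1, x)
def acqx(s):
    a, e, x = s
    return (1, e, 1) if a == 0 else (a, 1, x)
def read(s):
    a, e, x = s
    return s if a != 0 else (a, 1, x)
def write(s):
    a, e, x = s
    return s if x != 0 else (a, 1, x)
def rel(s):
    return (0, s[1], s[2])
def relx(s):
    return (0, s[1], 0)

API = {f.__name__: f for f in (acq, acqx, read, write, rel, relx)}

def cube(**lits):
    """Region of concrete states satisfying literals, e.g. cube(a=1, e=0) is a!=0 and e=0."""
    return frozenset(s for s in STATES if all(s["aex".index(v)] == b for v, b in lits.items()))

def post(region, f):
    """Post(r, f): states reachable from region r by one call of API function f."""
    return frozenset(API[f](s) for s in region)

def alpha(region, preds):
    """Cartesian predicate abstraction: keep every predicate literal (p or not p) that
    holds on all of `region` and return the cube they describe (an over-approximation)."""
    if not region:
        return frozenset()
    lits = []
    for p in preds:
        vals = {p(s) for s in region}
        if len(vals) == 1:
            lits.append((p, vals.pop()))
    return frozenset(s for s in STATES if all(p(s) == v for p, v in lits))

def properties(edges, r, legal, init=INIT):
    """(P1)-(P4) of the slides for a candidate interpretation r: typestate -> region."""
    p1 = init in r.get("n0", ())                                                   # (P1)
    p2 = all(post(r.get(n, ()), f) <= r.get(n2, frozenset()) for n, f, n2 in edges)  # (P2)
    p3 = all(not is_err(s) for n in r if n in legal for s in r[n])                 # (P3)
    p4 = all(is_err(s) for n in r if n not in legal for s in r[n])                 # (P4)
    return p1, p2, p3, p4

def interpret(edges, preds, init=INIT):
    """Least r satisfying (P1) and (P2) under abstraction `preds`: the per-location join
    of the abstract reachability graph of Interface Client + Library."""
    r = {"n0": alpha({init}, preds)}
    changed = True
    while changed:
        changed = False
        for n, f, n2 in edges:
            if n in r:
                new = alpha(r.get(n2, frozenset()) | post(r[n], f), preds)
                if new != r.get(n2):
                    r[n2], changed = new, True
    return r

def check(edges, legal, preds):
    """Interface checking (Problem A): safe iff (P3), permissive iff (P4)."""
    r = interpret(edges, preds)
    _, _, safe, permissive = properties(edges, r, legal)
    return safe, permissive, r

PREDS_AE = [lambda s: s[0] == 0, lambda s: s[1] == 0]  # abstraction {a=0, e=0} from the ARG slides
PREDS_AEX = PREDS_AE + [lambda s: s[2] == 0]           # assumption: x=0 added once write matters
LEGAL = {"n0", "n1", "n3"}                             # n2 is the error typestate throughout

# Edge sets reconstructed from the slide diagrams (assumption): (source, call, target).
SIMPLE = [("n0", "acq", "n1"), ("n1", "read", "n1"), ("n1", "rel", "n0"), ("n0", "rel", "n0"),
          ("n0", "read", "n2"), ("n1", "acq", "n2")]
RESTRICTIVE = SIMPLE + [("n0", "acqx", "n1"), ("n1", "relx", "n0"), ("n0", "relx", "n0"),
                        ("n1", "acqx", "n2"), ("n0", "write", "n2"), ("n1", "write", "n2")]
PERMISSIVE = [("n0", "acq", "n1"), ("n0", "acqx", "n3"), ("n1", "read", "n1"), ("n1", "rel", "n0"),
              ("n1", "relx", "n0"), ("n3", "read", "n3"), ("n3", "write", "n3"), ("n3", "relx", "n0"),
              ("n0", "rel", "n0"), ("n0", "relx", "n0"), ("n0", "read", "n2"), ("n0", "write", "n2"),
              ("n1", "write", "n2"), ("n1", "acq", "n2"), ("n1", "acqx", "n2"), ("n3", "acq", "n2"),
              ("n3", "acqx", "n2")]

if __name__ == "__main__":
    for name, edges, preds in (("simple", SIMPLE, PREDS_AE), ("restrictive", RESTRICTIVE, PREDS_AE),
                               ("permissive", PERMISSIVE, PREDS_AEX)):
        safe, permissive, _ = check(edges, LEGAL, preds)
        print(f"{name:12s} safe={safe}  permissive={permissive}")
```

Running it reproduces the deck: SIMPLE gets exactly the ARG regions of the slides (n0: a=0,e=0; n1: a≠0,e=0; n2: e≠0) and is safe and permissive; RESTRICTIVE is safe but not permissive, because the write edge carries e=0 states into n2 (the sanity check's failing (P4)); the candidate labelling n2: e≠0 fails (P2) on that same edge when passed to properties. PERMISSIVE is safe and permissive only under PREDS_AEX: with {a=0, e=0} alone the abstraction forgets x after acqx, so the region at n3 cannot show that write keeps e=0, which is the usual reason a lazy-abstraction refinement would add the predicate x=0.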