Interprocedural Shape Analysis for Cutpoint-Free Programs

Interprocedural shape analysisfor cutpoint-free programs ניתוח צורני בין-שגרתי לתוכניות נטולות נקודות-חתוך Noam Rinetzky Tel Aviv University Joint work with Mooly Sagiv Tel Aviv University Eran Yahav IBM Watson

Motivation • Conservative static program analysis • (Recursive) procedures • Dynamically allocated data structures • Applications • Cleanness • Verify data structure invariants • Compile-time garbage collection • …

A crash course in abstract interpretation • Static analysis: Automatic derivation of properties which hold on every execution leading to a program point main() { int w=0,x=0,y=0,z=0; w = 2 + y - 1; x = 2 + z - 1; assert: w+x is even }

How to handle procedures? • Pure functions • Procedure  input/output relation • No side-effects main() { int w=0,x=0,y=0,z=0; w = inc(y); x = inc(z); assert: w+x is even } int inc(int p) { return 2 + p - 1; }

int g = 0; g = p; What about global variables? • Procedures have side-effects • Easy fix int g = 0; main() { int w=0,x=0,y=0,z=0; w = inc(y); x = inc(z); assert: w+x+g is even } int inc(int p) { g = p; return 2 + p - 1; }

Pointers Aliasing Destructive update Heap Global resource Anonymous objects n y.n=z append(y,z) z But what about pointers and heap? x.n.n ~ y n n x y x.n.n.n ~ z How to tabulate append?

q q q p p p n n n n x x t t n n y z How to tabulate procedures? • Procedure  input/output relation • Not reachable  Not effected • proc: local (reachable) heap  local heap main() { append(y,z); } append(List p, List q) { … } n y z

q q p p n n n n t t n n n y q p x z n n n n How to handle sharing? • External sharing may break the functional view main() { append(y,z); } append(List p, List q) { … } n n y x z

n x t t What’s the difference? 1st Example 2nd Example append(y,z); append(y,z); n n n y y x z z

Cutpoints • An object is a cutpoint for an invocation • Reachable from actual parameters • Not pointed to by an actual parameter • Reachable without going through a parameter append(y,z) append(y,z) n n n n y y n n t t x z z

Cutpoint freedom • Cutpoint-free • Invocation: has no cutpoints • Execution: every invocation is cutpoint-free • Program: every execution is cutpoint-free append(y,z) append(y,z) n n n n x y t y t z x z

Main results • Cutpoint freedom • Non-standard concrete semantics • Verifies that an execution is cutpoint-free • Local heaps • Interprocedural shape analysis • Conservatively verifies • program is cutpoint free • Desired properties • Partial correctness of quicksort • Procedure summaries • Prototype implementation

Plan • Cutpoint freedom • Non-standard concrete semantics • Interprocedural shape analysis • Prototype implementation

Programming model • Single threaded • Procedures • Value parameters • Formal parameters not modified • Recursion • Heap • Recursive data structures • Destructive update • No explicit addressing (&) • No pointer arithmetic

Memory states • A memory state encodes a local heap • Local variables of the current procedure invocation • Relevant part of the heap • Relevant  Reachable main append q p n n x t y z

Memory states • Represented by first-order logical structures

Memory states • Represented by first-order logical structures q p n u1 u2

Operational semantics • Statements modify values of predicates • Specified by predicate-update formulae • Formulae in FO-TC

z x y q p n append(y,z) q p n z x y n n Procedure calls append(p,q) 1. Verify cutpoint freedom 2 Compute input … Execute callee … 3 Combine output append body

Procedure call: 1. Verifying cutpoint-freedom • An object is a cutpoint for an invocation • Reachable from actual parameters • Not pointed to by an actual parameter • Reachable without going through a parameter append(y,z) append(y,z) n n n n y y n x x z z n t t Not Cutpoint free Cutpoint free

Procedure call: 1. Verifying cutpoint-freedom • Invoking append(y,z) in main • R{y,z}(v)=v1:y(v1)n*(v1,v)  v1:z(v1)n*(v1,v) • isCPmain,{y,z}(v)= R{y,z}(v)  (y(v)z(v1))  ( x(v)  t(v)  v1: R{y,z}(v1)n(v1,v)) (main’s locals: x,y,z,t) n n n n y y n x x z z n t t Not Cutpoint free Cutpoint free

Input state n n p q Procedure call: 2. Computing the input local heap • Retain only reachable objects • Bind formal parameters Call state n n y x z n t

n Output state n n p q Procedure body: append(p,q) Input state n n p q

n n p q Procedure call:3. Combine output Output state Call state n n n y x z n t

n n y n z x n t Procedure call:3. Combine output Output state Call state n n n n n y p x z q n t Auxiliary predicates inUc(v) inUx(v)

Observational equivalence • CPF  CPF (Cutpoint free semantics) • GSB  GSB (Standard semantics) CPF and GSBobservationally equivalent when for every access paths AP1, AP2  AP1 = AP2 (CPF)  AP1 = AP2 (GSB)

Observational equivalence • For cutpoint free programs: • CPF  CPF (Cutpoint free semantics) • GSB  GSB (Standard semantics) • CPF and GSB observationally equivalent • It holds that • st, CPF  ’CPF st, GSB  ’GSB • ’CPF and ’GSB are observationally equivalent

Operational semantics Abstract transformer ’ ’ Introducing local heap semantics ~ Local heap Operational semantics

Shape abstraction • Abstract memory states represent unbounded concrete memory states • Conservatively • In a bounded way • Using 3-valued logical structures

3-Valued logic • 1 = true • 0 = false • 1/2 = unknown • A join semi-lattice, 0  1 = 1/2

z y n x n n n n t Canonical abstraction y z n n n n n x n n t

Instrumentation predicates • Record derived properties • Refine the abstraction • Instrumentation principle [SRW, TOPLAS’02] • Reachability is central!

z y n n n n n rx rx,ry rz rz rx x n n rt rt t Abstract memory states (with reachability) z y n n n n n rz rx rx rx rx,ry rz rz rz rx rx rx rx,ry rz rz x n n rt rt rt rt rt rt t

z y n x n n n n t The importance of reachability:Call append(y,z) z y n n n n n rz rx rx rx rx,ry rz rz x n n rt rt rt t y z n n n n n x rx rx,ry rz rz rx n n rt rt t

Abstract semantics • Conservatively apply statements on abstract memory states • Same formulae as in concrete semantics • Soundness guaranteed [SRW, TOPLAS’02]

z x y q p n append(y,z) q p n z x y n n Procedure calls append(p,q) 1. Verify cutpoint freedom 2 Compute input … Execute callee … 3 Combine output append body

Conservative verification of cutpoint-freedom • Invoking append(y,z) in main • R{y,z}(v)=v1:y(v1)n*(v1,v)  v1:z(v1)n*(v1,v) • isCPmain,{y,z}(v)= R{y,z}(v)  (y(v)z(v1))  ( x(v)  t(v)  v1: R{y,z}(v1)n(v1,v)) n n n n n ry ry ry ry rx ry rz y y rz n n n n z z x rt rt rt rt t t Not Cutpoint free Cutpoint free

Interprocedural shape analysis p p x x y Tabulation exits call f(x) y

Interprocedural shape analysis p p p x p x y Analyze f Tabulation exits call f(x) y

Interprocedural shape analysis • Procedure  input/output relation Output Input q q rq rq q q p p n rq rp rp rp rq n q n p p … q n n n rp rp rp rq rq rp rp

rh ri rk rg q q p p n rq rp rp rp rq y z z y x x append(y,z) n ry rx rx ry ry rz x x y y z z n n append(y,z) n n n n n ry rx rz rz ry rx rx rx ry rx rx rx g g i i k k h h append(h,i) n n n rk ri rg rh rg rh rg Interprocedural shape analysis • Reusable procedure summaries • Heap modularity

Prototype implementation • TVLA based analyzer • Soot-based Java front-end • Parametric abstraction

Iterative vs. Recursive (SLL) 585

Inline vs. Procedural abstraction // Allocates a list of // length 3 List create3(){ … } main() { List x1 = create3(); List x2 = create3(); List x3 = create3(); List x4 = create3(); … }

Call string vs. Relational vs. CPF[Rinetzky and Sagiv, CC’01] [Jeannet et al., SAS’04]

Related Work • Interprocedural shape analysis • Rinetzky and Sagiv, CC ’01 • Chong and Rugina, SAS ’03 • Jeannet et al., SAS ’04 • Hackett and Rugina, POPL ’05 • Rinetzky et al., POPL ‘05 • Local Reasoning • Ishtiaq and O’Hearn, POPL ‘01 • Reynolds, LICS ’02 • Encapsulation • Noble et al. IWACO ’03 • ...

n n n ry ry append(y,z); x = null; rx ry y rz n n z x rt rt t Future work • Bounded number of cutpoints • False cutpoints • Liveness analysis

Interprocedural Shape Analysis for Cutpoint-Free Programs