Shape Analysis. CS252r Spring 2011

Transcription

1 Shape Analysis CS252r Spring 2011

2 Outline Motivation for shape analysis Three-valued logic Region-based with tracked locations 2

3 Shape analysis [Wilhelm, Sagiv, and Reps, CC 2000] Shape analysis: static program analyses for reasoning about properties of the heap Kinds of questions: Null pointers: Is pointer expression maybe null at program point? May-Alias: Can two pointer expressions reference same heap cell? Must-alias: two pointer expression always reference same heap cell Sharing: is there more than one pointer expression referencing a heap cell? Reachability: is the heap cell reachable from a specific variable? any variable? Disjointness: Do two data structures have any common elements? Cyclicity: Can a heap cell be part of a cycle? Program understanding, debugging, and verification 3

4 Shape analysis Shape analysis is flow-sensitive Computes for each point in program a finite, conservative representation of the heap-allocated data structures that could arise when a path to the program point is executed Finite representation means must be approximate E.g., generally lose info about lengths of lists, depths of trees 4

5 Shape Analysis via 3-valued logic [Sagiv, Reps, Wilhelm, POPL 99] Framework for shape analysis Instantiate by specifying predicates about the heap In concrete execution, these predicates are either true or false In static analysis, approximate the predicates using 3- valued logic True, False, Don t know 5

6 3-valued logic And OR

7 3-valued logic And 0 ½ ½ 0 ½ ½ 1 0 ½ 1 OR 0 ½ ½ 1 ½ ½ ½

8 Individuals and Predicates Universe of individuals U u U represents is an abstract location Represents one or more concrete locations Each concrete location is represented by exactly one abstract location Some predicates pointed-to-by-variable-x(u) Abbreviated to x(u), means that stack variable x points to a concrete location represented by u pointer-component-f-points-to(u 1, u 2 ) Abbreviated to f(u 1, u 2 ), means a concrete object rep. by u 1 has field f that points to concrete object rep by u 2 sm(u) u is summary node, i.e., represents more than 1 concrete location 8

9 Meaning of predicates U,ι is a 3-valued structure U is universe of individuals ι gives valuation to predicates ι : p:pred U arity(p) {0, ½, 1} A 3-valued structure represents zero or more concrete states If formula φ evaluates in U,ι to 1, then φ holds in every concrete store U,ι represents If formula φ evaluates in U,ι to 0, then φ never holds in any concrete store U,ι represents If formula φ evaluates in U,ι to ½, then we don t know anything about φ in any concrete store U,ι represents 9

10 Graphical representation /* 1ist.h */ typedef struct node { struct node *n; int data; } *List; /* reverse.c */ #include 1ist.h List reversetlist x> { List y, t; assert (acyclic-list (x1 > ; y=null; while (x!= NULL) { t = y; y = x; x = x->n; y-h = t; 1 return y; 1 S Structure unary predicates: indiv. x y t sm is so binary predicates:! unary predicates: binary unary predicates: predicates: Graphical Representation Figure 2: The three-valued logical structures that describe all possible acyclic inputs to reverse. 10

11 Graphical representation /* 1ist.h */ typedef struct node { struct node *n; int data; } *List; /* reverse.c */ #include 1ist.h List reversetlist x> { List y, t; assert (acyclic-list (x1 > ; y=null; while (x!= NULL) { t = y; y = x; x = x->n; y-h = t; 1 return y; 1 S Structure unary predicates: indiv. x y t sm is so binary predicates:! unary predicates: binary unary predicates: predicates: Graphical Representation Figure 2: The three-valued logical structures that describe all possible acyclic inputs to reverse. 11

12 Updating formula Key idea: track state of formula at each program point. Just like dataflow unary predicates: statement 1 formula structure that arises just after statement _... st1: y = NULL; y (v) = 0 st2: t = y; t (v) = Y(V) stg: y = x; Y (V) = 4u) st4: x = x->n; z (v) = 3Vl : Z(Q) A n(w1, v) 12 (Ol,212) = (n(v1,vz) A -y(w)) v (Y(W) A t(v2)) sts: y-al = t; is (w) = is(v) A 3Vl,D2 : V (t(v) A 3~1 : n(w, v) A y(w )) Ul # 212 An(v1,v) A7qv2,v) A -y(w) A -y(vz) > : :; 12

13 Updating formula sts: y-al = t; 12 (Ol,212) = (n(v1,vz) A -y(w)) v (Y(W) A t(v2)) is (w) = stz: t = y; t (v) = Y(V) st3: y = x; Y (V) = dv> is(v) A 3Vl,D2 : V (t(v) A 3~1 : n(w, v) A y(w )) Ul # 212 An(v1,v) A7qv2,v) A -y(w) A -y(vz) > : x s*,_.._, st4: x = x->n; z (v) = 3Vl : z(q) A n(v1, v) sts: y-al = t; I n v1,v2 ) = (?z(vl, v2) A -y(v1)) v (y(w) A t(v2)) is (v) = VI #aan(vl,v)an(w,v) is(v) A 3~1,212 : ( A-y(w) A -7y(v2) V (t(v) A 31 : n(w,~) A -y(w)) > st2: t = y; t (v) = Y(V) st3: y = x; Y (V) = 4V) st4: x = x->n; st5: y-h = t; z (w) = 3Vl : 2?(Q) A n(m, tj) n (m, ~2) = (n(vl, ~2) A my) V (y(w) A t(w)) is (v) = is(v) A 3~1, v2 : V (t(v) A 3~1 : n(w,v) A l!/(w)) ( ~1 # ~2 An(w,v) An(vz,v) A ly(m) A T&Z) > I 2011 igure Stephen 3: The Chong, first Harvard three University iterations of the abstract interpretation of reverse (7 via I the simplified framework described in Section 4). is 13

14 Instrumentation predicates Consider formula φ(v) = v 1,v 2 : n(v 1,v) n(v 2, v) v 1 v 2 There are at least two different objects pointing to v What does φ(u) evaluate to, for shape graph above? With v 1 = u 1, v 2 =u, we have n(u 1,u) n(u, u) u 1 u ½ ½ 1 ½ Implies that tail of linked list might be shared But this is not the case for a linked list! 14

15 Instrumentation predicates Maintain precision by using instrumentation predicates predicate is(u) represents truth of predicate for nodes represented by abstract location Is Shared is(u)=0 implies that S 2 can only represent acyclic lists unary predicates: 15

16 Other useful instrumentation predicates 1 Pred. I Intended Meaning I Puruose I Ref.] qq-- TX(v) 44 Cf.6 (v> Cb.f (v) Do two or more fields of heap elements point to v? Is v (transitively) reachable from pointer variable x? Is v reachable from some pointer variable (i.e., is v a non-garbage element)? Is v on a directed cycle? Does a field-f dereference from v, followed by a field-b dereference, yield v? Does a field-b dereference from v, followed by a field-f dereference, yield v? lists *and trees separating disjoint data structures compile-time garbage collection ref. counting WI [ll] doubly-linked [7], lists [I61 doubly-linked [7], lists [16] 16

17 Focus for precision Once the value of a formula is ½, it can be easy to lose precision. stg: y = x; Y (V) = 4u) st4: x = x->n; z (v) = 3Vl : Z(Q) A n(w1, v) Focusing may allow us to maintain precision Key idea: if update formula evaluates to ½, try instantiating it to 0 and 1 Focus attention on each of the possible cases May need to make sure rest of structure is consistent 17

18 Focus example.. 4 ; input struct. s5 a focus formulae {$+(2)) = 31 : 2(w) A n(tj1, v), &qv) = y(v), cp; yv> = t(v)} focused struct. %f,o &4(u) = 0 %f,l pg4 (u) = 1 S&f,2 cp:t (u) = 1 & (21) = 0..m. x,,_@ 4d x,y_@_r x,y_o~~-_:::::::::~.~ update t t pct4(v) PO; 4(v) $4 4(v) formulae t t (PL4(v) cp:4 (v) t cp; 4 (211, v2) 31 : 2(Vl) A n(v1, v)ly(v) It(v) lis(v) m(v) jtz(v1, v2) output struct. ss,o,o SS,o,l X s5,0,2 X y+@ j& 0-A...?a *...: i ). 0 (I,:;:;,::r b 0,: y-u1 Y n, u.1 coerced struct. St?,0 &,l X se,2 y+@ 4& 0-A n Y- Ul U y-o-q..?l@ Figure 5: The first application of the improved transformer for statement st4: x = x->n in reverse. 18

19 Focus example.. 4 ; input struct. s5 a focus formulae {$+(2)) = 31 : 2(w) A n(tj1, v), &qv) = y(v), cp; yv> = t(v)} focused struct. %f,o &4(u) = 0 %f,l pg4 (u) = 1 S&f,2 cp:t (u) = 1 & (21) = 0..m. x,,_@ 4d x,y_@_r x,y_o~~-_:::::::::~.~ update t t pct4(v) PO; 4(v) $4 4(v) formulae t t (PL4(v) cp:4 (v) t cp; 4 (211, v2) 31 : 2(Vl) A n(v1, v)ly(v) It(v) lis(v) m(v) jtz(v1, v2) output struct. ss,o,o SS,o,l X s5,0,2 X y+@ j& 0-A...?a *...: i ). 0 (I,:;:;,::r b 0,: y-u1 Y n, u.1 coerced struct. St?,0 &,l X se,2 y+@ 4& 0-A n Y- Ul U y-o-q..?l@ Figure 5: The first application of the improved transformer for statement st4: x = x->n in reverse. 19

20 Region-based shape analysis with tracked locations Hackett and Rugina, POPL 05 Key idea: reason about one location at a time Allows a decomposition of a state into a set of tracked locations Reason about each tracked location independently of others Better scalability, compact representation, context-sensitive analysis No need to merge abstractions, or keep multiple abstractions of entire heap Easier on-demand and incremental algorithms 20

21 Memory regions Analysis builds on top of a region analysis Each region represents a set of concrete locations Each concrete location represented by exactly one region Points-to relation over regions must be sound Can use a variety of region analyses E.g., flow-sensitive or insensitive In paper, they use a flow-insensitive, context-sensitive analysis that uses an intra-procedural unification-based analysis, and uses procedure summaries for an interprocedural analysis 21

22 Configurations and shape abstractions A configuration is (i, (e +, e - )) i is index, a function from regions to {0,,k, } i(r) = How many locations in r point to tracked location means k+1 e + is hit set: expressions that definitely refer to tracked location e - is miss set: expressions that definitely do not refer to tracked location A shape abstraction is a set of configurations at most one configuration for each index each concrete location should be represented by at least one configuration Treat shape abstraction as partial function from indexes to hit/miss sets 22

23 Example 1: typedef struct list { 2: struct list *n; 3: int data; 4: } List; 5: 6: List *splice(list *x, List *y) { 7: List *t = NULL; 8: List *z = y; 9: while(x!= NULL) { 10: t = x; 11: x = t->n; 12: t->n = y->n; 13: y->n = t; 14: y = y->n->n; 15: } 16: return z; 17: } t x z y Example concrete input t x z y Corresponding output Region Shape Component Points-to Configurations Configurations Component for input memory for output memory T X Z Y n L (X 1, {x}, ) (Y 1, {y}, ) (L 1,, ) (Z 1, {z}, ) (T 1 L 1, {t}, ) (Y 1 L 1, {y}, ) (L 1,, ) 23

24 Intra-procedural analysis (a 1 a 2 )(i) = 8 < : a 1 (i) if i dom(a 2 ) a 2 (i) if i dom(a 1 ) a 1 (i) a 2 (i) if i dom(a 1 ) dom(a 2 ) where (e + 1,e 1 ) (e+ 2,e 2 )=(e+ 1 e+ 2,e 1 e 2 ) and (e +,e )=(e +,e ) =(e +,e ) For all s S asgn,s a S alloc,s e S entry,i I : [JOIN] [TRANSF] Res( s) i = F s pred(s) Res(s ) i Res(s ) i = F i I ([s](ρ, (i, Res( s) i ))) i [ALLOC] Res(s a ) i a h a, where [s a ] gen (ρ) =(i a,h a ) [ENTRY] Res( s e ) i a o i 24

25 Splice example 8: z = y; Y 1 X 1 L 1 9: while (x!= NULL) Y 1 Z 1 X 1 L 1 10: t = x; Y 1 Z 1 Z 1 X 1 T 1 L 1 L 1 Y 1 L 1 Y 1 T 1 L 1 11: x = t->n; 12: t->n = y->n; 13: y->n = t; Y 1 Z 1 Y 1 Z 1 Y 1 Z 1 Z 1 Z 1 Z 1 X 1 T 1 T 1 T 1 L 2 tn yn L 1 L 1 tn L 1 tn yn Y 1 L 1 Y 1 L 1 tn Y 1 L 1 tn yn Y 1 L 2 tn yn X 1 L 1 tn X 1 L 1 tn yn X 1 X 1 Y 1 L 1 tn X 1 Y 1 L 1 tn yn X 1 Y 1 Loop 14: y = y->n->n; Y 1 Z 1 Z 1 T 1 L 1 yn L 1 yn Y 1 L 1 yn X 1 X 1 Y 1 Z 1 T 1 L 1 Y 1 T 1 L 1 L 1 Y 1 L 1 X 1 16: return z; Z 1 L 1 Figure 5: Shape analysis results for splice. Boxes represent configurations and edges show how the state of the tracked location changes during the execution. We only show field access expressions in the hit and miss sets. We use the abbreviations: tn t->n and yn y->n, and we indicate miss expressions using overlines. For readability, back edges from configurations at the end of the loop to the corresponding configurations at the beginning of the loop are omitted. 25

26 Transfer function for assign [e o e 1 ](ρ, (i, (e +,e ))) : case (D [e 0 ](ρ, (i, (e +,e ))), D [e 1 ](ρ, (i, (e +,e )))) of (v 0 {, +}, v 1 {, +}) assign(e 0,e 1, ρ,i,e +,e,v 0 =+,v 1 =+) (?, v 1 {+, }) assign(e 0,e 1, ρ,i,e + {e 0 },e, true,v 1 =+) assign(e 0,e 1, ρ,i,e +,e {e 0 }, false,v 1 =+) (v 0 {, +},?) assign(e 0,e 1, ρ,i,e + {e 1 },e,v 0 =+, true) assign(e 0,e 1, ρ,i,e +,e {e 1 },v 0 =+, false) (?,?) assign(e 0,e 1, ρ,i,e + {e 0,e 1 },e, true, true) assign(e 0,e 1, ρ,i,e + {e 0 },e {e 1 }, true, false) assign(e 0,e 1, ρ,i,e + {e 1 },e {e 0 }, false, true) assign(e 0,e 1, ρ,i,e +,e {e 0,e 1 }, false, false) Figure 10: Transfer function for assignments [e 0 e 1 ]. assign(e 0,e 1, ρ,i,e +,e,b 0,b 1 ): 1 r = L[e 0 ](ρ) 2 if (b 0 b 1 ) then 3 if (i(r) k) then S i = { i[r i(r) 1] } 4 else S i = { i[r k], i[r ] } 5 else if ( b 0 b 1 ) then 6 if (i(r) <k) then S i = { i[r i(r)+1]} 7 else S i = { i[r ] } 8 else S i = { i } 9 10 e + n = {e e + S[e] v (ρ,r) (S [e] l (ρ,r) b 1 )} 11 e n = {e e S[e] v (ρ,r) (S [e] l (ρ,r) b 1 )} if (S [e 0 ] l (ρ,r) b 1 ) then e + n = {e 0 } 14 if (S [e 0 ] l (ρ,r) b 1 ) then e n = {e 0 } if (S [e 0 ] l (ρ,r) S [e 1 ] l (ρ,r)) then 17 e + n = (e + n [ e 0 / e 1 ] E p ) e n = ( e n [ e 0 / e 1 ] E p ) 20 e n = {e e n i S i.i (L[e]ρ) =0} return (S i, (e + n,e n )) Figure 11: Helper function assign. 26

27 Interprocedural analysis Context-sensitive interprocedural analysis A context for a procedure is a single configuration, output is a set of contexts Fine granularity helps scalability Less redundant computation Allows incremental analysis E.g., now calling splice with a cyclic list - Just one new configuration: L 2 z x y t 27

28 Uses and limitations Can be used for memory error detection Double frees, dangling pointer access, memory leak Spurious configurations Configuration that represents concrete states that cannot occur at runtime Better decision procedure would help Complex structural invariants e.g., double linked lists Sensitive to how program is written e.g., x = t->n vs x = x->n treated differently, since analysis doesn t know x = t Exponential 28

29 Verification vs. inference Separation logic has shown a lot of success at verifying programs that destructively update heap To what extent can separation logic be used in inference of heap properties? 29