a semantics for procedure local heaps and its abstractions
DESCRIPTION
Noam Rinetzky Tel Aviv University. A Semantics for Procedure Local Heaps and its Abstractions. Noam Rinetzky Tel Aviv University. www.cs.tau.ac.il/~maon. Joint work with. Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly Sagiv Tel Aviv University - PowerPoint PPT PresentationTRANSCRIPT
A Semantics for Procedure Local Heapsand its Abstractions
Noam Rinetzky Tel Aviv University
Jörg Bauer Universität des Saarlandes Thomas Reps University of Wisconsin Mooly Sagiv Tel Aviv University Reinhard Wilhelm Universität des Saarlandes
Joint work with
Noam Rinetzky Tel Aviv University www.cs.tau.ac.il/~maon
Motivation
• Interprocedural shape analysis• Conservative static pointer analysis• Heap intensive programs
• Imperative programs with procedures• Recursive data structures
• Goals• Precision• Efficiency
Main idea
• Procedures as local heap transformers
y
t
g
X
y
t
g
call p(x);X
xx
Main Results
• Concrete operational semantics• Large step
• Functional analysis• Storeless
• Shape abstractions• Local heap• Observationally equivalent to “standard” semantics
• Java and “clean” C
• Abstractions• Shape analysis [Sagiv, Reps, Wilhelm, TOPLAS ‘02]• May-alias [Deutsch, PLDI ‘94]• …
Outline
• Motivating example• Why semantics• Localized Heap Storeless Semantics • Shape abstraction
static List reverse(List t) {
}
static void main() {
}
Example
p nn
t rn nn
List x = reverse(p);
return r;
nnt
List y = reverse(q);List z = reverse(x);
…
n nn
t rn nn
p x
nn
q nn
q
static List reverse(List t) {
}
static void main() {
}
Example
List y = reverse(q);
return r;List z = reverse(x);
List x = reverse(p);n
nt
t rn nnt rn nn
n nn
p x
q y
nn
nnt
q nn
n nn
p x
n nn
static List reverse(List t) {
}
static void main() {
}
Example
return r;
nnt
t rn nnt rn nn
n nn
p x
x z
n nn
p x
List z = reverse(x);
List x = reverse(p);List y = reverse(q);
q yn nn
n nn t
n nn t
q yn nn
pn n
n
• Separating objects • Not pointed-to by a parameter
Cutpoints
• Separating objects • Not pointed-to by a parameter
Cutpoints
p xn nn
n nn
proc(x)
Stack sharing
• Separating objects • Not pointed-to by a parameter
xn n
nn n
n
n y
Cutpoints
p x nn n
nn n
n
proc(x)
Stack sharing Heap sharing
proc(x)
Sharing patterns
t nn
q n n
p
t nn
p
q yn n n
t nn
n
px
q yn n n
t nn
n
qn n n
x y
static List reverse(List t) {
}
static void main() {
}
Example
return r;
r tn nnr tn nn
n nn
p x
z x
n nn
p x
List z = reverse(x);
List x = reverse(p);List y = reverse(q);
q yn nn
n nn t
q yn nn
pn n
n
Outline
Motivating example• Why semantics• Localized Heap Storeless Semantics • Shape abstraction
Abstract Interpretation[Cousot and Cousot, POPL ’77]
Operational semantics
Abstract transformer
Introducing local heap semantics
Operational semantics
Abstract transformer
Local heap Operational semantics
~’ ’
Part I
Part II
Outline
Motivating example Why semantics• LSL: Localized Heap Storeless Semantics • Shape abstraction
Programming model
• Single threaded• Procedures
Value parametersRecursion
• Heap Recursive data structuresDestructive update No explicit addressing (&, cast)
Simplifying assumptions
• No primitive values (reference only)• No globals• Formals not modified
0x10
0x12
0x14
0x11
0x12
0x13
0x14
0x00x15
x0x10…
n
n
Store-based semantics
• Object address• Memory state:
• Object: FieldIdAddress• Heap: AddressObject
Natural Addresses do not affect
shape x
~
0x12
0x0
0x10
x0x14…
n
n
Storeless semantics
• No addresses• Memory state:
• Object: 2Access paths
• Heap: 2Object
• Alias analysis
y=x
xn n
x x.n x.n.n
x=null
x n nxy
x.ny.n
x.n.ny.n.ny
yn ny y.n y.n.n
static void main() {
}
static List reverse(List t) {
return r;}
Example
x
List z = reverse(x);
p x.n.nn nx.n.n.n
pxx.n
n
y.n.nn
yy.nn yq y.n.n
nyy.n
n yq
t.n.nt.n.n.n tt.n
t.n.nn n
t.n.n.n tt.nn t
tn n nList x = reverse(p);List y = reverse(q);
r.nn n
rt
r.n.n.nr.n.n
n t
rr.n
n nr
tr.n.n.n
r.n.nn t
r
z.nn n
zx
z.n.n.nz.n.n
nz x
p?
static void main() {
}
static List reverse(List t) {
return r;}
Example
x
List z = reverse(x);
p x.n.nn nx.n.n.n
pxx.n
n
y.n.nn
yy.nn yq y.n.n
nyy.n
n yq
t.n.nt.n.n.n
L t t.n
t.n.nn nt.n.n.n
Ltt.n
nL t
L tn n nList x = reverse(p);List y = reverse(q);
L.nr.n
n nLr
t L.n.n.nr.n.n.n
L.n.nr.n.n
nL t
r
L.nr.n
n nLr
t L.n.n.nr.n.n.n
L.n.nr.n.n
n tL
r
p.nz.n
n npz
x p.n.n.nz.n.n.n
p.n.nz.n.n
nz xp
Cutpoint labels
• Relate pre-state with post-state• Additional roots • Mark cutpoints at and throughout an
invocation
Cutpoint labels
• Cutpoint label: the set of access paths that point to a cutpoint • when the invoked procedure starts
L t.n.nt.n.n.n
L t t.n t
L {t.n.n.n}
Sharing patterns
• Cutpoint labels encode sharing patterns
L tt.n.nn nt.n.n.n
L tt.n
n L tt.n.nn nt.n.n.n
L tt.n
n
p wn
ww.nn
L {t.n.n.n}
Stack sharing Heap sharing
Memory states
L = CPL,A
Lr.nL.n
rL
t, r.n.n.nL.n.n.n
r.n.nL.n.n
t
L={h.n.n.n}r n n n
{t.n.n.n} ,{ r ,{t.n.n.n}},
{r.n, {t.n.n.n}.n},{r.n, {t.n.n.n}.n.n},
{ t, r.n.n.n, {t.n.n.n}.n.n.n}
Formal semantics Ordinary statements
Procedure call semantics
Observational equivalence
L L (Local-heap Storeless Semantics)
G G (Global-heap Store-based Semantics)
L and G observationally equivalent
when for every access paths , = (L) = (G)
Main theorem: semantics equivalence
L L (Local-heap Storeless Semantics)
G G (Global-heap Store-based Semantics)
L and G observationally equivalent
st, L L st, G G
L and L are observationally equivalent
LSL GSB
Corollaries
• Preservation of invariants =
• Detection of memory leaks
Application
• Justify soundness of static analysis• May-alias analysis [TAU-TR-26/04]
• Shape Analysis
Outline
Motivating example Why semantics LSL: Localized Heap Storeless Semantics • Shape abstraction
Shape Abstraction
• Shape descriptors represent unbounded memory states• Conservatively• Bounded way
A Shape abstraction
Lr.nL.n
rL
t, r.n.n.nL.n.n.n
r.n.nL.n.n
t
L={t.n.n.n}
r n n n
A Shape abstraction
L tr n n nr.n
L.nrL
t, r.n.n.nL.n.n.n
r.n.nL.n.n
L=*
A Shape abstraction
Lt
r n nn
L=*
A Shape abstraction
Lt
r n nn
Lr.nL.n
rL
t, r.n.n.nL.n.n.n
r.n.nL.n.n
tr n n n
L={t.n.n.n}
L=*
L1={h.n}
A Shape abstraction
Lt
r n nn
L1
L1r.n
rt, L2.n, L1.n.n,r.n.n.n
L2, L1.n,r.n.n
tn n n
L2={h.n.n}L2
L=*
Application (joint work with Eran Yahav)
• A framework shape analysis using local heaps
• Parametric abstraction• Local heap (lists, trees, …)• Sharing patterns
Application
• Single threaded Java programs• Properties proved
• Absence of null derferences• Listness preservation• API conformance
• Recursive Iterative• Procedural abstraction
Procedural abstraction
Inline Procedure Call
Program MB Sec MB Sec
crt3 22.3 5.4 22.0 6.4
crt3x3 50.7 27.0 26.2 9.2
Recursion vs. Iteration Iterative Recursive
Program MB Sec. MB Sec
create 19.7 10.9 19.3 9.3
find 22.3 21.3 23.5 35.8
insert 23.3 41.2 23.3 41.2
delete 23.2 42.0 24.8 45.3
append 25.1 17.2 25.6 20.2
reverse 23.6 23.7 24.0 33.7
revApp 26.0 45.7 26.5 46.8
merge 25.9 579.7 27.8 91.9
splice 25.5 70.1 26.1 36.9
Democlass List {int d; List n; static List reverse(List t) { if (t == null || t.n == null) return t; List tn = t.n; t.n = null; List r = reverse(tn); tn.n = t; return r;}
static void main() { List p = create(4); List q = create(3); List x = reverse(p); List y = reverse(q); List z = reverse(x);}
Related work
• Storeless semantics• Jonkers, Algorithmic Languages ‘81 • Deutsch, ICCL ‘92
Related work
• Interprocedural shape analysis• Rinetzky and Sagiv, CC ’01
• Global heap
• Jeannet et al., SAS ’04 • Local heap, relational
• Chong and Rugina, SAS ’03• Local heap
• Hackett and Rugina, POPL ’05• Staged analysis
Related work
• Local reasoning• Ishtiaq and O’Hearn, POPL ‘01• Reynolds, LICS ’02• •
Summary
• Operational semantics • Storeless • Local heap• Cutpoints • Equivalence theorem
• Applications • Shape analysis• May-alias analysis
End
www.cs.tau.ac.il/~maon
A Semantics for procedure local heaps and its abstraction
Noam Rinetzky, Jörg Bauer, Thomas Reps, Mooly Sagiv, and Reinhard Wilhelm
AVACS Technical Report 1
Interprocedural functional shape analysis using local heaps
Noam Rinetzky, Mooly Sagiv, and Eran Yahav
School of Computer Science, Tel Aviv University, Technical Report 26/04