A Combination Framework for Tracking Partition Sizes
Sumit Gulwani, Microsoft Research
Tal Lev-Ami, Tel-Aviv University
Mooly Sagiv, Tel-Aviv University
POPL, January 22, 2009
Savannah, Georgia
What?
• Framework for constructing static analyses
– Tracking the sizes of dynamically allocated data structures
StringBuffer (from MS code)
• Linked lists of chunks
– Reversed order (fast append)
– Partially filled (fast remove)
• chunk.len = number of used chars in chunk
used(nil) = used(z) = used(z.succ) z.data[0 .. z.len]
Termination: BubbleSort
• Termination is non-trivial
void BubbleSort(int *A, int n) {
  int change = 1;                          /* did the previous pass swap anything? */
  while (change) {
    change = 0;
    for (int j = 0; j < n - 1; j = j + 1) {
      if (A[j] > A[j+1]) {
        int t = A[j]; A[j] = A[j+1]; A[j+1] = t;   /* Swap(A[j], A[j+1]) */
        change = 1;
      }
    }
  }
}
Termination: BubbleSort
• Termination is non-trivial
• Prove c n
– c number of elements in the correct position
void BubbleSort(int *A, int n) {
  int change = 1;                          /* did the previous pass swap anything? */
  int c = 0;                               /* instrumentation: counts outer iterations */
  while (change) {
    c = c + 1;
    change = 0;
    for (int j = 0; j < n - 1; j = j + 1) {
      if (A[j] > A[j+1]) {
        int t = A[j]; A[j] = A[j+1]; A[j+1] = t;   /* Swap(A[j], A[j+1]) */
        change = 1;
      }
    }
  }
}
The Key Idea
• Modular abstract-domain combination approach
• Reuse existing domains
– Set Domain
  • Track sets of memory locations
  • Such as domains for shape analysis
  • E.g., Canonical Abstraction [SRW’02], Separation Domain [DOY’06], Boolean Heaps [PW’05]
– Numerical Domain
  • Track sizes and correlations with numerical variables
  • E.g., Polyhedra [CH’78], Octagon [Miné’01], Intervals [CC’07]
Reasoning about Sets and Sizes
ls(x,nil) ls(y,nil)
x_,nil y_,nil z=nil
z = x.next
x_,nil ls(y,nil) z=nil
x_,z ls(z,nil) ls(y,nil)
|ls(x,nil)| = |ls(y,nil)|
|ls(z,nil)|+1 = |ls(y,nil)|
|x_,nil| = |ls(y,nil)| |x_,nil| = |y_,nil|
Division of labor
• Share information between the domains
– Similar to Nelson-Oppen [NO’80]
[x_,nil]A [ls(y,nil)]B z = nil A=B
|x_,nil| = A|ls(y,nil)| = B
x_,nil ls(y,nil) z = nil
Extra Operations Required of Set Domain
• BaseSets
– List the base sets of a given set-domain element
Example
BaseSets(x_,nil ls(y,nil) z = nil) = {x_,nil, ls(y,nil)}
Extra Operations Required of Set Domain
• BaseSets
– List the base sets of a given set-domain element
• Witness
– Relate the base sets before and after a set-domain operation
Example
Witness(ls(x,nil) x_,z ls(z,nil)) = {ls(x,nil) x_,z ls(z,nil)}
z=x.next
Combination Approach
• Construct the standard operations for the combined domain
– Use the operations of the base domains and the extra operations of the set domain
Example: Join
[x_,nil]A [ls(y,nil)]B
A=1 B = n-1 B 1
[ls(x,nil)]C [y_,nil]D
D=1 C = n-1 C 1
[ls(x,nil)]E [ls(y,nil)]F
A=E B=F A=1 B=n-1 B 1
C=E D=F D=1 C=n-1 C 1
E+F = n E 1 F 1
JoinSet
JoinNum
Witness
In the Paper
• Set Domains that support the extra operations
– Canonical Abstraction
– Boolean Heaps
– Separation Domain
• Algorithms for combined domain operations
– Soundness and precision claims and proofs
• Tradeoffs between complexity of set and numerical domains
Prototype Implementation
• Set Domain
– Canonical Abstraction - TVLA [LS’00]
• Numerical Domain
– Polyhedra - PPL [BHZ’08]
The Benchmarks

Category                 Program             Time (secs)   Overhead   States
String Buffer            SB.remove           295.21        2.83       50,615
                         SB.toString         79.53         3.15       10,176
Termination              BubbleSort          3.57          0.54       886
                         Mark                2.44          3.02       1,530
Linked List              Reverse             0.34          1.64       90
                         Filter              0.76          0.54       238
                         Merge               1.08          1.88       341
                         MergeNoDups         4.06          2.53       1,838
Data Structure Copy      AcyclicList.copy    0.39          1.44       74
                         CyclicList.copy     4.54          1.02       155
                         Tree.copy           4.15          1.45       642
                         NaryTree.copy       138.2         N/A        5,439
                         ListOfLists.copy    39.95         1.44       5,353
                         ListOfArrays.copy   12.67         1.02       2,260
                         ArrayOfLists.copy   7.99          3.00       1,628
JDK Collections Library  LinkedList.add      1.45          2.23       17
                         LinkedList.addAll   10.93         2.00       215
                         LinkedList.remove   2.51          2.10       173
                         HashMap.put         9.45          1.02       3,132
                         HashMap.putAll      111.84        2.59       22,431
                         HashMap.remove      2.13          1.92       725
No False Alarms
Related Work
• Domain constructors [CC’79]
– Logical Abstract Domains [GT’06]
• Combination of numeric and pointer analysis [Detsch’92]
– Type systems [HP’99, HJ’03]
– Tracking lengths of linked lists [YB’02, BBHIMV’06, MBCC’07]
– Tracking other numerical properties [GDDRS’04, Rugina’04]
• Reducing Pointer to Integer Programs [DRS’03, BBHIMV’06, MBCC’07]
• Decision Procedures
– BAPA [KR’07]
– Entailment for separation logic with arithmetic [NDQC’07]
Our Basic Operation 1: Saturate
• Share Information between the domains
– Similar to Nelson-Oppen [NO’80]
[x_,nil]A [ls(y,nil)]B z = nil A=B
A=1
B=1
[x_,nil]A [y_,nil]B z = nil B=1 A=1
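The Saturate exchange on this slide (and the same sharing step under "Division of labor" above) as an added toy model written for this page, not code from the paper or from its TVLA/PPL prototype. It assumes a set domain whose base sets are either a points-to edge (x_,nil: exactly one cell) or a list segment (ls(y,nil): at least one cell), each tagged with a size variable, and a numerical domain that only keeps equalities and constants; the function name saturate and the tags "pts"/"ls" are my own.

```python
def saturate(base_sets, equalities, consts=None):
    """Exchange facts between a toy set domain and a toy numerical domain
    until neither learns anything new (Nelson-Oppen style sharing).

    base_sets:  {size_var: (kind, root)} with kind "pts" (root->nil, one cell)
                or "ls" (ls(root,nil), a segment of at least one cell)
    equalities: set of (var, var) pairs the numerical domain knows are equal
    consts:     {var: int} constants the numerical domain already knows
    Returns the refined base sets and the constants after saturation.
    Inconsistent inputs are not modelled (a real domain would go to bottom).
    """
    base_sets = dict(base_sets)
    consts = dict(consts or {})
    changed = True
    while changed:
        changed = False
        # Set domain -> numerical domain: a points-to edge has size exactly 1.
        for var, (kind, _root) in list(base_sets.items()):
            if kind == "pts" and consts.get(var) != 1:
                consts[var] = 1
                changed = True
        # Numerical domain: push constants across the known equalities.
        for a, b in equalities:
            for src, dst in ((a, b), (b, a)):
                if src in consts and consts.get(dst) != consts[src]:
                    consts[dst] = consts[src]
                    changed = True
        # Numerical domain -> set domain: a segment of size 1 is one cell,
        # so ls(root,nil) can be refined to the points-to edge root->nil.
        for var, (kind, root) in list(base_sets.items()):
            if kind == "ls" and consts.get(var) == 1:
                base_sets[var] = ("pts", root)
                changed = True
    return base_sets, consts


def slide_example():
    """The slide's instance: [x->nil]A, [ls(y,nil)]B, z = nil, and A = B.
    The set domain yields A = 1, the numerical domain then B = 1, and the
    set domain refines ls(y,nil) to y->nil (constructed input)."""
    return saturate({"A": ("pts", "x"), "B": ("ls", "y")}, {("A", "B")})
```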