![Page 1: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/1.jpg)
A Dynamic Evaluation of the Precision
of Static Heap Abstractions
OOSPLA - Reno, NV October 20, 2010
Percy Liang Omer Tripp Mayur Naik Mooly SagivUC Berkeley Tel-Aviv Univ. Intel Labs Berkeley Tel-Aviv Univ.
![Page 2: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/2.jpg)
Introduction
Broad goal: verify correctness properties of software
2
![Page 3: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/3.jpg)
Introduction
Broad goal: verify correctness properties of software
Motivating domain: multi-threaded programs (race and deadlock detection)
2
![Page 4: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/4.jpg)
Introduction
Broad goal: verify correctness properties of software
Motivating domain: multi-threaded programs (race and deadlock detection)
client query
program Static Analysis heap abstraction
2
![Page 5: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/5.jpg)
Introduction
Broad goal: verify correctness properties of software
Motivating domain: multi-threaded programs (race and deadlock detection)
client query
program Static Analysis heap abstraction
no OR possible(false positives ⇒ imprecision!)
2
![Page 6: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/6.jpg)
Introduction
Broad goal: verify correctness properties of software
Motivating domain: multi-threaded programs (race and deadlock detection)
client query
program Static Analysis heap abstraction
no OR possible(false positives ⇒ imprecision!)
Heap abstraction affects precision and scalabilty
2
![Page 7: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/7.jpg)
Introduction
Broad goal: verify correctness properties of software
Motivating domain: multi-threaded programs (race and deadlock detection)
client query
program Static Analysis heap abstraction
no OR possible(false positives ⇒ imprecision!)
Heap abstraction affects precision and scalabilty
Question: what heap abstractions should one use?
2
![Page 8: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/8.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
3
![Page 9: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/9.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
getnew() {return new
}x = getnew()y = getnew()y.f = newz = newspawn y
p: ... ? ...
3
![Page 10: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/10.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
getnew() {return new
}x = getnew()y = getnew()y.f = newz = newspawn y
p: ... ? ...
x
3
![Page 11: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/11.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
getnew() {return new
}x = getnew()y = getnew()y.f = newz = newspawn y
p: ... ? ...
x
y
3
![Page 12: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/12.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
getnew() {return new
}x = getnew()y = getnew()y.f = newz = newspawn y
p: ... ? ...
x
y
3
![Page 13: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/13.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
getnew() {return new
}x = getnew()y = getnew()y.f = newz = newspawn y
p: ... ? ...
x
y
z
3
![Page 14: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/14.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
getnew() {return new
}x = getnew()y = getnew()y.f = newz = newspawn y
p: ... ? ...
x
y
z
3
![Page 15: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/15.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
getnew() {return new
}x = getnew()y = getnew()y.f = newz = newspawn y
p: ... ? ...
x
y
z
x y zconcrete answer no yes no
3
![Page 16: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/16.jpg)
Example client: ThreadEscape
Query: Does a variable point to a thread-escaping object at a program point?
getnew() {return new
}x = getnew()y = getnew()y.f = newz = newspawn y
p: ... ? ...
x
y
z
x y zconcrete answer no yes noabstract answer yes yes no
3
![Page 17: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/17.jpg)
Heap abstractions
Heap abstraction: partitioning of concrete objects
4
![Page 18: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/18.jpg)
Heap abstractions
Heap abstraction: partitioning of concrete objectsP1
P2
P3
4
![Page 19: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/19.jpg)
Heap abstractions
Heap abstraction: partitioning of concrete objectsP1
P2
P3
Property holds of partition ⇔ ∃o ∈ partition such that property holds of o
4
![Page 20: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/20.jpg)
Heap abstractions
Heap abstraction: partitioning of concrete objectsP1
P2
P3
Property holds of partition ⇔ ∃o ∈ partition such that property holds of o
Formally: heap abstraction is function α
concrete object o abstract object α(o)
4
![Page 21: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/21.jpg)
Heap abstractions
Heap abstraction: partitioning of concrete objectsP1
P2
P3
Property holds of partition ⇔ ∃o ∈ partition such that property holds of o
Formally: heap abstraction is function α
concrete object o abstract object α(o)
Example:
α(o) = alloc-site(o)
4
![Page 22: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/22.jpg)
Heap abstractions
Heap abstraction: partitioning of concrete objectsP1
P2
P3
Property holds of partition ⇔ ∃o ∈ partition such that property holds of o
Formally: heap abstraction is function α
concrete object o abstract object α(o)
Example:
α(o) = 〈alloc-site(o), other-information(o)〉
4
![Page 23: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/23.jpg)
The heap abstraction landscape
Tradeoff:
imprecise, fast
(e.g., 0-CFA)
precise, slow
(e.g., ∞-CFA)
5
![Page 24: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/24.jpg)
The heap abstraction landscape
Tradeoff:
imprecise, fast
(e.g., 0-CFA)
precise, slow
(e.g., ∞-CFA)
How much precision is necessary for the given client?
5
![Page 25: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/25.jpg)
The heap abstraction landscape
Tradeoff:
imprecise, fast
(e.g., 0-CFA)
precise, slow
(e.g., ∞-CFA)
How much precision is necessary for the given client?
But it’s expensive to implement precise abstractions...
5
![Page 26: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/26.jpg)
The heap abstraction landscape
Tradeoff:
imprecise, fast
(e.g., 0-CFA)
precise, slow
(e.g., ∞-CFA)
How much precision is necessary for the given client?
But it’s expensive to implement precise abstractions...
Many dimensions:
k-CFA: call stack information
5
![Page 27: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/27.jpg)
The heap abstraction landscape
Tradeoff:
imprecise, fast
(e.g., 0-CFA)
precise, slow
(e.g., ∞-CFA)
How much precision is necessary for the given client?
But it’s expensive to implement precise abstractions...
Many dimensions:
k-CFA: call stack informationObject recencyHeap connectivityetc.
5
![Page 28: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/28.jpg)
The heap abstraction landscape
Tradeoff:
imprecise, fast
(e.g., 0-CFA)
precise, slow
(e.g., ∞-CFA)
How much precision is necessary for the given client?
But it’s expensive to implement precise abstractions...
Many dimensions:
k-CFA: call stack informationObject recencyHeap connectivityetc.
Question: how can we explore all these abstractions cheaply?
5
![Page 29: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/29.jpg)
Main idea
Goal: get an idea of the utility of these abstractionswithout implementing expensive static analyses
6
![Page 30: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/30.jpg)
Main idea
Goal: get an idea of the utility of these abstractionswithout implementing expensive static analyses
Key idea: use dynamic information
6
![Page 31: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/31.jpg)
Main idea
Goal: get an idea of the utility of these abstractionswithout implementing expensive static analyses
Key idea: use dynamic information
Static: all traces (expensive)6
![Page 32: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/32.jpg)
Main idea
Goal: get an idea of the utility of these abstractionswithout implementing expensive static analyses
Key idea: use dynamic information
Static: all traces (expensive) Dynamic: one trace (cheap)6
![Page 33: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/33.jpg)
Methodology
1. Run program dynamically with instrumentation
Concrete trace: ω1 ω2 ω3 ω4 ω5
7
![Page 34: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/34.jpg)
Methodology
1. Run program dynamically with instrumentation
2. Compute heap abstraction on each state
Concrete trace: ω1 ω2 ω3 ω4 ω5
Abstract trace: ωα1 ωα
2 ωα3 ωα
4 ωα5
7
![Page 35: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/35.jpg)
Methodology
1. Run program dynamically with instrumentation
2. Compute heap abstraction on each state
3. Answer query under abstraction
Concrete trace: ω1 ω2 ω3 ω4 ω5
Abstract trace: ωα1 ωα
2 ωα3 ωα
4 ωα5
Abstract query answer: no yes no yes no
7
![Page 36: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/36.jpg)
Methodology
1. Run program dynamically with instrumentation
2. Compute heap abstraction on each state
3. Answer query under abstraction
Query is true ⇔ true on any state in trace
Concrete trace: ω1 ω2 ω3 ω4 ω5
Abstract trace: ωα1 ωα
2 ωα3 ωα
4 ωα5
Abstract query answer: no yes no yes no ⇒ yes
7
![Page 37: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/37.jpg)
What does this tell us?
8
![Page 38: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/38.jpg)
What does this tell us?
Note: no approximation on primitive data, method summarization, etc.
(focus exclusively on the heap abstraction)
8
![Page 39: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/39.jpg)
What does this tell us?
Note: no approximation on primitive data, method summarization, etc.
(focus exclusively on the heap abstraction)
⇒ performing the most precise analysis using a given heap abstraction α
8
![Page 40: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/40.jpg)
What does this tell us?
Note: no approximation on primitive data, method summarization, etc.
(focus exclusively on the heap abstraction)
⇒ performing the most precise analysis using a given heap abstraction α
⇒ provides upper bound on precision of any static analysis using α
8
![Page 41: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/41.jpg)
Outline
• Abstractions: augment allocation sites with more context
– call stack
– object recency
– heap connectivity
9
![Page 42: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/42.jpg)
Outline
• Abstractions: augment allocation sites with more context
– call stack
– object recency
– heap connectivity
• Clients: motivated by concurrency
– ThreadEscape
– SharedAccess
– SharedLock
– NonStationaryField
9
![Page 43: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/43.jpg)
Outline
• Abstractions: augment allocation sites with more context
– call stack
– object recency
– heap connectivity
• Clients: motivated by concurrency
– ThreadEscape
– SharedAccess
– SharedLock
– NonStationaryField
• Benchmarks: 9 programs from the standard Dacapo suite
9
![Page 44: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/44.jpg)
Outline
• Abstractions: augment allocation sites with more context
– call stack
– object recency
– heap connectivity
• Clients: motivated by concurrency
– ThreadEscape
– SharedAccess
– SharedLock
– NonStationaryField
• Benchmarks: 9 programs from the standard Dacapo suite
• Results: investigate all combinations
9
![Page 45: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/45.jpg)
Abstraction: call stack [Shivers, 1988]
Common pattern: factory constructor methods
getnew() {h1: return new
}p2: x = getnew()p3: y = getnew()
spawn yp1: ... x ...
10
![Page 46: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/46.jpg)
Abstraction: call stack [Shivers, 1988]
Common pattern: factory constructor methods
getnew() {h1: return new
}p2: x = getnew()p3: y = getnew()
spawn yp1: ... x ...
x
y
h1
Alloc
Allocation sites are too weak
10
![Page 47: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/47.jpg)
Abstraction: call stack [Shivers, 1988]
Abstraction Allock (k is call stack depth):
call-stack-during-allocation-of(o)[1..k]
Common pattern: factory constructor methods
getnew() {h1: return new
}p2: x = getnew()p3: y = getnew()
spawn yp1: ... x ...
x
y
h1
Alloc
Allocation sites are too weak
10
![Page 48: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/48.jpg)
Abstraction: call stack [Shivers, 1988]
Abstraction Allock (k is call stack depth):
call-stack-during-allocation-of(o)[1..k]
Common pattern: factory constructor methods
getnew() {h1: return new
}p2: x = getnew()p3: y = getnew()
spawn yp1: ... x ...
x
y
h1
Alloc
x
y
h1,p2
h1,p3 Allock=1
Allocation sites are too weak
Adding one level of calling context is sufficient
10
![Page 49: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/49.jpg)
Abstraction: object recency [Balakrishnan & Reps, 2006]
Common pattern: server programs construct data, release to new thread
while (*) {x = new
p1: ... x ...spawn x
}
11
![Page 50: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/50.jpg)
Abstraction: object recency [Balakrishnan & Reps, 2006]
Common pattern: server programs construct data, release to new thread
while (*) {x = new
p1: ... x ...spawn x
}
x
h1 Allock=∞
No amount of calling context helps
11
![Page 51: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/51.jpg)
Abstraction: object recency [Balakrishnan & Reps, 2006]
Abstraction Recencyrk (r is recency depth); for r = 1:
recency-bit(o)
Common pattern: server programs construct data, release to new thread
while (*) {x = new
p1: ... x ...spawn x
}
x
h1 Allock=∞
No amount of calling context helps
11
![Page 52: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/52.jpg)
Abstraction: object recency [Balakrishnan & Reps, 2006]
Abstraction Recencyrk (r is recency depth); for r = 1:
recency-bit(o)
Objects allocated: o1 o2 o3 o4 o5Allock: h2 h4 h4 h2 h4
Common pattern: server programs construct data, release to new thread
while (*) {x = new
p1: ... x ...spawn x
}
x
h1 Allock=∞
No amount of calling context helps
11
![Page 53: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/53.jpg)
Abstraction: object recency [Balakrishnan & Reps, 2006]
Abstraction Recencyrk (r is recency depth); for r = 1:
recency-bit(o)
Objects allocated: o1 o2 o3 o4 o5Allock: h2 h4 h4 h2 h4
recency-bit: 0 0 0 1 1
Common pattern: server programs construct data, release to new thread
while (*) {x = new
p1: ... x ...spawn x
}
x
h1 Allock=∞
No amount of calling context helps
11
![Page 54: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/54.jpg)
Abstraction: object recency [Balakrishnan & Reps, 2006]
Abstraction Recencyrk (r is recency depth); for r = 1:
recency-bit(o)
Objects allocated: o1 o2 o3 o4 o5Allock: h2 h4 h4 h2 h4
recency-bit: 0 0 0 1 1
Common pattern: server programs construct data, release to new thread
while (*) {x = new
p1: ... x ...spawn x
}
x
h1 Allock=∞
x
h1,1 h1,0 Recencyr=1
No amount of calling context helps
Recency makes the proper distinctions11
![Page 55: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/55.jpg)
Abstraction: heap connectivity [Sagiv et al., 2002]
Common pattern: build linked list data structures
h1: s = newspawn s
h2: x = newy = xwhile (*) {
h3: z = newy.f = zif (x.f == y)
s.f = zy = z
}x = x.f
p1: ... x ...
12
![Page 56: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/56.jpg)
Abstraction: heap connectivity [Sagiv et al., 2002]
Common pattern: build linked list data structures
h1: s = newspawn s
h2: x = newy = xwhile (*) {
h3: z = newy.f = zif (x.f == y)
s.f = zy = z
}x = x.f
p1: ... x ...
x sh1,0
h2,0 h3,1 h3,0 Recencyr=∞
No amount of recency helps
12
![Page 57: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/57.jpg)
Abstraction: heap connectivity [Sagiv et al., 2002]
ReachFromk: set of alloc. sites reaching Allock(o)
Common pattern: build linked list data structures
h1: s = newspawn s
h2: x = newy = xwhile (*) {
h3: z = newy.f = zif (x.f == y)
s.f = zy = z
}x = x.f
p1: ... x ...
x sh1,0
h2,0 h3,1 h3,0 Recencyr=∞
No amount of recency helps
12
![Page 58: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/58.jpg)
Abstraction: heap connectivity [Sagiv et al., 2002]
ReachFromk: set of alloc. sites reaching Allock(o)
PointedToByk: set of alloc. sites reaching Allock(o) in 1 step
Common pattern: build linked list data structures
h1: s = newspawn s
h2: x = newy = xwhile (*) {
h3: z = newy.f = zif (x.f == y)
s.f = zy = z
}x = x.f
p1: ... x ...
x sh1,0
h2,0 h3,1 h3,0 Recencyr=∞
No amount of recency helps
12
![Page 59: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/59.jpg)
Abstraction: heap connectivity [Sagiv et al., 2002]
ReachFromk: set of alloc. sites reaching Allock(o)
PointedToByk: set of alloc. sites reaching Allock(o) in 1 step
Common pattern: build linked list data structures
h1: s = newspawn s
h2: x = newy = xwhile (*) {
h3: z = newy.f = zif (x.f == y)
s.f = zy = z
}x = x.f
p1: ... x ...
x sh1,0
h2,0 h3,1 h3,0 Recencyr=∞
x s{h1}
{h2} {h2,h3} {h1,h2,h3} ReachFromk=0
No amount of recency helps
Reachability makes proper distinctions
12
![Page 60: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/60.jpg)
Clients
ThreadEscape: Does variable v
point to an object potentially reachable from another thread?
13
![Page 61: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/61.jpg)
Clients
ThreadEscape: Does variable v
point to an object potentially reachable from another thread?
SharedAccess: Does variable v
point to an object actually accessed by multiple threads?
13
![Page 62: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/62.jpg)
Clients
ThreadEscape: Does variable v
point to an object potentially reachable from another thread?
SharedAccess: Does variable v
point to an object actually accessed by multiple threads?
SharedLock: Does variable v
point to an object which is locked by multiple threads?
13
![Page 63: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/63.jpg)
Clients
ThreadEscape: Does variable v
point to an object potentially reachable from another thread?
SharedAccess: Does variable v
point to an object actually accessed by multiple threads?
SharedLock: Does variable v
point to an object which is locked by multiple threads?
NonStationaryField: for a field f , does there exist an object o such that
o.f is written to after o.f is read from?
(generalization of final in Java from [Unkel & Lam, 2008])
13
![Page 64: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/64.jpg)
Clients
ThreadEscape: Does variable v
point to an object potentially reachable from another thread?
SharedAccess: Does variable v
point to an object actually accessed by multiple threads?
SharedLock: Does variable v
point to an object which is locked by multiple threads?
NonStationaryField: for a field f , does there exist an object o such that
o.f is written to after o.f is read from?
(generalization of final in Java from [Unkel & Lam, 2008])
Motivated by race and deadlock detection.
13
![Page 65: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/65.jpg)
Benchmarks
9 Java programs from the DaCapo benchmark suite (version 9.12):
antlr A parser generator and translator generatoravrora A simulation and analysis framework for
AVR microcontrollersbatik A Scalable Vector Graphics (SVG) toolkitfop An output-independent print formatterhsqldb An SQL relational-database engineluindex A text indexing toollusearch A text search toolpmd A source-code analyzerxalan An XSLT processor for transforming XML
290–1357 classes, 1.7K–6.8K methods, 133K–512K bytecodes, 5–46 threads
14
![Page 66: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/66.jpg)
Experiments
Precision:
0% ≤ number of queries q such that q is true (concrete)
number of queries q such that qα is true (abstract)≤ 100%
15
![Page 67: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/67.jpg)
Experiments
Precision:
0% ≤ number of queries q such that q is true (concrete)
number of queries q such that qα is true (abstract)≤ 100%
Questions:
• What abstraction works best for a given client?
• What is the effect of the k in k-CFA?
• What is the effect of the recency depth r?
• How scalable are the high-precision abstractions?
15
![Page 68: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/68.jpg)
General results: ThreadEscape
benchmark Alloc Allock=5 Recency ReachFrom
antlr 48.6 85.0 81.0 100.0avrora 54.7 62.3 69.2 77.8batik 13.5 15.1 20.9 20.6fop 36.3 99.3 42.8 41.3hsqldb 62.6 69.0 94.3 ?luindex 6.3 97.2 6.8 6.8lusearch 14.3 90.0 19.0 19.6pmd 12.4 87.1 14.9 14.6xalan 64.0 78.9 78.7 76.6average 34.8 76.0 47.5 44.7
Main points:
• Alloc can be very imprecise
• Allock=5 works best most of the time
16
![Page 69: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/69.jpg)
General results: NonStationaryField
benchmark Alloc Allock=5 Recency ReachFrom
antlr 59.1 60.1 91.0 78.3avrora 33.2 33.6 93.6 77.2batik 35.8 36.1 99.5 65.3fop 42.0 44.9 90.9 68.2hsqldb 45.4 49.5 94.6 ?luindex 78.0 84.2 94.8 94.8lusearch 38.2 38.2 64.9 56.5pmd 37.8 39.9 96.4 69.4xalan 44.0 44.5 90.4 74.2average 45.9 47.9 90.7 73.0
Main points:
• Call stack useless, reachability helps a bit
• Recency offers huge improvement: captures temporal properties
17
![Page 70: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/70.jpg)
Effect of call stack depth k
0 1 2 3 4 5 6 7 8 ∞k
20
40
60
80
100
Pre
cisi
on
0 1 2 3 4 5 6 7 8 ∞k
20
40
60
80
100
Pre
cisi
on
Alloc
Recency
PointedToBy
ReachFrom
(a) (ThreadEscape, batik) (b) (ThreadEscape, lusearch)
Main points:
• Phase transition: sharp increase in precision beyond k ≈ 5
• Synergy of information: ReachFrom requires high k to be precise
18
![Page 71: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/71.jpg)
Effect of recency depth
ThreadEscape on batik:
r = 0 r = 1 r = 2 r = 3 r = 4 r = 5k = 0 13.5 20.9 21.4 22.1 22.5 22.6k =∞ 15.1 23.4 99.0 99.0 99.0 99.0
Main points:
• Increasing recency depth beyond 1 helps, but maxes out quickly
• Synergy of information: need both large k and large r for success
19
![Page 72: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/72.jpg)
Tradeoff between precision and size
20 40 60 80 100
precision
0.7
5.3
38.1
275.9
2000.0
size
rati
o
Random
Alloc
Recency
PointedToBy
ReachFrom
20 40 60 80 100
precision
0.7
5.3
38.1
275.9
2000.0
size
rati
o
(a) (ThreadEscape, batik) (b) (NonStationaryField, batik)
Main points:
• Reachability is quite expensive, Recency is cheap
• Random is surprisingly effective on NonStationaryField,but Recency is better
20
![Page 73: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/73.jpg)
Summary
• Goal: determine good heap abstractions to use in static analysis
• Dynamic analysis enables us to quickly explore many heap abstractions
21
![Page 74: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/74.jpg)
Summary
• Goal: determine good heap abstractions to use in static analysis
• Dynamic analysis enables us to quickly explore many heap abstractions
• Heap abstraction has large impact on precision
– Best abstraction depends on how its properties fit the client
– Non-trivial interactions between dimensions
21
![Page 75: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/75.jpg)
Summary
• Goal: determine good heap abstractions to use in static analysis
• Dynamic analysis enables us to quickly explore many heap abstractions
• Heap abstraction has large impact on precision
– Best abstraction depends on how its properties fit the client
– Non-trivial interactions between dimensions
• Hopefully will serve as a useful guide for developers of static analyses
21
![Page 76: A Dynamic Evaluation of the Precision of Static Heap ...pliang/papers//abstractions-oopsla2010-talk.pdfof Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer](https://reader033.vdocuments.mx/reader033/viewer/2022051907/5ffa09ae18940b21cc701b83/html5/thumbnails/76.jpg)
Summary
• Goal: determine good heap abstractions to use in static analysis
• Dynamic analysis enables us to quickly explore many heap abstractions
• Heap abstraction has large impact on precision
– Best abstraction depends on how its properties fit the client
– Non-trivial interactions between dimensions
• Hopefully will serve as a useful guide for developers of static analyses
Thank you!
21