Shape Analysis by Graph Decomposition
Slide transcript. R. Manevich, M. Sagiv (Tel Aviv University); G. Ramalingam (MSR India); J. Berdine, B. Cook (MSR Cambridge).
![Page 1: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/1.jpg)
Shape Analysis by Graph Decomposition
R. Manevich, M. Sagiv (Tel Aviv University)
G. Ramalingam (MSR India)
J. Berdine, B. Cook (MSR Cambridge)
![Page 2: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/2.jpg)
Motivation
- Challenge: precise and efficient shape analyses that prove properties of dynamically allocated linked data structures
- Observation: often many correlations are irrelevant for proving shape properties
- Our approach: develop a flexible abstraction that takes advantage of this
![Page 3: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/3.jpg)
Example program – 2 lists
[Figure: two disjoint singly-linked lists, h1 ... t1 and h2 ... t2]

    // @assume h1!=null && h1==t1 && h1.n==null &&
    //         h2!=null && h2==t2 && h2.n==null
    //
    // @loop_invariant Reach(h1,t1) &&
    //                 Reach(h2,t2) &&
    //                 DisjointLists(h1,h2)
    EnqueueEvents() {
    L1: while (...) {
          List temp = new List(getEvent());
          if (nondet()) {
            t1.n = temp; t1 = temp;
          } else {
            t2.n = temp; t2 = temp;
          }
        }
    }

The correlation between the two lists is irrelevant for proving the loop invariant
![Page 4: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/4.jpg)
Abstract states – full heaps [VMCAI’05]
[Figure: the nine full-heap abstract states for the two lists, one per combination of list sizes; each list is shown with size = 1 (h and t on the same cell), size = 2 (segment labelled 1) or size > 2 (segment labelled >1)]
![Page 5: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/5.jpg)
Graph decomposition
[Figure: the same nine shape graphs, each about to be split into its list-1 part and its list-2 part]
![Page 6: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/6.jpg)
Graph decomposition
Connected components by undirected reachability
[Figure: a shape graph with two disjoint lists (h1 t1 of size 1, h2 t2 of size 1) decomposes into connected component 1 (h1 t1) and connected component 2 (h2 t2)]
![Page 7: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/7.jpg)
Abstract states – decomposed heaps
[Figure: the six shape subgraphs: for each list, size = 1 (h and t on one cell), size = 2 (segment labelled 1), size > 2 (segment labelled >1)]
For k lists:
- full heap abstraction generates 3^k abstract states
- decomposed heap abstraction generates 3×k abstract states
Coarser abstraction: precise enough to prove the invariant, but generates fewer states
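As an added example (not code from the paper or the slides), the following Python models a shape graph by the two pieces decomposition needs, decomposes it into connected components by undirected reachability as on slide 6, and then enumerates the 3^k full-heap states versus the 3×k subgraphs claimed above; it generalizes the two-list slide to any number k of independent lists. The representation, the node names and the three list shapes are constructed here.

```python
from itertools import product

# Constructed representation: a shape graph is (variables, segments) where
# variables maps each program variable to the node it points to and segments
# is a list of (src, dst, length) with length in {"1", ">1"}.  A node whose
# next field is null simply has no outgoing segment.


def decompose(variables, segments):
    """Split a shape graph into connected components using undirected
    reachability over the segments (slide 6).  Each component is returned as
    (frozenset of (var, node), frozenset of segments) so that components can
    be collected in sets and compared across different shape graphs."""
    nodes = set(variables.values()) | {n for src, dst, _ in segments for n in (src, dst)}
    adj = {n: set() for n in nodes}
    for src, dst, _ in segments:
        adj[src].add(dst)
        adj[dst].add(src)
    seen, parts = set(), []
    for start in sorted(nodes):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:                      # depth-first walk ignoring edge direction
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n] - comp)
        seen |= comp
        parts.append((frozenset((v, n) for v, n in variables.items() if n in comp),
                      frozenset(s for s in segments if s[0] in comp)))
    return frozenset(parts)


def list_shapes(i):
    """The three abstract shapes of list i with head h_i and tail t_i
    (slide 4): size = 1, size = 2 (segment labelled 1), size > 2 (>1)."""
    h, t, first, last = f"h{i}", f"t{i}", f"c{i}a", f"c{i}b"
    return [
        ({h: first, t: first}, []),
        ({h: first, t: last}, [(first, last, "1")]),
        ({h: first, t: last}, [(first, last, ">1")]),
    ]


def count_states(k):
    """Return (number of full-heap shape graphs, number of distinct shape
    subgraphs) for k independent lists: 3**k versus 3*k."""
    full, decomposed = set(), set()
    for combo in product(range(3), repeat=k):
        variables, segments = {}, []
        for i, shape in enumerate(combo, start=1):
            v, s = list_shapes(i)[shape]
            variables.update(v)
            segments.extend(s)
        full.add((frozenset(variables.items()), frozenset(segments)))
        decomposed |= decompose(variables, segments)
    return len(full), len(decomposed)


if __name__ == "__main__":
    for k in range(1, 6):
        print(k, count_states(k))   # (3, 3), (9, 6), (27, 9), (81, 12), (243, 15)
```

The full-heap set grows as 3^k because every combination of list shapes is a distinct shape graph, while the decomposed set only ever contains the three shapes of each list, because `decompose` returns components that compare equal regardless of which other lists they were paired with.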
![Page 8: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/8.jpg)
Overall view
[Figure: three domains connected by abstraction/concretization pairs: concrete heaps ⇄ (β_FH, γ_FH) ⇄ shape graphs ⇄ (β_GD, γ_GD) ⇄ shape subgraphs; the example shows the two-list heap, its full shape graph, and its two subgraphs]
- Concrete domain: concrete heaps
- Full heaps domain: shape graphs, which track ALL correlations
- Decomposed heaps domain: shape subgraphs, which track SOME correlations
![Page 9: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/9.jpg)
Main results
- New abstraction for shape analysis reduces exponential factors by:
  - connected component decomposition
  - abstracting away null-value correlations
- Sound and sufficiently precise transformers
  - most precise transformers are FNP-complete
  - polynomial time efficient transformers, sufficiently precise
- Implementation and empirical results
  - sufficiently precise on a set of benchmarks, including Windows device driver models
  - state space/time reduced by a factor of 33/212
![Page 10: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/10.jpg)
Outline
- Full heap abstraction [VMCAI’05] (reference abstraction)
- Further abstraction by decomposition
  - connected component decomposition
  - abstracting away null-value correlations (details in paper)
- Abstract transformers
  - concretization by composition
- Experimental results
![Page 11: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/11.jpg)
Full heap abstraction [VMCAI’05]
[Figure: the overall view of slide 8, here highlighting β_FH/γ_FH between concrete heaps and shape graphs]
![Page 12: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/12.jpg)
Full heap abstraction [VMCAI’05]
- Abstraction for singly-linked lists
- Basic concepts:
  - interruptions (bounded number of)
  - uninterrupted list segments (bounded number of)
- Abstraction keeps interruptions and abstracts segment lengths to {1, >1}
- Result is a shape graph
[Figure: a concrete heap with variables x and y and its shape graph under β_FH, with segments labelled 1, >1, >1, >1; the abstraction of a set of heaps is the point-wise extension of β_FH]
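As an added example (not the paper's implementation), this Python computes the full-heap abstraction β_FH of a concrete singly-linked heap the way the slide describes it: interruption nodes are kept, and every uninterrupted segment leaving one collapses to a single edge labelled 1 or >1. The heap encoding, the canonical node names n0, n1, ..., and the choice of what counts as an interruption (a cell pointed to by a variable or with two or more predecessors, the usual definition for this abstraction) are assumptions made here; cells unreachable from every variable are ignored.

```python
# Constructed encoding of a concrete heap: `variables` maps each program
# variable to a cell name (or None for null) and `nxt` maps every cell to the
# cell its next field points to (or None).  Nothing here is from the paper.


def beta_fh(variables, nxt):
    """Full-heap abstraction (slide 12) of one concrete heap.
    Interruptions (cells pointed to by a variable or with >= 2 predecessors,
    the definition assumed here) are kept; the uninterrupted segment leaving
    each interruption becomes a single edge labelled "1" or ">1".
    Returns (frozenset of (var, node), frozenset of (src, dst, length)) with
    interruption cells renamed n0, n1, ... in a canonical order, so two heaps
    with the same shape give equal results."""
    indeg = {cell: 0 for cell in nxt}
    for dst in nxt.values():
        if dst is not None:
            indeg[dst] += 1
    pointed = {cell for cell in variables.values() if cell is not None}
    interruptions = {cell for cell in nxt if indeg[cell] >= 2 or cell in pointed}

    # Canonical names: number interruptions in the order a walk from each
    # variable (variables taken in name order) first reaches them.
    names = {}
    for var in sorted(variables):
        cell, visited = variables[var], set()
        while cell is not None and cell not in visited:   # stops on cycles
            visited.add(cell)
            if cell in interruptions and cell not in names:
                names[cell] = f"n{len(names)}"
            cell = nxt[cell]

    segments = set()
    for cell in names:                      # insertion order == canonical order
        cur, steps = nxt[cell], 1
        while cur is not None and cur not in interruptions:
            cur, steps = nxt[cur], steps + 1      # still inside the segment
        dst = None if cur is None else names[cur]
        segments.add((names[cell], dst, "1" if steps == 1 else ">1"))

    var_edges = frozenset((v, None if c is None else names[c]) for v, c in variables.items())
    return var_edges, frozenset(segments)


def two_lists(len1, len2):
    """Constructed concrete heap for the EnqueueEvents example (slide 3):
    list 1 has len1 cells from h1 to t1, list 2 has len2 cells from h2 to t2."""
    variables, nxt = {}, {}
    for i, length in ((1, len1), (2, len2)):
        cells = [f"c{i}_{j}" for j in range(length)]
        for a, b in zip(cells, cells[1:] + [None]):
            nxt[a] = b
        variables[f"h{i}"], variables[f"t{i}"] = cells[0], cells[-1]
    return variables, nxt


if __name__ == "__main__":
    # Lists of length 3 and 7 abstract to the same shape graph (segment >1);
    # length 2 does not (segment 1): that is the {1, >1} length abstraction.
    print(beta_fh(*two_lists(3, 1)) == beta_fh(*two_lists(7, 1)))   # True
    print(beta_fh(*two_lists(3, 1)) == beta_fh(*two_lists(2, 1)))   # False
```

A segment whose walk reaches null is recorded with destination `None`; a segment that returns to its own start (a cycle with a single interruption) becomes a self-edge labelled >1, which is why the number of edges stays bounded by the number of interruptions however long the concrete lists are.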
![Page 13: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/13.jpg)
Graph decomposition abstraction
[Figure: the overall view of slide 8, here highlighting β_GD/γ_GD between shape graphs and shape subgraphs]
![Page 14: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/14.jpg)
Graph decomposition abstraction
- Abstraction of shape graphs: a further abstraction over shape graphs
- Decouples connected components
- Intuitively, different components = different logical data structures
- Result = set of shape subgraphs
![Page 15: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/15.jpg)
Connected components decomposition
[Figure: β_GD maps each shape graph to its components: the graph with h1 t1 of size 1 and h2 → t2 (segment 1) gives the subgraphs {h1 t1} and {h2 → t2 (1)}; the graph with h1 → t1 (segment >1) and h2 t2 of size 1 gives {h1 → t1 (>1)} and {h2 t2}]
![Page 16: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/16.jpg)
Concretization γ_GD
[Figure: the overall view of slide 8, here highlighting γ_GD from shape subgraphs back to shape graphs]
![Page 17: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/17.jpg)
Abstracting correlations
[Figure: β_GD applied to a set of two shape graphs (h1 t1 of size 1 with h2 → t2 of size 2, and h1 → t1 of size > 2 with h2 t2 of size 1); the resulting set of four subgraphs no longer records which list-1 shape occurred together with which list-2 shape]
![Page 18: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/18.jpg)
Abstract transformers
Need transformers for program statements: x=new List(), x=null, x=y, x=y.n, x.n=y, assume(x!=y), assume(x==y), …
![Page 19: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/19.jpg)
Abstract transformers outline
- Induced transformers by concretization (from subgraphs and shape graphs)
  - problem: concretization introduces exponential space blow-up
- Most precise transformers by partial concretization
  - avoids exponential space blow-up
  - requires an oracle to test strong feasibility; the strong feasibility test is NP-complete
- Conservative transformers
  - give up on the strong feasibility test
  - avoids exponential time blow-up
![Page 20: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/20.jpg)
Most precise transformer [CC’77]
[Figure: the three-domain diagram of slide 8 with the concrete transformer st and its abstract counterpart; the most precise transformer on shape subgraphs concretizes with γ_GD, applies st, and abstracts back with β_GD]
Problem: concretization is exponential space in the worst case
![Page 21: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/21.jpg)
Partial concretization
- Compose weakly-feasible subgraphs: subgraphs that do not share any variables
- Compose only subgraphs in the footprint of the statement
- Compose at most any 2 or 3 subgraphs
[Figure: pairwise compositions of the list-1 subgraphs (h1 t1; h1 → t1 with segments labelled 1 and >1) with a list-2 subgraph h2 → t2 (segment 1)]
![Page 22: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/22.jpg)
Transformer example
[Figure: applying t1.n = temp to the decomposed state {h1 t1 (size 1), h1 → t1 (segment 1), h2 t2, temp}: each list-1 subgraph is composed with the temp subgraph and the statement is applied, giving h1 t1 → temp and h1 → t1 → temp; the h2 t2 subgraph passes through unchanged]
![Page 23: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/23.jpg)
Most precise transformer
[Figure: five subgraphs M1–M5 over the variables x, y, z, w; can a composition be extended to have variable w?]
Most precise transformer requires a strong feasibility test: check that subgraphs can be extended to include all variables
![Page 24: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/24.jpg)
Most precise transformer
[Figure: the same subgraphs M1–M5; adding one subgraph that contains w gives an inconsistency: shared variable x]
Most precise transformer requires a strong feasibility test: check that subgraphs can be extended to include all variables
![Page 25: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/25.jpg)
Most precise transformer
[Figure: the same subgraphs M1–M5; the other subgraph that contains w gives an inconsistency: shared variable y]
- Conclusion: can’t extend with w
- M1 and M4 are weakly-feasible but not strongly-feasible in {M1,…,M5}
- Strong feasibility is NP-complete; therefore the most precise transformer is FNP-complete
![Page 26: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/26.jpg)
Making the transformers efficient
- Vanilla transformer inefficient in practice
- Incremental transformers: reuse results of previous iterations (details in paper)
- Engineering optimizations: avoid unnecessarily composing subgraphs, …
- Optimized transformers are linear time in practice
![Page 27: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/27.jpg)
Prototype implementation
- Implemented in Java
- Supports assertions: assertReach(x,y), assertDisjointLists(x,y), assertAcyclicList(x), assertCyclicList(x), assert(x==y), assert(x!=y)
- Checks cleanness properties: absence of null dereferences, absence of memory leaks, no misuse of dangling pointers
![Page 28: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/28.jpg)
Experiments – precision
- Precision lost in just 2/21 benchmarks
  - getLast: unable to prove x points to the last cell; due to an imprecise transformer; can be avoided by simple and efficient heuristics
  - queue_2_stack: intentionally constructed; the lost correlations are important to prove the property
- Same precision as full heap analysis on the other benchmarks
![Page 29: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/29.jpg)
Experiments – “standard” suite
- Programs operating on 1-2 lists: insert, delete, reverse, merge, …
- New analysis slightly less efficient, but running times < 0.6 seconds so…
![Page 30: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/30.jpg)
Experiments – multiple lists
[Chart: number of shape graphs vs number of subgraphs per benchmark; bar labels read 1.4, 0.5, 12.0, 33.5, 2.4, 4.6, 11.6 on an axis from 0 to 40; the largest benchmark is off the scale at 89,430 shape graphs vs 7,733 subgraphs]
![Page 31: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/31.jpg)
Experiments – multiple lists
[Chart: full shape graph analysis time vs graph decomposition analysis time per benchmark; bar labels read 1.0, 0.5, 25.0, 95.0, 14.6, 21.7, 212.5 on an axis from 0 to 250; the largest benchmark is off the scale at 552.6 vs 2.6]
![Page 32: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/32.jpg)
Properties of the abstraction
- No loss of precision when connected components represent completely independent lists
- Reduces state space exponentially
- Loss of precision when mixing abstract states: γ_GD(X1 ∪ X2) ⊇ γ_GD(X1) ∪ γ_GD(X2)
- So where is this technique useful?
![Page 33: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/33.jpg)
Related work
- Partial isomorphism join [Manevich et al. SAS’04]: applied in a more generic context but does not reduce the exponential blow-ups addressed in this paper
- Heap analysis by separation [Yahav et al. PLDI’04] [Hackett et al. POPL’05]: decompose the verification problem itself and conservatively approximate contexts
- Heap decomposition for interprocedural analysis [Rinetzky et al. POPL’05] [Rinetzky et al. SAS’05] [Gotsman et al. SAS’06] [Gotsman et al. PLDI’07]: decompose/compose at procedure boundaries
- Predicate/variable clustering [Clark et al. CAV’00]: statically-determined decomposition
![Page 34: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/34.jpg)
Conclusions
- New abstraction scheme to control the precision/cost trade-off for shape analyses
- Efficient algorithms for abstract domain operations: abstraction, partial concretization, transformers, …
- Applicable beyond singly-linked lists, e.g., the class of graphs supported by Lev-Ami et al. [CAV’06]: doubly-linked lists, trees, …
![Page 35: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/35.jpg)
Ongoing work
- Extension for concurrent program analysis
Future work:
- Tune abstraction by counterexample-guided refinement
![Page 36: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/36.jpg)
Questions?
![Page 37: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/37.jpg)
Conservative transformer
- Computes a superset of the subgraphs computed by the most precise transformer
- Algorithm sketch:
  - compose components in the footprint of the statement
  - apply the local st on the footprint and decompose the result
  - test consistency instead of strong feasibility
  - pass other components as is
- Time(st) polynomial in #vars in st: x=null linear; x.n=y quadratic; assume(x==y) cubic
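An added Python sketch (not the prototype's code) of the conservative transformer above for the statement x.n = y, run on the decomposed state of the earlier transformer example (t1.n = temp). Subgraphs use a constructed representation: a pair of frozenset{(variable, node)} and frozenset{(src, dst, length)}, with a null next field represented by the absence of an outgoing segment. The example assumes x.n == null before the assignment, as holds for t1 in EnqueueEvents; under that precondition composing an x-component with a y-component and adding the edge yields one connected component, so the decomposition step of the sketch has nothing to split and is omitted.

```python
def vars_of(sub):
    """Variables mentioned by a subgraph."""
    return frozenset(v for v, _ in sub[0])


def node_of(var_edges, var):
    """Node a variable points to inside a (composed) subgraph."""
    return next(n for v, n in var_edges if v == var)


def assign_next(state, x, y):
    """Conservative transformer for `x.n = y` over a set of shape subgraphs.
    Footprint: subgraphs mentioning x or y.  Every x-component is composed
    with every y-component that passes the consistency test (no shared
    variable); the edge is added locally; other components pass through.
    Precondition assumed here: x.n is null in every x-component."""
    footprint = [s for s in state if {x, y} & vars_of(s)]
    result = {s for s in state if not ({x, y} & vars_of(s))}   # untouched components
    x_parts = [s for s in footprint if x in vars_of(s)]
    y_parts = [s for s in footprint if y in vars_of(s)]
    for sx in x_parts:
        for sy in y_parts:
            if sx != sy and vars_of(sx) & vars_of(sy):
                continue          # inconsistent pair: some variable is in both
            var_edges, segments = sx[0] | sy[0], sx[1] | sy[1]
            nx, ny = node_of(var_edges, x), node_of(var_edges, y)
            if any(src == nx for src, _, _ in segments):
                raise ValueError(f"{x}.n is not null: case not modelled here")
            result.add((var_edges, segments | {(nx, ny, "1")}))
    return frozenset(result)


# Constructed decomposed state from the t1.n = temp example: list 1 is either
# a single cell (h1 == t1) or two cells, list 2 is a single cell, and temp
# points to the freshly allocated cell.  Node names are distinct between any
# two subgraphs that can be composed (the two list-1 shapes never are).
SIZE1 = (frozenset({("h1", "a"), ("t1", "a")}), frozenset())
SIZE2 = (frozenset({("h1", "a"), ("t1", "b")}), frozenset({("a", "b", "1")}))
LIST2 = (frozenset({("h2", "c"), ("t2", "c")}), frozenset())
TEMP = (frozenset({("temp", "d")}), frozenset())
STATE = frozenset({SIZE1, SIZE2, LIST2, TEMP})


def example():
    """The transformer example of slide 22: t1.n = temp on STATE."""
    return assign_next(STATE, "t1", "temp")


if __name__ == "__main__":
    for var_edges, segments in sorted(example(), key=lambda s: sorted(s[0])):
        print(sorted(var_edges), sorted(segments))
```

The nested loop over x-components and y-components is quadratic in the number of footprint subgraphs, which matches the cost the slide gives for x.n=y; the h2 t2 component never enters the loop and is passed through as is.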
![Page 38: Shape Analysis by Graph Decomposition](https://reader036.vdocuments.mx/reader036/viewer/2022062517/56813745550346895d9ed960/html5/thumbnails/38.jpg)
Concretization γ_GD
- Maps sets of shape subgraphs to sets of full shape graphs
- Mathematically: γ_GD(XG) = {G | β(G) ⊆ XG}
- Algorithmically: by composing weakly-feasible subgraphs (subgraphs that do not share any variables); a full shape graph includes all program variables
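As an added example (not from the paper), the following Python works through the three notions the transformer slides and this concretization slide rely on: weak feasibility (no shared variables), concretization γ_GD by composing weakly-feasible subgraphs until every program variable is covered, and strong feasibility (a combination extends to some full shape graph), decided here by brute force since the talk notes the general problem is NP-complete. It also exhibits the precision loss from mixing abstract states stated in the properties slide. The instance M1..M5 is constructed and only loosely modelled on the slides, whose exact variable sets are not recoverable from the transcript; for feasibility only the set of variables each subgraph mentions matters, so that is all the code tracks.

```python
from itertools import combinations

# Constructed instance modelled on the five subgraphs M1..M5 of the
# most-precise-transformer slides (their exact variable sets are assumed).
PROGRAM_VARS = frozenset({"x", "y", "z", "w"})
SUBGRAPHS = {
    "M1": frozenset({"x", "z"}),
    "M2": frozenset({"w", "x"}),
    "M3": frozenset({"y", "w"}),
    "M4": frozenset({"y"}),
    "M5": frozenset({"z"}),
}


def weakly_feasible(names, subgraphs=SUBGRAPHS):
    """Subgraphs may be composed iff no variable occurs in two of them."""
    seen = set()
    for name in names:
        if subgraphs[name] & seen:
            return False
        seen |= subgraphs[name]
    return True


def compose(names, subgraphs=SUBGRAPHS):
    """Composition of weakly feasible subgraphs: here just the union of the
    variables they mention (a real composition also unions nodes and edges)."""
    if not weakly_feasible(names, subgraphs):
        raise ValueError("shared variable: subgraphs are not weakly feasible")
    return frozenset().union(*(subgraphs[name] for name in names))


def gamma_gd(subgraphs=SUBGRAPHS, program_vars=PROGRAM_VARS):
    """Concretization gamma_GD: every weakly feasible combination whose
    composition mentions all program variables is one full shape graph.
    Returns the set of such combinations (each a frozenset of names).
    This enumerates every subset, so it is exponential in the number of
    subgraphs: the blow-up the talk's transformers avoid."""
    names = sorted(subgraphs)
    full = set()
    for r in range(1, len(names) + 1):
        for combo in combinations(names, r):
            if weakly_feasible(combo, subgraphs) and compose(combo, subgraphs) == program_vars:
                full.add(frozenset(combo))
    return full


def strongly_feasible(names, subgraphs=SUBGRAPHS, program_vars=PROGRAM_VARS):
    """A weakly feasible combination is strongly feasible in X iff it extends
    to some full shape graph in gamma_GD(X).  Brute force here; the talk
    notes the general decision problem is NP-complete."""
    chosen = frozenset(names)
    return weakly_feasible(names, subgraphs) and any(
        chosen <= full for full in gamma_gd(subgraphs, program_vars))


def mixing_blowup(state1, state2, program_vars):
    """Properties slide: concretizing the union of two decomposed states can
    yield full shape graphs that neither state alone concretizes to."""
    mixed = gamma_gd({**state1, **state2}, program_vars)
    separate = gamma_gd(state1, program_vars) | gamma_gd(state2, program_vars)
    return mixed - separate


if __name__ == "__main__":
    print(weakly_feasible(["M1", "M4"]), strongly_feasible(["M1", "M4"]))   # True False
    print(sorted(sorted(g) for g in gamma_gd()))   # [['M1', 'M3'], ['M2', 'M4', 'M5']]
```

M1 and M4 share no variable, so they pass the consistency test a conservative transformer uses, yet together they cover x, y, z and the only subgraphs containing w (M2 and M3) collide with them on x or y; no full shape graph contains both, which is the weakly-but-not-strongly-feasible situation of the slides. `mixing_blowup` shows the other direction of imprecision: two states that each concretize to one graph concretize to four once their subgraphs are pooled.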