A Semantics for Procedure Local Heaps and its Abstractions
Noam Rinetzky, Tel Aviv University (www.cs.tau.ac.il/~maon). Joint work with Jörg Bauer (Universität des Saarlandes), Thomas Reps (University of Wisconsin) and Mooly Sagiv (Tel Aviv University). Slide transcript.
![Page 1: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/1.jpg)
A Semantics for Procedure Local Heaps and its Abstractions
Noam Rinetzky, Tel Aviv University, www.cs.tau.ac.il/~maon
Joint work with Jörg Bauer (Universität des Saarlandes), Thomas Reps (University of Wisconsin), Mooly Sagiv (Tel Aviv University) and Reinhard Wilhelm (Universität des Saarlandes)
![Page 2: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/2.jpg)
Motivation
• Interprocedural shape analysis
• Conservative static pointer analysis
• Heap-intensive programs
• Imperative programs with procedures
• Recursive data structures
• Goals
  • Precision
  • Efficiency
![Page 3: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/3.jpg)
Main idea
• Procedures as local heap transformers

[Figure: `call p(x);` shown as a transformer of the local heap reachable from the actual x; the parts of the heap reachable only from y, t and g are unchanged by the call.]
![Page 4: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/4.jpg)
Main Results
• Concrete operational semantics
  • Large step
  • Functional analysis
  • Storeless
  • Shape abstractions
  • Local heap
  • Observationally equivalent to “standard” semantics
  • Java and “clean” C
• Abstractions
  • Shape analysis [Sagiv, Reps, Wilhelm, TOPLAS ‘02]
  • May-alias [Deutsch, PLDI ‘94]
  • …
![Page 5: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/5.jpg)
Outline
• Motivating example
• Why semantics
• Localized Heap Storeless Semantics
• Shape abstraction
![Page 6: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/6.jpg)
Example

```java
static List reverse(List t) {
  …
  return r;
}

static void main() {
  List x = reverse(p);
  List y = reverse(q);
  List z = reverse(x);
  …
}
```

[Figure: the heap at the call `List x = reverse(p)`: p and q each point to an acyclic list of n-linked nodes; inside reverse, the formal t points to p's list and r to the reversed result, so after the call x and p point into the same (now reversed) list.]
![Page 7: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/7.jpg)
Example

```java
static List reverse(List t) {
  …
  return r;
}

static void main() {
  List x = reverse(p);
  List y = reverse(q);
  List z = reverse(x);
}
```

[Figure: the heap after `List y = reverse(q)`: x and p point into the reversed first list, y and q into the reversed second list.]
![Page 8: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/8.jpg)
Example

```java
static List reverse(List t) {
  …
  return r;
}

static void main() {
  List x = reverse(p);
  List y = reverse(q);
  List z = reverse(x);
}
```

[Figure: the call `List z = reverse(x)`: the callee's local heap is the list reachable from x, into which the caller's p also points; after the call z, x and p all point into that list, and y and q into the other one.]
![Page 9: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/9.jpg)
Cutpoints
• Separating objects
• Not pointed-to by a parameter
![Page 10: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/10.jpg)
Cutpoints
• Separating objects
• Not pointed-to by a parameter

[Figure: stack sharing: at `proc(x)`, the caller's variable p points to a node inside the local heap of x that is not the node x itself points to; that node is a cutpoint.]
![Page 11: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/11.jpg)
Cutpoints
• Separating objects
• Not pointed-to by a parameter

[Figures: stack sharing (as above) and heap sharing: at `proc(x)`, a node outside the local heap of x (reachable from y) has an n field pointing into x's list; the node it points to is a cutpoint.]
![Page 12: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/12.jpg)
Sharing patterns

[Figure: four heap configurations around the list reachable from the formal t, differing in which of the caller's variables (p, q, x, y) and which nodes of other lists point into it; each configuration is a different sharing pattern.]
![Page 13: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/13.jpg)
Example

```java
static List reverse(List t) {
  …
  return r;
}

static void main() {
  List x = reverse(p);
  List y = reverse(q);
  List z = reverse(x);
}
```

[Figure: the call `List z = reverse(x)` seen from the callee: its local heap is the list reachable from t (bound to x), and r is the reversed result; the caller's p, which points into that list, is not visible to the callee.]
![Page 14: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/14.jpg)
Outline
• Motivating example
• Why semantics
• Localized Heap Storeless Semantics
• Shape abstraction
![Page 15: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/15.jpg)
Abstract Interpretation [Cousot and Cousot, POPL ’77]

[Figure: an operational semantics and the abstract transformer derived from it.]
![Page 16: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/16.jpg)
Introducing local heap semantics

[Figure: Part I relates the standard operational semantics to the local heap operational semantics (related by ~, the equivalence on states); Part II derives the abstract transformer from the local heap operational semantics.]
![Page 17: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/17.jpg)
Outline
• Motivating example
• Why semantics
• LSL: Localized Heap Storeless Semantics
• Shape abstraction
![Page 18: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/18.jpg)
Programming model
• Single threaded
• Procedures
  • Value parameters
  • Recursion
• Heap
  • Recursive data structures
  • Destructive update
  • No explicit addressing (&, cast)
![Page 19: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/19.jpg)
Simplifying assumptions
• No primitive values (reference only)
• No globals
• Formals not modified
![Page 20: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/20.jpg)
Store-based semantics
• Object address
• Memory state:
  • Object: FieldId → Address
  • Heap: Address → Object
• Natural
• Addresses do not affect shape

[Figure: two store-based states of the same two-node list x → n → n that differ only in the addresses chosen for the nodes (x holds 0x10 in one state and 0x14 in the other, with the remaining cells at 0x0, 0x11, 0x12, 0x13, 0x15 …); the two states have the same shape, x ~ x.]
![Page 21: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/21.jpg)
Storeless semantics
• No addresses
• Memory state:
  • Object: 2^(Access paths) (an object is the set of access paths that reach it)
  • Heap: 2^Object (a set of objects)
• Alias analysis

Example: x points to a three-node list x → n → n:
  {x}, {x.n}, {x.n.n}
After y = x:
  {x, y}, {x.n, y.n}, {x.n.n, y.n.n}
After x = null:
  {y}, {y.n}, {y.n.n}
![Page 22: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/22.jpg)
Example

```java
static void main() {
  List x = reverse(p);
  List y = reverse(q);
  List z = reverse(x);
}

static List reverse(List t) {
  …
  return r;
}
```

Caller state at the call `List z = reverse(x)`:
  {x}, {x.n}, {x.n.n}, {p, x.n.n.n}
  {y}, {y.n}, {q, y.n.n}
Callee entry (the formal t bound to x):
  {t}, {t.n}, {t.n.n}, {t.n.n.n}
Callee exit:
  {r}, {r.n}, {r.n.n}, {t, r.n.n.n}
Caller state after the return:
  {z}, {z.n}, {z.n.n}, {x, z.n.n.n}
  p ?  (the callee has no name for the object p points to, so p's post-state cannot be recovered)
![Page 23: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/23.jpg)
Example

```java
static void main() {
  List x = reverse(p);
  List y = reverse(q);
  List z = reverse(x);
}

static List reverse(List t) {
  …
  return r;
}
```

Caller state at the call `List z = reverse(x)`:
  {x}, {x.n}, {x.n.n}, {p, x.n.n.n}
  {y}, {y.n}, {q, y.n.n}
Callee entry, with the cutpoint label L as an extra root for the object p points to:
  {t}, {t.n}, {t.n.n}, {L, t.n.n.n}
Callee exit:
  {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}
Caller state after the return (L resolved back to p):
  {p, z}, {p.n, z.n}, {p.n.n, z.n.n}, {x, p.n.n.n, z.n.n.n}
![Page 24: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/24.jpg)
Cutpoint labels
• Relate pre-state with post-state
• Additional roots
• Mark cutpoints at and throughout an invocation
![Page 25: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/25.jpg)
Cutpoint labels
• Cutpoint label: the set of access paths that point to a cutpoint when the invoked procedure starts

  {t}, {t.n}, {t.n.n}, {L, t.n.n.n}      L = {t.n.n.n}
![Page 26: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/26.jpg)
Sharing patterns
• Cutpoint labels encode sharing patterns

Stack sharing (the caller's p points to the node t.n.n.n):
  {t}, {t.n}, {t.n.n}, {L, t.n.n.n}      L = {t.n.n.n}
Heap sharing (the caller's p points to a node w outside the local heap whose field w.n points to t.n.n.n):
  {t}, {t.n}, {t.n.n}, {L, t.n.n.n}      L = {t.n.n.n}
![Page 27: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/27.jpg)
Memory states
• A memory state L = (CPL, A) is a pair of CPL, the set of cutpoint labels, and A, the set of objects (each the set of access paths that reach it).

Example: the callee exit of reverse with one cutpoint label,
  {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}    L = {t.n.n.n}
written out as a pair:
  ( {{t.n.n.n}},
    { {r, {t.n.n.n}},
      {r.n, {t.n.n.n}.n},
      {r.n.n, {t.n.n.n}.n.n},
      {t, r.n.n.n, {t.n.n.n}.n.n.n} } )

[Figure: the list r → n → n → n, labelled L = {h.n.n.n}]
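The states written out on the storeless-semantics slide (the y = x, x = null sequence) and on the reverse example (the caller state at the call, the callee's entry and exit states with the cutpoint label, and the state after the return) can be recomputed mechanically from a concrete heap. The program below is an added example, not code from the slides or from the authors: it builds the lists with a hypothetical create() (the slides call create() but do not show its body), runs the slides' reverse unchanged, computes every object's set of access paths, finds the cutpoints of a call as the slides define them (objects in the local heap reachable from the actuals that are referenced from outside it and are not pointed to by a parameter), and adds one root L1, L2, … per cutpoint. Node, the label names and the 16-step bound on path length are this example's own choices.

```python
# Added example: storeless states and cutpoints for the slides' reverse program.
from collections import deque


class Node:
    """A list cell with one reference field n, like the slides' List."""
    __slots__ = ("n",)

    def __init__(self, n=None):
        self.n = n


def create(k):
    """k-node acyclic list; hypothetical body for the slides' create()."""
    head = None
    for _ in range(k):
        head = Node(head)
    return head


def reverse(t):
    """The slides' recursive, destructive reverse, transcribed to Python."""
    if t is None or t.n is None:
        return t
    tn = t.n
    t.n = None
    r = reverse(tn)
    tn.n = t
    return r


def access_paths(env, max_len=16):
    """id(obj) -> [obj, set of access paths] for every object reachable from
    env (variable name -> Node or None). Paths stop after max_len field steps
    so the walk terminates even on a cyclic heap."""
    paths = {}
    work = deque((obj, name) for name, obj in env.items() if obj is not None)
    while work:
        obj, path = work.popleft()
        paths.setdefault(id(obj), [obj, set()])[1].add(path)
        if obj.n is not None and path.count(".n") < max_len:
            work.append((obj.n, path + ".n"))
    return paths


def storeless_state(env):
    """The slides' storeless memory state: a set of objects, each the set of
    access paths that reach it."""
    return {frozenset(s) for _, s in access_paths(env).values()}


def reachable(objs):
    """id(obj) -> obj for everything reachable from the given objects."""
    seen, stack = {}, [o for o in objs if o is not None]
    while stack:
        o = stack.pop()
        if id(o) not in seen:
            seen[id(o)] = o
            if o.n is not None:
                stack.append(o.n)
    return seen


def cutpoints(env, actuals):
    """Objects in the callee's local heap (reachable from the actuals) that a
    non-actual caller variable or a field of an object outside the local heap
    points to, excluding objects an actual points to directly."""
    local = reachable(env[a] for a in actuals)
    roots = {id(env[a]) for a in actuals if env[a] is not None}
    found = {}
    for name, obj in env.items():          # stack sharing
        if name not in actuals and obj is not None and id(obj) in local and id(obj) not in roots:
            found[id(obj)] = obj
    for oid, obj in reachable(env.values()).items():   # heap sharing
        nxt = obj.n
        if oid not in local and nxt is not None and id(nxt) in local and id(nxt) not in roots:
            found[id(nxt)] = nxt
    return list(found.values())


def entry_state(env, actuals, formals):
    """Callee entry: bind formals to actuals and add one root L1, L2, ... per
    cutpoint. Returns (labels, callee_env); labels maps each root name to its
    cutpoint label, the formal-rooted access paths that reach the cutpoint."""
    callee_env = dict(zip(formals, (env[a] for a in actuals)))
    from_formals = access_paths(callee_env)
    labels = {}
    for i, cp in enumerate(cutpoints(env, actuals), 1):
        labels[f"L{i}"] = frozenset(from_formals[id(cp)][1])
        callee_env[f"L{i}"] = cp
    return labels, callee_env


def alias_demo():
    """The y = x; x = null sequence of the storeless-semantics slide."""
    env = {"x": create(3), "y": None}
    before = storeless_state(env)
    env["y"] = env["x"]          # y = x: every object gains its y-rooted paths
    aliased = storeless_state(env)
    env["x"] = None              # x = null: the x-rooted paths disappear
    return before, aliased, storeless_state(env)


def reverse_demo():
    """main() of the slides up to z = reverse(x). Returns the cutpoint labels,
    the callee's exit state and the caller's state after the return."""
    p, q = create(4), create(3)
    env = {"p": p, "q": q}
    env["x"], env["y"] = reverse(p), reverse(q)
    labels, cenv = entry_state(env, ["x"], ["t"])
    cenv["r"] = reverse(cenv["t"])   # run the callee on its local heap only
    env["z"] = cenv["r"]             # the return value is bound in the caller
    return labels, storeless_state(cenv), storeless_state(env)
```

reverse_demo() yields the label {'L1': {'t.n.n.n'}}, the exit state {L1, r}, {L1.n, r.n}, {L1.n.n, r.n.n}, {t, L1.n.n.n, r.n.n.n}, and a post-return state in which the object p points to is again named, as {p, z}, {p.n, z.n}, {p.n.n, z.n.n}, {x, p.n.n.n, z.n.n.n}. Dropping the label root from entry_state reproduces the "p ?" situation: the exit state then has no name for that object, so the caller cannot tell where p ends up.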
![Page 28: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/28.jpg)
Formal semantics: ordinary statements
![Page 29: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/29.jpg)
Procedure call semantics
![Page 30: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/30.jpg)
Observational equivalence
L: a state of the Local-heap Storeless Semantics (LSL)
G: a state of the Global-heap Store-based Semantics (GSB)
L and G are observationally equivalent when, for every two access paths, the two states agree on whether the paths are equal (point to the same object).
![Page 31: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/31.jpg)
Main theorem: semantics equivalence
L: a state of the Local-heap Storeless Semantics (LSL)
G: a state of the Global-heap Store-based Semantics (GSB)
If L and G are observationally equivalent, and executing a statement st from L in LSL yields L' while executing st from G in GSB yields G', then L' and G' are observationally equivalent.
![Page 32: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/32.jpg)
Corollaries
• Preservation of invariants
• Detection of memory leaks
![Page 33: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/33.jpg)
Application
• Justify soundness of static analysis
  • May-alias analysis [TAU-TR-26/04]
  • Shape analysis
![Page 34: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/34.jpg)
Outline
• Motivating example
• Why semantics
• LSL: Localized Heap Storeless Semantics
• Shape abstraction
![Page 35: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/35.jpg)
Shape Abstraction
• Shape descriptors represent unbounded memory states
  • Conservatively
  • In a bounded way
![Page 36: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/36.jpg)
A shape abstraction
Concrete state (callee exit of reverse):
  {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}    L = {t.n.n.n}

[Figure: the list r → n → n → n, with t at its last node]
![Page 37: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/37.jpg)
A shape abstraction
The cutpoint label is abstracted first: L = *
  {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n}    L = *

[Figure: the list r → n → n → n, with t at its last node]
![Page 38: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/38.jpg)
A shape abstraction

[Figure: the abstract shape with L = *: r (and the cutpoint root L) at the head, the list interior collapsed into a summary node, t at the last node]
![Page 39: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/39.jpg)
A shape abstraction

[Figure: the concrete state {L, r}, {L.n, r.n}, {L.n.n, r.n.n}, {t, L.n.n.n, r.n.n.n} with L = {t.n.n.n} (drawn as the list r → n → n → n ending at t) and its abstraction with L = *, in which the list interior is collapsed into a summary node]
![Page 40: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/40.jpg)
A shape abstraction
Concrete state with two cutpoints, L1 = {h.n} and L2 = {h.n.n}:
  {r}, {L1, r.n}, {L2, L1.n, r.n.n}, {t, L2.n, L1.n.n, r.n.n.n}
Abstract state: L = *

[Figure: the list t → n → n → n with L1 and L2 at its second and third nodes, and the abstract shape with the interior summarized]
![Page 41: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/41.jpg)
Application (joint work with Eran Yahav)
• A framework for shape analysis using local heaps
• Parametric abstraction
  • Local heap (lists, trees, …)
  • Sharing patterns
![Page 42: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/42.jpg)
Application
• Single-threaded Java programs
• Properties proved
  • Absence of null dereferences
  • Listness preservation
  • API conformance
• Recursive vs. iterative
• Procedural abstraction
![Page 43: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/43.jpg)
Procedural abstraction

Program   Inline (MB)   Inline (Sec)   Procedure call (MB)   Procedure call (Sec)
crt3      22.3          5.4            22.0                  6.4
crt3x3    50.7          27.0           26.2                  9.2
![Page 44: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/44.jpg)
Recursion vs. Iteration

Program   Iterative (MB)   Iterative (Sec)   Recursive (MB)   Recursive (Sec)
create    19.7             10.9              19.3             9.3
find      22.3             21.3              23.5             35.8
insert    23.3             41.2              23.3             41.2
delete    23.2             42.0              24.8             45.3
append    25.1             17.2              25.6             20.2
reverse   23.6             23.7              24.0             33.7
revApp    26.0             45.7              26.5             46.8
merge     25.9             579.7             27.8             91.9
splice    25.5             70.1              26.1             36.9
![Page 45: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/45.jpg)
Demo

```java
class List {
  int d;
  List n;

  // Destructive recursive reversal: detach the head, reverse the tail,
  // then append the head behind the old second node.
  static List reverse(List t) {
    if (t == null || t.n == null) return t;
    List tn = t.n;
    t.n = null;
    List r = reverse(tn);
    tn.n = t;
    return r;
  }

  // create(k) builds a k-node list; its body is not shown on the slides.
  static void main() {
    List p = create(4);
    List q = create(3);
    List x = reverse(p);
    List y = reverse(q);
    List z = reverse(x);
  }
}
```
![Page 46: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/46.jpg)
Related work
• Storeless semantics
  • Jonkers, Algorithmic Languages ‘81
  • Deutsch, ICCL ‘92
![Page 47: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/47.jpg)
Related work
• Interprocedural shape analysis
  • Rinetzky and Sagiv, CC ’01: global heap
  • Jeannet et al., SAS ’04: local heap, relational
  • Chong and Rugina, SAS ’03: local heap
  • Hackett and Rugina, POPL ’05: staged analysis
![Page 48: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/48.jpg)
Related work
• Local reasoning
  • Ishtiaq and O’Hearn, POPL ‘01
  • Reynolds, LICS ’02
![Page 49: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/49.jpg)
Summary
• Operational semantics
  • Storeless
  • Local heap
  • Cutpoints
  • Equivalence theorem
• Applications
  • Shape analysis
  • May-alias analysis
![Page 50: A Semantics for Procedure Local Heaps and its Abstractions](https://reader036.vdocuments.net/reader036/viewer/2022062518/56813fef550346895daafacd/html5/thumbnails/50.jpg)
End
www.cs.tau.ac.il/~maon

• A Semantics for procedure local heaps and its abstraction. Noam Rinetzky, Jörg Bauer, Thomas Reps, Mooly Sagiv, and Reinhard Wilhelm. AVACS Technical Report 1.
• Interprocedural functional shape analysis using local heaps. Noam Rinetzky, Mooly Sagiv, and Eran Yahav. School of Computer Science, Tel Aviv University, Technical Report 26/04.