Post on 01-Jan-2016
Finding Optimum Abstractions in Parametric Dataflow Analysis
Xin Zhang, Georgia Tech
Mayur Naik, Georgia Tech
Hongseok Yang, University of Oxford
A Key Challenge for Static Analysis
Precision
Scalability
Our setting
Static analysis S takes a program p, a query q and an abstraction a, and decides p ⊢ q (q proven) or p ⊬ q (not proven)
Example query: assert(x != null)
Each query gets its own abstraction: S(p, q1, a1) answers p ⊢ q1 ?  S(p, q2, a2) answers p ⊢ q2 ?
An abstraction is a bit-vector over the analysis parameters, e.g. a = 1 0 1 1 0 0 1 0 1 0
Example 1: Predicate Abstraction
a = 1 0 1 1 0 0 1 0 1 0
Parameters: the predicates to use as abstraction predicates
Example 2: Cloning-based Pointer Analysis
a = 1 0 1 1 0 0 1 0 1 0
Parameters: the K value to use for each call site and each allocation site
Problem Statement
An efficient algorithm with:
INPUTS:
– program p and property q
– abstractions A = { a1, …, an }
– boolean function S(p, q, a)
OUTPUT:
– Proof: an optimum abstraction a ∈ A such that S(p, q, a) = true and
  ∀ a' ∈ A: (a' ⊑ a ∧ S(p, q, a') = true) ⇒ a' = a
– Impossibility: ∄ a ∈ A: S(p, q, a) = true
The lattice A of abstractions, ordered by cost:
1111  most expensive
0110  optimum: S(p, q, a) = true and no cheaper a' ⊑ a proves q
0000  least expensive
The lattice splits into the region where S(p, q, a) holds and the region where ¬S(p, q, a) holds
Example: Typestate Analysis
Program:
x = new File;
y = x;
z = x;
x.open();
y.close();
assert1(x, closed);
assert2(x, opened);
Typestate automaton for File: closed --open()--> opened, opened --close()--> closed; close() in state closed and open() in state opened lead to error
Abstract state after x = new File: <{closed}, {x}>, i.e. <type-state set ts, must-alias access-path set ms>
Example: Typestate Analysis (must-alias set limited to x)
x = new File;   <{closed}, {x}>
y = x;          <{closed}, {x}>
z = x;          <{closed}, {x}>
x.open();       <{opened}, {x}>           strong update (x is in ms)
y.close();      <{opened, closed}, {x}>   weak update (y is not in ms)
assert1(x, closed);  Failed
assert2(x, opened);  Failed
ms is the must-alias access-path set; it only contains the access paths specified in the abstraction
Example: Typestate Analysis
Query    Abstraction   Our goal
assert1  any a         an optimum a
assert2  none          impossibility
Example: Typestate Analysis
Naïve approach: calculating the weakest precondition (WP) backwards from assert1
↑ x = new File;   ↓ <{closed}, {}>
↑ y = x;          ↓ <{closed}, {}>
↑ z = x;          ↓ <{closed}, {}>
↑ x.open();       ↓ <{closed, opened}, {}>
↑ y.close();      ↓ top
↑ assert1(x, closed);
(↓: forward abstract state under the empty abstraction; ↑: backward WP pass)
{}  Failed
Exponential Blowup! Much of the WP is unreachable.
Too large? Let's ignore part of it:
– drop the unreachable disjuncts
– intersect with the forward state
– keep as many disjuncts as possible
Example: Typestate Analysis
Our approach: WP + underapproximation
Query assert1, abstraction a = {} (x ∉ a):
x = new File;   <{closed}, {}>
y = x;          <{closed}, {}>
z = x;          <{closed}, {}>
x.open();       <{closed, opened}, {}>
y.close();      top
assert1(x, closed);  Failed
The underapproximated WP splits on x ∈ a / x ∉ a; next try a = {x} (x ∈ a, y ∉ a):
x = new File;   <{closed}, {x}>
y = x;          <{closed}, {x}>
z = x;          <{closed}, {x}>
x.open();       <{opened}, {x}>
y.close();      <{opened, closed}, {x}>
assert1(x, closed);  Failed
Split on y ∈ a / y ∉ a; next try a = {x, y}:
x = new File;   <{closed}, {x}>
y = x;          <{closed}, {x, y}>
z = x;          <{closed}, {x, y}>
x.open();       <{opened}, {x, y}>
y.close();      <{closed}, {x, y}>
assert1(x, closed);  Proof!
Query assert2, abstraction a = {}:
x = new File;   <{closed}, {}>
y = x;          <{closed}, {}>
z = x;          <{closed}, {}>
x.open();       <{closed, opened}, {}>
y.close();      top
assert2(x, opened);  Failed
Next try a = {x}:
x = new File;   <{closed}, {x}>
y = x;          <{closed}, {x}>
z = x;          <{closed}, {x}>
x.open();       <{opened}, {x}>
y.close();      <{opened, closed}, {x}>
assert2(x, opened);  Failed
No branch of the WP tree (x ∈ a / x ∉ a, y ∈ a / y ∉ a) yields a proving abstraction: Impossibility!
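As an added example (not code from the slides or from the authors' Chord implementation), the parametric typestate analysis from the example above together with the Proof/Impossibility definitions of the problem statement, in Python: the abstraction is the set of access paths permitted in the must-alias set, and `optimum` searches the lattice of abstractions by brute-force enumeration, which stands in for the WP + underapproximation algorithm of the paper. The program, automaton and assertions are those of the slides; the tuple encoding of statements is constructed here.

```python
from itertools import combinations

# Typestate automaton for File, as on the slides: closed --open()--> opened,
# opened --close()--> closed; any other call moves the object to error.
STATES = frozenset({"closed", "opened", "error"})
TRANSITIONS = {("closed", "open"): "opened", ("opened", "close"): "closed"}

def step(state, method):
    return TRANSITIONS.get((state, method), "error")

# The slides' program, encoded as constructed tuples (assertions are queries).
PROGRAM = [("new", "x"), ("copy", "y", "x"), ("copy", "z", "x"),
           ("call", "x", "open"), ("call", "y", "close")]

def analyze(program, abstraction):
    """Forward analysis over abstract states <ts, ms>: ts is the set of possible
    typestates of the File allocated by `new`; ms is the must-alias set, which
    may only contain access paths that the abstraction permits."""
    ts, ms = frozenset(), frozenset()
    for stmt in program:
        if stmt[0] == "new":                    # fresh object, tracked from here
            ts = frozenset({"closed"})
            ms = frozenset({stmt[1]}) & abstraction
        elif stmt[0] == "copy":                 # dst = src
            dst, src = stmt[1], stmt[2]
            ms = ms - {dst}
            if src in ms and dst in abstraction:
                ms = ms | {dst}
        elif stmt[0] == "call":                 # var.method()
            var, method = stmt[1], stmt[2]
            moved = frozenset(step(s, method) for s in ts)
            # strong update if var must alias the object, weak update otherwise
            ts = moved if var in ms else ts | moved
    return ts, ms

def holds(program, abstraction, var, state):
    """S(p, q, a): does the analysis under `abstraction` prove assert(var, state)?"""
    ts, ms = analyze(program, abstraction)
    return var in ms and ts <= {state}

def optimum(program, variables, var, state):
    """Brute-force search over the lattice of abstractions (subsets of `variables`):
    the minimal proving abstractions (Proof), or None (Impossibility)."""
    proving = [frozenset(c) for k in range(len(variables) + 1)
               for c in combinations(sorted(variables), k)
               if holds(program, frozenset(c), var, state)]
    minimal = [a for a in proving if not any(b < a for b in proving)]
    return minimal or None

if __name__ == "__main__":
    print(optimum(PROGRAM, {"x", "y", "z"}, "x", "closed"))   # assert1: Proof
    print(optimum(PROGRAM, {"x", "y", "z"}, "x", "opened"))   # assert2: Impossibility
```

Enumerating 2^n abstractions is only viable for this toy program; the point is that the optimum for assert1 is {x, y}, exactly the abstraction the WP-guided search above arrives at, while no subset of {x, y, z} proves assert2.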
In the paper: a general framework for parametric dataflow analysis
Experiment
– Implementation in Chord for Java programs
– 2 client analyses: Typestate and Thread-Escape
  Both are fully context- and flow-sensitive analyses, so they only scale with sparse parameters
– 7 Java benchmarks
Benchmarks
name       bytecode (KB)   KLOC   log|A| (thread-escape)   log|A| (typestate)
tsp        391             269    569                      6,175
elevator   390             269    352                      6,180
hedc       442             283    1,400                    7,326
weblech    504             326    2,993                    7,663
antlr      532             303    16,563                   7,748
avrora     634             340    37,797                   10,151
lusearch   511             314    14,508                   7,395
Precision: Thread-Escape Analysis
[Chart: % queries Proven / Impossible / Unresolved per benchmark (tsp, elevator, hedc, weblech, antlr, avrora, lusearch, AVG.); total # queries: 209, 221, 552, 658, 5857, 14322, 6726]
Resolved: ~90%; previous approach [POPL12]: ~40%
Precision: Typestate Analysis
[Chart: % queries Proven / Impossible per benchmark (tsp, elevator, hedc, weblech, antlr, avrora, lusearch, AVG.); total # queries: 12, 72, 170, 71, 7903, 5052, 3644]
Scalability: Number of iterations
[Charts: # queries (Proven / Impossible) vs. # analysis iterations, bins 1 to 10 and 11+, for avrora, antlr and lusearch]
Scalability: Running time
[Charts: # queries (Proven / Impossible) vs. analysis time in minutes, bins 0-1 through 9-10 and 10+, for avrora, antlr and lusearch]
Size of optimal abstractions
# proven queries per size of abstraction |a|:
|a|        1     2    3    4    5   6    7   8    9   10  11+
avrora     5436  954  892  164  68  110  13  181  41  13  123
antlr      1275  706  390  79   39  19   4   2    6   3   13
lusearch   2345  805  295  129  86  23   4   3    15  2   1
Related work
Modern pointer analysis: demand-driven, query-driven, … (Heintze & Tardieu '01, Guyer & Lin '03, Sridharan & Bodik '06, ...)
CEGAR model checkers (SLAM, BLAST, YOGI, …): work on concrete counterexamples; can disprove queries
1. No optimality guarantee: can over-refine and hurt scalability.
2. No impossibility: can cause divergence.
Thank you!
Q&A