Finding Optimum Abstractions in Parametric Dataflow Analysis
Xin Zhang (Georgia Tech), Mayur Naik (Georgia Tech), Hongseok Yang (University of Oxford)

A key challenge for static analysis: precision vs. scalability
Our setting
  A program p, a query q (for example assert(x != null)), and a static analysis S that is parameterised by an abstraction a. Running S on (p, q, a) either proves the query (p ⊢ q) or answers "?" (unknown).
  An abstraction is a bit vector with one bit per parameter, e.g. 1 0 1 1 0 0 1 0 1 0; different abstractions a1, a2 may prove different queries q1, q2.

  Example 1: predicate abstraction. The bits select which predicates to use as abstraction predicates.
  Example 2: cloning-based pointer analysis. The bits give the k value to use for each call site and each allocation site.
Problem statement
  Wanted: an efficient algorithm with
    Inputs: a program $p$ and a property $q$; a set of abstractions $A = \{a_1, \ldots, a_n\}$; a boolean function $S(p, q, a)$ that is true iff the analysis proves $q$ under abstraction $a$.
    Output, one of:
      Proof: an optimum abstraction $a \in A$ such that $S(p, q, a) = \mathit{true}$ and $\forall a' \in A.\ (a' \sqsubseteq a \wedge S(p, q, a') = \mathit{true}) \Rightarrow a' = a$, i.e. no cheaper abstraction also proves $q$.
      Impossibility: $\nexists a \in A.\ S(p, q, a) = \mathit{true}$.
  In the lattice $A$ of abstractions (bit vectors ordered pointwise), $1111$ is the most expensive abstraction and $0000$ the least expensive. If $S(p, q, a)$ holds for $a = 0110$ and $\neg S(p, q, a')$ for every $a'$ below it, then $0110$ is the optimum.
Example: typestate analysis

Program:
  x = new File;
  y = x;
  z = x;
  x.open();
  y.close();
  assert1(x, closed);
  assert2(x, opened);

Typestate automaton of File: open() moves closed to opened and close() moves opened to closed; open() on an opened file and close() on a closed file move to error.

Abstract state: a pair <ts, ms>, where ts is the typestate set of the File object and ms is its must-alias access-path set. The abstraction is the set of access paths the analysis may track: ms only ever contains access paths allowed by the abstraction.

Forward analysis under abstraction {x}:
  x = new File;        <{closed}, {x}>
  y = x;               <{closed}, {x}>           y is not tracked, so ms does not grow
  z = x;               <{closed}, {x}>
  x.open();            <{opened}, {x}>           strong update: x is in ms
  y.close();           <{opened, closed}, {x}>   weak update: y is not in ms
  assert1(x, closed);  failed
  assert2(x, opened);  failed

Our goal: for assert1, find an abstraction (the cheapest one) that proves it; for assert2, report impossibility.

Naïve approach: start from the empty abstraction {} and calculate the weakest precondition (WP) of the failed query backwards. Forward states under {}:
  x = new File;        <{closed}, {}>
  y = x;               <{closed}, {}>
  z = x;               <{closed}, {}>
  x.open();            <{closed, opened}, {}>    weak update: nothing is tracked
  y.close();           top
  assert1(x, closed);  failed
The exact WP suffers exponential blowup, and most of it describes states that are unreachable in the program.

Our approach: WP + underapproximation. Too large? Ignore part of it: drop the unreachable disjuncts by intersecting the WP with the forward state at each program point, keeping as many of the remaining disjuncts as possible. The underapproximated WP tells which access paths must be tracked, and that gives the next abstraction to try.

Iterations for assert1:
  Abstraction {}:     forward state after y.close() is top                       failed
  Abstraction {x}:    the states kept after intersecting with the forward state are
                        x = new File;  <{closed}, {x}>
                        y = x;         <{closed}, {x}>
                        z = x;         <{closed}, {x}>
                        x.open();      <{opened}, {x}>
                        y.close();     <{opened}, {x}>
                      before y.close() the proof also needs y in ms, which {x} cannot
                      represent                                                   failed
  Abstraction {x, y}: forward analysis
                        x = new File;  <{closed}, {x}>
                        y = x;         <{closed}, {x, y}>
                        z = x;         <{closed}, {x, y}>
                        x.open();      <{opened}, {x, y}>
                        y.close();     <{closed}, {x, y}>    strong update: y is in ms
                        assert1(x, closed);                   Proof!

Iterations for assert2:
  Abstraction {}:     forward state after y.close() is top                       failed
  Abstraction {x}:    forward state after y.close() is <{opened, closed}, {x}>   failed
  No further abstraction can help: y aliases x on every execution, so y.close() always leaves the file closed before assert2(x, opened). Impossibility!

In paper: a general framework for parametric dataflow analysis.
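As an added example, not code from the slides or from the authors' Chord implementation, the following Python encodes the typestate analysis above: abstract states <ts, ms>, the strong/weak update rule driven by the must-alias set, and the abstraction as the set of access paths the analysis may track. The search for an optimum abstraction is a brute-force enumeration of the 2^n abstractions ordered by inclusion; it illustrates the definitions of proof, optimum and impossibility from the problem statement, not the paper's WP + underapproximation algorithm. The tuple encoding of the program, the function names and the restriction of access paths to plain variables are assumptions of this example.

```python
"""Parametric typestate analysis over the slides' example program.

Abstract state = (ts, ms): ts is the set of possible typestates of the File
object, ms is the set of access paths (variables) that must alias it.
The abstraction is the set of access paths the analysis is allowed to keep
in ms (the slides' "only allows the access paths specified in the abstraction").
"""
from itertools import combinations

# Typestate automaton of File, as drawn on the slides: anything not listed
# here (open() on opened, close() on closed) moves the object to "error".
TRANSITIONS = {("closed", "open"): "opened", ("opened", "close"): "closed"}

# The example program from the slides, in a constructed tuple encoding.
PROGRAM = [
    ("new", "x"),            # x = new File;
    ("assign", "y", "x"),    # y = x;
    ("assign", "z", "x"),    # z = x;
    ("call", "x", "open"),   # x.open();
    ("call", "y", "close"),  # y.close();
]
QUERIES = {"assert1": ("x", "closed"), "assert2": ("x", "opened")}
ALL_PATHS = ("x", "y", "z")  # parameters of the abstraction (one bit each)


def step(state, stmt, abstraction):
    """Transfer function for one statement under the given abstraction."""
    ts, ms = state
    kind = stmt[0]
    if kind == "new":
        # fresh object in its initial typestate; the variable must-aliases it
        # only if the abstraction lets us track that access path
        return frozenset({"closed"}), frozenset({stmt[1]}) & abstraction
    if kind == "assign":
        dst, src = stmt[1], stmt[2]
        if src in ms and dst in abstraction:
            return ts, ms | {dst}   # dst now definitely aliases the object
        return ts, ms - {dst}       # untracked or unknown: dst may or may not alias
    if kind == "call":
        var, method = stmt[1], stmt[2]
        after = frozenset(TRANSITIONS.get((s, method), "error") for s in ts)
        if var in ms:
            return after, ms         # strong update: receiver must alias the object
        return ts | after, ms        # weak update: receiver may alias it, or not
    raise ValueError(f"unknown statement {stmt}")


def analyze(abstraction):
    """Forward analysis; returns the abstract state after each statement."""
    abstraction = frozenset(abstraction)
    state = (frozenset(), frozenset())
    states = []
    for stmt in PROGRAM:
        state = step(state, stmt, abstraction)
        states.append(state)
    return states


def proves(query, abstraction):
    """S(p, q, a): does the analysis under abstraction a prove query q?"""
    var, expected = QUERIES[query]
    ts, ms = analyze(abstraction)[-1]
    return var in ms and ts == {expected}


def optimum_abstractions(query, paths=ALL_PATHS):
    """Optimum abstractions in the sense of the problem statement: those that
    prove the query while no strictly cheaper (subset) abstraction does.
    Brute force over all 2^n abstractions; this illustrates the definition and
    is NOT the paper's WP + underapproximation search. Empty list means
    impossibility."""
    proving = [frozenset(c) for n in range(len(paths) + 1)
               for c in combinations(paths, n) if proves(query, c)]
    return [a for a in proving if not any(b < a for b in proving)]


if __name__ == "__main__":
    for a in ({"x"}, {"x", "y"}):
        print(f"abstraction {sorted(a)}:")
        for stmt, (ts, ms) in zip(PROGRAM, analyze(a)):
            print(f"  {stmt!s:<24} <{sorted(ts)}, {sorted(ms)}>")
    for q in QUERIES:
        opt = optimum_abstractions(q)
        print(q, "->", [sorted(a) for a in opt] if opt else "impossibility")
```

Running it reproduces the slide traces: under {x} the call y.close() is a weak update and leaves <{opened, closed}, {x}>, under {x, y} it is a strong update and assert1 is proved, and assert2 has no proving abstraction at all, which is the impossibility verdict.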
Experiment
  Implementation in Chord for Java programs.
  Two client analyses: typestate and thread-escape. Both are fully context- and flow-sensitive, and both scale only with sparse parameters (abstractions that enable few parameters).
  7 Java benchmarks.
Benchmarks
  name      bytecode (KB)   KLOC   log|A| thread-escape   log|A| typestate
  tsp       391             269    569                    6,175
  elevator  390             269    352                    6,180
  hedc      442             283    1,400                  7,326
  weblech   504             326    2,993                  7,663
  antlr     532             303    16,563                 7,748
  avrora    634             340    37,797                 10,151
  lusearch  511             314    14,508                 7,395
Precision: thread-escape analysis
  Total number of queries per benchmark: 209, 221, 552, 658, 5857, 14322, 6726.
  Resolved (proof or impossibility): ~90%. Previous work [POPL12]: ~40%.

Precision: typestate analysis
  Total number of queries per benchmark: 12, 72, 170, 71, 7903, 5052, 3644.
Scalability: number of iterations (chart)

Scalability: running time (chart)

Size of optimal abstractions (chart)
Related work
  Modern pointer analysis: demand-driven, query-driven, ... (Heintze & Tardieu '01, Guyer & Lin '03, Sridharan & Bodik '06, ...).
  CEGAR model checkers: SLAM, BLAST, YOGI, ... Work on concrete counterexamples; can disprove queries.
  No optimality guarantee: they can over-refine and hurt scalability.
  No impossibility verdict: this can cause divergence.
Thank you! Q&A