Collaborators George Necula Xavier Rival INRIA BorYuh Evan Chang University of California Berkeley FebruaryApril 2008 Precise Program Analysis with Data Structures by Designing with the User in Mind ID: 618884
Download Presentation The PPT/PDF document "Precise Program Analysis with Data Stru..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Precise Program Analysis with Data Structures
Collaborators: George Necula, Xavier Rival (INRIA)
Bor-Yuh
Evan Chang
University of California, Berkeley
February-April 2008Slide2
Precise Program Analysis with Data Structures
by Designing with the User in Mind
Collaborators: George
Necula, Xavier Rival (INRIA)
Bor-Yuh
Evan Chang
University of California, Berkeley
February-April
2008Slide3
Software errors cost a lot
~$60 billion
annually (~0.5% of US GDP)
2002 National Institute of Standards and Technology report
total annual revenue of
>
10x annual budget of
>
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide4
But there’s hope in program analysis
Microsoft
uses and distributes
the
Static Driver Verifier
Airbus
applies
the
Astrée
Static Analyzer
Companies, such as
Coverity
and Fortify, market static source code analysis tools
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide5
Because program analysis caneliminate entire classes of bugs
For example,Reading from a closed file:
Reacquiring a locked lock:
How?
Systematically examine the programSimulate running program on “all inputs”“Automated code review”
read( );
acquire(
);
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide6
…
code …
//
x
now points to an unlocked lock
acquire
(x);
…
code …
analysis state
Program analysis by example:
Checking for double acquires
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
Simulate running program on “all inputs”
x
acquire(
x
);
…
code …Slide7
…
code …
//
x
now points to an unlocked lock
in a linked list
acquire
(
x
)
;
…
code …
ideal analysis state
Program analysis by example:
Checking for double acquires
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
Simulate running program on “all inputs”
x
x
x
or
or
or
…
undecidabilitySlide8
…
code …
//
x
now points to an unlocked lock
in a linked list
acquire
(
x
)
;
…
code …
ideal analysis state
analysis state
Must abstract
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
x
x
x
or
or
or
…
?
x
For decidability, must
abstract
—“model all inputs” (e.g.,
merge objects)
Abstraction too
coarse
or
not precise
enough (e.g., lost x is always unlocked)
mislabels good code as buggy
Slide9
To address the precision challenge
Traditional program analysis mentality:
“
Why
can’t developers write more
specifications for our analysis
? Then, we could verify so much more.”
“
Since developers won’t write specifications,
we will use
default abstractions
(perhaps coarse) that work hopefully most of the time.”
My approach
:
“
Can
we design program analyses around the user? Developers write testing code. Can we
adapt
the analysis
to use those as specifications?”
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide10
Summary of overview
Challenge in analysis
: Finding a good abstraction
precise enough but not more than necessary
Powerful, generic abstractions
expensive, hard to use and understand
Built-in, default abstractions
often not precise enough (e.g., data structures)
My approach
:
Must involve the user in abstraction
without expecting the user to be a program analysis expert
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide11
Overview of contributions
Extensible Inductive Shape Analysis [POPL’08,SAS’07]Precise inference of data structure properties
Able to check, for instance, the locking example
Targeted to software developers
Uses data structure checking code for guidance
Turns testing code into a specification for static analysis
Efficient
~10-100x speed-up over generic approaches
Builds abstraction out of developer-supplied checking code
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide12
Extensible Inductive
Shape Analysis
Precise
inference of data structure properties
Developer-oriented
approach
[POPL’08, SAS’07]
…
Part 1Slide13
Shape analysis is a fundamental analysis
Data structures are at the core of Traditional languages (C, C++, Java)
Emerging web scripting languages
Improves verifiers that try to
Eliminate resource usage bugs (locks, file handles)
Eliminate memory errors (leaks, dangling pointers)
Eliminate concurrency errors (data races)
Validate
developer assertions
Enables program
transformations
Compile-time garbage collection
Data structure refactorings
…
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide14
Shape analysis by example:
Removing duplicates//
l
is a sorted doubly-linked list
for each node cur in
list
l
{
remove cur
if duplicate;
}
assert
l is sorted, doubly-linked with no duplicates;
Example/Testing
Code Review/Static Analysis
“no duplicates”
l
“sorted dl list”
l
program-specific
l
2
2
4
4
l
2
4
4
cur
l
2
4
“sorted dl list”
l
“segment with
no duplicates”
cur
intermediate state more complicated
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide15
Shape analysis is not yet practical
Choosing the heap abstraction difficult for precision
Parametric in high-level, developer-oriented predicates
+
Extensible
+
Targeted
to
developers
Xisa
Built-in high-level predicates
-
Hard to extend
+
No additional user
effort (if precise enough)
Parametric in low-level, analyzer-oriented predicates
+
Very general and expressive
-
Hard for non-expert
89
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
Traditional approaches
:
My approach
:
Space Invader [
Distefano
et al.]
TVLA
[
Sagiv
et al.]Slide16
Key insight
for being developer-friendly and efficient
Utilize “run-time
checking code
” as specification for static analysis.
assert
(
sorted_dll
(l,
…
));
for each node
cur in list
l { remove cur if duplicate;
}
assert
(
sorted_dll_nodup
(l,
…
));
l
l
cur
l
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
dll
(h, p) =
if
(h
=
null
)
then true else h!prev = p and dll(h!next, h)checkerContribution: Automatically generalize checkers for complicated intermediate statesContribution: Build the abstraction for analysis out of developer-specified checking code p specifies where prev should pointSlide17
Our framework is …
Extensible and targeted for developersParametric in developer-supplied checkersPrecise yet compact abstraction for efficiency
Data structure-specific based on properties of interest to the developer
An automated
shape analysis
with a
precise memory
abstraction
based around
invariant checkers
.
shape
analyzer
dll
(h, p) =
if
(h
=
null
)
then
true
else
h
!
prev
=
prev
and dll(h!next, h)checkersBor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide18
Splitting
of summaries
(
materialization
)
To reflect updates precisely (
strong updates
)
And
summarizing
for termination (
widening
)
Shape analysis is an abstract interpretation on
abstract memory descriptions
with …
cur
l
cur
l
cur
l
cur
l
cur
l
cur
l
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide19
Outline
shape analyzer
abstract interpretation
splitting and
interpreting update
summarizing
type
“pre-analysis”
on checker
definitions
dll
(h, p) =
if
(h
=
null
)
then
true
else
h
!
prev
=
prev
and
dll(h!next, h)checkersBor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresLearn information about the checker to use it as an abstraction
1
23
Compare and contrast manual code review and our automated shape analysisSlide20
Overview: Split summaries
to interpret updates precisely
l
cur
l
cur
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
Want abstract update to be “exact”, that is, to update one “concrete memory cell”.
The example at a high-level: iterate using
cur
changing the doubly-linked list from
purple
to
red
.
l
cur
split
at cur
update
cur
purple
to
red
l
cur
Challenge
:
How does the analysis “split” summaries and know where to “split”?Slide21
“Split forward”by unfolding inductive definition
Ç
dll
(h, p) =
if
(h
=
null
)
then
true
else
h!prev
=
p
and
dll
(
h
!
next
, h)
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
l
cur
get
:
cur
!
next
l
cur
nullpdll(cur, p)
lcurp
dll(n, cur)nAnalysis doesn’t forget the empty caseSlide22
“Split backward” also possible and necessary
dll
(h, p) =
if
(h
=
null
)
then
true
else
h!prev = p and
dll(h!
next
, h)
Bor-Yuh
Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
l
cur
p
dll
(
n
, cur)
n
f
or each node
cur
in list
l
{
remove
cur if duplicate;}assert l is sorted, doubly-linked with no duplicates;“dll segment”lcur
p0dll(n, cur)n
“dll segment”cur!prev!next= cur!next;lcur
dll
(
n
, cur)
nnullget: cur!prev!nextÇ
Technical Details: How does the analysis do this unfolding? Why is this unfolding allowed?
(Key: Segments are also inductively defined)
[POPL’08]
How does the analysis know to do this unfolding?Slide23
Outline
shape analyzer
abstract interpretation
splitting and
interpreting update
summarizing
type
“pre-analysis”
on checker
definitions
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
Contribution
:
Turns testing code into specification for static analysis
1
2
3
How do we decide where to unfold?
Derives additional information to guide unfolding
dll
(h, p) =
if
(h
=
null
)
then
true
else
h
!
prev = prev
and dll(h!next, h)checkersSlide24
memory cell (points-to:
°!
next
=
±)Abstract memory as graphs
dll
(h, p) =
if
(h
=
null
)
then true
else
h
!
prev
=
p
and
dll
(
h
!
next
, h)
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
l
®
dll(null)dll(¯)cur°dll(
°)¯
prev
next±Make endpoints and segments explicit, yet high-levelldll(±, °)
±“dll segment”cur°®segment summarychecker summary (inductive pred)
memory address (value)Contribution: Generalization of checker(Intuitively, dll(®,null) up to dll(°,¯).)Some number of memory cells (thin edges)Which summary (thick edge), in what direction, and how far do we unfold to get the edge ¯!next (cur!prev!next)?¯nextSlide25
0
1
-1
-2
Types for deciding where to unfold
®
dll
(null
)
dll
(
¯
)
dll
(
¯
)
°
dll
(
®
,null)
dll
(
¯
,
®
)
dll
(
°
,
¯
)
dll
(
±
,°)dll(null,±)Checker “Run” (call tree/derivation)InstanceSummary°±next
prev®¯prevnextnextprevnextprevnullnull
dll(h, p) = if (h = null) then true else h!prev = p and dll(h!next, h)h : {nexth0i, prevh0i }p : {nexth-1i, prevh-1i }If it exists, where is:°!next ?¯!next ?Checker Definition0-1
Says:For h!next/h!prev, unfold from hFor p!next/p!prev, unfold before hBor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide26
Types make the analysis robust with respect to how checkers are written
¯
dll
(
®
)
dll
(
¯
)
dll
(
¯
)
°
0
-1
¯
.
dll
(
®
)
°
.
dll
(
¯
)
null.dll(
°
)
Instance
Summary
dll
(h, p) =
if (h =
null) then true else h!prev = p and dll(h!next, h)h : {nexth0i, prevh0i }p : {nexth-1i, prevh-1i }Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures°¯
prevnextnextprevnull®0-1¯.dll0()°.dll0()
Checker “Run”¯next°nextprevnullInstance¯dll0dll0
dll0°Summarydll0(h) = if (h!next = null) then true else h!next!prev = h and dll0(h!next)Alternative doubly-linked list checkerh : {nexth0i, prevh-1i }
°!prev ?
-1
Checker “Run”
Doubly-linked list checker (as before)
Different types for different unfoldingSlide27
Summary of checker parameter types
Tell
where
to unfold for
which fields
Make analysis
robust
with respect to how checkers are written
Learn where in summaries unfolding won’t help
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
Can be
inferred automatically
with a fixed-point computation on the checker definitionsSlide28
Summary of interpreting updates
Splitting of summaries needed for precision
Unfolding checkers is a natural way to do splitting
When checker traversal matches code traversal
Checker parameter types
Enable, for example, “back pointer” traversal without blindly guessing where to unfold
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide29
Outline
shape analyzer
abstract interpretation
splitting and
interpreting update
summarizing
type
“pre-analysis”
on checker
definitions
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
1
2
3
dll
(h, p) =
if
(h
=
null
)
then
true
else
h
!
prev
=
prev and dll
(h!next, h)checkersSlide30
Summarize
by folding into inductive predicates
last = l;
cur =
l!next;while (cur !=
null
) {
//
… cur, last …
if (…) last = cur; cur = cur! next;
}
list
l, last
next
cur
list
l
next
next
cur
last
list
l
next
next
next
cur
last
summarize
list
last
list
next
cur
list
l
Challenge
:
Precision (e.g., last, cur separated by at least one step)Previous approaches guess where to fold for each graph.Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresContribution: Determine where by comparing graphs across historylastlistnext
curSlide31
Summary:
Given checkers, everything is automatic
shape analyzer
abstract interpretation
splitting and
interpreting update
summarizing
type
“pre-analysis”
on checker
definitions
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
dll
(h, p) =
if
(h
=
null
)
then
true
else
h
!
prev
=
prev
and dll(h!next, h)checkersSlide32
Results: Performance
Benchmark
Max. Num. Graphs at a Program Pt
Analysis Time (
ms
)
singly-linked list reverse
1
0.6
doubly-linked list reverse
1
1.4
doubly-linked list copy
2
5.3
doubly-linked list remove
5
6.5
doubly-linked list remove and back
5
6.8
search tree with
parent
insert
5
8.3
search tree with parent insert
and back
5
47.0
two-level skip list rebalance
6
87.0
Linux
scull
driver (894 loc) (char arrays ignored, functions
inlined)49710.0Times negligible for data structure operations (often in sec or 1/10 sec)Expressiveness: Different data structuresVerified shape invariant as given by the checker is preserved across the operation.Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
TVLA: 850 msTVLA: 290 msSpace Invaderonly analyzes lists (built-in)Slide33
Demo: Doubly-linked list reversal
http://xisa.cs.berkeley.edu
Body of loop over the elements
:
Swaps the
next
and
prev
fields of
curr
.
Already reversed segment
Node whose
next
and
prev
fields were swapped
Not yet reversed list
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide34
Experience with the tool
Checkers are easy to write and try out Enlightening (e.g., red-black tree checker in 6 lines)
Harder to “reverse engineer” for someone else’s code
Default checkers based on types useful
Future expressiveness and usability improvements
Pointer arithmetic and arrays
More generic checkers:
polymorphic “element kind unspecified”
higher-order parameterized by other predicates
Future evaluation: user study
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide35
Short-term future work:
Exploiting common specification framework
Scenario
: Code instrumented with lots of checker calls (perhaps automatically with object invariants)
assert
(
mychecker
(x) );
// … operation on x …
assert
(
mychecker(x) );
Can
we prove
parts
statically?
Static Analysis View:
Hybrid checking
Testing View:
Incrementalize
invariant checking
Example
: Insert in a sorted list
l
v
w
u
Preservation of
sortedness
shown statically
Emit run-time check for new element:
u
·
v · wVery slow to executeHard to prove statically (in general)Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide36
Summary ofExtensible Inductive Shape Analysis
Key Insight:
Checkers as specifications
Developer View:
Global, Expressed in a familiar style
Analysis View:
Capture developer intent, Not arbitrary inductive definitions
Constructing the program analysis
Intermediate states:
Generalized segment
predicates
Splitting: Checker parameter
types with levels
Summarizing:
History-guided approach
next
list
list
r
list
list
list
®
¯
c(
°
)
c
0
(
°
0
)
h
: {next
h
0
i, prevh0i} p : {nexth-1i, prevh-1i}
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide37
Are there other kinds of program analysis users?
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide38
Two kinds of users of program analysis
software
software
developer
end-user
Wants
:
Precise program analysis for development tools
Wants
:
Program analysis to certify software is ok
Analysis of Low-Level Code Using
Decompilers
[SAS’06, TLDI’05]
Extensible Inductive Shape Analysis
[POPL’08, SAS’07]
1
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
2Slide39
Analysis of
Low-Level Code Using Cooperating Decompilers[SAS’06, TLDI’05]
Part 2Slide40
End-users want low-level code analysis
Want analyses to check code to be executed
is ok
E.g., won’t crash, good wrt
Static Driver VerifierDo not know any details about the programAnalysis must be fully automatic
But can demand additional information from the developer
To make analysis automatic
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
source code
But most program analyses operate at the
source-level
!
executable
code
end-user
for low-level code
analyzerSlide41
Analyzers for low-level code are more difficult and tedious to build
Porting source-level analyses is error prone
one statement becomes many instructions
dependencies between instructions must be carefully tracked
Key Insight:
Low-level complexity
deals with compilation idioms
mostly independent of the analysis
can be captured with intermediate languages
Bor-Yuh
Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
executable
code
end-user
source code
for low-level code
analyzer
for low-level code
analyzerSlide42
Decompile code rather than port analysis
Framework of small,
cooperating
decompilers
that
gradually lift the level of the program
Decompilation
for program analysis
Need not get to original, nor be human understandable
Only concern is
safety, not performance
Unlike, e.g., Java VM platform (JIT compiler)
Can use additional meta-data (e.g., source-level types)
Bor-Yuh
Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
executable
code
end-user
source code
for low-level code
analyzerSlide43
Summary of results
Flexibility and usability
3
compilers
(gcc/C, gcj/Java, coolc/Cool)
2 architectures (x86, MIPS)
With 6
decompiler
modules
Basic Java type-checking for
gcj output implemented in 3-4 hours, 500 lines of code
Benefits of modularity
decompiler
-based re-implementation of a low-level analysis uncovered 8 bugs in the original implementation (
heavily used,
deployed in the classroom)
Applicability of existing
source-level tools
applied C code tools, BLAST and
Cqual
, on
decompiled
benchmarks (size: ~10,000 lines of C)
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide44
Future ResearchSlide45
Long-term and outreach
Theme: Overcome decidability issues in program analysis by tailoring it to the user
“Programs” are no longer only written to be executed on computers
E.g., computational models of biological pathways in systems biology
Need new “program” analysis toolsValidate models(e.g., pathway model produces only expected products)Reason about models
How do these users work?
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide46
Conclusion
Extensible Inductive Shape Analysisprecision demanding program analysis improved by novel user interaction
Developer:
Gets results corresponding to intuition
Analysis:
Focused on what’s important to the developer
Cooperating
Decompilers
adapt program analyses to code end-users run
Practical precise tools for better software!
Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide47
What can
inductive
shape analysis do for you?
http://xisa.cs.berkeley.eduSlide48
Bonus Slides:
Extensible InductiveShape AnalysisSlide49
Intuition: Checkers and types
global specification (i.e., per data structure)more precise (typically)
holds
only in “steady-state”
need generalization
global specification (i.e., per data structure)
less precise (typically)
holds
always
doesn’t need generalization
l.
sorteddll
(
prev
, min) =
if (l =
null
)
then
true
else
l
!
prev
=
prev
and
min · l!val and l!next.sorteddll(l,l!val)struct Dll { int val; Dll* prev; Dll* next;};x . sorteddll
(…)x : DllBor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide50
Segments as partial checkers
®
.
dll
(null)
¯
.
dll
(
®
)
°
.
dll
(
¯
)
±
.
dll
(
°
)
null.dll(
±
)
Checker “Run”
Instance
Summary
®
dll
(null
)
dll
(¯)
dll
(¯)
°
c0(¯
,°0)c(®,°)……………
®¯c(°)c0(°0)i
i
i
= 0
i = 0i
i00c = c0® = ¯° = °
0® = °
¯
= nullnull
next
°next±prev
prevnull®¯nextprevnextprevnullBor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide51
To unfold backward, split the segment and then unfold forward
cur =
l
!
next
;
while
(cur !=
null
)
{
if
(
cur
!
prev
!
val
==
cur
!
val
)
{
cur =
cur
!
prev
;
remove_after
(cur
);
} cur = cur!next;}
:=
9´.
¼dll(½)Ǽ = nullemp¼ null¼nextdll(¼)
´½prev
materialize: cur!prev!nextl®dll(null)dll(°)cur°±prevdll
(±)next"l®cur°¯dll(null)dll(¯)prevnext±
prev
dll
(
±
)next"dll(±)next
"Çl, cur°±
prev
® = ±
° = null
°
0dll(¯)dll(¯)1
=unfoldBor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide52
Backward unfolding
by forward unfolding
¯
dll(null)
dll(
°
)
i
+1
°
prev
split (lemma)
dll(null)
dll(
e
)
i
1
±
¯
°
prev
dll(
°
)
dll(
e
)
i
unfold forward at
±
dll(null)
dll(
e
)
i
0
±°prev
dll(°)eprev¯´nextdll(±)nextdll(null)dll(e)±preveprev
¯reduce ´ = ¯, ± = °Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide53
Chang, Rival, Necula - Shape Analysis with Structural Invariant Checkers
History-guided folding
list
next
list
next
next
list
next
list
r
l,
last
last
cur
cur
l
l
last
cur
l,
list
?
v
?
list
Yes
last = l;
cur = l
!
next;
while
(cur !=
null
) {
if (…) last = cur;
cur = cur
!
next;}
Match edges to identify where to foldApply local folding rulesnextllastllastl, lastSlide54
Bonus Slides:
Analysis of Low-Level CodeSlide55
Porting source-level analyses is error prone
class C extends P { void m() { … }}
P
p
= new P();P c = … ? new C() : p;…c.m();
r
c
:= m[
r
sp
]
if (rc = 0) L
exc
r1 := m[rc]
r1 := m[r1+28]rsp := r
sp - 4m[
r
sp
] := m[r
sp
+4]
-
m[
r
sp
] :=
r
c
icall
[r
1
]
Analyzers for low-level code are more difficult and tedious to build
Example
: Java Type Analysishrc : P, … ihrc : nonnull P, …ihr1 : disp(P), …ihr1 : meth(P,28), …ihm[rsp] : nonnull P, …iType analysis intermixed with low-level reasoning(e.g., args on
stack)Bor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data StructuresSlide56
Porting source-level analyses is error prone
class C extends P { void m() { … }
}
P
p = new P();P c = … ? new C() : p;
…
c.m
();
r
c
:= m[
rsp]
if (r
c = 0) Lexc
r1 := m[rc]r1 := m[r1
+28]rsp
:=
r
sp
- 4
m[
r
sp
] :=
r
p
icall
[r
1
]
Analyzers for low-level code are more difficult and tedious to build
Example
: Java Type Analysis
h
rc : P, … ihrc : nonnull P, …ihr1 : disp(P), …ihr1 : meth(P,28), …ihm[rsp] : nonnull P, …i
unsoundBor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures
Dependencies must be carefully trackedSlide57
f:
… r
c
:= m[rsp+12]
if (rc = 0) Lexc r1 := m[r
c
]
r
1
:= m[r
1+28] rsp := rsp - 4
m[rsp] := m[r
sp+16]
icall [r1]
…
f(tc
):
r
c
:=
t
c
if (
r
c
= 0)
L
exc
r
1
:= m[
r
c
] r1 := m[r1+28] t1 := tc icall [r1](t1)f(c): if (c = 0) Lexc icall [m[m[c]+28]] (c)f(obj c): if (c = 0) Lexc invokevirtual
[c, 28] ()f(C c):
if (c = 0) Lexc
c.m() Framework of small, reusable cooperating decompiler modulesstatic void f(C c) { c.m(); }LocalsSymEvalOOJavaTypes
Local VariablesSymbolic EvaluationDynamic DispatchyouranalyzerBor-Yuh Evan Chang, UC Berkeley - Precise Program Analysis with Data Structures