 
Shape Abstractions with Support for Sharing and Disjunctions
Huisong Li
Advised by: Xavier Rival
ENS, INRIA, CNRS, PSL*
March 8, 2018
Huisong Li, Sharing & Disjunctions, March 8, 2018, slide 1 / 51
Introduction: Software is challenging
Software is extremely complex, huge and important: military, medical, transportation and banking systems, ...
It is hard to develop and maintain, and often buggy, e.g. a recent macOS release let anyone become root without a password.
Testing and code review are useful, but cannot guarantee anything.
We want to guarantee that software is:
- safe: absence of run-time errors, especially for critical software
- secure: does not leak sensitive information
- functionally correct
Introduction: Programs manipulating dynamic data structures are challenging
Dynamic data structures, e.g. linked lists and binary search trees [figure: a binary search tree rooted at 10 with children 6 and 15 and leaves 4, 8 and 19, null children drawn as 0].
- pointers as links: dereferencing of null, uninitialized and dangling pointers
- dynamic memory allocation and deallocation: illegal free, memory leak
- structural properties have to be preserved
- complex code
Introduction: Formal verification
Formal verification: prove that a program satisfies certain properties using mathematics. A formal semantics and a formal specification describe programs and program properties in mathematical language.
Automatic formal verification: an algorithm takes a program (and a specification) and answers yes or no.
- Sound: the verification answers yes ⇒ the program satisfies the specification
- Complete: the program satisfies the specification ⇒ the verification answers yes
Undecidable problem: in general no algorithm can be sound, complete and automatic at the same time.
Introduction: Conservative static analyses
Conservative static analyses aim at automatically verifying programs: sound + automatic + not complete, based on abstraction (over-approximation).
Abstract interpretation is a framework to design static analyses:
- abstract program properties, e.g. intervals as an abstraction of sets of integers
- abstract program operations, e.g. $[m_1, m_2] + [n_1, n_2] = [m_1 + n_1, m_2 + n_2]$
- widening $\nabla$ for computing abstract loop invariants in finitely many iterations
- abstract domain = abstractions + abstract operations + widening
Existing analyses: numeric analysis, memory analysis, ...
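The recipe on this slide (abstractions, abstract operations, widening) carried through for the interval domain, as an added example that is not code from the thesis or from MemCAD. The analysed loop `i = start; while (i < bound) i = i + step;` is constructed for the illustration; it shows both why widening is needed to terminate and why a descending iteration afterwards recovers the precision widening throws away.

```python
"""Interval abstract domain with widening, illustrating the slide's recipe
abstract domain = abstractions + abstract operations + widening.

Added example, not code from the thesis or from MemCAD. The analysed loop
    i = start; while (i < bound) i = i + step;
is constructed for the illustration; bounds are integers or +/-inf.
"""
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    def is_bottom(self):        # empty set of integers
        return self.lo > self.hi


BOTTOM = Interval(1, 0)


def add(a, b):
    """[m1, m2] + [n1, n2] = [m1 + n1, m2 + n2]"""
    if a.is_bottom() or b.is_bottom():
        return BOTTOM
    return Interval(a.lo + b.lo, a.hi + b.hi)


def join(a, b):
    """Least upper bound: the smallest interval containing both."""
    if a.is_bottom():
        return b
    if b.is_bottom():
        return a
    return Interval(min(a.lo, b.lo), max(a.hi, b.hi))


def leq(a, b):
    """Abstract inclusion a ⊑ b."""
    return a.is_bottom() or (not b.is_bottom() and b.lo <= a.lo and a.hi <= b.hi)


def widen(old, new):
    """Widening: a bound that is still moving jumps to infinity, so the
    ascending iteration stops after a bounded number of steps."""
    if old.is_bottom():
        return new
    if new.is_bottom():
        return old
    return Interval(old.lo if new.lo >= old.lo else -inf,
                    old.hi if new.hi <= old.hi else inf)


def assume_lt(a, k):
    """Refine a under the integer test x < k."""
    return Interval(a.lo, min(a.hi, k - 1))


def assume_ge(a, k):
    """Refine a under the integer test x >= k (the loop exit)."""
    return Interval(max(a.lo, k), a.hi)


def analyze_counter_loop(start=0, bound=10, step=1, max_iter=100):
    """Returns (abstract loop-head invariant, abstract post-condition)."""
    init = Interval(start, start)
    body = lambda s: add(assume_lt(s, bound), Interval(step, step))
    head = init
    # Ascending iteration with widening: reaches a post-fixpoint F(head) ⊑ head.
    for _ in range(max_iter):
        nxt = widen(head, join(init, body(head)))
        if leq(nxt, head):
            break
        head = nxt
    # Descending iteration: since F(head) ⊑ head, every F^k(head) is still an
    # over-approximation, and it recovers the finite bound widening lost.
    for _ in range(max_iter):
        nxt = join(init, body(head))
        if leq(head, nxt):
            break
        head = nxt
    return head, assume_ge(head, bound)
```

With the defaults the ascending phase produces $[0, +\infty]$ after one widening step, and one descending step brings the loop-head invariant back to $[0, 10]$, so the post-condition after `i >= 10` is exactly $[10, 10]$.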
Introduction: Points-to abstraction
Concrete memory: a chain of four cells $v_0, v_1, v_2, v_3$, each storing the address of the next, the last storing 0.
Points-to abstraction:
- abstract concrete addresses with symbolic variables: $v_0 \to \alpha_0$, $v_1 \to \alpha_1$, $v_2 \to \alpha_2$, $v_3 \to \alpha_3$
- abstract memory cells with points-to predicates: $\alpha_0 \mapsto \alpha_1 \wedge \alpha_1 \mapsto \alpha_2 \wedge \alpha_2 \mapsto \alpha_3 \wedge \alpha_3 \mapsto 0$
Limitation: it is hard to express disjointness of memory cells, which is needed to support strong updates: nothing states that $\alpha_0 \mapsto \alpha_1$ and $\alpha_1 \mapsto \alpha_2$ describe different memory cells.
Introduction: Separating conjunction
Concrete memory: the same chain $v_0, v_1, v_2, v_3$ ending in 0.
Points-to abstraction with separating conjunction $*$ (John C. Reynolds, 2002):
- the separating conjunction expresses disjointness: $\alpha_0 \mapsto \alpha_1 * \alpha_1 \mapsto \alpha_2 * \alpha_2 \mapsto \alpha_3 * \alpha_3 \mapsto 0 \ \Rightarrow\ \forall\, 0 \le i, j \le 3,\ i \ne j \Rightarrow \alpha_i \ne \alpha_j$
- the separating conjunction enables local reasoning (frame rule): from $\{\varphi\}\ P\ \{\varphi'\}$ derive $\{\varphi * \psi\}\ P\ \{\varphi' * \psi\}$
Introduction: Summarization of unbounded inductive data structures
Concrete memory: a list of unbounded length $v_0, v_1, \ldots$ ending in 0.
Abstraction with summarization: inductive definitions precisely describe dynamic data structures, e.g. for singly linked lists
$\alpha \cdot \mathrm{list} ::= \alpha = 0 \ \vee\ (\alpha \ne 0 \wedge \exists \beta.\ \alpha \cdot n \mapsto \beta * \beta \cdot \mathrm{list})$
Inductive predicates are instances of inductive definitions; e.g. the abstract state $\alpha_0 \cdot n \mapsto \alpha_1 * \alpha_1 \cdot \mathrm{list}$ (formula) is drawn as a graph with a points-to edge labelled n from $\alpha_0$ to $\alpha_1$ and a summary edge labelled list from $\alpha_1$.
Introduction: Example: Forward analysis of a list traversal program

    list *c = h;
    while (c != NULL)
        c = c->n;

Forward analysis: start from a given abstract pre-condition and automatically compute an abstract post-condition.
Pre-condition: $h \to \alpha_0$, $\alpha_0 \cdot \mathrm{list}$.
After `c = h` and the loop test: $h, c \to \alpha_0$, $\alpha_0 \cdot \mathrm{list}$, $\alpha_0 \ne 0$. The abstract state is a product: shape abstraction × numerical abstraction.
To read c->n the analysis unfolds the inductive predicate $\alpha_0 \cdot \mathrm{list}$. Unfolding generates case splits:
$(\alpha_0 \ne 0 \wedge \alpha_0 \cdot n \mapsto \alpha_1 * \alpha_1 \cdot \mathrm{list}) \ \vee\ (\alpha_0 \ne 0 \wedge \alpha_0 = 0)$; the second case is unsatisfiable and is dropped.
After `c = c->n`: $h \to \alpha_0$, $c \to \alpha_1$, $\alpha_0 \cdot n \mapsto \alpha_1 * \alpha_1 \cdot \mathrm{list}$, $\alpha_0 \ne 0$.
Widening $\nabla$ of the abstract states reaching the loop head computes the loop invariant; widening folds the unfolded predicates back into summaries.
Abstract loop invariant: $h \to \alpha_0$, $c \to \alpha_1$, the cells between $\alpha_0$ and $\alpha_1$ summarized as a list segment, $*\ \alpha_1 \cdot \mathrm{list}$, with $\alpha_1 \ne 0$ after the loop test.
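The unfolding, case-split pruning and folding steps of this slide, run end to end on the same traversal, as an added illustration that is not code from the thesis or from MemCAD. The symbolic-heap encoding, the folding rules and the way disjuncts are joined are this example's own simplifications (a real analyzer keeps several disjuncts instead of failing when shapes differ); it also shows what the analysis reports when the `c != NULL` guard is removed, which is the memory-safety check the analysis exists for.

```python
"""Tiny symbolic-heap shape analysis for the list traversal on the slides.

Added illustration, not code from the thesis or from MemCAD. Predicates are
tuples: ('pt', a, b) for a.n |-> b, ('list', a) for a.list, ('lseg', a, b)
for a list segment from a to b; '= 0' / '!= 0' facts form the numeric part.
Symbol naming and the folding rules are this example's own choices.
"""
from dataclasses import dataclass, replace
from itertools import count

_counter = count()


def fresh():
    return f"a{next(_counter)}"


@dataclass(frozen=True)
class State:
    env: tuple          # sorted (variable, symbol) pairs
    heap: frozenset     # separating conjunction of predicates
    nonnull: frozenset  # symbols known to be != 0
    null: frozenset     # symbols known to be == 0


def sym(st, var):
    return dict(st.env)[var]


def assign(st, var, s):
    d = dict(st.env); d[var] = s
    return replace(st, env=tuple(sorted(d.items())))


def is_bottom(st):
    return bool(st.nonnull & st.null)


def assume(st, var, nonnull):
    """Loop test c != NULL (nonnull=True) or its negation; [] if unsatisfiable."""
    a = sym(st, var)
    st = replace(st, nonnull=st.nonnull | {a}) if nonnull else replace(st, null=st.null | {a})
    return [] if is_bottom(st) else [st]


def unfold_list(st, a):
    """a.list ::= a = 0  v  a != 0 /\\ exists b. a.n |-> b * b.list; drops unsatisfiable cases."""
    rest, b = st.heap - {('list', a)}, fresh()
    cases = [replace(st, heap=rest, null=st.null | {a}),
             replace(st, heap=rest | {('pt', a, b), ('list', b)}, nonnull=st.nonnull | {a})]
    return [s for s in cases if not is_bottom(s)]


def read_next(st, var):
    """Materialise var.n |-> b, unfolding a summary if needed. Returns ([(state, b)], errors)."""
    a = sym(st, var)
    cells = [p for p in st.heap if p[0] == 'pt' and p[1] == a]
    if cells:
        return [(st, cells[0][2])], set()
    if ('list', a) in st.heap:
        errs = set() if a in st.nonnull else {f"possible NULL dereference: {var}->n"}
        out = [(s, next(p[2] for p in s.heap if p[0] == 'pt' and p[1] == a))
               for s in unfold_list(st, a) if a in s.nonnull]
        return out, errs
    return [], {f"dereference of a cell the abstract heap does not own: {var}->n"}


def canon(st):
    """Fold toward a summary: a.n |-> b ⊑ lseg(a,b) (a cell's address is nonzero);
    lseg(a,b) * lseg(b,c) ⊑ lseg(a,c) and lseg(a,b) * b.list ⊑ a.list when no variable
    names b; then rename every symbol by the variables that point to it."""
    heap, named = set(st.heap), {s for _, s in st.env}
    changed = True
    while changed:
        changed = False
        for p in sorted(heap, key=str):
            if p[0] == 'pt':
                heap.remove(p); heap.add(('lseg', p[1], p[2])); changed = True; break
            if p[0] == 'lseg' and p[2] not in named:
                q = next((q for q in heap if q != p and q[0] in ('lseg', 'list') and q[1] == p[2]), None)
                if q:
                    heap -= {p, q}
                    heap.add(('lseg', p[1], q[2]) if q[0] == 'lseg' else ('list', p[1]))
                    changed = True; break
    byvar = {}
    for v, s in st.env:
        byvar.setdefault(s, []).append(v)
    ren = {s: tuple(sorted(vs)) for s, vs in byvar.items()}
    r = lambda s: ren.get(s, s)
    return State(env=tuple(sorted((v, ren[s]) for v, s in st.env)),
                 heap=frozenset((p[0],) + tuple(r(x) for x in p[1:]) for p in heap),
                 nonnull=frozenset(ren[s] for s in st.nonnull if s in ren),
                 null=frozenset(ren[s] for s in st.null if s in ren))


def split_alias(st, x, y):
    """Variables x and y share one node: weaken to lseg(x, y) * ..., sound since lseg admits x = y."""
    old = tuple(sorted(x + y))
    r = lambda s: y if s == old else s
    env = tuple(sorted((v, (x if v in x else y) if s == old else s) for v, s in st.env))
    heap = {('lseg', x, y)} | {(p[0],) + tuple(r(t) for t in p[1:]) for p in st.heap}
    return State(env, frozenset(heap), frozenset(map(r, st.nonnull)), frozenset(map(r, st.null)))


def join(a, b):
    """Widening of two disjuncts at the loop head; None when their shapes still differ."""
    a, b = canon(a), canon(b)
    for _ in range(2):                       # weaken each side toward the other
        for p in b.heap:
            if p[0] == 'lseg' and all(isinstance(t, tuple) for t in p[1:]) \
               and tuple(sorted(p[1] + p[2])) in {s for _, s in a.env}:
                a = split_alias(a, p[1], p[2])
        a, b = b, a
    if a.heap != b.heap or a.env != b.env:
        return None
    return State(a.env, a.heap, a.nonnull & b.nonnull, a.null & b.null)


def analyze_traversal(guarded=True, max_iter=10):
    """Forward analysis of  c = h; while (c != NULL) c = c->n;  from pre-condition h.list.
    guarded=False analyses the body without the NULL test, to show the reported error."""
    a0 = fresh()
    head = canon(State((('c', a0), ('h', a0)), frozenset({('list', a0)}), frozenset(), frozenset()))
    errors = set()
    for _ in range(max_iter):
        new = head
        for s in (assume(head, 'c', True) if guarded else [head]):
            cells, errs = read_next(s, 'c')
            errors |= errs
            for s2, b in cells:
                new = join(new, assign(s2, 'c', b))
                if new is None:
                    raise RuntimeError("shapes differ: a real analyzer would keep both disjuncts")
        if new == head:
            break
        head = new
    return head, assume(head, 'c', False), errors
```

`analyze_traversal()` stabilises after two iterations on the invariant `lseg(h, c) * c.list` with no facts about `c`, exactly the folded shape of the slide; the post-condition adds `c = 0`. With `guarded=False` the null case of the unfolding is no longer pruned by the numeric part and the analysis reports a possible NULL dereference of `c->n`.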
Introduction: Limitation: sharing is hard to express
List: a recursive data structure with no sharing (a node can only be dereferenced through one pointer):
$\alpha \cdot \mathrm{list} \iff \alpha = 0 \ \vee\ \alpha \cdot n \mapsto \beta * \beta \cdot \mathrm{list}$ [graph: the list edge from $\alpha$ unfolds into a points-to edge n to $\beta$ followed by a list edge from $\beta$]
Adjacency lists representing directed graphs: a recursive data structure (a list of lists) with unbounded sharing: a node can be dereferenced by many edge pointers. An inductive definition cannot capture unbounded sharing.
[figure: a concrete adjacency list: nodes $a_0, a_1, a_2, a_3$ with ids 0 to 3 chained from &h and terminated by 0x0, each carrying an edge list whose dest pointers point back into the node list]
Introduction: Limitation: disjunctions are necessary but costly
In a disjunctive forward analysis, unfolding (e.g. of $h \cdot \mathrm{list}$ and $m \cdot \mathrm{list}$ at nested if and while statements) generates case splits such as $h \ne m \ \vee\ h = m = 0 \ \vee\ h = m \ne 0$; without merging, the number of disjuncts grows exponentially with the number of branches and unfoldings.
- For scalability, the number of disjuncts should be kept small: fewer disjuncts means lower analysis cost.
- But merging disjuncts may lose precision.
- Deciding how to merge disjuncts without losing too much precision is critical.
Introduction: Contribution of my thesis
We study abstractions to improve expressiveness and scalability [diagram: an expressiveness axis (sharing, a combstrong of abstractions) against a scalability axis (disjunct control, an abstraction of abstractions)]:
- for the sharing problem: a separation-logic based shape analysis for unstructured sharing
- for the disjunct control problem: semantic-directed clumping of disjunctive abstract states
Both are implemented and evaluated within the MemCAD static analyzer.
Table of Contents
1 Introduction
2 Shape analysis for unstructured sharing: abstract states; analysis algorithm; experimental evaluation
3 Semantic-directed clumping of disjunctive abstract states: silhouettes; silhouette-guided clumping and joining; experimental evaluation
4 Conclusion and future directions
Shape analysis for unstructured sharing: Abstract states: Graph random path traversal

    typedef struct node {
      struct node *next;
      int id;
      struct edge *edges;
    } node;

    typedef struct edge {
      struct node *dest;
      struct edge *next;
    } edge;

    node *c = h;            // start at the first node
    while (c != NULL) {
      edge *s = c->edges;
      ......                // pick one of c's edges at random
      c = s->dest;          // visit that successor
      n = c->id;
    }

Analysis goals:
- preservation of the structural properties of adjacency lists
- absence of memory errors, e.g. dereferencing of null, uninitialized and dangling pointers
Shape analysis for unstructured sharing: Abstract states: Towards precise summarization of adjacency lists
Concrete adjacency list: [figure: nodes $a_0, a_1, a_2, a_3$ with ids 0 to 3 chained from &h and terminated by 0x0, each carrying its edge list]
Inductive definition for adjacency lists following the list-of-lists structure:
$\alpha \cdot \mathrm{nodes} \iff \alpha = 0 \ \vee\ (\alpha \ne 0 \wedge \exists \beta, \iota, \delta.\ \alpha \cdot n \mapsto \beta * \alpha \cdot id \mapsto \iota * \alpha \cdot edges \mapsto \delta * \beta \cdot \mathrm{nodes} * \delta \cdot \mathrm{edges})$
where $\mathrm{edges}$ summarizes the list of edge records hanging off a node.
Limitation: this definition only says that a node is reached from the next field of the previous node; the information about where the edge pointers (dest fields) point is missing.