to to Termination Analysis in in Lin inear Tim ime Roman - - PowerPoint PPT Presentation

to to termination analysis
SMART_READER_LITE
LIVE PREVIEW

to to Termination Analysis in in Lin inear Tim ime Roman - - PowerPoint PPT Presentation

Sep 11, 2022 179 likes •884 views

From Shape Analysis to to Termination Analysis in in Lin inear Tim ime Roman Manevich Ben-Gurion University of the Negev Noam Rinetzky Tel Aviv University Boris Dogadov Tel Aviv University UPGRADE YOUR SHAPE ANALYSIS 2 UPGRADE YOUR

slide-1
SLIDE 1

Shape Analysis Termination Analysis Lin inear Tim ime

Roman Manevich Ben-Gurion University of the Negev Noam Rinetzky Tel Aviv University Boris Dogadov Tel Aviv University

From to to in in

slide-2
SLIDE 2

2

UPGRADE YOUR SHAPE ANALYSIS

slide-3
SLIDE 3

2

UPGRADE YOUR SHAPE ANALYSIS

START PROVING TOTAL CORRECTNESS TODAY

slide-4
SLIDE 4

2

UPGRADE YOUR SHAPE ANALYSIS

START PROVING TOTAL CORRECTNESS TODAY

FOR JUST 5% OF THE RUNNING TIME

slide-5
SLIDE 5

Research problem

  • Automatically verify termination of heap-manipulating programs
  • Dynamic memory allocation
  • Destructive updates
  • Applications
  • Systems codes, e.g., Windows device drivers containing linked data structures:

lists, trees, etc.

  • Object-oriented programs utilizing containers: sets, maps, and graphs

3

slide-6
SLIDE 6

Scalability “dimensions”

4

Code size Shape complexity

(complexity of heap invariants)

PL features

recursion concurrency numeric data recursive containers hierarchical

  • verlaid
slide-7
SLIDE 7

Integer Program

[Berdine et al. CAV 2006] [Berdine et al. POPL 2007] [Magill et al. POPL 2010]

Classic approach

5

Instrumented Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Always terminates May not terminate

slide-8
SLIDE 8

Integer Program

[Berdine et al. CAV 2006] [Berdine et al. POPL 2007] [Magill et al. POPL 2010]

Classic approach

5

Instrumented Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Always terminates May not terminate Shape analysis-specific

slide-9
SLIDE 9

Integer Program

[Berdine et al. CAV 2006] [Berdine et al. POPL 2007] [Magill et al. POPL 2010]

Classic approach

5

Instrumented Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Always terminates May not terminate Shape analysis-specific Termination undecidable

slide-10
SLIDE 10

Integer Program

[Berdine et al. CAV 2006] [Berdine et al. POPL 2007] [Magill et al. POPL 2010]

Classic approach

5

Instrumented Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Always terminates May not terminate Shape analysis-specific Termination undecidable Heavyweight

slide-11
SLIDE 11

Integer Program

[Berdine et al. CAV 2006] [Berdine et al. POPL 2007] [Magill et al. POPL 2010]

Classic approach

5

Instrumented Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Always terminates May not terminate Shape analysis-specific Termination undecidable Heavyweight

TRS

[AProVE Giesl et al. CAV 2012, RTA 2011, IJCAR 2014]

slide-12
SLIDE 12

Integer Program

[Berdine et al. CAV 2006] [Berdine et al. POPL 2007] [Magill et al. POPL 2010]

Classic approach

5

Instrumented Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Always terminates May not terminate Shape analysis-specific Termination undecidable Heavyweight

TRS

[AProVE Giesl et al. CAV 2012, RTA 2011, IJCAR 2014]

Logic Program

[Albert et al. FMOOBDS 2008] [Spoto et al. TOPLAS 2010]

slide-13
SLIDE 13

Integer Program

[Berdine et al. CAV 2006] [Berdine et al. POPL 2007] [Magill et al. POPL 2010]

Classic approach

5

Instrumented Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Always terminates May not terminate Shape analysis-specific Termination undecidable Heavyweight

Naughty idea: Once shape analysis does the heavy lifting termination is easy

TRS

[AProVE Giesl et al. CAV 2012, RTA 2011, IJCAR 2014]

Logic Program

[Albert et al. FMOOBDS 2008] [Spoto et al. TOPLAS 2010]

slide-14
SLIDE 14

Our solution

6

Partition-based Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Evolution relation Abstract transition relation

Always terminates May not terminate

slide-15
SLIDE 15

Our solution

6

Partition-based Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Evolution relation Abstract transition relation

Always terminates May not terminate Most shape analyses (Sep. Logic, TVLA, Boolean heaps, TRS)

slide-16
SLIDE 16

Our solution

6

Partition-based Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Evolution relation Abstract transition relation

Always terminates May not terminate Most shape analyses (Sep. Logic, TVLA, Boolean heaps, TRS) Easy to implement Induced by shape analysis

slide-17
SLIDE 17

Our solution

6

Partition-based Shape Analyzer Termination Analyzer

Heap-manipulating Program Safety property 

Evolution relation Abstract transition relation

Always terminates May not terminate Most shape analyses (Sep. Logic, TVLA, Boolean heaps, TRS) Easy to implement Induced by shape analysis Termination checked in linear time

slide-18
SLIDE 18

Main results

7

slide-19
SLIDE 19

Main results

  • 1. Termination analysis parametrized

by partition-based shape analysis

  • Enables handling wide range of shape invariants

(both inductive data structures and unstructured graphs)

7

slide-20
SLIDE 20

Main results

  • 1. Termination analysis parametrized

by partition-based shape analysis

  • Enables handling wide range of shape invariants

(both inductive data structures and unstructured graphs)

7

 Shape complexity

slide-21
SLIDE 21

Main results

  • 1. Termination analysis parametrized

by partition-based shape analysis

  • Enables handling wide range of shape invariants

(both inductive data structures and unstructured graphs)

  • Novel ranking function based on evolution relation

7

 Shape complexity

slide-22
SLIDE 22

Main results

  • 1. Termination analysis parametrized

by partition-based shape analysis

  • Enables handling wide range of shape invariants

(both inductive data structures and unstructured graphs)

  • Novel ranking function based on evolution relation
  • 3. Featherweight analysis
  • Linear time modulo shape analysis
  • Modular

7

 Shape complexity

slide-23
SLIDE 23

Main results

  • 1. Termination analysis parametrized

by partition-based shape analysis

  • Enables handling wide range of shape invariants

(both inductive data structures and unstructured graphs)

  • Novel ranking function based on evolution relation
  • 3. Featherweight analysis
  • Linear time modulo shape analysis
  • Modular

7

 Shape complexity  Code size

slide-24
SLIDE 24

Main results

  • 1. Termination analysis parametrized

by partition-based shape analysis

  • Enables handling wide range of shape invariants

(both inductive data structures and unstructured graphs)

  • Novel ranking function based on evolution relation
  • 3. Featherweight analysis
  • Linear time modulo shape analysis
  • Modular
  • 4. Handles recursion very precisely
  • Limited support for concurrency

7

 Shape complexity  Code size

slide-25
SLIDE 25

Main results

  • 1. Termination analysis parametrized

by partition-based shape analysis

  • Enables handling wide range of shape invariants

(both inductive data structures and unstructured graphs)

  • Novel ranking function based on evolution relation
  • 3. Featherweight analysis
  • Linear time modulo shape analysis
  • Modular
  • 4. Handles recursion very precisely
  • Limited support for concurrency

7

 Shape complexity  Code size  PL features

slide-26
SLIDE 26

Main results

  • 1. Termination analysis parametrized

by partition-based shape analysis

  • Enables handling wide range of shape invariants

(both inductive data structures and unstructured graphs)

  • Novel ranking function based on evolution relation
  • 3. Featherweight analysis
  • Linear time modulo shape analysis
  • Modular
  • 4. Handles recursion very precisely
  • Limited support for concurrency
  • 5. Precise enough on a variety of benchmarks

7

 Shape complexity  Code size  PL features

slide-27
SLIDE 27

Agenda

  • Our recipe for proving termination
  • Apply recipe for shape analysis
  • Handling nested loops and recursion
  • Experiments and conclusion

8

slide-28
SLIDE 28

Reminder: general recipe for proving termination

To show that a transition system (, ) does not contain infinite paths:

9

slide-29
SLIDE 29

Reminder: general recipe for proving termination

To show that a transition system (, ) does not contain infinite paths:

  • 1. Find well-founded ordering  :   

(all descending chains finite)

9

slide-30
SLIDE 30

Reminder: general recipe for proving termination

To show that a transition system (, ) does not contain infinite paths:

  • 1. Find well-founded ordering  :   

(all descending chains finite)

  • 2. Show that every infinite path must contain an infinite -descending chain

9

1 i j k * * * *   

slide-31
SLIDE 31

Our recipe

To show that a transition system (, ) does not contain infinite paths:

10

slide-32
SLIDE 32

Our recipe

To show that a transition system (, ) does not contain infinite paths:

  • 1. Find well-founded ordering  :   

that is monotone:   ’  ’  

10

slide-33
SLIDE 33

Our recipe

To show that a transition system (, ) does not contain infinite paths:

  • 1. Find well-founded ordering  :   

that is monotone:   ’  ’  

  • 2. Compute a (finite) abstract transition system (, )

10

slide-34
SLIDE 34

Our recipe

To show that a transition system (, ) does not contain infinite paths:

  • 1. Find well-founded ordering  :   

that is monotone:   ’  ’  

  • 2. Compute a (finite) abstract transition system (, )

10

  • 3. Find all decreasing transitions

 := {} for each   ’   do if   ’ then  :=   (, ’) fi

  • d // linear time
slide-35
SLIDE 35

Our recipe

To show that a transition system (, ) does not contain infinite paths:

  • 1. Find well-founded ordering  :   

that is monotone:   ’  ’  

  • 2. Compute a (finite) abstract transition system (, )

10

  • 3. Find all decreasing transitions

 := {} for each   ’   do if   ’ then  :=   (, ’) fi

  • d // linear time
  • 4. Check for cutting set

if  \  contains no cycles then answer true else answer “may not terminate” fi // linear time

slide-36
SLIDE 36

Our recipe

To show that a transition system (, ) does not contain infinite paths:

  • 1. Find well-founded ordering  :   

that is monotone:   ’  ’  

  • 2. Compute a (finite) abstract transition system (, )

10

  • 3. Find all decreasing transitions

 := {} for each   ’   do if   ’ then  :=   (, ’) fi

  • d // linear time
  • 4. Check for cutting set

if  \  contains no cycles then answer true else answer “may not terminate” fi // linear time

slide-37
SLIDE 37

Agenda

  • Our recipe for proving termination
  • Apply recipe for shape analysis
  • Handling nested loops and recursion
  • Experiments and conclusion

11

slide-38
SLIDE 38

Part rtition-based shape analysis: : symbolic heaps example

Concrete heaps abstracted into heap descriptors that partition the set of concrete objects into a finite number of heap regions

12

x y

nil

slide-39
SLIDE 39

Part rtition-based shape analysis: : symbolic heaps example

Concrete heaps abstracted into heap descriptors that partition the set of concrete objects into a finite number of heap regions

12

x y

nil

ls(x, y) ls(y, nil) * 1 =

slide-40
SLIDE 40

Abstract transition relation

  • A shape analysis results in a finite abstract transition relation

13

x y

nil

ls(x, y) ls(y, nil) * 1 =

slide-41
SLIDE 41

Abstract transition relation

  • A shape analysis results in a finite abstract transition relation

13

x y

nil

ls(x, y) ls(y, nil) * y := y.n

x y

nil

ls(x, y) ls(y, nil) * 2 = 1 =

slide-42
SLIDE 42

Concrete evolution relation

  • A consistent renaming of object identifiers

14

x y

nil

x y

nil

y := y.n

slide-43
SLIDE 43

Concrete evolution relation

  • A consistent renaming of object identifiers

14

x y

nil

x y

nil

y := y.n

slide-44
SLIDE 44

Abstract evolution relation

  • May/must edges express how objects change membership in regions

15

x y

nil

ls(x, y) ls(y, nil) *

x y

nil

ls(x, y) ls(y, nil) * y := y.n 2 = 1 =

slide-45
SLIDE 45

Abstract evolution relation

  • May/must edges express how objects change membership in regions

15

x y

nil

ls(x, y) ls(y, nil) *

x y

nil

ls(x, y) ls(y, nil) * y := y.n 2 = 1 =

slide-46
SLIDE 46

Must evolution edges help deplete regions

  • May/must edges express how objects change membership in regions

16

x y

nil

ls(x, y) ls(y, nil) *

x y

nil

ls(x, y) ls(y, nil) * y := y.n 2 = 1 =

slide-47
SLIDE 47

Must evolution edges help deplete regions

  • May/must edges express how objects change membership in regions

16

x y

nil

ls(x, y) ls(y, nil) *

x y

nil

ls(x, y) ls(y, nil) * y := y.n 2 = 1 =

Region size decreases

slide-48
SLIDE 48

Modeling dynamic allocation/deallocation

17

x

nil

ls(x, nil) free * yv * y := new 2 = 1 =

x

nil

ls(x, nil)

y

free *

… …

slide-49
SLIDE 49

Modeling dynamic allocation/deallocation

17

x

nil

ls(x, nil) free * yv * y := new 2 = 1 =

x

nil

ls(x, nil)

y

free *

Infinite region

… …

slide-50
SLIDE 50

Defi fining a monotone WF for shape analysis

  • 1. Use evolution relation to define monotone WF

relation for objects

  • 2. Use it to define monotone WF relation for heaps

18

slide-51
SLIDE 51

Abstract evolution relation is a fi finite graph

  • Nodes are region:descriptor pairs

19

ls(x, y) ls(y, nil) * ls(x, y) ls(y, nil) * y := y.n 2 = 1 = free * free *

slide-52
SLIDE 52

Abstract evolution relation is a fi finite graph

  • Nodes are region:descriptor pairs

19

ls(x, y) ls(y, nil) ls(x, y) ls(y, nil) 2 = 1 = free free

slide-53
SLIDE 53

Abstract evolution relation to to WF over regions

  • Nodes are region:descriptor pairs
  • Lemma: collapsing strongly-connected component yields WF relation

(linear time)

20

1:ls(x, y) 1:ls(y, nil) 2:ls(x, y) 2:ls(y, nil) free free

slide-54
SLIDE 54

Abstract evolution relation to to WF over regions

  • Nodes are region:descriptor pairs
  • Lemma: collapsing strongly-connected component yields WF relation

(linear time)

20

1:ls(x, y) 1:ls(y, nil) 2:ls(x, y) 2:ls(y, nil) free free

slide-55
SLIDE 55

Ranking objects

  • Merged nodes = region ranks
  • Assign each object its respective region ranks

21

1:ls(x, y) 2:ls(x, y) free

Suffix rank Prefix rank

1:ls(y, nil) 2:ls(y, nil)

Condensation graph

x y

nil S S S S P P P

slide-56
SLIDE 56

Before y:=y.n

  • Merged nodes = region ranks
  • Assign each object its respective region ranks
  • Lemma: monotone WF

22

free

Suffix rank Prefix rank

x y

nil S S S S P P P

1:ls(y, nil) 2:ls(y, nil) 1:ls(x, y) 2:ls(x, y)

slide-57
SLIDE 57

Aft fter y:=y.n

  • Merged nodes = region ranks
  • Assign each object its respective region ranks
  • Lemma: monotone WF

23

free

Suffix rank Prefix rank

x y

nil S S S P P P P

1:ls(y, nil) 2:ls(y, nil) 1:ls(x, y) 2:ls(x, y)

slide-58
SLIDE 58

Monotone WF relation for heaps

  • Order heaps by comparing the ranks of their objects points-wise
  • Lemma: monotone WF (have to be careful with memory allocation)

24

x y

nil S S S P P P P

x y

nil S S S S P P P

y := y.n = = = = = = 

slide-59
SLIDE 59

Agenda

  • Our recipe for proving termination
  • Apply recipe for shape analysis
  • Handling nested loops and recursion
  • Experiments and conclusion

25

slide-60
SLIDE 60

Assume control-flow graphs are structured

26

if xnil assume innil

  • ut := nil

x := in return out y := out if ynil  y.nnil  y.d<x.d if y=out then // replace list head

  • ut := new Node(out, x.d)

else // insert element after y y.n := new Node(y.n, x.d) x := x.n y := y.n

N1 N2 N3 N4 N5 N6 N7

FindPos InsertionSort

slide-61
SLIDE 61

Handling nested loops

  • Problem: proving termination for nested loops often requires

lexicographic ranking functions

  • Solution: summarize loops
  • Simply compose relations across statements: precise
  • Linear time
  • Prove termination from inner loop up to outer loop
  • Limited to structured programs
  • Improved in ongoing work [Boris Dogadov, M.Sc. thesis]

27

slide-62
SLIDE 62

Termination for recursive procedures

  • Model call stack as linked list [Rinetzky & Sagiv, CC 2001]

[Rival & Chang POPL 2011]

  • Call modelled as allocation of stack object and insertion to call stack list
  • Return modelled as removing from call stack
  • For precision use predicates to capture shape patterns across calls
  • Our algorithms can be applied without change
  • Future work: extend to local interprocedural analysis

based on heap cutpoints [Rinetzky et al. POPL 2005, SAS 2005]

28

slide-63
SLIDE 63

Agenda

  • Our recipe for proving termination
  • Apply recipe for shape analysis
  • Handling nested loops and recursion
  • Experiments and conclusion

29

slide-64
SLIDE 64

Im Implementation

  • Use TVLA as underlying

shape analysis

  • No need to refine abstraction

(two exceptions)

  • Overhead usually < 5%

30

slide-65
SLIDE 65

Im Implementation

  • Use TVLA as underlying

shape analysis

  • No need to refine abstraction

(two exceptions)

  • Overhead usually < 5%

30

Required (manual) abstraction refinement Required (manual) abstraction refinement

slide-66
SLIDE 66

Conclusion

  • Upgrade almost any shape analysis to automatically prove termination
  • Simple to implement
  • Featherweight reasoning
  • Linear time in output of shape analysis
  • Usually 5% of overall running time
  • Naturally supports recursion
  • Some support for concurrency
  • Improving with ongoing work
  • Practically quite precise

31

slide-67
SLIDE 67

Conclusion

  • Upgrade almost any shape analysis to automatically prove termination
  • Simple to implement
  • Featherweight reasoning
  • Linear time in output of shape analysis
  • Usually 5% of overall running time
  • Naturally supports recursion
  • Some support for concurrency
  • Improving with ongoing work
  • Practically quite precise

31

Thanks for lis listening Questions?

slide-68
SLIDE 68

Sugg ggested questions

  • How easy it is to extend a shape analysis with an abstract evolution

relation?

  • Which programs defeat your analysis?
  • How would you handle integer/string-valued fields?

How would you handle integer variables?

32

slide-69
SLIDE 69

v, Q  H * ls(E, F) v, Q  H * (EF) Unroll1 v, Q  H * ls(E, F) v, Q  H * (Ez) * ls(z, F) where z is fresh Unroll>1 v, Q  H * (Ez) * ls(z, F) v, Q  H * ls(E, F) Fold v, Q  H * (yw) y := y.n v’, Q  H[y/w, z/y] * (zy) where z is fresh Next v, Q  H assume EF v’, Q  EF  H assume EF

In Inference rules ext xtended with evolution relation

33