Joining Dataflow with Predicates - PowerPoint PPT Presentation

1 / 32
About This Presentation
Title:

Joining Dataflow with Predicates

Description:

Tracks values of program variables and heap ... created at each heap allocation call. To bound the number of names, equivalence classes defined for heap names ... – PowerPoint PPT presentation

Number of Views:446
Avg rating:3.0/5.0
Slides: 33
Provided by: jefffi3
Category:

less

Transcript and Presenter's Notes

Title: Joining Dataflow with Predicates


1
Joining Dataflow with Predicates
  • Jeffrey Fischer UC Los Angeles
  • Ranjit Jhala UC San Diego
  • Rupak Majumdar UC Los Angeles

2
Classical dataflow analysis
  • Fast and systematic approach to program analysis
  • Compute the least fixed-point for a set of
    dataflow facts
  • An eager analysis set of facts is fixed
  • Problems
  • Imprecision
  • Dataflow facts propagated across infeasible
    branches
  • Unification of facts at join points
  • Not adaptive may be overwhelmed with irrelevant
    facts

Introduction
3
Another approach CEGAR
  • Start with coarse abstraction and refine based on
    infeasible counter examples
  • Counterexample-guided abstraction and refinement
  • Clarke et al, 2000
  • Informally called lazy analyses
  • Avoids cost of tracking unnecessary information
  • gt Scales better to large programs
  • Most common approach Predicate abstraction
  • Represent program state using first-order
    predicates over program variables
  • Can we use this to regain precision in dataflow
    analyses?

Introduction
4
Problems with lazy dataflow analysis
  • Not always convenient to model program structures
  • May require several iterations to find obvious
    facts
  • Limitations in predicate discovery algorithms

Introduction
5
Our contributions
  • Combine best features of lazy and eager analyses
    through predication
  • Demonstrate effectiveness through symbolic
    execution lattice
  • Implementation in BLAST model checker

Introduction
6
Outline
  • Motivating example
  • Predicated lattices
  • Symbolic execution lattice
  • Implementation and results
  • Related work and conclusion

Introduction
7
Example tracking the state of a FILE
FILE out int flag 1 out-gtis_open
1 2 assert(out-gtis_open1) 3 out-gtis_open
0 . . 4 flag 0,1 5 if (flag) 6
out-gtis_open 1 7 else . . 8 if
(flag) 9 assert(out-gtis_open)
FILE out int flag 1 open(out) 2
fprintf(out, ...) 3 close(out) . . 4
flag getIntOpt(dbg) 5 if (flag) 6
open(out) 7 else . . 8 if (flag) 9
fprintf(out, ...)
Simplified program
  • Dataflow facts
  • out-gtis_open

Motivating example
8
An eager dataflow analysis
1 out-gtis_open 1 2 assert(out-gtis_open1)
3 out-gtis_open 0 . .
out-gtis_open ? 1
OK
out-gtis_open ? 0
Motivating example
9
An eager dataflow analysis
4 flag 0,1 5 if (flag) 6 out-gtis_open
1 7 else . . 8 if (flag) 9
assert(out-gtis_open)
Error!
Motivating example
10
If we track flag, the analysis still fails
4 flag 0,1 5 if (flag) 6 out-gtis_open
1 7 else . . 8 if (flag) 9
assert(out-gtis_open)
Error!
Motivating example
11
Predicated Lattices
  • For each program location, track a set of
    first-order predicates over program variables
  • Rather than track dataflow facts directly, track
    a predicated lattice
  • Each lattice element maps predicates to original
    lattice elements
  • At join points, only join facts associated with
    the same set of predicates
  • We use true as the default predicate
  • Instance of reduced cardinal powers of lattices
    Cousot 79

Predicated lattices
12
Example
4 flag 0,1 5 if (flag) 6 out-gtis_open
1 7 else . . 8 if (flag) 9
assert(out-gtis_open)
OK
Predicated lattices
13
Where do the predicates come from?
  • Initially, no predicates are tracked
  • Run the dataflow analysis
  • Upon finding a counterexample, check whether it
    is feasible
  • If feasible, report an error
  • If not feasible, add predicates which rule out
    the counterexample
  • Repeat from step 1

Predicated lattices
14
Details of lazy analysis
  • Path to error found via search of control flow
    graph
  • Weakest precondition computed backward from error
  • If WP to beginning is satisfiable, error is
    feasible
  • If WP not satisfiable, use to find new predicates
  • Coverage check used join points to ensure
    termination
  • See Henzinger, et al. 2002 for details

Predicated lattices
15
Search for path to error
4 flag 0,1 5 if (flag) 6 out-gtis_open
1 7 else . . 8 if (flag) 9
assert(out-gtis_open)
4 flag 0,1
Error!
Predicated lattices
16
Take WP of each statement
4 flag 0,1 5 if (flag) 6 out-gtis_open
1 7 else . . 8 if (flag) 9
assert(out-gtis_open)
Contradiction! WP5 flag0 WP7 WP7 WP8
. . WP8 flag1 out-gtis_open0
WP5 flag0 WP7
Add predicates for flag
WP8 flag1
Predicated lattices
17
Rerun with predicates
4 flag 0,1 5 if (flag) 6 out-gtis_open
1 7 else . . 8 if (flag) 9
assert(out-gtis_open)
4 flag 0,1
out-gtis_open ? 0
flag0
out-gtis_open ? 0
flag0
out-gtis_open ? 0
false
Path not feasible!
Predicated lattices
18
Symbolic Execution Lattice
  • Proof of concept for predicated lattices,
    implemented in BLAST model checker
  • Tracks values of program variables and heap
  • Facts at each program point represented as map
    from names to values
  • Symbolic Execution used to compute new facts
    after each statement

Symbolic execution lattice
19
Symbolic Execution Lattice
  • Uncertainty introduced by joins, environment, and
    approximations
  • Use predicated lattice to introduce path
    sensitivity as needed
  • To be sound, must always track potential
    points-to relationships

Symbolic execution lattice
20
Names
  • Program variables
  • Fresh name created at each heap allocation call
  • To bound the number of names, equivalence classes
    defined for heap names
  • Summary values maintained for multi-valued
    equivalence classes

Symbolic execution lattice
21
Values
  • Constants (integers, strings, etc.)
  • Pointers
  • Must(addr) definitely points to addr
  • May(v,addrSet) may point to any location in
    addrSet, with target value v
  • Special addresses
  • null
  • Errp
  • T (top)

Symbolic execution lattice
22
Dataflow fact notation
  • Constants name ? constant
  • Example x ? 5
  • Structures name ? (field1 ? v1, field2 ? v2, )
  • Example outp ?(is_open ?1)
  • Must-pointers pointer_name ? target name
  • Example x ? y
  • May-pointers
  • ltpointer_namegt ? target1, target2, gt value
  • Examples x ? p1, p2 gt 5, y ? T gt 5

Symbolic execution lattice
23
Joining dataflow facts
  • Dataflow facts are joined
  • At join-points in the control flow
  • When assigning through a may-pointer
  • When computing summary values

Symbolic execution lattice
24
Rules for joining values
Symbolic execution lattice
25
Example
  • int x 0
  • int y 1
  • int z
  • if ()
  • z x
  • else
  • z y
  • ...
  • z 5

Symbolic execution lattice
26
Another example
  • int ex(FILE fp)
  • FILE outp
  • if ()
  • if (fp-gtis_open!1)
  • return -1
  • else
  • outp fp
  • else
  • outp (FILE)malloc(...)
  • fopen(outp, ...)
  • ...
  • assert(outp-gtis_open1)
  • ...

OK
Symbolic execution lattice
27
Dynamic Allocation
  • We partition heap names based on equivalence
    classes
  • All values assigned to equivalence class are
    joined together and with T
  • Different partitioning strategies possible
  • Merge all allocations at a given statement
  • Merge all allocations at a given statement,
    except for most recent
  • Merge all allocations at a given statement, when
    their values agree on some set of 3-valued
    predicates
  • gt Shape Analysis Sagiv,Reps,Wilhelm 99

Symbolic execution lattice
28
Implementation in Blast
  • Dataflow analyses implemented as lattice plug-ins
    to BLAST
  • Details of each analysis hidden behind an ADT

Implementation and results
29
Implementation in BLAST
  • Symbolic Execution lattice
  • Models arrays as summary nodes
  • Full support for structures
  • Uses
  • Rule out infeasible paths (avoiding
    counterexample analysis)
  • Context sensitive alias analysis

Implementation and results
30
Experiments
  • Checked MS Windows device drivers
  • 14k to 138k lines of preprocessed C code
  • Typestate property related to I/O request
    protocols
  • Described by a 22 state automaton
  • Compared results with and without symbolic
    execution lattice

Implementation and results
31
Results
Implementation and results
32
Related work
  • Tensor analysis
  • Cousot,Cousot 79
  • Predicated lattices an application of this theory
  • We consider implementation issues
  • Qualified dataflow analysis
  • Holly,Rosen 81, Dwyer,Clarke 96, Dwyer, et
    al. 2004
  • Key difference our approach automatically
    generates qualifications
  • ESP
  • Das,Lerner,Seigle 2002
  • ESP provides fixed qualifications based on
    property automata
  • Predicated lattices a generalization of ESP

Related work and conclusion
33
Conclusion
  • Predicated lattices incrementally add path
  • sensitivity to your favorite dataflow analysis

Now you have the advantages of both eager and
lazy analyses.
Related work and conclusion
34
Supplemental Slides
35
Example an eager dataflow analysis
  • Lattice

T
out-gtis_open0, flagT
out-gtis_open1, flagT
out-gtis_openT, flag0
out-gtis_openT, flag1
out-gtis_open0, flag0
out-gtis_open1, flag0
out-gtis_open0, flag1
out-gtis_open1, flag1
T
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Joining Dataflow with Predicates" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!