thesis presentation

Field-Sensitive Unreachability and Non-Cyclicity Analysis

Enrico Scapin and Nicola Fausto Spoto

Dipartimento di Informatica - University of Verona (Italy)

Trier, 30th October 2012

Enrico Scapin (univr.it) Unreachability & Non-Cyclicity Analysis October 30th, 2012

Static Analysis

Static Analysis

DefinitionStatic analysis consists in building compile-time techniques in order toprove properties of programs before actually running them.

Shape Analyses try to understand how the program executionmanipulates the heap.

e.g.,sharing analysis determines if two variables might be bound tooverlapping data structures.reachability analysis determines if exists a path in memory that linkstwo variables.cyclicity analysis determines if a variable is bound to a cyclical datastructure.


Scenario

Scenario

Given the following Java instructions,

while(x!=null)

x=x.next;

Does the loop halt?

Assuming ρ(x) = l1 before starting the loop.

It depends on the cyclicity of variable x.


Scenario

Scenario


while(x!=null)

x=x.next;

Does the loop halt?Assuming ρ(x) = l1 before starting the loop.

tikzpicture

tikzpicture

next

l2

Element

o2

tikzpicture

next

l4

Element

o4

tikzpicture

l1

Element

o1

next

tikzpicture

next

l3

Element

o3

value value value value

Heap

The loopterminates in 3iterations!



Scenario

Scenario


while(x!=null)

x=x.next;

Does the loop halt?Assuming ρ(x) = l1 before starting the loop.

tikzpicture

tikzpicture

next

l2

Element

o2

tikzpicture

next

l4

Element

o4

tikzpicture

l1

Element

o1

next

tikzpicture

next

l3

Element

o3


Heap

The loop doesnot terminate!



State of the Art

State of the Art

Cyclicity property, state of the art:Stefano Rossignoli and Fausto Spoto (2006), "Detecting non-cyclicity by abstract compilation into booleanfunctions".

Samir Genaim and Damiano Zanardini. (2012), "Reachability-based Acyclicity Analysis by AbstractInterpretation".

Ðurica Nikolić and Fausto Spoto (2012), "Reachability Analysis of Program Varibles".

x.next=y; This assignment makes x cyclical only ify reaches x.

We defined a state as σ = 〈ρ, µ〉, where:

ρ maps variablesto locations;µ binds locationsto objects.


State of the Art

State of the Art

Cyclicity property, state of the art:Stefano Rossignoli and Fausto Spoto (2006), "Detecting non-cyclicity by abstract compilation into booleanfunctions".

Samir Genaim and Damiano Zanardini. (2012), "Reachability-based Acyclicity Analysis by AbstractInterpretation".

Ðurica Nikolić and Fausto Spoto (2012), "Reachability Analysis of Program Varibles".

x.next=y; This assignment makes x cyclical only ify reaches x.

We defined a state as σ = 〈ρ, µ〉, where:

ρ maps variablesto locations;µ binds locationsto objects. tikzpicture

next

l2

Element

o2

l2

y µρ

tikzpicture

l1

Element

o1

next

Heap

l1

x

Environment

valuevalue


Properties

Can we refine them?

Yes, by developing a field-sensitive analysis!while(x!=null)

x=x.next;

x.next=y;

GoalFor each program point, maintain a subset F of the program fields withrespect to which our properties hold.

We have introduced the concept of path P as a tuple of fields linking twolocations inside the heap µ.

e.g., `1 Pµ `4

with P =

〈El .next,El .next,El .next〉


Properties

Can we refine them?

Yes, by developing a field-sensitive analysis!while(x!=null)

x=x.next;

x.next=y;

GoalFor each program point, maintain a subset F of the program fields withrespect to which our properties hold.

We have introduced the concept of path P as a tuple of fields linking twolocations inside the heap µ.

e.g., `1 Pµ `4

with P =

〈El .next,El .next,El .next〉

tikzpicture

tikzpicture

next

l2

Element

o2

tikzpicture

next

l4

Element

o4

tikzpicture

l1

Element

o1

next

tikzpicture

next

l3

Element

o3


Heap


Properties

Field-sensitive properties

LetF : set of all program fields;Lσ(x): set of all locations reachable from x .

Unreachability for each path from x to y in state σ, the fields in Fare not part of that path.

∀P ⊆ F(x Pσ y =⇒ P ∩ F = ∅

)≡ x 6 F

σ y

Non-cyclicity for each cycle reachable from x in state σ, the fieldsin F are not part of the cycle.

∀` ∈ Lσ(x), ∀P ⊆ F(` Pµ `⇒ P ∩ F = ∅

)≡ x

6�

Fσ


Abstract Interpretation


In order to make our analysis computable, we use the general framework ofAbstract Interpretation.



Concrete and Abstract Domains

Σ - set of all statesV - set of all variablesF - set of all program fieldsConcrete domain: C = ℘(Σ)

Abstract domain: A = ℘(V × V × ℘(F)) ∪ ℘(V × ℘(F))

Concretization map γ : A→ C

γ(I ) =

σ ∈ Σ

∣∣∣∣∣∣∣(∀a 6 Fb ∈ I we have a 6 F ′

σ b with F ⊆ F ′)∧(

∀c

6�

F∈ I we have c

6�

F ′σ with F ⊆ F ′

)

for every I ∈ A.

Our properties are under-approximated by the information in I .


Methodology

Methodology

1 Program Under Analysis

class Element{

private Object value;

private Element prec , next;

public Element(Object value){

this.value=value;

}

public Element(Object value , Element prec){

this.value=value;

this.prec=prec;

prec.next=this;

}

}

public class MWexample{

public static void main(String [] args){

Element top = new Element(new Integer (0));

for(int i=1;i<=3;i++)

top = new Element(new Integer(i),top);

}

}

2 Java Bytecode3 Control Flow Graph


Methodology

Methodology


class Element{




this.value=value;

}

public Element(Object value, Element prec){this.value=value;

this.prec=prec;

prec.next=this;

}}






}

}

2 Java Bytecodeinvokespecial #1 <Object/<init >()V>

aload_0

aload_1

putfield #2 Element.value: Object

aload_0

aload_2

putfield #3 Element.prec: Element

aload_2

aload_0

putfield #4 Element.next: Element

return

3 Control Flow Graph


Methodology

Methodology


class Element{




this.value=value;

}

public Element(Object value, Element prec){this.value=value;

this.prec=prec;

prec.next=this;

}}






}

}

2 Java Bytecodeinvokespecial #1 <Object/<init >()V>

aload_0

aload_1

putfield #2 Element.value: Object

aload_0

aload_2

putfield #3 Element.prec: Element

aload_2

aload_0

putfield #4 Element.next: Element

return

3 Control Flow Graphcall java.lang.Object.〈init〉() : void

load 0 Elementload 1 Object

putfield Element.value : Object

load 0 Elementload 2 Element

putfield Element.prec : Element

load 2 Elementload 0 Element

putfield Element.next : Element

return void

catchthrow java.lang.Throwable


Abstract Constraint Graph

Constraint Based Static Analysis

From the Control Flow Graph we build an Abstract Constraint Graph

Nodes represent bytecodeinstructions.Arcs represent the abstractsemantics.Each node is decorated with anabstract set I .Each arc is decorated with apropagation rule.Propagation Rules

defined for each type of arc,depending on its sources;state how the information ineach node is propagated.

exception

exit

node Anode Ccatch

node 16exception@〈init〉

node Bstore 1 Element

node 13exit@〈init〉

call Element.〈init〉(Object,Element) : void

node 1load 0 Element

node 2call java.lang.Object.〈init〉() : void


node 4load 1 Object

node 5putfield Element.value : Object



node 8putfield Element.prec : Element



node 11putfield Element.next : Element

node 12return void

node 14catch

node 15throw java.lang.Throwable

]10

#15 ]11

]3

#15

]11

]7

]3

]3

]6

]3

]3

]6

]3

]3

]6

]8

]9

]14

]14

]14


Propagation Rules

Propagation Rules

Their definitions can becamecomplex whenever they exploitother static analyses.The unreachability andnon-cyclicity information ispropagated along the arcs of theACG until reaching a fix-point.It exists since they are allmonotonic functions.The fix-point is the maximalsolution of the ACG with respectto the partial order ⊇.

exception

exit

node Anode Ccatch

node 16exception@〈init〉

node Bstore 1 Element

node 13exit@〈init〉

call Element.〈init〉(Object,Element) : void


node 2call java.lang.Object.〈init〉() : void


node 4load 1 Object

node 5putfield Element.value : Object



node 8putfield Element.prec : Element



node 11putfield Element.next : Element

node 12return void

node 14catch

node 15throw java.lang.Throwable

]10

#15 ]11

]3

#15

]11

]7

]3

]3

]6

]3

]3

]6

]3

]3

]6

]8

]9

]14

]14

]14


Conclusions

Conclusions

1 Definition of a concrete operational semantics of Java Bytecode.2 Formally definition the notion of the field-sensitive unreachability and

non-cyclicity properties.3 Build a constraint-based static analysis based on the abstract

interpretation framework.4 Soundness:

each propagation rule correctly approximates the set of states obtainedby the correspondent instruction execution.the analysis correctly approximates the semantics of the program withrespect to the two properties defined.

Future works: implementing this analysis in Julia Tool in order toimprove the precision of its termination checker.

Stay tuned: www.juliasoft.com!


www.juliasoft.com

Conclusions

Thank You

Thank You!


Soundness

Soundness

1 We have proved the soundness of each propagation rule.Let

ins: a generic bytecode instructionΠ: a generic propagation rule

then, for each I ∈ Ains (γ (I )) ⊆ γ (Π (I ))

2 We have proved the soundness of the whole analysis w.r.t. a small-stepoperational semantics defined for the Java Bytecode.

Definition of a configuration as a pair 〈b, σ〉, where b is a basic blockand σ, a state.Given an execution of the operational semantics

〈bfirst(main) ‖ ξ〉 ⇒∗ 〈 insrest

→→

b1· · ·bm

‖ σ〉 :: a

and Iins the approximation of our properties at the node correspondingto ins , we have proved σ ∈ γ(Iins).


thesis presentation

Documents

null x

x cyclical

x enrico scapin

program eldsl x

x fy noncyclicityfor

cyclicity of variable

eldsensitive analysis

p f p f