Field-Sensitive Unreachability and Non-Cyclicity Analysis

Enrico Scapin and Fausto Spoto
Dipartimento di Informatica - University of Verona (Italy)
BYTECODE/ETAPS 2013

Scapin and Spoto (univr.it) Unreachability & Non-Cyclicity Analysis BYTECODE’13 1 / 15
Static Analysis

Definition: static analysis consists of compile-time techniques that prove properties of programs before actually running them.

Shape analyses try to understand how the program execution manipulates the heap, e.g.:
- sharing analysis determines whether two variables might be bound to overlapping data structures;
- reachability analysis determines whether there exists a path in memory that links two variables;
- cyclicity analysis determines whether a variable is bound to a cyclical data structure.
State of the Art

Reachability and cyclicity, state of the art:
- Stefano Rossignoli and Fausto Spoto, "Detecting non-cyclicity by abstract compilation into boolean functions". In: VMCAI’06
- Samir Genaim and Damiano Zanardini, "Reachability-based Acyclicity Analysis by Abstract Interpretation". In: CoRR’12
- Đurica Nikolić and Fausto Spoto, "Reachability Analysis of Program Variables". In: IJCAR’12

    x.next=y;

This assignment makes x cyclical if and only if y reaches x.

We defined a state as $\sigma = \langle \rho, \mu \rangle$, where:
- $\rho$ (the environment) maps variables to locations;
- $\mu$ (the heap) binds locations to objects.

[Figure: environment $\rho$ binding variables x and y to locations l1 and l2; heap $\mu$ binding l1 and l2 to Element objects, each with fields value and next.]
Scenario

Given the following Java instructions,

    while(x!= null) x=x.next;

does the loop halt?

Assume $\rho(x) = l_1$ before starting the loop.

[Figure: heap with locations l1, l2, l3, l4 bound to Element objects o1, o2, o3, o4 (fields value, next), chained through next and ending in null: the loop terminates in 3 iterations!]

[Figure: the same four Element objects, but the next chain is cyclic: the loop does not terminate!]

It depends on the cyclicity of variable x.
Properties: Can we refine them?

Yes, by developing a field-sensitive analysis!

    while(x!= null) x.next=y; x=x.next;

Goal: for each program point, maintain a set of static fields F such that a program property holds.

We introduce the concept of path $P$ as a tuple of fields linking two locations inside the heap $\mu$.

[Figure: heap with locations l1, l2, l3, l4 bound to Element objects o1, o2, o3, o4 (fields value, next), chained through next.]

e.g., $\ell_1 \leadsto^{P}_{\mu} \ell_4$ with $P = \langle \mathit{El.next}, \mathit{El.next}, \mathit{El.next} \rangle$
Properties: Field-sensitive properties

Let $\mathcal{F}$ be the set of all fields and $L_\sigma(x)$ the set of all locations reachable from $x$.

Unreachability: for each path from $x$ to $y$ in state $\sigma$, the fields in $F$ are not part of that path.

$$x \not\leadsto^{F}_{\sigma} y \;\equiv\; \forall P \subseteq \mathcal{F}.\; x \leadsto^{P}_{\sigma} y \Rightarrow P \cap F = \emptyset$$

Non-cyclicity: for each cycle reachable from $x$ in state $\sigma$, the fields in $F$ are not part of the cycle.

$$x \not\circlearrowleft^{F}_{\sigma} \;\equiv\; \forall \ell \in L_\sigma(x),\, \forall P \subseteq \mathcal{F}.\; \ell \leadsto^{P}_{\mu} \ell \Rightarrow P \cap F = \emptyset$$
Abstract Interpretation

In order to make our analysis computable, we use the general framework of Abstract Interpretation.
Abstract Interpretation: Concrete and Abstract Domains

- $\Sigma$: set of all states
- $V$: set of all variables
- $\mathcal{F}$: set of all program fields

Concrete domain: $C = \wp(\Sigma)$

Abstract domain: $A = \wp(V \times V \times \wp(\mathcal{F})) \cup \wp(V \times \wp(\mathcal{F}))$

Concretization map $\gamma : A \to C$:

$$\gamma(I \in A) = \left\{ \sigma \in \Sigma \;\middle|\; \begin{array}{l} \forall\, a \not\leadsto^{F} b \in I,\ \exists F' \subseteq \mathcal{F}.\ a \not\leadsto^{F'}_{\sigma} b \wedge F \subseteq F' \\ \wedge\ \forall\, c \not\circlearrowleft^{F} \in I,\ \exists F' \subseteq \mathcal{F}.\ c \not\circlearrowleft^{F'}_{\sigma} \wedge F \subseteq F' \end{array} \right\}$$

Our properties are under-approximated by the information in $I$.
Methodology

1. Program under analysis

    class Element {
        private Object value;
        private Element prec, next;

        public Element(Object value) {
            this.value = value;
        }

        public Element(Object value, Element prec) {
            this.value = value;
            this.prec = prec;
            prec.next = this;
        }
    }

    public class MWexample {
        public static void main(String[] args) {
            Element top = new Element(new Integer(0));
            for (int i = 1; i <= 3; i++)
                top = new Element(new Integer(i), top);
        }
    }

2. Java bytecode (of the two-argument constructor)

    invokespecial #1 <Object.<init>()V>
    aload_0
    aload_1
    putfield #2 Element.value: Object
    aload_0
    aload_2
    putfield #3 Element.prec: Element
    aload_2
    aload_0
    putfield #4 Element.next: Element
    return

3. Control flow graph

    call java.lang.Object.<init>() : void
    load 0 Element
    load 1 Object
    putfield Element.value : Object
    load 0 Element
    load 2 Element
    putfield Element.prec : Element
    load 2 Element
    load 0 Element
    putfield Element.next : Element
    return void
    (exceptional edge: catch -> throw java.lang.Throwable)
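The definitions of F-unreachability and F-non-cyclicity, the rule "x.next=y makes x cyclical iff y reaches x", the concretization map, and the scenario loop can all be checked concretely on a small explicit heap. The following Python code is an added example, not code from the slides or from the authors' analyser. It assumes its own encoding of a state (rho as a dict from variable name to location, mu as a dict from location to a dict of qualified field names), and the two heaps it builds (the state inside the two-argument Element constructor just before `putfield Element.next`, and the scenario slide's list with or without its cycle) are constructed for the example; the list-of-tuples encoding of an abstract element I is likewise our own choice.

```python
# Added example, not from the slides or the authors' analyser: a concrete checker
# for the field-sensitive properties defined on the slides, run over explicit
# (constructed) models of the heaps the slides talk about.
#
# Encoding (our assumption): a state sigma = (rho, mu) where rho maps variable
# names to locations (None = null) and mu maps locations to objects, an object
# being a dict from qualified field name "Class.field" to a location.  A path P
# is the tuple of fields followed from one location to another.

NEXT, PREC, VALUE = "Element.next", "Element.prec", "Element.value"

def reach(mu, start):
    """Locations reachable from `start` through any field, `start` included
    (the slides' L_sigma(x) when start = rho(x)); empty for null."""
    seen, todo = set(), [start]
    while todo:
        loc = todo.pop()
        if loc is None or loc in seen:
            continue
        seen.add(loc)
        todo.extend(mu[loc].values())
    return seen

def edges(mu):
    """All (source, field, target) links in the heap, skipping null fields."""
    for loc, obj in mu.items():
        for field, target in obj.items():
            if target is not None:
                yield loc, field, target

def fields_on_paths(sigma, x, y):
    """Fields occurring on at least one path (simple or not) from rho(x) to rho(y).
    An f-edge a->b lies on such a path iff a is reachable from x and b reaches y."""
    rho, mu = sigma
    if rho[x] is None or rho[y] is None:
        return set()
    from_x = reach(mu, rho[x])
    return {f for a, f, b in edges(mu) if a in from_x and rho[y] in reach(mu, b)}

def fields_on_cycles(sigma, x):
    """Fields occurring on at least one cycle through a location of L_sigma(x).
    An f-edge a->b lies on such a cycle iff a is reachable from x and b reaches a."""
    rho, mu = sigma
    from_x = reach(mu, rho[x])
    return {f for a, f, b in edges(mu) if a in from_x and a in reach(mu, b)}

def unreachable(sigma, x, y, F):
    """x is F-unreachable to y: every path from x to y avoids all fields in F."""
    return not (fields_on_paths(sigma, x, y) & set(F))

def non_cyclic(sigma, x, F):
    """x is F-non-cyclic: every cycle reachable from x avoids all fields in F."""
    return not (fields_on_cycles(sigma, x) & set(F))

def in_gamma(I, sigma):
    """sigma in gamma(I); I is encoded (our choice) as a list of ("unreach", a, b, F)
    and ("noncyc", c, F) facts.  Both properties still hold when F shrinks, so
    'some F' containing F holds in sigma' is the same as 'F itself holds'."""
    for fact in I:
        ok = (unreachable(sigma, fact[1], fact[2], fact[3]) if fact[0] == "unreach"
              else non_cyclic(sigma, fact[1], fact[2]))
        if not ok:
            return False
    return True

def putfield(sigma, x, field, y):
    """Concrete effect of `x.field = y` (the putfield bytecode): update the heap."""
    rho, mu = sigma
    mu[rho[x]][field] = rho[y]

def walk_next(sigma, x, bound=1000):
    """Run `while (x != null) x = x.next;` concretely; returns the number of
    iterations, or None if `bound` iterations pass without reaching null."""
    rho, mu = sigma
    loc, steps = rho[x], 0
    while loc is not None:
        if steps == bound:
            return None
        loc, steps = mu[loc][NEXT], steps + 1
    return steps

def constructor_state():
    """Constructed: the heap inside `new Element(new Integer(1), top)` just before
    its last `putfield Element.next`.  o1 at l1 was built first; o2 at l2 is
    `this`, whose prec already points to l1.  Integers i0, i1 have no fields."""
    mu = {"i0": {}, "i1": {},
          "l1": {VALUE: "i0", PREC: None, NEXT: None},
          "l2": {VALUE: "i1", PREC: "l1", NEXT: None}}
    return {"this": "l2", "prec": "l1"}, mu

def scenario_state(close_cycle):
    """Constructed: the scenario slide's list l1 -> l2 -> l3 -> l4 through next;
    with close_cycle=True, l4.next points back to l1."""
    mu = {"l%d" % i: {VALUE: None, PREC: None, NEXT: "l%d" % (i + 1)} for i in (1, 2, 3)}
    mu["l4"] = {VALUE: None, PREC: None, NEXT: "l1" if close_cycle else None}
    return {"x": "l1"}, mu

if __name__ == "__main__":
    s = constructor_state()
    I = [("unreach", "prec", "this", {NEXT, PREC, VALUE}), ("noncyc", "prec", {NEXT})]
    print("before prec.next=this:", fields_on_paths(s, "this", "prec"), in_gamma(I, s))
    putfield(s, "prec", NEXT, "this")   # y (= this) reaches x (= prec): x becomes cyclic
    print("after prec.next=this: ", fields_on_cycles(s, "prec"), in_gamma(I, s))
    for closed in (False, True):
        t = scenario_state(closed)
        print("cyclic list" if closed else "acyclic list", "| {next}-non-cyclic:",
              non_cyclic(t, "x", {NEXT}), "| loop iterations:", walk_next(t, "x"))
```

Two things worth noticing when running it. Before the last putfield, `this` reaches `prec` only through prec, so `this` is {next, value}-unreachable to `prec`, while `prec` reaches `this` through no field at all; after `prec.next = this` the rule from the state-of-the-art slide applies (y reaches x), and both next and prec now lie on a cycle reachable from `prec`, so the abstract fact ("noncyc", prec, {next}) no longer concretizes to that state. On the scenario heaps, {next}-non-cyclicity of x is a sufficient condition for the traversal to halt: it holds for the null-terminated list (4 iterations here, since the constructed list has four elements) and fails for the closed one, where the bounded walk gives up.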