shape analysis
DESCRIPTION
Shape Analysis. Tal Zelmanovich Seminar in automatic tools for analyzing programs with dynamic memory 2013/2014B. Subjects. Introducing shape analysis TVLA method Cutpoint -free method Separation logic method Conclusion & Personal view. Part 1 – General shape analysis. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/1.jpg)
Shape Analysis
Tal ZelmanovichSeminar in automatic tools for analyzing
programs with dynamic memory 2013/2014B
![Page 2: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/2.jpg)
Subjects
• Introducing shape analysis• TVLA method• Cutpoint-free method• Separation logic method• Conclusion & Personal view
![Page 3: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/3.jpg)
Part 1 – General shape analysis
• The idea behind shape analysis• Goals• Analysis scope & limits• Termination problem• Common definitions & symbols
![Page 4: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/4.jpg)
What is the best way to describe a list or a binary tree?
![Page 5: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/5.jpg)
The concept
Analyze program behavior through shapes of data structures occurring in the heap• In-depth analysis that answers advanced
questions about the program• Static analysis• No single algorithm – a family of methods with
common principles
![Page 6: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/6.jpg)
The concept
Structures are usually kept as pointing-graphs or logical statementsExample:
void three_func(){
List_element * L = NULL;for (int i=0; i<3; i++)
L = append_element(L, i)}
Possible states inside loop:
L
0x100
e1L
0x100 0x40
e2 e1L
0x100 0x54 0x40
e3 e2 e1L
0x100 0x30 0x54 0x40
![Page 7: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/7.jpg)
Goals
The analysis allows us to answer some common pointer-analysis questions:• Does a pointer points at NULL?• Are two pointers aliasing?• Can we reach y from x?• Is there an access violations?Using shape analysis we can get answers about both stack pointers and heap locations
![Page 8: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/8.jpg)
Goals
Shape analysis also answers more complicated questions:• How many places points to a single location?• Is x a part of a pointing cycle?• Is there a memory leak?• Does x points to a list\double list\tree?In some shape analysis methods it is even possible to define questions\properties on our own
![Page 9: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/9.jpg)
Analysis scope
Shape analysis may be a part of a complete analysis system, but the basic version cannot answer questions about:• Pointer arithmetic• Arrays• Data values (follows pointer only)• Flow questions (is code reachable?)It only gives info about memory structures!
![Page 10: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/10.jpg)
Analysis examplestruct Tree {int data = DC, Tree * left = NULL, Tree * right = NULL};
Tree * generate_tree(int times){
Tree * t = new Tree(); Tree * cur_node = t;
for (int i=0; i<times; i++){
Tree * left_son = new Tree();Tree * right_son = new_Tree();cur_node->left = left_son; cur_node->right =
right_son;cur_node = cur_node->left
}return t;
}
![Page 11: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/11.jpg)
Analysis exampleTree * t = new Tree(); Tree * cur_node = t;
for (int i=0; i<times; i++)…cur_node->left = left_son; cur_node->right =
right_son;cur_node = cur_node->left
1.2.
3.4.
step 1
e1cur
t
step 3 step 4
e1cur
t
e2 e3
e1cur
t
e2 e3
![Page 12: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/12.jpg)
Analysis examplestep 4 (1)
e1cur
t
e2 e3
e1cur
t
e2 e3
e4 e5
step 4 (2)
e1cur
t
e2 e3
e4 e5
e6 e7
e8 e9
step 4 (100000000)
When should we stop?How should we stop?
![Page 13: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/13.jpg)
Summarization
Recall abstraction from a few lectures ago:• {1,2,3} [1,3]• {1,2,3} T
How can we do the same for pointing graphs?Summarize – represent memory locations with similar connectivity attributes as one node\placeSummarization allows us to treat a set of (possibly infinite) graphs as if it was a single graph
![Page 14: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/14.jpg)
e1cur
t
e2 e3
e4 e5
e6 e7
e8 e9
Summarization
e1cur
t
e2 e3
left
rightleftleft
left
left
left
right
right
right
right
![Page 15: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/15.jpg)
Summarization
e1cur
t
e2 e3
e4
e5e6
right
right
right
left
left
left
Summarization shrinks the representation, but may
lose information!
e1cur
t
e2 e3
left
rightleft
![Page 16: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/16.jpg)
Summarization
e1cur
t
e3e6
right
left
A good summarization method must keep the traits we care about correct
e1cur
t
e2 e3
left
rightleft
![Page 17: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/17.jpg)
Symbols & conventions
Pointer placed on stack
Single heap cell\struct
Collection of heap cells\structs (at least 1)
Has attribute t (examples: points_to_NULL, is_on_cycle, reachable_from_pointer_P)
P
u
v
u
t
![Page 18: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/18.jpg)
Symbols & conventions
x
y
n
x
y
n
x
y
n
x
y
n
x points to y by n field
x may point to yby n field
x may point to one element of y
by n field
Some elements of x may point
to some elements of y by n field
![Page 19: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/19.jpg)
Part 2 – the TVLA method
• About the TLVA method• 3 valued – logics• Predicates used in TLVA• Command translation in TLVA• Special uses and versions of TLVA• Runtime & bottleneck
![Page 20: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/20.jpg)
The TVLA method
• Method: Mooly Sagiv, Tom Reps & Reinhard Wilhelm• Tool: Mooly Sagiv, Tal Lev Ami & Roman Manevich
![Page 21: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/21.jpg)
Three valued logic
• Instead of {T, F} use {1, ½, 0} where ½ means “don’t know”
• Expressions are evaluated as expected:
• Attributes and connections may have value ½ (represented as dotted lines in graphs)
![Page 22: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/22.jpg)
Predicates
• Attributes and connections are represented as unary and binary predicates operating on heap locations
• Core predicates – basic shape analysis properties such as points-to
• Instrumentation predicates – additional properties we’d like to follow (reachability for example)
• Predicates have {0, ½, 1} values
![Page 23: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/23.jpg)
Core predicates
• points_to_by_x(y) – stack pointer x points to heap location y
• connected_through_n(x,y) – n property of heap location x points to y
• sm(x) – special predicate stating whether x is a summarized location (cannot be ½)
![Page 24: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/24.jpg)
Examples of instrumentation predicates
• r[n, p](x) – location x can be reached by going throw n-fields of stack pointer p
• Is_Null(x) – x is not an actual heap location, but NULL
• Is[n](x) – is x heap shared, meaning does more then one element points to x
• c[n](x) – x is a part of a cycle using n field• we can even define instrumentation predicates of
our own
![Page 25: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/25.jpg)
Predicates
x
u1
y
u4
nn
nu2u3
u0
n
n
nn
Core predicates?Reachability predicate?Cycle predicate?Is predicate?
r[n, x]
r[n, y]r[n, x]r[n, y]
r[n, x]r[n, y]
r[n, x]r[n, y]
c[n]c[n] is[n]is[n]
![Page 26: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/26.jpg)
Summary operation
• In TVLA summary is done by grouping together connected elements sharing the same set of abstraction predicates
• abstraction predicates are a set of unary predicates (can be chosen however you like)
• abstraction predicates are the properties that summary will conserve
• more abstraction predicates means better analysis and usually (although not always) longer running time
![Page 27: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/27.jpg)
Summary operation
Possibilities for abstraction predicates:{r[n,x], r[n,y]}
x
u1
y
u4
nn
nu2u3
u0
n
n
nn
r[n, x]
r[n, y]r[n, x]r[n, y]
r[n, x]r[n, y]
r[n, x]r[n, y]
c[n]c[n] is[n]is[n]
{c[n]} {}
![Page 28: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/28.jpg)
Revisit: summary information lost
e1cur
t
e2 e3
left
rightlefte1cur
t
e3e6
right
left
e1cur
t
e2 e3
e4
e5e6
right
right
right
left
left
left
r[left, t] = 1
is[right] = 0
![Page 29: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/29.jpg)
Command Translation
The TVLA process for translating a command:• Focus – if the command relates a property we’re
not sure of (for example x.n=u0 is ½), instantiate it for all possible values
• Update – preform command on current state graph + update predicates
• Coerce – remove impossible structures• Blur – perform summary operation (promises
process termination)
x
u1
y
n
u0n
n
x
u1
y
n
u0n
n
x
u1
y
n
u0
n
![Page 30: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/30.jpg)
Runtime
SetRemove
SetIn
sert
DeleteSorte
dTree
InsertSorte
dTree
InsertAVLT
ree
Reverse
InsertionSort
QuickSo
rt
0
10
20
30
40
50
60
70
80
90
TVLA Runtime
2.6GHz Pentium, 1GB Ram, Win XPTime unit: minutes
![Page 31: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/31.jpg)
Runtime
TLVA works well on small programs, but when trying to scale up the solution running time may reach double exponent!Most of the time is wasted due to the fact even a simple command may affect all predicates along the way. That means that every function call\loop cannot be analyzed out of its context – function analysis cannot be reused.Next up: two different methods to ease this runtime bottleneck
![Page 32: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/32.jpg)
More uses & versions of TVLA
• TLVA is very versatile and may be used to analyze (or relay on) other properties beside structures:• Determining program correctness (sort example)• Adding type predicates• Adding allocation position predicates• Time stamping heap cells creation
![Page 33: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/33.jpg)
Things we learned up to now…
Shape analysis is a form of static\dynamic program analysis.Summary is the process of:Converging multiple heap locations with similar attributes (predicates) to a single representationThe core predicates are: pointed_by_x \ c[n] \ connected_through_n \ r[x,n] \ is[n]TLVA’s runtime bottleneck is:A single update may require pass on the entire structure, no analysis reuse
![Page 34: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/34.jpg)
Break
![Page 35: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/35.jpg)
Part 3 – cutting down on runtime
• Cutpoint-free & separation logic methods:– Main concept– Algorithm implementation & examples– Runtime
• Comparing both methods
![Page 36: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/36.jpg)
Cutpoint-free shape analysis
Noam Rinetzky, Mooly Sagiv & Eran Yahav(based on TVLA)
![Page 37: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/37.jpg)
Cutpoint-free concept
• Function calls usually affects only memory pointed by the function arguments, and not other pointers\heap cells
• Such calls are called cutpoint-free• A cutpoint-free call can be analyzed considering
only the heap accessible through the function arguments – faster analysis
• Caller function analysis will treat calle analysis as sort of a black box
![Page 38: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/38.jpg)
CutpointsCall func(x,y)Is the call cutpoint free?
x y z
x y z
n n
n
x y z
n
n
n n
n
Definition of cutpoint?
![Page 39: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/39.jpg)
Cutpoint-free concept
• Cutpoint: a location reachable from a function argument, as well as reachable from a non-argument pointer while not passing through an argument.
• Exception: cutpoints cannot be pointed directly by a parameter
• Cutpoint-free algorithm can analyze only cutpoint -free programs (happens a lot, yet not always)
• If some call is not cutpoint free the algorithm can detect it using is-cutpoint[func] predicate
![Page 40: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/40.jpg)
Cutpoint-free analysis example
List splice operation:
x
y
splice
x
y
![Page 41: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/41.jpg)
Cutpoint-free analysis example
Splice(x, y)
x
y
z
y1
x1
z1
y2
x2
z2
n
n
n
splicep
q q1
p1n
n
![Page 42: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/42.jpg)
Cutpoint-free analysis example
Splice(x, y)
x
y
z
y1
x1
z1
y2
x2
z2
n
n
n
splicep
q q1
p1
nn
n
![Page 43: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/43.jpg)
Cutpoint-free analysis example
Splice(x, y)
x
y
z
y1
x1
z1
e2
e1
z2
nn
n
n
![Page 44: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/44.jpg)
Cutpoint-free analysis example
Splice(x, z)
x
y
z
y1
x1
z1
e2
e1
z2
nn
n
nCutpoint!
![Page 45: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/45.jpg)
Cutpoint-free analysis example
Splice(y, z)
x
y
z
y1
x1
z1
e2
e1
z2
nn
n
n
splice
p
q
p1
q1
n
n
n
![Page 46: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/46.jpg)
Cutpoint-free analysis example
Splice(y, z)
x
y
z
y1
x1
z1
e2
e1
z2
nn
n
n
splice
p
q
p1
q1
n
n n
n
![Page 47: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/47.jpg)
Cutpoint-free analysis example
Splice(y, z)
x
y
z
y1
x1
z1
e2
e1
e3
nn
n
n
![Page 48: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/48.jpg)
Tabulation
• Beside that time saved by not updating properties of the entire heap, the algorithm employs another useful technique to save time
• Since functions are analyzed separately, we can remember results of analyzed calls with various inputs and re-use them (Tabulation)
• This even allows us to treat different call locations the same way – and therefore compute them only once.
• Separation of functions from calling context reduces runtime to single-exponent!
![Page 49: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/49.jpg)
Cutpoint-free analysis runtime
list-re
verse
list-sp
lice
tree-in
sert_node
tree-find
tree-sp
lice
tail-s
ort0
20
40
60
80
100
120
RecursionIterative
1.5GHz Pentium, 1GB Ram, Win XPTime unit: seconds
![Page 50: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/50.jpg)
Separation logic based shape analysis
Method: Peter O’Hearn & John C. ReynoldsTool: Dino Distefano, Peter W. O’Hearn & Hongseok Yang
![Page 51: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/51.jpg)
Separation logic method
• Use specific logic with specific set of rules to represent memory pointing structure
• taking completely different approach from TVLA• Commands affects the logical state with O’Heran
logic style – {P} C {Q}• Use reasoning to bound the locations command c
might update to reduce runtime• Presented version works only for lists (each cell
has at most one pointer in it)
![Page 52: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/52.jpg)
Separation logic – memory presentation
• Explicit pointers addresses – x, y, z…• Implicit pointers addresses – x’, y’, z’…
• Locations aliasing x=y, x’=y’:
x x’ yz’y’
x, y
x’
x
x’,y’
![Page 53: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/53.jpg)
Separation logic – memory presentation
Two types of pointing:• Straight forward pointing: xy, x’y’, x’x’
• Path indirect acyclic pointing: ls(x’, y’), ls(x’, x’)
x y y’x’ x’
y’x’
t1’x’ y’t2’
y’x’
x’
![Page 54: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/54.jpg)
Separation logic – memory presentation
Operations between stacks\heaps:• s1,h1 s2,h2 – a structure that matches both:
{xy’ ls(z, z’)}
• s1,h1 s2,h2 – guarantees separation:{xy’ ls(z, z’)}
{xx’ x’y}
x, z y’,z’
x y’y’ z z’ x y’,z’ z
x y’x’ y’
![Page 55: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/55.jpg)
Separation logic examplevoid reverse_list(List * x){
List *t = NULL, *y=NULL;while (x != NULL){t = x->n;x->n = y;y=x;x=t;}
}
y
p’ c’ n’
x t
![Page 56: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/56.jpg)
Separation logic examplevoid reverse_list(List * x){
List *t = NULL, *y=NULL;while (x != NULL){t = x->n;x->n = y;y=x;x=t;}
}
{x NULL t=x ls(x) ls(y)} Unfold: { x’.t=x∃ xx’ls(x’)ls(y)} {xtls(t) ls(y) }
t,x y x y
t
{xyls(t) ls(y) }
x
y t{x=y ls(t) ls(y) } x,y t
{t=x ls(x) ls(y)}
t,x y
{t=x x=NULL ls(y)}
y What about abstraction?
Is it needed?
![Page 57: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/57.jpg)
Abstraction of separation logic
We allow two types of abstraction:• Collecting unreachable cells (memory leak):
mark - {junk}
• Trimming sequences of primed locations:
x x’j3’
j2’
j1’
x x’
junk
x x’
j2’j1’
y y’
c’
x x’
y y’
c’
![Page 58: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/58.jpg)
Locality principle
• What do we gain from analyzing the structure using separation logic?
• “” separates different memory slices{xx’ls(y, x’)ls(x’)}
• When an update occurs we only need to update slices directly affected
• saves a lot of time when the slices are relatively small
x
x’
y
![Page 59: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/59.jpg)
TVLA VS SeparationCategory TVLA\Cutpoint-free Separation logic
Model Abstraction by grouping predicates (graph oriented)
Logical proof
Predicates based on
Mainly reachability properties
Inductive predicate (ls for example)
Coverage Soundness Soundness
Operation Automatic only Automatic or manually
Achilles' heal Small updates can effect everything and impact runtime
Lower expressability
Locality principle
Function calls separation & tabulation
Locality & Tabulation
Reception One of the two leading methods for shape analysis
The other of the two leading methods (Linux kernel analyzed)
![Page 60: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/60.jpg)
Part 3 – Conclusions & Personal View
• Summary• My thoughts• My idea• Questions• Discussion
![Page 61: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/61.jpg)
Summary
• Shape analysis allows us to analyze the heap structure
• It can answer advanced questions (is this a doubly liked list? Is this a part of a cycle?)
• We’ve seen 3 methods of shape analysis:
• Last two attempt to solve runtime bottleneck
TVLA
Separation logic
Cutpoint-free
![Page 62: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/62.jpg)
Summary
• TVLA - uses three valued logic, easily allows definition of user properties (predicates)
• Cutpoints algorithm – attempts to decrease runtime by separating function points from their calling context (based on TVLA)
• Separation logic – uses tailored logic reasoning to bound the area requiring updates
![Page 63: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/63.jpg)
My thoughts & Conclusions• Ground breaking idea & techniques• Presented algorithms are complex, but are also
straight forward and very versatile• Competitive field• The distance to practical use is still far:• Long runtime (hard time scaling up)• Not a complete solution (structures only, libs support)
• Maybe general idea may solve other problems?• Image analysis• Pattern recognition
![Page 64: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/64.jpg)
B
My* idea – Template analysis
• Compress structure representation by identifying reoccurring structures
• For each new (small) heap state build a template, reuse templates to define entire heap A B
.
out1
in1
B
B
![Page 65: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/65.jpg)
My idea – template analysis
• Representation can be recursive (abstraction):
T T
in1
OR NULL
in1
T
![Page 66: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/66.jpg)
My idea – template analysis
Open Questions:• How to make pattern search feasible without
loss of quality?(subgraph isomorphism is NP-complete)
• How to select between few possible matches?• How to generate recursive structures?
![Page 67: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/67.jpg)
Shape analysis vs Template analysis
Template analysis advantages:- Properties calculated only once per shape- Utilizes recursion definition of structures- Allows short representation of common
objects (similar to dictionary contraction)Template analysis disadvantages:- Many open questions – not even sure possible- Runtime (probably) longer
![Page 68: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/68.jpg)
q6
q1
Q
q2
q3
q5
q4
nn
n
n
n
q6q6
n
q6n
![Page 69: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/69.jpg)
Discussion
• Which method is better?• Which properties\predicates would you
define?• Would you use shape analysis?
• Any comments about the lecture itself?(don’t be afraid to be rough)
![Page 70: Shape Analysis](https://reader036.vdocuments.us/reader036/viewer/2022062323/5681676e550346895ddc58d5/html5/thumbnails/70.jpg)
References• Shape analysis terms:
Shape Analysisby Reinhard Wilhelm, Mooly Sagiv & Thomas Reps
• TVLA algorithm:TVLA: a system for implementing static analysesby Tal Lev-Ami & Mooly Sagiv
• Cutpoint-free algorithm:Interprocedural shape analysis for cutpoint-free programsby Noam Rinetzky, Mooly Sagiv and Eran Yahav
• Separation logic algorithm:A local shape analysis based on separation logicby Dino Distefano, Peter W. O’Hearn & Hongseok Yang
• TVLA runtime examples:Revamping TVLA: making parametric shape analysis competativeby Igor Bogudlov, Tal Lev-Ami, Thomas Reps & Mooly Sagiv