
Relational Inductive Shape Analysis

Bor-Yuh Evan Chang
University of California, Berkeley

Xavier Rival
INRIA

POPL 2008
Example: Removing duplicates

Concrete example (left) and the invariant/abstraction the analysis must track (right):

  l -> [2] <-> [2] <-> [4] <-> [4]        l: "sorted dl list"
                                          (a program-specific predicate)
  cur = l->next;
  while (cur != null) {
    cur = remove_if_dup(cur);             intermediate state: more complicated
    cur = cur->next;                      l ... cur: "sorted dl set segment (… ≤ v)"
  }                                       cur ...:   "sorted dl list (v ≤ …)"

  intermediate state:
  l -> [2] <-> [4] <-> [4]                (cur points into the list)

  l -> [2] <-> [4]                        l: "sorted dl set"
Bor-Yuh Evan Chang and Xavier Rival - Relational Inductive Shape Analysis 2
Utilize "dynamic checking code" as specification for static analysis

Checking code expresses a precise invariant of interest (but only at "steady states"):

  sorteddll(l, prev, min) =
    if (l = null) then
      true
    else
      l->prev = prev and
      min ≤ l->val and
      sorteddll(l->next, l, l->val)

The checker is the specification at the steady states; the analysis automatically generalizes it for the intermediate states of the loop:

  assert(sorteddll(l, null, 0));
  cur = l;
  while (cur != null) {
    cur = remove_if_dup(cur);
    cur = cur->next;
  }
  assert(sorteddlset(l, null, 0));
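The checker-as-specification idea on this slide, as an added example rather than the paper's code: the sorteddll checker above and a sorteddlset checker (the slide only names it; here it is assumed to be sorteddll with a strict inequality) run as executable predicates over a small heap model, bracketing the dedup loop exactly as the slide's asserts do.

```python
# Added example (not the paper's code): the slide's checkers as executable predicates over a tiny heap model.
from typing import Optional

class Cell:
    def __init__(self, val: int):
        self.val, self.prev, self.next = val, None, None

def sorteddll(l: Optional[Cell], prev: Optional[Cell], minv: int) -> bool:
    # Checker from the slide: back pointers correct, values non-decreasing and >= minv.
    if l is None:
        return True
    return l.prev is prev and minv <= l.val and sorteddll(l.next, l, l.val)

def sorteddlset(l: Optional[Cell], prev: Optional[Cell], minv: int) -> bool:
    # Assumed definition (the slide only names it): as sorteddll, but strictly increasing.
    if l is None:
        return True
    return l.prev is prev and minv < l.val and sorteddlset(l.next, l, l.val)

def build(values: list) -> Optional[Cell]:
    # Constructed sample input: a doubly-linked list holding `values` in order.
    cells = [Cell(v) for v in values]
    for a, b in zip(cells, cells[1:]):
        a.next, b.prev = b, a
    return cells[0] if cells else None

def remove_if_dup(cur: Cell) -> Cell:
    # Unlink cur if it repeats its predecessor's value; return the surviving cell.
    p = cur.prev
    if p is not None and p.val == cur.val:
        p.next = cur.next
        if cur.next is not None:
            cur.next.prev = p
        return p
    return cur

def dedup(l: Optional[Cell]) -> Optional[Cell]:
    # The loop from the slide, bracketed by the two checkers as on the slide.
    assert sorteddll(l, None, 0)
    cur = l
    while cur is not None:
        cur = remove_if_dup(cur)
        cur = cur.next
    assert sorteddlset(l, None, 0)
    return l

def values(l: Optional[Cell]) -> list:
    out = []
    while l is not None:
        out.append(l.val)
        l = l.next
    return out
```

A corrupted back pointer or an out-of-order value makes sorteddll reject the structure, which is exactly what the static analysis proves can never happen at the assert points.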
Our framework is …

An automated shape analysis with a precise memory abstraction based around invariant checkers.

  checkers  -->  shape analyzer

  sorteddll(l, prev, min) =
    if (l = null) then
      true
    else
      l->prev = prev and
      min ≤ l->val and
      sorteddll(l->next, l, l->val)

• Compact abstraction
  – Data structure-specific, based on properties of interest to the developer
• Extensible
  – Parametric in developer-supplied checkers
Challenges

1. "split" segments (back pointers)

  cur = l->next;
  while (cur != null) {                   loop invariant:
                                            l ... cur: "sorted dl set segment (… ≤ v)"
                                            cur ...:   "sorted dl list (v ≤ …)"
    if (cur->prev->val == cur->val) {     inside the test, the cells at cur->prev and cur
                                          are explicit with values v and w:
                                            l ... : "sorted dl set segment (… ≤ u)"
                                            cur ...: "sorted dl list (w ≤ …)"
                                            with u < v = w
      cur = cur->prev; remove_after(cur);
    }
    cur = cur->next;
  }

2. numerical constraints (linking shape and data) (see paper)
Shape analysis is an abstract interpretation on memory states with …

Materialization (partial concretization)
  [figure: abstract memory states with l and cur, before and after materialization]

To perform strong updates
  [figure: abstract memory states with l and cur, before and after the update]

And widening for termination
  [figure: abstract memory states with l and cur, before and after widening]
Outline

  checkers  -->  type "pre-analysis"  -->  shape analyzer (abstract interpretation)

  1  materialization and update
  2  type "pre-analysis"
     widening: see paper

  Input to the pipeline is a checker such as:

  sorteddll(l, prev, min) =
    if (l = null) then
      true
    else
      l->prev = prev and
      min ≤ l->val and
      sorteddll(l->next, l, l->val)
Abstract memory using inductive predicates

Edges represent disjoint memory regions:
  values (e.g., address)   points-to (memory cell)   checker (inductive pred)   segment

The duplicate-removal loop and the abstract heap at its update:

  cur = l->next;
  while (cur != null) {
    if (cur->prev->val == cur->val) {
      cur = cur->prev;
      remove_after(cur);
    }
    cur = cur->next;
  }

  update: cur->next = cur->next->next

  [figure, reconstructed from the extracted labels: l ↦ α, cur ↦ γ; a segment
   α.dll(null) ⋯ γ.dll(β) summarizes the cells from l up to cur; the cells
   γ·prev ↦ β, γ·next ↦ δ, δ·prev ↦ γ, δ·next ↦ ε are explicit and ε.dll(δ)
   summarizes the rest; after the update, γ·next ↦ ε]

Checker with one traversal parameter, and the same checker with fields:

  dll(l, prev) :=
    if (l = null) then
      true
    else
      l->prev = prev and
      dll(l->next, l)

  π.dll(ρ) :=   ( emp  ∧  π = null )
              ∨ ( ∃η.  π·prev ↦ ρ  ∗  π·next ↦ η  ∗  η.dll(π)  ∧  π ≠ null )
Materialize by unfolding inductive definition

  [figure: l ↦ α, cur ↦ δ; a segment α.dll(null) ⋯ δ.dll(γ) followed by the
   checker instance δ.dll(γ)]

  materialize: cur->prev   (needed by the test cur->prev->val == cur->val)

  Unfolding δ.dll(γ) forward with the definition

    π.dll(ρ) := ( emp ∧ π = null ) ∨ ( ∃η. π·prev ↦ ρ ∗ π·next ↦ η ∗ η.dll(π) ∧ π ≠ null )

  gives the two cases δ = null ∧ emp, and δ·prev ↦ γ ∗ δ·next ↦ ε ∗ ε.dll(δ).
  But the program then reads the fields of γ, and γ lies inside the segment
  α.dll(null) ⋯ δ.dll(γ): need fields from γ, i.e. need to unfold "backward".
Segments as partial checkers

Summary: a segment edge from α to β, labelled c(γ) ⋯ c′(γ′) with superscript i,
stands for a partial checker run: i unfolding steps starting from the instance
c(α, γ) that leave the instance c′(β, γ′) still to be checked.

Instance: null <- α <-> β <-> γ <-> δ -> null (next/prev fields)

Checker "Run":
  α.dll(null)
  β.dll(α)
  γ.dll(β)
  δ.dll(γ)
  null.dll(δ)

For example, the segment α.dll(null) ⋯ γ.dll(β) with i = 2 covers the first two
steps of this run, i.e. the cells α and β.
Segments as partial checkers (i = 0)

Summary: with i = 0 the segment is empty and collapses to the equalities
α = β, c = c′, γ = γ′.

Instance: null <- γ <-> δ -> null, so the run starts at γ with α = γ and β = null:
  γ.dll(β)     (β = null)
  δ.dll(γ)
  null.dll(δ)
To unfold backward, split the segment and then unfold forward

  [figure: l ↦ α, cur ↦ δ; the segment α.dll(null) ⋯ δ.dll(γ) is split into
   α.dll(null) ⋯ γ.dll(β) (one step shorter) and the one-step part
   γ.dll(β) ⋯ δ.dll(γ), which is then unfolded forward to γ·prev ↦ β, γ·next ↦ δ]

  materialize: cur->prev->next

  The split yields two cases:

  α = δ, γ = null (empty segment, i = 0):
    l, cur ↦ δ;  δ·prev ↦ γ = null;  δ·next ↦ ε;  ε.dll(δ)

  α ≠ δ:
    α.dll(null) ⋯ γ.dll(β);  γ·prev ↦ β;  γ·next ↦ δ;  δ·prev ↦ γ;  δ·next ↦ ε;  ε.dll(δ)

  both obtained from the definition
    π.dll(ρ) := ( emp ∧ π = null ) ∨ ( ∃η. π·prev ↦ ρ ∗ π·next ↦ η ∗ η.dll(π) ∧ π ≠ null )

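The materialization steps of the two slides above (forward unfolding of a checker instance, and backward unfolding by splitting a segment and unfolding its last step forward), as an added example rather than the paper's implementation. It assumes a minimal symbolic-heap model: frozensets of points-to edges, checker instances node.dll(prev) and segments, with side constraints kept as strings; the State type and the fresh() naming scheme are this example's own.

```python
# Added example (not the paper's code): forward and backward unfolding of the dll
# checker over a minimal symbolic-heap model (State and fresh() are assumptions here).
from dataclasses import dataclass, replace
import itertools

_ctr = itertools.count()
def fresh(prefix: str) -> str:  # new symbolic value (the eta / beta on the slides)
    return f"{prefix}{next(_ctr)}"

@dataclass(frozen=True)
class State:
    pts: frozenset   # (node, field, value): materialized cells, node.field |-> value
    ind: frozenset   # (node, prev): checker instance node.dll(prev)
    seg: frozenset   # (a, pa, b, pb): segment a.dll(pa) ... b.dll(pb)
    pure: tuple      # side constraints, kept as strings such as "a = null"

def unfold_forward(s: State, n: str) -> list:
    # n.dll(rho) := (emp, n = null) or (exists eta. n.prev|->rho * n.next|->eta * eta.dll(n), n != null)
    rho = next(p for (m, p) in s.ind if m == n)
    ind, eta = s.ind - {(n, rho)}, fresh("eta")
    return [replace(s, ind=ind, pure=s.pure + (f"{n} = null",)),
            replace(s, ind=ind | {(eta, n)}, pure=s.pure + (f"{n} != null",),
                    pts=s.pts | {(n, "prev", rho), (n, "next", eta)})]

def unfold_backward(s: State, b: str) -> list:
    # Split a.dll(pa) ... b.dll(pb) into the empty segment (a = b, pa = pb) or into
    # a.dll(pa) ... pb.dll(beta) plus the last cell pb unfolded forward (pb.next |-> b).
    a, pa, _, pb = next(e for e in s.seg if e[2] == b)
    seg, beta = s.seg - {(a, pa, b, pb)}, fresh("beta")
    return [replace(s, seg=seg, pure=s.pure + (f"{a} = {b}", f"{pa} = {pb}")),
            replace(s, seg=seg | {(a, pa, pb, beta)}, pure=s.pure + (f"{a} != {b}",),
                    pts=s.pts | {(pb, "prev", beta), (pb, "next", b)})]

def read(s: State, n: str, f: str):
    # Value of n.f if that cell is materialized in s, else None.
    return next((v for (m, g, v) in s.pts if m == n and g == f), None)

def materialize(s: State, n: str, f: str) -> list:
    # Disjuncts in which n.f is materialized (or the summary holding n collapsed to a constraint).
    if read(s, n, f) is not None:
        return [s]
    if any(m == n for (m, _) in s.ind):
        cases = unfold_forward(s, n)
    elif any(e[3] == n for e in s.seg):
        cases = unfold_backward(s, next(e[2] for e in s.seg if e[3] == n))
    else:
        return [s]
    return [t for c in cases for t in materialize(c, n, f)]
```

Starting from the slide's state (segment α.dll(null) ⋯ δ.dll(γ) plus δ.dll(γ)), materializing δ.prev unfolds forward, and materializing γ.next afterwards unfolds the segment backward, producing exactly the two cases listed above.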
Outline (continued)

  checkers  -->  type pre-analysis  -->  shape analyzer (abstract interpretation)

  2  type pre-analysis
Types for deciding where to unfold

Summary: segment α.dll(null) ⋯ γ.dll(β), followed by the instance γ.dll(β).
  If it exists, where is γ->next? where is β->next?
  (γ->next is produced by unfolding γ.dll(β); β->next was produced by the run
   step β.dll(α), which lies inside the segment.)

Instance: null <- α <-> β <-> γ <-> δ -> null

Checker "Run":
  α.dll(null)
  β.dll(α)
  γ.dll(β)
  δ.dll(γ)
  null.dll(δ)

Checker definition:
  π.dll(ρ) := ( emp ∧ π = null ) ∨ ( ∃η. π·prev ↦ ρ ∗ π·next ↦ η ∗ η.dll(π) ∧ π ≠ null )
Types for deciding where to unfold

• Types help the analysis decide where to unfold
• Types can be inferred automatically (see paper)
Summary: Given checkers, everything is automatic

  checkers  -->  type pre-analysis  -->  shape analyzer (abstract interpretation:
                                         materialization and update, widening)
Experiments

  Benchmark                                Max. num. graphs     Max. num. iterations   Analysis
                                           at a program point   at a program point     time (ms)
  doubly-linked list reverse               1                    3                      1.4
  doubly-linked list copy                  2                    3                      5.3
  doubly-linked list insert                2                    4                      3.8
  doubly-linked list remove                5                    4                      6.5
  doubly-linked list remove and back       5                    4                      6.8
  search tree with parent insert           5                    5                      8.3
  search tree with parent insert and back  5                    5                      47.0

Verified: the shape invariant as given by a checker is preserved across the operation.
Conclusion

• Inductive checkers can form the basis of an effective memory abstraction and analysis
  – Easily extensible on a per-program basis
• To enable materialization anywhere
  – Segments defined as partial checker runs
  – Type pre-analysis on checker definitions to decide where to unfold robustly
• Numerical reasoning via coordination with a base domain (see paper)
What can inductive shape analysis do for you?
