Fissile Type Analysis: Modular Checking of Almost ... · Fissile Type Analysis: Modular Checking of...

Fissile Type Analysis:Modular Checking of Almost

Everywhere Invariants

University of Colorado Boulder

Devin Coughlin Bor-Yuh Evan Chang

1

How to type check a program that is

almost well-typed?

2

Type system:dependent re!nement types

In this talk

Example property of interest:safety of re"ective method calls

3

Re"ective method call dispatches based on runtime string value

class Callbackvar sel : Strvar obj : Obj

def call()this.obj.[this.sel]()

4




Calls method with name (selector) stored in sel on

object stored in obj

4






If sel held string “notifyDidClick” would call notifyDidClick() on obj.

4






4

Run time error if obj does not respond to sel — i.e., method does not exist



Ensure re!ection safety with dependent re!nement type expressing required relationship

5




| r2 sel

obj must “respond to” sel

5




| r2 sel


Shorthand forobj :: {⌫ : Obj | ⌫ r2 sel}

5




| r2 sel


Shorthand forobj :: {⌫ : Obj | ⌫ r2 sel}

5

Guarantees no MethodNotFound error in call()

class Iteratorvar idx : Int var buf : Obj[]

def get(): Objreturn this.buf[this.idx]

Similar relationship for array bounds safety

| indexedBy idx

6




| indexedBy idx

idx must be a valid index into buf

6




| indexedBy idx


Guarantees no “ArrayOutOfBounds” error

6




| indexedBy idx


6

These kinds of relationships are important to many safety properties

class Callbackvar sel : Strvar obj : Obj | r2 sel

def update(s : Str, o : Obj | r2 s)this.sel = sthis.obj = o


Updating relationship causes type error

7




Field type says: obj must always respond to sel


7




o guaranteed to respond to s



7





Type error: old obj may not respond to new sel



7





Type error: old obj may not respond to new sel

False alarm: no runtime error



7

| r2 s


def update(s : Str, o : Obj )this.sel = sthis.obj = o


Two styles of reasoning to determine false alarm

| r2 sel

8

| r2 s





Reasoning by global invariant: call safe if relationship holds

| r2 sel

8

| r2 s






| r2 selReasoning about effects of imperative updates

8

| r2 s






Relationship violated


8

| r2 s






Relationship violated

Relationship restored


8

Idea: Selectively alternate between reasoning styles in

veri"cation

10

Fissile Type Analysis combines two styles of reasoning

Automated reasoning about global invariants

10



10

Flow-Insensitive Type Systems

� ` · · ·



Automated reasoning about execution

10


� ` · · ·



Automated reasoning about execution

10


� ` · · ·

Abstract Interpretation/Flow Analysis

�(·) = · · ·


Veri"cation of almost-everywhere invariants with intertwined type and !ow analysis

11


types violated

type analysis

Switch to symbolic analysis when global

type invariant violated

11


symbolic !ow analysis

types violated

type analysis

types restored



11

Back to types when invariant restored



types violated

type analysis

types restoredtype analysis

types violated



11




types violated

type analysis



types violated

types restored



11




types violated

type analysis

type analysis



types violated

types restored



11




types violated

type analysis

type analysis



types violated

types restored



Not changing type analysis at all: just when applied

11




types violated

type analysis

type analysis



types violated

types restored

Effective when global type invariant holds

most of the time

11



types violated

type analysis

type analysis



types violated

types restored


most of the time

11

• Relationship updates



types violated

type analysis

type analysis



types violated

types restored


most of the time

11


• Occurrence typing



types violated

type analysis

type analysis



types violated

types restored


most of the time

11


• Occurrence typing

• Tagged unions

Play to the strengths of each intertwined analysis

12


Flow-Insensitive Types• Easy to specify global invariants• Fast• Natural for modular reasoning• Good error reporting

12



Symbolic Flow Analysis• Natural for local reasoning about

heap mutation • Precise• Can be disjunctive/path-sensitive

12





!ow-sensitive typing?ownership types?alias types?permissions?effects?

12






Goal: keep types as simple as

possible

12






Goal: keep types as simple as

possible

12

Complexity lies in handoff between analyses and in symbolic analysis

Key Contributions1 Translate type invariant into

symbolic state via “symbolization” of type environment

type analysis

symbolic !owanalysis

type analysis

2 Leverage heap type invariantduring symbolic analysis viatype-consistent materialization and summarization

13



type analysis


type analysis


13

Reason precisely only when type invariant violated



type analysis


type analysis


13


Reason precisely only for locations where type invariant violated



type analysis


type analysis


1

13


Reason precisely only for locations where type invariant violated

Symbolization splits a type environment intofacts about values and storage for those values


def update(s:Str, o:Obj | r2 s)this.sel = sthis.obj = o



✘

Type environment

� this : Callback

s : Stro : Obj | r2 s

Maps local variables to dependent types

Re"nements refer to

variables



Type environment

symbolize� this : Callback


Symbolic state

this : eto : eos : es

eo : Obj | r2 eses : Str

et : Callbacke�eE


Re"nements refer to

variables



Type environment



Symbolic state



et : Callbacke�eE


Maps local variables to

symbolic values

Re"nements refer to

variables



Type environment



Symbolic state



et : Callbacke�eE



symbolic values

Maps symbolic values to dependent types lifted to symbolic

values (symbolic facts)

Re"nements refer to

variables



Type environment



Symbolic state



et : Callbacke�eE



symbolic values

Maps symbolic values to dependent types lifted to symbolic

values (symbolic facts)

Re"nements refer to values

Re"nements refer to

variables



� this : Callback



15

Symbolization allows local variables to hold values inconsistent with declared types

heap

this

o

s

this.obj this.sel

� this : Callback



15


A type environment constrains local

variables

heap

this

o

s

this.obj this.sel

� this : Callback



15



variables

heap

this

o

s

this.obj this.sel

But also constrains the reachable heap to be type-consistent: "elds must conform to

declared types

� this : Callback



15



variables

heap

this

o

s

this.obj this.sel

But also constrains the reachable heap to be type-consistent: "elds must conform to

declared types

This picture captures the fully type-consistent concrete state

� this : Callback



15


symbolize eE e�heap

this.obj this.sel

s

o

this

� this : Callback



15



this.obj this.sel

s

o

this

Symbolic environment allows, e.g., int in

� this : Callback



15



this.obj this.sel

s

o

this


Immediately type-inconsistent: value stored without dereferences violates a type constraint

� this : Callback



15


symbolize eE e�


s heapthis.obj this.selo

this


� this : Callback



15


symbolize eE e�


s heapthis.obj this.selo

this


Grey indicates storage that is not immediately type-inconsistent

�

Type environment

Symbolic fact map

symbolizethis : Callback

s : Stro : Obj | r2 s eo : Obj | r2 es

es : Str

et : Callbacke�

16

Symbolization unpacks local cells, but symbolic facts about values still constrain the heap

heapthis.obj this.sel

s

o

this

�

Type environment

Symbolic fact map



es : Str

et : Callbacke�

Base types same on both sides

16



s

o

this

�

Type environment

Symbolic fact map



es : Str

et : Callbacke�

Callback , {sel : Str, obj : Obj | r2 sel}

Base types same on both sides

16



s

o

this

Base type "eld re"nements still refer to

!elds

Summarize heap locations that are not immediately type-inconsistent with okheap

Concrete State

Symbolic Heap

eH okheap


17


s

o

this


Concrete State

Symbolic Heap

eH okheap


Formula literal: concretization includes every subheap that is not immediately type inconsistent

17


s

o

this


Concrete State

Symbolic Heap

eH okheap


Describes storage without explicitly enumerating it


17


s

o

this


Concrete State

Symbolic Heap

eH okheap


Describes storage without explicitly enumerating it


17


s

o

this

Immediately after switch, type invariants still hold so okheap

represents entire heap



type analysis


type analysis


1

18



type analysis


type analysis


2

18

Leverage heap type invariant via type-consistent materialization

Concrete State

Symbolic State

eH okheap


19


s

o

this


Concrete State

Symbolic State

eH okheap


fsel fobj

⇤ gthis 7! {sel 7! ⇤ obj 7! }

Materialize onto standard separation-logic explicit heap

19


s

o

this


Concrete State

Symbolic State

eH okheap


fsel fobj

⇤ gthis 7! {sel 7! ⇤ obj 7! }


Must-alias and dis-alias guarantee requires case split on materialization

19


s

o

this


Concrete State

Symbolic State

eH okheap


fsel fobj

⇤ gthis 7! {sel 7! ⇤ obj 7! }



Materialized storage guaranteed to be not immediately type-

inconsistent

19


s

o

this


Concrete State

Symbolic State

eH okheap


fsel fobj

⇤ gthis 7! {sel 7! ⇤ obj 7! }




inconsistent

19

Value stored in obj responds to value

stored in sel


s

o

this


Concrete State

Symbolic State

eH okheap


fsel fobj

⇤ gthis 7! {sel 7! ⇤ obj 7! }




inconsistent

19


stored in sel


s

o

this

Represent materialized storage

with cutout


Concrete State

Symbolic State

eH okheap


fsel fobj

⇤ gthis 7! {sel 7! ⇤ obj 7! }




inconsistent

19


stored in sel


s

o

this

Analysis can assume that type invariant initially holds on all materialized storage


s

o

this

Strong updates on materialized storage to detect invariant restoration

Concrete State

Symbolic State

eH okheap


fsel fobj

⇤ gthis 7! {sel 7! ⇤ obj 7! }

20


Concrete State

Symbolic State

eH okheap


fobj

⇤ gthis 7! {sel 7! ⇤ obj 7! }es

20


s

o

this


Concrete State

Symbolic State

eH okheap


fobj


20


s

o

this

Type invariant violated


Concrete State

Symbolic State

eH okheap


fobj


20


s

o

this

Type invariant violated

Surprising: can soundly permit pointers in and out of the region that is not

immediately type-consistent


Concrete State

Symbolic State

eH okheap


⇤ gthis 7! {sel 7! ⇤ obj 7! }eoes

20


s

o

this


Concrete State

Symbolic State

eH okheap



20


s

o

this

No longer immediately type-inconsistent

Safely summarize storage that is not immediately type inconsistent

Concrete State

Symbolic State

eH okheap



21


s

o

this


Concrete State

Symbolic State

eH okheap


21


s

o

this


Concrete State

Symbolic State

eH okheap


Only need to reason precisely about part of heap where invariant broken,

so helps manage alias explosion

21


s

o

this


Concrete State

Symbolic State

eH okheap




21


s

o

this

Entire heap is type consistent so safe to

return to type checking


Concrete State

Symbolic State

eH okheap




21

heap

this

o

s

this.obj this.sel

Entire heap is type consistent so safe to

return to type checking



type analysis


type analysis


2

22



type analysis


type analysis


22

23

Fissile Type Analysis is sound

23

Theorem (Soundness of Handoff). The entire state is type-consistent iff all locations are not immediately type-inconsistent.


heap

this

o

s

this.obj this.sel


s

o

this

23

Theorem (Soundness of Handoff). The entire state is type-consistent iff all locations are not immediately type-inconsistent.

Theorem (Soundness of Materialization/Summarization). Storage that is not immediately type-inconsistent can be safely materialized and summarized into okheap.


heap

this

o

s

this.obj this.sel


s

o

this


s

o

this


s

o

this

Precision: What is improvement over "ow-insensitive checking alone?

Cost: What is the cost of analysis in running time?

Evaluation

24

Analysis mechanics: How often is symbolic reasoning required?

9 Objective-C benchmarks

Case Study: Re"ection in Objective-C

76 r2 annotations on system libraries

6 libraries and 3 applications

136 annotations on benchmark code

Manual type annotations

1,000 to 176,000 lines of code

Plugin for clang static analyzer in C++

Prototype analysis implementation

25

9 Objective-C benchmarks

Case Study: Re"ection in Objective-C

76 r2 annotations on system libraries

6 libraries and 3 applications

136 annotations on benchmark code

Manual type annotations

1,000 to 176,000 lines of code

Plugin for clang static analyzer in C++

Prototype analysis implementation

25

Including Skim, Adium, and

OmniGraffle

benchmark

size

(loc)symbolicsections

maximummaterializations

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 1

2716 2 2

3301 0 0

5289 3 1

14620 59 2

160769 7 1

37327 28 2

60211 0 0

176629 16 1

combined 461080 125 2

Analysis mechanics

26

benchmark

size



OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 1

2716 2 2

3301 0 0

5289 3 1

14620 59 2

160769 7 1

37327 28 2

60211 0 0

176629 16 1

combined 461080 125 2

Analysis mechanics

Number of successful switches to symbolic

analysis and back

26

benchmark

size



OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 1

2716 2 2

3301 0 0

5289 3 1

14620 59 2

160769 7 1

37327 28 2

60211 0 0

176629 16 1

combined 461080 125 2

Analysis mechanics

A signi!cant number of switches:Approach successfully handles when developers break and restore global invariants

Number of successful switches to symbolic

analysis and back

26

benchmark

size



OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 1

2716 2 2

3301 0 0

5289 3 1

14620 59 2

160769 7 1

37327 28 2

60211 0 0

176629 16 1

combined 461080 125 2

Analysis mechanics

Maximum number of simultaneous

materialized storage locations


26

benchmark

size



OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 1

2716 2 2

3301 0 0

5289 3 1

14620 59 2

160769 7 1

37327 28 2

60211 0 0

176629 16 1

combined 461080 125 2

Analysis mechanics

Maximum number of simultaneous

materialized storage locations


At most 2 simultaneous materializations: Aliasing case splits will not blow up

26

benchmark

size



OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 1

2716 2 2

3301 0 0

5289 3 1

14620 59 2

160769 7 1

37327 28 2

60211 0 0

176629 16 1

combined 461080 125 2

Analysis mechanics



26

benchmark

size



OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 1

2716 2 2

3301 0 0

5289 3 1

14620 59 2

160769 7 1

37327 28 2

60211 0 0

176629 16 1

combined 461080 125 2

Analysis mechanics



26

Approaches limited to one-at-a-time materialization not sufficient

benchmark

sizesize false alarmsfalse alarms

(loc)re"ective call

sites"ow-

insensitivealmost-

everywhere

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 7 2 (-71%)

2716 12 2 0 (-100%)

3301 28 0 0 (-)

5289 40 4 1 (-75%)

14620 68 50 10 (-80%)

160769 192 82 74 (-10%)

37327 186 59 38 (-36%)

60211 207 43 43 (-0%)

176629 587 87 70 (-20%)

combined 461080 1327 334 238 (-29%)

Precision

27

benchmark


(loc)re"ective call

sites"ow-

insensitivealmost-

everywhere

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 7 2 (-71%)

2716 12 2 0 (-100%)

3301 28 0 0 (-)

5289 40 4 1 (-75%)

14620 68 50 10 (-80%)

160769 192 82 74 (-10%)

37327 186 59 38 (-36%)

60211 207 43 43 (-0%)

176629 587 87 70 (-20%)

combined 461080 1327 334 238 (-29%)

Precision

Baseline: standard, "ow-insensitive type analysis – no switching

27

benchmark


(loc)re"ective call

sites"ow-

insensitivealmost-

everywhere

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 7 2 (-71%)

2716 12 2 0 (-100%)

3301 28 0 0 (-)

5289 40 4 1 (-75%)

14620 68 50 10 (-80%)

160769 192 82 74 (-10%)

37327 186 59 38 (-36%)

60211 207 43 43 (-0%)

176629 587 87 70 (-20%)

combined 461080 1327 334 238 (-29%)

Precision


Almost everywhere techniques show 29% improvement in false alarms

27

benchmark


(loc)re"ective call

sites"ow-

insensitivealmost-

everywhere

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 7 7 2 (-71%)

2716 12 2 0 (-100%)

3301 28 0 0 (-)

5289 40 4 1 (-75%)

14620 68 50 10 (-80%)

160769 192 82 74 (-10%)

37327 186 59 38 (-36%)

60211 207 43 43 (-0%)

176629 587 87 70 (-20%)

combined 461080 1327 334 238 (-29%)

Precision


Almost everywhere techniques show 29% improvement in false alarms

Also found a real re!ection bug in Vienna, which we reported and

which was !xed

27

benchmark

size analysis timeanalysis time

(loc) TimeRate

(kloc/s)

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 0.24s 5.3

2716 0.28s 10.8

3301 0.10s 33.0

5289 0.67s 7.9

14620 0.50s 27.2

160769 4.25s 37.8

37327 2.79s 13.4

60211 2.49s 24.1

176629 8.79s 20.1

combined 461080 20.09s 23.0

Cost: Analysis time

28

benchmark


(loc) TimeRate

(kloc/s)

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 0.24s 5.3

2716 0.28s 10.8

3301 0.10s 33.0

5289 0.67s 7.9

14620 0.50s 27.2

160769 4.25s 37.8

37327 2.79s 13.4

60211 2.49s 24.1

176629 8.79s 20.1

combined 461080 20.09s 23.0

Includes analysis time but not parsing, base

type checking

Cost: Analysis time

28

benchmark


(loc) TimeRate

(kloc/s)

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 0.24s 5.3

2716 0.28s 10.8

3301 0.10s 33.0

5289 0.67s 7.9

14620 0.50s 27.2

160769 4.25s 37.8

37327 2.79s 13.4

60211 2.49s 24.1

176629 8.79s 20.1

combined 461080 20.09s 23.0

Includes analysis time but not parsing, base

type checking

Cost: Analysis time

Does not include system

headers

28

benchmark


(loc) TimeRate

(kloc/s)

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 0.24s 5.3

2716 0.28s 10.8

3301 0.10s 33.0

5289 0.67s 7.9

14620 0.50s 27.2

160769 4.25s 37.8

37327 2.79s 13.4

60211 2.49s 24.1

176629 8.79s 20.1

combined 461080 20.09s 23.0

Cost: Analysis time

Fast: 5 to 38 kloc/s with most time spent analyzing system headers

28

benchmark


(loc) TimeRate

(kloc/s)

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 0.24s 5.3

2716 0.28s 10.8

3301 0.10s 33.0

5289 0.67s 7.9

14620 0.50s 27.2

160769 4.25s 37.8

37327 2.79s 13.4

60211 2.49s 24.1

176629 8.79s 20.1

combined 461080 20.09s 23.0

Cost: Analysis time

Fast: 5 to 38 kloc/s with most time spent analyzing system headers Interactive

speeds

28

benchmark


(loc) TimeRate

(kloc/s)

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 0.24s 5.3

2716 0.28s 10.8

3301 0.10s 33.0

5289 0.67s 7.9

14620 0.50s 27.2

160769 4.25s 37.8

37327 2.79s 13.4

60211 2.49s 24.1

176629 8.79s 20.1

combined 461080 20.09s 23.0

Higher rate for projects with larger translation units

Cost: Analysis time

Fast: 5 to 38 kloc/s with most time spent analyzing system headers

28

benchmark


(loc) TimeRate

(kloc/s)

OAUTH

SCRECORDER

ZIPKIT

SPARKLE

ASIHTTPREQUEST

OMNIFRAMEWORKS

VIENNA

SKIM

ADIUM

1248 0.24s 5.3

2716 0.28s 10.8

3301 0.10s 33.0

5289 0.67s 7.9

14620 0.50s 27.2

160769 4.25s 37.8

37327 2.79s 13.4

60211 2.49s 24.1

176629 8.79s 20.1

combined 461080 20.09s 23.0

Higher rate for projects with larger translation units

Cost: Analysis time

Fast: 5 to 38 kloc/s with most time spent analyzing system headersMaintains key bene"t of !ow-

insensitive analyses: speed

28

• Check almost everywhere heap invariants with intertwined type and symbolic "ow analysis

• Translate type environment into symbolic state with symbolization

• Leverage heap type invariant during symbolic analysis via type-consistent materialization and summarization

• Approach is very fast and scales to large programs

Summary

29

Fissile Type Analysis yields signi"cant precision improvement at little cost

in performance

30


in performance

Why?

30


in performance

Because almost-everywhere invariants hold almost everywhere

Why?

30

Fissile Type Analysis: Modular Checking of Almost ... · Fissile Type Analysis: Modular Checking of...

Documents

Transcript of Fissile Type Analysis: Modular Checking of Almost ... · Fissile Type Analysis: Modular Checking of...