Differential Static Analysis: Opportunities and Challenges
Shuvendu Lahiri, RiSE, MSR Redmond
UC Berkeley OSQ Retreat (5/12/11)
![Page 2: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/2.jpg)
Challenges of static assertion checking

```c
void F(A *z, int *a) {
    int n = ComplexFunc(z);
    int j = 0;
    List* x = z->list;
    while (x != null) {
        j++;
        if (x->d == n) {
            a[j] = x->g;
            break;
        }
        x = x->next;
    }
}
assert (0 <= j && j <= ?);
```

The slide annotates this example with the three things a static assertion checker needs from the developer: a precondition, a loop invariant, and a postcondition. The `?` in the assertion is the upper bound on `j` that the checker would have to know to prove the write to `a[j]` safe.
![Page 3: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/3.jpg)
State of static assertion checking
• Not cost-effective for an average developer (yet)
  – Need for specs
  – Need for intermediate inductive assertions
  – Precise analysis is not scalable
• Most functional specs are tested by regression testing (expensive, low coverage)
![Page 4: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/4.jpg)
Microsoft Confidential
App-Compat problem
  – Every developer has to worry about introducing incompatibility rather than fixing ALL existing bugs
  – Library writers (releases)
Do my changes introduce a regression?
Did the "refactoring" change any observable behavior?
How does the change propagate to the public APIs?
![Page 5: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/5.jpg)
Current practice
• Run regression tests and hope breaking changes show up
• Problems
  – Coverage: only a small fraction of paths covered
    • Especially with few inputs, loops, recursion
  – Controllability: hard to exercise the paths under change
  – Oracles: mostly program crashes, or a few built-in assertions
![Page 6: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/6.jpg)
Differential static analysis
• Provide a relative guarantee instead of an absolute guarantee
  – May be easier to obtain, and possibly desirable
![Page 7: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/7.jpg)
Precedents (equivalence checking)
• Hardware
  – Equivalence checking was a big success
  – ISA vs. RTL, timing optimizations, …
• Software
  – Translation validation (intraprocedural compiler transformations)
• However, most code changes in software change behaviors (bug fixes, features, …)
  – Fairly limited applicability
![Page 8: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/8.jpg)
Potential applications: Fast feedback about changes
• Equivalence checking
  – Manual refactorings, translation validation, app-compat for different versions of compilers
• Conditional equivalence checking
  – Allow the user to express (or infer) conditions under which two versions are compatible
• Differential contract checking
  – Show that contracts are not violated for more inputs after a change
![Page 9: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/9.jpg)
Differential contract checking

Version 1:

```c
void F(A *z, int *a) {
    int n = ComplexFunc(z);
    int j = 0;
    List* x = z->list;
    while (x != null) {
        j++;
        if (x->d == n) {
            a[j] = x->g;
            break;
        }
        x = x->next;
    }
}
```

Version 2 (the only change is the value written to `a[j]`):

```c
void F(A *z, int *a) {
    int n = ComplexFunc(z);
    int j = 0;
    List* x = z->list;
    while (x != null) {
        j++;
        if (x->d == n) {
            a[j] = x->h + x->g;
            break;
        }
        x = x->next;
    }
}
```

May be able to check that the change does not introduce new buffer overruns, with cheap abstractions.
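The relative check this slide describes, together with the conditional equivalence checking of the previous slide, as an added example that is not from the talk and not SymDiff's code. Both versions of `F` are modelled as Python functions over a constructed linked list; `ComplexFunc(z)` is replaced by an explicit input `n` and the size of `a` by an explicit input `a_len` (both are assumptions, since the slide leaves them unspecified). Running both versions on the same input (a product program) over a bounded input space checks that version 2 overruns `a` only on inputs where version 1 already did, counts how many inputs an absolute checker would still have to rule out, and tests a conjectured condition under which the two versions are observationally equivalent.

```python
"""Bounded differential check of the two versions of F shown on the slide.

Added example, not the talk's or SymDiff's code. Assumptions (not on the
slide): ComplexFunc(z) is replaced by an explicit input n, and the size of the
array a by an explicit input a_len, so that an out-of-bounds write is
observable. Each version runs on the same constructed input (a product
program) and the outcomes are compared over every input up to a small bound.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

NodeSpec = Tuple[int, int, int]  # constructed (d, g, h) field values for one node


@dataclass
class Node:
    d: int
    g: int
    h: int
    next: Optional["Node"] = None


def build_list(nodes: List[NodeSpec]) -> Optional[Node]:
    """Build z->list from constructed (d, g, h) triples, in order."""
    head: Optional[Node] = None
    for d, g, h in reversed(nodes):
        head = Node(d, g, h, head)
    return head


@dataclass(frozen=True)
class Outcome:
    """Observable behaviour of one run: index and value written to a (if any)
    and whether that write fell outside a[0..a_len-1]."""
    index: Optional[int]
    value: Optional[int]
    overrun: bool


def run_f(head: Optional[Node], n: int, a_len: int, use_h: bool) -> Outcome:
    """Mirror F's loop: j counts visited nodes; on the first node with d == n
    write a[j] (version 1: x->g, version 2: x->h + x->g) and stop."""
    j = 0
    x = head
    while x is not None:
        j += 1
        if x.d == n:
            value = x.h + x.g if use_h else x.g
            return Outcome(j, value, not (0 <= j < a_len))
        x = x.next
    return Outcome(None, None, False)


def v1(head: Optional[Node], n: int, a_len: int) -> Outcome:
    return run_f(head, n, a_len, use_h=False)


def v2(head: Optional[Node], n: int, a_len: int) -> Outcome:
    return run_f(head, n, a_len, use_h=True)


def bounded_inputs(max_len: int = 2, vals=(-1, 0, 1)):
    """Every list of up to max_len nodes with fields from vals, every n in
    vals, and every array length from 0 to max_len + 1."""
    for length in range(max_len + 1):
        for fields in product(product(vals, repeat=3), repeat=length):
            for n in vals:
                for a_len in range(max_len + 2):
                    yield list(fields), n, a_len


def differential_check(max_len: int = 2):
    """Return (new_overruns, differing): inputs where v2 overruns a but v1
    does not, and inputs where the observable outcomes differ at all."""
    new_overruns, differing = [], []
    for nodes, n, a_len in bounded_inputs(max_len):
        o1 = v1(build_list(nodes), n, a_len)
        o2 = v2(build_list(nodes), n, a_len)
        if o2.overrun and not o1.overrun:
            new_overruns.append((nodes, n, a_len))
        if o1 != o2:
            differing.append((nodes, n, a_len, o1, o2))
    return new_overruns, differing


def absolute_overruns(max_len: int = 2) -> int:
    """Inputs where version 1 already overruns a: an absolute checker must rule
    these out, a relative checker only shows the change adds none."""
    return sum(1 for nodes, n, a_len in bounded_inputs(max_len)
               if v1(build_list(nodes), n, a_len).overrun)


def candidate_condition(nodes: List[NodeSpec], n: int) -> bool:
    """Conjectured equivalence condition: the first node with d == n has h == 0
    (or no node matches, so nothing is written)."""
    for d, _g, h in nodes:
        if d == n:
            return h == 0
    return True


def conditional_equivalence_holds(max_len: int = 2) -> bool:
    """True iff, over the bounded space, v1 and v2 agree exactly on the inputs
    satisfying candidate_condition (the condition is sufficient and necessary)."""
    for nodes, n, a_len in bounded_inputs(max_len):
        agree = v1(build_list(nodes), n, a_len) == v2(build_list(nodes), n, a_len)
        if agree != candidate_condition(nodes, n):
            return False
    return True


if __name__ == "__main__":
    new, diff = differential_check()
    print("new overruns introduced by version 2:", len(new))
    print("inputs on which the versions differ :", len(diff))
    print("inputs on which version 1 overruns  :", absolute_overruns())
    print("candidate condition matches exactly :", conditional_equivalence_holds())
```

The point of the relative check is visible in the two counts: version 1 overruns `a` on many inputs (because `j` starts at 1 and the bound on `a` is unknown), so an absolute checker needs a precondition on `a_len` before it can say anything, whereas the relative check needs no such specification to conclude that the change itself is overrun-neutral. The enumeration is a bounded stand-in for the symbolic reasoning a tool like SymDiff performs.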
![Page 10: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/10.jpg)
SymDiff (Symbolic Diff)
• Project underway in MSR Redmond
  – With Chris Hawblitzel, …
• In a nutshell
  – Windiff for a program's input/output behaviors
  – Source-language independent (uses Boogie/Z3)
  – Static tool for identifying semantic differences between two closely related program versions
![Page 11: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/11.jpg)
SymDiff screenshot
![Page 12: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/12.jpg)
Current directions (in progress)
• Mutual summaries
  – With Chris Hawblitzel
  – A general mechanism for comparing programs
    • E.g. can prove most compiler optimizations (translation validation)
• Application of differential contract checking
  – Finding precise concurrency bugs in the presence of an underspecified environment
    • With Akash Lal (POIROT)
• Inference of conditional equivalence
  – Using abstract interpretation, interpolation, …
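Translation validation phrased as a mutual summary, as an added example that is not from the talk and not SymDiff's code. A mutual summary relates the inputs and outputs of two procedures; for a compiler rewrite of a pure function the summary is simply "equal inputs imply equal outputs". Each side below is a Python function over a fixed-width two's-complement integer (the 8-bit width is an assumption chosen so the whole input space can be enumerated), and the summary is checked over every input, which is a bounded check rather than the symbolic proof a Boogie/Z3 back end would produce. One rewrite is validated and one is refuted with a concrete counterexample.

```python
"""Bounded translation validation via a mutual summary.

Added example, not the talk's or SymDiff's code. Assumption: values are 8-bit
two's-complement integers, so the summary can be checked by enumerating every
input instead of by a symbolic proof.
"""
from typing import Callable, Optional, Tuple

WIDTH = 8
MASK = (1 << WIDTH) - 1


def to_signed(v: int) -> int:
    """Wrap an unbounded Python int to a WIDTH-bit two's-complement value."""
    v &= MASK
    return v - (1 << WIDTH) if v & (1 << (WIDTH - 1)) else v


def c_div(a: int, b: int) -> int:
    """C-style integer division: truncates toward zero, unlike Python's //."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


# Rewrite 1: strength reduction of (x * 2) + (x * 2) to x << 2.
def src_double_add(x: int) -> int:
    return to_signed(x * 2 + x * 2)


def opt_shift(x: int) -> int:
    return to_signed(x << 2)


# Rewrite 2: a tempting but wrong reduction of signed x / 2 to x >> 1.
def src_div2(x: int) -> int:
    return to_signed(c_div(x, 2))


def opt_sar1(x: int) -> int:
    return to_signed(x >> 1)  # arithmetic shift floors toward minus infinity


# A mutual summary is a predicate over (input, output of f1, output of f2).
Summary = Callable[[int, int, int], bool]
Counterexample = Optional[Tuple[int, int, int]]


def check_mutual_summary(f1, f2, summary: Summary) -> Tuple[bool, Counterexample]:
    """Check summary(x, f1(x), f2(x)) for every WIDTH-bit x.
    Returns (True, None) or (False, (x, f1(x), f2(x))) for the first failure."""
    for raw in range(1 << WIDTH):
        x = to_signed(raw)
        a, b = f1(x), f2(x)
        if not summary(x, a, b):
            return False, (x, a, b)
    return True, None


def translation_validation(src, opt) -> Tuple[bool, Counterexample]:
    """Translation validation is the special case where the summary is output equality."""
    return check_mutual_summary(src, opt, lambda _x, a, b: a == b)


if __name__ == "__main__":
    print("(x*2)+(x*2) -> x<<2 :", translation_validation(src_double_add, opt_shift))
    print("x/2 -> x>>1 (signed):", translation_validation(src_div2, opt_sar1))
```

Because the summary is an arbitrary relation rather than plain equality, the same checker also expresses conditional equivalence: passing `lambda x, a, b: a == b or x < 0` validates the second rewrite for non-negative inputs only, which is exactly the kind of condition the slide proposes inferring automatically.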
![Page 13: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/13.jpg)
Summary
• Problem: static app-compat
  – Relative vs. absolute guarantee
• Opportunities
  – Impact developers, quick feedback, more coverage than tests, fewer false alarms, cheaper abstractions
• Challenges
  – Understanding developer intent, communicating differences, root cause, …
![Page 14: Differential Static Analysis: Opportunities and Challenges](https://reader035.fdocuments.in/reader035/viewer/2022062408/5681364b550346895d9dca93/html5/thumbnails/14.jpg)
Other projects
• Linear maps
  – Local reasoning in classical logic [Qadeer, Walker]
• POIROT
  – Assertion-directed symbolic search for concurrent programs [Lal, Qadeer]