Real-Time Java and Scoped Memory by sdfwerte


									Analyzing Memory Resource Bounds for
          Low-Level Programs

   Wei-Ngan Chin1                 Huu Hai Nguyen1
   Corneliu Popeea1               Shengchao Qin2

                  Univ. of Singapore
            2Durham University, UK

                      ISMM 2008                     1
    Motivation: Memory Bounds Analysis

Given a piece of program code, how much
 memory will it require for safe execution?
  • Can we know the answer before execution?
  • Applications:
    • Resource constrained embedded devices (limited
      memory footprint)
    • Safety critical systems

                       ISMM 2008
                   Simple Example

• Given a method:
  int foo (int n) {
       if (n <= 0) { return 1; }
       else { c x = new c(); c y = new c();
               int v = 2+foo(n-1);
               dispose(x); return v; } }

• Derive an upper-bound for the use of:
  • stack memory
  • heap memory

                            ISMM 2008
         What Programs to Analzye?

• Three design decisions:
  • low level programs: more accurate bounds analysis.
  • structured control flow: recovered if not available.
  • how to model heap recovery? (next slide)
                   method definition

P     ::= M1, … , Mn                           method invocation
M     ::= t m(t1, ... , tn) { E }
E     ::= Cmd | E1; E2 | if E1 E2 | while E
Cmd   ::= load<t> i | store<t> i | invoke m | const<t> k
      | new c | dispose c
                              ISMM 2008   deallocation             4
                  Heap Recovery

• Possible solutions for analyzing heap recovery:
  • use explicit memory disposal.
  • use region-based memory management.
• Both solutions over-approximate the recovery
  that can be achieved via GC.

  • Rely on an analysis that inserts dispose commands
     • alias annotations for object fields and methods
     • not for cyclic data structures
  • May achieve finer-grained heap recovery.

                          ISMM 2008
           Highlights of Our Work

• Derive both stack and heap bounds with similar
• Automatic and sound analysis of recursion.
• Precision and efficiency:
  • relational analysis for low-level code.
  • disjunctive invariants for “bounds analysis”.

                          ISMM 2008
          Overview of Our Solution

• A multi-pass analysis
  • automatically infers memory bounds in a modular way

                      2.abstract state    4. heap usage +
                                            heap bound

    t m(t1, .. , tn) F; Á; S; H; M {..}

                1.frame       3.stack
                 bound         bound

                           ISMM 2008
        1. Frame Bound Inference

• Stack Frames

• Simple analysis:
  l, ¡ `F E Ã A, ¡1, p
• Embed the current top frame
  pointer p at each program

                         ISMM 2008
       2. Abstract State Inference

• The abstract states expressed as Presburger
  formula over values on the stack [p,..,1] :
                                     Presburger formula

                                       Boolean expression

                                     arithmetic expression

• The inference rule:
                 State before               State after
• Abstract states inserted at each program point:

                        ISMM 2008
    Abstract State Inference: Some Rules

                                  make use of top
                                  frame pointer p

Ápo - postcondition                    ½ - substitution
    of callee m                       from formals to
                                      actual arguments

                      ISMM 2008
         3. Stack Bound Inference

• Problem: infer stack bound for each method.
                 each elem. denotes a bound s when g is true

    S - stack
   bound from                          F - minimum
   method body                         stack bound


                           ISMM 2008
     Stack Bound Inference: Some Rules
  retrieve stack                    the position where
bound of callee m1                  new frame is built

                                   incorporate guarded
                                 formula w/ current state

                                                tail call

                     ISMM 2008
               4. Heap Inference

• H and M are guarded form:
  • H / H1 heap usage before/after execution of B
  • M heap bound

         heap effect                  heap effect

                        ISMM 2008
          Example: Fixpoint Analysis

• Simple example:
  int foo (int n) {
       if (n <= 0) { return 1; }
       else { c x = new c(); c y = new c();
               int v = 2+foo(n-1);
               dispose(x); return v; } }

• First step: build a constraint abstraction
  rec(n,r) = (n·0 Æ r=1) Ç (9r1¢ n>0 Æ rec(n-1,r1) Æ r=2+r1)
• Next step: derive approximation for its fixpoint.
                            ISMM 2008
 Fixpoint Analysis for Abstract State

• Use disjunctive polyhedron abstract domain:
   • selective hulling: combines related disjuncts.
   • widening: ensures termination of fixpoint analysis.

rec1(n,r)   = (n·0 Æ r=1) Ç (9r1¢ n>0 Æ rec0(n-1,r1) Æ r=2+r1)
            = (n·0 Æ r=1)
rec2(n,r)   = (n·0 Æ r=1) Ç (9r1¢ n>0 Æ rec1(n-1,r1) Æ r=2+r1)
            = (n·0 Æ r=1) Ç (0 < n · 1 Æ r=2+1)
rec3(n,r)   = (n·0 Æ r=1) Ç (n=1 Æ r=3) Ç (n=2 Æ r=5)
            =h (n·0 Æ r=1) Ç (0 < n · 2 Æ r=2n+1)
            =w (n·0 Æ r=1) Ç (0 < n     Æ r=2n+1)
                            ISMM 2008
    Fixpoint Analysis: Memory Bounds

• Constraint abstraction:
  recM(n) = {n·0  {(c,0)}} [
            ({n>0  {(c,2)}} + recM(n-1))

• Derive fixpoint:
  recM(n) = {n·0  {(c,0)}} [ {n>0  {(c,2n)}}

• A similar analysis derives the stack bound.

                           ISMM 2008

• Safety theorem:

  • given memory resources equal to (or more than) its
    inferred bounds, each method always executes
    without error due to insufficient memory.

                         ISMM 2008
• A prototype system built in Haskell language.
• Omega library + disjunctive fixpoint analyzer.
• Small numerical programs (upto 2kloc).

                          ISMM 2008
                   Related Work
• Hughes-Pareto:ICFP99, Hofmann-Jost:POPL03
   • for first-order functional languages.
• Cachera-et-al:FM05 - for Java bytecode
   • certifies that memory is bounded (but not what bound)
• Albert-et-al:ESOP07 - for Java bytecode:
   • derives (only) heap bounds.
   • heap recovery via escape analysis.
• Braberman-et-al:ISMM08 - Java-like programs:
   • expressive heap bounds (polynomial expressions).
   • heap recovery via region-based memory management.
   • loop invariants inferred dynamically + user annotations.
                           ISMM 2008
• A sound inference system to predict the amount
  of memory space needed:
  • Can infer upper bounds for stack and heap spaces.
  • Uses guarded formulae to track both usage and upper
    bounds in a path sensitive manner.
  • Uses fixpoint analysis in the polyhedron domain to
    handle both recursion and loops.

• Prototype system used to infer memory bounds
  for a set of benchmark programs.

                        ISMM 2008
Thank you!


  ISMM 2008
• J. Hughes and L. Pareto. Recursion and Dynamic Data-Structures in
  Bounded Space: Towards Embedded ML Programming [ICFP99]
• M. Hofmann and S. Jost. Static prediction of heap space usage for
  first order functional programs [POPL03]
• D. Cachera, T. Jensen, D. Pichardie, and G. Schneider. Certified
  Memory Usage Analysis [FM05]
• W.N. Chin, H.H. Nguyen, S.C. Qin, and M. Rinard. Memory Usage
  Verification for OO Programs [SAS05]
• C. Popeea and W.N. Chin. Inferring disjunctive postconditions
• E. Albert, P. Arenas, S. Genaim, G. Puebla, and D. Zanardini. Cost
  Analysis of Java Bytecode [ESOP07]
• V. Braberman, F. Fernandez, D. Garbervetsky, and S. Yovine.
  Parametric Prediction of Heap Memory Requirements [ISMM08]

                               ISMM 2008
  Discussion: Abstract States for Objects

• Inference of abstract states for heap allocated
  objects not included in the paper
• Challenge: objects that are mutable & shareable
• We provided an alias type system which can
  identify two groups of trackable objects:
  • Unique references whose abstract states may change
  • Immutable references whose abstract states are
    immutable (but can be freely shared)
• In current work, abstract states are mainly size-
  related properties.

                        ISMM 2008
Abstract States for Objects: An Example

 No. of nodes                Height of tree

                                  Analysis result for
                                    method height

                                     Analysis result
                 ISMM 2008
                                    for mehtod sum 24

To top