Program Analysis and Verification
0368-4479http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html
Noam Rinetzky
Lecture 2: Program Semantics
Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav
2
Good manners
• Mobiles
3
Admin
• Grades– 4 Assignments (30%)
• 1 involves programming– 1 Lesson summary (10%)– Toar I: Final exam (60%)
• Must pass– Toar II: Project (60%)
Scribes (this week)? Scribes (nextweek)
4
Today
• What does semantics mean?– Why do we need it?– How is it related to analysis/verification?
• Operational semantics– Natural operational semantics– Structural operational semantics
5
Motivation: Verifying absence of bugs
static OSStatusSSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams, uint8_t *signature, UInt16 signatureLen){OSStatus err;
...
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)goto fail;if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)goto fail;goto fail;if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)goto fail;
...
fail:SSLFreeBuffer(&signedHashes);SSLFreeBuffer(&hashCtx);return err;
}
6
What can we do about it?
• Monitoring• Testing• Static analysis • Formal verification• Specification
Run time
Design Time
7
What can we do about it?
• Monitoring• Testing• Static analysis • Formal verification• Specification
Run time
Design Time
8
Program analysis & verification
y = ? x? = if (x > 0){
y = 42; }else{
y = 73; foo;)(
}assert (y == 42);
Is assertion true?
No/?/Yes
9
Program analysis & verification
Can we prove this? Automatically? Bad news: problem is generally undecidable
Yes/?/No
y = ? x? = x = y * 2if (x % 2 == 0) { y = 42;} else { y = 73; foo();} assert (y == 42);
10
universe
Main idea: use over-approximation
Exact set of configurations/Behaviors/states
Over Approximation
11
Main idea: find (properties of) all reachable states*
initialstates
badstates
reachablestates
*or of something else …
12
Technique: find (properties of) more than all reachable states*
initialstates
badstates
reachablestates
*or of something else …
13
Program analysis & verification
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?
14
What does P do?
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?
15
What does P mean?
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…
syntax semantics
16
“Standard” semantics
y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…-1,0,1, …
y x…-1,0,1,…
17
“Standard” semantics (“state transformer”)
y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…-1,0,1, …
y x…-1,0,1,…
18
“Standard” semantics (“state transformer”)
y = ?; y=3, x=9x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…-1,0,1, …
y x…-1,0,1,…
19
“Standard” semantics (“state transformer”)
y = ?; y=3, x=9x = y * 2 y=3, x=6if (x % 2 == 0) { y=3, x=6 y = 42; y=42, x=6} else { y = 73; … foo(); …} assert (y == 42); y=42, x=6
…-1,0,1, …
y x…-1,0,1,…
20
“State transformer” semantics
initialstates
badstates
reachablestates
y=3,x=9
y=3,x=6
y=3,x=6
21
“State transformer” semantics
initialstates
badstates
reachablestates
y=4,x=1
y=4,x=8y=4,x=8
22
“State transformer” semantics
initialstates
badstates
reachablestates
y=4…,x=…
23
initialstates
badstates
reachablestates
y=3,x=9
y=3,x=6
y=4,x=1y=4,x=8
y=3,x=6
y=4,x=8
“State transformer” semanticsMain idea: find (properties of) all reachable states*
y=4…,x=…
24
“Standard” (collecting) semantics(“sets-of states-transformer”)
y = ?; x = ?; {(y,x) | y,x ∈ Nat}x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
25
“Standard” (collecting) semantics(“sets-of states-transformer”)
y = ?; {(y=3, x=9),(y=4,x=1),(y=…, x=…)}
x = y * 2 {(y=3, x=6),(y=4,x=8),(y=…, x=…)}
if (x % 2 == 0) { {(y=3, x=6),(y=4,x=8),(y=…, x=…)}
y = 42; {(y=42, x=6),(y=42,x=8),(y=42, x=…)}
} else { y = 73; { }
foo(); { }
} assert (y == 42); {(y=42, x=6),(y=42,x=8),(y=42, x=…)}
Yes
26
“Set-of-states transformer” semantics
initialstates
badstates
reachablestates
y=3,x=9
y=3,x=6
y=4,x=1
y=4,x=1
y=3,x=6
y=4,x=1
27
“Abstract-state transformer” semantics
y = ?; y=T, x=Tx = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
TO E
T
y x
TO E
T
(y=E,x=E)={(0,0), (0,2), (-4,10),…}
28
“Abstract-state transformer” semantics
y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=T, x=E} else { y = 73; … foo(); …} assert (y == 42); y=E, x=E Yes/?/No
TO E
T
y x
TO E
T
(y=E,x=E)={(0,0), (0,2), (-4,10),…}
29
“Abstract-state transformer” semantics
y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=T, x=E} else { y = 73; … foo(); …} assert (y == 42); y=E, x=E Yes/?/No
TO E
T
y x
TO E
T
(y=E,x=E)={(0,0), (0,2), (-4,10),…}
30
“Abstract-state transformer” semantics
y = ?; y=T, x=Tx = y * 2 y=T, x=Eif (x % 2 == 0) { y=T, x=E y = 42; y=E, x=E} else { y = 73; … foo(); …} assert (y%2 == 0) y=E, x=E ?
TO E
T
y x
TO E
T
(y=E,x=E)={(0,0), (0,2), (-4,10),…}
“Abstract-state transformer” semantics
initialstates
badstates
31
reachablestates
“Abstract-state transformer” semantics
initialstates
badstates
32
reachablestates
“Abstract-state transformer” semantics
initialstates
badstates
33
reachablestates
“Abstract-state transformer” semantics
initialstates
badstates
34
reachablestates
Technique: explore abstract states
initialstates
badstates
35
reachablestates
36
Sound: cover all reachable states
initialstates
badstates
reachablestates
37
Imprecise abstraction
initialstates
badstates
37
reachablestates
False alarms
38
What does P mean?
y = ?; x = ?;x = y * 2if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);
…
syntax semantics
Abs
39
Programming Languages
• Syntax • “how do I write a program?”
– BNF– “Parsing”
• Semantics • “What does my program mean?”
– …
40
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions
41
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions
• Cat-transformer
42
What semantics do we want?
• Captures the aspects of computations we care about– “adequate”
• Hides irrelevant details– “fully abstract”
• Compositional
Operational Semantics
Recap
Program semantics
• State-transformer– Set-of-states transformer– Trace transformer
• Predicate-transformer• Functions
• Cat-transformer
What semantics do we want?
• Captures the aspects of computations we care about– “adequate”
• Hides irrelevant details– “fully abstract”
• Compositional
47
Formal semantics
“Formal semantics is concerned with rigorously specifying the meaning, or behavior, of
programs, pieces of hardware, etc.” / page 1
48
Formal semantics
“This theory allows a program to be manipulated like a formula –
that is to say, its properties can be calculated.”
Gérard Huet & Philippe Flajolet homage to Gilles Kahn
49
Why formal semantics?
• Implementation-independent definition of a programming language
• Automatically generating interpreters (and some day maybe full fledged compilers)
• Verification and debugging– if you don’t know what it does, how do you know
its incorrect?
50
Levels of abstractions and applications
Program Semantics
Assembly-level Semantics(Small-step)
Static Analysis(abstract semantics)
51
Semantic description methods• Operational semantics– Natural semantics (big step) [G. Kahn]– Structural semantics (small step) [G. Plotkin]
• Trace semantics• Collecting semantics• [Instrumented semantics]
• Denotational semantics [D. Scott, C. Strachy]
• Axiomatic semantics [C. A. R. Hoare, R. Floyd]
52
http://www.daimi.au.dk/~bra8130/Wiley_book/wiley.html
Operational Semantics
54
A simple imperative language: WhileAbstract syntax:
a ::= n | x | a1 + a2 | a1 a2 | a1 – a2
b ::= true | false| a1 = a2 | a1 a2 | b | b1 b2
S ::= x := a | skip | S1; S2| if b then S1 else S2
| while b do S
55
Concrete Syntax vs. Abstract Syntax
a
y
:=x
S
a
z
:=y
Sa
x
:=z
S
;
S;
S
a
x
:=z
S
a
y
:=x
S;
S ;
S
a
z
:=y
S
z:=x; x:=y; y:=z
z:=x; (x:=y; y:=z) (z:=x; x:=y); y:=z
56
Exercise: draw an AST
S S;
S
y:=1; while (x=1) do (y:=y*x; x:=x-1)
57
Syntactic categories
n Num numeralsx Var program variablesa Aexp arithmetic expressionsb Bexp boolean expressionsS Stm statements
58
Semantic categories
Z Integers {0, 1, -1, 2, -2, …}TTruth values {ff, tt}State Var Z
Example state: s=[x5, y7, z0]Lookup: s x = 5Update: s[x6] = [x6, y7, z0]
59
Example state manipulations
• [x1, y7, z16] y =• [x1, y7, z16] t =• [x1, y7, z16][x5] =• [x1, y7, z16][x5] x =• [x1, y7, z16][x5] y =
60
Semantics of arithmetic expressions
• Arithmetic expressions are side-effect free• Semantic function A Aexp : State Z• Defined by induction on the syntax tree
A n s = nA x s = s xA a1 + a2 s = A a1 s + A a2 sA a1 - a2 s = A a1 s - A a2 sA a1 * a2 s = A a1 s A a2 s A (a1) s = A a1 s --- not neededA - a s = 0 - A a1 s
• Compositional• Properties can be proved by structural induction
61
Arithmetic expression exercise
Suppose s x = 3Evaluate A x+1 s
62
Semantics of boolean expressions
• Boolean expressions are side-effect free• Semantic function B Bexp : State T• Defined by induction on the syntax tree
B true s = ttB false s = ffB a1 = a2 s =B a1 a2 s =B b1 b2 s = B b s =
63
Operational semantics
• Concerned with how to execute programs– How statements modify state– Define transition relation between configurations
• Two flavors– Natural semantics: describes how the overall
results of executions are obtained• So-called “big-step” semantics
– Structural operational semantics: describes how the individual steps of a computations take place• So-called “small-step” semantics
64
Natural operating semantics (NS)
65
Natural operating semantics (NS)
• aka “Large-step semantics”
S, s s’
all steps
66
Natural operating semantics
• Developed by Gilles Kahn [STACS 1987]• Configurations
S, s Statement S is about to execute on state ss Terminal (final) state
• TransitionsS, s s’ Execution of S from s will terminate
with the result state s’– Ignores non-terminating computations
67
Natural operating semantics
• defined by rules of the form
• The meaning of compound statements is defined using the meaning immediate constituent statements
S1, s1 s1’, … , Sn, sn sn’
S, s s’
if…
premise
conclusion
side condition
68
Natural semantics for While x := a, s s[x Aas][assns]
skip, s s[skipns]
S1, s s’, S2, s’ s’’S1; S2, s s’’ [compns]
S1, s s’ if b then S1 else S2, s s’
if B b s = tt[ifttns]
S2, s s’ if b then S1 else S2, s s’
if B b s = ff[ifffns]
axioms
69
Natural semantics for While
S, s s’, while b do S, s’ s’’while b do S, s s’’
if B b s = tt[whilettns]
while b do S, s s if B b s = ff[whileffns]
Non-compositional
70
Example
• Let s0 be the state which assigns zero to all program variables
x:=x+1, s0
skip, s0 s0
s0[x1]
skip, s0 s0, x:=x+1, s0 s0[x1] skip; x:=x+1, s0 s0[x1]
x:=x+1, s0 s0[x1]if x=0 then x:=x+1 else skip, s0 s0[x1]
71
Derivation trees
• Using axioms and rules to derive a transition S, s s’ gives a derivation tree– Root: S, s s’– Leaves: axioms– Internal nodes: conclusions of rules• Immediate children: matching rule premises
72
Derivation tree example 1• Assume s0=[x5, y7, z0]
s1=[x5, y7, z5]s2=[x7, y7, z5]s3=[x7, y5, z5]
(z:=x; x:=y); y:=z, s0 s3
(z:=x; x:=y), s0 s2 y:=z, s2 s3
z:=x, s0 s1 x:=y, s1 s2
[assns] [assns]
[assns][compns]
[compns]
73
Derivation tree example 1• Assume s0=[x5, y7, z0]
s1=[x5, y7, z5]s2=[x7, y7, z5]s3=[x7, y5, z5]
(z:=x; x:=y); y:=z, s0 s3
(z:=x; x:=y), s0 s2 y:=z, s2 s3
z:=x, s0 s1 x:=y, s1 s2
[assns] [assns]
[assns][compns]
[compns]
74
Top-down evaluation via derivation trees
• Given a statement S and an input state sfind an output state s’ such that S, ss’
• Start with the root and repeatedly apply rules until the axioms are reached– Inspect different alternatives in order
• In While s’ and the derivation tree is unique
75
Top-down evaluation example
• Factorial program with s x = 2• Shorthand: W=while (x=1) do (y:=y*x; x:=x-1)
y:=1; while (x=1) do (y:=y*x; x:=x-1), s s[y 2][x1]
y:=1, s s[y 1] W, s[y 1] s[y 2, x 1]
y:=y*x; x:=x-1, s[y 1] s[y 2][x1] W, s[y 2][x1] s[y 2, x 1]
y:=y*x, s[y 1] s[y 2] x:=x-1, s[y 2] s[y 2][x1][assns]
[compns]
[assns]
[compns]
[whileffns]
[whilettns]
[assns]
76
Program termination
• Given a statement S and input s– S terminates on s if there exists a state s’ such that
S, s s’– S loops on s if there is no state s’ such that
S, s s’• Given a statement S– S always terminates if
for every input state s, S terminates on s– S always loops if
for every input state s, S loops on s
77
Semantic equivalence
• S1 and S2 are semantically equivalent if for all s and s’ S1, s s’ if and only if S2, s s’
• Simple examplewhile b do Sis semantically equivalent to:if b then (S; while b do S) else skip– Read proof in pages 26-27
78
Properties of natural semantics
• Equivalence of program constructs– skip; skip is semantically equivalent to skip – ((S1; S2); S3) is semantically equivalent to
(S1; (S2; S3))– (x:=5; y:=x*8) is semantically equivalent to (x:=5; y:=40)
79
Equivalence of (S1; S2); S3 and S1; (S2; S3)
80
Equivalence of (S1; S2); S3 and S1; (S2; S3)
(S1; S2), s s12, S3, s12 s’ (S1; S2); S3, s s’
S1, s s1, S2, s1 s12
S1, s s1, (S2; S3), s12 s’ (S1; S2); S3, s s’
S2, s1 s12, S3, s12 s’
Assume (S1; S2); S3, s s’ then the following unique derivation tree exists:
Using the rule applications above, we can construct the following derivation tree:
And vice versa.
81
Deterministic semantics for While• Theorem: for all statements S and states s1, s2
if S, s s1 and S, s s2 then s1=s2
• The proof uses induction on the shape of derivation trees (pages 29-30)– Prove that the property holds for all simple
derivation trees by showing it holds for axioms– Prove that the property holds for all composite trees:
• For each rule assume that the property holds for its premises (induction hypothesis) and prove it holds for the conclusion of the rule
single node
#nodes>1
82
The semantic function Sns
• The meaning of a statement S is defined as a partial function from State to State
Sns: Stm (State State)
• Examples:Sns skips = sSns x:=1s = s [x 1]Sns while true do skips = undefined
Sns S s = s’ if S, s s’ undefined else
83
Structural operating semantics (SOS)
• aka “Small-step semantics”
S, s S’, s’
first step
84
Structural operational semantics• Developed by Gordon Plotkin• Configurations: has one of two forms:
S, s Statement S is about to execute on state ss Terminal (final) state
• Transitions S, s = S’, s’ Execution of S from s is not completed and
remaining computation proceeds from intermediate configuration
= s’ Execution of S from s has terminated and the final state is s’
• S, s is stuck if there is no such that S, s
first step
85
Structural semantics for While x:=a, s s[xAas][asssos]
skip, s s[skipsos]
S1, s S1’, s’ S1; S2, s S1’; S2, s’ [comp1
sos]
if b then S1 else S2, s S1, s if B b s = tt[ifttsos]
if b then S1 else S2, s S2, s if B b s = ff[ifffsos]
S1, s s’ S1; S2, s S2, s’ [comp2
sos]
When does this happen?
86
Structural semantics for While
while b do S, s if b then
S; while b do S) else
skip, s
[whilesos]
87
Derivation sequences• A derivation sequence of a statement S starting in state s is either• A finite sequence 0, 1, 2 …, k such that
1. 0 = S, s2. i i+1
3. k is either stuck configuration or a final state
• An infinite sequence 0, 1, 2, … such that1. 0 = S, s2. i i+1
• Notations:– 0 k k 0 derives k in k steps– 0 * 0 derives in a finite number of steps
• For each step there is a corresponding derivation tree
88
Derivation sequence example
• Assume s0=[x5, y7, z0](z:=x; x:=y); y:=z, s0
x:=y; y:=z, s0[z5] y:=z, (s0[z5])[x7] ((s0[z5])[x7])[y5]
(z:=x; x:=y); y:=z, s0 x:=y; y:=z, s0[z5]
z:=x; x:=y, s0 x:=y, s0[z5]
z:=x, s0 s0[z5]
• Derivation tree for first step:
89
Evaluation via derivation sequences
• For any While statement S and state s it is always possible to find at least one derivation sequence from S, s– Apply axioms and rules forever or until a terminal
or stuck configuration is reached• Proposition: there are no stuck configurations
in While
90
Factorial (n!) example
• Input state s such that s x = 3y := 1; while (x=1) do (y := y * x; x := x – 1)
y :=1 ; W, s W, s[y1] if (x =1) then ((y := y * x; x := x – 1); W else skip), s[y1] ((y := y * x; x := x – 1); W), s[y1] (x := x – 1; W), s[y3] W , s[y3][x2] if (x =1) then ((y := y * x; x := x – 1); W else skip), s[y3][x2] ((y := y * x; x := x – 1); W), s[y3] [x2] (x := x – 1; W) , s[y6] [x2] W, s[y6][x1] if (x =1) then ((y := y * x; x := x – 1); W else skip, s[y6][x1] skip, s[y6][x1] s[y6][x1]
91
Program termination
• Given a statement S and input s– S terminates on s if there exists a finite derivation
sequence starting at S, s– S terminates successfully on s if there exists a
finite derivation sequence starting at S, s leading to a final state
– S loops on s if there exists an infinite derivation sequence starting at S, s
92
Properties of structural operational semantics
• S1 and S2 are semantically equivalent if:– for all s and which is either final or stuck,
S1, s * if and only if S2, s * – for all s, there is an infinite derivation sequence
starting at S1, s if and only if there is an infinite derivation sequence starting at S2, s
• Theorem: While is deterministic:– If S, s * s1 and S, s * s2 then s1=s2
93
Sequential composition• Lemma: If S1; S2, s k s’’ then
there exists s’ and k=m+n such thatS1, s m s’ and S2, s’ n s’’
• The proof (pages 37-38) uses induction on the length of derivation sequences– Prove that the property holds for all derivation sequences
of length 0– Prove that the property holds for all other derivation
sequences: • Show that the property holds for sequences of length k+1 using
the fact it holds on all sequences of length k (induction hypothesis)
94
The semantic function Ssos
• The meaning of a statement S is defined as a partial function from State to State
Ssos: Stm (State State)
• Examples:Ssos skip s = sSsos x:=1 s = s [x 1]Ssos while true do skip s = undefined
Ssos S s = s’ if S, s * s’ undefined else
95
An equivalence result
• For every statement in WhileSns S = Ssos S
• Proof in pages 40-43
The End
Top Related