
Noam Rinetzky Lecture 2: Program Semantics



  1. Program Analysis and Verification 0368-4479 http://www.cs.tau.ac.il/~maon/teaching/2013-2014/paav/paav1314b.html Noam Rinetzky Lecture 2: Program Semantics Slides credit: Roman Manevich, Mooly Sagiv, Eran Yahav

  2. Good manners • Mobiles

  3. Admin • Grades • 4 Assignments (30%) • 1 involves programming • 1 Lesson summary (10%) • Toar I: Final exam (60%) • Must pass • Toar II: Project (60%) • Scribes (this week) • Scribes (next week)

  4. Today • What does semantics mean? • Why do we need it? • How is it related to analysis/verification? • Operational semantics • Natural operational semantics • Structural operational semantics

  5. Motivation: Verifying absence of bugs

      static OSStatus
      SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                       uint8_t *signature, UInt16 signatureLen)
      {
          OSStatus err;
          ...
          if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
              goto fail;
          if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
              goto fail;
              goto fail;   /* unconditional: the final check below is never reached */
          if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
              goto fail;
          ...
      fail:
          SSLFreeBuffer(&signedHashes);
          SSLFreeBuffer(&hashCtx);
          return err;
      }

  6. What can we do about it? Run time: • Monitoring • Testing. Design time: • Static analysis • Formal verification • Specification


  8. Program analysis & verification y = ? x = ? if (x > 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); No/?/Yes • Is assertion true?

  9. Program analysis & verification y = ? x = ? x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); Yes/?/No • Can we prove this? Automatically? • Bad news: problem is generally undecidable

  10. Main idea: use over-approximation • Exact set of configurations / behaviors / states • Over-approximation • Universe

  11. Main idea: find (properties of) all reachable states* • bad states • reachable states • initial states • *or of something else …

  12. Technique: find (properties of) more than all reachable states* • bad states • reachable states • initial states • *or of something else …

  13. Program analysis & verification y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?

  14. What does P do? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); ?

  15. What does P mean? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); … syntax semantics

  16. “Standard” semantics y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); (y, x range over …, -1, 0, 1, …)

  17. “Standard” semantics (“state transformer”) y = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); (y, x range over …, -1, 0, 1, …)

  18. “Standard” semantics (“state transformer”) y = ?; (state: y=3, x=9) x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); (y, x range over …, -1, 0, 1, …)

  19. “Standard” semantics (“state transformer”) (y, x range over …, -1, 0, 1, …)
      y = ?;                  y=3, x=9
      x = y * 2               y=3, x=6
      if (x % 2 == 0) {       y=3, x=6
        y = 42;               y=42, x=6
      } else {
        y = 73;               …
        foo();                …
      }
      assert (y == 42);       y=42, x=6

  20. “State transformer” semantics • bad states • reachable states: y=3,x=6 • initial states: y=3,x=9

  21. “State transformer” semantics • bad states • reachable states: y=4,x=8 • initial states: y=4,x=1

  22. “State transformer” semantics • bad states • reachable states • initial states: y=4…,x=…

  23. “State transformer” semantics. Main idea: find (properties of) all reachable states* • bad states • reachable states: y=3,x=6, y=4,x=8 • initial states: y=3,x=9, y=4,x=1, y=4…,x=…

  24. “Standard” (collecting) semantics (“sets-of-states transformer”) y = ?; x = ?; {(y,x) | y,x ∈ Nat} x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42);

  25. “Standard” (collecting) semantics (“sets-of-states transformer”)
      y = ?;                  {(y=3, x=9), (y=4, x=1), (y=…, x=…)}
      x = y * 2               {(y=3, x=6), (y=4, x=8), (y=…, x=…)}
      if (x % 2 == 0) {       {(y=3, x=6), (y=4, x=8), (y=…, x=…)}
        y = 42;               {(y=42, x=6), (y=42, x=8), (y=42, x=…)}
      } else {
        y = 73;               { }
        foo();                { }
      }
      assert (y == 42);       {(y=42, x=6), (y=42, x=8), (y=42, x=…)}   Yes

  26. “Set-of-states transformer” semantics • bad states • reachable states: y=3,x=6, y=3,x=9, y=4,x=1 • initial states: y=3,x=9, y=4,x=1

  27. “Abstract-state transformer” semantics y = ?; (state: y=T, x=T) x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); Parity lattice for y and for x: T above O and E. (y=E, x=E) = {(0,0), (0,2), (-4,10), …}

  28. “Abstract-state transformer” semantics (parity lattice for y and for x: T above O and E)
      y = ?;                  y=T, x=T
      x = y * 2               y=T, x=E
      if (x % 2 == 0) {       y=T, x=E
        y = 42;               y=T, x=E
      } else {
        y = 73;               …
        foo();                …
      }
      assert (y == 42);       y=E, x=E
      (y=E, x=E) = {(0,0), (0,2), (-4,10), …}   Yes/?/No

  30. “Abstract-state transformer” semantics (parity lattice for y and for x: T above O and E)
      y = ?;                  y=T, x=T
      x = y * 2               y=T, x=E
      if (x % 2 == 0) {       y=T, x=E
        y = 42;               y=E, x=E
      } else {
        y = 73;               …
        foo();                …
      }
      assert (y % 2 == 0);    y=E, x=E
      (y=E, x=E) = {(0,0), (0,2), (-4,10), …}   ?

  31. “Abstract-state transformer” semantics • bad states • reachable states • initial states

  35. Technique: explore abstract states • bad states • reachable states • initial states

  36. Sound: cover all reachable states • bad states • reachable states • initial states

  37. Imprecise abstraction • False alarms • bad states • reachable states • initial states
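As an added example that is not part of the lecture slides: the slide program run as the concrete state transformer of slide 19 and as the parity abstract-state transformer of slides 27-30, with the Yes/?/No verdict on the assertion and the soundness check of slide 36. The parity domain with values E, O, T, its join, the abstract multiplication and the three-valued branch test are my assumptions of how the slides' abstraction is computed; the join of both branches is also handled for the general case where the test is unknown.

```python
# Added example (not from the slides): the slide program as a concrete state
# transformer and as an abstract-state transformer over the parity domain.
TOP, EVEN, ODD = "T", "E", "O"          # T = unknown parity (top)

def parity(n):
    """Abstraction of one concrete integer."""
    return EVEN if n % 2 == 0 else ODD

def join(a, b):
    """Least upper bound in the parity lattice (E join O = T)."""
    return a if a == b else TOP

def abs_mul(a, b):
    """Parity of a product: even if either factor is even, odd only if both are."""
    if EVEN in (a, b): return EVEN
    return ODD if a == b == ODD else TOP

def join_state(s, t):
    """Join two abstract states; None marks an unreachable branch."""
    if s is None or t is None: return s or t
    return {v: join(s[v], t[v]) for v in s}

def run_concrete(y):
    """Slide 19: x = y * 2; if (x % 2 == 0) y = 42 else y = 73, on one state."""
    x = y * 2
    y = 42 if x % 2 == 0 else 73
    return {"y": y, "x": x}

def run_parity(y_abs):
    """Slides 27-30: the same program on parities; state reaching the assert."""
    x_abs = abs_mul(y_abs, EVEN)                  # x = y * 2, and 2 is even
    test = {EVEN: True, ODD: False}.get(x_abs)    # x % 2 == 0: True/False/None
    then_st = {"y": parity(42), "x": x_abs} if test is not False else None
    else_st = {"y": parity(73), "x": x_abs} if test is not True else None
    return join_state(then_st, else_st)

def verdict(state, prop):
    """Slides' Yes/?/No for ('even', var) or ('eq', var, const) in a state."""
    kind, var, *rest = prop
    a = state[var]
    if kind == "even":
        return {EVEN: "Yes", ODD: "No"}.get(a, "?")
    if a != TOP and a != parity(rest[0]):
        return "No"    # parity alone refutes var == const
    return "?"         # parity can never prove one value: a potential false alarm

def sound(y):
    """Soundness (slide 36): the concrete result lies inside the abstract one."""
    conc, abst = run_concrete(y), run_parity(parity(y))
    return all(abst[v] in (TOP, parity(conc[v])) for v in conc)
```

With y unknown (T) the analysis reaches the assert with y=E, x=E: `assert (y % 2 == 0)` is answered Yes, while `assert (y == 42)` only gets "?", the imprecision of slide 37.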

  38. What does P mean? y = ?; x = ?; x = y * 2 if (x % 2 == 0) { y = 42; } else { y = 73; foo(); } assert (y == 42); … Abs syntax semantics

  39. Programming Languages • Syntax • “how do I write a program?” • BNF • “Parsing” • Semantics • “What does my program mean?” • …

  40. Program semantics • State-transformer • Set-of-states transformer • Trace transformer • Predicate-transformer • Functions

  41. Program semantics • State-transformer • Set-of-states transformer • Trace transformer • Predicate-transformer • Functions • Cat-transformer

  42. What semantics do we want? • Captures the aspects of computations we care about • “adequate” • Hides irrelevant details • “fully abstract” • Compositional

  43. Operational Semantics

  44. Recap

  45. Program semantics • State-transformer • Set-of-states transformer • Trace transformer • Predicate-transformer • Functions • Cat-transformer

  46. What semantics do we want? • Captures the aspects of computations we care about • “adequate” • Hides irrelevant details • “fully abstract” • Compositional

  47. Formal semantics “Formal semantics is concerned with rigorously specifying the meaning, or behavior, of programs, pieces of hardware, etc.” / page 1

  48. Formal semantics • “This theory allows a program to be manipulated like a formula – that is to say, its properties can be calculated.” • Gérard Huet & Philippe Flajolet, homage to Gilles Kahn

  49. Why formal semantics? • Implementation-independent definition of a programming language • Automatically generating interpreters (and some day maybe full-fledged compilers) • Verification and debugging • if you don’t know what it does, how do you know it’s incorrect?

  50. Levels of abstractions and applications: Static Analysis (abstract semantics) → Program Semantics → Assembly-level Semantics (Small-step)
