1 / 41

Spring 2018 Program Analysis and Verification Introduction

This Spring 2018 program introduces the concepts of program analysis and verification. Topics include program correctness, code review, functional correctness, and program verification using Dafny. The course also covers the basics of mathematical thinking in relation to programming. Attendees will gain new knowledge and capabilities in this discipline.

nadinec
Download Presentation

Spring 2018 Program Analysis and Verification Introduction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Spring 2018Program Analysis and Verification Introduction Roman Manevich Ben-Gurion University

  2. Agenda What is program verification? Course overview and details What is program analysis?

  3. What is program verification?

  4. Code review // Negates the values of the vector in=(0|1)*.void negate(int[] in, int[] out) { int x = 0; while (x<in.length) { x = x+1; out[x] = in[1-x]; }} Is this program correct?(take 2 min. to answer privately) If answer is no, can you offer a fix?

  5. What does correct even mean? Language intrinsic properties (avoids which runtime exceptions?) // requires in!=null && out!=null && in.length==out.length// requires foreach 0z<in.length : 0in[z]1 // ensures foreach 0z<in.length : out[z] = 1-in[z] && 0out[z]1 // Negates the values of the vector in=(0|1)*.void negate(int[] in, int[] out) { int x = 0; while (x<in.length) { x = x+1; out[x] = in[1-x];} } Functional correctness We need a specification Does the program satisfy its specification?

  6. How do we know the spec is satisfied? // requires in!=null && out!=null && in.length==out.length// requires foreach 0z<in.length : 0in[z]1 // ensures foreach 0z<in.length : out[z] = 1-in[z] && 0out[z]1 // Negates the values of the vector in=(0|1)*.void negate(int[] in, int[] out) { int x = 0; while (x<in.length) { out[x] = 1-in[x]; x = x+1;}} In general, no (Rice’s theorem) Common practice: write a few tests Can we actually prove correctness?

  7. Program verification • A discipline for formally proving that a program (or a system) satisfies its specification • Semi-automated • Different tools exist • We will use Dafny: a programming language and program verifier for functional correctness • Developed at Microsoft Research (RiSE group) • And now… a demo [proved]

  8. Proving the program in Dafny methodarray_negate(a: array<int>, b: array<int>) returns () requires a != null; requires b != null; requiresa.Length == b.Length; requires (forall z :: (0 <= z < a.Length) ==> (a[z] == 0 || a[z] == 1)); ensures (forall z :: (0 <= z < a.Length) ==> b[z] == 1 - a[z]); modifies b; { vari := 0; while (i < a.Length) { b[i] := 1 - a[i]; i := i + 1; } } Warning message:This postcondition might not hold

  9. Proving the program in Dafny methodarray_negate(a: array<int>, b: array<int>) returns () requires a != null; requires b != null; requires a != b; requiresa.Length == b.Length; requires (forall z :: (0 <= z < a.Length) ==> (a[z] == 0 || a[z] == 1)); ensures (forall z :: (0 <= z < a.Length) ==> b[z] == 1 - a[z]); modifies b; { vari := 0; while (i < a.Length) invariant 0 <= i <= a.Length; invariant (forall z :: 0 <= z < i ==> b[z] == 1 - a[z]); decreasesa.Length - i; { b[i] := 1 - a[i]; i := i + 1; } } The postcondition is incorrect when ‘a’ and ‘b’ reference the same array These properties hold when the loop is about to be entered and after each iteration The program terminates, since the value of the term ‘a.Length – I’ decreases on each iteration and is bounded below by 0 Dafny program verifier finished with 2 verified, 0 errors

  10. Another example

  11. 30GB Zunes all over the world fail en masse December 31, 2008

  12. Zune bug What happens when days=366? Suggested solution: wait for tomorrow 1 while (days > 365) { 2 if (IsLeapYear(year)) { 3 if (days > 366) { 4 days -= 366; 5 year += 1; 6 } 7 } else { 8 days -= 365; 9 year += 1; 10 } 11 }

  13. Fixed code What makes this loop terminate? Let’s prove it terminates while (days > 365) { if (IsLeapYear(year)) { if (days > 366) { days -= 366; year += 1; } else { break; } } else { days -= 365; year += 1; } }

  14. Verification: learning outcomes How to think of programs mathematically How to write basic specifications How to guide the verifier towards a succfull proof The basic theory behind such tools

  15. Course overviewand details

  16. Course requirements • 50%: 3 assignments • Theory and programming • In pairs • Must obtain passing grade for each assignment • 50%: Project • In singles • Must obtain passing grade

  17. Typesetting assignments LaTeX: THE way to produce scientific documents Recommended cloud-based editor

  18. My obligations • Prepare an interesting and accessible course • Help you gain new knowledge and capabilities • Answer questions in class and offer my help • Course web-page • Slides + lecture recordings • Announcements • Assignments/project forums • Office hours: Wednesday 12:00-14:00 • E-mail: romanm@cs.bgu.ac.il • Skype: rmanevich

  19. Course policies • Don’t be late, be in class at 14:10, 15:10 • If you happen to be late (for a good reason) more than 15 minutes, wait for recess • Basic mutual dignity • No eating, sleeping, reading newspapers… • Follow announcements on course web-page • Course material page will also show schedule and any time/room changes

  20. How to succeed in this course • Attend class regularly • Make sure you understand material atclass • Ask right when you lost me, don’t delay • Solve worksheets • Engage by asking questions and raising ideas • Missed a lecture – make up for it before next one • Be on top of assignments • Submit on time • Don’t get stuck or give up on exercises – get help – ask me • Don’t start working on assignments the day before • Be ethical

  21. How to fail the course

  22. At the lecture Best: never show up, thereby minimizing the chance of contracting any course-related knowledge. Show up from time to time, but don’t persist otherwise you’ll have some context and you might understand the lecturer, it’s a slippery road Show up but don’t pay attention. Your phone is your best friend here. Show up, pay attention but never ask questions. Obviously, everyone else understands and you’ll just embarrass yourself.

  23. How to submita terrible assignment

  24. Working on the assignment Put off working until a day before the deadline; then ask for an extension. If you work with a partner, split the assignment and only focus on your portion.

  25. Submitting the assignment Never read your assignment. That’s the job of the reader. Repeat the question. That’s the most important part of the assignment. Use as many font families as you can and keep switching between them in the text. This will surely give the reader dizziness. Submit as many irrelevant files as you can. Name the files in a misleading way. Only document the obvious parts of the assignment and in no way make it easy for the reader to detect the key points. Don’t check for compilation errors and warnings. If they bother the reader he can fix them.

  26. Submitting the assignment Don’t submit. Better: ask for 2-3 extensions and never submit. Never submit via the submission system. Instead, send files via e-mail. This increases the chance the reader will forget about your files. Don’t follow the guidelines. Submit only a subset of the files requested by the assignment. Don’t put your name on the assignment. Privacy is so important in the digital age. Anyway, if it’s easy for the reader then what’s the fun?

  27. Tentative syllabus

  28. What is program analysis?

  29. Static analysis definition Runtime “The algorithmic discovery of properties of a program by inspection of its source text1” -- Manna, Pnueli at compile-time A generalization of the dataflow analysis frameworkthat you learned in the compiler construction course 1 Does not have to literally be the source text, just means w/o running it

  30. Why study program analysis? • Learn how to use abstraction to deal with intractable (usually undecidable) problems • Understand how to systematically • Reason about correctness / find bugs(connections to cyber-security) • Design compiler optimizations • Some techniques may be applied in other domains • Computational learning • Analysis of biological systems

  31. Possible usage 1: infer invariants methodarray_negate(a: array<int>, b: array<int>) returns () requires a != null; requires b != null; requires a != b; requiresa.Length == b.Length; requires (forall z :: (0 <= z < a.Length) ==> (a[z] == 0 || a[z] == 1)); ensures (forall z :: (0 <= z < a.Length) ==> b[z] == 1 - a[z]); modifies b; { vari := 0; while (i < a.Length) invariant 0 <= i <= a.Length; invariant (forall z :: 0 <= z < i ==> b[z] == 1 - a[z]); decreasesa.Length - i; { b[i] := 1 - a[i]; i := i + 1; } } Static analysis of linear inequalities Static analysis of universal array properties Termination analysis

  32. Possible usage 2: compiler optimization // Negates the values of the vector in=(0|1)*.void negate(int[] in, int[] out) { x = 0; while (x<in.length) { out[x] = 1-in[x]; x = x+1; } return out;} The array length doesn’t change – access memory just once for the whole loop How can we optimize this program?

  33. Optimized program // Negates the values of the vector in=(0|1)*.void negate(int[] in, int[] out) { x = 0;intlen = in.length; while (x<len) { out[x] = 1-in[x]; x = x+1; } return out;} How can we infer this optimization?

  34. Implementing program analyses • We will use Soot • A framework for analyzing and transforming Java and Android Applications • A library written for this course

  35. Program Analysis: learning outcomes The theory of abstract interpretation Learn about some existing analyses How to develop sound static analyses How to combine analyses Gain a little experience with Soot and Java

  36. Math refresher Read Appendix A (pages 213-215) ofSemantics with Applications book

  37. Next lecture:Operational Semantics

  38. Logical symbols • Vocabulary: set of predicate and function symbols • domain(p) is the domain of a predicate p • rank(p) the number of arguments for predicate symbol p • domain(f) is the domain of a function f • rank(f) the number of arguments for function symbol f • A nullary function (rank(f)=0) called a constant • range(f) is the range of a function f • Vfun – the set of function symbols in V • Vpred – the set of predicate symbols in V

  39. Logical structures • A logical structure S over a vocabulary V is a pair (U, I) • U is a set of abstract individuals called the universe • Notation: vec(U, k) all vectors of length k from U • I : {vec(domain(p), rank(p)) | pVpred {0, 1}} {vec(domain(f), rank(f)) | pVfun range(f)} is an interpretation assignment function

  40. Logical formulas Let vars be a countable set of logical variables First-order logic terms are defined asT ::= v | f(T,…,T) First-order logic sentences are defined asF ::= QF | v. F|v. FQF ::= p(T,…,T) | F | F  F | F  F

  41. What do you get in this course? • Learn basic principles of program verification and program analysis • Understand jargon/papers • Top programming languages conferences:POPL 20187, PLDI 2017, OOPSLA 2017, CAV 2017,SAS 2017 • Obtain some experience via assignments • Put to practice what you learned in logic, automata, data structures, and programming

More Related